Sharing AWS AMIs using Terraform

We at Tensult have an automation-first approach to almost everything. Our team keeps coming up with ways to automate mundane implementation or admin tasks to reduce manual effort and risk of errors.

Our team evaluated a few options in this space and decided that Terraform by HashiCorp was the best among them for our needs. It supports all the major cloud providers, and it has good documentation with clear examples and detailed explanations of the arguments.

I was curious to try it out myself, even though my last coding stint was more than 15 years back, when I wrote simple programs in C and C++. With a bit of help from my team, I found it was surprisingly simple, and some of the old concepts of datatypes and syntax came rushing back.

The use case I picked was fairly simple: share an AWS AMI with other AWS accounts. This needs three inputs, namely the AMI ID, the region where the AMI has to be shared (AMIs and their launch permissions are regional), and the AWS account number(s) (a 12-digit number that uniquely identifies an AWS account). Given that we are an AWS partner, we need to run this code across multiple customers, so I have added a 'profile' variable, which can be passed at run time to select a named profile from the AWS credentials or config file; each profile can hold different credentials or an IAM role to assume.

Variable definition in Terraform

The account numbers are defined as a list, so that we can share with multiple accounts in one go.

One can also configure default values, as I have done for the region here. If no default value is provided and none is passed on the command line, Terraform will prompt for the value at run time.

Once the variables are defined, we get into the code for creating a launch permission on the AMI. I relied on the example in the Terraform documentation (the aws_ami_launch_permission resource) to get started. Since we envisage multiple AWS accounts, the resource loops over the account_ids list according to its length, creating one launch permission per account. The code is available in our GitHub repository.

AMI-Sharing Code
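Below is a complete configuration covering both the variable definitions and the sharing resource described above. It is an added example written for this article, not the code from the Tensult repository: the original loops with count over the list, whereas this version uses for_each keyed on the account ID, and it adds a validation block on account_ids (which needs Terraform 0.14 or later for alltrue). The default region us-east-1 and the resource name "share" are assumptions.

```hcl
# Example configuration added for this article (not the repository's own code).
# Assumes Terraform >= 0.14 and the hashicorp/aws provider.

variable "profile" {
  description = "Named profile from ~/.aws/credentials or ~/.aws/config (may be an assume-role profile)."
  type        = string
}

variable "region" {
  description = "Region the AMI lives in; launch permissions are per region."
  type        = string
  default     = "us-east-1" # assumed default; the article does not say which region it used
}

variable "ami_id" {
  description = "ID of the AMI to share."
  type        = string
}

variable "account_ids" {
  description = "AWS account IDs that should be allowed to launch the AMI."
  type        = list(string)

  # Reject anything that is not a 12-digit account ID before any API call is made.
  # This catches typos and pasted ARNs, not a wrong-but-valid account number.
  validation {
    condition     = alltrue([for id in var.account_ids : can(regex("^[0-9]{12}$", id))])
    error_message = "Every entry in account_ids must be a 12-digit AWS account ID."
  }
}

provider "aws" {
  region  = var.region
  profile = var.profile
}

# One launch permission per target account. Keying the instances on the account
# ID (for_each) instead of a list index (count) means removing an account from
# the list destroys only that account's permission.
resource "aws_ami_launch_permission" "share" {
  for_each = toset(var.account_ids)

  image_id   = var.ami_id
  account_id = each.value
}
```

Keying on the account ID rather than a list index matters for the day you revoke access: with count, removing an entry from the middle of the list shifts the indices and Terraform would destroy and re-create every permission after it, which shows up in the plan as churn that is easy to wave through. The validation block only rejects malformed IDs, so the plan output is still where you confirm exactly which accounts are being granted access. Two AWS caveats to keep in mind: this resource grants launch permission only to the accounts listed, and making an AMI public is a separate setting that the code deliberately does not touch; and if the AMI's snapshots are encrypted with a customer-managed KMS key, that key must be shared with the target accounts separately or they will be unable to launch the AMI, while AMIs whose snapshots are encrypted with the AWS-managed default EBS key cannot be shared at all.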

Before applying, you can preview how your code will behave by running the 'plan' step of the Terraform workflow. Terraform will tell you which resources will be created, which will be modified, and whether any existing resources in the account will be destroyed. This is similar to the dry-run option in the AWS CLI, but much richer, and it will also surface errors in your code. Saving the plan with 'terraform plan -out=tfplan' and then applying that file ('terraform apply tfplan') guarantees that what gets applied is exactly what was reviewed.

When you are ready, run a command like the one below, where profile is the name of a profile in your AWS credentials file (typically ~/.aws/credentials):

terraform apply -var 'profile=aws-profile-1' -var 'ami_id=ami-5ab6cde7fg8h9i10' -var 'account_ids=["112233445566","777888999000","123456123456"]'

If you want to run this for another region, add one more variable to override the default region (-var 'region=eu-west-1').

Conclusion

You have now seen how a simple activity such as AMI sharing can be automated using Terraform. I will be sharing some more posts on a few other scenarios soon. My latest one is on VPC peering using Terraform. If you are keen to explore more scenarios built by the Tensult team using Terraform, you can visit our repository.