AWSTemplateFormatVersion: 2010-09-09 Parameters: IamEC2IBRoleName: Description: IAM Role for EC2ImageBuilder Instance Profile to be attached to EC2 used as BuildServer Type: String Default: EC2ImageBuilderRole ImageBuilderSNSTopicName: Description: ImageBuilder SNS Topic Name Type: String Default: ImageBuilderNotifications NotificationEmail: Description: Email address to receieve notifications Type: String SubnetId: Description: Subnet Id that will be used to spin up the build server needs access to public internet Type: AWS::EC2::Subnet::Id SecurityGroupIds: Description: Security Group Ids that will be attached to build server Type: List InstanceTypes: Description: Instance type used by ImageBuilder build server Type: CommaDelimitedList AllowedValues: - t3.small - t3.medium - c5.large - m5.large - r5.large Default: 't3.small, t3.medium' SharedAccountId: Description: AWS Account ID of the shared account that created the base image Type: String AllowedPattern: ^\d{12}$ ConstraintDescription: 12 Digit Account number of the Shared Account SharedImageEncryptionKMSKeyArn: Description: CMK Key used for Encrypting Image in Shared Account Type: String Resources: EC2IBRole: Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyWildcardResource - EIAMPolicyActionWildcard ignore_reasons: - EIAMPolicyWildcardResource: Condition specified - EIAMPolicyActionWildcard: Condition specified Type: AWS::IAM::Role Properties: RoleName: !Ref IamEC2IBRoleName Path: / AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - !Sub ec2.${AWS::URLSuffix} Action: - sts:AssumeRole ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonInspectorFullAccess - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore - !Sub arn:${AWS::Partition}:iam::aws:policy/EC2InstanceProfileForImageBuilder Policies: - PolicyName: EC2ImageBuilderPolicyForInspector PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - ssm:SendCommand - ec2:CreateTags Resource: '*' Condition: StringEquals: aws:ResourceTag/CreatedBy: EC2 Image Builder - PolicyName: EC2ImageBuilderAppAccount-KMS-Decrypt PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - kms:Decrypt Resource: !Ref SharedImageEncryptionKMSKeyArn EC2InstanceProfile: Type: AWS::IAM::InstanceProfile Properties: InstanceProfileName: !Sub ${EC2IBRole}Profile Path: / Roles: - !Ref EC2IBRole ImageBuilderSNSTopic: Type: AWS::SNS::Topic Properties: TopicName: !Ref ImageBuilderSNSTopicName ImageBuilderSNSPolicy: Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyWildcardResource - EIAMPolicyActionWildcard ignore_reasons: - EIAMPolicyWildcardResource: Condition specified - EIAMPolicyActionWildcard: Condition specified Type: AWS::SNS::TopicPolicy Properties: PolicyDocument: Id: ImageBuilderSNSPolicy Version: 2012-10-17 Statement: - Sid: default-policy-id Effect: Allow Principal: AWS : '*' Action: - sns:GetTopicAttributes - sns:SetTopicAttributes - sns:AddPermission - sns:RemovePermission - sns:DeleteTopic - sns:Subscribe - sns:ListSubscriptionsByTopic - sns:Publish Resource: !Ref ImageBuilderSNSTopic Condition: StringEquals: AWS:SourceOwner: !Sub ${AWS::AccountId} - Sid: allow-imagebuilder Effect: Allow Principal: Service: !Sub imagebuilder.${AWS::URLSuffix} Action: sns:Publish Resource: !Ref ImageBuilderSNSTopic Topics: - !Ref ImageBuilderSNSTopic ImageBuilderSNSSubscription: Type: AWS::SNS::Subscription Properties: Endpoint: !Ref NotificationEmail Protocol: email TopicArn: !Ref ImageBuilderSNSTopic AmznLinuxImageRecipe: Type: AWS::ImageBuilder::ImageRecipe Properties: Name: AmznLinux2-ImageRecipe-AppAccount Version: 1.0.0 ParentImage: !Sub arn:${AWS::Partition}:imagebuilder:${AWS::Region}:${SharedAccountId}:image/amznlinux2-imagerecipe-shared/x.x.x Description: Image Recipe for AmznLinux2 Server Images Components: - ComponentArn: !Sub arn:${AWS::Partition}:imagebuilder:${AWS::Region}:aws:component/apache-tomcat-9-linux/x.x.x BlockDeviceMappings: - DeviceName: /dev/xvda Ebs: DeleteOnTermination: true Encrypted: true VolumeType: gp3 VolumeSize: 30 WorkingDirectory: /tmp Tags: ParentOS: AmznLinux2 InfraConfig: Type: AWS::ImageBuilder::InfrastructureConfiguration Properties: Name: InfraConfig-AmznLinux InstanceProfileName: !Ref EC2InstanceProfile InstanceTypes: !Ref InstanceTypes SnsTopicArn: !Ref ImageBuilderSNSTopic SubnetId: !Ref SubnetId SecurityGroupIds: !Ref SecurityGroupIds TerminateInstanceOnFailure: true DistributionConfig: Type: AWS::ImageBuilder::DistributionConfiguration Properties: Name: AmznLinux-DistributionConfig Distributions: - Region: !Ref AWS::Region AmiDistributionConfiguration: Name: 'AmznLinux-Image-{{ imagebuilder:buildDate }}' AmiTags: Name: 'AmznLinux-Image-v{{ imagebuilder:buildVersion }}' BuildDate: '{{ imagebuilder:buildDate }}' BuildVersion: '{{ imagebuilder:buildVersion }}' ImagePipeline: Type: AWS::ImageBuilder::ImagePipeline Properties: ImageRecipeArn: !GetAtt AmznLinuxImageRecipe.Arn DistributionConfigurationArn: !GetAtt DistributionConfig.Arn InfrastructureConfigurationArn: !GetAtt InfraConfig.Arn ImageTestsConfiguration: ImageTestsEnabled: false TimeoutMinutes: 90 Name: AmznLinuxImagePipeline Status: ENABLED Outputs: InfraConfigArn: Description: Infrastructure Config Arn Value: !Ref InfraConfig