Golden VM images are template server images that are hardened to meet IT standards and come with preinstalled and preconfigured custom software and settings that help you save time and ensure consistency. EC2 Image Builder enables you to automate the creation, management, and deployment of compliant golden VM images quickly and easily via automated pipelines that keep images secure and up-to-date.

Create an image recipe

An image recipe is a document that defines the components to be applied to the base images to create the desired configuration for the output image. After a recipe has been created, it cannot be modified. A new version must be created to change the components.

To create a recipe, do the following:

Navigate to the EC2 Image Builder Console.

EC2 Image Builder console

Select Saved configurations > Image recipes.

Then click Create image recipe.

Image Recipe console

On the new screen, provide the following:

Recipe details—Under this section, specify a descriptive name, a recipe version in the format of major.minor.patch, and, optionally, a description for this recipe.

Recipe details

Base image—The starting point for image customization. In this section, select the image using one of the following methods:

  • Managed Images—Images created by you, shared with you, or provided by AWS. This is the option we're using in this guide.
  • Custom AMI ID—Pass the AMI ID and ensure that the AWS Systems Manager Agent (SSM Agent) is preinstalled in this AMI.
  • Import base image—Import from your VM into Image Builder, and use the converted image as the base image in your recipe.

Then, you need to specify the image operating system. As of the time of this writing, Image Builder supports Amazon Linux, Windows, Ubuntu, CentOS, RHEL, and SLES. In this guide, we will use Windows.

Afterward, you need to choose the image origin from the following options:

  • Quick start (Amazon-managed)—Amazon-curated images to help you get started
  • Images owned by me—Images you created with Image Builder
  • Images shared with me—Images shared with this account

Finally, specify the Image name and the Auto-versioning option. Auto-versioning controls which release of the selected base image a scheduled build starts from: either the latest available version at build time, which is what lets the pipeline pick up a newly patched base image on its own, or the specific version you select, which pins the base image so that only your components change between builds.

Base image selection

Instance configuration—Under this section, specify the settings and scripts to run in addition to the components you choose for your image. In the User data section, configure an instance or run a configuration script during launch.

Configure the instance

Working directory—Under this section, specify the working directory for use during the build and test workflows.

Specify the working directory

Components—Components are software scripts that define the custom configuration of an image. Components cannot be modified or replaced after a recipe is created. Automatic version choices are provided for each component. A maximum of 20 components (including build and test) can be applied to a recipe.

The Components section comprises two steps:

Step 1: Choose build components to produce the desired output AMI—These are software scripts that define a sequence of steps for downloading, installing, and configuring software packages. They also define validation steps. You can select Amazon-managed build components, such as the Amazon CloudWatch agent, or you can create custom components.

Select build components

Step 2: (Optional) Select tests to verify the output AMI (post-build)—These are sequences of steps used to verify that the output image built by your pipeline functions as expected. Test components run on a fresh instance launched from the output AMI, not on the build instance, so they exercise what you will actually ship. You can select Amazon-managed test components, such as one that verifies a successful reboot, or you can create custom components.


Select test components

Note: Visit this link to learn more about creating customized build and test components.
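As an added example that is not part of the original article, the document below is a custom component in the Image Builder (AWSTOE) component document format; you would create it under Components > Create component with Platform set to Windows and then select it in the recipe's Components step. The component name, the two hardening changes, and the PowerShell used to check them are illustrative assumptions. What the example shows is the split of phases the recipe step relies on: build applies the change, validate fails the build on the build instance if the change did not take, and test re-checks it on a fresh instance launched from the output AMI.

```yaml
# Added example: custom Image Builder component (AWSTOE document format).
# Component name and hardening choices are illustrative assumptions,
# not settings from the article.
name: WindowsBaselineHardening
description: Disable SMBv1, force the firewall on, and prove it before the AMI is published
schemaVersion: 1.0
phases:
  - name: build
    # Runs on the build instance.
    steps:
      - name: DisableSmbV1
        action: ExecutePowerShell
        inputs:
          commands:
            - Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
      - name: EnableFirewallAllProfiles
        action: ExecutePowerShell
        inputs:
          commands:
            - Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
      - name: RebootToApply
        action: Reboot
  - name: validate
    # Runs on the build instance after the build phase; a thrown error fails the build,
    # so a half-applied hardening step never becomes an AMI.
    steps:
      - name: AssertSmbV1Disabled
        action: ExecutePowerShell
        inputs:
          commands:
            - |
              if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
                throw 'SMBv1 is still enabled on the build instance'
              }
  - name: test
    # Runs on a new instance launched from the output AMI when the pipeline has tests enabled,
    # which catches settings that did not survive the snapshot or a first boot.
    steps:
      - name: AssertFirewallOnAfterFreshBoot
        action: ExecutePowerShell
        inputs:
          commands:
            - |
              $off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
              if ($off) {
                throw "Windows Firewall disabled for profile(s): $($off.Name -join ', ')"
              }
```

Image Builder runs the build and validate phases on the build instance and the test phase on a separate instance launched from the output AMI, so the same document covers both the build component and the test component slots in the recipe. Keep each check as a thrown error rather than a Write-Output line: only a non-zero exit or an exception fails the step.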

Storage (Volumes)—The root volume's device name, snapshot, and IOPS selections are not editable. However, you can change all the remaining settings, such as size. You can also add new volumes.

Specify storage device settings

Tags—Assign metadata to your recipe resource.

Finally, click Create recipe.

Create infrastructure configurations

Infrastructure configurations specify the infrastructure that EC2 Image Builder uses to build and test the image: the instance type, IAM instance profile, VPC, subnet, security groups, logging, and troubleshooting settings for the temporary build and test instances. They do not control the instances you later launch from the golden image.

To create an infrastructure configuration, do the following:

Navigate to the Infrastructure configurations section in the EC2 Image Builder console.

Click Create infrastructure configuration.

Infrastructure Configuration Console

On the new screen, specify the following:

General—Under this section, specify the following:

  • Name—Provide a descriptive name.
  • Description—Provide a description for the infrastructure configuration we're creating (optional).
  • IAM role—Select a role to associate with the instance profile. This role defines what permissions the build and test instances launched by EC2 Image Builder have in your account. They use it to download and execute your components, upload logs to CloudWatch, and perform any additional actions specified in your selected components.

Note: Create the IAM role before creating the infrastructure configuration. At a minimum, it needs the AWS managed policies EC2InstanceProfileForImageBuilder and AmazonSSMManagedInstanceCore; if you enable S3 logging, also grant s3:PutObject on the log bucket and prefix. Keep the role to that scope: every component you select runs with these permissions, so an over-permissioned build role turns a compromised or malicious component into a foothold in the account.

General infrastructure configurations

AWS infrastructure—In this section, specify the following:

  • Instance type—Select one or more instance types to customize your image.
  • SNS topic—Select an SNS topic to receive notifications and alerts from the EC2 Image Builder.

Note—Ensure that you have an SNS topic already created before creating the infrastructure configurations.

  • VPC—Specify the VPC, the subnet within the VPC, and the security groups.
  • Troubleshooting settings—Specify settings to troubleshoot failed builds: whether to terminate the instance on failure, an optional key pair to attach to the build instance, and an S3 bucket for the logs. Leaving a failed build instance running with a key pair attached is useful while you debug a component, but it is also a long-lived, partially hardened host in your VPC; switch termination on failure back on once the pipeline is stable.

Specify AWS infrastructure settings

Infrastructure tags—Assign metadata to the EC2 instance created during the build process.

Tags—Assign metadata to your infrastructure configuration resource.

Finally, click Create Infrastructure Configuration.

Create distribution settings

Distribution settings include specific regional settings for encryption, launch permissions, accounts that can launch the output AMI, the output AMI name, and license configurations.

To create a distribution setting, do the following:

Navigate to the Distribution settings section in the EC2 image Builder console.

Click Create distribution settings.

Distribution settings console

On the new screen, specify the following:

Image type—Select the image output type, either an AMI or a Docker image.

Specify image type

General—Specify a descriptive name and, optionally, add a description.

Region settings—The default region is displayed as Region 1 in the Region settings. Some settings for the default region are not open for editing. To add more regions for distribution, click Add Region. You can also publish the AMI to other AWS accounts by specifying target accounts, but you must create the EC2ImageBuilderDistributionCrossAccountRole role in all of the target accounts in the target regions and attach the Ec2ImageBuilderCrossAccountDistributionAccess managed policy to the role.

You can specify an Output AMI name, where the final output name is the provided name suffixed with a timestamp of when the AMI was built. If you do not specify a name, EC2 Image Builder appends the build timestamp to the recipe name. This ensures unique AMI names for each build.

You can grant access to specified AWS principals (AWS accounts, organizations, and organizational units) to launch instances from your AMI via AMI Sharing.

License configurations are a construct of AWS License Manager and contain licensing rules based on the terms of your enterprise agreements. You can attach them here to the images built with Image Builder; Image Builder also carries over any license configurations already associated with your AMI.

If you are using an EC2 launch template, you can instruct EC2 Image Builder to create a new version of your launch template that includes the latest AMI ID after the build completes.

Specify region settings

Output AMI tags—Assign metadata to your output AMI. The specified tags are applied to all selected regions.

Tags—Assign metadata to your distribution settings resource.

Finally, click Create settings.

Create an image pipeline

The image pipeline defines all aspects of the process of customizing images. It comprises the image recipe, infrastructure configuration, distribution, and test settings.

To create an image pipeline, do the following:

Navigate to the Image pipelines section in the EC2 image Builder console.

Click Create image pipeline.

Image Pipelines console

On the new screen, specify the following pipeline details:

General—Specify a descriptive name and, optionally, add a description.

Specify pipeline details

Build Schedule—You can schedule your pipeline job to run automatically using the Schedule builder or a cron expression, or you can run your job manually.


Configure pipeline scheduler options

Tags—Assign metadata to your image pipeline resource.

Then click Next.

On the next screen, choose a recipe. Select the recipe created earlier.

On the next screen, define the infrastructure configuration. Select the infrastructure configuration created earlier.

On the next screen, define the distribution settings. Select the distribution settings created earlier.

On the next screen, review your configuration, and then click Create pipeline.
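The four console procedures above (recipe, infrastructure configuration, distribution settings, pipeline) map one-to-one onto CloudFormation resources, and defining them as a template is how you would keep the golden-image pipeline itself reviewable and reproducible. The template below is an added example written for this article, not something the article or AWS ships. It assumes a Windows Server 2019 Amazon-managed base image and the Amazon-managed update-windows, amazon-cloudwatch-agent-windows and reboot-test-windows components, all referenced with the x.x.x auto-versioning wildcard, and takes the subnet, security group, log bucket and the account to share the AMI with as parameters; all names are illustrative. It also sets the options a click-through tends to leave at defaults: an encrypted root volume, IMDSv2 required on the build instance, termination on failure, and an instance role limited to the two managed policies Image Builder needs plus write access to the log prefix.

```yaml
# Added example: the article's four console steps as one CloudFormation template.
# Resource names, base image, component ARNs and schedule are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Description: Golden Windows AMI pipeline built with EC2 Image Builder
Parameters:
  SubnetId:         { Type: AWS::EC2::Subnet::Id }
  SecurityGroupId:  { Type: AWS::EC2::SecurityGroup::Id }
  LogBucket:        { Type: String }   # existing bucket for build logs
  ShareWithAccount: { Type: String }   # account ID allowed to launch the AMI
Resources:
  BuildInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:            # the two policies Image Builder requires, nothing broader
        - arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      Policies:
        - PolicyName: WriteBuildLogs  # needed only because S3 logging is enabled below
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:PutObject
                Resource: !Sub arn:aws:s3:::${LogBucket}/imagebuilder/*
  BuildInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref BuildInstanceRole]
  GoldenRecipe:                       # "Create an image recipe"
    Type: AWS::ImageBuilder::ImageRecipe
    Properties:
      Name: windows-golden
      Version: 1.0.0                  # bump this to change components; recipes are immutable
      ParentImage: !Sub arn:aws:imagebuilder:${AWS::Region}:aws:image/windows-server-2019-english-full-base-x86/x.x.x
      Components:
        - ComponentArn: !Sub arn:aws:imagebuilder:${AWS::Region}:aws:component/update-windows/x.x.x
        - ComponentArn: !Sub arn:aws:imagebuilder:${AWS::Region}:aws:component/amazon-cloudwatch-agent-windows/x.x.x
        - ComponentArn: !Sub arn:aws:imagebuilder:${AWS::Region}:aws:component/reboot-test-windows/x.x.x
      BlockDeviceMappings:
        - DeviceName: /dev/sda1       # Windows root device
          Ebs: { VolumeSize: 60, VolumeType: gp3, Encrypted: true, DeleteOnTermination: true }
  BuildInfra:                         # "Create infrastructure configurations"
    Type: AWS::ImageBuilder::InfrastructureConfiguration
    Properties:
      Name: windows-golden-infra
      InstanceProfileName: !Ref BuildInstanceProfile
      InstanceTypes: [m5.large]
      SubnetId: !Ref SubnetId
      SecurityGroupIds: [!Ref SecurityGroupId]
      TerminateInstanceOnFailure: true            # no lingering half-built hosts
      InstanceMetadataOptions: { HttpTokens: required, HttpPutResponseHopLimit: 1 }  # IMDSv2 only
      Logging:
        S3Logs: { S3BucketName: !Ref LogBucket, S3KeyPrefix: imagebuilder }
      ResourceTags: { Purpose: imagebuilder-build }
  Distribution:                       # "Create distribution settings"
    Type: AWS::ImageBuilder::DistributionConfiguration
    Properties:
      Name: windows-golden-dist
      Distributions:
        - Region: !Ref AWS::Region
          AmiDistributionConfiguration:
            Name: 'windows-golden-{{ imagebuilder:buildDate }}'  # unique name per build
            AmiTags: { Source: imagebuilder, Recipe: windows-golden }
            LaunchPermissionConfiguration:
              UserIds: [!Ref ShareWithAccount]
  Pipeline:                           # "Create an image pipeline"
    Type: AWS::ImageBuilder::ImagePipeline
    Properties:
      Name: windows-golden-pipeline
      ImageRecipeArn: !Ref GoldenRecipe
      InfrastructureConfigurationArn: !Ref BuildInfra
      DistributionConfigurationArn: !Ref Distribution
      Status: ENABLED
      ImageTestsConfiguration: { ImageTestsEnabled: true, TimeoutMinutes: 90 }
      Schedule:
        ScheduleExpression: cron(0 3 ? * SUN *)   # weekly, Sunday 03:00 UTC
        PipelineExecutionStartCondition: EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE
```

The start condition is the piece worth noticing: with EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE the weekly run only produces a new AMI when the base image or a component referenced with x.x.x has a newer version, so the pipeline tracks upstream patches without minting identical images every week. Sharing via UserIds publishes the AMI to the other account but does not copy it there; for the copy-into-account model, use TargetAccountIds and the cross-account role described in the distribution settings section.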

Conclusion

In this article, we've reviewed how to build your golden VM images on AWS using EC2 Image Builder. If you have any further questions, please mention them in the comments.


DISCLAIMER: This article represents my own viewpoints, not those of my employer, Amazon Web Services.


© 4sysops 2006 - 2023
