Merge pull request #355 from cisagov/improvement/specify-architecture…

…s-as-separate-filter Build both ARM64 and x86-64 AMIs
cisagov · Aug 12, 2024 · d44181d · d44181d
2 parents 6334bf2 + f161416
commit d44181d
Show file tree

Hide file tree

Showing 8 changed files with 179 additions and 23 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -238,6 +238,12 @@ jobs:
       - lint
       - test
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        architecture:
+          - arm64
+          - x86_64
     steps:
       - id: harden-runner
         name: Harden the runner
@@ -315,7 +321,8 @@ jobs:
         # This runs through the AMI creation process but does not
         # actually create an AMI
         run: |
-          packer build -timestamp-ui \
+          packer build -only amazon-ebs.${{ matrix.architecture }} \
+            -timestamp-ui \
             -var skip_create_ami=true \
             src/packer.pkr.hcl
       - name: Remove /usr/bin/python3 symlink to the installed Python

diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -33,6 +33,12 @@ jobs:
     needs:
       - diagnostics
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        architecture:
+          - arm64
+          - x86_64
     steps:
       - id: harden-runner
         name: Harden the runner
@@ -108,7 +114,8 @@ jobs:
         run: packer init src
       - name: Create machine image
         run: |
-          packer build -timestamp-ui \
+          packer build -only amazon-ebs.${{ matrix.architecture }} \
+            -timestamp-ui \
             -var is_prerelease=${{ github.event.release.prerelease }} \
             -var release_tag=${{ github.event.release.tag_name }} \
             -var release_url=${{ github.event.release.html_url }} \

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -40,6 +40,12 @@ jobs:
     needs:
       - diagnostics
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        architecture:
+          - arm64
+          - x86_64
     steps:
       - id: harden-runner
         name: Harden the runner
@@ -123,7 +129,8 @@ jobs:
         run: packer init src
       - name: Create machine image
         run: |
-          packer build -timestamp-ui \
+          packer build -only amazon-ebs.${{ matrix.architecture }} \
+            -timestamp-ui \
             -var is_prerelease=${{ github.event.release.prerelease }} \
             -var release_tag=${{ github.event.release.tag_name }} \
             -var release_url=${{ github.event.release.html_url }} \

diff --git a/src/packer.pkr.hcl b/src/packer.pkr.hcl
@@ -63,8 +63,21 @@ variable "skip_create_ami" {
   type        = bool
 }
 
-data "amazon-ami" "debian_bookworm" {
+data "amazon-ami" "debian_bookworm_arm64" {
   filters = {
+    architecture        = "arm64"
+    name                = "debian-12-arm64-*"
+    root-device-type    = "ebs"
+    virtualization-type = "hvm"
+  }
+  most_recent = true
+  owners      = ["136693071363"]
+  region      = var.build_region
+}
+
+data "amazon-ami" "debian_bookworm_x86_64" {
+  filters = {
+    architecture        = "x86_64"
     name                = "debian-12-amd64-*"
     root-device-type    = "ebs"
     virtualization-type = "hvm"
@@ -76,7 +89,51 @@ data "amazon-ami" "debian_bookworm" {
 
 locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") }
 
-source "amazon-ebs" "example" {
+source "amazon-ebs" "arm64" {
+  ami_name                    = "example-hvm-${local.timestamp}-arm64-ebs"
+  ami_regions                 = var.ami_regions
+  associate_public_ip_address = true
+  encrypt_boot                = true
+  instance_type               = "t4g.small"
+  kms_key_id                  = var.build_region_kms
+  launch_block_device_mappings {
+    delete_on_termination = true
+    device_name           = "/dev/xvda"
+    encrypted             = true
+    volume_size           = 8
+    volume_type           = "gp3"
+  }
+  region             = var.build_region
+  region_kms_key_ids = var.region_kms_keys
+  skip_create_ami    = var.skip_create_ami
+  source_ami         = data.amazon-ami.debian_bookworm_arm64.id
+  ssh_username       = "admin"
+  subnet_filter {
+    filters = {
+      "tag:Name" = "AMI Build"
+    }
+  }
+  tags = {
+    Application        = "Example"
+    Architecture       = "arm64"
+    Base_AMI_Name      = data.amazon-ami.debian_bookworm_arm64.name
+    GitHub_Release_URL = var.release_url
+    OS_Version         = "Debian Bookworm"
+    Pre_Release        = var.is_prerelease
+    Release            = var.release_tag
+    Team               = "VM Fusion - Development"
+  }
+  # Many Linux distributions are now disallowing the use of RSA keys,
+  # so it makes sense to use an ED25519 key instead.
+  temporary_key_pair_type = "ed25519"
+  vpc_filter {
+    filters = {
+      "tag:Name" = "AMI Build"
+    }
+  }
+}
+
+source "amazon-ebs" "x86_64" {
   ami_name                    = "example-hvm-${local.timestamp}-x86_64-ebs"
   ami_regions                 = var.ami_regions
   associate_public_ip_address = true
@@ -93,7 +150,7 @@ source "amazon-ebs" "example" {
   region             = var.build_region
   region_kms_key_ids = var.region_kms_keys
   skip_create_ami    = var.skip_create_ami
-  source_ami         = data.amazon-ami.debian_bookworm.id
+  source_ami         = data.amazon-ami.debian_bookworm_x86_64.id
   ssh_username       = "admin"
   subnet_filter {
     filters = {
@@ -102,7 +159,8 @@ source "amazon-ebs" "example" {
   }
   tags = {
     Application        = "Example"
-    Base_AMI_Name      = data.amazon-ami.debian_bookworm.name
+    Architecture       = "x86_64"
+    Base_AMI_Name      = data.amazon-ami.debian_bookworm_x86_64.name
     GitHub_Release_URL = var.release_url
     OS_Version         = "Debian Bookworm"
     Pre_Release        = var.is_prerelease
@@ -120,7 +178,10 @@ source "amazon-ebs" "example" {
 }
 
 build {
-  sources = ["source.amazon-ebs.example"]
+  sources = [
+    "source.amazon-ebs.arm64",
+    "source.amazon-ebs.x86_64",
+  ]
 
   provisioner "ansible" {
     playbook_file = "src/upgrade.yml"

diff --git a/src/version.txt b/src/version.txt
@@ -1 +1 @@
-__version__ = "1.0.1"
+__version__ = "2.0.0"
diff --git a/terraform-post-packer/main.tf b/terraform-post-packer/main.tf
@@ -24,34 +24,92 @@ locals {
   account_name_regex  = format("^env[[:digit:]]+ \\(%s\\)$", local.images_account_type)
 }
 
-# The IDs of all cisagov/skeleton-packer AMIs
-data "aws_ami_ids" "historical_amis" {
+# The IDs of all ARM64 cisagov/skeleton-packer AMIs
+data "aws_ami_ids" "historical_amis_arm64" {
+  owners = [data.aws_caller_identity.images.account_id]
+
+  filter {
+    name   = "architecture"
+    values = ["arm64"]
+  }
+
   filter {
-    name = "name"
-    values = [
-      "example-hvm-*-x86_64-ebs",
-    ]
+    name   = "name"
+    values = ["example-hvm-*-arm64-ebs"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
   }
 
   filter {
     name   = "virtualization-type"
     values = ["hvm"]
   }
+}
+
+# Assign launch permissions to the ARM64 AMIs
+module "ami_launch_permission_arm64" {
+  # Really we only want the var.recent_ami_count most recent AMIs, but
+  # we have to cover the case where there are fewer than that many
+  # AMIs in existence.  Hence the min()/length() tomfoolery.
+  for_each = toset(slice(data.aws_ami_ids.historical_amis_arm64.ids, 0, min(var.recent_ami_count, length(data.aws_ami_ids.historical_amis_arm64.ids))))
+
+  source = "github.com/cisagov/ami-launch-permission-tf-module"
+
+  providers = {
+    aws        = aws
+    aws.master = aws.master
+  }
+
+  account_name_regex   = local.account_name_regex
+  ami_id               = each.value
+  extraorg_account_ids = var.extraorg_account_ids
+}
+
+# The IDs of all x86-64 cisagov/skeleton-packer AMIs
+data "aws_ami_ids" "historical_amis_x86_64" {
+  owners = [data.aws_caller_identity.images.account_id]
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+
+  filter {
+    name   = "name"
+    values = ["example-hvm-*-x86_64-ebs"]
+  }
 
   filter {
     name   = "root-device-type"
     values = ["ebs"]
   }
 
-  owners = [data.aws_caller_identity.images.account_id]
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+}
+
+# This moved block allows us to rename the resources at
+# aws_ami_ids.historical_amis to aws_ami_ids.historical_amis_x86_64
+# instead of destroying and recreating them with a new name.
+#
+# TODO: Consider removing this moved block when it is no longer
+# needed.  See cisagov/skeleton-packer#369 for more details.
+moved {
+  from = aws_ami_ids.historical_amis
+  to   = aws_ami_ids.historical_amis_x86_64
 }
 
-# Assign launch permissions to the AMI
-module "ami_launch_permission" {
+# Assign launch permissions to the x86-64 AMIs
+module "ami_launch_permission_x86_64" {
   # Really we only want the var.recent_ami_count most recent AMIs, but
   # we have to cover the case where there are fewer than that many
   # AMIs in existence.  Hence the min()/length() tomfoolery.
-  for_each = toset(slice(data.aws_ami_ids.historical_amis.ids, 0, min(var.recent_ami_count, length(data.aws_ami_ids.historical_amis.ids))))
+  for_each = toset(slice(data.aws_ami_ids.historical_amis_x86_64.ids, 0, min(var.recent_ami_count, length(data.aws_ami_ids.historical_amis_x86_64.ids))))
 
   source = "github.com/cisagov/ami-launch-permission-tf-module"
 
@@ -64,3 +122,14 @@ module "ami_launch_permission" {
   ami_id               = each.value
   extraorg_account_ids = var.extraorg_account_ids
 }
+
+# This moved block allows us to rename the resources at
+# module.ami_launch_permission to module.ami_launch_permission_x86_64
+# instead of destroying and recreating them with a new name.
+#
+# TODO: Consider removing this moved block when it is no longer
+# needed.  See cisagov/skeleton-packer#369 for more details.
+moved {
+  from = module.ami_launch_permission
+  to   = module.ami_launch_permission_x86_64
+}
diff --git a/terraform-post-packer/outputs.tf b/terraform-post-packer/outputs.tf
@@ -1,4 +1,9 @@
-output "launch_permissions" {
-  value       = module.ami_launch_permission
-  description = "The cisagov/ami-launch-permission-tf-module for each AMI to which launch permission is being granted."
+output "launch_permissions_arm64" {
+  value       = module.ami_launch_permission_arm64
+  description = "The cisagov/ami-launch-permission-tf-module for each ARM64 AMI to which launch permission is being granted."
+}
+
+output "launch_permissions_x86_64" {
+  value       = module.ami_launch_permission_x86_64
+  description = "The cisagov/ami-launch-permission-tf-module for each x86_64 AMI to which launch permission is being granted."
 }
diff --git a/terraform-post-packer/variables.tf b/terraform-post-packer/variables.tf
@@ -12,6 +12,6 @@ variable "extraorg_account_ids" {
 
 variable "recent_ami_count" {
   default     = 12
-  description = "The number of most-recent AMIs for which to grant launch permission (e.g. \"3\").  If this variable is set to three, for example, then accounts will be granted permission to launch the three most recent AMIs (or all most recent AMIs, if there are only one or two of them in existence)."
+  description = "The number of most-recent AMIs (per architecture) for which to grant launch permission (e.g. \"3\").  If this variable is set to three, for example, then accounts will be granted permission to launch the three most recent AMIs (or all most recent AMIs, if there are only one or two of them in existence)."
   type        = number
 }