Make AWS AMI's accessible by the public

Fixes: containers#191 On at least two occasions I can remember, users outside the containers-team have requested access to our CI VM images. Unfortunately doing this for the GCE images has some security-interest conflicts with our build automation. However, making the AWS AMI's public is rather easy to do. In fact it's the default unless they are specifically locked down. Simply remove the private restrictions and allow access to `"all"` AWS groups. Signed-off-by: Chris Evich <cevich@redhat.com>
cevich · Dec 7, 2022 · 1ae4d54 · 1ae4d54
1 parent 4f2c152
commit 1ae4d54
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 10 deletions.
diff --git a/base_images/cloud.yml b/base_images/cloud.yml
@@ -110,9 +110,9 @@ builders:
       type: 'amazon-ebs'
       source_ami_filter:  # Will fail if >1 or no AMI found
         owners:
-            # Docs are wrong, specifying the Account ID required to make AMIs private.
-            # The Account ID is hard-coded here out of expediency, since passing in
-            # more packer args from the command-line (in Makefile) is non-trivial.
+            # Docs are wrong, specifying the Account ID required to search only for
+            # our own imported AMIs. The Account ID is hard-coded here out of
+            # expediency.
             - &accountid '449134212816'
         # It's necessary to 'search' for the base-image by these criteria.  If
         # more than one image is found, Packer will fail the build (and display
@@ -156,10 +156,7 @@ builders:
       run_tags: *awstags
       run_volume_tags: *awstags
       snapshot_tags: *awstags
-      # This is necessary for security - The CI service accounts are not permitted
-      # to use AMI's from any other account, including public ones.
-      ami_users:
-        - *accountid
+      ami_groups: ["all"]  # Make resulting AMI publically accessable to all users
       ssh_username: 'fedora'
       ssh_clear_authorized_keys: true
       # N/B: Required Packer >= 1.8.0

diff --git a/cache_images/cloud.yml b/cache_images/cloud.yml
@@ -124,9 +124,7 @@ builders:
       run_tags: *ami_tags
       run_volume_tags: *ami_tags
       snapshot_tags: *ami_tags
-      # Also required to make AMI private
-      ami_users:
-        - *accountid
+      ami_groups: ["all"]  # Make resulting AMI publically accessable to all users
       ssh_username: 'root'
       ssh_clear_authorized_keys: true
       # N/B: Required Packer >= 1.8.0