Include only AMI's owned by caller during pre-validate #354
Conversation
|
|
There was a problem hiding this comment.
Hi @cartermckinnon,
Out of curiosity, have you tested the change on your environment?
This seems harmless, but I just want to make sure this works as intended before we merge it and release a new version of the plugin.
Outside of this check, this change looks good to me, I'm pre-approving this PR, and we can merge it once we've had confirmation.
Thanks again for the fix!
|
I've tested the following scenarios:
Without this change, both scenarios fail on the pre-validation step, because With this change, both scenarios succeed and an AMI named I tested this by building this branch locally ( Then I used |
|
Sounds good, thanks for the confirmation @cartermckinnon! I'll merge this now. |
I maintain the EKS-optimized AMI, and as a result I build a lot of AMI's. 😄
Our current naming convention for AMI's uses a date of the form
YYYYMMDD. For better or worse, that's what we do. We have internal processes that build AMI's using this naming convention, and subsequently grant permissions for those AMI's to various other AWS accounts.The pre-validate step in the
amazon-ebsbuilder will fail if any existing AMI returned by aec2.DescribeImagescall uses the proposed name. This makes sense, because the laterec2.CreateImagecall will fail with aInvalidAMIName.Duplicatecode if there is such a collision, after we've already executed the time-consuming steps.But, this
ec2.CreateImageerror only occurs when the caller has an existing AMI with the same name, whereas the pre-validate step currently fails even when an existing AMI that the caller has launch permissions for uses the same name (including public AMI's).This PR modifies the pre-validate step to only check for existing AMI's that are owned by the caller.