ImageBuilder: Image (CfnImage) do not clean generated AMI on destroy

[mhtrinhLIC]

I previously open the issue #21431

The proposed solution by @peterwoodworth did not solve the issue

cfn_image.cfn_options.deletion_policy = cdk.CfnDeletionPolicy.DELETE

Here is an example code :

class CfnAmi(Stack):
    def __init__(self, scope: Construct, id: str,
                 **kwargs) -> None:
        super().__init__(scope, id,
                        description="Test: ami ",
                        **kwargs)
        stack=id+"-"
        workingDir="/tmp"
        
        # Ec2 builder role and instance profile
        role = iam.Role(self, "amiBuilderRole", 
                        assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"),
                        )
        role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore"))
        role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("EC2InstanceProfileForImageBuilder"))
          
        insProfileName=f"{stack}InstanceProfile"
        instanceProfile = iam.CfnInstanceProfile(self, "MyCfnInstanceProfile",
            roles=[role.role_name],
            instance_profile_name=insProfileName,
        )        
        
        
        # Image Builder Infrastructure configuration
        self.infra = imagebuilder.CfnInfrastructureConfiguration(self, "Infra",
            instance_profile_name=instanceProfile.instance_profile_name,
            name=id+"InfraConfig",
            # the properties below are optional
            instance_types=["t2.micro"],            
        )
        
        # Force the dependencies. For some reason it fails to do it itself !!!
        # Using instanceProfile.instance_profile_name is not enough for some reason ...
        self.infra.add_depends_on(instanceProfile)
        
        
        self.recipe = imagebuilder.CfnImageRecipe(self, "MyCfnImageRecipe",
            components=[{"componentArn":"arn:aws:imagebuilder:ap-southeast-2:aws:component/aws-cli-version-2-linux/x.x.x"}],
            name=stack+"ImageRecipeUniq",
            
            parent_image="arn:aws:imagebuilder:ap-southeast-2:aws:image/ubuntu-server-20-lts-x86/x.x.x",
            version="1.0.0",
            working_directory=workingDir,
            block_device_mappings=[imagebuilder.CfnImageRecipe.InstanceBlockDeviceMappingProperty(
                device_name="/dev/sda1",
                ebs=imagebuilder.CfnImageRecipe.EbsInstanceBlockDeviceSpecificationProperty(                    
                    volume_size=8,
                    volume_type="gp2"
                ),
            )],            
        )
        
        # Construct responsible to triggering image build
        cfn_image = imagebuilder.CfnImage(self, "MyCfnImage",
            infrastructure_configuration_arn=self.infra.attr_arn,

            # the properties below are optional
            enhanced_image_metadata_enabled=False,
            image_recipe_arn=self.recipe.attr_arn,
            image_tests_configuration=imagebuilder.CfnImage.ImageTestsConfigurationProperty(
                image_tests_enabled=False,
                timeout_minutes=60
            ),
        )

        cfn_image.cfn_options.deletion_policy = cdk.CfnDeletionPolicy.DELETE
        
        CfnOutput(self,"ami id",value=cfn_image.attr_image_id)

Once deployed, an AMI will be available (after about 30min).
Then delete the stack : all resources are deleted except for the AMI (and the associated snapshot).
I am expecting that all resource created by the stack should be deleted, including the AMI.

[peterwoodworth]

Can you share the section of the template which defines the Image please?

[mhtrinhLIC]

Here is the output of cdk synth:

Description: "Test: ami "
Resources:
  amiBuilderRole8466FD89:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/AmazonSSMManagedInstanceCore
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/EC2InstanceProfileForImageBuilder
    Metadata:
      aws:cdk:path: test-stack/amiBuilderRole/Resource
  MyCfnInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - Ref: amiBuilderRole8466FD89
      InstanceProfileName: test-stack-InstanceProfile
    Metadata:
      aws:cdk:path: test-stack/MyCfnInstanceProfile
  Infra:
    Type: AWS::ImageBuilder::InfrastructureConfiguration
    Properties:
      InstanceProfileName: test-stack-InstanceProfile
      Name: test-stackInfraConfig
      InstanceTypes:
        - t2.micro
    DependsOn:
      - MyCfnInstanceProfile
    Metadata:
      aws:cdk:path: test-stack/Infra
  MyCfnImageRecipe:
    Type: AWS::ImageBuilder::ImageRecipe
    Properties:
      Components:
        - ComponentArn: arn:aws:imagebuilder:ap-southeast-2:aws:component/aws-cli-version-2-linux/x.x.x
      Name: test-stack-ImageRecipeUniq
      ParentImage: arn:aws:imagebuilder:ap-southeast-2:aws:image/ubuntu-server-20-lts-x86/x.x.x
      Version: 1.0.0
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 8
            VolumeType: gp2
      WorkingDirectory: /tmp
    Metadata:
      aws:cdk:path: test-stack/MyCfnImageRecipe
  MyCfnImage:
    Type: AWS::ImageBuilder::Image
    Properties:
      InfrastructureConfigurationArn:
        Fn::GetAtt:
          - Infra
          - Arn
      EnhancedImageMetadataEnabled: false
      ImageRecipeArn:
        Fn::GetAtt:
          - MyCfnImageRecipe
          - Arn
      ImageTestsConfiguration:
        ImageTestsEnabled: false
        TimeoutMinutes: 60
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: test-stack/MyCfnImage
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/z2NzQrCMBCEn8V7Gq0ieO/JkyU+gKTppq5tk7LZIBLy7mr8OQ3z8TGzlfta1it9D5Xpx2rCTqYzazOKF7ok1LNMyk8gGut+eXSBtTPQkrc4QRY46wG6iFMPJFMxLOnAFA1HgsY7i0MkzehdGXj7Cgwu8K85CwXBRzKFnSIvkcvrl2bRPvjq3XonD7LerG4BsaLoGGeQ6pNPxxszyM4AAAA=
    Metadata:
      aws:cdk:path: test-stack/CDKMetadata/Default
Outputs:
  amiid:
    Value:
      Fn::GetAtt:
        - MyCfnImage
        - ImageId
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Rules:
  CheckBootstrapVersion:
    Assertions:
      - Assert:
          Fn::Not:
            - Fn::Contains:
                - - "1"
                  - "2"
                  - "3"
                  - "4"
                  - "5"
                - Ref: BootstrapVersion
        AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.

[peterwoodworth]

OK Thanks for this @mhtrinhLIC. I think this is a bug with CloudFormation/ImageBuilder. I will report this internally P77739395 and get back to you

[peterwoodworth]

I'm told that this is how the service works. The ImageBuilder service outputs an AMI which is an EC2 resource. ImageBuilder service policy doesn't allow for deleting AMI, so the generated AMI cannot be deleted this way. If you do wish to delete the AMI with CDK, I would suggest creating an AwsCustomResource which makes use of the deregisterImage API call

[mhtrinhLIC]

In that case, is it possible to have this information written somewhere in the documentation ? Because this is not intuitive for the end user.

[peterwoodworth]

We only generate this documentation. I've requested that they clarify this in the documentation, so that we can have better documentation on our end as well. Thanks!

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.