AMI builds private by default

petetomasik · petetomasik · commit b06e1642e73d · 2025-08-19T11:52:01.000-04:00
diff --git a/.buildkite/pipeline.yaml b/.buildkite/pipeline.yaml
@@ -56,6 +56,8 @@ steps:
     command: .buildkite/steps/packer.sh windows
     timeout_in_minutes: 60
     retry: { automatic: { limit: 3 } }
+    env:
+      AMI_PUBLIC: true
     agents:
       queue: "${BUILDKITE_AGENT_META_DATA_QUEUE}"
     depends_on:
@@ -122,6 +124,8 @@ steps:
     command: .buildkite/steps/packer.sh linux
     timeout_in_minutes: 60
     retry: { automatic: { limit: 3 } }
+    env:
+      AMI_PUBLIC: true
     agents:
       queue: "${BUILDKITE_AGENT_META_DATA_QUEUE}"
     depends_on:
@@ -187,6 +191,8 @@ steps:
     command: .buildkite/steps/packer.sh linux arm64
     timeout_in_minutes: 60
     retry: { automatic: { limit: 3 } }
+    env:
+      AMI_PUBLIC: true
     agents:
       queue: "${BUILDKITE_AGENT_META_DATA_QUEUE}"
     depends_on:
diff --git a/Makefile b/Makefile
@@ -20,6 +20,13 @@ WIN64_INSTANCE_TYPE ?= m7i.xlarge
 BUILDKITE_BUILD_NUMBER ?= none
 BUILDKITE_PIPELINE_DEFAULT_BRANCH ?= main
 
+# AMI visibility configuration
+AMI_PUBLIC ?= false
+AMI_USERS ?=
+
+# Convert comma-separated AMI_USERS to JSON array format
+AMI_USERS_JSON = $(if $(AMI_USERS),[$(shell echo '$(AMI_USERS)' | $(SED) 's/[^,][^,]*/"&"/g')],[])
+
 IS_RELEASED ?= false
 ifeq ($(BUILDKITE_BRANCH),$(BUILDKITE_PIPELINE_DEFAULT_BRANCH))
 	IS_RELEASED = true
@@ -109,6 +116,8 @@ packer-linux-amd64.output: $(PACKER_LINUX_FILES) build/fix-perms-linux-amd64
 			-var 'instance_type=$(AMD64_INSTANCE_TYPE)' \
 			-var 'build_number=$(BUILDKITE_BUILD_NUMBER)' \
 			-var 'is_released=$(IS_RELEASED)' \
+			-var 'ami_public=$(AMI_PUBLIC)' \
+			-var 'ami_users=$(AMI_USERS_JSON)' \
 			buildkite-ami.pkr.hcl | tee $@
 
 build/linux-arm64-ami.txt: packer-linux-arm64.output env-AWS_REGION
@@ -144,6 +153,8 @@ packer-linux-arm64.output: $(PACKER_LINUX_FILES) build/fix-perms-linux-arm64
 			-var 'build_number=$(BUILDKITE_BUILD_NUMBER)' \
 			-var 'is_released=$(IS_RELEASED)' \
 			-var 'agent_version=$(CURRENT_AGENT_VERSION_LINUX)' \
+			-var 'ami_public=$(AMI_PUBLIC)' \
+			-var 'ami_users=$(AMI_USERS_JSON)' \
 			buildkite-ami.pkr.hcl | tee $@
 
 build/windows-amd64-ami.txt: packer-windows-amd64.output env-AWS_REGION
@@ -171,6 +182,8 @@ packer-windows-amd64.output: $(PACKER_WINDOWS_FILES)
 			-var 'build_number=$(BUILDKITE_BUILD_NUMBER)' \
 			-var 'is_released=$(IS_RELEASED)' \
 			-var 'agent_version=$(CURRENT_AGENT_VERSION_WINDOWS)' \
+			-var 'ami_public=$(AMI_PUBLIC)' \
+			-var 'ami_users=$(AMI_USERS_JSON)' \
 			buildkite-ami.pkr.hcl | tee $@
 
 # -----------------------------------------
diff --git a/packer/linux/buildkite-ami.pkr.hcl b/packer/linux/buildkite-ami.pkr.hcl
@@ -37,6 +37,18 @@ variable "is_released" {
   default = false
 }
 
+variable "ami_public" {
+  type        = bool
+  description = "Whether to make the AMI publicly available to all AWS users. Defaults to false for security."
+  default     = false
+}
+
+variable "ami_users" {
+  type        = list(string)
+  description = "List of AWS account IDs that should have access to the AMI when ami_public is false."
+  default     = []
+}
+
 data "amazon-ami" "al2023" {
   filters = {
     architecture        = var.arch
@@ -50,7 +62,8 @@ data "amazon-ami" "al2023" {
 
 source "amazon-ebs" "elastic-ci-stack-ami" {
   ami_description                           = "Buildkite Elastic Stack (Amazon Linux 2023 w/ docker)"
-  ami_groups                                = ["all"]
+  ami_groups                                = var.ami_public ? ["all"] : ["self"]
+  ami_users                                 = var.ami_public ? [] : var.ami_users
   ami_name                                  = "buildkite-stack-linux-${var.arch}-${replace(timestamp(), ":", "-")}"
   instance_type                             = var.instance_type
   region                                    = var.region
diff --git a/packer/windows/buildkite-ami.pkr.hcl b/packer/windows/buildkite-ami.pkr.hcl
@@ -37,6 +37,18 @@ variable "is_released" {
   default = false
 }
 
+variable "ami_public" {
+  type        = bool
+  description = "Whether to make the AMI publicly available to all AWS users. Defaults to false for security."
+  default     = false
+}
+
+variable "ami_users" {
+  type        = list(string)
+  description = "List of AWS account IDs that should have access to the AMI when ami_public is false."
+  default     = []
+}
+
 data "amazon-ami" "windows-server-2022" {
   filters = {
     name                = "Windows_Server-2022-English-Full-Base-*"
@@ -49,7 +61,8 @@ data "amazon-ami" "windows-server-2022" {
 
 source "amazon-ebs" "elastic-ci-stack" {
   ami_description = "Buildkite Elastic Stack (Windows Server 2022 w/ docker)"
-  ami_groups      = ["all"]
+  ami_groups      = var.ami_public ? ["all"] : ["self"]
+  ami_users       = var.ami_public ? [] : var.ami_users
   ami_name        = "buildkite-stack-windows-${replace(timestamp(), ":", "-")}"
   communicator    = "winrm"
   instance_type   = var.instance_type
