├── .github ├── CODEOWNERS ├── ISSUE_TEMPLATE.md ├── PULL_REQUEST_TEMPLATE.md ├── dependabot.yml └── workflows │ ├── gitsecrets.yml │ ├── initiaterelease.yml │ ├── manualtrigger.yml │ └── static.yml ├── .gitignore ├── CHANGELOG.md ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── Makefile ├── NOTICE ├── NVIDA_DRIVER_VERSION ├── README.md ├── additional-packages └── .gitignore ├── al1.pkr.hcl ├── al2.pkr.hcl ├── al2023.pkr.hcl ├── al2023arm.pkr.hcl ├── al2023gpu.pkr.hcl ├── al2023neu.pkr.hcl ├── al2arm.pkr.hcl ├── al2gpu.pkr.hcl ├── al2inf.pkr.hcl ├── al2keplergpu.pkr.hcl ├── al2kernel5dot10.pkr.hcl ├── al2kernel5dot10arm.pkr.hcl ├── al2kernel5dot10gpu.pkr.hcl ├── al2kernel5dot10inf.pkr.hcl ├── files ├── 29-ecs-banner-begin.sh.amzn2 ├── 31-ecs-banner-finish.sh.amzn2 ├── 69-available-updates-begin.sh.amzn2 ├── 71-available-updates-finish.sh.amzn2 ├── 90_ecs.cfg.amzn2 ├── al1 │ ├── 90_ecs.cfg │ └── ecs-custom-motd ├── amazon-ssm-agent.gpg └── repos │ └── amzn2-extras.repo ├── generate-release-notes.sh ├── generate-release-vars.sh ├── release-al1.auto.pkrvars.hcl ├── release-al2.auto.pkrvars.hcl ├── release-al2023.auto.pkrvars.hcl ├── scripts ├── al1 │ ├── check-ownership.sh │ ├── configure-docker-storage-setup.sh │ ├── unlock-releasever.sh │ └── user_data.sh ├── al2 │ ├── install-kernel5dot10.sh │ └── reboot-for-kernel-upgrade.sh ├── al2023 │ └── setup-motd.sh ├── append-efs-client-info.sh ├── check-update-security.sh ├── check-update.sh ├── cleanup.sh ├── enable-ecs-agent-gpu-support-al2023.sh ├── enable-ecs-agent-gpu-support.sh ├── enable-ecs-agent-inferentia-support.sh ├── enable-services.sh ├── install-additional-packages.sh ├── install-docker.sh ├── install-ecs-init.sh ├── install-exec-dependencies.sh ├── install-service-connect-appnet.sh └── setup-ecs-config-dir.sh └── variables.pkr.hcl /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # 
https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners 2 | 3 | # These owners will be the default owners for everything in 4 | # the repo. Unless a later match takes precedence, these accounts 5 | # will be requested for review when someone opens a pull request. 6 | * @aws/aws-ecs-agent -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 10 | 11 | 12 | ### Summary 13 | 14 | 15 | 16 | ### Description 17 | 18 | 19 | 20 | 21 | 22 | ### Expected Behavior 23 | 24 | 25 | ### Observed Behavior 26 | 27 | 28 | ### Environment Details 29 | 35 | 36 | 37 | ### Supporting Log Snippets 38 | 46 | 47 | 48 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | ### Summary 9 | 10 | 11 | ### Implementation details 12 | 13 | 14 | ### Testing 15 | 16 | 27 | 28 | New tests cover the changes: 29 | 30 | ### Description for the changelog 31 | 37 | 38 | ### Licensing 39 | 40 | By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 
41 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: "github-actions" 4 | directory: ".github/workflows" 5 | schedule: 6 | interval: weekly 7 | time: "00:00" 8 | open-pull-requests-limit: 1 9 | target-branch: "main" 10 | -------------------------------------------------------------------------------- /.github/workflows/gitsecrets.yml: -------------------------------------------------------------------------------- 1 | name: GitSecretsScan 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | git-secret-check: 7 | name: Git Secrets Scan 8 | runs-on: ubuntu-latest 9 | steps: 10 | - uses: actions/checkout@v4 11 | with: 12 | path: src/github.com/aws/amazon-ecs-ami 13 | - name: Git Secrets Scan Script 14 | run: | 15 | # workaround git-secrets requiring the say command: https://github.com/awslabs/git-secrets/pull/221 16 | ln -s "$(which echo)" /usr/local/bin/say 17 | set -ex 18 | cd $GITHUB_WORKSPACE 19 | git clone https://github.com/awslabs/git-secrets.git && cd git-secrets 20 | sudo make install 21 | git secrets --register-aws --global 22 | cd $GITHUB_WORKSPACE/src/github.com/aws/amazon-ecs-ami 23 | git secrets --install 24 | git secrets --register-aws 25 | git secrets --scan-history 26 | -------------------------------------------------------------------------------- /.github/workflows/initiaterelease.yml: -------------------------------------------------------------------------------- 1 | name: InitiateRelease 2 | 3 | on: 4 | workflow_dispatch: 5 | schedule: 6 | - cron: 0 18 * * 1-5 7 | 8 | jobs: 9 | GenerateConfig: 10 | runs-on: ubuntu-latest 11 | outputs: 12 | stage_exit_code: ${{ steps.stage.outputs.stage_exit_code }} 13 | push_exit_code: ${{ steps.push.outputs.push_exit_code }} 14 | pr_exit_code: ${{ steps.pr.outputs.pr_exit_code }} 15 | permissions: 16 | id-token: write 17 | 
contents: write 18 | pull-requests: write 19 | env: 20 | IAM_INSTANCE_PROFILE_ARN: ${{ secrets.IAM_INSTANCE_PROFILE_ARN }} 21 | GH_TOKEN: ${{ github.token }} 22 | steps: 23 | - name: Checkout 24 | uses: actions/checkout@v4 25 | - name: Create Release Branch 26 | run: | 27 | date=$(date '+%Y%m%d') 28 | git checkout -b release-${date} 29 | - name: Install xmllint 30 | run: | 31 | # generate-release-vars.sh depends on these packages 32 | sudo apt-get update && sudo apt-get install libxml2-utils 33 | - name: Configure AWS Credentials 34 | uses: aws-actions/configure-aws-credentials@v4 35 | with: 36 | role-to-assume: ${{ secrets.AMI_GENERATE_CONFIG_ROLE }} 37 | aws-region: us-west-2 38 | - name: Configure Bot Alias 39 | run: | 40 | git config --global user.name "GenerateConfig Action" 41 | git config --global user.email "gcaction@github.com" 42 | - name: Check AL2 Update 43 | run: ./scripts/check-update.sh al2 44 | - name: Check AL2023 Update 45 | run: ./scripts/check-update.sh al2023 46 | - name: Check for changes 47 | id: stage 48 | run: | 49 | # Git diff returns exit code of 1 when there is a change staged 50 | # We need the set statements to prevent erroring out 51 | set +e 52 | git diff --cached --quiet 53 | echo "stage_exit_code=$?" >> "$GITHUB_OUTPUT" 54 | set -e 55 | - name: Commit and Push Changes 56 | id: push 57 | if: ${{ steps.stage.outputs.stage_exit_code == 1 }} 58 | run: | 59 | date=$(date '+%Y%m%d') 60 | git commit -m "Release ${date}" 61 | git status 62 | git push --set-upstream origin release-${date} 63 | echo "push_exit_code=$?" >> "$GITHUB_OUTPUT" 64 | - name: Open PR for Branch 65 | id: pr 66 | if: ${{ steps.stage.outputs.stage_exit_code == 1 && steps.push.outputs.push_exit_code == 0 }} 67 | run: | 68 | date=$(date '+%Y%m%d') 69 | gh pr create --base main --head release-${date} --title "Release ${date}" --body "Enhanced ECS Optimized AMI Release changes" 70 | echo "pr_exit_code=$?" 
>> "$GITHUB_OUTPUT" 71 | PushToCodeCommit: 72 | needs: GenerateConfig 73 | if: ${{ needs.GenerateConfig.outputs.stage_exit_code == 1 && needs.GenerateConfig.outputs.push_exit_code == 0 && needs.GenerateConfig.outputs.pr_exit_code == 0 }} 74 | runs-on: ubuntu-latest 75 | permissions: 76 | id-token: write 77 | contents: read 78 | steps: 79 | - name: Checkout 80 | uses: actions/checkout@v4 81 | - name: Configure AWS Credentials 82 | uses: aws-actions/configure-aws-credentials@v4 83 | with: 84 | role-to-assume: ${{secrets.AMI_MIRROR_ROLE}} 85 | aws-region: us-west-2 86 | - name: Delete shinkansen branch on codecommit repository 87 | run: | 88 | aws codecommit delete-branch --repository-name amazon-ecs-ami-mirror --branch-name shinkansen 89 | - name: Sleeping for 60 seconds after CodeCommit branch deletion and before recreating it 90 | run: | 91 | sleep 60 92 | - name: Configure prereqs 93 | run: | 94 | git config --global user.name "Github Action" 95 | git config --global user.email "action@github.com" 96 | pip install git-remote-codecommit 97 | - name: Mirror to shinkansen branch on codecommit repository 98 | run: | 99 | date=$(date '+%Y%m%d') 100 | git clone --single-branch --branch release-${date} https://github.com/aws/amazon-ecs-ami ecsAmiGithub 101 | git clone codecommit::us-west-2://amazon-ecs-ami-mirror ecsAmiCodeCommit 102 | cp ecsAmiCodeCommit/Config ecsAmiGithub/ 103 | cd ecsAmiGithub 104 | git add Config 105 | git commit -m "Release ${date}" 106 | git remote add codecommit codecommit::us-west-2://amazon-ecs-ami-mirror 107 | git push codecommit release-${date}:shinkansen 108 | MetricPublish: 109 | needs: [GenerateConfig, PushToCodeCommit] 110 | if: ${{ always() }} 111 | runs-on: ubuntu-latest 112 | permissions: 113 | id-token: write 114 | contents: read 115 | steps: 116 | - name: Checkout 117 | uses: actions/checkout@v4 118 | - name: Configure AWS Credentials 119 | uses: aws-actions/configure-aws-credentials@v4 120 | with: 121 | role-to-assume: 
${{secrets.AMI_MIRROR_ROLE}} 122 | aws-region: us-west-2 123 | - name: Failure Scenario 124 | if: ${{ needs.GenerateConfig.result == 'failure' || needs.PushToCodeCommit.result == 'failure' }} 125 | run: aws cloudwatch put-metric-data --metric-name EcsAmiGithubActionStatus --namespace ECSAMIRelease --value "-1" 126 | - name: Release Kickoff Scenario 127 | if: ${{ needs.PushToCodeCommit.result == 'success'}} 128 | run: aws cloudwatch put-metric-data --metric-name EcsAmiGithubActionStatus --namespace ECSAMIRelease --value 1 129 | - name: No Release Scenario 130 | if: ${{ needs.GenerateConfig.result == 'success' && needs.PushToCodeCommit.result == 'skipped' }} 131 | run: aws cloudwatch put-metric-data --metric-name EcsAmiGithubActionStatus --namespace ECSAMIRelease --value 0 132 | -------------------------------------------------------------------------------- /.github/workflows/manualtrigger.yml: -------------------------------------------------------------------------------- 1 | name: ManualPushToCodeCommit 2 | 3 | on: workflow_dispatch 4 | 5 | jobs: 6 | PushToCodeCommit: 7 | runs-on: ubuntu-latest 8 | permissions: 9 | id-token: write 10 | contents: read 11 | steps: 12 | - name: Checkout 13 | uses: actions/checkout@v4 14 | - name: Configure AWS Credentials 15 | uses: aws-actions/configure-aws-credentials@v4 16 | with: 17 | role-to-assume: ${{secrets.AMI_MIRROR_ROLE}} 18 | aws-region: us-west-2 19 | - name: Delete shinkansen branch on codecommit repository 20 | run: | 21 | aws codecommit delete-branch --repository-name amazon-ecs-ami-mirror --branch-name shinkansen 22 | - name: Sleeping for 60 seconds after CodeCommit branch deletion and before recreating it 23 | run: | 24 | sleep 60 25 | - name: Configure prereqs 26 | run: | 27 | git config --global user.name "Github Action" 28 | git config --global user.email "action@github.com" 29 | pip install git-remote-codecommit 30 | - name: Mirror to shinkansen branch on codecommit repository 31 | run: | 32 | date=$(date 
'+%Y%m%d') 33 | git clone --single-branch --branch main https://github.com/aws/amazon-ecs-ami ecsAmiGithub 34 | git clone codecommit::us-west-2://amazon-ecs-ami-mirror ecsAmiCodeCommit 35 | cp ecsAmiCodeCommit/Config ecsAmiGithub/ 36 | cd ecsAmiGithub 37 | git add Config 38 | git commit -m "Release ${date}" 39 | git remote add codecommit codecommit::us-west-2://amazon-ecs-ami-mirror 40 | git push codecommit main:shinkansen 41 | MetricPublish: 42 | needs: [PushToCodeCommit] 43 | if: ${{ always() }} 44 | runs-on: ubuntu-latest 45 | permissions: 46 | id-token: write 47 | contents: read 48 | steps: 49 | - name: Configure AWS Credentials 50 | uses: aws-actions/configure-aws-credentials@v4 51 | with: 52 | role-to-assume: ${{secrets.AMI_MIRROR_ROLE}} 53 | aws-region: us-west-2 54 | - name: Success 55 | if: ${{ needs.PushToCodeCommit.result == 'success' }} 56 | run: aws cloudwatch put-metric-data --metric-name EcsAmiGithubActionStatus --namespace ECSAMIRelease --value 1 -------------------------------------------------------------------------------- /.github/workflows/static.yml: -------------------------------------------------------------------------------- 1 | name: Static Checks 2 | 3 | on: [pull_request] 4 | 5 | jobs: 6 | run: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: actions/checkout@v4 10 | - run: make static-check 11 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | packer 2 | manifest.json 3 | overrides.auto.pkrvars.hcl 4 | shfmt 5 | shellcheck 6 | *.idea 7 | *.DS_Store 8 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 
3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *main* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. 
Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute to. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project, we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 
60 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 
40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 
176 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | PACKER_VERSION := 1.7.4 2 | KERNEL := $(shell uname -s | tr A-Z a-z) 3 | ARCH := $(shell uname -m) 4 | 5 | ifeq (${ARCH},arm64) 6 | ARCH_ALT=arm64 7 | endif 8 | ifeq (${ARCH},aarch64) 9 | ARCH_ALT=arm64 10 | endif 11 | ifeq (${ARCH},x86_64) 12 | ARCH_ALT=amd64 13 | endif 14 | 15 | PACKER_URL="https://releases.hashicorp.com/packer/${PACKER_VERSION}/packer_${PACKER_VERSION}_${KERNEL}_${ARCH_ALT}.zip" 16 | SHFMT_URL="https://github.com/mvdan/sh/releases/download/v3.4.0/shfmt_v3.4.0_${KERNEL}_${ARCH_ALT}" 17 | SHELLCHECK_URL="https://github.com/koalaman/shellcheck/releases/download/v0.7.2/shellcheck-v0.7.2.${KERNEL}.${ARCH}.tar.xz" 18 | 19 | packer: 20 | curl -fLSs ${PACKER_URL} -o ./packer.zip 21 | unzip ./packer.zip 22 | rm ./packer.zip 23 | 24 | release-al1.auto.pkrvars.hcl: 25 | echo "Missing configuration file: release-al1.auto.pkrvars.hcl." 26 | exit 1 27 | 28 | release-al2.auto.pkrvars.hcl: 29 | echo "Missing configuration file: release-al2.auto.pkrvars.hcl." 30 | exit 1 31 | 32 | release-al2023.auto.pkrvars.hcl: 33 | echo "Missing configuration file: release-al2023.auto.pkrvars.hcl." 34 | exit 1 35 | 36 | .PHONY: check-region 37 | check-region: 38 | @bash -c "if [ -z ${REGION} ]; then echo 'ERROR: REGION variable must be set. Example: \"REGION=us-west-2 make al2\"'; exit 1; fi" 39 | 40 | .PHONY: init 41 | init: packer 42 | ./packer init . 43 | 44 | .PHONY: packer-fmt 45 | packer-fmt: packer 46 | ./packer fmt -check . 47 | 48 | .PHONY: validate 49 | validate: check-region init 50 | ./packer validate -var "region=${REGION}" . 51 | 52 | .PHONY: al1 53 | al1: check-region init validate release-al1.auto.pkrvars.hcl 54 | ./packer build -only="amazon-ebs.al1" -var "region=${REGION}" . 
55 | 56 | .PHONY: al2 57 | al2: check-region init validate release-al2.auto.pkrvars.hcl 58 | ./packer build -only="amazon-ebs.al2" -var "region=${REGION}" . 59 | 60 | .PHONY: al2arm 61 | al2arm: check-region init validate release-al2.auto.pkrvars.hcl 62 | ./packer build -only="amazon-ebs.al2arm" -var "region=${REGION}" . 63 | 64 | .PHONY: al2gpu 65 | al2gpu: check-region init validate release-al2.auto.pkrvars.hcl 66 | ./packer build -only="amazon-ebs.al2gpu" -var "region=${REGION}" . 67 | 68 | .PHONY: al2keplergpu 69 | al2keplergpu: check-region init validate release-al2.auto.pkrvars.hcl 70 | ./packer build -only="amazon-ebs.al2keplergpu" -var "region=${REGION}" . 71 | 72 | .PHONY: al2inf 73 | al2inf: check-region init validate release-al2.auto.pkrvars.hcl 74 | ./packer build -only="amazon-ebs.al2inf" -var "region=${REGION}" . 75 | 76 | .PHONY: al2kernel5dot10 77 | al2kernel5dot10: check-region init validate release-al2.auto.pkrvars.hcl 78 | ./packer build -only="amazon-ebs.al2kernel5dot10" -var "region=${REGION}" . 79 | 80 | .PHONY: al2kernel5dot10arm 81 | al2kernel5dot10arm: check-region init validate release-al2.auto.pkrvars.hcl 82 | ./packer build -only="amazon-ebs.al2kernel5dot10arm" -var "region=${REGION}" . 83 | 84 | .PHONY: al2kernel5dot10gpu 85 | al2kernel5dot10gpu: check-region init validate release-al2.auto.pkrvars.hcl 86 | ./packer build -only="amazon-ebs.al2kernel5dot10gpu" -var "region=${REGION}" . 87 | 88 | .PHONY: al2kernel5dot10inf 89 | al2kernel5dot10inf: check-region init validate release-al2.auto.pkrvars.hcl 90 | ./packer build -only="amazon-ebs.al2kernel5dot10inf" -var "region=${REGION}" . 91 | 92 | .PHONY: al2023 93 | al2023: check-region init validate release-al2023.auto.pkrvars.hcl 94 | ./packer build -only="amazon-ebs.al2023" -var "region=${REGION}" . 95 | 96 | .PHONY: al2023arm 97 | al2023arm: check-region init validate release-al2023.auto.pkrvars.hcl 98 | ./packer build -only="amazon-ebs.al2023arm" -var "region=${REGION}" . 
99 | 100 | .PHONY: al2023neu 101 | al2023neu: check-region init validate release-al2023.auto.pkrvars.hcl 102 | ./packer build -only="amazon-ebs.al2023neu" -var "region=${REGION}" . 103 | 104 | .PHONY: al2023gpu 105 | al2023gpu: check-region init validate release-al2023.auto.pkrvars.hcl 106 | ./packer build -only="amazon-ebs.al2023gpu" -var "region=${REGION}" . 107 | 108 | shellcheck: 109 | curl -fLSs ${SHELLCHECK_URL} -o /tmp/shellcheck.tar.xz 110 | tar -xvf /tmp/shellcheck.tar.xz -C /tmp --strip-components=1 111 | mv /tmp/shellcheck ./shellcheck 112 | rm /tmp/shellcheck.tar.xz 113 | 114 | shfmt: 115 | curl -fLSs ${SHFMT_URL} -o ./shfmt 116 | chmod +x ./shfmt 117 | 118 | .PHONY: fmt 119 | fmt: packer shfmt 120 | ./packer fmt . 121 | ./shfmt -l -s -w -i 4 ./*.sh ./*/*.sh ./*/*/*.sh 122 | 123 | .PHONY: static-check 124 | static-check: packer-fmt shfmt shellcheck 125 | REGION=us-west-2 make validate 126 | ./shfmt -d -s -w -i 4 ./*.sh ./*/*.sh ./*/*/*.sh 127 | ./shellcheck --severity=error --exclude=SC2045 ./*.sh ./*/*.sh ./*/*/*.sh 128 | 129 | .PHONY: clean 130 | clean: 131 | -rm manifest.json 132 | -rm shellcheck 133 | -rm shfmt 134 | -rm packer 135 | -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | -------------------------------------------------------------------------------- /NVIDA_DRIVER_VERSION: -------------------------------------------------------------------------------- 1 | # NVIDIA Driver Version Tracking 2 | # ------------------------------ 3 | # IMPORTANT: This file is for INFORMATIONAL AND TRACKING PURPOSES ONLY. 4 | # 5 | # DO NOT EDIT THIS FILE MANUALLY. It is automatically updated by the 6 | # check-update.sh script. Manual changes will be overwritten. 
7 | # Format: nvidia_driver_version_<ami_type> = "<version>" 8 | # 9 | # This file tracks the latest NVIDIA driver versions detected for different 10 | # Amazon Linux AMIs. It does not affect the actual driver installations. 11 | # For driver installations or updates, please refer to the appropriate 12 | # documentation or automation scripts. 13 | 14 | nvidia_driver_version_al2 = "550.163.01" 15 | nvidia_driver_version_al2023 = "570.133.20" 16 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ECS-optimized AMI Build Recipes 2 | 3 | This is a [packer](https://packer.io) recipe for creating an ECS-optimized AMI. 4 | It will create a private AMI in whatever account you are running it in. 5 | 6 | ## Instructions 7 | 8 | 1. Set up AWS CLI credentials. 9 | 2. Make the recipe that you want; REGION must be specified. Options are: al1, al2, al2arm, al2gpu, al2keplergpu, al2inf, 10 | al2kernel5dot10, al2kernel5dot10arm, al2kernel5dot10gpu, al2kernel5dot10inf, al2023, al2023arm, al2023neu, al2023gpu. 11 | ``` 12 | REGION=us-west-2 make al2 13 | ``` 14 | 15 | **NOTE**: `al2keplergpu` is a build recipe that this package supports for building ECS-Optimized GPU AMIs for instances 16 | with Kepler-architecture GPUs (such as P2 instance types). ECS-Optimized GPU AMIs for this target are not officially built and published. 17 | 18 | ## Configuration 19 | 20 | This recipe allows you to configure your AMI. All configuration variables are defined and documented 21 | in the file `./variables.pkr.hcl`, which is also where some defaults are defined. 22 | 23 | Variables can be set in `./release.auto.pkrvars.hcl` or `./overrides.auto.pkrvars.hcl`. 24 | 25 | #### Overrides 26 | 27 | If you would like to override any of the defaults provided here without committing any changes to git, you 28 | can use the `overrides.auto.pkrvars.hcl` file, which is ignored by source control.
29 | 30 | For example, if you want your AMI to have a smaller root block device, you can override the default value 31 | of 30 GB like this: 32 | 33 | ``` 34 | export REGION=us-west-2 35 | echo "block_device_size_gb = 8" > ./overrides.auto.pkrvars.hcl 36 | make al2 37 | ``` 38 | 39 | ## Additional Packages 40 | 41 | Any RPM package placed in the `additional-packages/` directory will be uploaded to the instance and installed. 42 | 43 | **NOTE**: All packages must have the extension `"$(uname -m).rpm"`, i.e. `.x86_64.rpm` or `.aarch64.rpm`. 44 | 45 | ## Cleanup 46 | 47 | 1. Deregister the AMI from EC2 Images via the CLI or console. 48 | 2. Delete the snapshot from EC2 EBS via the CLI or console. 49 | 50 | ## IAM Permissions 51 | 52 | For details on the minimum IAM permissions required to build the AMI, please see the 53 | packer docs: https://www.packer.io/docs/builders/amazon#iam-task-or-instance-role 54 | 55 | ## Security 56 | 57 | See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information. 58 | 59 | ## License 60 | 61 | This project is licensed under the Apache-2.0 License.
62 | -------------------------------------------------------------------------------- /additional-packages/.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore everything in this directory 2 | * 3 | # Except this file 4 | !.gitignore 5 | -------------------------------------------------------------------------------- /al1.pkr.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | ami_name_al1 = "${var.ami_name_prefix_al1}${var.ami_version_al1}-amazon-ecs-optimized" 3 | default_tags = { 4 | os_version = "Amazon Linux" 5 | source_image_name = "{{ .SourceAMIName }}" 6 | ecs_runtime_version = "Docker version ${var.docker_version_al1}" 7 | ecs_agent_version = "${var.ecs_version_al1}" 8 | ami_type = "al1" 9 | ami_version = "2018.03.${var.ami_version_al1}" 10 | } 11 | merged_tags = merge("${local.default_tags}", "${var.tags}") 12 | } 13 | 14 | source "amazon-ebs" "al1" { 15 | ami_name = "${local.ami_name_al1}" 16 | ami_description = "Amazon Linux AMI amzn-ami-2018.03.${var.ami_version_al1} x86_64 ECS HVM GP2" 17 | instance_type = var.general_purpose_instance_types[0] 18 | launch_block_device_mappings { 19 | volume_size = 8 20 | delete_on_termination = true 21 | volume_type = "gp2" 22 | device_name = "/dev/xvda" 23 | } 24 | launch_block_device_mappings { 25 | volume_size = 22 26 | delete_on_termination = true 27 | volume_type = "gp2" 28 | device_name = "/dev/xvdcz" 29 | } 30 | metadata_options { 31 | http_endpoint = "enabled" 32 | http_tokens = "required" // This enforces IMDSv2 33 | http_put_response_hop_limit = 2 34 | } 35 | region = var.region 36 | source_ami_filter { 37 | filters = { 38 | name = "${var.source_ami_al1}" 39 | } 40 | owners = ["amazon"] 41 | most_recent = true 42 | include_deprecated = true 43 | } 44 | ami_ou_arns = "${var.ami_ou_arns}" 45 | ami_org_arns = "${var.ami_org_arns}" 46 | ami_users = "${var.ami_users}" 47 | user_data_file = 
"scripts/al1/user_data.sh" 48 | ssh_interface = "public_ip" 49 | ssh_username = "ec2-user" 50 | tags = "${local.merged_tags}" 51 | run_tags = "${var.run_tags}" 52 | } 53 | 54 | build { 55 | sources = [ 56 | "source.amazon-ebs.al1" 57 | ] 58 | 59 | provisioner "shell" { 60 | inline_shebang = "/bin/sh -ex" 61 | inline = [ 62 | "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for cloud-init...'; sleep 1; done" 63 | ] 64 | } 65 | 66 | provisioner "file" { 67 | source = "files/al1/90_ecs.cfg" 68 | destination = "/tmp/90_ecs.cfg" 69 | } 70 | 71 | provisioner "shell" { 72 | inline_shebang = "/bin/sh -ex" 73 | inline = [ 74 | "sudo mv /tmp/90_ecs.cfg /etc/cloud/cloud.cfg.d/90_ecs.cfg" 75 | ] 76 | } 77 | 78 | provisioner "file" { 79 | source = "files/al1/ecs-custom-motd" 80 | destination = "/tmp/ecs-custom-motd" 81 | } 82 | 83 | provisioner "shell" { 84 | inline_shebang = "/bin/sh -ex" 85 | inline = [ 86 | "sudo mv /tmp/ecs-custom-motd /etc/update-motd.d/30-banner", 87 | "sudo chmod 755 /etc/update-motd.d/30-banner" 88 | ] 89 | } 90 | 91 | provisioner "shell" { 92 | inline_shebang = "/bin/sh -ex" 93 | inline = [ 94 | "mkdir /tmp/additional-packages" 95 | ] 96 | } 97 | 98 | provisioner "file" { 99 | source = "additional-packages/" 100 | destination = "/tmp/additional-packages" 101 | } 102 | 103 | provisioner "shell" { 104 | script = "scripts/setup-ecs-config-dir.sh" 105 | } 106 | 107 | provisioner "shell" { 108 | inline_shebang = "/bin/sh -ex" 109 | inline = [ 110 | "sudo yum install -y docker-${var.docker_version_al1} ecs-init-${var.ecs_version_al1} ${local.packages_al1}" 111 | ] 112 | } 113 | 114 | provisioner "shell" { 115 | script = "scripts/install-additional-packages.sh" 116 | } 117 | 118 | provisioner "file" { 119 | source = "files/amazon-ssm-agent.gpg" 120 | destination = "/tmp/amazon-ssm-agent.gpg" 121 | } 122 | 123 | provisioner "shell" { 124 | script = "scripts/install-exec-dependencies.sh" 125 | environment_vars = [ 126 | 
"AMI_TYPE=${source.name}", 127 | "REGION=${var.region}", 128 | "EXEC_SSM_VERSION=${var.exec_ssm_version}", 129 | "AIR_GAPPED=${var.air_gapped}" 130 | ] 131 | } 132 | 133 | provisioner "shell" { 134 | script = "scripts/al1/configure-docker-storage-setup.sh" 135 | } 136 | 137 | provisioner "shell" { 138 | script = "scripts/al1/unlock-releasever.sh" 139 | } 140 | 141 | provisioner "shell" { 142 | script = "scripts/al1/check-ownership.sh" 143 | } 144 | 145 | provisioner "shell" { 146 | script = "scripts/append-efs-client-info.sh" 147 | } 148 | 149 | provisioner "shell" { 150 | inline_shebang = "/bin/sh -ex" 151 | inline = [ 152 | "sudo usermod -a -G docker ec2-user" 153 | ] 154 | } 155 | 156 | provisioner "shell" { 157 | inline_shebang = "/bin/sh -ex" 158 | inline = [ 159 | "sudo yum update -y --security --sec-severity=critical --exclude=nvidia*,docker*,cuda*,containerd*" 160 | ] 161 | } 162 | 163 | provisioner "shell" { 164 | script = "scripts/cleanup.sh" 165 | } 166 | 167 | post-processor "manifest" { 168 | output = "manifest.json" 169 | strip_path = true 170 | } 171 | } 172 | -------------------------------------------------------------------------------- /al2.pkr.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | ami_name_al2 = "${var.ami_name_prefix_al2}-hvm-2.0.${var.ami_version_al2}-x86_64-ebs" 3 | motd_files = [ 4 | "29-ecs-banner-begin", 5 | "31-ecs-banner-finish", 6 | "69-available-updates-begin", 7 | "71-available-updates-finish" 8 | ] 9 | default_tags = { 10 | os_version = "Amazon Linux 2" 11 | source_image_name = "{{ .SourceAMIName }}" 12 | ecs_runtime_version = "Docker version ${var.docker_version}" 13 | ecs_agent_version = "${var.ecs_agent_version}" 14 | ami_type = "al2" 15 | ami_version = "2.0.${var.ami_version_al2}" 16 | } 17 | merged_tags = merge("${local.default_tags}", "${var.tags}") 18 | } 19 | 20 | source "amazon-ebs" "al2" { 21 | ami_name = "${local.ami_name_al2}" 22 | ami_description = "Amazon 
Linux AMI 2.0.${var.ami_version_al2} x86_64 ECS HVM GP2" 23 | instance_type = var.general_purpose_instance_types[0] 24 | launch_block_device_mappings { 25 | volume_size = var.block_device_size_gb 26 | delete_on_termination = true 27 | volume_type = "gp2" 28 | device_name = "/dev/xvda" 29 | } 30 | metadata_options { 31 | http_endpoint = "enabled" 32 | http_tokens = "required" // This enforces IMDSv2
# NOTE(review): a hop limit of 2 keeps IMDS reachable one network hop away from
# the instance (e.g. from containers) -- presumably needed by the ECS agent's
# own container; confirm before lowering it.
33 | http_put_response_hop_limit = 2 34 | } 35 | region = var.region
# The base image is chosen by name pattern, but only among AMIs owned by
# "amazon", so a look-alike name published from another account cannot be
# selected; most_recent then takes the newest match, deprecated ones included.
36 | source_ami_filter { 37 | filters = { 38 | name = "${var.source_ami_al2}" 39 | } 40 | owners = ["amazon"] 41 | most_recent = true 42 | include_deprecated = true 43 | }
# Launch permissions granted on the finished AMI (OUs, organizations and
# individual accounts) all come from variables; see variables.pkr.hcl for
# their defaults.
44 | ami_ou_arns = "${var.ami_ou_arns}" 45 | ami_org_arns = "${var.ami_org_arns}" 46 | ami_users = "${var.ami_users}"
# Packer provisions over SSH to the build instance's public IP as ec2-user.
47 | ssh_interface = "public_ip" 48 | ssh_username = "ec2-user" 49 | tags = "${local.merged_tags}" 50 | run_tags = "${var.run_tags}" 51 | } 52 |
# One build block drives every AL2 flavour: the provisioners below run, in
# order, for each source listed here.
53 | build { 54 | sources = [ 55 | "source.amazon-ebs.al2", 56 | "source.amazon-ebs.al2arm", 57 | "source.amazon-ebs.al2gpu", 58 | "source.amazon-ebs.al2keplergpu", 59 | "source.amazon-ebs.al2inf", 60 | "source.amazon-ebs.al2kernel5dot10", 61 | "source.amazon-ebs.al2kernel5dot10arm", 62 | "source.amazon-ebs.al2kernel5dot10gpu", 63 | "source.amazon-ebs.al2kernel5dot10inf" 64 | ] 65 |
# cloud-init config: uploaded to /tmp (the SSH user cannot write /etc
# directly), then moved into place and re-owned by root.
66 | provisioner "file" { 67 | source = "files/90_ecs.cfg.amzn2" 68 | destination = "/tmp/90_ecs.cfg" 69 | } 70 | 71 | provisioner "shell" { 72 | inline_shebang = "/bin/sh -ex" 73 | inline = [ 74 | "sudo mv /tmp/90_ecs.cfg /etc/cloud/cloud.cfg.d/90_ecs.cfg", 75 | "sudo chown root:root /etc/cloud/cloud.cfg.d/90_ecs.cfg" 76 | ] 77 | } 78 |
# Upload each MOTD script named in local.motd_files to /tmp ...
79 | dynamic "provisioner" { 80 | for_each = local.motd_files 81 | labels = ["file"] 82 | content { 83 | source = "files/${provisioner.value}.sh.amzn2" 84 | destination = "/tmp/${provisioner.value}" 85 | } 86 | } 87 |
# ... then move each one into /etc/update-motd.d with mode 755.
88 | dynamic "provisioner" { 89 | for_each = local.motd_files 90 | labels = ["shell"] 91 | content { 92 | inline_shebang = "/bin/sh -ex" 93 | inline
= [ 94 | "sudo mv /tmp/${provisioner.value} /etc/update-motd.d/${provisioner.value}", 95 | "sudo chmod 755 /etc/update-motd.d/${provisioner.value}" 96 | ] 97 | } 98 | } 99 |
# Stage any operator-supplied RPMs from additional-packages/ (see README);
# scripts/install-additional-packages.sh installs them later in this build.
100 | provisioner "shell" { 101 | inline_shebang = "/bin/sh -ex" 102 | inline = [ 103 | "mkdir /tmp/additional-packages" 104 | ] 105 | } 106 | 107 | provisioner "file" { 108 | source = "additional-packages/" 109 | destination = "/tmp/additional-packages" 110 | } 111 | 112 | provisioner "shell" { 113 | inline_shebang = "/bin/sh -ex" 114 | inline = [ 115 | "sudo yum install -y ${local.packages_al2}" 116 | ] 117 | } 118 | 119 | provisioner "shell" { 120 | script = "scripts/setup-ecs-config-dir.sh" 121 | } 122 |
# Container runtime at the versions pinned in variables; AIR_GAPPED is passed
# through so the script can adapt where it fetches packages from.
123 | provisioner "shell" { 124 | script = "scripts/install-docker.sh" 125 | environment_vars = [ 126 | "DOCKER_VERSION=${var.docker_version}", 127 | "CONTAINERD_VERSION=${var.containerd_version}", 128 | "RUNC_VERSION=${var.runc_version}", 129 | "AIR_GAPPED=${var.air_gapped}" 130 | ] 131 | } 132 | 133 | # the ordering matters here, this repo is installed after docker is installed 134 | # so that the docker extras repo is overwritten in the final AMI.
135 | provisioner "file" { 136 | source = "files/repos/amzn2-extras.repo" 137 | destination = "/tmp/amzn2-extras.repo" 138 | } 139 | 140 | provisioner "shell" { 141 | inline_shebang = "/bin/sh -ex" 142 | inline = [ 143 | "sudo mv /tmp/amzn2-extras.repo /etc/yum.repos.d/amzn2-extras.repo", 144 | "sudo chown root:root /etc/yum.repos.d/amzn2-extras.repo" 145 | ] 146 | } 147 |
# ecs-init / agent install. ECS_INIT_URL and ECS_INIT_LOCAL_OVERRIDE are both
# forwarded; presumably the override points the install at a local artifact
# instead of the URL -- verify in scripts/install-ecs-init.sh.
148 | provisioner "shell" { 149 | script = "scripts/install-ecs-init.sh" 150 | environment_vars = [ 151 | "REGION=${var.region}", 152 | "AGENT_VERSION=${var.ecs_agent_version}", 153 | "INIT_REV=${var.ecs_init_rev}", 154 | "AL_NAME=amzn2", 155 | "AIR_GAPPED=${var.air_gapped}", 156 | "ECS_INIT_URL=${var.ecs_init_url_al2}", 157 | "ECS_INIT_LOCAL_OVERRIDE=${var.ecs_init_local_override}" 158 | ] 159 | } 160 | 161 | provisioner "shell" { 162 | script = "scripts/install-additional-packages.sh" 163 | } 164 |
# ECS Exec dependencies. The SSM agent signing key is uploaded first;
# presumably the script uses it to verify the agent package it installs --
# confirm in scripts/install-exec-dependencies.sh.
165 | provisioner "file" { 166 | source = "files/amazon-ssm-agent.gpg" 167 | destination = "/tmp/amazon-ssm-agent.gpg" 168 | } 169 | 170 | provisioner "shell" { 171 | script = "scripts/install-exec-dependencies.sh" 172 | environment_vars = [ 173 | "AMI_TYPE=${source.name}", 174 | "REGION=${var.region}", 175 | "EXEC_SSM_VERSION=${var.exec_ssm_version}", 176 | "AIR_GAPPED=${var.air_gapped}", 177 | "REGION_DNS_SUFFIX=${var.region_dns_suffix}" 178 | ] 179 | } 180 | 181 | provisioner "shell" { 182 | script = "scripts/append-efs-client-info.sh" 183 | } 184 |
# AMI_TYPE lets the script decide per source whether the 5.10 kernel applies.
185 | provisioner "shell" { 186 | environment_vars = ["AMI_TYPE=${source.name}"] 187 | script = "scripts/al2/install-kernel5dot10.sh" 188 | } 189 | 190 | ### If necessary, reboot worker instance to install kernel update for enable-ecs-agent-inferentia-support or 191 | ### enable-ecs-agent-gpu-support scripts that factor in kernel version.
192 | provisioner "shell" { 193 | environment_vars = ["AMI_TYPE=${source.name}"] 194 | expect_disconnect = "true" 195 | script = "scripts/al2/reboot-for-kernel-upgrade.sh" 196 | } 197 | 198 | provisioner "shell" { 199 | environment_vars = ["AMI_TYPE=${source.name}"] 200 | pause_before = "10s" # pause for starting the reboot 201 | script = "scripts/enable-ecs-agent-inferentia-support.sh" 202 | } 203 | 204 | provisioner "shell" { 205 | environment_vars = [ 206 | "AMI_TYPE=${source.name}", 207 | "AIR_GAPPED=${var.air_gapped}" 208 | ] 209 | script = "scripts/enable-ecs-agent-gpu-support.sh" 210 | } 211 |
# NOTE(review): membership of the docker group gives ec2-user effectively
# root-equivalent control of the host through the Docker socket; anyone who
# can log in as ec2-user inherits that.
212 | provisioner "shell" { 213 | inline_shebang = "/bin/sh -ex" 214 | inline = [ 215 | "sudo usermod -a -G docker ec2-user" 216 | ] 217 | } 218 | 219 | provisioner "shell" { 220 | script = "scripts/enable-services.sh" 221 | } 222 | 223 | provisioner "shell" { 224 | script = "scripts/install-service-connect-appnet.sh" 225 | } 226 |
# Only critical-severity security errata are applied at build time. The
# nvidia, docker, cuda, containerd and runc packages are excluded so the
# versions installed by the earlier provisioners (and recorded in the AMI
# tags) are not moved by this step.
227 | provisioner "shell" { 228 | inline_shebang = "/bin/sh -ex" 229 | inline = [ 230 | "sudo yum update -y --security --sec-severity=critical --exclude=nvidia*,docker*,cuda*,containerd*,runc*" 231 | ] 232 | } 233 | 234 | provisioner "shell" { 235 | script = "scripts/cleanup.sh" 236 | } 237 |
# Record the built AMI ids in manifest.json (paths stripped); `make clean`
# removes this file.
238 | post-processor "manifest" { 239 | output = "manifest.json" 240 | strip_path = true 241 | } 242 | } 243 | -------------------------------------------------------------------------------- /al2023.pkr.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | ami_name_al2023 = "${var.ami_name_prefix_al2023}-hvm-2023.0.${var.ami_version_al2023}${var.kernel_version_al2023}-x86_64" 3 | default_tags = { 4 | os_version = "Amazon Linux 2023" 5 | source_image_name = "{{ .SourceAMIName }}" 6 | ecs_runtime_version = "Docker version ${var.docker_version_al2023}" 7 | ecs_agent_version = "${var.ecs_agent_version}" 8 | ami_type = "al2023" 9 | ami_version = "2023.0.${var.ami_version_al2023}" 10 | } 11 | merged_tags = 
merge("${local.default_tags}", "${var.tags}") 12 | } 13 | 14 | source "amazon-ebs" "al2023" { 15 | ami_name = "${local.ami_name_al2023}" 16 | ami_description = "Amazon Linux AMI 2023.0.${var.ami_version_al2023} x86_64 ECS HVM EBS" 17 | instance_type = var.general_purpose_instance_types[0] 18 | launch_block_device_mappings { 19 | volume_size = var.block_device_size_gb 20 | delete_on_termination = true 21 | volume_type = "gp3" 22 | device_name = "/dev/xvda" 23 | } 24 | metadata_options { 25 | http_endpoint = "enabled" 26 | http_tokens = "required" // This enforces IMDSv2 27 | http_put_response_hop_limit = 2 28 | } 29 | region = var.region 30 | source_ami_filter { 31 | filters = { 32 | name = "${var.source_ami_al2023}" 33 | } 34 | owners = ["amazon"] 35 | most_recent = true 36 | include_deprecated = true 37 | } 38 | ami_ou_arns = "${var.ami_ou_arns}" 39 | ami_org_arns = "${var.ami_org_arns}" 40 | ami_users = "${var.ami_users}" 41 | ssh_interface = "public_ip" 42 | ssh_username = "ec2-user" 43 | tags = "${local.merged_tags}" 44 | run_tags = "${var.run_tags}" 45 | } 46 | 47 | build { 48 | sources = [ 49 | "source.amazon-ebs.al2023", 50 | "source.amazon-ebs.al2023arm", 51 | "source.amazon-ebs.al2023neu", 52 | "source.amazon-ebs.al2023gpu" 53 | ] 54 | 55 | provisioner "file" { 56 | source = "files/90_ecs.cfg.amzn2" 57 | destination = "/tmp/90_ecs.cfg" 58 | } 59 | 60 | provisioner "shell" { 61 | inline_shebang = "/bin/sh -ex" 62 | inline = [ 63 | "sudo mv /tmp/90_ecs.cfg /etc/cloud/cloud.cfg.d/90_ecs.cfg", 64 | "sudo chown root:root /etc/cloud/cloud.cfg.d/90_ecs.cfg" 65 | ] 66 | } 67 | 68 | provisioner "shell" { 69 | script = "scripts/al2023/setup-motd.sh" 70 | } 71 | 72 | provisioner "shell" { 73 | inline_shebang = "/bin/sh -ex" 74 | inline = [ 75 | "mkdir /tmp/additional-packages" 76 | ] 77 | } 78 | 79 | provisioner "shell" { 80 | inline_shebang = "/bin/sh -ex" 81 | inline = [ 82 | "sudo dnf update -y --releasever=${var.distribution_release_al2023}" 83 | ] 84 | } 85 | 86 
| provisioner "file" { 87 | source = "additional-packages/" 88 | destination = "/tmp/additional-packages" 89 | } 90 | 91 | provisioner "shell" { 92 | inline_shebang = "/bin/sh -ex" 93 | inline = [ 94 | "sudo dnf install -y ${local.packages_al2023}", 95 | "sudo dnf swap -y gnupg2-minimal gnupg2-full" 96 | ] 97 | } 98 | 99 | provisioner "shell" { 100 | script = "scripts/setup-ecs-config-dir.sh" 101 | } 102 | 103 | provisioner "shell" { 104 | script = "scripts/install-docker.sh" 105 | environment_vars = [ 106 | "DOCKER_VERSION=${var.docker_version_al2023}", 107 | "CONTAINERD_VERSION=${var.containerd_version_al2023}", 108 | "RUNC_VERSION=${var.runc_version_al2023}", 109 | "AIR_GAPPED=${var.air_gapped}" 110 | ] 111 | } 112 | 113 | provisioner "shell" { 114 | script = "scripts/install-ecs-init.sh" 115 | environment_vars = [ 116 | "REGION=${var.region}", 117 | "AGENT_VERSION=${var.ecs_agent_version}", 118 | "INIT_REV=${var.ecs_init_rev}", 119 | "AL_NAME=amzn2023", 120 | "ECS_INIT_URL=${var.ecs_init_url_al2023}", 121 | "AIR_GAPPED=${var.air_gapped}", 122 | "ECS_INIT_LOCAL_OVERRIDE=${var.ecs_init_local_override}" 123 | ] 124 | } 125 | 126 | provisioner "shell" { 127 | script = "scripts/append-efs-client-info.sh" 128 | } 129 | 130 | provisioner "shell" { 131 | script = "scripts/install-additional-packages.sh" 132 | } 133 | 134 | ### exec 135 | 136 | provisioner "file" { 137 | source = "files/amazon-ssm-agent.gpg" 138 | destination = "/tmp/amazon-ssm-agent.gpg" 139 | } 140 | 141 | provisioner "shell" { 142 | script = "scripts/install-exec-dependencies.sh" 143 | environment_vars = [ 144 | "AMI_TYPE=${source.name}", 145 | "REGION=${var.region}", 146 | "EXEC_SSM_VERSION=${var.exec_ssm_version}", 147 | "AIR_GAPPED=${var.air_gapped}", 148 | "REGION_DNS_SUFFIX=${var.region_dns_suffix}" 149 | ] 150 | } 151 | 152 | ### reboot worker instance to install kernel update. enable-ecs-agent-inferentia-support needs 153 | ### new kernel (if there is) to be installed. 
154 | provisioner "shell" { 155 | inline_shebang = "/bin/sh -ex" 156 | expect_disconnect = "true" 157 | inline = [ 158 | "sudo reboot" 159 | ] 160 | } 161 | 162 | provisioner "shell" { 163 | environment_vars = [ 164 | "AMI_TYPE=${source.name}" 165 | ] 166 | pause_before = "10s" # pause for starting the reboot 167 | start_retry_timeout = "40s" # wait before start retry 168 | max_retries = 3 169 | script = "scripts/enable-ecs-agent-inferentia-support.sh" 170 | } 171 | 172 | provisioner "shell" { 173 | environment_vars = [ 174 | "AMI_TYPE=${source.name}" 175 | ] 176 | script = "scripts/enable-ecs-agent-gpu-support-al2023.sh" 177 | } 178 | 179 | provisioner "shell" { 180 | inline_shebang = "/bin/sh -ex" 181 | inline = [ 182 | "sudo usermod -a -G docker ec2-user" 183 | ] 184 | } 185 | 186 | provisioner "shell" { 187 | script = "scripts/enable-services.sh" 188 | } 189 | 190 | provisioner "shell" { 191 | script = "scripts/install-service-connect-appnet.sh" 192 | } 193 | 194 | provisioner "shell" { 195 | script = "scripts/cleanup.sh" 196 | } 197 | 198 | post-processor "manifest" { 199 | output = "manifest.json" 200 | strip_path = true 201 | } 202 | } 203 | -------------------------------------------------------------------------------- /al2023arm.pkr.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | ami_name_al2023arm = "${var.ami_name_prefix_al2023}-hvm-2023.0.${var.ami_version_al2023}${var.kernel_version_al2023arm}-arm64" 3 | default_tags = { 4 | os_version = "Amazon Linux 2023" 5 | source_image_name = "{{ .SourceAMIName }}" 6 | ecs_runtime_version = "Docker version ${var.docker_version_al2023}" 7 | ecs_agent_version = "${var.ecs_agent_version}" 8 | ami_type = "al2023arm" 9 | ami_version = "2023.0.${var.ami_version_al2023}" 10 | } 11 | merged_tags = merge("${local.default_tags}", "${var.tags}") 12 | } 13 | 14 | source "amazon-ebs" "al2023arm" { 15 | ami_name = "${local.ami_name_al2023arm}" 16 | ami_description = 
"Amazon Linux AMI 2023.0.${var.ami_version_al2023} arm64 ECS HVM EBS" 17 | instance_type = var.arm_instance_types[0] 18 | launch_block_device_mappings { 19 | volume_size = var.block_device_size_gb 20 | delete_on_termination = true 21 | volume_type = "gp3" 22 | device_name = "/dev/xvda" 23 | } 24 | metadata_options { 25 | http_endpoint = "enabled" 26 | http_tokens = "required" // This enforces IMDSv2 27 | http_put_response_hop_limit = 2 28 | } 29 | region = var.region 30 | source_ami_filter { 31 | filters = { 32 | name = "${var.source_ami_al2023arm}" 33 | } 34 | owners = ["amazon"] 35 | most_recent = true 36 | include_deprecated = true 37 | } 38 | ami_ou_arns = "${var.ami_ou_arns}" 39 | ami_org_arns = "${var.ami_org_arns}" 40 | ami_users = "${var.ami_users}" 41 | ssh_interface = "public_ip" 42 | ssh_username = "ec2-user" 43 | tags = "${local.merged_tags}" 44 | run_tags = "${var.run_tags}" 45 | } 46 | -------------------------------------------------------------------------------- /al2023gpu.pkr.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | ami_name_al2023gpu = "${var.ami_name_prefix_al2023}-gpu-hvm-2023.0.${var.ami_version_al2023}${var.kernel_version_al2023}-x86_64-ebs" 3 | default_tags = { 4 | os_version = "Amazon Linux 2023" 5 | source_image_name = "{{ .SourceAMIName }}" 6 | ecs_runtime_version = "Docker version ${var.docker_version_al2023}" 7 | ecs_agent_version = "${var.ecs_agent_version}" 8 | ami_type = "al2023gpu" 9 | ami_version = "2023.0.${var.ami_version_al2023}" 10 | } 11 | merged_tags = merge("${local.default_tags}", "${var.tags}") 12 | } 13 | 14 | source "amazon-ebs" "al2023gpu" { 15 | ami_name = "${local.ami_name_al2023gpu}" 16 | ami_description = "Amazon Linux AMI 2023.0.${var.ami_version_al2023} x86_64 ECS HVM EBS" 17 | instance_type = var.gpu_instance_types[0] 18 | launch_block_device_mappings { 19 | volume_size = var.block_device_size_gb 20 | delete_on_termination = true 21 | volume_type = 
"gp3" 22 | device_name = "/dev/xvda" 23 | } 24 | metadata_options { 25 | http_endpoint = "enabled" 26 | http_tokens = "required" // This enforces IMDSv2 27 | http_put_response_hop_limit = 2 28 | } 29 | region = var.region 30 | source_ami_filter { 31 | filters = { 32 | name = "${var.source_ami_al2023}" 33 | } 34 | owners = ["amazon"] 35 | most_recent = true 36 | include_deprecated = true 37 | } 38 | ami_ou_arns = "${var.ami_ou_arns}" 39 | ami_org_arns = "${var.ami_org_arns}" 40 | ami_users = "${var.ami_users}" 41 | ssh_interface = "public_ip" 42 | ssh_username = "ec2-user" 43 | tags = "${local.merged_tags}" 44 | run_tags = "${var.run_tags}" 45 | } 46 | -------------------------------------------------------------------------------- /al2023neu.pkr.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | ami_name_al2023neu = "${var.ami_name_prefix_al2023}-neuron-hvm-2023.0.${var.ami_version_al2023}${var.kernel_version_al2023}-x86_64" 3 | default_tags = { 4 | os_version = "Amazon Linux 2023" 5 | source_image_name = "{{ .SourceAMIName }}" 6 | ecs_runtime_version = "Docker version ${var.docker_version_al2023}" 7 | ecs_agent_version = "${var.ecs_agent_version}" 8 | ami_type = "al2023neu" 9 | ami_version = "2023.0.${var.ami_version_al2023}" 10 | } 11 | merged_tags = merge("${local.default_tags}", "${var.tags}") 12 | } 13 | 14 | source "amazon-ebs" "al2023neu" { 15 | ami_name = "${local.ami_name_al2023neu}" 16 | ami_description = "Amazon Linux AMI 2023.0.${var.ami_version_al2023} x86_64 ECS HVM EBS" 17 | instance_type = var.neu_instance_types[0] 18 | launch_block_device_mappings { 19 | volume_size = var.block_device_size_gb 20 | delete_on_termination = true 21 | volume_type = "gp3" 22 | device_name = "/dev/xvda" 23 | } 24 | metadata_options { 25 | http_endpoint = "enabled" 26 | http_tokens = "required" // This enforces IMDSv2 27 | http_put_response_hop_limit = 2 28 | } 29 | region = var.region 30 | source_ami_filter { 31 | 
filters = { 32 | name = "${var.source_ami_al2023}" 33 | } 34 | owners = ["amazon"] 35 | most_recent = true 36 | include_deprecated = true 37 | } 38 | ami_ou_arns = "${var.ami_ou_arns}" 39 | ami_org_arns = "${var.ami_org_arns}" 40 | ami_users = "${var.ami_users}" 41 | ssh_interface = "public_ip" 42 | ssh_username = "ec2-user" 43 | tags = "${local.merged_tags}" 44 | run_tags = "${var.run_tags}" 45 | } 46 | -------------------------------------------------------------------------------- /al2arm.pkr.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | ami_name_al2arm = "${var.ami_name_prefix_al2}-hvm-2.0.${var.ami_version_al2}-arm64-ebs" 3 | default_tags = { 4 | os_version = "Amazon Linux 2" 5 | source_image_name = "{{ .SourceAMIName }}" 6 | ecs_runtime_version = "Docker version ${var.docker_version}" 7 | ecs_agent_version = "${var.ecs_agent_version}" 8 | ami_type = "al2arm" 9 | ami_version = "2.0.${var.ami_version_al2}" 10 | } 11 | merged_tags = merge("${local.default_tags}", "${var.tags}") 12 | } 13 | 14 | source "amazon-ebs" "al2arm" { 15 | ami_name = "${local.ami_name_al2arm}" 16 | ami_description = "Amazon Linux AMI 2.0.${var.ami_version_al2} arm64 ECS HVM GP2" 17 | instance_type = var.arm_instance_types[0] 18 | launch_block_device_mappings { 19 | volume_size = var.block_device_size_gb 20 | delete_on_termination = true 21 | volume_type = "gp2" 22 | device_name = "/dev/xvda" 23 | } 24 | metadata_options { 25 | http_endpoint = "enabled" 26 | http_tokens = "required" // This enforces IMDSv2 27 | http_put_response_hop_limit = 2 28 | } 29 | region = var.region 30 | source_ami_filter { 31 | filters = { 32 | name = "${var.source_ami_al2arm}" 33 | } 34 | owners = ["amazon"] 35 | most_recent = true 36 | include_deprecated = true 37 | } 38 | ami_ou_arns = "${var.ami_ou_arns}" 39 | ami_org_arns = "${var.ami_org_arns}" 40 | ami_users = "${var.ami_users}" 41 | ssh_interface = "public_ip" 42 | ssh_username = "ec2-user" 43 | tags 
= "${local.merged_tags}" 44 | run_tags = "${var.run_tags}" 45 | } 46 | -------------------------------------------------------------------------------- /al2gpu.pkr.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | ami_name_al2gpu = "${var.ami_name_prefix_al2}-gpu-hvm-2.0.${var.ami_version_al2}-x86_64-ebs" 3 | default_tags = { 4 | os_version = "Amazon Linux 2" 5 | source_image_name = "{{ .SourceAMIName }}" 6 | ecs_runtime_version = "Docker version ${var.docker_version}" 7 | ecs_agent_version = "${var.ecs_agent_version}" 8 | ami_type = "al2gpu" 9 | ami_version = "2.0.${var.ami_version_al2}" 10 | } 11 | merged_tags = merge("${local.default_tags}", "${var.tags}") 12 | } 13 | 14 | source "amazon-ebs" "al2gpu" { 15 | ami_name = "${local.ami_name_al2gpu}" 16 | ami_description = "Amazon Linux AMI 2.0.${var.ami_version_al2} x86_64 ECS HVM GP2" 17 | instance_type = var.gpu_instance_types[0] 18 | launch_block_device_mappings { 19 | volume_size = var.block_device_size_gb 20 | delete_on_termination = true 21 | volume_type = "gp2" 22 | device_name = "/dev/xvda" 23 | } 24 | metadata_options { 25 | http_endpoint = "enabled" 26 | http_tokens = "required" // This enforces IMDSv2 27 | http_put_response_hop_limit = 2 28 | } 29 | region = var.region 30 | source_ami_filter { 31 | filters = { 32 | name = "${var.source_ami_al2}" 33 | } 34 | owners = ["amazon"] 35 | most_recent = true 36 | include_deprecated = true 37 | } 38 | ami_ou_arns = "${var.ami_ou_arns}" 39 | ami_org_arns = "${var.ami_org_arns}" 40 | ami_users = "${var.ami_users}" 41 | ssh_interface = "public_ip" 42 | ssh_username = "ec2-user" 43 | tags = "${local.merged_tags}" 44 | run_tags = "${var.run_tags}" 45 | } 46 | -------------------------------------------------------------------------------- /al2inf.pkr.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | ami_name_al2inf = 
"${var.ami_name_prefix_al2}-inf-hvm-2.0.${var.ami_version_al2}-x86_64-ebs" 3 | default_tags = { 4 | os_version = "Amazon Linux 2" 5 | source_image_name = "{{ .SourceAMIName }}" 6 | ecs_runtime_version = "Docker version ${var.docker_version}" 7 | ecs_agent_version = "${var.ecs_agent_version}" 8 | ami_type = "al2inf" 9 | ami_version = "2.0.${var.ami_version_al2}" 10 | } 11 | merged_tags = merge("${local.default_tags}", "${var.tags}") 12 | } 13 | 14 | source "amazon-ebs" "al2inf" { 15 | ami_name = "${local.ami_name_al2inf}" 16 | ami_description = "Amazon Linux AMI 2.0.${var.ami_version_al2} x86_64 ECS HVM GP2" 17 | instance_type = var.inf_instance_types[0] 18 | launch_block_device_mappings { 19 | volume_size = var.block_device_size_gb 20 | delete_on_termination = true 21 | volume_type = "gp2" 22 | device_name = "/dev/xvda" 23 | } 24 | metadata_options { 25 | http_endpoint = "enabled" 26 | http_tokens = "required" // This enforces IMDSv2 27 | http_put_response_hop_limit = 2 28 | } 29 | region = var.region 30 | source_ami_filter { 31 | filters = { 32 | name = "${var.source_ami_al2}" 33 | } 34 | owners = ["amazon"] 35 | most_recent = true 36 | include_deprecated = true 37 | } 38 | ami_ou_arns = "${var.ami_ou_arns}" 39 | ami_org_arns = "${var.ami_org_arns}" 40 | ami_users = "${var.ami_users}" 41 | ssh_interface = "public_ip" 42 | ssh_username = "ec2-user" 43 | tags = "${local.merged_tags}" 44 | run_tags = "${var.run_tags}" 45 | } 46 | -------------------------------------------------------------------------------- /al2keplergpu.pkr.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | ami_name_al2keplergpu = "${var.ami_name_prefix_al2}-kepler-gpu-hvm-2.0.${var.ami_version_al2}-x86_64-ebs" 3 | default_tags = { 4 | os_version = "Amazon Linux 2" 5 | source_image_name = "{{ .SourceAMIName }}" 6 | ecs_runtime_version = "Docker version ${var.docker_version}" 7 | ecs_agent_version = "${var.ecs_agent_version}" 8 | ami_type = 
"al2keplergpu" 9 | ami_version = "2.0.${var.ami_version_al2}" 10 | } 11 | merged_tags = merge("${local.default_tags}", "${var.tags}") 12 | } 13 | 14 | source "amazon-ebs" "al2keplergpu" { 15 | ami_name = "${local.ami_name_al2keplergpu}" 16 | ami_description = "Amazon Linux AMI 2.0.${var.ami_version_al2} x86_64 ECS HVM GP2" 17 | instance_type = var.gpu_instance_types[0] 18 | launch_block_device_mappings { 19 | volume_size = var.block_device_size_gb 20 | delete_on_termination = true 21 | volume_type = "gp2" 22 | device_name = "/dev/xvda" 23 | } 24 | metadata_options { 25 | http_endpoint = "enabled" 26 | http_tokens = "required" // This enforces IMDSv2 27 | http_put_response_hop_limit = 2 28 | } 29 | region = var.region 30 | source_ami_filter { 31 | filters = { 32 | name = "${var.source_ami_al2}" 33 | } 34 | owners = ["amazon"] 35 | most_recent = true 36 | include_deprecated = true 37 | } 38 | ami_ou_arns = "${var.ami_ou_arns}" 39 | ami_org_arns = "${var.ami_org_arns}" 40 | ami_users = "${var.ami_users}" 41 | ssh_interface = "public_ip" 42 | ssh_username = "ec2-user" 43 | tags = "${local.merged_tags}" 44 | run_tags = "${var.run_tags}" 45 | } 46 | -------------------------------------------------------------------------------- /al2kernel5dot10.pkr.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | ami_name_al2kernel5dot10 = "${var.ami_name_prefix_al2}-kernel-5.10-hvm-2.0.${var.ami_version_al2}-x86_64-ebs" 3 | default_tags = { 4 | os_version = "Amazon Linux 2" 5 | source_image_name = "{{ .SourceAMIName }}" 6 | ecs_runtime_version = "Docker version ${var.docker_version}" 7 | ecs_agent_version = "${var.ecs_agent_version}" 8 | ami_type = "al2kernel5dot10" 9 | ami_version = "2.0.${var.ami_version_al2}" 10 | } 11 | merged_tags = merge("${local.default_tags}", "${var.tags}") 12 | } 13 | 14 | source "amazon-ebs" "al2kernel5dot10" { 15 | ami_name = "${local.ami_name_al2kernel5dot10}" 16 | ami_description = "Amazon Linux AMI 
2.0.${var.ami_version_al2} Kernel 5.10 x86_64 ECS HVM GP2" 17 | instance_type = var.general_purpose_instance_types[0] 18 | launch_block_device_mappings { 19 | volume_size = var.block_device_size_gb 20 | delete_on_termination = true 21 | volume_type = "gp2" 22 | device_name = "/dev/xvda" 23 | } 24 | metadata_options { 25 | http_endpoint = "enabled" 26 | http_tokens = "required" // This enforces IMDSv2 27 | http_put_response_hop_limit = 2 28 | } 29 | region = var.region 30 | source_ami_filter { 31 | filters = { 32 | name = "${var.source_ami_al2kernel5dot10}" 33 | } 34 | owners = ["amazon"] 35 | most_recent = true 36 | include_deprecated = true 37 | } 38 | ami_ou_arns = "${var.ami_ou_arns}" 39 | ami_org_arns = "${var.ami_org_arns}" 40 | ami_users = "${var.ami_users}" 41 | ssh_interface = "public_ip" 42 | ssh_username = "ec2-user" 43 | tags = "${local.merged_tags}" 44 | run_tags = "${var.run_tags}" 45 | } 46 | -------------------------------------------------------------------------------- /al2kernel5dot10arm.pkr.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | ami_name_al2kernel5dot10arm = "${var.ami_name_prefix_al2}-kernel-5.10-hvm-2.0.${var.ami_version_al2}-arm64-ebs" 3 | default_tags = { 4 | os_version = "Amazon Linux 2" 5 | source_image_name = "{{ .SourceAMIName }}" 6 | ecs_runtime_version = "Docker version ${var.docker_version}" 7 | ecs_agent_version = "${var.ecs_agent_version}" 8 | ami_type = "al2kernel5dot10arm" 9 | ami_version = "2.0.${var.ami_version_al2}" 10 | } 11 | merged_tags = merge("${local.default_tags}", "${var.tags}") 12 | } 13 | 14 | source "amazon-ebs" "al2kernel5dot10arm" { 15 | ami_name = "${local.ami_name_al2kernel5dot10arm}" 16 | ami_description = "Amazon Linux AMI 2.0.${var.ami_version_al2} Kernel 5.10 arm64 ECS HVM GP2" 17 | instance_type = var.arm_instance_types[0] 18 | launch_block_device_mappings { 19 | volume_size = var.block_device_size_gb 20 | delete_on_termination = true 21 | 
volume_type = "gp2" 22 | device_name = "/dev/xvda" 23 | } 24 | metadata_options { 25 | http_endpoint = "enabled" 26 | http_tokens = "required" // This enforces IMDSv2 27 | http_put_response_hop_limit = 2 28 | } 29 | region = var.region 30 | source_ami_filter { 31 | filters = { 32 | name = "${var.source_ami_al2kernel5dot10arm}" 33 | } 34 | owners = ["amazon"] 35 | most_recent = true 36 | include_deprecated = true 37 | } 38 | ami_ou_arns = "${var.ami_ou_arns}" 39 | ami_org_arns = "${var.ami_org_arns}" 40 | ami_users = "${var.ami_users}" 41 | ssh_interface = "public_ip" 42 | ssh_username = "ec2-user" 43 | tags = "${local.merged_tags}" 44 | run_tags = "${var.run_tags}" 45 | } 46 | -------------------------------------------------------------------------------- /al2kernel5dot10gpu.pkr.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | ami_name_al2kernel5dot10gpu = "${var.ami_name_prefix_al2}-kernel-5.10-gpu-hvm-2.0.${var.ami_version_al2}-x86_64-ebs" 3 | default_tags = { 4 | os_version = "Amazon Linux 2" 5 | source_image_name = "{{ .SourceAMIName }}" 6 | ecs_runtime_version = "Docker version ${var.docker_version}" 7 | ecs_agent_version = "${var.ecs_agent_version}" 8 | ami_type = "al2kernel5dot10gpu" 9 | ami_version = "2.0.${var.ami_version_al2}" 10 | } 11 | merged_tags = merge("${local.default_tags}", "${var.tags}") 12 | } 13 | 14 | source "amazon-ebs" "al2kernel5dot10gpu" { 15 | ami_name = "${local.ami_name_al2kernel5dot10gpu}" 16 | ami_description = "Amazon Linux AMI 2.0.${var.ami_version_al2} Kernel 5.10 x86_64 ECS HVM GP2" 17 | instance_type = var.gpu_instance_types[0] 18 | launch_block_device_mappings { 19 | volume_size = var.block_device_size_gb 20 | delete_on_termination = true 21 | volume_type = "gp2" 22 | device_name = "/dev/xvda" 23 | } 24 | metadata_options { 25 | http_endpoint = "enabled" 26 | http_tokens = "required" // This enforces IMDSv2 27 | http_put_response_hop_limit = 2 28 | } 29 | region = 
var.region 30 | source_ami_filter { 31 | filters = { 32 | name = "${var.source_ami_al2kernel5dot10}" 33 | } 34 | owners = ["amazon"] 35 | most_recent = true 36 | include_deprecated = true 37 | } 38 | ami_ou_arns = "${var.ami_ou_arns}" 39 | ami_org_arns = "${var.ami_org_arns}" 40 | ami_users = "${var.ami_users}" 41 | ssh_interface = "public_ip" 42 | ssh_username = "ec2-user" 43 | tags = "${local.merged_tags}" 44 | run_tags = "${var.run_tags}" 45 | } 46 | -------------------------------------------------------------------------------- /al2kernel5dot10inf.pkr.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | ami_name_al2kernel5dot10inf = "${var.ami_name_prefix_al2}-kernel-5.10-inf-hvm-2.0.${var.ami_version_al2}-x86_64-ebs" 3 | default_tags = { 4 | os_version = "Amazon Linux 2" 5 | source_image_name = "{{ .SourceAMIName }}" 6 | ecs_runtime_version = "Docker version ${var.docker_version}" 7 | ecs_agent_version = "${var.ecs_agent_version}" 8 | ami_type = "al2kernel5dot10inf" 9 | ami_version = "2.0.${var.ami_version_al2}" 10 | } 11 | merged_tags = merge("${local.default_tags}", "${var.tags}") 12 | } 13 | 14 | source "amazon-ebs" "al2kernel5dot10inf" { 15 | ami_name = "${local.ami_name_al2kernel5dot10inf}" 16 | ami_description = "Amazon Linux AMI 2.0.${var.ami_version_al2} Kernel 5.10 x86_64 ECS HVM GP2" 17 | instance_type = var.inf_instance_types[0] 18 | launch_block_device_mappings { 19 | volume_size = var.block_device_size_gb 20 | delete_on_termination = true 21 | volume_type = "gp2" 22 | device_name = "/dev/xvda" 23 | } 24 | metadata_options { 25 | http_endpoint = "enabled" 26 | http_tokens = "required" // This enforces IMDSv2 27 | http_put_response_hop_limit = 2 28 | } 29 | region = var.region 30 | source_ami_filter { 31 | filters = { 32 | name = "${var.source_ami_al2kernel5dot10}" 33 | } 34 | owners = ["amazon"] 35 | most_recent = true 36 | include_deprecated = true 37 | } 38 | ami_ou_arns = "${var.ami_ou_arns}" 39 
| ami_org_arns = "${var.ami_org_arns}" 40 | ami_users = "${var.ami_users}" 41 | ssh_interface = "public_ip" 42 | ssh_username = "ec2-user" 43 | tags = "${local.merged_tags}" 44 | run_tags = "${var.run_tags}" 45 | } 46 | -------------------------------------------------------------------------------- /files/29-ecs-banner-begin.sh.amzn2: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | # Copyright (C) 2018 Amazon.com, Inc. or its affiliates. 4 | # All Rights Reserved. 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"). 7 | # You may not use this file except in compliance with the License. 8 | # A copy of the License is located at 9 | # 10 | # http://aws.amazon.com/apache2.0/ 11 | # 12 | # or in the "license" file accompanying this file. This file is 13 | # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS 14 | # OF ANY KIND, either express or implied. See the License for the 15 | # specific language governing permissions and limitations under the 16 | # License. 17 | 18 | echo -e " 19 | __| __| __| 20 | _| ( \__ \ Amazon Linux 2 (ECS Optimized) 21 | ____|\___|____/ 22 | 23 | For documentation, visit http://aws.amazon.com/documentation/ecs" 24 | 25 | # Disable system-release banner during update-motd, reverted with 26 | # 31-ecs-banner-finish. 27 | chmod -x /etc/update-motd.d/30-banner 28 | -------------------------------------------------------------------------------- /files/31-ecs-banner-finish.sh.amzn2: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | # Copyright (C) 2018 Amazon.com, Inc. or its affiliates. 4 | # All Rights Reserved. 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"). 7 | # You may not use this file except in compliance with the License. 
8 | # A copy of the License is located at 9 | # 10 | # http://aws.amazon.com/apache2.0/ 11 | # 12 | # or in the "license" file accompanying this file. This file is 13 | # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS 14 | # OF ANY KIND, either express or implied. See the License for the 15 | # specific language governing permissions and limitations under the 16 | # License. 17 | 18 | # Re-enable the system release banner to return to packaged defaults 19 | # after being disabled by 29-ecs-banner-begin. 20 | chmod +x /etc/update-motd.d/30-banner 21 | -------------------------------------------------------------------------------- /files/69-available-updates-begin.sh.amzn2: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | # Copyright (C) 2024 Amazon.com, Inc. or its affiliates. 4 | # All Rights Reserved. 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"). 7 | # You may not use this file except in compliance with the License. 8 | # A copy of the License is located at 9 | # 10 | # http://aws.amazon.com/apache2.0/ 11 | # 12 | # or in the "license" file accompanying this file. This file is 13 | # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS 14 | # OF ANY KIND, either express or implied. See the License for the 15 | # specific language governing permissions and limitations under the 16 | # License. 17 | 18 | # package_updates is a summary of the number of updates available. 19 | # It is copied from 70-available-updates, which is inherited from AL2. 
20 | package_updates=$(LANG=C timeout 30s /usr/bin/yum \ 21 | --debuglevel 2 \ 22 | --security check-update 2>/dev/null \ 23 | | grep -P '(?|release-al1.auto.pkrvars.hcl <|release-al2.auto.pkrvars.hcl <|release-al2023.auto.pkrvars.hcl <>/tmp/docker-storage-setup <>/tmp/31-banner 12 | , #_ 13 | ~\_ ####_ 14 | ~~ \_#####\ 15 | ~~ \###| 16 | ~~ \#/ ___ Amazon Linux 2023 (ECS Optimized) 17 | ~~ V~' '-> 18 | ~~~ / 19 | ~~._. _/ 20 | _/ _/ 21 | _/m/' 22 | 23 | For documentation, visit http://aws.amazon.com/documentation/ecs 24 | EOF 25 | sudo mv /tmp/31-banner /etc/motd.d/31-banner 26 | -------------------------------------------------------------------------------- /scripts/append-efs-client-info.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -ex 3 | 4 | cat <>user_data.txt 93 | Content-Type: multipart/mixed; boundary="//" 94 | MIME-Version: 1.0 95 | 96 | --// 97 | Content-Type: text/cloud-config; charset="us-ascii" 98 | MIME-Version: 1.0 99 | Content-Transfer-Encoding: 7bit 100 | Content-Disposition: attachment; filename="cloud-config.txt" 101 | 102 | #cloud-config 103 | repo_upgrade: none 104 | 105 | --// 106 | Content-Type: text/x-shellscript; charset="us-ascii" 107 | MIME-Version: 1.0 108 | Content-Transfer-Encoding: 7bit 109 | Content-Disposition: attachment; filename="userdata.txt" 110 | 111 | #!/bin/bash 112 | cd /tmp 113 | sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm 114 | sudo start amazon-ssm-agent 115 | --//-- 116 | EOT 117 | 118 | else 119 | echo "#cloud-config" >>user_data.txt 120 | echo "repo_upgrade: none" >>user_data.txt 121 | fi 122 | 123 | # Launch ec2 instance with given ami and SSM access for command execution 124 | # Also get instance id 125 | # Modify user data to ignore automatic updates by al and al2 126 | instance_id=$(aws ec2 run-instances \ 127 | --image-id $ami_id \ 128 | --instance-type $instance_type \ 
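--iam-instance-profile Arn=$IAM_INSTANCE_PROFILE_ARN \
    --metadata-options "HttpEndpoint=enabled,HttpTokens=required,HttpPutResponseHopLimit=2" \
    --user-data file://user_data.txt \
    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value='$platform-check-update-security'}]' |
    jq -r '.Instances[0].InstanceId')

# Build the SSM command for the platform. Every branch runs a package-manager
# check whose exit status (compared against UPDATE_EXISTS_CODE / SUCCESS_CODE,
# expected to be defined earlier in this script, outside this excerpt) decides
# the result printed at the end.
if [ "$platform" = "al2_gpu" ]; then
    # The amzn2-nvidia repository does not provide updateinfo metadata (updateinfo.xml),
    # which YUM relies on to classify updates as security-related. The --security flag
    # would not detect updates without this metadata. Therefore, we check for all updates
    # to nvidia-driver packages and handle them as potential security updates.
    command_params='commands=["yum check-update nvidia-driver-latest-dkms -q"]'
elif [ "$platform" = "al2023_gpu" ]; then
    # Run check-update in a loop to ensure that the repo metadata is up to date
    command_params='commands=["for i in {1..5}; do dnf clean expire-cache; dnf --refresh check-upgrade nvidia-driver-cuda -q; code=$?; if [ $code -eq 100 ]; then exit 100; fi; sleep 5; done; exit 0"]'
else
    command_params='commands=["yum check-update --security --sec-severity=critical --exclude=nvidia*,docker*,cuda*,containerd*,runc* -q"]'
fi

# Wait for instance status to reach ok, fail at timeout code
aws ec2 wait instance-running --instance-ids "$instance_id"
# $? is the exit status of the wait above; pass it directly rather than
# round-tripping it through echo.
check_wait_response $?

# Instance has been launched, terminate in case of an error
# (failure_cleanup is expected to be defined earlier in this script, outside this excerpt).
trap 'failure_cleanup' ERR

# The user data file was only needed for the launch call above.
rm user_data.txt

# Assert that ssm agent is running before moving forward
ssm_agent_status() {
    aws ssm describe-instance-information \
        --instance-information-filter-list key=InstanceIds,valueSet="$instance_id" \
        --query 'InstanceInformationList[0].PingStatus' --output text
}
max_retries=10
success=0
for ((r = 0; r < max_retries; r++)); do
    if [ "$(ssm_agent_status)" = "Online" ]; then
        success=1
        break
    fi
    sleep 10
done
if [ $success -ne 1 ]; then
    echo "SSM Agent connection timed out"
    failure_cleanup
    exit 1
fi

# Send command
cmd_id=$(aws ssm send-command \
    --document-name 'AWS-RunShellScript' \
    --parameters "$command_params" \
    --targets Key=instanceids,Values="$instance_id" \
    --comment "run security check" |
    jq -r '.Command.CommandId')

# Wait for command to be executed
command_status() {
    aws ssm get-command-invocation \
        --command-id "$cmd_id" \
        --instance-id "$instance_id" \
        --query 'Status' \
        --output text
}
max_retries=25
success=0
for ((r = 0; r < max_retries; r++)); do
    sleep 5
    cmd_status=$(command_status)
    # Only Failed and Success are treated as terminal; any other status
    # (including Cancelled / TimedOut) is retried until max_retries and then
    # reported as a timeout below, which is the safe outcome for this check.
    if [ "$cmd_status" = "Failed" ] || [ "$cmd_status" = "Success" ]; then
        success=1
        break
    fi
done
if [ $success -ne 1 ]; then
    echo "Command execution timed out"
    failure_cleanup
    exit 1
fi

# Get command output
cmd_output=$(aws ssm get-command-invocation \
    --command-id "$cmd_id" \
    --instance-id "$instance_id")

cmd_response_code=$(echo "$cmd_output" | jq -r '.ResponseCode')
std_output=$(echo "$cmd_output" | jq -r '.StandardOutputContent')

# Delete the instance before evaluating the result so it is not left running
# on any of the exit paths below.
terminate_out=$(aws ec2 terminate-instances --instance-ids "$instance_id")

# Return whether update is necessary. Output contract consumed by
# check-update.sh: "true" optionally followed by a space and the NVIDIA
# driver version, or "false".
if [ "$cmd_response_code" -eq "$UPDATE_EXISTS_CODE" ]; then
    if [ "$platform" = "al2_gpu" ]; then
        nvidia_driver_version=$(echo "$std_output" | grep "nvidia-driver-latest-dkms" | awk '{print $2}' | cut -d'-' -f1 | sed 's/^[0-9]://')
        if [ -n "$nvidia_driver_version" ]; then
            echo "true $nvidia_driver_version"
        else
            echo "true"
        fi
    elif [ "$platform" = "al2023_gpu" ]; then
        nvidia_driver_version=$(echo "$std_output" | grep "nvidia-driver-cuda" | awk '{print $2}' | cut -d'-' -f1 | sed 's/^[0-9]://')
        echo "true $nvidia_driver_version"
    else
        echo "true"
    fi
elif [ "$cmd_response_code" -ne "$SUCCESS_CODE" ]; then
    # If update doesn't exist and there was a fail code, something went wrong
    echo "Unknown issue with the command execution"
    exit 1
else
    echo "false"
fi

exit 0
--------------------------------------------------------------------------------
/scripts/check-update.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
set -exo pipefail

usage() {
    echo "Usage:"
    echo " $0 AMI_TYPE"
    echo "Example:"
    echo " $0 al2"
    echo "AMI_TYPE Must be one of: al1, al2, al2023"
}

error() {
    local msg="$1"
    echo "ERROR: $msg"
    usage
    exit 1
}

# Function to handle NVIDIA driver version extraction and storage.
# ami_variant: AMI type from the command line (only al2 / al2023 are handled).
# gpu_update:  output of check-update-security.sh for the *_gpu platform; when an
#              update exists it is "true" optionally followed by the driver version.
handle_nvidia_version() {
    local ami_variant=$1
    local gpu_update=$2

    # Skip if not a GPU-supported AMI type
    if [[ $ami_variant != "al2" && $ami_variant != "al2023" ]]; then
        return
    fi

    local version=""
    local version_key="nvidia_driver_version_${ami_variant}"

    # -s makes cut print nothing for a bare "true" (no delimiter present);
    # without it cut echoes the whole line and "true" would be written as the
    # driver version.
    if [[ $gpu_update == true* ]]; then
        version=$(echo "$gpu_update" | cut -s -d' ' -f2)
    fi

    # Update version entry if version is available and file exists.
    # NOTE(review): both guards are silent; if the repo file is not named exactly
    # NVIDIA_DRIVER_VERSION, or has no "<key> = " line, nothing is written and no
    # error is raised. Confirm the file name against the repository root.
    if [ -n "$version" ] && [ -f NVIDIA_DRIVER_VERSION ]; then
        if grep -q "^${version_key} = " NVIDIA_DRIVER_VERSION; then
            sed -i "s/^${version_key} = .*/${version_key} = \"${version}\"/" NVIDIA_DRIVER_VERSION
        fi
    fi
}

readonly ami_type="$1"
if [ -z "$ami_type" ]; then
    error "AMI_TYPE must be provided"
fi

# Snapshot the current release vars, regenerate them and diff everything except
# the ami_version line. diff exits non-zero when the files differ, so it runs
# with errexit suspended.
cp release-$ami_type.auto.pkrvars.hcl release-$ami_type.old.hcl
./generate-release-vars.sh $ami_type
set +e
diff_val=$(diff <(grep -v ami_version release-$ami_type.old.hcl) <(grep -v ami_version release-$ami_type.auto.pkrvars.hcl))
set -e

# Initialise the result before any check runs. Previously Update was reset to
# "false" inside the `-z "$diff_val"` branch below, which discarded an
# Update="true" set by the GPU check and left a modified NVIDIA_DRIVER_VERSION
# un-added whenever the dependency file itself was unchanged.
Update="false"

# Check for NVIDIA driver version for both AL2 and AL2023
if [ "$ami_type" = "al2" ] || [ "$ami_type" = "al2023" ]; then
    gpu_update=$(./scripts/check-update-security.sh "${ami_type}_gpu")
    handle_nvidia_version "$ami_type" "$gpu_update"
    if [[ $gpu_update == true* ]]; then
        Update="true"
    fi
fi

# If no difference in dependencies, check for security update
if [ -z "$diff_val" ]; then
    case "$ami_type" in
    "al2023")
        # AL2023 version already generates a diff in dependency file if it has security updates, so no check necessary if AL2023
        ;;
    "al1")
        Update=$(./scripts/check-update-security.sh $ami_type)
        ;;
    "al2")
        # Check all AL2 variants
        amd_update=$(./scripts/check-update-security.sh $ami_type)
        arm_update=$(./scripts/check-update-security.sh "${ami_type}_arm")

        # Combine results
        if [[ $amd_update == true* ]] || [[ $arm_update == true* ]]; then
            Update="true"
        fi
        ;;
    *)
        echo "Error: Invalid AMI type: $ami_type"
        exit 1
        ;;
    esac
else
    Update="true"
fi

rm "release-$ami_type.old.hcl"

if [ "$Update" = "true" ]; then
    echo "Update exists for $ami_type"
    git add 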
release-$ami_type.auto.pkrvars.hcl 98 | if [ -f NVIDIA_DRIVER_VERSION ] && ! git diff --quiet NVIDIA_DRIVER_VERSION; then 99 | echo "NVIDIA driver version changes detected" 100 | git add NVIDIA_DRIVER_VERSION 101 | fi 102 | else 103 | echo "Update does not exist for $ami_type" 104 | fi 105 | -------------------------------------------------------------------------------- /scripts/cleanup.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -ex 3 | 4 | # Below command actually runs `sudo dnf clean all` for AL2023. 5 | # See https://docs.aws.amazon.com/linux/al2023/ug/package-management.html for more details. 6 | sudo yum clean all 7 | 8 | function cleanup() { 9 | FILES=("$@") 10 | for FILE in "${FILES[@]}"; do 11 | if sudo test -f $FILE; then 12 | echo "Deleting $FILE" 13 | sudo shred -zuf $FILE 14 | fi 15 | if sudo test -f $FILE; then 16 | echo "Failed to delete '$FILE'. Failing." 17 | exit 1 18 | fi 19 | done 20 | } 21 | 22 | # Clean up for cloud-init files 23 | CLOUD_INIT_FILES=( 24 | "/etc/locale.conf" 25 | "/var/log/cloud-init.log" 26 | "/var/log/cloud-init-output.log" 27 | ) 28 | echo "Cleaning up cloud init files" 29 | cleanup "${CLOUD_INIT_FILES[@]}" 30 | if [[ $(sudo find /var/lib/cloud -type f | sudo wc -l) -gt 0 ]]; then 31 | echo "Deleting files within /var/lib/cloud/*" 32 | sudo find /var/lib/cloud -type f -exec shred -zuf {} \; 33 | fi 34 | 35 | if [[ $(sudo ls /var/lib/cloud | sudo wc -l) -gt 0 ]]; then 36 | echo "Deleting /var/lib/cloud/*" 37 | sudo rm -rf /var/lib/cloud/* || true 38 | fi 39 | 40 | # Clean up for temporary instance files 41 | INSTANCE_FILES=( 42 | "/etc/.updated" 43 | "/etc/aliases.db" 44 | "/etc/hostname" 45 | "/var/lib/misc/postfix.aliasesdb-stamp" 46 | "/var/lib/postfix/master.lock" 47 | "/var/spool/postfix/pid/master.pid" 48 | "/var/.updated" 49 | "/var/cache/yum/x86_64/2/.gpgkeyschecked.yum" 50 | ) 51 | echo "Cleaning up instance files" 52 | cleanup 
"${INSTANCE_FILES[@]}" 53 | 54 | # Clean up for ssh files 55 | SSH_FILES=( 56 | "/etc/ssh/ssh_host_rsa_key" 57 | "/etc/ssh/ssh_host_rsa_key.pub" 58 | "/etc/ssh/ssh_host_ecdsa_key" 59 | "/etc/ssh/ssh_host_ecdsa_key.pub" 60 | "/etc/ssh/ssh_host_ed25519_key" 61 | "/etc/ssh/ssh_host_ed25519_key.pub" 62 | "/root/.ssh/authorized_keys" 63 | ) 64 | echo "Cleaning up ssh files" 65 | cleanup "${SSH_FILES[@]}" 66 | USERS=$(ls /home/) 67 | for user in $USERS; do 68 | echo Deleting /home/"$user"/.ssh/authorized_keys 69 | sudo find /home/"$user"/.ssh/authorized_keys -type f -exec shred -zuf {} \; 70 | done 71 | for user in $USERS; do 72 | if sudo test -f /home/"$user"/.ssh/authorized_keys; then 73 | echo Failed to delete /home/"$user"/.ssh/authorized_keys 74 | exit 1 75 | fi 76 | done 77 | 78 | INSTANCE_LOG_FILES=( 79 | "/var/log/audit/audit.log" 80 | "/var/log/boot.log" 81 | "/var/log/dmesg" 82 | "/var/log/messages" 83 | "/var/log/cron" 84 | ) 85 | echo "Cleaning up instance log files" 86 | cleanup "${INSTANCE_LOG_FILES[@]}" 87 | 88 | echo "Cleaning TOE files" 89 | if [[ $(sudo find {{workingDirectory}}/TOE_* -type f | sudo wc -l) -gt 0 ]]; then 90 | echo "Deleting files within {{workingDirectory}}/TOE_*" 91 | sudo find {{workingDirectory}}/TOE_* -type f -exec shred -zuf {} \; 92 | fi 93 | if [[ $(sudo find {{workingDirectory}}/TOE_* -type f | sudo wc -l) -gt 0 ]]; then 94 | echo "Failed to delete {{workingDirectory}}/TOE_*" 95 | exit 1 96 | fi 97 | if [[ $(sudo find {{workingDirectory}}/TOE_* -type d | sudo wc -l) -gt 0 ]]; then 98 | echo "Deleting {{workingDirectory}}/TOE_*" 99 | sudo rm -rf {{workingDirectory}}/TOE_* 100 | fi 101 | if [[ $(sudo find {{workingDirectory}}/TOE_* -type d | sudo wc -l) -gt 0 ]]; then 102 | echo "Failed to delete {{workingDirectory}}/TOE_*" 103 | exit 1 104 | fi 105 | 106 | echo "Cleaning up ssm log files" 107 | if sudo test -d "/var/log/amazon/ssm"; then 108 | echo "Deleting /var/log/amazon/ssm/*" 109 | sudo rm -rf /var/log/amazon/ssm 110 | fi 
111 | if sudo test -d "/var/log/amazon/ssm"; then 112 | echo "Failed to delete /var/log/amazon/ssm" 113 | exit 1 114 | fi 115 | 116 | if [[ $(sudo find /var/log/sa/sa* -type f | sudo wc -l) -gt 0 ]]; then 117 | echo "Deleting /var/log/sa/sa*" 118 | sudo shred -zuf /var/log/sa/sa* 119 | fi 120 | if [[ $(sudo find /var/log/sa/sa* -type f | sudo wc -l) -gt 0 ]]; then 121 | echo "Failed to delete /var/log/sa/sa*" 122 | exit 1 123 | fi 124 | 125 | if [[ $(sudo find /var/lib/dhclient/dhclient*.lease -type f | sudo wc -l) -gt 0 ]]; then 126 | echo "Deleting /var/lib/dhclient/dhclient*.lease" 127 | sudo shred -zuf /var/lib/dhclient/dhclient*.lease 128 | fi 129 | if [[ $(sudo find /var/lib/dhclient/dhclient*.lease -type f | sudo wc -l) -gt 0 ]]; then 130 | echo "Failed to delete /var/lib/dhclient/dhclient*.lease" 131 | exit 1 132 | fi 133 | 134 | if [[ $(sudo find /var/tmp -type f | sudo wc -l) -gt 0 ]]; then 135 | echo "Deleting files within /var/tmp/*" 136 | sudo find /var/tmp -type f -exec shred -zuf {} \; 137 | fi 138 | if [[ $(sudo find /var/tmp -type f | sudo wc -l) -gt 0 ]]; then 139 | echo "Failed to delete /var/tmp" 140 | exit 1 141 | fi 142 | if [[ $(sudo ls /var/tmp | sudo wc -l) -gt 0 ]]; then 143 | echo "Deleting /var/tmp/*" 144 | sudo rm -rf /var/tmp/* 145 | fi 146 | 147 | # Shredding is not guaranteed to work well on rolling logs 148 | 149 | if sudo test -f "/var/lib/rsyslog/imjournal.state"; then 150 | echo "Deleting /var/lib/rsyslog/imjournal.state" 151 | sudo shred -zuf /var/lib/rsyslog/imjournal.state 152 | sudo rm -f /var/lib/rsyslog/imjournal.state 153 | fi 154 | 155 | if [[ $(sudo ls /var/log/journal/ | sudo wc -l) -gt 0 ]]; then 156 | echo "Deleting /var/log/journal/*" 157 | sudo find /var/log/journal/ -type f -exec shred -zuf {} \; 158 | sudo rm -rf /var/log/journal/* 159 | fi 160 | 161 | # delete a few items missed in https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-best-practices.html 162 | sudo rm -rf \ 163 | /etc/machine-id \ 
164 | /var/cache/dnf \ 165 | /var/cache/yum \ 166 | /tmp/* \ 167 | /var/lib/dhcp/dhclient.* \ 168 | /var/lib/dnf/history* \ 169 | /var/lib/yum/history \ 170 | /var/log/secure \ 171 | /var/log/wtmp \ 172 | /etc/ssh/ssh_host* 173 | 174 | sudo touch /etc/machine-id 175 | -------------------------------------------------------------------------------- /scripts/enable-ecs-agent-gpu-support-al2023.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -ex 3 | 4 | # Only proceed for AL2023 GPU AMIs 5 | if [[ $AMI_TYPE != "al2023"*"gpu" ]]; then 6 | exit 0 7 | fi 8 | 9 | ### Install GPU Drivers and Required Packages 10 | # Install base requirements 11 | sudo dnf install -y dkms kernel-modules-extra kernel-devel-$(uname -r) 12 | 13 | # Enable DKMS service 14 | sudo systemctl enable --now dkms 15 | 16 | # nvidia-release creates an nvidia repo file at /etc/yum.repos.d/amazonlinux-nvidia.repo 17 | sudo dnf install -y nvidia-release 18 | 19 | # Install NVIDIA drivers and tools 20 | sudo dnf install -y nvidia-driver \ 21 | nvidia-fabric-manager \ 22 | pciutils \ 23 | xorg-x11-server-Xorg \ 24 | nvidia-container-toolkit \ 25 | oci-add-hooks 26 | 27 | ### Configure NVIDIA Services 28 | # The Fabric Manager service needs to be started and enabled on EC2 P4d instances 29 | # in order to configure NVLinks and NVSwitches 30 | sudo systemctl enable nvidia-fabricmanager 31 | 32 | # NVIDIA Persistence Daemon needs to be started and enabled on P5 instances 33 | # to maintain persistent software state in the NVIDIA driver. 
34 | sudo systemctl enable nvidia-persistenced 35 | 36 | ### Configure ECS GPU Support 37 | mkdir -p /tmp/ecs 38 | echo 'ECS_ENABLE_GPU_SUPPORT=true' >/tmp/ecs/ecs.config 39 | sudo mv /tmp/ecs/ecs.config /var/lib/ecs/ecs.config 40 | 41 | ### Configure GPU Container Runtime 42 | # Create required directories 43 | sudo mkdir -p /etc/docker-runtimes.d 44 | sudo mkdir -p /usr/share/docker-runtime-nvidia 45 | 46 | # Create the nvidia runtime script 47 | sudo tee /etc/docker-runtimes.d/nvidia <<'EOF' 48 | #!/bin/sh 49 | if [ ! -x /usr/sbin/runc ]; then 50 | runc_path=/usr/bin/docker-runc 51 | else 52 | runc_path=/usr/sbin/runc 53 | fi 54 | exec /usr/bin/oci-add-hooks --hook-config-path /usr/share/docker-runtime-nvidia/hook-config.json --runtime-path "$runc_path" "$@" 55 | EOF 56 | 57 | # Create the NVIDIA container hook configuration 58 | sudo tee /usr/share/docker-runtime-nvidia/hook-config.json <<'EOF' 59 | { 60 | "hooks": { 61 | "prestart": [ 62 | { 63 | "path": "/usr/bin/nvidia-container-runtime-hook", 64 | "args": ["/usr/bin/nvidia-container-runtime-hook", "prestart"] 65 | } 66 | ] 67 | } 68 | } 69 | EOF 70 | 71 | # Set appropriate file permissions 72 | sudo chmod 755 /etc/docker-runtimes.d/nvidia 73 | sudo chmod 644 /usr/share/docker-runtime-nvidia/hook-config.json 74 | -------------------------------------------------------------------------------- /scripts/enable-ecs-agent-gpu-support.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -ex 3 | 4 | # Makes sure that a compatible version of gcc is used for compiling NVIDIA driver. 5 | set_compatible_gcc_version_for_nvidia_compile() { 6 | # Currently a compatible version of gcc is assumed to be used by default, unless the AMI recipe uses kernel 5.10. 7 | if [[ $AMI_TYPE == *"kernel5dot10gpu" ]]; then 8 | # Explicitly use gcc10 since gcc version for compiling the NVIDIA driver must match gcc version with which the 9 | # Linux kernel was compiled. 
10 | sudo sed -i "s/'make' -j2 module/& CC=\/usr\/bin\/gcc10-cc/" /usr/src/${MODULE_NAME}-${MODULE_VERSION}/dkms.conf 11 | fi 12 | } 13 | 14 | if [[ $AMI_TYPE != "al2"*"gpu" ]]; then 15 | exit 0 16 | fi 17 | 18 | # set up amzn2-nvidia repo 19 | GPG_CHECK=1 20 | # don't do the gpg check in air-gapped regions 21 | if [ -n "$AIR_GAPPED" ]; then 22 | GPG_CHECK=0 23 | fi 24 | tmpfile=$(mktemp) 25 | cat >$tmpfile <$tmpfile <<"EOF" 87 | #!/usr/bin/env bash 88 | set -o errexit 89 | set -o nounset 90 | set -o xtrace 91 | DKMS=/usr/sbin/dkms 92 | DKMS_ARCHIVE_DIR=/var/lib/dkms-archive 93 | KERNEL_VERSION="$(uname -r)" 94 | MODULE_VERSION=$(${DKMS} status -m nvidia | awk '{print $2}' | tr -d ',:') 95 | ${DKMS} uninstall -m nvidia -v ${MODULE_VERSION} 96 | NVIDIA_TO_REMOVE="nvidia/${MODULE_VERSION}" 97 | ${DKMS} remove ${NVIDIA_TO_REMOVE} --all 98 | echo "found nvidia kernel module: ${MODULE_VERSION}" 99 | MODULE_ARCHIVE="${DKMS_ARCHIVE_DIR}/nvidia-open/nvidia-open-${MODULE_VERSION}-kernel${KERNEL_VERSION}-x86_64.dkms.tar.gz" 100 | echo "loading from ${MODULE_ARCHIVE}" 101 | ${DKMS} ldtarball ${MODULE_ARCHIVE} 102 | ${DKMS} install -m nvidia -v ${MODULE_VERSION} 103 | sudo systemctl daemon-reload 104 | ${DKMS} status -m nvidia 105 | EOF 106 | 107 | sudo mv $tmpfile /var/lib/ecs/scripts/install-nvidia-open-kmod.sh 108 | sudo chmod +x /var/lib/ecs/scripts/install-nvidia-open-kmod.sh 109 | fi 110 | 111 | # system-release-nvidia creates an nvidia repo file at /etc/yum.repos.d/amzn2-nvidia.repo 112 | sudo yum install -y system-release-nvidia 113 | sudo rm /etc/yum.repos.d/amzn2-nvidia-tmp.repo 114 | 115 | # for building AMIs for GPUs with Kepler architecture, fix package versions 116 | # also exclude nvidia and cuda packages to update. Newer Nvidia drivers do not support Kepler architecture 117 | # TODO: The package versions are fixed for Kepler. They have to be manually updated when there is a minor version update in AL repo. 
118 | if [[ $AMI_TYPE == "al2keplergpu" ]]; then 119 | sudo yum install -y kernel-devel-$(uname -r) \ 120 | system-release-nvidia \ 121 | nvidia-driver-latest-dkms-470.182.03 \ 122 | nvidia-fabric-manager-470.182.03-1 \ 123 | pciutils-3.5.1-2.amzn2 \ 124 | xorg-x11-server-Xorg \ 125 | docker-runtime-nvidia-1 \ 126 | oci-add-hooks \ 127 | libnvidia-container-1.4.0 \ 128 | libnvidia-container-tools-1.4.0 \ 129 | nvidia-container-runtime-hook-1.4.0 130 | 131 | sudo yum install -y cuda-toolkit-11-4 132 | echo "exclude=*nvidia* *cuda*" | sudo tee -a /etc/yum.conf 133 | else 134 | # Default GPU AMI 135 | sudo yum install -y kernel-devel-$(uname -r) \ 136 | system-release-nvidia \ 137 | nvidia-driver-latest-dkms \ 138 | nvidia-fabric-manager \ 139 | pciutils \ 140 | xorg-x11-server-Xorg \ 141 | docker-runtime-nvidia \ 142 | oci-add-hooks \ 143 | libnvidia-container1 \ 144 | libnvidia-container-tools \ 145 | nvidia-container-toolkit-base \ 146 | nvidia-container-toolkit 147 | 148 | sudo yum install -y cuda-drivers \ 149 | cuda 150 | fi 151 | 152 | if [[ $AMI_TYPE == *"kernel5dot10gpu" ]]; then 153 | # rebuild module/update drivers using compatible gcc version (gcc10) 154 | MODULE_NAME="nvidia" 155 | MODULE_VERSION=$(${DKMS} status -m ${MODULE_NAME} | awk '{print $2}' | tr -d ',:') 156 | set_compatible_gcc_version_for_nvidia_compile 157 | sudo ${DKMS} install -m "${MODULE_NAME}" -v "${MODULE_VERSION}" 158 | fi 159 | 160 | # The Fabric Manager service needs to be started and enabled on EC2 P4d instances 161 | # in order to configure NVLinks and NVSwitches 162 | sudo systemctl enable nvidia-fabricmanager 163 | # NVIDIA Persistence Daemon needs to be started and enabled on P5 instances 164 | # to maintain persistent software state in the NVIDIA driver. 
165 | sudo systemctl enable nvidia-persistenced
# The agent config is staged at a fixed path under /tmp (appended with >>, so any pre-existing content of
# /tmp/ecs/ecs.config on the build host would be carried along) and then installed with `sudo mv`, which replaces
# whatever /var/lib/ecs/ecs.config held before and keeps the build user's ownership of the file.
# NOTE(review): `sudo install -o root -g root -m 0644 /tmp/ecs/ecs.config /var/lib/ecs/ecs.config` would give the
# agent config root ownership and an explicit mode; the same pattern appears at lines 50-51 of the inferentia script.
166 | mkdir -p /tmp/ecs
167 | echo 'ECS_ENABLE_GPU_SUPPORT=true' >>/tmp/ecs/ecs.config
168 | sudo mv /tmp/ecs/ecs.config /var/lib/ecs/ecs.config
169 | -------------------------------------------------------------------------------- /scripts/enable-ecs-agent-inferentia-support.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -ex
3 |
# Runs only for the AL2 Inferentia variants and the AL2023 Neuron variant; everything else exits here.
4 | if [[ $AMI_TYPE != "al2"*"inf" && $AMI_TYPE != "al2023neu" ]]; then
5 | exit 0
6 | fi
7 |
8 | # docs about installing neuron docker environment on inferentia instances:
9 | # https://awsdocs-neuron.readthedocs-hosted.com/en/latest/neuron-deploy/tutorials/tutorial-docker-env-setup.html
10 | # https://awsdocs-neuron.readthedocs-hosted.com/en/latest/neuron-intro/mxnet-setup/mxnet-install.html#install-neuron-mxnet
11 |
12 | # Copy the neuron repo
# NOTE(review): the listing jumps from line 13 to line 50 here: the neuron repo heredoc (and whatever gpgcheck
# setting it carries), the package installation steps and the assignment of NEURON_RUNTIME used at lines 54-56
# are not visible in this view.
13 | cat >/tmp/neuron.repo <>/tmp/ecs/ecs.config
# Same staging-through-/tmp pattern as lines 166-168 of the GPU script; see the note there.
51 | sudo mv /tmp/ecs/ecs.config /var/lib/ecs/ecs.config
52 |
53 | # Copy neuron runtime to docker runtime to be accessed as one of the runtimes supported.
54 | if [ !
# NEURON_RUNTIME is assigned in a part of the script the listing does not show. The `! -f` guard keeps an existing
# file at that path untouched, so a previously installed wrapper would not be refreshed by this step; on a fresh
# build the path is presumably absent — confirm. Quoting "$NEURON_RUNTIME" here and at lines 55-56 would match the
# quoting style used elsewhere in these scripts.
-f $NEURON_RUNTIME ]; then
55 | sudo cp /opt/aws/neuron/bin/oci_neuron_hook_wrapper.sh $NEURON_RUNTIME
56 | sudo chmod +x $NEURON_RUNTIME
57 | fi
58 | -------------------------------------------------------------------------------- /scripts/enable-services.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -ex
3 |
# Only enables the units so they start on first boot of instances launched from the AMI; nothing is started here.
4 | sudo systemctl enable ecs
5 | sudo systemctl enable amazon-ecs-volume-plugin
6 | sudo systemctl enable amazon-ssm-agent
7 | -------------------------------------------------------------------------------- /scripts/install-additional-packages.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -ex
3 |
4 | ARCH=$(uname -m)
5 |
6 | # install any rpm packages from the additional-packages/ directory
# `ls` on the glob is used as the existence test (a failing `ls` inside `if` does not trip `set -e`) and doubles as a
# log of the files found. NOTE(review): `yum localinstall` only verifies RPM signatures if yum's gpgcheck /
# localpkg_gpgcheck settings require it; since air-gapped and locally-overridden builds obtain ecs-init through this
# path (install-ecs-init.sh exits early in those cases), the provenance of whatever lands in additional-packages/
# is the trust boundary here.
7 | if ls /tmp/additional-packages/*."${ARCH}".rpm; then
8 | echo "Found additional packages with architecture ${ARCH} to be installed"
9 | sudo yum localinstall -y /tmp/additional-packages/*."${ARCH}".rpm
10 | else
11 | echo "No matching additional packages with architecture ${ARCH} found"
12 | fi
13 | if ls /tmp/additional-packages/*.noarch.rpm; then
14 | echo "Found additional packages with no specific architecture to be installed"
15 | sudo yum localinstall -y /tmp/additional-packages/*.noarch.rpm
16 | else
17 | echo "No matching additional packages with no architecture found"
18 | fi
19 | -------------------------------------------------------------------------------- /scripts/install-docker.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -ex
3 |
# amazon-linux-extras exists on AL2 only, so the extras repo is enabled just where the command is present.
4 | if command -v amazon-linux-extras; then
5 | # enable docker "extras" repo when available
6 | sudo amazon-linux-extras enable docker
7 | fi
8 |
# Versions are pinned from the build variables (DOCKER_VERSION, CONTAINERD_VERSION, RUNC_VERSION; the defaults live
# in variables.pkr.hcl), so a rebuild installs the same container runtime versions rather than the newest in the repo.
9 | sudo yum install -y "docker-$DOCKER_VERSION" "containerd-$CONTAINERD_VERSION" "runc-$RUNC_VERSION"
10 |
-------------------------------------------------------------------------------- /scripts/install-ecs-init.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -ex
3 |
# In air-gapped builds, or when a local override is given, ecs-init is not downloaded or signature-checked by this
# script at all; it is expected to arrive as an RPM via install-additional-packages.sh. Both flags are tested with
# `-n`, so any non-empty value selects that path.
4 | if [ -n "$AIR_GAPPED" ]; then
5 | echo "Air-gapped region, assuming ecs-init and dependencies will be in additional-packages/ directory"
6 | exit 0
7 | fi
8 |
9 | if [ -n "$ECS_INIT_LOCAL_OVERRIDE" ]; then
10 | echo "ecs-init is provided locally, assuming it's in additional-packages/ directory"
11 | exit 0
12 | fi
13 |
# WORK_DIR is expanded when the trap is defined (double quotes), which is intentional: the directory removed on
# exit is the one created here.
14 | WORK_DIR="$(mktemp -d)"
15 | trap "rm -rf ${WORK_DIR}" EXIT
16 |
17 | # gpg key is taken from https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-install.html
# NOTE(review): the listing is garbled from here: the embedded ECS agent public key, the download and verification
# of ecs-init, the end of this script and the head of install-exec-dependencies.sh (including the opening of
# get_dns_suffix and the `echo >&2` of its line 14, of which only "<&2 ..." survives) are missing from this view.
18 | cat >"$WORK_DIR/amazon-ecs-agent.gpg" <&2 "Using configured DNS suffix: $REGION_DNS_SUFFIX"
15 | echo "$REGION_DNS_SUFFIX"
16 | return
17 | fi
18 |
# get_dns_suffix is called inside a command substitution at line 31, so `exit 1` here ends only that subshell; the
# outer script still stops because `set -e` treats the failed assignment as an error. The message at line 20 goes to
# stdout, i.e. into the captured value rather than the build log — `echo >&2 ...` as at line 14 would surface it.
19 | if [ -n "$AIR_GAPPED" ]; then
20 | echo "Air-gapped region, need to set DNS suffix explicitly"
21 | exit 1
22 | fi
23 |
24 | local host_suffix=""
25 | if grep -q "^cn-" <<<"$REGION"; then
26 | host_suffix=".cn"
27 | fi
28 | echo "amazonaws.com${host_suffix}"
29 | }
30 |
31 | DNS_SUFFIX=$(get_dns_suffix)
32 |
33 | BINARY_PATH="/var/lib/ecs/deps/execute-command/bin/${EXEC_SSM_VERSION}"
34 | CERTS_PATH="/var/lib/ecs/deps/execute-command/certs"
35 | ARCHITECTURE="$(uname -m)"
36 |
37 | # Download ssm agent static binaries in BINARY_PATH
38 | mkdir -p /tmp/ssm-binaries && cd /tmp/ssm-binaries
39 |
40 | # Import ssm agent public key
# NOTE(review): the key is imported into the build user's default keyring, and the later `gpg --verify` (line 53)
# accepts a signature from any key in that keyring. Using a dedicated keyring (`--no-default-keyring --keyring
# <file>`) or checking the signing key's fingerprint from `--status-fd` output against the expected value would
# make the verification explicit about which key is trusted.
41 | gpg --import /tmp/amazon-ssm-agent.gpg
42 |
# Only x86_64 and aarch64 are handled; there is no `*)` branch, so on any other architecture nothing is downloaded
# and the script fails later at `gpg --verify` with a less obvious "missing file" error. `-f` makes curl fail on
# HTTP errors, `-L` follows redirects, and the archive and its detached signature are fetched over HTTPS.
43 | case $ARCHITECTURE in
44 | 'x86_64')
45 | curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.${DNS_SUFFIX}/${EXEC_SSM_VERSION}/linux_amd64/amazon-ssm-agent-binaries.tar.gz" -o amazon-ssm-agent.tar.gz
46 | curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.${DNS_SUFFIX}/${EXEC_SSM_VERSION}/linux_amd64/amazon-ssm-agent-binaries.tar.gz.sig" -o amazon-ssm-agent.tar.gz.sig
47 | ;;
48 | 'aarch64')
49 | curl
-fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.${DNS_SUFFIX}/${EXEC_SSM_VERSION}/linux_arm64/amazon-ssm-agent-binaries.tar.gz" -o amazon-ssm-agent.tar.gz
50 | curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.${DNS_SUFFIX}/${EXEC_SSM_VERSION}/linux_arm64/amazon-ssm-agent-binaries.tar.gz.sig" -o amazon-ssm-agent.tar.gz.sig
51 | ;;
# NOTE(review): an explicit `*) echo "unsupported architecture: $ARCHITECTURE" >&2; exit 1 ;;` branch would fail
# here with a clear message instead of at the verify step below.
52 | esac
# Signature check before anything from the archive is used; this (together with the key imported at line 41) is the
# trust anchor for the ssm binaries that go into the AMI.
53 | gpg --verify amazon-ssm-agent.tar.gz.sig amazon-ssm-agent.tar.gz
54 |
# NOTE(review): /tmp/ssm-binaries was created by the build user at line 38, so the `sudo` on tar looks unnecessary;
# extracting unprivileged and only using sudo for the copies into BINARY_PATH would keep root out of the extraction.
# The copies below preserve whatever mode the archive carried; `sudo install -m 0755` would make it explicit.
55 | sudo tar -xvf amazon-ssm-agent.tar.gz
56 | sudo mkdir -p "${BINARY_PATH}"
57 | sudo cp amazon-ssm-agent "${BINARY_PATH}"/amazon-ssm-agent
58 | sudo cp ssm-agent-worker "${BINARY_PATH}"/ssm-agent-worker
59 | sudo cp ssm-session-worker "${BINARY_PATH}"/ssm-session-worker
60 | rm -rf /tmp/ssm-binaries
61 |
62 | # Copy certs with 400 permission in CERTS_PATH
# This is a point-in-time copy of the build host's CA bundle: later ca-certificates updates on instances launched
# from the AMI do not refresh it. The file is created by root (sudo cp) and then restricted to 0400.
63 | sudo mkdir -p ${CERTS_PATH} && cd ${CERTS_PATH}
64 | sudo cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem tls-ca-bundle.pem
65 | sudo chmod 400 tls-ca-bundle.pem
66 | -------------------------------------------------------------------------------- /scripts/install-service-connect-appnet.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -ex
3 |
# Unversioned install: the newest ecs-service-connect-agent in the repo at build time is used.
4 | sudo yum install -y ecs-service-connect-agent
5 | -------------------------------------------------------------------------------- /scripts/setup-ecs-config-dir.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -ex
3 |
# Creates empty, root-owned config files only if they do not exist; existing files are left untouched.
# NOTE(review): `touch` leaves the mode to root's umask. If operators later put credentials into these files, an
# explicit restrictive mode (e.g. `sudo install -m 0600 /dev/null /etc/ecs/ecs.config`) would be the safer default — confirm
# what the agent expects.
4 | sudo mkdir -p "/etc/ecs"
5 |
6 | if [ ! -f "/etc/ecs/ecs.config" ]; then
7 | sudo touch /etc/ecs/ecs.config
8 | fi
9 |
10 | if [ !
-f "/etc/ecs/ecs.config.json" ]; then
11 | sudo touch /etc/ecs/ecs.config.json
12 | fi
13 | -------------------------------------------------------------------------------- /variables.pkr.hcl: --------------------------------------------------------------------------------
# NOTE(review): ">= 1.2.8" lets `packer init` pick the newest matching amazon plugin at build time; a pinned or
# upper-bounded constraint gives reproducible builds and a reviewable plugin upgrade step.
1 | packer {
2 | required_plugins {
3 | amazon = {
4 | version = ">= 1.2.8"
5 | source = "github.com/hashicorp/amazon"
6 | }
7 | }
8 | }
9 |
# Base package sets installed per distribution family.
10 | locals {
11 | packages_al1 = "amazon-efs-utils ec2-net-utils acpid irqbalance numactl rng-tools docker-storage-setup"
12 | packages_al2 = "amazon-efs-utils ec2-net-utils acpid amazon-ssm-agent yum-plugin-upgrade-helper iproute-tc"
13 | packages_al2023 = "amazon-efs-utils amazon-ssm-agent amazon-ec2-net-utils acpid iproute-tc"
14 | }
15 |
16 | variable "ami_name_prefix_al1" {
17 | type = string
18 | description = "Outputted AMI name prefix."
19 | default = "unofficial-amzn-ami-2018.03."
20 | }
21 |
22 | variable "ami_name_prefix_al2" {
23 | type = string
24 | description = "Outputted AMI name prefix."
25 | default = "unofficial-amzn2-ami-ecs"
26 | }
27 |
28 | variable "ami_name_prefix_al2023" {
29 | type = string
30 | description = "Outputted AMI name prefix."
31 | default = "unofficial-amzn2023-ami-ecs"
32 | }
33 |
34 | variable "ami_version_al1" {
35 | type = string
36 | description = "Outputted AMI version."
37 | }
38 |
39 | variable "ami_version_al2" {
40 | type = string
41 | description = "Outputted AMI version."
42 | }
43 |
44 | variable "ami_version_al2023" {
45 | type = string
46 | description = "Outputted AMI version."
47 | }
48 |
49 | variable "region" {
50 | type = string
51 | description = "Region to build the AMI in."
52 | }
53 |
54 | variable "block_device_size_gb" {
55 | type = number
56 | description = "Size of the root block device."
57 | default = 30
58 | }
59 |
60 | variable "ecs_agent_version" {
61 | type = string
62 | description = "ECS agent version to build AMI with."
63 | default = "1.94.0"
64 | }
65 |
66 | variable "ecs_init_rev" {
67 | type = string
68 | description = "ecs-init package version rev"
69 | default = "1"
70 | }
71 |
# The docker/containerd/runc versions below are the pins consumed by install-docker.sh (as DOCKER_VERSION,
# CONTAINERD_VERSION and RUNC_VERSION); bumping them is how the container runtime gets patched in new AMIs.
72 | variable "docker_version" {
73 | type = string
74 | description = "Docker version to build AMI with."
75 | default = "25.0.8"
76 | }
77 |
78 | variable "containerd_version" {
79 | type = string
80 | description = "Containerd version to build AMI with."
81 | default = "1.7.27"
82 | }
83 |
84 | variable "runc_version" {
85 | type = string
86 | description = "Runc version to build AMI with."
87 | default = "1.2.4"
88 | }
89 |
90 | variable "docker_version_al2023" {
91 | type = string
92 | description = "Docker version to build AL2023 AMI with."
93 | default = "25.0.8"
94 | }
95 |
96 | variable "containerd_version_al2023" {
97 | type = string
98 | description = "Containerd version to build AL2023 AMI with."
99 | default = "1.7.27"
100 | }
101 |
102 | variable "runc_version_al2023" {
103 | type = string
104 | description = "Runc version to build AL2023 AMI with."
105 | default = "1.2.4"
106 | }
107 |
# Used by install-exec-dependencies.sh both in the S3 download URL for the signed ssm-agent archive and in the
# install path under /var/lib/ecs/deps/execute-command/bin/.
108 | variable "exec_ssm_version" {
109 | type = string
110 | description = "SSM binary version to build ECS exec support with."
111 | default = "3.3.1802.0"
112 | }
113 |
114 | variable "source_ami_al2" {
115 | type = string
116 | description = "Amazon Linux 2 source AMI to build from."
117 | }
118 |
119 | variable "source_ami_al2arm" {
120 | type = string
121 | description = "Amazon Linux 2 ARM source AMI to build from."
122 | }
123 |
124 | variable "source_ami_al2kernel5dot10" {
125 | type = string
126 | description = "Amazon Linux 2 Kernel 5.10 source AMI to build from."
127 | }
128 |
129 | variable "source_ami_al2kernel5dot10arm" {
130 | type = string
131 | description = "Amazon Linux 2 Kernel 5.10 ARM source AMI to build from."
132 | }
133 |
134 | variable "source_ami_al2023" {
135 | type = string
136 | description = "Amazon Linux 2023 source AMI to build from."
137 | }
138 |
139 | variable "source_ami_al2023arm" {
140 | type = string
141 | description = "Amazon Linux 2023 ARM source AMI to build from."
142 | }
143 |
144 | variable "distribution_release_al2023" {
145 | type = string
146 | description = "Amazon Linux 2023 distribution release."
147 | }
148 |
149 | variable "kernel_version_al2023" {
150 | type = string
151 | description = "Amazon Linux 2023 kernel version."
152 | }
153 |
154 | variable "kernel_version_al2023arm" {
155 | type = string
156 | description = "Amazon Linux 2023 ARM kernel version."
157 | }
158 |
159 | variable "source_ami_al1" {
160 | type = string
161 | description = "Amazon Linux 1 source AMI to build from."
162 | }
163 |
164 | variable "docker_version_al1" {
165 | type = string
166 | description = "Docker version to build AL1 AMI with."
167 | default = "20.10.13"
168 | }
169 |
170 | variable "ecs_version_al1" {
171 | type = string
172 | description = "ECS version to build AL1 AMI with."
173 | default = "1.51.0"
174 | }
175 |
# The build scripts test this with `[ -n "$AIR_GAPPED" ]` (enable-ecs-agent-gpu-support.sh, install-ecs-init.sh,
# install-exec-dependencies.sh), so any non-empty value — not only 'true' — selects the air-gapped path. That path
# disables GPG checking of the temporary nvidia repo, skips the ecs-init download and requires region_dns_suffix.
176 | variable "air_gapped" {
177 | type = string
178 | description = "If this build is for an air-gapped region, set to 'true'"
179 | default = ""
180 | }
181 |
182 | variable "ecs_init_url_al2" {
183 | type = string
184 | description = "Specify a particular ECS init URL for AL2 to install. If empty it will use the standard path."
185 | default = ""
186 | }
187 |
188 | variable "ecs_init_url_al2023" {
189 | type = string
190 | description = "Specify a particular ECS init URL for AL2023 to install. If empty it will use the standard path."
191 | default = ""
192 | }
193 |
# Also tested with `-n` in install-ecs-init.sh: any non-empty value makes that script exit early and leaves
# installation of ecs-init to the local RPM in additional-packages/.
194 | variable "ecs_init_local_override" {
195 | type = string
196 | description = "Specify a local init rpm under /additional-packages to be used for building AL2 and AL2023 AMIs. If empty it will use ecs_init_url if specified, otherwise the standard path"
197 | default = ""
198 | }
199 |
200 | variable "general_purpose_instance_types" {
201 | type = list(string)
202 | description = "List of available in-region instance types for general-purpose platform"
203 | default = ["c5.large"]
204 | }
205 |
206 | variable "gpu_instance_types" {
207 | type = list(string)
208 | description = "List of available in-region instance types for GPU platform"
209 | default = ["c5.4xlarge"]
210 | }
211 |
212 | variable "arm_instance_types" {
213 | type = list(string)
214 | description = "List of available in-region instance types for ARM platform"
215 | default = ["m6g.xlarge"]
216 | }
217 |
218 | variable "inf_instance_types" {
219 | type = list(string)
220 | description = "List of available in-region instance types for INF platform"
221 | default = ["inf1.xlarge"]
222 | }
223 |
224 | variable "neu_instance_types" {
225 | type = list(string)
226 | description = "List of available in-region instance types for NEU platform"
227 | default = ["inf1.xlarge"]
228 | }
229 |
# The three lists below are the launch-permission grants on the produced AMI(s). With the empty defaults no
# additional principals are granted; review any non-empty value as a sharing decision.
230 | variable "ami_ou_arns" {
231 | type = list(string)
232 | description = "A list of Amazon Resource Names (ARN) of AWS Organizations organizational units (OU) that have access to launch the resulting AMI(s)."
233 | default = []
234 | }
235 |
236 | variable "ami_org_arns" {
237 | type = list(string)
238 | description = "A list of Amazon Resource Names (ARN) of AWS Organizations that have access to launch the resulting AMI(s)."
239 | default = []
240 | }
241 |
242 | variable "ami_users" {
243 | type = list(string)
244 | description = "A list of account IDs that have access to launch the resulting AMI(s)."
245 | default = []
246 | }
247 |
248 | variable "tags" {
249 | type = map(string)
250 | description = "Tags to apply to the built AMI."
251 | default = {}
252 | }
253 |
254 | variable "run_tags" {
255 | type = map(string)
256 | description = "Tags to apply to resources (key-pair, SG, IAM, snapshot, interfaces and instance) used when building the AMI."
257 | default = {}
258 | }
259 |
# Consumed by get_dns_suffix in install-exec-dependencies.sh; when set it is used verbatim for the in-region S3
# download URL, and it must be set for air-gapped builds (the script exits otherwise).
260 | variable "region_dns_suffix" {
261 | type = string
262 | description = "DNS Suffix to use for in region URLs"
263 | default = ""
264 | }
265 | --------------------------------------------------------------------------------