cloudfoundry / bosh-aws-light-stemcell-builder Goto Github PK

Hi all,

Currently We are having issues with our AMIs present in AWS region eu-west-1 for xenial stemcells 621.5 ,170.3,

Suddenly the AWS AMI went missing form our AWS account and when we try to upload the stemcell for that it says it already exists.

But when we use --fix option to fix this it gives below error :

L Error: CPI error 'Bosh::Clouds::CloudError' with message 'Stemcell does not contain an AMI in region eu-west-1' in 'create_stemcell' CPI method (CPI request ID: 'cpi-433859')

Please let us know what is the issue, why the AMI went missing and what could be the cause?

Also we are able to upload any new stemcell and find its AMI on AWS like for version 621.123.

Please let us know how can we resolve this issue.

We raised it with AWS on why the AMIs are missing bt we received the response as we are not owner of this AMIs and to contact the owner of these AMIs

Hey,

The ☁️.gov team is migrating to using tagged instance profile workers in our Concourse pipelines. We deploy a lightly modified version of this aws-light-stemcell-builder. We'd like to propose a new feature to allow for credentials to be optional and instead leverage AWS instance profiles. @18F/cloud-gov-ops

@jmcarp observed this:

i think they want to build stemcells in multiple partitions, so they want to use creds instead of instance profiles

with the installation of the aws cli with pip it install version 1 of the aws cli
see https://github.com/cloudfoundry/bosh-aws-light-stemcell-builder/blob/master/ci/docker/boshcpi.light-stemcell-builder/Dockerfile#L11

aws cli version 2 is out for a while now and maby we hould upgrade at some point
a quick glance at https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html
and our ci build scripts

• https://github.com/cloudfoundry/bosh-stemcells-ci/blob/b1447184bfc90f17685818f6d0bb0364907f6c3a/tasks/publish.sh#L53
• https://github.com/cloudfoundry/bosh-stemcells-ci/blob/master/tasks/light-aws/tag-aws-ami-light.sh#L20

it seems we migrate without any issues

The bosh-aws-light-stemcell-builder fails to build FIPS light stemcells since it is made to produce public AMIs but FIPS stemcells should be private AMIs. That difference effects the procedure how FIPS light stemcells need to build.

Three major differences/problems are currently known:

1. As of now created snapshots are always made accessible for everyone. That need to be prevented for private AMIs like FIPS stemcells.

2. The encryption of private EBS Snapshots and AMIs need to be done using Multi Region Custom KMS keys since they otherwise cannot be shared with other regions afterwards. (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html#share-snapshot-considerations)

3. Private EBS Snapshots and AMIs need to be shared across accounts following a defined process (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/event-policy.html#create-cac-policy) which is not yet implemented in the light stemcell builder.

It's not a good experience that people need to have go installed to be able to build this tool. There should be a pre-compiled binary somewhere (maybe there is and it's not documented?) that can be directly used.

Is there anyone else having this issue where boxes just start and then die? It started with 3262.