Here's the new release tool. It uses the identity broker to acquire credentials for all activated regions and copy the AMI, including tags, to that region. For future accounting it also adds a
source_ami tag. Everything should also work if the user isn't using the identity broker, so long as AWS credentials are accessible by the SDK and
--region is passed (one or more times) to specify target regions. The tool will try not to copy the AMI more than once to a region, using the
source_ami tag, so if it's run multiple times for the same source AMI it will copy to new regions and fix permissions if needed.
The flip to public permissions is designed to happen all at once, post-copy, in the linear flow so that a release looks like it happens approximate at the same time.
I've tested the identity broker path as well as the permissions fix path but have not tested the standalone path since that isn't a use-case I have and I don't have a test account handy right now; any testing there would be appreciated. I also haven't tested sharing with separate accounts
--allow-accounts instead of
--public, but that should work as well.
To use the identity broker, grab the API key from the broker homepage and export it as the environment variable
IDENTITY_BROKER_API_KEY. Everything else should just work from there. The token is valid for 6 hours. Note that there are pretty aggressive rate limits on the broker for getting credentials so if you're doing a lot of testing in a row you'll end up waiting for the timeouts, but the script should handle it gracefully.
Any feedback would be appreciated. This should unblock the 3.12 release. There's more stuff coming with tools to prune AMIs and build the catalog from the tag metadata instead of YAML files; but I'll follow up with those a little later.