| 6 Nov 2024 |
 Arian | This example is literally importing from local disk? | 13:31:35 |
| Arian | Just like import image | 13:31:38 |
| Arian | See line 4 | 13:32:07 |
| Arian | That's pointing to your local disk image you built | 13:32:28 |
| Arian | You upload the image to S3. Then import it as a snapshot. Then register the snapshot as an image | 13:32:45 |
 tuxiqae | But that'd mean that I'd have to provision a running image first, wouldn't it? | 14:00:26 |
| Arian | You just point that to your nix image build | 14:01:36 |
| Arian | This is just doing what upload-ami does but in terraform | 14:01:52 |
| Arian | You upload the image you built to s3. Import it to EBS. Then register the ebs snapshot as an image | 14:02:21 |
| Arian | There's no ec2 instances involved. | 14:02:34 |
| Arian | Not sure what you mean with "provision a running image' | 14:02:56 |
| tuxiqae | Ah, I see, I'll give it a look soon, thanks | 14:04:32 |
| Arian | So you'd point line 4 to the image that you built with disko | 14:05:52 |
|  colemickens joined the room. | 17:19:49 |
| colemickens | 👋 | 17:19:55 |
| Arian | Hello! Welcome | 17:56:15 |
| Arian | @commiterate:matrix.org do you happen to know if its possible for us to register the nixos AMIs in the public ssm parameter store like Ubuntu does? | 17:57:08 |
| Arian | Like. It lives in the /Amazon namespace. Idk how they got access to that. | 17:57:22 |
 commiterate | I don't think creation of public SSM parameters is allowed. It's basically an AWS-internal thing.
SSM parameters can only be shared across accounts with AWS RAM. RAM only supports accounts, organizational units, or organizations (so no public option). They don't support resource-level IAM policies so we can't add one with a Principal: "*".
| 22:50:06 |
| commiterate | Wait nevermind, they do support resource-level policies.
https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutResourcePolicy.html | 22:52:11 |
| Arian | So it's just for a set of blessed images? | 22:53:04 |
| commiterate | Advanced parameters (since standard ones don't support resource-level policies) has a cost though: https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-advanced-parameters.html | 22:53:11 |
| commiterate | Yeah it looks like they hardcode what parameters are public. | 22:53:25 |
| commiterate | Even with the resource-level IAM policy, it seems people must refer to the parameter by its full ARN instead of just the name (if only the name is provided, it guesses the full ARN using the caller's account + region). | 23:03:22 |
| commiterate | So tl;dr we need to negotiate with AWS to get us on the hardcoded list. | 23:06:33 |
| commiterate | I don't have any ins at SSM so I'd be asking a TAM just like you. | 23:08:58 |
| commiterate | * I don't have any contacts at SSM so I'd be asking a TAM just like you. | 23:09:23 |
| Arian | Yeh I'll bring it up. I'm just curious as it's a bit of a nicer experience then describe-image | 23:09:58 |
| Arian | (in my opinion) | 23:10:07 |
| commiterate | It's definitely nicer because it removes account IDs from the equation and DescribeImage can be quite slow. | 23:10:30 |
