| 6 Nov 2024 |
 Arian | Hello! Welcome | 17:56:15 |
| Arian | @commiterate:matrix.org do you happen to know if its possible for us to register the nixos AMIs in the public ssm parameter store like Ubuntu does? | 17:57:08 |
| Arian | Like. It lives in the /Amazon namespace. Idk how they got access to that. | 17:57:22 |
 commiterate | I don't think creation of public SSM parameters is allowed. It's basically an AWS-internal thing.
SSM parameters can only be shared across accounts with AWS RAM. RAM only supports accounts, organizational units, or organizations (so no public option). They don't support resource-level IAM policies so we can't add one with a Principal: "*".
| 22:50:06 |
| commiterate | Wait nevermind, they do support resource-level policies.
https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutResourcePolicy.html | 22:52:11 |
| Arian | So it's just for a set of blessed images? | 22:53:04 |
| commiterate | Advanced parameters (since standard ones don't support resource-level policies) has a cost though: https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-advanced-parameters.html | 22:53:11 |
| commiterate | Yeah it looks like they hardcode what parameters are public. | 22:53:25 |
| commiterate | Even with the resource-level IAM policy, it seems people must refer to the parameter by its full ARN instead of just the name (if only the name is provided, it guesses the full ARN using the caller's account + region). | 23:03:22 |
| commiterate | So tl;dr we need to negotiate with AWS to get us on the hardcoded list. | 23:06:33 |
| commiterate | I don't have any ins at SSM so I'd be asking a TAM just like you. | 23:08:58 |
| commiterate | * I don't have any contacts at SSM so I'd be asking a TAM just like you. | 23:09:23 |
| Arian | Yeh I'll bring it up. I'm just curious as it's a bit of a nicer experience then describe-image | 23:09:58 |
| Arian | (in my opinion) | 23:10:07 |
| commiterate | It's definitely nicer because it removes account IDs from the equation and DescribeImage can be quite slow. | 23:10:30 |
| commiterate | I just don't know how open they are to it. Amazon seems to have very flew blessed OSes/distros (Amazon Linux, RHEL, Ubuntu, Windows Server, macOS) and they probably only want SSM public parameters for images they publish/control.
https://docs.aws.amazon.com/managedservices/latest/appguide/ams-amis.html
Everyone else I imagine they just redirect to the AWS marketplace. | 23:13:18 |
| commiterate | * I just don't know how open they are to it. Amazon seems to have very flew blessed OSes/distros (Amazon Linux, RHEL, Ubuntu, Windows Server, macOS) and they probably only want SSM public parameters for images they publish/control.
Everyone else I imagine they just redirect to the AWS marketplace.
| 23:14:30 |
| commiterate | Wait really? | 23:16:35 |
| commiterate | Well that's fun. I'll need to bring that up as part of chasing down the team that actually owns ImportImage and ImportSnapshot and ask they to add Cfn support because Image Bulider isn't the team and doesn't seem keen on taking ownership of those APIs. | 23:17:54 |
| Arian | Yeh if your image doesn't contain an /etc/fstab it crashes | 23:33:23 |
| Arian | Then I haedcoded an /etc/fstab and it crashed again | 23:34:05 |
| Arian | They do some analysis of the image by mounting it | 23:34:14 |
| Arian | Also import image takes *waaaay* longer than import-snapshot | 23:34:25 |
| Arian | Like 25-30 minutes | 23:34:30 |
| 7 Nov 2024 |
| commiterate | Feature request on the public Cfn roadmap: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/2175
Will be chasing AWS internally for this one as well. | 00:16:05 |
| commiterate | * Feature request on the public Cfn roadmap: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/2175 | 00:29:24 |
 colemickens | Please do let me know if there's any help I can lend to this PR, besides testing/reviewing: https://github.com/NixOS/nixpkgs/pull/343939 | 15:46:40 |
| Arian | Just seems to need a rebase and a re-review | 15:49:10 |
| Arian | We did go into breaking changes freeze for 24.11 though. So idk if I can still merge it :/ | 15:49:31 |
|  quyse joined the room. | 19:52:46 |
