Enable cross account sharing of private AMIs

For private AMIs like FIPS stemcells one has to explicitly configure
the accounts that can launch instances of such private AMIs.

.gitignore

@@ -1,2 +1,3 @@
-.idea
-config.json
+.idea/
+local/
+light-stemcell-builder

config/config.go

@@ -41,6 +41,7 @@ type AmiConfiguration struct {
 	KmsKeyAliasName    string            `json:"kms_key_alias_name"`
 	Visibility         string            `json:"visibility"`
 	Tags               map[string]string `json:"tags,omitempty"`
+	SharedWithAccounts []string          `json:"shared_with_accounts"`
 }
 
 type AmiRegion struct {

driver/create_ami_driver.go

@@ -137,6 +137,24 @@ func (d *SDKCreateAmiDriver) Create(driverConfig resources.AmiDriverConfig) (res
 		d.logger.Printf("Error tagging Snapshot: %s, Error: %s ", driverConfig.SnapshotID, err.Error())
 	}
 
+	for i := range driverConfig.SharedWithAccounts {
+		account := driverConfig.SharedWithAccounts[i]
+
+		_, err := d.ec2Client.ModifyImageAttribute(&ec2.ModifyImageAttributeInput{
+			ImageId: amiIDptr,
+			LaunchPermission: &ec2.LaunchPermissionModifications{
+				Add: []*ec2.LaunchPermission{
+					{
+						UserId: &account,
+					},
+				},
+			},
+		})
+		if err != nil {
+			return resources.Ami{}, fmt.Errorf("failed to share AMI '%s' with account '%s': %w", *amiIDptr, account, err)
+		}
+	}
+
 	d.logger.Printf("waiting for AMI: %s to be available\n", *amiIDptr)
 	err = d.ec2Client.WaitUntilImageAvailable(&ec2.DescribeImagesInput{
 		ImageIds: []*string{amiIDptr},

driver/create_ami_driver_test.go

@@ -94,4 +94,34 @@ var _ = Describe("CreateAmiDriver", func() {
 		_, err = ec2Client.DeregisterImage(&ec2.DeregisterImageInput{ImageId: &ami.ID}) // Ignore DeregisterImageOutput
 		Expect(err).ToNot(HaveOccurred())
 	})
+
+	It("shares the AMI with other accounts", func() {
+		amiDriverConfig := resources.AmiDriverConfig{
+			SnapshotID: ebsSnapshotID,
+			AmiProperties: resources.AmiProperties{
+				Name:               fmt.Sprintf("BOSH-%s", strings.ToUpper(uuid.NewV4().String())),
+				VirtualizationType: resources.HvmAmiVirtualization,
+				Accessibility:      resources.PublicAmiAccessibility,
+				SharedWithAccounts: []string{awsAccount},
+			},
+		}
+
+		ds := driverset.NewStandardRegionDriverSet(GinkgoWriter, creds)
+
+		amiDriver := ds.CreateAmiDriver()
+		ami, err := amiDriver.Create(amiDriverConfig)
+		Expect(err).ToNot(HaveOccurred())
+
+		awsSession, err := session.NewSession(creds.GetAwsConfig())
+		Expect(err).ToNot(HaveOccurred())
+		ec2Client := ec2.New(awsSession)
+
+		attribute := "launchPermission"
+		output, err := ec2Client.DescribeImageAttribute(&ec2.DescribeImageAttributeInput{
+			ImageId:   &ami.ID,
+			Attribute: &attribute,
+		})
+		Expect(err).ToNot(HaveOccurred())
+		Expect(*output.LaunchPermissions[0].UserId).To(Equal(awsAccount))
+	})
 })

driver/driver_suite_test.go

@@ -22,6 +22,8 @@ var s3MachineImageUrl, s3MachineImageFormat string
 
 var kmsKeyId string
 
+var awsAccount string
+
 var amiFixtureID string
 
 func TestDrivers(t *testing.T) {
@@ -71,6 +73,9 @@ var _ = SynchronizedBeforeSuite(
 		// KMS Key info
 		kmsKeyId = os.Getenv("AWS_KMS_KEY_ID")
 		Expect(kmsKeyId).ToNot(BeEmpty(), "AWS_KMS_KEY_ID must be set")
+
+		awsAccount = os.Getenv("AWS_ACCOUNT")
+		Expect(awsAccount).ToNot(BeEmpty(), "AWS_ACCOUNT must be set")
 	},
 )
 

publisher/standard_region.go

@@ -36,6 +36,7 @@ func NewStandardRegionPublisher(logDest io.Writer, c Config) *StandardRegionPubl
 			KmsKeyId:           c.KmsKeyId,
 			KmsKeyAliasName:    c.KmsKeyAliasName,
 			Tags:               c.Tags,
+			SharedWithAccounts: c.SharedWithAccounts,
 		},
 		logger: log.New(logDest, "StandardRegionPublisher ", log.LstdFlags),
 	}

resources/ami.go

@@ -36,6 +36,7 @@ type AmiProperties struct {
 	KmsKeyAliasName    string
 	KmsKeyAlias        string
 	Tags               map[string]string
+	SharedWithAccounts []string
 }
 
 // AmiDriverConfig allows an AmiDriver to create an AMI from either a snapshot ID or an existing AMI (copy)