ci(aws): mirror AMIs to satellite regions and publish IDs on download page#50
Merged
Conversation
AMIs are region-scoped: the AMI registered by register-ami in ap-southeast-2 is only directly launchable from ap-southeast-2. Consumers in other regions would otherwise have to copy-image themselves before they could launch. Add a copy-amis matrix job that fans out one (arch × suite × region) job per target — ap-southeast-6, eu-central-5, ap-south-1, and us-east-1 — and a copy-ami-to-region.sh script that does the copy, waits for the new AMI to reach 'available', tags the backing snapshot, and makes both the copy and its snapshot public. Idempotent: skips if the named AMI already exists in the target region.
The release-aggregate job already builds the manifest.json + index.html that consumers see at tools.ops.tamanu.io/linux-images/<version>/. Make register-ami and copy-amis each emit a small JSON fragment with the AMI ID, region, arch, suite, and Ubuntu version of the AMI they produced (or already-found, on idempotent re-runs). release-aggregate downloads them all, includes them in manifest.json under a new `amis` field, and renders a 'Launch on AWS' table on the download page with a one-click console URL per (region × arch × suite). The job's needs now include register-ami and copy-amis to make sure the fragments are present, but copy-amis can partially fail without blocking the release — release-aggregate uses always() + explicit result checks to require only the strictly necessary jobs (image builds + register-ami). Fragments from failed satellite regions simply don't appear in the table.
passcod
changed the title
eu-central-5 doesn't exist; the satellite region is Zurich (eu-central-2).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two changes that together cover region-mirroring and consumer
discoverability of the published AMIs:
1. Mirror published AMIs to satellite regions
AMIs are region-scoped: the AMI #49 registers in
ap-southeast-2isonly directly launchable from
ap-southeast-2. Consumers in otherregions would otherwise have to
aws ec2 copy-imageit themselves.Adds a
copy-amismatrix job that fans out per (arch × suite ×target-region) and a
scripts/copy-ami-to-region.shscript. For eachtarget it copies the source AMI, polls until it's
available, tagsthe backing snapshot, publishes the copy via launch / create-volume
permissions, and verifies
Public=True. Idempotent: skips if thenamed AMI already exists in the target region.
Target regions:
ap-southeast-6,eu-central-5,ap-south-1,us-east-1.ap-southeast-2is the source.2. Publish AMI IDs in the release manifest and download page
register-amiandcopy-amiseach now emit a small JSON fragmentwith the AMI ID, region, arch, suite, and Ubuntu version they
produced.
release-aggregatedownloads them all, adds them tomanifest.jsonunder a newamisfield, and renders a "Launch onAWS" table on the download page with a one-click AWS console URL per
(region × arch × suite).
release-aggregatenow needs bothregister-amiandcopy-amis,but uses
always()+ explicit result checks so a partialcopy-amisfailure (e.g. an opt-in region that isn't enabled yet)doesn't block the release. Fragments from failed satellite regions
simply don't appear in the table.