Native EBS Snapshot Asset Handling

[commiterate]

Description

Upload raw disk images as EBS snapshots using the EBS direct APIs.

Note that this requires the AWS::EC2::Image CloudFormation resource proposed in aws-cloudformation/cloudformation-coverage-roadmap#2175 to let users create an AMI from this EBS snapshot.

Background

The EBS direct APIs let users create EBS snapshots by uploading a block device directly to EBS.

This is significantly faster compared to ec2:ImportSnapshot which requires users to upload a disk image to S3 first.

Use cases include:

• Creating NixOS AMIs from NixOS raw disk images produced by the NixOS systemd-repart helper.
  • Useful for the AWS official NitroTPM examples for attestable NixOS AMIs (cc: @agraf @iorlov-dev @mariusknaust).
• Creating Linux AMIs from raw disk images produced by mkosi.
• Creating macOS AMIs from raw disk images produced by diskutil + hdiutil.
• Creating Windows AMIs from raw disk images produced by QEMU and converted with qemu-img.

Proposal

Introduce a new aws_ebs_assets module with an aws_ebs_assets.SnapshotAsset class. Example usage should look like this (assuming the proposed AWS::EC2::Image CloudFormation resource exists):

import { SnapshotAsset } from 'aws-cdk-lib/aws-ebs-assets';
import { CfnImage } from 'aws-cdk-lib/aws-ec2';

// Create an EBS snapshot.
const asset = new SnapshotAsset(this, 'MySnapshot', {
  path: 'path/to/local/raw/disk/image',
});

// Create an AMI.
const ami = new CfnImage(this, 'MyImage', {
  source: {
    register: {
      architecture: 'arm64',
      bootMode: 'uefi',
      blockDeviceMappings: [
        {
          ebs: {
            snapshotId: asset.snapshotId,
          },
        },
      ],
    },
  },
});

Note that we can't control the snapshot name so if we want to store the asset hash for deduplication like with S3 assets, it must be in the snapshot descripton or tags.

Roles

Role	User
Proposed by	@commiterate
Author(s)	Pending
API Bar Raiser	Pending
Stakeholders	Pending

See RFC Process for details

Workflow

• Tracking issue created (label: status/proposed)
• API bar raiser assigned (ping us at #aws-cdk-rfcs if needed)
• Kick off meeting
• RFC pull request submitted (label: status/review)
• Community reach out (via Slack and/or Twitter)
• API signed-off (label status/api-approved applied to pull request)
• Final comments period (label: status/final-comments-period)
• Approved and merged (label: status/approved)
• Execution plan submitted (label: status/planning)
• Plan approved and merged (label: status/implementing)
• Implementation complete (label: status/done)

---

Author is responsible to progress the RFC according to this checklist, and
apply the relevant labels to this issue so that the RFC table in README gets
updated.