mantle/aws: add configuration for default VolumeType, IMDSv2 support, and boot mode

mantle/cmd/ore/aws/upload.go

@@ -64,6 +64,9 @@ After a successful run, the final line of output will be a line of JSON describi
 	uploadGrantUsers         []string
 	uploadGrantUsersSnapshot []string
 	uploadTags               []string
+	uploadIMDSv2Only         bool
+	uploadVolumeType         string
+	uploadX86BootMode        string
 )
 
 func init() {
@@ -85,6 +88,9 @@ func init() {
 	cmdUpload.Flags().StringSliceVar(&uploadGrantUsers, "grant-user", []string{}, "grant launch permission to this AWS user ID")
 	cmdUpload.Flags().StringSliceVar(&uploadGrantUsersSnapshot, "grant-user-snapshot", []string{}, "grant snapshot volume permission to this AWS user ID")
 	cmdUpload.Flags().StringSliceVar(&uploadTags, "tags", []string{}, "list of key=value tags to attach to the AMI")
+	cmdUpload.Flags().BoolVar(&uploadIMDSv2Only, "imdsv2-only", false, "enable IMDSv2-only support")
+	cmdUpload.Flags().StringVar(&uploadVolumeType, "volume-type", "gp3", "EBS volume type (gp3, gp2, io1, st1, sc1, standard, etc.)")
+	cmdUpload.Flags().StringVar(&uploadX86BootMode, "x86-boot-mode", "uefi-preferred", "Set boot mode (uefi-preferred, uefi)")
 }
 
 func defaultBucketNameForRegion(region string) string {
@@ -243,7 +249,7 @@ func runUpload(cmd *cobra.Command, args []string) error {
 	}
 
 	// create AMIs and grant permissions
-	amiID, err := API.CreateHVMImage(sourceSnapshot, uploadDiskSizeGiB, uploadAMIName, uploadAMIDescription, uploadImageArchitecture)
+	amiID, err := API.CreateHVMImage(sourceSnapshot, uploadDiskSizeGiB, uploadAMIName, uploadAMIDescription, uploadImageArchitecture, uploadVolumeType, uploadIMDSv2Only, uploadX86BootMode)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "unable to create HVM image: %v\n", err)
 		os.Exit(1)

mantle/platform/api/aws/images.go

@@ -329,21 +329,28 @@ func (a *API) CreateImportRole(bucket string) error {
 	return nil
 }
 
-func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, description string, architecture string) (string, error) {
+func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, description string, architecture string, volumetype string, imdsv2Only bool, X86BootMode string) (string, error) {
 	var awsArch string
+	var bootmode string
 	if architecture == "" {
 		architecture = runtime.GOARCH
 	}
 	switch architecture {
 	case "amd64", "x86_64":
 		awsArch = ec2.ArchitectureTypeX8664
+		bootmode = X86BootMode
 	case "arm64", "aarch64":
 		awsArch = ec2.ArchitectureTypeArm64
+		bootmode = "uefi"
 	default:
 		return "", fmt.Errorf("unsupported ec2 architecture %q", architecture)
 	}
 
-	return a.createImage(&ec2.RegisterImageInput{
+	// default to gp3
+	if volumetype == "" {
+		volumetype = "gp3"
+	}
+	params := &ec2.RegisterImageInput{
 		Name:               aws.String(name),
 		Description:        aws.String(description),
 		Architecture:       aws.String(awsArch),
@@ -356,7 +363,7 @@ func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, d
 					SnapshotId:          aws.String(snapshotID),
 					DeleteOnTermination: aws.Bool(true),
 					VolumeSize:          aws.Int64(int64(diskSizeGiB)),
-					VolumeType:          aws.String("gp2"),
+					VolumeType:          aws.String(volumetype),
 				},
 			},
 			{
@@ -366,7 +373,13 @@ func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, d
 		},
 		EnaSupport:      aws.Bool(true),
 		SriovNetSupport: aws.String("simple"),
-	})
+		BootMode:        aws.String(bootmode),
+	}
+	if imdsv2Only {
+		params.ImdsSupport = aws.String("v2.0")
+	}
+
+	return a.createImage(params)
 }
 
 func (a *API) deregisterImageIfExists(name string) error {

src/cosalib/aws.py

@@ -5,9 +5,10 @@
 import sys
 
 from cosalib.cmdlib import (
-    retry_stop,
+    flatten_image_yaml,
     retry_boto_exception,
-    retry_callback
+    retry_callback,
+    retry_stop
 )
 from tenacity import (
     retry,
@@ -126,6 +127,17 @@ def aws_run_ore(build, args):
     region = "us-east-1"
     if args.region is not None and len(args.region) > 0:
         region = args.region[0]
+    # Capture any input from image.yaml
+    image_yaml = flatten_image_yaml(
+        '/usr/lib/coreos-assembler/image-default.yaml',
+        flatten_image_yaml('src/config/image.yaml')
+    )
+    if 'aws-imdsv2-only' in image_yaml and image_yaml['aws-imdsv2-only']:
+        ore_args.extend(['--imdsv2-only'])
+    if 'aws-volume-type' in image_yaml:
+        ore_args.extend(['--volume-type', image_yaml['aws-volume-type']])
+    if 'aws-x86-boot-mode' in image_yaml:
+        ore_args.extend(['--x86-boot-mode', image_yaml['aws-x86-boot-mode']])
 
     ore_args.extend([
         '--region', f"{region}",

src/image-default.yaml

@@ -27,3 +27,8 @@ squashfs-compression: zstd
 vmware-hw-version: 13
 vmware-os-type: rhel7_64Guest
 vmware-secure-boot: true
+
+# Defaults for AWS
+aws-imdsv2-only: true
+aws-volume-type: "gp3"
+aws-x86-boot-mode: "uefi-preferred"