Skip to main content

Gist: Build, Scan, Approve & Share AWS AMIs with Atmos + Packer

· 2 min read
Andriy Knysh
Andriy Knysh
Principal Architect @ Cloud Posse

A common question from the community is: how do I use Atmos with Packer to build AMIs, and automate the whole build → approve → share process? We've published a new gist that shows exactly that — a reference recipe combining several Atmos features into one production-shaped workflow.

What This Gist Does

The gist builds a hardened Amazon Linux 2023 AMI with Packer orchestrated by Atmos, validates it on a live test instance, optionally scans it, gates promotion behind a manual approval, tags the approved image ScanStatus=approved, and shares it across AWS accounts — all driven from a GitHub Actions pipeline and a set of atmos ami custom commands.

Like all gists, it's shared as-is to demonstrate the pattern. It's not part of the CI-tested examples, so adapt it to your environment and your current version of Atmos before relying on it.

Features Used

It combines, in one recipe:

  • Packer components in Atmosatmos packer init/build/output.
  • Stacks for Packer — every build input is a stack var, not hardcoded HCL.
  • Go templating — the source AMI name resolves from an environment variable at build time.
  • Nested custom commands — an atmos ami <subcommand> tree (get-ami-id, tag, share, launch/terminate test instances).
  • CI/CD with a governance gate — OIDC auth, ephemeral runners, and a manual approval Environment.
  • Tag-based launch governance — a reference IAM/SCP policy restricting launches to approved AMIs.

The optional, proprietary steps (private package repos, commercial scanners) are isolated and off by default, so the recipe works with just a standard AWS account.

Try It Out

# Copy the gist into a new repo of your own
cp -r gists/aws-ami-packer-github-actions/ my-ami-pipeline/
cd my-ami-pipeline/

# Build locally (after editing stacks/al2023.yaml for your environment)
atmos packer init  al2023 -s al2023
atmos packer build al2023 -s al2023

# Operate the result with custom commands
atmos ami get-ami-id      al2023 -s al2023
atmos ami launch-instance al2023 -s al2023 --type t3.small
atmos ami share           al2023 -s al2023 --accounts 123456789012,123456789013

Get Involved

Open the gist