Knowledge Base

What’s the correct way of making the shared account AMIs available to other regions?

Answer

We have the AMIs we need for the dev account in us-east-2, but we need them in sa-east-1 (same account). We’re using the ref arch.

Here are the steps to unlock a new region for the AMI:

1. Create a new `ami-encryption` KMS key in the shared account for the target region. This can be done through the `account-baseline` module in the shared account. In this case, you want to copy-paste [this entry](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/v0.73.1/examples/for-production/infrastructure-live/shared/_global/account-baseline/terragrunt.hcl#L64-L81) under a new key name with the `region` set to the target region. For the purpose of making these instructions clear, we will assume the KMS key was named `ami-encryption-sa-east-1`.
2. To deploy the key, open a PR with your changes and have it flow through the pipeline to be applied.
3. Once the KMS key is created, you want to modify the AMI build script to copy the AMI to the new region. This can be done by adding the region to the `COPY_REGIONS` array in the AMI build script (e.g., for the bastion host: https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/v0.73.1/examples/for-production/infrastructure-live/shared/us-west-2/_regional/amis/build_bastion_host.sh#L21).
4. Also make sure the KMS key name referenced for the region matches what you created in step (1), [here](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/v0.73.1/examples/for-production/infrastructure-live/shared/us-west-2/_regional/amis/build_bastion_host.sh#L62).
5. Once the script is updated, check it in and open a PR. The ECS Deploy Runner should automatically create the new AMI and replicate it to the target region.
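Steps 3 and 4 are easy to get out of sync: a region added to `COPY_REGIONS` without a matching `ami-encryption` key only fails once the pipeline tries the encrypted copy. The following added example (not the Gruntwork build script) keeps the region list and the per-region key names together and validates them before the PR is opened; the region list and the key names are assumptions that follow the naming used in the answer.

```shell
# Added example: consistency check between copy regions and KMS key names.
# Not the project's own build script; regions and key names are assumptions.
set -eu

# Regions the freshly built AMI is copied to (step 3). The new region is
# appended to this list.
COPY_REGIONS="us-east-2 sa-east-1"

# Map a region to the KMS key alias created through account-baseline (step 1).
# Returns 1 when no key has been configured for that region.
kms_key_name_for_region() {
  case "$1" in
    us-east-2) echo "ami-encryption-us-east-2" ;;
    sa-east-1) echo "ami-encryption-sa-east-1" ;;
    *) return 1 ;;
  esac
}

# An encrypted AMI can only be copied into a region that has a usable KMS key,
# so every entry in COPY_REGIONS must resolve to a key name. Returns 1 on any
# mismatch so the check can gate the PR.
validate_copy_regions() {
  rc=0
  for region in $COPY_REGIONS; do
    if ! kms_key_name_for_region "$region" >/dev/null; then
      echo "ERROR: no ami-encryption KMS key configured for $region" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Optional live check (needs shared-account credentials; not run by default):
# confirm each alias actually resolves in its region via the AWS CLI.
check_kms_aliases_exist() {
  for region in $COPY_REGIONS; do
    aws kms describe-key --region "$region" \
      --key-id "alias/$(kms_key_name_for_region "$region")" >/dev/null
  done
}
```

Run `validate_copy_regions` in CI (or as a pre-commit hook on the build script) so a region without a key is rejected before the ECS Deploy Runner ever picks up the change.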