How to use a VPC with Packer to generate an AMI in an AWS CodeBuild project?


I'm trying to create an AMI with Packer in an AWS CodeBuild project.

This AMI will be used in a launch template,
and the launch template will be used by an ASG.
When the ASG launches an instance from this launch template, it should work with an existing target group for an ALB.

For clarification, my expectation is:

  1. generate an AMI in a CodeBuild project with Packer
  2. create a launch template with the #1 AMI
  3. use the #2 launch template in an ASG
  4. the ASG launches a new instance
  5. the existing target group health-checks the #4 instance

In step 5, my existing target group failed to health-check the new instance because it was in a different VPC.
(The existing target group uses a custom VPC, and the #4 instance was in the default VPC.)

So I went back to #1 to set the same VPC during AMI generation.
But the CodeBuild project failed when it ran the Packer template.

It returned the following:

==> amazon-ebs: Prevalidating AMI Name...
    amazon-ebs: Found Image ID: ami-12345678
==> amazon-ebs: Creating temporary keypair: packer_6242d99f-6cdb-72db-3299-12345678
==> amazon-ebs: Launching a source AWS instance...
==> amazon-ebs: Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation. 

Before this update, there were no VPC- or subnet-related settings in the Packer template, and it worked.
I added some VPC-related permissions for this CodeBuild project, but no luck yet.

Below is my builders configuration in packer-template.json:

    "builders": [
        {
            "type": "amazon-ebs",
            "region": "{{user `aws_region`}}",
            "instance_type": "t2.micro",
            "ssh_username": "ubuntu",
            "associate_public_ip_address": true,
            "subnet_id": "subnet-12345678",
            "vpc_id": "vpc-12345678",
            "iam_instance_profile": "blah-profile-12345678",
            "security_group_id": "sg-12345678",
            "ami_name": "{{user `new_ami_name`}}",
            "ami_description": "AMI from Packer {{isotime \"20060102-030405\"}}",
            "source_ami_filter": {
                "filters": {
                    "virtualization-type": "hvm",
                    "name": "{{user `source_ami_name`}}",
                    "root-device-type": "ebs"
                },
                "owners": ["************"],
                "most_recent": true
            },
            "tags": {
                "Name": "{{user `new_ami_name`}}"
            }
        }
    ],

Added in this step (did not exist before):

  • subnet_id
  • vpc_id
  • iam_instance_profile
  • security_group_id


  • Q1. Is this the correct configuration to use a VPC here?
    • Q1-1. If yes, which permissions are required to allow this task?
    • Q1-2. If not, could you let me know the correct format for this?
  • Q2. Or... is this the correct way to get instances that are able to communicate with my existing target groups?

Thanks in advance. Any comments will be helpful to me.

1 answer

I got some help from a local community.
And now I see I wrote too broad a question without enough information. There were several issues.

  1. I should have used CloudTrail instead of CloudWatch to find out which role and actions were causing problems. My CodeBuild project did not have the ec2:RunInstances permission.
    1. After I saw this in CloudTrail, I updated the role policy for the CodeBuild project and it passed. But there was another issue.
  2. After Packer launched the instance, it failed to connect over SSH. I found some answers on Stack Overflow by searching for Packer's SSH timeout issue, and updated the security group to allow SSH for Packer.

I will remove this question if required.
Thanks to my local community and the previous answerers and questioners on Stack Overflow.
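The two points in the answer above (read CloudTrail to see which principal was denied which action, then grant only that) and Q1-1 in the question (which permissions Packer needs) can be worked through with the following script. It is an added example, not code from the original post or from Packer: it takes CloudTrail event records (the ones shown are constructed, in the shape that `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RunInstances` or the trail's S3 objects return), collects the denied `service:Action` pairs per principal, and drafts the IAM statements to add to the CodeBuild service role. The action list is the minimal policy documented for Packer's amazon-ebs builder, plus `iam:GetInstanceProfile`/`iam:PassRole`, which are only needed because the template sets `iam_instance_profile`. The role ARNs are assumptions.

```python
"""Triage a Packer 'UnauthorizedOperation' failure from CloudTrail records.

Added example, not from the original post. The CodeBuild role ARN and the
CloudTrail records below are constructed; the action list is the minimal
policy documented for Packer's amazon-ebs builder.
"""
import json
from collections import defaultdict

# Actions the amazon-ebs builder is documented to need. Resource is "*"
# because most ec2 Describe*/Create* calls cannot be resource-scoped anyway.
PACKER_AMAZON_EBS_ACTIONS = {
    "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CopyImage",
    "ec2:CreateImage", "ec2:CreateKeyPair", "ec2:CreateSecurityGroup",
    "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume",
    "ec2:DeleteKeyPair", "ec2:DeleteSecurityGroup", "ec2:DeleteSnapshot",
    "ec2:DeleteVolume", "ec2:DeregisterImage", "ec2:DescribeImageAttribute",
    "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
    "ec2:DescribeRegions", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots",
    "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes",
    "ec2:DetachVolume", "ec2:GetPasswordData", "ec2:ModifyImageAttribute",
    "ec2:ModifyInstanceAttribute", "ec2:ModifySnapshotAttribute",
    "ec2:RegisterImage", "ec2:RunInstances", "ec2:StopInstances",
    "ec2:TerminateInstances",
}
# Needed only because the template sets iam_instance_profile.
INSTANCE_PROFILE_ACTIONS = {"iam:GetInstanceProfile", "iam:PassRole"}

# EC2 reports denials as Client.UnauthorizedOperation, IAM/STS as AccessDenied.
DENIAL_CODES = ("UnauthorizedOperation", "AccessDenied")


def denied_actions(records):
    """Group denied API calls by calling principal: {arn: {"svc:Action", ...}}."""
    denied = defaultdict(set)
    for rec in records:
        code = rec.get("errorCode", "")
        if not any(marker in code for marker in DENIAL_CODES):
            continue  # the call succeeded; nothing to grant
        service = rec["eventSource"].split(".", 1)[0]  # ec2.amazonaws.com -> ec2
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        denied[principal].add(f"{service}:{rec['eventName']}")
    return dict(denied)


def draft_statements(actions, instance_profile_role_arn=None):
    """Turn denied actions into (policy statements, actions to investigate).

    Only actions Packer is documented to need are granted, so a stray denial
    does not silently become a permission; iam:PassRole is scoped to the
    instance-profile role instead of "*".
    """
    allowed = set(PACKER_AMAZON_EBS_ACTIONS)
    if instance_profile_role_arn:
        allowed |= INSTANCE_PROFILE_ACTIONS
    grant = sorted(a for a in actions if a in allowed)
    investigate = sorted(a for a in actions if a not in allowed)

    statements = []
    unscoped = [a for a in grant if a != "iam:PassRole"]
    if unscoped:
        statements.append({"Effect": "Allow", "Action": unscoped, "Resource": "*"})
    if "iam:PassRole" in grant:
        statements.append({"Effect": "Allow", "Action": "iam:PassRole",
                           "Resource": instance_profile_role_arn})
    return statements, investigate


def triage(records, role_arn, instance_profile_role_arn=None):
    """Draft the missing statements for one principal (the CodeBuild service role)."""
    actions = denied_actions(records).get(role_arn, set())
    return draft_statements(actions, instance_profile_role_arn)


# Constructed records in CloudTrail's event-record shape.
CODEBUILD_ROLE = ("arn:aws:sts::123456789012:assumed-role/"
                  "codebuild-packer-role/AWSCodeBuild-example")  # constructed
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateKeyPair",
     "userIdentity": {"arn": CODEBUILD_ROLE}},  # succeeded: no errorCode
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation.",
     "userIdentity": {"arn": CODEBUILD_ROLE}},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetInstanceProfile",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": CODEBUILD_ROLE}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateVpc",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": CODEBUILD_ROLE}},  # denied, but not a Packer need
]

if __name__ == "__main__":
    stmts, todo = triage(SAMPLE_RECORDS, CODEBUILD_ROLE,
                         "arn:aws:iam::123456789012:role/blah-profile-role")  # constructed
    print(json.dumps({"Version": "2012-10-17", "Statement": stmts}, indent=2))
    print("denied but not a documented Packer need, investigate:", todo)
```

On the answer's second point: Packer only creates its temporary security group (with port 22 open from 0.0.0.0/0 unless `temporary_security_group_source_cidrs` narrows it) when `security_group_id` is not set. Once the template pins sg-12345678, that group must itself allow inbound SSH from wherever the CodeBuild container's traffic leaves, and the least-privilege choice is the CodeBuild project's own VPC configuration or NAT address rather than 0.0.0.0/0.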