#!/usr/bin/env packer build --force
#
# Author: Hari Sekhon
# Date: 2025-01-11 01:02:08 +0700 (Sat, 11 Jan 2025)
#
# vim:ts=2:sts=2:sw=2:et:filetype=conf
#
# https://github.com/HariSekhon/Templates
#
# License: see accompanying Hari Sekhon LICENSE file
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
# https://www.linkedin.com/in/HariSekhon
#
# ============================================================================ #
# P a c k e r - A W S E K S A M I
# ============================================================================ #
packer {
  # Constrain the Packer CLI to the 1.x series: a future major release could change
  # builder or template semantics underneath this file.
  required_version = ">= 1.7.0, < 2.0.0"

  required_plugins {
    # Provides the amazon-ami data source and the amazon-ebs builder used below.
    # The version constraint and the pinned source together avoid pulling an
    # unexpected plugin on a fresh `packer init`.
    amazon = {
      version = "~> 1.2"
      source  = "github.com/hashicorp/amazon"
    }
  }
}
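locals {
  # Directory holding the provisioning scripts referenced by the build block, resolved
  # relative to this template rather than the caller's working directory.
  scripts = "${path.root}/scripts"

  # Strip spaces and colons from the timestamp - colons are not valid in AMI names:
  #
  # * AMIName should only contain alphanumeric characters, parentheses (()), square brackets ([]), spaces ( ), periods (.), slashes (/), dashes (-), single quotes ('), at-signs (@), or underscores(_). You can use the `clean_resource_name` template filter to automatically clean your ami name.
  #timestamp = regex_replace(timestamp(), "[- TZ:]", "")
  timestamp = regex_replace(timestamp(), "[ :]", "")

  # Name and description of the AMI that the amazon-ebs source publishes
  #ami_target_name = "amazon-eks-node-${var.eks_version}-custom-{{timestamp}}" # epoch
  ami_target_name = "amazon-eks-node-${var.eks_version}-al2-custom-${local.timestamp}"
  ami_description = "EKS ${var.eks_version} Custom AMI (AmazonLinux2)"

  # locals can access data sources but data sources cannot access locals, to prevent circular dependencies
  #source_ami_id   = data.amazon-ami.ubuntu.id
  #ami_source_name = data.amazon-ami.ubuntu.name
  #
  # NOTE: a secret pulled into a local becomes part of the evaluated template - keep such
  # values out of the echo / env output produced by the provisioners in the build block
  #value         = data.amazon-secretsmanager.NAME.value
  #secret_string = data.amazon-secretsmanager.NAME.secret_string
  #version_id    = data.amazon-secretsmanager.NAME.version_id
  #secret_value  = jsondecode(data.amazon-secretsmanager.NAME.secret_string)["packer_test_key"]

  # Tags applied to the build instance and resulting AMI (source block: tags = local.tags)
  tags = {
    Name        = "Packer Build EKS"
    App         = "MyApp" # XXX: Edit and add relevant tags
    Environment = "Production"
    # bare function call instead of the interpolation-only "${timestamp()}" wrapper:
    # same value, idiomatic HCL2
    BuildDate = timestamp()
  }

  # Only referenced by the commented-out CrowdStrike provisioners below
  crowdstrike_version = "7.17.0-17005"

  # requires AWS profile / access key to be found, else errors out
  #
  # set second arg to the key if secret had multiple keys, else set to null
  #crowdstrike_secret = aws_secretsmanager("crowdstrike", "CID") # always pulls latest version AWSCURRENT, previous versions not supported

  #my_version = "${consul_key("myservice/version")}"

  # requires VAULT_TOKEN and VAULT_ADDR environment variables to be set
  #
  #foo2 = vault("/secret/data/hello", "foo")
}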
variable "eks_version" {
  type        = string
  default     = "1.28"
  description = "Version of AWS EKS Kubernetes (important for Kubelet => Master compatibility)"

  # This value is spliced into the AMI name filter of data.amazon-ami.result, so a
  # malformed value is rejected here instead of silently matching no source AMI.
  validation {
    # regex(...) errors when nothing matches; can() turns that error into false
    condition     = can(regex("^\\d+\\.\\d+$", var.eks_version))
    error_message = "EKS version not in expected '<int>.<int>' major.minor version format."
  }
}
variable "aws_region" {
  type = string
  # Honour AWS_DEFAULT_REGION from the build environment when set, else fall back to eu-west-1
  default = env("AWS_DEFAULT_REGION") != "" ? env("AWS_DEFAULT_REGION") : "eu-west-1"
}
#variable "aws_packer_role" {
# type = string
# default = ""
#}
variable "instance_type" {
  type = string
  # Size of the temporary build instance only; it has no bearing on the nodes that later run the AMI
  default = "t3.micro"
}
variable "ami_source_arch" {
  type = string
  # Architecture filter for the source AMI lookup; matches the x86_64 in this file's name
  default = "x86_64"
}
variable "ami_virtualization_type" {
  type = string
  # Used both to filter the source AMI and to declare the virtualization type of the published AMI
  default = "hvm"
}
variable "ami_root_device_type" {
  type = string
  # Root device filter for the source AMI lookup
  default = "ebs"
}
variable "iam_instance_profile" {
  type = string
  # Instance profile attached to the build VM - the provisioning scripts run with whatever
  # this profile allows, so keep its policy to what the build actually needs
  default = "Packer"
}
variable "encrypt_boot" {
  type = bool
  # false (the default) leaves the build instance's root volume and the published AMI
  # unencrypted - set to true for production images
  default = false # must set kms_key_id if true
}
variable "kms_key_id" {
  type = string
  # KMS key used for the root volume and AMI when encrypt_boot is true; empty means unset
  default = ""
}
variable "vpc_id" {
  type = string
  # VPC for the build instance; empty leaves the choice to the builder's defaults
  default = ""
}
variable "subnet_id" {
  type = string
  # Subnet for the build instance; empty leaves the choice to the builder's defaults
  default = ""
}
variable "ssh_username" {
  type = string
  # Login user Packer connects as; the root-level provisioner below relies on it having sudo
  default = "ec2-user"
}
variable "root_volume_size" {
  type = string
  # Root volume size of the build instance (and therefore the AMI snapshot)
  default = "100" # GB
}
variable "volume_type" {
  type = string
  # EBS volume type of the build instance's root volume
  default = "gp2"
}
#variable "availability_zone_names" {
# type = list(string)
# default = [
# "eu-west-2a",
# "eu-west-2b",
# "eu-west-2c"
# ]
#}
# Resolves the official EKS-optimized Amazon Linux 2 AMI for the requested EKS version.
data "amazon-ami" "result" {
  #assume_role = {
  #  external_id  = "EXTERNAL_ID"
  #  role_arn     = var.packer_role
  #  session_name = "Packer"
  #}

  # can't compose variables except in locals and can't reference locals in data{}
  filters = {
    name                = "amazon-eks-node-${var.eks_version}-*"
    architecture        = var.ami_source_arch
    root-device-type    = var.ami_root_device_type
    virtualization-type = var.ami_virtualization_type
    state               = "available"
  }

  # The owner pin is what prevents a public AMI with a look-alike name from satisfying
  # the wildcard filter above - do not widen this list to accounts you do not control.
  #owners = ["${var.ami_source_owner}", "${var.ami_source_owner_govcloud}"]
  owners = ["602401143452"] # Amazon EKS AMI account ID - can't reference locals in data{}

  # Newest match wins, so the base image can differ between builds; filter on an exact
  # name instead if reproducible builds are required.
  most_recent = true
  region      = var.aws_region
}
# https://developer.hashicorp.com/packer/integrations/hashicorp/amazon
# https://developer.hashicorp.com/packer/integrations/hashicorp/amazon/latest/components/data-source/ami
# https://developer.hashicorp.com/packer/integrations/hashicorp/amazon/latest/components/builder/ebs
# Builds the custom EKS AMI from the data source above: launch an instance, run the
# provisioners in the build block, snapshot it into a new AMI.
source "amazon-ebs" "eks_ami" {
  #assume_role = {
  #  external_id  = "EXTERNAL_ID"
  #  role_arn     = var.aws_packer_role
  #  session_name = "Packer"
  #}

  # ---- where the build instance runs ----
  region        = var.aws_region
  instance_type = var.instance_type
  vpc_id        = var.vpc_id
  #subnet_id = "<your-subnet-id>" # Optional: Specify a subnet if required
  subnet_id = var.subnet_id
  # role the build instance assumes; the provisioning scripts inherit its permissions
  iam_instance_profile = var.iam_instance_profile

  # ---- base image ----
  # resolved by the owner-pinned amazon-ami data source rather than an inline filter
  source_ami = data.amazon-ami.result.id
  #source_ami_filter {
  #  filters = {
  #    name                = var.ami_source_name
  #    architecture        = var.ami_source_arch
  #    root-device-type    = var.ami_root_device_type
  #    virtualization-type = var.ami_virtualization_type
  #    state               = "available"
  #  }
  #  most_recent = true
  #  owners = [
  #    "602401143452" # Amazon EKS AMI account ID
  #    #"${var.source_ami_owner}", "${var.source_ami_owner_govcloud}"
  #  ]
  #}

  # ---- published AMI ----
  #ami_name = "eks-1-28-custom-ami-{{timestamp}}"
  ami_name                = local.ami_target_name
  ami_description         = local.ami_description
  ami_virtualization_type = var.ami_virtualization_type
  tags                    = local.tags

  # ---- encryption ----
  # the same flag and key are applied to the AMI and to the build instance's root volume
  # so the two cannot drift apart
  encrypt_boot = var.encrypt_boot
  kms_key_id   = var.kms_key_id

  launch_block_device_mappings {
    device_name           = "/dev/xvda"
    delete_on_termination = true
    encrypted             = var.encrypt_boot
    kms_key_id            = var.kms_key_id
    volume_size           = var.root_volume_size
    volume_type           = var.volume_type
  }

  # ---- SSH to the build instance ----
  ssh_pty = true
  #ssh_username = "packer"
  #ssh_password = "packer"
  ssh_username = var.ssh_username
  ssh_timeout  = "30m" # default: 5m - waits 5 mins for SSH to come up otherwise kills VM

  # ensure filesystem is fsync'd
  #shutdown_command = "echo 'packer' | sudo -S shutdown -P now"
  # ec2-user should have passwordless sudo
  # not valid here
  #shutdown_command = "sudo -S shutdown -P now"
}
build {
  name    = "eks-${var.eks_version}-ami"
  sources = ["source.amazon-ebs.eks_ami"]

  # Runs on the machine executing packer, not on the build instance.
  # `env | grep PACKER` prints every PACKER_* variable into the build log, so never
  # carry secrets in PACKER_-prefixed variables.
  provisioner "shell-local" {
    inline = [
      "echo Build UUID: ${build.PackerRunUUID}",
      "echo Source '${source.name}' type '${source.type}'",
      "env | grep PACKER || :",
    ]
  }

  # Staging directory on the build instance for the file provisioners that follow.
  # don't sudo this one or subsequent commands running as just user will fail
  provisioner "shell" {
    execute_command = "{{ .Vars }} bash -euo pipefail '{{ .Path }}'"
    inline = [
      "mkdir -v /tmp/packer",
    ]
  }

  # Download CrowdStrike RPM from pre-staged S3 bucket
  #
  # Run this script in Makefile before packer build, otherwise tries to stat this
  # first and fails:
  #
  #   * Bad source '/tmp/packer/falcon-sensor-7.17.0-17005.AmazonLinux-2.rpm': stat
  #     /tmp/packer/falcon-sensor-7.17.0-17005.AmazonLinux-2.rpm: no such file or
  #     directory
  #
  #provisioner "shell-local" {
  #  scripts = [
  #    "${local.scripts}/download_crowdstrike.sh"
  #  ]
  #  execute_command = "{{ .Vars }} bash -euo pipefail '{{ .Path }}' '${local.crowdstrike_version}'"
  #  environment_vars = [
  #    "AWS_PROFILE=cicd", # the profile that has the permissions to download the RPM
  #    "AWS_CONFIG_FILE=../../aws/cicd/config.ini"
  #  ]
  #}

  # Upload CrowdStrike RPM to EC2 VM of AMI build
  #provisioner "file" {
  #  source      = "/tmp/packer/falcon-sensor-${local.crowdstrike_version}.AmazonLinux-2.rpm"
  #  destination = "/tmp/packer/falcon-sensor-${local.crowdstrike_version}.AmazonLinux-2.rpm"
  #  direction   = "upload"
  #}

  # Shared shell library used by the scripts run later
  provisioner "file" {
    source      = "${local.scripts}/lib"
    destination = "/tmp/packer/lib"
  }

  # Diagnostics only: dumps the OS release and the complete environment of this
  # provisioner into the build log. Do not add environment_vars carrying secrets to
  # this block, they would be printed verbatim.
  provisioner "shell" {
    inline = [
      "echo OS:",
      "echo",
      "cat /etc/*release",
      "echo",
      "echo Environment:",
      "echo",
      "env | sort"
    ]
  }

  #provisioner "shell" {
  #  scripts = [
  #    "${local.scripts}/install_crowdstrike.sh",
  #  ]
  #  #execute_command = "{{ .Vars }} bash -euo pipefail '{{ .Path }}'"
  #  environment_vars = ["CROWDSTRIKE_FALCON_SENSOR_SECRET=${local.crowdstrike_secret}"]
  #}

  # Patching, time sync, SSM agent and auditd/log forwarding - run as root, with the
  # provisioner's environment preserved across sudo (-E). Scripts run in list order.
  provisioner "shell" {
    scripts = [
      "${local.scripts}/yum_update_packages.sh",
      "${local.scripts}/install_ntp.sh",
      "${local.scripts}/install_aws_ssm_agent.sh",
      "${local.scripts}/install_auditd.sh",
      "${local.scripts}/configure_auditd_rsyslog_logserver.sh",
      #"${local.scripts}/install_eks_tools.sh",
      "${local.scripts}/final.sh"
    ]
    execute_command = "{{ .Vars }} sudo -E bash -euo pipefail '{{ .Path }}'"
    # max_retries = 5
    # timeout     = "5m"
  }

  post-processor "compress" {}

  # post-processor blocks run in parallel
  #
  # doesn't publish the AMI without this post-processor
  post-processor "checksum" { # checksum image
    # verify against the sha512 value; md5 is not collision-resistant and is only kept
    # for tooling that still expects it
    checksum_types      = ["md5", "sha512"] # checksum the artifact
    keep_input_artifact = true              # keep the artifact
    output = "output-{{.BuildName}}/{{.BuildName}}.{{.ChecksumType}}" # default: packer_{{.BuildName}}_{{.BuilderType}}_{{.ChecksumType}}.checksum, at top level not in the directory with the .ova, and it keeps appending to it
  }
}