'temporary_security_group_source_cidrs' not working #439

Open
steffakasid opened this issue Dec 5, 2023 · 3 comments

Comments

@steffakasid

Overview of the Issue

I am trying to secure my Packer build by setting temporary_security_group_source_cidrs but can't get it working.

Reproduction Steps

I use the Packer template below.

And I have the following user configuration:

{
  "kms_key_id": "alias/xxxx",
  "subnet_id": "subnet-xxxx",
  "psp_element": "xxxx",
  "app_name": "amazon-eks",
  "app_id": "12345",
  "temporary_security_group_source_cidrs": "x.x.x.0/22"
}

Packer version

Packer v1.9.5

Simplified Packer Template

{
  "variables": {
    "source_ami": "{{env `SOURCE_AMI`}}",
    "ami_name": "{{user `app_name`}}-node-{{env `K8S_VERSION`}}-{{timestamp}}",
    "qualys_activation_id" : "{{env `QUALYS_ACTIVATION_ID`}}"
  },
  "builders": [
    {
      "type": "amazon-ebs",
      "region": "eu-central-1",
      "encrypt_boot": true,
      "kms_key_id": "{{user `kms_key_id`}}",
      "source_ami": "{{user `source_ami`}}",
      "instance_type": "t2.micro",
      "ssh_username": "ec2-user",
      "ami_name": "{{user `ami_name`}}",
      "ami_description": "EKS Kubernetes Worker AMI with AmazonLinux2 image",
      "ssh_interface": "private_ip",
      "temporary_security_group_source_cidrs": "{{user `security-group-cidrs`}}",
      "subnet_id": "{{user `subnet_id`}}",
      "shutdown_behavior": "terminate",
      "iam_instance_profile": "eks-ami-profile",
      "tags": {
        "ApplicationName": "{{user `app_name`}}",
        "ApplicationID": "{{user `app_id`}}",
        "BasedOn": "{{user `source_ami`}}",
        "CostReference": "{{user `psp_element`}}",
        "Name": "{{user `ami_name`}}",
        "Subsystem": "common"
      },
      "run_tags": {
        "ApplicationName": "{{user `app_name`}}",
        "ReferenceName": "{{user `app_name`}}",
        "ApplicationID": "{{user `app_id`}}",
        "ReferenceID": "{{user `app_id`}}",
        "CostReference": "{{user `psp_element`}}",
        "Name": "{{user `ami_name`}}-builder",
        "Subsystem": "common",
        "Environment": "DEV"
      }
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "environment_vars": [
        "QUALYS_ACTIVATION_ID={{user `qualys_activation_id`}}"
      ],
      "script": "../bash/pc-amazonlinux.sh",
      "execute_command": "sudo env {{ .Vars }} {{ .Path }}"
    },
    {
      "type": "shell",
      "script": "../bash/setvm.MaxMapCount.sh"
    }
  ],
  "post-processors": [
    {
      "type": "manifest"
    }
  ]
}

Operating system and Environment details

OS, Architecture, and any other information you can provide about the
environment.

Log Fragments and crash.log files

amazon-ebs: output will be in this color.
==> amazon-ebs: Prevalidating any provided VPC information
==> amazon-ebs: Prevalidating AMI Name: amazon-eks-node-1.25-1701774898
    amazon-ebs: Found Image ID: ami-03c7889efe89e1eeb
==> amazon-ebs: Creating temporary keypair: packer_656f06
==> amazon-ebs: Creating temporary security group for this instance: packer_656f06[34]c89b-813d-9786-0d12937acf83
==> amazon-ebs: Authorizing access to port 22 from [0.0.0.0/0] in the temporary security groups...

The build finishes successfully, but the custom temporary_security_group_source_cidrs seems not to be used. Is this a bug or do I have an issue in my configuration?

@steffakasid
Author

Looks like others have issues too: #114

@lbajolet-hashicorp
Contributor

Hi @steffakasid,

Thanks for reporting this. Since this concerns the Amazon plugin, I'll transfer it over there.

Unfortunately, I can't promise we'll fix this soon, as we have other priorities on hand, but we do welcome contributions. If you're up for it, we can help if need be and will happily review!

@lbajolet-hashicorp lbajolet-hashicorp transferred this issue from hashicorp/packer Dec 6, 2023
@steffakasid
Author

I think the value is not correctly mapped/parsed from the config and then overwritten here:
(screenshot of the plugin source, not reproduced)

So the length at this point seems to be 0. Do you have an example of how temporary_security_group_source_cidrs must be set in the config? Are there any possibilities to debug/run the code locally without having access to an AWS account?

Regards
Steffen
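
The template in the issue body references {{user `security-group-cidrs`}} on the builder, while the var file supplies a key named temporary_security_group_source_cidrs. Nothing in the thread defines a user variable called security-group-cidrs, the build still ran, and the log shows the plugin authorizing port 22 from 0.0.0.0/0, so the builder evidently received no usable CIDR and fell back to the world-open default. The following is an added example written for this thread (it is not code from Packer or the amazon plugin, and the author's question about running the plugin locally is not answered by it): a small lint for legacy JSON templates that reports {{user}} references with no matching variable, plus a model of what the builder ends up with before and after renaming the reference. The template and var file are constructed, trimmed copies of the ones posted above, placeholder values included; the empty-value-to-0.0.0.0/0 fallback is reproduced here only as the outcome the log shows, not copied from plugin code.

```python
"""Lint a legacy (JSON) Packer template for {{user `x`}} references that no
variable supplies, and model the resulting temporary_security_group_source_cidrs.

Added example for this issue thread; not Packer or amazon-plugin code.
Assumptions: user variables are plain strings (true for JSON templates),
and an undefined reference renders to "" rather than failing the build,
which is what the successful build and the 0.0.0.0/0 log line above imply.
"""
import json
import re

# {{user `name`}} with optional whitespace, as written in JSON templates.
USER_REF = re.compile(r"\{\{\s*user\s+`([^`]+)`\s*\}\}")

# Constructed, trimmed copy of the issue's template. Note the builder's
# reference to `security-group-cidrs`, which no variable defines.
TEMPLATE = r'''{
  "variables": {
    "source_ami": "{{env `SOURCE_AMI`}}",
    "ami_name": "{{user `app_name`}}-node-{{env `K8S_VERSION`}}-{{timestamp}}"
  },
  "builders": [{
    "type": "amazon-ebs",
    "kms_key_id": "{{user `kms_key_id`}}",
    "subnet_id": "{{user `subnet_id`}}",
    "temporary_security_group_source_cidrs": "{{user `security-group-cidrs`}}",
    "tags": {
      "ApplicationID": "{{user `app_id`}}",
      "CostReference": "{{user `psp_element`}}"
    }
  }]
}'''

# The same template with the reference renamed to match the var-file key.
FIXED_TEMPLATE = TEMPLATE.replace(
    "{{user `security-group-cidrs`}}",
    "{{user `temporary_security_group_source_cidrs`}}",
)

# Constructed copy of the issue's var file (its placeholder values kept).
VAR_FILE = '''{
  "kms_key_id": "alias/xxxx",
  "subnet_id": "subnet-xxxx",
  "psp_element": "xxxx",
  "app_name": "amazon-eks",
  "app_id": "12345",
  "temporary_security_group_source_cidrs": "x.x.x.0/22"
}'''


def iter_strings(node):
    """Yield every string value anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)


def referenced_user_vars(template):
    """Names used in {{user `...`}} anywhere in the template, variables block included."""
    refs = set()
    for text in iter_strings(json.loads(template)):
        refs.update(USER_REF.findall(text))
    return refs


def defined_user_vars(template, var_file):
    """Names a {{user}} call can resolve: the template's "variables" block plus the var file."""
    names = set(json.loads(template).get("variables", {}))
    names |= set(json.loads(var_file))
    return names


def undefined_user_vars(template, var_file):
    """References with no definition; each renders empty instead of failing the build."""
    return sorted(referenced_user_vars(template) - defined_user_vars(template, var_file))


def unused_var_file_keys(template, var_file):
    """Var-file keys nothing references; paired with an undefined name, that is a typo."""
    return sorted(set(json.loads(var_file)) - referenced_user_vars(template))


def render_user_refs(text, template, var_file):
    """Expand {{user}} calls only (env/timestamp are not modelled); unknown names become ""."""
    values = dict(json.loads(template).get("variables", {}))
    values.update(json.loads(var_file))
    return USER_REF.sub(lambda m: values.get(m.group(1), ""), text)


def builder_source_cidrs(template, var_file):
    """What the amazon-ebs builder is left with for temporary_security_group_source_cidrs.

    A non-empty string lifts to a one-element list; an empty value leaves the
    option unset, and the outcome seen in the thread's log is a fallback to
    0.0.0.0/0. That fallback is modelled here, not taken from plugin code.
    """
    builder = json.loads(template)["builders"][0]
    raw = builder.get("temporary_security_group_source_cidrs", "")
    rendered = render_user_refs(raw, template, var_file)
    return [rendered] if rendered else ["0.0.0.0/0"]


if __name__ == "__main__":
    for label, tpl in (("as posted", TEMPLATE), ("renamed reference", FIXED_TEMPLATE)):
        print(label, "undefined:", undefined_user_vars(tpl, VAR_FILE),
              "unused:", unused_var_file_keys(tpl, VAR_FILE),
              "port 22 from:", builder_source_cidrs(tpl, VAR_FILE))
```

Because the undefined reference renders empty instead of failing, packer build reports success while the temporary security group allows port 22 from 0.0.0.0/0; with ssh_interface set to private_ip and a private subnet that rule is only reachable from inside the VPC or peered networks, but it is still far wider than the intended /22, and nothing in the build output flags it beyond the single "Authorizing access" line. Running a lint like the one above (or simply grepping the rendered template for every {{user}} name and checking it against the var file) before the build is the cheap check; the fix for this thread's configuration is the rename shown in FIXED_TEMPLATE.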
