Add support for boot_mode option for Amazon EBS builder

[hegyre]

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Description

Those PRs #131 and #340 add support for boot_mode, but only for the "Chroot" and "EBS Surrogate" builders.
I would need to be able to select the boot_mode also for "EBS" builder.

Use Case(s)

CIS hardening needs to disable vfat filesystem. However, as mentionned:

Disabling the vfat module can prevent boot on UEFI systems.

I'd like to test it out by creating an AMI while booting with Legacy-bios instead of UEFI.

Potential configuration

Same as documented on the EBS Surrogate builder documentation for boot_mode and optionnaly for uefi_data.
Valid options should be legacy-bios and uefi + the non-mentionned uefi-preferred from #362.

Potential References

• Add a boot mode option to builders #131
• Add uefi_preferred to boot_mode on Amazon builders #340
• AWS Builders : add uefi-preferred boot_mode #362
• AWS documentation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-boot.html

[lorengordon]

Note that the EBS builder uses the CreateImage API, which does not offer any option to set the BootMode. Instead, when using CreateImage, the BootMode will be inherited from the source instance.

The chroot and ebssurrogate builders use RegisterImage, which does support the BootMode option.

[hegyre]

Hello,
It's not for creating the image itself but for running the temporary EC2 instance.

[lorengordon]

Ahh, the BootMode is inherited from the selected source image. You cannot set it in the RunInstances API.

You can force BIOS mode by using a UEFI Preferred image, and selecting an older instance type, say an m4, that does not support Nitro (required for UEFI).

[hegyre]

Ah indeed that's unfortunate but we cannot force the boot mode on instance launch. It's always derived from the AMI.

The drawback is that we cannot test Legacy-bios on Nitro unless we copy an original AMI first and set the boot_mode, only then we can select it with Packer.

Anyway, I'll live with that. Thanks a lot for your quick reply here !

[lorengordon]

Yeah, the API support for BootMode is very limited. None of CreateImage, CopyImage, or RunInstances support setting the Boot Mode. It can only be set by RegisterImage. If you have access to paid AWS Support, it would probably be worth opening a feature request to enhance the API support for BootMode.

[lbajolet-hashicorp]

Hi @hegyre and @lorengordon,

Thanks for the discussion already here, and sorry we haven't pinged here sooner.

This looks like we can't do much on the plugin side for now, I'll leave the issue open to keep an eye on this topic, hopefully we'll have some flexibility some day to change the boot mode (though I presume this is tied to the AMI for a reason, partitioning/boot loading is very different between the two modes unfortunately).
If/when it becomes an option to run instances with a different boot mode, we can update this topic!

In the meantime regarding your use case @hegyre, I believe you may be able to workaround that limitation by creating a BIOS-compatible image for Centos using the ebssurrogate builder, and use that image as the base for what you're trying to achieve? Would that work for you?

Also looking at the CIS Hardening page you've linked, it looks like this is removed from a newer version of the guidelines? Is this still something you need to do for compliance?