Example configurations for creating ssh opened Windows Server on AWS EC2 using Packer.
There are also Terraform configurations to create an actual instance from the AMI that is made by Packer and helper commands with Makefile.
This instance will consist of
- having Administrator account and normal user account(by default name "user_a"), see here
- SSH server running, but SSH password authentication will be disabled. see here
It checked to run the instance by specified below AMI name filter.
- Windows_Server-2019-English-Full-Base-*
- Windows_Server-2022-English-Full-Base-*
To make AMI through Packer. "SUBNET_ID" and "ADMIN_PASSWORD" must be specified based on your environment.
cd packer;\
packer init .;\
export PACKER_CACHE_DIR=".";\
export SUBNET_ID="****";\
export ADMIN_PASSWORD="****";\
packer build .
There is also another helper command as Make targets, see here
Packer
Terraform (if run helper commands)
make (if run helper commands)
The main contents to state this repo.
| Name | Version |
|---|---|
| packer | >= 1.7.3 |
| Name | Version |
|---|---|
| amazon | >= 1.0.0 |
| sshkey | >= 1.0.1 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| vpc_subnet_id | AWS VPC Subnet ID to run source instance | string |
"env("SUBNET_ID")" |
yes |
| admin_password | Account password for "Administrator" | string |
"env("ADMIN_PASSWORD")" |
yes |
| region | AMI will be made in the region | string |
"ap-northeast-1" |
no |
| ami_name_prefix | AMI name prefix, this prefix will combine timestamp string then set as a AMI name and tag:Name(example: "packer-windows-ssh-20220801010203") | string |
"packer-windows-ssh" |
no |
| instance_type | source instance launch on this instance type | string |
"t2.micro" |
no |
| userdata_template_path | This file will use as a userdata for setting up the instance, see here | string |
"./userdata.tpl" |
no |
| ssh_timeout | ssh timeout seconds | string |
"10m" |
no |
| source_ami_name_prefix | This string used as a name filter prefix for finding source AMI image(example :"Windows_Server-2019-English-Full-Base-*") | string |
"Windows_Server-2019-English-Full-Base-" |
no |
| admin_user_account | Administrator user account name the instance has | string |
"Administrator" |
no |
| normal_user_account | Nomal user account, it will make through userdata,see here | string |
"user_a" |
no |
By default, userdata.tpl file will be used to create userdata for setting up the source instance.
In the userdata,
- Install OpenSSH through "Add-WindowsCapability"
- Setup SSH Server (set Administrator and normal user public key to authorized_keys, change permission, disable Password authentication)
- Create Normal User and its USER_PROFILE through calling Win32 API userenv CreateProfile, The link helped me a lot.
Some key information(Normal user name, admin public key, user public key) wiil be replaced by Packer builtin function (templatefile)[https://www.packer.io/docs/templates/hcl_templates/functions/file/templatefile]
~~~
user_data = templatefile(var.userdata_template_path,
{
admin_key = data.sshkey.admin_key.public_key,
user_name = var.normal_user_account,
user_key = data.sshkey.normal_user_key.public_key
}
)
~~~
Optional contents.
Terraform configuration will be used to make an actual instance for debugging and confirming.
This configuration is combined with Makefile targets.
| Name | Version |
|---|---|
| terraform | >= 0.13.1 |
| Name | Version |
|---|---|
| aws | >= 4.20.0 |
| Name | Version |
|---|---|
| module.ec2_instance | ~> 3.0 |
| Name | Description |
|---|---|
| data.tls_public_key | extracted public key from Input variable file ssh_private_key_path |
| data.aws_ami | Source AMI instance to create ec2 instance |
| Name | Description |
|---|---|
| aws_security_group.windows_ssh | the security group will attach to the instance, open SSH(22) inbound traffic from 0.0.0.0/0 and no outbound traffic limitations |
| aws_key_pair.instance_key | will be registered as an instance's SSH key pair see Input Variables also |
| null_resource.check_ssh_connectivity_admin | to check SSH connectivity for Administrator, triggered by changing instance_id, if "var.with_ssh_check" is false then it'll be ignored. |
| null_resource.check_ssh_connectivity_normal | to check SSH connectivity for Normal user, triggered by changing instance_id, if "var.with_ssh_check" is false then it'll be ignored. |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_vpc_id | AWS VPC ID to run instance | string |
"" |
yes |
| vpc_subnet_id | AWS VPC Subnet ID to run instance | string |
"" |
yes |
| ssh_private_key_path | The Key will be used to extract its public key, and set as an instance key name of "key-${var.instance_name}" | string |
"" |
yes |
| instance_type | EC2 Instance run on the instance type | string |
"t2.micro" |
no |
| instance_name | EC2 Instance Name, It will set as an instance name and tag:Name | string |
"windows-ssh" |
no |
| instance_availability_zone | AZ to run the instance | string |
"ap-northeast-1a" |
no |
| security_group_name | It will be set as an "aws_security_group.windows_ssh" name, the security group will attach to the instance, open SSH(22) inbound traffic from 0.0.0.0/0 and no outbound traffic limitations | string |
"ssh_windows" |
no |
| ami_name_prefix | AMI filter rule name prefix to find the AMI Image that was built by Packer. The filter rule is name:"${ami_name_prefix}*" | string |
"packer-windows-ssh" |
no |
| with_ssh_check | If true, ssh connectivity check will run | bool |
true |
no |
| admin_user_account | Administrator user account name the instance has | string |
"Administrator" |
no |
| normal_user_account | Normal user account, it will make through userdata through Packer, see here | string |
"user_a" |
no |
| ssh_private_key_path_admin | SSH private key file path for Administrator user account | string |
"../packer/ssh_private_key_win_admin_rsa.pem" |
no |
| ssh_private_key_path_normal_user | SSH private key file path for Normal user account | string |
"../packer/ssh_private_key_win_normal_rsa.pem" |
no |
| Name | Description |
|---|---|
| public_ip | The instance public ip |
The Makefile provides helper commands for creating AMI through Packer, running the instance to use Terraform, etc.
Before running make targets, edit the .env file for specifying your VPC_ID and SUBNET_ID.
Make AMI Image in the packer directory.
- SUBNET_ID that is specified in .env will pass as a variable "subnet_id" on "packer build" command.
- requires input "admin_password" that will set as a User "Administrator"'s password.
- ssh keys that are made by Packer "sshkey" plugin will be put in the same directory(./packer), the path specified as "PACKER_CACHE_DIR", see here.
make AWS EC2 instance in the terraform directory.
- variable "aws_vpc_id" and "vpc_subnet_id" will pass based on the .env file.
- variable "ssh_private_key_path" will pass based on ADMIN_KEY variable in Makefile.
run "terraform destroy"
run targets "ami" "ec2" "clean".