From 913385c4eaee0496d32e865aa892705d492eed99 Mon Sep 17 00:00:00 2001
From: fred-vogt-dod
Date: Sat, 24 Sep 2022 15:12:43 -0700
Subject: [PATCH] Allow for encrypted multi-region, cross account use
---
 amazon-eks-al2.pkr.hcl | 30 ++++++++++++++++-----
 scripts/partition-disks.sh | 2 +-
 variables.pkr.hcl | 54 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 79 insertions(+), 7 deletions(-)
diff --git a/amazon-eks-al2.pkr.hcl b/amazon-eks-al2.pkr.hcl
index f1b15f9..9c33ec5 100644
--- a/amazon-eks-al2.pkr.hcl
+++ b/amazon-eks-al2.pkr.hcl
@@ -1,7 +1,7 @@
 locals {
 timestamp = regex_replace(timestamp(), "[- TZ:]", "")
- target_ami_name = "${var.ami_name_prefix}-${var.eks_version}-${local.timestamp}"
+ target_ami_name = "${var.ami_name_prefix}-${var.eks_version}-v${local.timestamp}"
 }
 data "amazon-ami" "this" {
@@ -27,6 +27,7 @@ source "amazon-ebs" "this" {
 device_name = "/dev/sdb"
 volume_size = var.data_volume_size
 volume_type = "gp2"
+ encrypted = true
 }
 ami_description = "EKS Kubernetes Worker AMI with AmazonLinux2 image"
@@ -36,9 +37,11 @@ source "amazon-ebs" "this" {
 launch_block_device_mappings {
 delete_on_termination = true
- device_name = "/dev/sda1"
+ device_name = "/dev/xvda"
 volume_size = var.root_volume_size
 volume_type = "gp2"
+ encrypted = true
+ kms_key_id = var.kms_key_id
 }
 launch_block_device_mappings {
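Review bot: The `encrypted = true` added to the /dev/sdb mapping in the `@@ -27,6` hunk carries no `kms_key_id`, unlike the two launch mappings changed later in this file, so that volume's snapshot would be encrypted with the account's default EBS key; snapshots encrypted with the AWS-managed default key cannot be shared with other accounts, which undercuts the cross-account goal in the commit title. Adding `kms_key_id = var.kms_key_id` here keeps the three mappings consistent. The block device mapping this line belongs to starts before the hunk, so whether it is an `ami_block_device_mappings` or `launch_block_device_mappings` entry is not visible from here.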
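Review bot: The root device rename from `/dev/sda1` to `/dev/xvda` in the `@@ -36,9` hunk is not explained, and together with the `nvme2n1` → `nvme1n1` change in scripts/partition-disks.sh it looks like an assumption about how the launch volumes enumerate on the build instance; a comment such as `# AL2 root device; the data volume below is the second EBS volume seen by partition-disks.sh` would tie the two changes together. Separately, `encrypted = true` is a constant on the root launch mapping while `encrypt_boot`, added in the next hunk, is a variable defaulting to false, so the build instance's root volume is always encrypted with `var.kms_key_id` (or the default EBS key when that is null) regardless of the caller's `encrypt_boot` setting. If that is deliberate — encrypting the launch volumes so the snapshots are customer-key encrypted without the extra copy `encrypt_boot` triggers — a one-line comment saying so would prevent the next maintainer from "fixing" it.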
@@ -46,18 +49,33 @@ source "amazon-ebs" "this" {
 device_name = "/dev/sdb"
 volume_size = var.data_volume_size
 volume_type = "gp2"
+ encrypted = true
+ kms_key_id = var.kms_key_id
 }
+ encrypt_boot = var.encrypt_boot
+ kms_key_id = var.kms_key_id
+ region = var.aws_region
 run_tags = { Name = local.target_ami_name }
- source_ami = data.amazon-ami.this.id
- ssh_pty = true
- ssh_username = var.source_ami_ssh_user
- subnet_id = var.subnet_id
+ source_ami = data.amazon-ami.this.id
+
+ subnet_id = var.subnet_id
+ ssh_pty = true
+ ssh_interface = var.ssh_interface
+ ssh_username = var.source_ami_ssh_user
+
+ temporary_security_group_source_public_ip = var.temporary_security_group_source_public_ip
+
+ ami_regions = var.ami_regions
+ region_kms_key_ids = var.region_kms_key_ids
+ ami_org_arns = var.ami_org_arns
+ ami_users = var.ami_users
+ snapshot_users = var.snapshot_users
 tags = {
 os_version = "Amazon Linux 2"
diff --git a/scripts/partition-disks.sh b/scripts/partition-disks.sh
index 4b9b727..ebc3d95 100755
--- a/scripts/partition-disks.sh
+++ b/scripts/partition-disks.sh
@@ -51,7 +51,7 @@ migrate_and_mount_disk() {
 fi
 }
-disk_name='/dev/nvme2n1'
+disk_name='/dev/nvme1n1'
 # partition the disk
 parted -a optimal -s $disk_name \
diff --git a/variables.pkr.hcl b/variables.pkr.hcl
index 0b26021..9f1449c 100644
--- a/variables.pkr.hcl
+++ b/variables.pkr.hcl
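Review bot: `ami_users`, `snapshot_users` and `ami_org_arns` are wired through while `kms_key_id` and `region_kms_key_ids` default to null, so a caller who sets `ami_regions` and `snapshot_users` but no key map gets regional copies encrypted with each region's default EBS key, which cannot be shared with other accounts; Packer's own documentation for `region_kms_key_ids` states that default key IDs cannot be combined with `snapshot_users`. Nothing in this hunk fails fast on that combination — a comment here such as `# cross-account sharing requires a customer-managed key: kms_key_id for the build region and one entry per ami_regions element in region_kms_key_ids` would at least record the constraint, and a validation rule on the variables would enforce it. `region = var.aws_region` references a variable that none of the variables.pkr.hcl hunks in this commit declare; presumably it already exists, but worth confirming. The `source "amazon-ebs" "this"` block starts and ends outside this hunk.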
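Review bot: `disk_name='/dev/nvme1n1'` is a hard-coded NVMe index whose correctness depends on how the instance enumerates the EBS volumes this commit reconfigures in amazon-eks-al2.pkr.hcl, and the script records nothing about that coupling; NVMe device numbering is assigned by the instance and is not guaranteed to follow the block device mapping order. A comment such as `# data volume (/dev/sdb in the Packer launch mappings); NVMe numbering is assigned at boot, so re-check with lsblk if the mappings change` would make the dependency explicit. `disk_name` is assigned at script top level, after the closing brace of `migrate_and_mount_disk`.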
@@ -16,6 +16,24 @@ variable "root_volume_size" {
 default = 10
 }
+variable "encrypt_boot" {
+ description = "Whether or not to encrypt the resulting AMI when copying a provisioned instance to an AMI."
+ type = bool
+ default = false
+}
+
+variable "kms_key_id" {
+ description = "ID, alias or ARN of the KMS key to use for AMI encryption. This only applies to the main."
+ type = string
+ default = null
+}
+
+variable "region_kms_key_ids" {
+ description = "Regions to copy the ami to, along with the custom kms key id (alias or arn) to use for encryption for that region."
+ type = map(string)
+ default = null
+}
+
 variable "eks_version" {
 description = "The EKS cluster version associated with the AMI created"
 type = string
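Review bot: The description of `kms_key_id` ends mid-sentence ("This only applies to the main."), and the dropped clause is exactly the part that tells a user how this key interacts with `ami_regions`. Suggested text: `ID, alias or ARN of the KMS key used to encrypt the AMI in the build region; copies listed in ami_regions use region_kms_key_ids, or the regional default EBS key when no entry is given.` The `region_kms_key_ids` description could likewise note that a customer-managed key per region is required when the AMI or its snapshots are shared with other accounts, since the default EBS key cannot be shared.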
@@ -81,3 +99,39 @@ variable "ami_name_prefix" {
 type = string
 default = "amazon-eks-node"
 }
+
+variable "temporary_security_group_source_public_ip" {
+ description = "When enabled, use public IP of the host (obtained from https://checkip.amazonaws.com) as IPv4 CIDR block to be authorized access to the instance, when packer is creating a temporary security group"
+ type = bool
+ default = false
+}
+
+variable "ssh_interface" {
+ description = "If set, either the public IP address, private IP address, public DNS name or private DNS name will be used as the host for SSH. The default behaviour if inside a VPC is to use the public IP address if available, otherwise the private IP address will be used. If not in a VPC the public DNS name will be used."
+ type = string
+ default = "private_ip"
+}
+
+variable "ami_regions" {
+ description = "A list of regions to copy the AMI to. Tags and attributes are copied along with the AMI. AMI copying takes time depending on the size of the AMI, but will generally take many minutes."
+ type = list(string)
+ default = []
+}
+
+variable "ami_org_arns" {
+ description = "A list of Amazon Resource Names (ARN) of AWS Organizations that have access to launch the resulting AMI(s)."
+ type = list(string)
+ default = []
+}
+
+variable "ami_users" {
+ description = "A list of account IDs that have access to launch the resulting AMI(s). By default no additional users other than the user creating the AMI has permissions to launch it."
+ type = list(string)
+ default = []
+}
+
+variable "snapshot_users" {
+ description = "A list of account IDs that have access to create volumes from the snapshot(s)."
+ type = list(string)
+ default = []
+}
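Review bot: `temporary_security_group_source_public_ip` defaults to false, which leaves Packer's temporary security group at its default of allowing the SSH port from 0.0.0.0/0, and the description does not say that the option is coupled to `ssh_interface`: with the `private_ip` default chosen here the builder presumably reaches the instance from its VPC address, so a rule scoped to the builder's public IP would not match and the option is only useful with a public interface. Add to the description: `Only effective when ssh_interface is a public address; with private_ip, scope access via security_group_ids or temporary_security_group_source_cidrs instead.` The `ssh_interface` description is copied from Packer's docs and describes the builder's default, not this module's `private_ip` default, which is worth a sentence of its own.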