From 93d760adaea0e5cc538cd8c83c3af1de522f4a6d Mon Sep 17 00:00:00 2001 From: fred-vogt-dod Date: Sat, 24 Sep 2022 15:12:43 -0700 Subject: [PATCH] Allow for encrypted multi-region, cross account use --- amazon-eks-al2.pkr.hcl | 32 ++++++++++++++---- scripts/partition-disks.sh | 2 +- variables.pkr.hcl | 67 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 94 insertions(+), 7 deletions(-) diff --git a/amazon-eks-al2.pkr.hcl b/amazon-eks-al2.pkr.hcl index f1b15f9..3c8a83b 100644 --- a/amazon-eks-al2.pkr.hcl +++ b/amazon-eks-al2.pkr.hcl @@ -1,7 +1,7 @@ locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") - target_ami_name = "${var.ami_name_prefix}-${var.eks_version}-${local.timestamp}" + target_ami_name = "${var.ami_name_prefix}-${var.eks_version}-v${local.timestamp}" } data "amazon-ami" "this" { @@ -27,6 +27,7 @@ source "amazon-ebs" "this" { device_name = "/dev/sdb" volume_size = var.data_volume_size volume_type = "gp2" + encrypted = true } ami_description = "EKS Kubernetes Worker AMI with AmazonLinux2 image" @@ -36,9 +37,11 @@ source "amazon-ebs" "this" { launch_block_device_mappings { delete_on_termination = true - device_name = "/dev/sda1" + device_name = "/dev/xvda" volume_size = var.root_volume_size volume_type = "gp2" + encrypted = true + kms_key_id = var.kms_key_id } launch_block_device_mappings { @@ -46,18 +49,35 @@ source "amazon-ebs" "this" { device_name = "/dev/sdb" volume_size = var.data_volume_size volume_type = "gp2" + encrypted = true + kms_key_id = var.kms_key_id } + encrypt_boot = var.encrypt_boot + kms_key_id = var.kms_key_id + region = var.aws_region run_tags = { Name = local.target_ami_name } - source_ami = data.amazon-ami.this.id - ssh_pty = true - ssh_username = var.source_ami_ssh_user - subnet_id = var.subnet_id + source_ami = data.amazon-ami.this.id + + subnet_id = var.subnet_id + ssh_pty = true + ssh_interface = var.ssh_interface + ssh_username = var.source_ami_ssh_user + + associate_public_ip_address = var.associate_public_ip_address + temporary_security_group_source_cidrs = var.temporary_security_group_source_cidrs + temporary_security_group_source_public_ip = var.temporary_security_group_source_public_ip + + ami_regions = var.ami_regions + region_kms_key_ids = var.region_kms_key_ids + ami_org_arns = var.ami_org_arns + ami_users = var.ami_users + snapshot_users = var.snapshot_users tags = { os_version = "Amazon Linux 2" diff --git a/scripts/partition-disks.sh b/scripts/partition-disks.sh index 4b9b727..ebc3d95 100755 --- a/scripts/partition-disks.sh +++ b/scripts/partition-disks.sh @@ -51,7 +51,7 @@ migrate_and_mount_disk() { fi } -disk_name='/dev/nvme2n1' +disk_name='/dev/nvme1n1' # partition the disk parted -a optimal -s $disk_name \ diff --git a/variables.pkr.hcl b/variables.pkr.hcl index 0b26021..f187d7a 100644 --- a/variables.pkr.hcl +++ b/variables.pkr.hcl @@ -16,6 +16,24 @@ variable "root_volume_size" { default = 10 } +variable "encrypt_boot" { + description = "Whether or not to encrypt the resulting AMI when copying a provisioned instance to an AMI." + type = bool + default = false +} + +variable "kms_key_id" { + description = "ID, alias or ARN of the KMS key to use for AMI encryption. This only applies to the main." + type = string + default = null +} + +variable "region_kms_key_ids" { + description = "Regions to copy the ami to, along with the custom kms key id (alias or arn) to use for encryption for that region." + type = map(string) + default = null +} + variable "eks_version" { description = "The EKS cluster version associated with the AMI created" type = string @@ -81,3 +99,52 @@ variable "ami_name_prefix" { type = string default = "amazon-eks-node" } + +variable "associate_public_ip_address" { + description = "If using a non-default VPC, public IP addresses are not provided by default. If this is true, your new instance will get a Public IP." + type = bool + default = false +} + + +variable "temporary_security_group_source_cidrs" { + description = "A list of IPv4 CIDR blocks to be authorized access to the instance, when packer is creating a temporary security group." + type = list(string) + default = [] +} + +variable "temporary_security_group_source_public_ip" { + description = "When enabled, use public IP of the host (obtained from https://checkip.amazonaws.com) as IPv4 CIDR block to be authorized access to the instance, when packer is creating a temporary security group" + type = bool + default = false +} + +variable "ssh_interface" { + description = "If set, either the public IP address, private IP address, public DNS name or private DNS name will be used as the host for SSH. The default behaviour if inside a VPC is to use the public IP address if available, otherwise the private IP address will be used. If not in a VPC the public DNS name will be used." + type = string + default = "private_ip" +} + +variable "ami_regions" { + description = "A list of regions to copy the AMI to. Tags and attributes are copied along with the AMI. AMI copying takes time depending on the size of the AMI, but will generally take many minutes." + type = list(string) + default = [] +} + +variable "ami_org_arns" { + description = "A list of Amazon Resource Names (ARN) of AWS Organizations that have access to launch the resulting AMI(s)." + type = list(string) + default = [] +} + +variable "ami_users" { + description = "A list of account IDs that have access to launch the resulting AMI(s). By default no additional users other than the user creating the AMI has permissions to launch it." + type = list(string) + default = [] +} + +variable "snapshot_users" { + description = "A list of account IDs that have access to create volumes from the snapshot(s)." + type = list(string) + default = [] +}