hashicorp / packer-plugin-amazon

Packer plugin for Amazon AMI Builder
https://www.packer.io/docs/builders/amazon
Mozilla Public License 2.0

AWS SSM: Native support for SSM session similar to Ansible Provisioner #215

Status: Open. Opened by hc-github-team-packer 2 years ago.

hc-github-team-packer commented 2 years ago

This issue was originally opened by @shanmugakarna in https://github.com/hashicorp/packer/issues/11714 and has been migrated to this repository. The original issue description is below.


Description

Ansible supports the aws_ssm connection type natively, without port-forwarding a tunnel and connecting to it via SSH. But Packer still needs WinRM to check initial connectivity before starting provisioners. The example below talks about WinRM, though this would be true for SSH as well.

ansible_connection: aws_ssm
ansible_shell_type: powershell
ansible_aws_ssm_bucket_name: demo-ansible-ssm-bucket
ansible_aws_ssm_region: us-east-1

Use Case(s)

Though Ansible doesn't need WinRM to be enabled when using ansible_connection: aws_ssm, we still need to enable WinRM just because Packer expects to check the WinRM connection before triggering provisioners.

Potential configuration

If Packer itself tested connectivity to the instance via aws ssm start-session --target "i-**************", it would completely remove the need to enable WinRM on AWS EC2 AMIs.

Potential References

https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html
https://docs.ansible.com/ansible/latest/collections/community/aws/aws_ssm_connection.html

RichiCoder1 commented 2 years ago

I've actually got this working via ssh_interface = "session_manager" and can provide the deets. Been using it for a bunch of smaller builds without issue, I think.
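For readers who want to try the ssh_interface = "session_manager" route mentioned above, here is an added example of an amazon-ebs source in Packer HCL; it is not code from this thread or from the plugin's documentation. The instance profile name, AMI filter and region are assumptions; the profile must grant the SSM agent its core permissions (for example the AWS-managed AmazonSSMManagedInstanceCore policy), and the Packer host needs the AWS CLI with the session-manager-plugin installed.

```hcl
# Added example (not part of this issue or the plugin's docs): an amazon-ebs
# source that reaches the build instance through an SSM session instead of an
# inbound SSH port. Profile name, region and AMI filter are assumed values.
packer {
  required_plugins {
    amazon = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/amazon"
    }
  }
}

source "amazon-ebs" "ssm_example" {
  region        = "us-east-1"
  instance_type = "t3.micro"
  ami_name      = "ssm-built-${formatdate("YYYYMMDD-hhmmss", timestamp())}"

  source_ami_filter {
    filters = {
      name                = "al2023-ami-*-x86_64"
      root-device-type    = "ebs"
      virtualization-type = "hvm"
    }
    owners      = ["amazon"]
    most_recent = true
  }

  # Assumed profile name. It must allow the SSM agent to register and open
  # sessions (ssm, ssmmessages and ec2messages actions), nothing broader.
  iam_instance_profile = "packer-ssm-instance-profile"

  # Session Manager is only implemented for the SSH communicator, not WinRM.
  communicator  = "ssh"
  ssh_username  = "ec2-user"
  ssh_interface = "session_manager"

  # No security-group rule for port 22 is needed: Packer still generates a
  # temporary key pair, but the SSH traffic is carried inside the SSM session.
}

build {
  sources = ["source.amazon-ebs.ssm_example"]

  provisioner "shell" {
    inline = ["sudo dnf -y update"]
  }
}
```

A quick sanity check before building is to confirm the instance profile's role can register with SSM (the instance should appear in `aws ssm describe-instance-information` once booted); if it never registers, the build will hang waiting for the session rather than failing fast.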

shanmugakarna commented 2 years ago

I think this issue can be closed as the documentation says ssh_interface works for WinRM as well. https://www.packer.io/plugins/builders/amazon/ebs#ssh_interface

ameir commented 2 years ago

I have a need for this as well, but for different reasons. Right now, SSM is used to create a tunnel to port 22, and a keypair (or SSH agent) is used to SSH over that tunnel.

I operate in a keypair-less environment, and using SSH over SSM, Packer creates a dynamic keypair (I'm unable to go the SSH agent route). Native SSM allows for a connection to be made to the host that's similar to SSH and does not require a keypair.

If Packer could use this flow directly vs using SSH, it would simplify connectivity and obviate the need for SSH keys.

jw-maynard commented 6 months ago

I think this issue can be closed as the documentation says ssh_interface works for WinRM as well. https://www.packer.io/plugins/builders/amazon/ebs#ssh_interface

@shanmugakarna where do you see that? I see that it does not work for WinRM:

Session manager connectivity is currently only implemented for the SSH communicator, not the WinRM communicator.