hashicorp / packer-plugin-amazon

Packer plugin for Amazon AMI Builder
https://www.packer.io/docs/builders/amazon
Mozilla Public License 2.0

PowerShell provisioner is not working over SSH communicator #235

Open qburst-nikhilsoman opened 2 years ago

qburst-nikhilsoman commented 2 years ago

@nywilken @create-atl-delete I've used the above user_data_file and successfully authenticated via SSH over SSM on Windows. However, my PowerShell scripts are not executing on the Packer builder instance. It looks like an issue with the shell with the SSH communicator in the PowerShell provisioner. What my PowerShell script does is download a couple of packages (like the MS Edge browser and Sysmon) and install them on the instance. I'm getting the following error while doing the Packer build:

    base-ami-windows-builder.amazon-ebs.windows-base-ami: Adding tag: "Name": "Packer Builder"
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Instance ID: i-0f03b00afd90f9f16
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Waiting for instance (i-0f03b00afd90f9f16) to become ready...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Using SSH communicator to connect: localhost
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Waiting for SSH to become available...
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Starting portForwarding session "ns.com-0c4ad564a90e86797".
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Starting session with SessionId: ns.com-0c4ad564a90e86797
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Port 8807 opened for sessionId ns.com-0c4ad564a90e86797.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Waiting for connections...
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Connection accepted for session [ns.com-0c4ad564a90e86797]
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Connected to SSH!
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Provisioning with Powershell...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Provisioning with powershell script: /var/folders/2j/s33gtchs13n2jkn_6qc8w0fm0000gn/T/powershell-provisioner37195405
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Hello from PowerShell
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Provisioning with Powershell...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Provisioning with powershell script: ./basic-tools-installation.ps1
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Folder doesn't exists
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:     Directory: C:\
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Mode                LastWriteTime         Length Name
    base-ami-windows-builder.amazon-ebs.windows-base-ami: ----                -------------         ------ ----
    base-ami-windows-builder.amazon-ebs.windows-base-ami: d-----        6/16/2022   2:35 PM                setupfiles
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:     Directory: C:\setupfiles
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Mode                LastWriteTime         Length Name
    base-ami-windows-builder.amazon-ebs.windows-base-ami: ----                -------------         ------ ----
    base-ami-windows-builder.amazon-ebs.windows-base-ami: d-----        6/16/2022   2:35 PM                logs
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Created folders
    base-ami-windows-builder.amazon-ebs.windows-base-ami: The FolderName is C:\setupfiles
    base-ami-windows-builder.amazon-ebs.windows-base-ami: The LogFolderName is C:\setupfiles\logs
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Installing Microsoft Edge browser
    base-ami-windows-builder.amazon-ebs.windows-base-ami: The Download path is C:\Users\Administrator\AppData\Local\Temp\edgeinstall\MicrosoftEdgeEnterpriseX64.msi
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Verifying Microsoft Edge browser installation...
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami: DisplayName           DisplayVersion Publisher InstallDate
    base-ami-windows-builder.amazon-ebs.windows-base-ami: -----------           -------------- --------- -----------
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Microsoft Edge Update 1.3.145.49
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Retrieving Sysmon...
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Sysmon Retrived
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Changing working directory to C:\setupfiles
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Unzip Sysmon...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Write-Progress : Win32 internal error "Access is denied" 0x5 occurred while reading the console output buffer. Contact
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Microsoft Customer Support Services.
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: At
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1:1132
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: char:9
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: +         Write-Progress -Activity $cmdletName -Status $status -Percent ...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==> base-ami-windows-builder.amazon-ebs.windows-base-ami:     + CategoryInfo          : ReadError: (:) [Write-Progress], HostException
==> base-ami-windows-builder.amazon-ebs.windows-base-ami:     + FullyQualifiedErrorId : ReadConsoleOutput,Microsoft.PowerShell.Commands.WriteProgressCommand
==> base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Unzip Complete.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Retrieving Configuration File...
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Configuration File Retrieved.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Installing Sysmon...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami: System Monitor v13.34 - System activity monitor
    base-ami-windows-builder.amazon-ebs.windows-base-ami: By Mark Russinovich and Thomas Garnier
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Copyright (C) 2014-2022 Microsoft Corporation
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Sysinternals - www.sysinternals.com
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Loading configuration file with schema version 4.50
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Sysmon schema version: 4.81
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Configuration file validated.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Sysmon64 installed.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: SysmonDrv installed.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Starting SysmonDrv.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: SysmonDrv started.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Starting Sysmon64..
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Sysmon64 started.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Sysmon Installed!
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Windows defender is enabled
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Exception calling "EndProcessing" with "0" argument(s): "Win32 internal error "Access is denied" 0x5 occurred while
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: reading the console output buffer. Contact Microsoft Customer Support Services."
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: At line:146 char:17
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: +                 $__cmdletization_objectModelWrapper.EndProcessing()
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==> base-ami-windows-builder.amazon-ebs.windows-base-ami:     + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException
==> base-ami-windows-builder.amazon-ebs.windows-base-ami:     + FullyQualifiedErrorId : HostException
==> base-ami-windows-builder.amazon-ebs.windows-base-ami:
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Provisioning step had errors: Running the cleanup provisioner, if present...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Terminating the source AWS instance...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Bad exit status: -1
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Cleaning up any extra volumes...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: No volumes to clean up, skipping
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Deleting temporary security group...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Deleting temporary keypair...
Build 'base-ami-windows-builder.amazon-ebs.windows-base-ami' errored after 11 minutes 9 seconds: Script exited with non-zero exit status: 1.Allowed exit codes are: [0]

==> Wait completed after 11 minutes 9 seconds

I've tried the execute_command specified in the Packer documentation, but I'm getting the same error.

execute_command = "powershell -executionpolicy bypass \"& { if (Test-Path variable:global:ProgressPreference){$ProgressPreference='SilentlyContinue'};. {{.Vars}}; &'{{.Path}}'; exit $LastExitCode }\""

My PowerShell script:

$FolderName = "C:\setupfiles"
$LogFolderName = "$FolderName\logs"

if(Get-Item -Path $FolderName -ErrorAction Ignore)
{
    Write-Host "Folder Exists"

    #Create logs folder
    if(Get-Item -Path $LogFolderName -ErrorAction Ignore)
    {
        Write-Host "Logs folder already exists"
    }
    else
    {
        # PowerShell create logs directory if not exists
        Write-Host "Creating log folder"
        New-Item $LogFolderName -ItemType Directory
    }
}
else
{
    Write-Host "Folder doesn't exists"

    # PowerShell create directories if not exists
    New-Item $FolderName -ItemType Directory
    New-Item $LogFolderName -ItemType Directory
    Write-Host "Created folders"
}

Write-Host "The FolderName is $FolderName"

Write-Host "The LogFolderName is $LogFolderName"

# Installing Microsoft Edge browser

Write-Host "Installing Microsoft Edge browser"
md -Path $env:temp\edgeinstall -erroraction SilentlyContinue | Out-Null
$Download = join-path $env:temp\edgeinstall MicrosoftEdgeEnterpriseX64.msi

Write-Host "The Download path is $Download"

Invoke-WebRequest 'https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/a2662b5b-97d0-4312-8946-598355851b3b/MicrosoftEdgeEnterpriseX64.msi'  -OutFile $Download

Start-Process "$Download" -ArgumentList "/quiet"

Start-Sleep -Seconds 30

# Verifying Microsoft Edge installation

Write-Host "Verifying Microsoft Edge browser installation..."

$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

$INSTALLED | ?{ $_.DisplayName -match 'edge' } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

# SysMon Installation
Write-Host "Retrieving Sysmon..."

Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -Outfile $FolderName\Sysmon.zip

Write-Host "Sysmon Retrived"

Write-Host "Changing working directory to $FolderName"

Set-Location $FolderName

Write-Host "Unzip Sysmon..."

Expand-Archive Sysmon.zip

Set-Location $FolderName\Sysmon

Write-Host "Unzip Complete."

Write-Host "Retrieving Configuration File..."

Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -Outfile sysmonconfig-export.xml

Write-Host "Configuration File Retrieved."

Write-Host "Installing Sysmon..."

.\sysmon64.exe -accepteula -i sysmonconfig-export.xml

Write-Host "Sysmon Installed!"

# Check the status of Windows Defender
$Windows_Defender_status = Get-MpComputerStatus
if ($Windows_Defender_status.AntivirusEnabled -eq "true")
  {
      Write-Output "Windows defender is enabled"
      Update-MpSignature -UpdateSource MicrosoftUpdateServer
  }
else
  {
      Write-Output "Installing Windows defender...."
      Add-WindowsFeature Windows-Defender
  }

I used the following Packer template:

source "amazon-ebs" "windows-base-ami" {
    source_ami           = "ami-07d4836e0aad1ece7"
    instance_type        = "${var.aws_instance_type}"
    ami_name             = "${var.ami_name}-${local.timestamp}-${var.regionAbbreviation}-${var.aws_env}"
    shutdown_behavior    = "terminate"
    subnet_id            = "${var.aws_subnet_id}"
    vpc_id               = "${var.aws_vpc_id}"
    region               = "${var.aws_region}"
    iam_instance_profile = var.iam_instance_profile
    ssh_username         = "Administrator"
    ssh_timeout          = "22h"
    ssh_interface        = "session_manager"
    communicator         = "ssh"
    ssh_port             = 22
    user_data_file       = "./openssh-user-data.ps1"
    launch_block_device_mappings {
        device_name           = "/dev/sda1"
        volume_size           = 40
        volume_type           = "gp2"
        delete_on_termination = true
    }

}

build {
    name = "base-ami-windows-builder"
    sources = ["source.amazon-ebs.windows-base-ami"]

    provisioner "powershell" {
        execute_command = "powershell -executionpolicy bypass \"& { if (Test-Path variable:global:ProgressPreference){$ProgressPreference='SilentlyContinue'};. {{.Vars}}; &'{{.Path}}'; exit $LastExitCode }\""
        script = "./basic-tools-installation.ps1"
    }

}

user_data_file (openssh-user-data.ps1 in the template above):

<powershell>

# Install sshd
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

# Save the public key from instance metadata (earlier attempt, left commented out)
# New-Item -Path C:\Windows\System32\OpenSSH\administrators_authorized_keys -ItemType File
# Set-Content -Path C:\Windows\System32\OpenSSH\administrators_authorized_keys -Value ((New-Object System.Net.WebClient).DownloadString('http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key'))

# Save the public key from instance metadata as the administrators' authorized key
New-Item -Path C:\ProgramData\ssh\administrators_authorized_keys -ItemType File
Set-Content -Path C:\ProgramData\ssh\administrators_authorized_keys -Value ((New-Object System.Net.WebClient).DownloadString('http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key'))

# Set sshd to automatic and start
Set-Service -Name sshd -StartupType "Automatic"
Start-Service sshd

# Set appropriate permissions on administrators_authorized_keys by copying them from an existing key 
Get-ACL C:\ProgramData\ssh\ssh_host_dsa_key | Set-ACL C:\ProgramData\ssh\administrators_authorized_keys

# Set ssh-agent to automatic and start
# Must set to automatic first as the default state is disabled
Set-Service -Name ssh-agent -StartupType "Automatic"
Start-Service ssh-agent

######## TRIED THIS, BUT DIDN'T WORK ########
# Set default shell to PS  \\ TRIED THIS, BUT DIDN'T WORK
# New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
######## TRIED THIS, BUT DIDN'T WORK ########

</powershell>

The same PowerShell script worked with the WinRM communicator. Is there any issue in executing PowerShell script through the SSH communicator?

Originally posted by @qburst-nikhilsoman in https://github.com/hashicorp/packer-plugin-amazon/issues/123#issuecomment-1157893313

UVduane commented 3 weeks ago

I get a similar error from trying to use the PowerShell provisioner over SSH. I'm trying to install Chocolatey using the PS snippet from their instructions. But, I think I've found a workaround for my problem. Can you try:

 ssh_pty       = true

In your source block?
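
A script-side variant of the download and install steps in basic-tools-installation.ps1 for sessions that have no console, added here as an example; it is not code from either commenter or from the Packer project. It assumes the errors in the log come from progress rendering, and the SHA-256 values are placeholders to be replaced with hashes recorded from files you have reviewed.

```powershell
# Added example, not from the issue thread. Assumption: the "Access is denied"
# errors come from progress rendering in an SSH session with no console buffer.

# Script-module functions (Expand-Archive is one) resolve preference variables in
# the global scope, not in the calling script's scope, so set both there.
$global:ErrorActionPreference = 'Stop'
$global:ProgressPreference    = 'SilentlyContinue'

function Get-VerifiedFile {
    # Download a file and delete it again unless its SHA-256 matches the pinned value.
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $OutFile,
        [Parameter(Mandatory)] [string] $Sha256
    )
    Invoke-WebRequest -Uri $Uri -OutFile $OutFile -UseBasicParsing
    $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {
        Remove-Item -Path $OutFile -Force
        throw "SHA-256 mismatch for '$OutFile' (expected $Sha256, got $actual)"
    }
}

function Install-Msi {
    # Run msiexec silently and wait for it, instead of sleeping a fixed 30 seconds.
    param([Parameter(Mandatory)] [string] $Path)
    $msiArgs = @('/i', "`"$Path`"", '/quiet', '/norestart')
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success with reboot required
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec exited with code $($proc.ExitCode) for '$Path'"
    }
}

# Usage with the two downloads from the script in the issue. Both hashes are
# placeholders; the Sysmon URL is unversioned, so re-pin on every new release.
$work = 'C:\setupfiles'
New-Item -Path $work -ItemType Directory -Force | Out-Null
Get-VerifiedFile -Uri 'https://download.sysinternals.com/files/Sysmon.zip' -OutFile "$work\Sysmon.zip" -Sha256 '<EXPECTED-SHA256-OF-SYSMON-ZIP>'
Expand-Archive -Path "$work\Sysmon.zip" -DestinationPath "$work\Sysmon" -Force

$edgeUri = 'https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/a2662b5b-97d0-4312-8946-598355851b3b/MicrosoftEdgeEnterpriseX64.msi'
$edgeMsi = "$work\MicrosoftEdgeEnterpriseX64.msi"
Get-VerifiedFile -Uri $edgeUri -OutFile $edgeMsi -Sha256 '<EXPECTED-SHA256-OF-EDGE-MSI>'
Install-Msi -Path $edgeMsi
```

With the placeholder hashes left in place the first download fails the build by design, which is the behaviour a base-image pipeline wants when an upstream file changes unexpectedly.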