hashicorp / packer-plugin-amazon

Packer plugin for Amazon AMI Builder
https://www.packer.io/docs/builders/amazon
Mozilla Public License 2.0

'temporary_security_group_source_cidrs' not working #439

Open steffakasid opened 6 months ago

steffakasid commented 6 months ago

Overview of the Issue

I am trying to secure my Packer build by setting temporary_security_group_source_cidrs but can't get it working.

Reproduction Steps

I use the Packer template below.

And I have the following user configuration:

{
  "kms_key_id": "alias/xxxx",
  "subnet_id": "subnet-xxxx",
  "psp_element": "xxxx",
  "app_name": "amazon-eks",
  "app_id": "12345",
  "temporary_security_group_source_cidrs": "x.x.x.0/22"
}

Packer version

From packer version v1.9.5

Simplified Packer Template

{
  "variables": {
    "source_ami": "{{env `SOURCE_AMI`}}",
    "ami_name": "{{user `app_name`}}-node-{{env `K8S_VERSION`}}-{{timestamp}}",
    "qualys_activation_id" : "{{env `QUALYS_ACTIVATION_ID`}}"
  },
  "builders": [
    {
      "type": "amazon-ebs",
      "region": "eu-central-1",
      "encrypt_boot": true,
      "kms_key_id": "{{user `kms_key_id`}}",
      "source_ami": "{{user `source_ami`}}",
      "instance_type": "t2.micro",
      "ssh_username": "ec2-user",
      "ami_name": "{{user `ami_name`}}",
      "ami_description": "EKS Kubernetes Worker AMI with AmazonLinux2 image",
      "ssh_interface": "private_ip",
      "temporary_security_group_source_cidrs": "{{user `security-group-cidrs`}}",
      "subnet_id": "{{user `subnet_id`}}",
      "shutdown_behavior": "terminate",
      "iam_instance_profile": "eks-ami-profile",
      "tags": {
        "ApplicationName": "{{user `app_name`}}",
        "ApplicationID": "{{user `app_id`}}",
        "BasedOn": "{{user `source_ami`}}",
        "CostReference": "{{user `psp_element`}}",
        "Name": "{{user `ami_name`}}",
        "Subsystem": "common"
      },
      "run_tags": {
        "ApplicationName": "{{user `app_name`}}",
        "ReferenceName": "{{user `app_name`}}",
        "ApplicationID": "{{user `app_id`}}",
        "ReferenceID": "{{user `app_id`}}",
        "CostReference": "{{user `psp_element`}}",
        "Name": "{{user `ami_name`}}-builder",
        "Subsystem": "common",
        "Environment": "DEV"
      }
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "environment_vars": [
        "QUALYS_ACTIVATION_ID={{user `qualys_activation_id`}}"
      ],
      "script": "../bash/pc-amazonlinux.sh",
      "execute_command": "sudo env {{ .Vars }} {{ .Path }}"
    },
    {
      "type": "shell",
      "script": "../bash/setvm.MaxMapCount.sh"
    }
  ],
  "post-processors": [
    {
      "type": "manifest"
    }
  ]
}


Log Fragments and crash.log files

amazon-ebs: output will be in this color.
==> amazon-ebs: Prevalidating any provided VPC information
==> amazon-ebs: Prevalidating AMI Name: amazon-eks-node-1.25-1701774898
    amazon-ebs: Found Image ID: ami-03c7889efe89e1eeb
==> amazon-ebs: Creating temporary keypair: packer_656f06
==> amazon-ebs: Creating temporary security group for this instance: packer_656f06[34]c89b-813d-9786-0d12937acf83
==> amazon-ebs: Authorizing access to port 22 from [0.0.0.0/0] in the temporary security groups...

The build finishes successfully, but the custom temporary_security_group_source_cidrs does not seem to be used. Is this a bug, or do I have an issue in my configuration?

steffakasid commented 6 months ago

Looks like others have issues too: https://github.com/hashicorp/packer-plugin-amazon/issues/114

lbajolet-hashicorp commented 6 months ago

Hi @steffakasid,

Thanks for reporting this. Since this concerns the Amazon plugin, I'll transfer it over there.

Unfortunately, I can't promise we'll fix this soon, as we have other priorities on hand, but we do welcome contributions. If you're up for it, we can help if need be and will happily review!

steffakasid commented 6 months ago

I think the value is not correctly mapped/parsed from the config and is then overwritten here: [screenshot]

So the length at this point seems to be 0. Do you have an example of how temporary_security_group_source_cidrs must be set in the config? Are there any possibilities to debug/run the code locally without having access to an AWS account?

Regards Steffen
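An added pre-build check, not part of this issue or of the plugin's code, that catches the two defects visible in the template above before a build runs: the key given as a JSON string rather than a JSON array, and a {{user `...`}} reference to a variable the user-variable file never defines (the file defines temporary_security_group_source_cidrs, the template reads security-group-cidrs). It also flags entries that resolve to an empty value or to 0.0.0.0/0, which is what the log shows being authorized on port 22. Assumptions: the template and variable file are loaded as plain dicts, the sample data is constructed from the issue, and the fallback to 0.0.0.0/0 for an empty list is taken from the log and the plugin's documented default.

```python
import re
from ipaddress import ip_network

# Constructed sample reproducing the issue: the builder key holds a string instead
# of a JSON array, and it references a user variable that the variable file never
# defines (the file defines a differently named key).
USER_VARS = {"temporary_security_group_source_cidrs": "10.1.0.0/22"}
TEMPLATE = {"builders": [{"type": "amazon-ebs",
            "temporary_security_group_source_cidrs": "{{user `security-group-cidrs`}}"}]}

USER_RE = re.compile(r"\{\{\s*user\s+`([^`]+)`\s*\}\}")
KEY = "temporary_security_group_source_cidrs"


def resolve(value, user_vars):
    """Substitute {{user `name`}} references; return (resolved text, undefined names)."""
    missing = []

    def sub(match):
        name = match.group(1)
        if name not in user_vars:
            missing.append(name)
            return ""          # Packer also yields an empty string for an unset user var
        return str(user_vars[name])

    return USER_RE.sub(sub, value), missing


def check_builder(builder, user_vars):
    """Return findings for one builder; an empty list means SSH ingress is restricted."""
    findings = []
    raw = builder.get(KEY)
    if raw is None:
        return [f"{KEY} not set: plugin defaults to 0.0.0.0/0"]
    if not isinstance(raw, list):
        findings.append(f"{KEY} must be a JSON array, got {type(raw).__name__}")
        raw = [raw]
    for item in raw:
        value, missing = resolve(str(item), user_vars)
        findings.extend(f"user variable `{name}` is undefined" for name in missing)
        if not value:
            findings.append("empty CIDR entry: plugin falls back to 0.0.0.0/0")
            continue
        try:
            net = ip_network(value, strict=False)
        except ValueError:
            findings.append(f"{value!r} is not a valid CIDR")
            continue
        if net.prefixlen == 0:
            findings.append(f"{value} authorizes port 22 from any address")
    return findings
```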