hashicorp / packer-plugin-amazon

Packer plugin for Amazon AMI Builder
https://www.packer.io/docs/builders/amazon
Mozilla Public License 2.0

imds_support unset (legacy) not working on source image with ImdsSupport: v2.0 #472

Closed sam-chen-zocdoc closed 5 months ago

sam-chen-zocdoc commented 6 months ago

Overview of the Issue

Using the latest Packer v1.10.2 with plugin packer-plugin-amazon_v1.3.1_x5.0_linux_amd64 and Amazon Linux 2023 as the source AMI.

"ImdsSupport": "v2.0" (instance metadata v2) is always enabled on the resulting AMI, even with imds_support: "".

Reproduction Steps

Choose a source AMI with "ImdsSupport": "v2.0", e.g.:

"Name": "al2023-ami-2023.4.20240319.1-kernel-6.1-x86_64",
"ImageId": "ami-0c101f26f147fa7fd",

Set imds_support: "" in example.pkr.hcl and check whether the AMI created has IMDSv2 enforced.

Plugin and Packer version

From packer version v1.10.2

Simplified Packer Buildfile

packer {
  required_plugins {
    amazon = {
      version = "~>1"
      source  = "github.com/hashicorp/amazon"
    }
  }
}

variable "security_group_ids" {
  type    = string
  default = ""
}

variable "subnet_id" {
  type    = string
  default = ""
}

variable "vpc_id" {
  type    = string
  default = ""
}

data "amazon-ami" "al2023" {
  filters = {
    architecture        = "x86_64"
    description         = "Amazon Linux 2023 AMI * x86_64 HVM kernel-*"
    image-type          = "machine"
    root-device-type    = "ebs"
    state               = "available"
    virtualization-type = "hvm"
  }
  most_recent = true
  owners      = ["amazon"]
}

locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") }

source "amazon-ebs" "basic-example" {
  ami_name      = "packer-example-${local.timestamp}"
  communicator  = "ssh"
  instance_type = "t2.micro"
  source_ami    = data.amazon-ami.al2023.id
  ssh_username  = "ec2-user"
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "optional"
    http_put_response_hop_limit = 1
  }
  imds_support = ""
  vpc_id = "${var.vpc_id}"
  security_group_ids = ["${var.security_group_ids}"]
  subnet_id          = "${var.subnet_id}"
  region             = "us-east-1"
}

build {
  sources = ["source.amazon-ebs.basic-example"]
  provisioner "shell" {
    inline = ["curl -s http://169.254.169.254/latest/meta-data/"]
  }
}

Operating system and Environment details

CentOS 8 container, amd64 arch

Log Fragments and crash.log files

no error

Describe of the resulting AMI:

{
    "Images": [
        {
            "Architecture": "x86_64",
            "CreationDate": "2024-03-28T16:32:49.000Z",
            "ImageId": "REDACTED",
            "ImageLocation": "REDACTED/packer-example-20240328163139",
            "ImageType": "machine",
            "Public": false,
            "OwnerId": "REDACTED",
            "PlatformDetails": "Linux/UNIX",
            "UsageOperation": "RunInstances",
            "State": "available",
            "BlockDeviceMappings": [
                {
                    "DeviceName": "/dev/xvda",
                    "Ebs": {
                        "DeleteOnTermination": true,
                        "Iops": 3000,
                        "SnapshotId": "redacted",
                        "VolumeSize": 8,
                        "VolumeType": "gp3",
                        "Throughput": 125,
                        "Encrypted": false
                    }
                }
            ],
            "EnaSupport": true,
            "Hypervisor": "xen",
            "Name": "packer-example-20240328163139",
            "RootDeviceName": "/dev/xvda",
            "RootDeviceType": "ebs",
            "SriovNetSupport": "simple",
            "VirtualizationType": "hvm",
            "BootMode": "uefi-preferred",
            "ImdsSupport": "v2.0",
            "SourceInstanceId": "REDACTED"
        }
    ]
}

lbajolet-hashicorp commented 5 months ago

Hi @sam-chen-zocdoc,

This is actually an unsupported workflow on the AWS side: if an AMI enforces IMDSv2, it cannot go back to supporting both v1 and v2.

The option we're exporting mimics what the AWS APIs allow, so either empty (default to whatever was present in the original AMI), or v2 to enforce IMDSv2 on newly created AMIs.

I'll close this issue: this is not a bug on our end, as this is not something we can't address within Packer or the AWS Plugin.

Please feel free to reopen if you think we've missed something.

Thanks!
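The rule described in the comment above (empty inherits the source AMI's setting, "v2.0" enforces IMDSv2, and an enforcing source can never be turned back into a legacy AMI) as an added example that is not part of the issue or the plugin's code; it predicts the resulting AMI's ImdsSupport from describe-images output, compares it with the AMI actually produced, and lists AMIs in the listing that still allow IMDSv1. The AMI ids and names are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-images` output;
# ids and names are placeholders, not the AMIs from the issue.
DESCRIBE_IMAGES = json.dumps({"Images": [
    {"ImageId": "ami-SOURCE0000000000", "Name": "al2023-source", "ImdsSupport": "v2.0"},
    {"ImageId": "ami-RESULT0000000000", "Name": "packer-example-result", "ImdsSupport": "v2.0"},
    {"ImageId": "ami-LEGACY0000000000", "Name": "old-centos-build"},  # ImdsSupport unset
]})


def load_images(describe_output):
    """Index describe-images JSON by ImageId."""
    return {img["ImageId"]: img for img in json.loads(describe_output)["Images"]}


def predicted_imds_support(source_image, packer_imds_support):
    """Predict the ImdsSupport of the AMI Packer will produce.

    Follows the maintainer's description: "" inherits the source AMI's value,
    "v2.0" enforces IMDSv2, and a source that already enforces IMDSv2 cannot
    be reverted to a legacy (IMDSv1-capable) AMI.
    """
    if packer_imds_support not in ("", "v2.0"):
        raise ValueError(f"unsupported imds_support value: {packer_imds_support!r}")
    if source_image.get("ImdsSupport") == "v2.0":
        return "v2.0"  # enforcement is inherited and cannot be undone
    if packer_imds_support == "v2.0":
        return "v2.0"  # explicitly enforced on the new AMI
    return source_image.get("ImdsSupport")  # None: legacy, IMDSv1 still allowed


def verify_build(images, source_id, packer_imds_support, result_id):
    """Compare the AMI Packer actually produced with the prediction."""
    expected = predicted_imds_support(images[source_id], packer_imds_support)
    actual = images[result_id].get("ImdsSupport")
    return expected == actual, expected, actual


def legacy_amis(images):
    """Audit helper: ids of AMIs in the listing that do not enforce IMDSv2."""
    return sorted(i for i, img in images.items() if img.get("ImdsSupport") != "v2.0")


if __name__ == "__main__":
    imgs = load_images(DESCRIBE_IMAGES)
    ok, exp, act = verify_build(imgs, "ami-SOURCE0000000000", "", "ami-RESULT0000000000")
    print(f"result matches prediction: {ok} (expected {exp}, got {act})")
    print("AMIs still allowing IMDSv1:", legacy_amis(imgs))
```

Run against real `aws ec2 describe-images --owners self` output, `legacy_amis` gives the set of account AMIs worth rebuilding with imds_support = "v2.0".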