hashicorp / packer-plugin-amazon

Packer plugin for Amazon AMI Builder
https://www.packer.io/docs/builders/amazon
Mozilla Public License 2.0

External ID variable not passed correctly in `assume_role` block of `amazon-ebs` source #512

Open cdelgehier opened 1 month ago

cdelgehier commented 1 month ago

Overview of the Issue

When using Packer to build an AMI with the `amazon-ebs` builder, I encounter an issue with the `external_id` field in the `assume_role` block. Specifically, setting `external_id` as a variable (`external_id = var.external_id`) does not correctly populate the field. During the build process, the output shows an empty `ExternalId`:

```
Attempting to AssumeRole arn:aws:iam::xxxxx:role/packer (SessionName: "packer", ExternalId: "")
```

However, if I hardcode the `external_id` value directly into the `assume_role` block, the role assumption works as expected.

Reproduction Steps

  1. Define a variable `external_id` in the Packer variables file (`variables.pkr.hcl` or directly on the command line).
  2. Use the following Packer build configuration:

```hcl
variable "external_id" {
  type      = string
  sensitive = true
  default   = "abcDEF1122"
}

packer {
  required_plugins {
    amazon = {
      version = ">= 1.3.3"
      source  = "github.com/hashicorp/amazon"
    }
  }
}

# The remaining var.* values (source_ami, ami_name, aws_region, ...) come from
# the variables file passed with -var-file and are not shown here.
source "amazon-ebs" "amilinux" {
  source_ami      = var.source_ami
  ami_name        = var.ami_name
  ami_description = var.ami_description

  instance_type = "t3.small"

  associate_public_ip_address = false
  region                      = var.aws_region

  shutdown_behavior = "terminate"
  ssh_username      = var.ssh_username
  ssh_interface     = var.ssh_interface

  assume_role {
    role_arn     = "arn:aws:iam::${var.aws_account_id}:role/packer"
    session_name = "packer"
    external_id  = var.external_id
  }

  force_delete_snapshot = true

  vpc_id    = var.vpc_id
  subnet_id = var.subnet_id
}
```


### Plugin and Packer version

```
$> packer version
Packer v1.11.2
```


### Operating system and Environment details

Docker image

hashicorp/packer:light-1.11.2



### Log Fragments and crash.log files

<details>
 <summary>Logs</summary>
$> PACKER_LOG=1 packer build -var-file=variables.json .

2024/10/08 12:55:17 [INFO] Packer version: 1.11.2 [go1.21.12 linux amd64]
2024/10/08 12:55:17 [INFO] PACKER_CONFIG env var not set; checking the default config file path
2024/10/08 12:55:17 [INFO] PACKER_CONFIG env var set; attempting to open config file: /root/.packerconfig

2024/10/08 12:55:17 [WARN] Config file doesn't exist: /root/.packerconfig

2024/10/08 12:55:17 [INFO] Setting cache directory: /root/.cache/packer

2024/10/08 12:55:17 [TRACE] listing potential installations for "github.com/hashicorp/amazon" that match ">= 1.3.3". plugingetter.ListInstallationsOptions{PluginDirectory:"/root/.config/packer/plugins", BinaryInstallationOptions:plugingetter.BinaryInstallationOptions{APIVersionMajor:"5", APIVersionMinor:"0", OS:"linux", ARCH:"amd64", Ext:"", Checksummers:[]plugingetter.Checksummer{plugingetter.Checksummer{Type:"sha256", Hash:(*sha256.digest)(0xc000146c80)}}, ReleasesOnly:false}}

2024/10/08 12:55:17 [TRACE] Found the following "github.com/hashicorp/amazon" installations: [{/root/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.3.3_x5.0_linux_amd64 v1.3.3 x5.0}]

2024/10/08 12:55:17 [INFO] found external [chroot ebs ebssurrogate ebsvolume instance] builders from amazon plugin

2024/10/08 12:55:17 [INFO] found external [import] post-processors from amazon plugin

2024/10/08 12:55:17 found external [ami parameterstore secretsmanager] datasource from amazon plugin

2024/10/08 12:55:17 [TRACE] listing potential installations for  that match "". plugingetter.ListInstallationsOptions{PluginDirectory:"/root/.config/packer/plugins", BinaryInstallationOptions:plugingetter.BinaryInstallationOptions{APIVersionMajor:"5", APIVersionMinor:"0", OS:"linux", ARCH:"amd64", Ext:"", Checksummers:[]plugingetter.Checksummer{plugingetter.Checksummer{Type:"sha256", Hash:(*sha256.digest)(0xc000146d80)}}, ReleasesOnly:false}}

2024/10/08 12:55:18 [INFO] found external [chroot ebs ebssurrogate ebsvolume instance] builders from amazon plugin

2024/10/08 12:55:18 [INFO] found external [import] post-processors from amazon plugin

2024/10/08 12:55:18 found external [ami parameterstore secretsmanager] datasource from amazon plugin

2024/10/08 12:55:18 [TRACE] validateValue: not active for aws_region, so skipping

2024/10/08 12:55:18 [INFO] Starting external plugin /root/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.3.3_x5.0_linux_amd64 start builder ebs

2024/10/08 12:55:18 Starting plugin: /root/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.3.3_x5.0_linux_amd64 []string{"/root/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.3.3_x5.0_linux_amd64", "start", "builder", "ebs"}

2024/10/08 12:55:18 Waiting for RPC address for: /root/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.3.3_x5.0_linux_amd64

2024/10/08 12:55:18 packer-plugin-amazon_v1.3.3_x5.0_linux_amd64 plugin: 2024/10/08 12:55:18 Plugin address: unix /tmp/packer-plugin1961548342

2024/10/08 12:55:18 packer-plugin-amazon_v1.3.3_x5.0_linux_amd64 plugin: 2024/10/08 12:55:18 Waiting for connection...

2024/10/08 12:55:18 Received unix RPC address for /root/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.3.3_x5.0_linux_amd64: addr is /tmp/packer-plugin1961548342

2024/10/08 12:55:18 packer-plugin-amazon_v1.3.3_x5.0_linux_amd64 plugin: 2024/10/08 12:55:18 Serving a plugin connection...

2024/10/08 12:55:18 packer-plugin-amazon_v1.3.3_x5.0_linux_amd64 plugin: 2024/10/08 12:55:18 [TRACE] starting builder ebs

2024/10/08 12:55:18 packer-plugin-amazon_v1.3.3_x5.0_linux_amd64 plugin: 2024/10/08 12:55:18 [INFO] (aws): No AWS timeout and polling overrides have been set. Packer will default to waiter-specific delays and timeouts. If you would like to customize the length of time between retries and max number of retries you may do so by setting the environment variables AWS_POLL_DELAY_SECONDS and AWS_MAX_ATTEMPTS or the configuration options aws_polling_delay_seconds and aws_polling_max_attempts to your desired values.

2024/10/08 12:55:18 [INFO] Starting internal plugin packer-provisioner-shell

2024/10/08 12:55:18 Starting plugin: /bin/packer []string{"/bin/packer", "execute", "packer-provisioner-shell"}

2024/10/08 12:55:18 Waiting for RPC address for: /bin/packer

2024/10/08 12:55:18 packer-provisioner-shell plugin: [INFO] Packer version: 1.11.2 [go1.21.12 linux amd64]

2024/10/08 12:55:18 packer-provisioner-shell plugin: [INFO] PACKER_CONFIG env var not set; checking the default config file path

2024/10/08 12:55:18 packer-provisioner-shell plugin: [INFO] PACKER_CONFIG env var set; attempting to open config file: /root/.packerconfig

2024/10/08 12:55:18 packer-provisioner-shell plugin: [WARN] Config file doesn't exist: /root/.packerconfig

2024/10/08 12:55:18 packer-provisioner-shell plugin: [INFO] Setting cache directory: /root/.cache/packer

2024/10/08 12:55:18 packer-provisioner-shell plugin: args: []string{"packer-provisioner-shell"}

2024/10/08 12:55:18 packer-provisioner-shell plugin: Plugin address: unix /tmp/packer-plugin2488476714

2024/10/08 12:55:18 Received unix RPC address for /bin/packer: addr is /tmp/packer-plugin2488476714

2024/10/08 12:55:18 packer-provisioner-shell plugin: Waiting for connection...

2024/10/08 12:55:18 packer-provisioner-shell plugin: Serving a plugin connection...

2024/10/08 12:55:18 Build debug mode: false

2024/10/08 12:55:18 Force build: false

2024/10/08 12:55:18 On error: 

2024/10/08 12:55:18 Waiting on builds to complete...

2024/10/08 12:55:18 Starting build run: amazon-ebs.amilinux

2024/10/08 12:55:18 Running builder: amazon-ebs

2024/10/08 12:55:18 [INFO] (telemetry) Starting builder amazon-ebs.amilinux

amazon-ebs.amilinux: output will be in this color.

2024/10/08 12:55:18 packer-plugin-amazon_v1.3.3_x5.0_linux_amd64 plugin: 2024/10/08 12:55:18 [INFO] Attempting to use session-derived credentials

2024/10/08 12:55:18 packer-plugin-amazon_v1.3.3_x5.0_linux_amd64 plugin: 2024/10/08 12:55:18 [INFO] Successfully derived credentials from session

2024/10/08 12:55:18 packer-plugin-amazon_v1.3.3_x5.0_linux_amd64 plugin: 2024/10/08 12:55:18 [INFO] AWS Auth provider used: "EC2RoleProvider"

2024/10/08 12:55:18 packer-plugin-amazon_v1.3.3_x5.0_linux_amd64 plugin: 2024/10/08 12:55:18 [INFO] Attempting to AssumeRole arn:aws:iam::1234556:role/packer (SessionName: "packer", ExternalId: "")

2024/10/08 12:55:19 [INFO] (telemetry) ending amazon-ebs.amilinux

There are a number of possible causes of this - the most common are:

  * The credentials used in order to assume the role are invalid

  * The credentials do not have appropriate permission to assume the role

  * The role ARN is not valid

Error: NoCredentialProviders: no valid providers in chain. Deprecated.

For verbose messaging see aws.Config.CredentialsChainVerboseErrors

==> Wait completed after 487 milliseconds 114 microseconds

2024/10/08 12:55:19 machine readable: error-count []string{"1"}

==> Some builds didn't complete successfully and had errors:

2024/10/08 12:55:19 machine readable: amazon-ebs.amilinux,error []string{"IAM Role (arn:aws:iam::1234556:role/packer) cannot be assumed.\n\nThere are a number of possible causes of this - the most common are:\n  * The credentials used in order to assume the role are invalid\n  * The credentials do not have appropriate permission to assume the role\n  * The role ARN is not valid\n\nError: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors\n"}

There are a number of possible causes of this - the most common are:

  * The credentials used in order to assume the role are invalid

  * The credentials do not have appropriate permission to assume the role

  * The role ARN is not valid

Error: NoCredentialProviders: no valid providers in chain. Deprecated.

For verbose messaging see aws.Config.CredentialsChainVerboseErrors

==> Builds finished but no artifacts were created.

Build 'amazon-ebs.amilinux' errored after 487 milliseconds 51 microseconds: IAM Role (arn:aws:iam::1234556:role/packer) cannot be assumed.

2024/10/08 12:55:19 [INFO] (telemetry) Finalizing.

There are a number of possible causes of this - the most common are:

  * The credentials used in order to assume the role are invalid

  * The credentials do not have appropriate permission to assume the role

  * The role ARN is not valid

Error: NoCredentialProviders: no valid providers in chain. Deprecated.

For verbose messaging see aws.Config.CredentialsChainVerboseErrors

==> Wait completed after 487 milliseconds 114 microseconds

==> Some builds didn't complete successfully and had errors:

--> amazon-ebs.amilinux: IAM Role (arn:aws:iam::1234556:role/packer) cannot be assumed.

There are a number of possible causes of this - the most common are:

  * The credentials used in order to assume the role are invalid

  * The credentials do not have appropriate permission to assume the role

  * The role ARN is not valid

Error: NoCredentialProviders: no valid providers in chain. Deprecated.

For verbose messaging see aws.Config.CredentialsChainVerboseErrors

==> Builds finished but no artifacts were created.

2024/10/08 12:55:19 waiting for all plugin processes to complete...

2024/10/08 12:55:19 /bin/packer: plugin process exited

2024/10/08 12:55:19 /root/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.3.3_x5.0_linux_amd64: plugin process exited

</details>
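A defender-side pre-check, added here and not part of the plugin or the reporter's configuration: it parses the `Attempting to AssumeRole` line from `PACKER_LOG=1` output and compares the logged `ExternalId` with the role's trust policy, so an empty external ID is reported as such instead of surfacing only as the generic `NoCredentialProviders` error. The sample log line and the trust policy are constructed for the example; the `sts:ExternalId` condition in that policy is assumed, not taken from the issue.

```python
import re
# Constructed sample: a PACKER_LOG=1 line in the format the report shows, with
# the empty ExternalId that is the symptom of the bug.
SAMPLE_LOG = (
    '2024/10/08 12:55:18 packer-plugin-amazon_v1.3.3_x5.0_linux_amd64 plugin: 2024/10/08 12:55:18 '
    '[INFO] Attempting to AssumeRole arn:aws:iam::1234556:role/packer (SessionName: "packer", ExternalId: "")'
)

# Constructed trust policy for the packer role (assumed, not from the issue); the
# sts:ExternalId condition is the confused-deputy guard that STS enforces.
TRUST_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::1234556:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "abcDEF1122"}},
    }],
}

ASSUME_RE = re.compile(
    r'Attempting to AssumeRole (?P<arn>arn:aws:iam::\d+:role/[\w+=,.@/-]+) '
    r'\(SessionName: "(?P<session>[^"]*)", ExternalId: "(?P<ext>[^"]*)"\)'
)

def parse_assume_role_line(line):
    """Return (role_arn, session_name, external_id), or None for other log lines."""
    m = ASSUME_RE.search(line)
    return (m["arn"], m["session"], m["ext"]) if m else None

def required_external_ids(policy):
    """sts:ExternalId values that the Allow statements' StringEquals conditions demand."""
    ids = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow":
            cond = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", [])
            ids.update([cond] if isinstance(cond, str) else cond)
    return ids

def check_assume_role(line, policy):
    """Say, before STS does, whether the logged attempt can satisfy the trust policy."""
    parsed = parse_assume_role_line(line)
    if parsed is None:
        return "no AssumeRole attempt found in line"
    arn, _session, ext = parsed
    required = required_external_ids(policy)
    if required and not ext:
        return f"{arn}: ExternalId is empty but the trust policy requires one"
    if required and ext not in required:
        return f"{arn}: ExternalId does not match the trust policy"
    return f"{arn}: ExternalId satisfies the trust policy"
```

Run it over the full build log, one line at a time, as a CI gate: a build whose AssumeRole line reports an empty ExternalId is misconfigured regardless of what STS answers.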
cdelgehier commented 1 month ago

Finally I do a sed of a placeholder in the manifest to set my secret... I don't understand why it doesn't get the variable :(