Packer + Terraform + EC2 Windows Server：无法使 winrm remote-exec provisioner 工作



我正在尝试用 Packer 创建一个 AMI，并用 Terraform 将它部署到 EC2 上，但我无法让 Terraform 的 remote-exec provisioner 使用自动生成的 Administrator 密码工作，而使用固定密码时它是可以工作的。

Packer 文件

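# Packer template: builds a Windows Server 2016 AMI that is reachable over
# WinRM/HTTPS. winrm_password is left unset so the amazon-ebs builder fetches
# the Administrator password that EC2 generates for the build instance.
packer {
  required_plugins {
    amazon = {
      version = ">= 0.0.1"
      source  = "github.com/hashicorp/amazon"
    }
  }
}

# Name of the AMI to create.
variable "image_name" {
  type = string
}

# Fixed Administrator password; only referenced by the commented-out lines
# below. Marked sensitive so Packer does not print it.
variable "password" {
  type      = string
  sensitive = true
}

source "amazon-ebs" "windows" {
  ami_name      = var.image_name
  communicator  = "winrm"
  instance_type = "t2.micro"
  # The listener uses the self-signed certificate created in user_data, so
  # certificate validation has to be skipped for the build connection.
  winrm_insecure = true
  #winrm_password = var.password
  winrm_port     = 5986
  winrm_use_ssl  = true
  winrm_username = "Administrator"

  source_ami_filter {
    filters = {
      #name                = "Windows_Server-2019*English-Full-Base*"
      name                = "Windows_Server-2016-English-Full-Base-*"
      root-device-type    = "ebs"
      virtualization-type = "hvm"
    }
    most_recent = true
    owners      = ["amazon"]
  }

  # Runs on first boot of the build instance and sets up the WinRM HTTPS
  # listener Packer connects to. HCL still interpolates ${...} inside this
  # heredoc on lines that PowerShell treats as comments, so var.password must
  # stay declared as long as the "net user" line is present.
  user_data = <<EOUD
<powershell>
# Set administrator password
#net user Administrator ${var.password}
#wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE
# Machine-wide and persists into the AMI; setup.ps1 sets its own process-scoped policy.
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"
# Remove HTTP listener (path separators restored; the posted listing had them stripped)
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
# Create a self-signed certificate to let ssl work
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
# WinRM
# NOTE(review): if quickconfig re-creates an HTTP listener, the AllowUnencrypted/Basic
# settings below would accept plaintext credentials on 5985 - verify with
# "winrm enumerate winrm/config/listener" that only the HTTPS listener exists.
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
# AllowUnencrypted and CredSSP are not needed for Packer's Basic-over-HTTPS
# connection; they stay in the image, so consider dropping them.
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
# "netsh firewall" is the deprecated pre-advfirewall context; use the current syntax.
cmd.exe /c netsh advfirewall firewall add rule name="WinRM HTTPS" dir=in action=allow protocol=TCP localport=5986
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm
</powershell>
EOUD
}

build {
  name    = "build-win"
  sources = ["source.amazon-ebs.windows"]

  # "C:\\": a single backslash before the closing quote escapes the quote and
  # leaves the HCL string unterminated.
  provisioner "file" {
    destination = "C:\\"
    source      = "./data"
  }

  provisioner "powershell" {
    script  = "./setup.ps1"
    timeout = "10m"
  }

  # Re-arms EC2Launch and generalizes the image. Backslashes are doubled
  # because "\P", "\A", "\E" etc. are invalid escape sequences in HCL strings.
  # NOTE(review): presumably InitializeInstance -Schedule is what makes the
  # instance launched from this AMI get a fresh random Administrator password
  # (EC2Launch default); confirm against the image's LaunchConfig.json.
  provisioner "powershell" {
    inline = [
      "C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Scripts\\InitializeInstance.ps1 -Schedule",
      "C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Scripts\\SysprepInstance.ps1 -NoShutdown"
    ]
  }

  post-processor "manifest" {
    output     = "manifest.json"
    strip_path = true
  }
}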

Setup.ps1

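# setup.ps1 - run by the Packer "powershell" provisioner over WinRM.
# Any failure exits non-zero so the Packer build fails instead of producing a
# half-configured AMI.

# Set-ItemProperty and friends raise non-terminating errors by default, which
# would bypass the catch block below; make every error terminating.
$ErrorActionPreference = "Stop"

# Native executables (reg, choco) do not throw; turn a non-zero exit code into
# a terminating error so the catch block sees it.
function Assert-ExitCode {
    param([string]$Step)
    if ($LASTEXITCODE -ne 0) {
        throw "$Step failed with exit code $LASTEXITCODE"
    }
}

try {
    # Set display file extension
    # Path separators restored; the posted listing had the backslashes stripped.
    # NOTE(review): HKCU is the build-time Administrator's hive, so this only
    # affects that profile - confirm it is what you want after sysprep.
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0 /f
    Assert-ExitCode "reg add HideFileExt"

    # Enable multiple Remote Desktop connections
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fdenyTSConnections" -Value 0
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fSingleSessionPerUser" -Value 0

    # Install chocolatey
    # 3072 is SecurityProtocolType.Tls12; the download endpoint requires TLS 1.2.
    # NOTE(review): this executes a script fetched from the network at build
    # time; pin/verify it if the image must be reproducible and supply-chain safe.
    Set-ExecutionPolicy Bypass -Scope Process -Force
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
    Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

    # Set non interactive chocolatey
    choco feature enable -n allowGlobalConfirmation
    Assert-ExitCode "choco feature enable"
}
catch {
    # Report the cause in the Packer log before failing the build. Continue is
    # needed here: with $ErrorActionPreference = Stop, Write-Error would itself
    # throw and skip the Exit.
    Write-Error -Message "setup.ps1 failed: $_" -ErrorAction Continue
    Exit 1
}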

Packer 工作正常：WinRM 使用生成的密码成功连接。

Terraform 文件

# Launches the Windows instance from the Packer-built AMI and runs the
# remote-exec provisioner over WinRM/HTTPS, authenticating with the
# Administrator password that EC2 generated for this instance.
resource "aws_instance" "it" {
ami                    = var.ami
# Exposes the encrypted Administrator password as self.password_data. The
# encrypted blob is stored in the Terraform state; anything derived from it
# with rsadecrypt() in another resource is stored there in plaintext.
get_password_data      = true
instance_type          = "t3.micro"
# Key pair EC2 uses to encrypt the generated password; it must be the public
# half of the private key passed to rsadecrypt() below.
key_name               = "my_key"
subnet_id              = var.subnet_id
# NOTE(review): these groups must allow inbound TCP 5986 from the host running
# Terraform - confirm, since this is not visible here.
vpc_security_group_ids = var.security_groups
connection {
agent    = false
# The AMI's listener uses the self-signed "packer" certificate baked in at
# build time, so certificate validation is disabled for this connection.
insecure = true
host     = self.public_ip
https    = true
#password = var.password
# Decrypts the EC2-generated password with the key pair's private key.
password = rsadecrypt(self.password_data, file("my_key/id_rsa"))
port     = 5986
type     = "winrm"
user     = "Administrator"
}
provisioner "remote-exec" {
inline     = var.inline
# Lets the apply succeed even when WinRM never connects. This hides the
# provisioner's error; remove it once the connection works.
on_failure = continue
}
}
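# Debug aid: writes the decrypted Administrator password to disk so it can be
# checked against an RDP login. The plaintext also ends up in the Terraform
# state (content is a stored attribute); delete this resource once the WinRM
# connection problem is solved.
resource "local_file" "foo" {
  content  = rsadecrypt(aws_instance.it.password_data, file("my_key/id_rsa"))
  filename = "${path.module}/foo.bar"
  # The provider's default file mode is world-readable; restrict it to the
  # owner so the password is not exposed to other local users.
  file_permission = "0600"
}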

……但是 remote-exec 无法连接！

请注意，我必须添加 `on_failure = continue` 才能在 remote-exec 出错的情况下仍然创建实例；并且通过 `resource "local_file" "foo"`，我验证了所获得的 Administrator 密码是正确的（我可以用它通过远程桌面连接到该实例）。

如果我取消注释那些使用固定密码的行……一切都正常！

更具体地说，以下是我为使用固定密码而取消注释的行。

Packer 文件

...
source "amazon-ebs" "windows" {
...
#winrm_password = var.password
...
user_data = <<EOUD
<powershell>
...
#net user Administrator ${var.password}
#wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE
...
</powershell>
EOUD
}
...

Terraform 文件

resource "aws_instance" "it" {
...
connection {
...
#password = var.password
...
}
...
}

你能看出我在使用自动生成的 Administrator 密码时代码中有什么错误吗？

谢谢!

@MattSchuchard 的建议有助于构建镜像，但在那之后实例 user_data 中的 `<powershell>..</powershell>` 脚本不再工作。我使用的是 filename="cloud-config.txt"、contentType="text/cloud-config"。

最新更新