我试图在EC2上使用Packer创建AMI和Terraform来部署它,但我不能使Terraformremote-exec
提供程序与自动生成的管理员密码一起工作,而它使用固定密码。
封隔器文件
packer {
required_plugins {
amazon = {
version = ">= 0.0.1"
source = "github.com/hashicorp/amazon"
}
}
}
variable "image_name" {
type = string
}
variable "password" {
type = string
}
source "amazon-ebs" "windows" {
ami_name = var.image_name
communicator = "winrm"
instance_type = "t2.micro"
winrm_insecure = true
#winrm_password = var.password
winrm_port = 5986
winrm_use_ssl = true
winrm_username = "Administrator"
source_ami_filter {
filters = {
#name = "Windows_Server-2019*English-Full-Base*"
name = "Windows_Server-2016-English-Full-Base-*"
root-device-type = "ebs"
virtualization-type = "hvm"
}
most_recent = true
owners = ["amazon"]
}
user_data = <<EOUD
<powershell>
# Set administrator password
#net user Administrator ${var.password}
#wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"
# Remove HTTP listener
Remove-Item -Path WSMan:Localhostlistenerlistener* -Recurse
# Create a self-signed certificate to let ssl work
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:LocalMachineMy -DnsName "packer"
New-Item -Path WSMan:LocalHostListener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
# WinRM
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm
</powershell>
EOUD
}
build {
name = "build-win"
sources = ["source.amazon-ebs.windows"]
provisioner "file" {
destination = "C:\"
source = "./data"
}
provisioner "powershell" {
script = "./setup.ps1"
timeout = "10m"
}
provisioner "powershell" {
inline = [
"C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule",
"C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\SysprepInstance.ps1 -NoShutdown"
]
}
post-processor "manifest" {
output = "manifest.json"
strip_path = true
}
}
Setup.ps1
try {
# Set display file extension
reg add HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced /v HideFileExt /t REG_DWORD /d 0 /f
# Enable multiple Remote Desktop connections
Set-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetControlTerminal Server" -Name "fdenyTSConnections" -Value 0
Set-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetControlTerminal Server" -Name "fSingleSessionPerUser" -Value 0
# Install chocolatey
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
# Set non interactive chocolatey
choco feature enable -n allowGlobalConfirmation
}
catch {
Exit 1
}
Packer工作正常:winrm
使用生成的密码连接。
起程拓殖文件
resource "aws_instance" "it" {
ami = var.ami
get_password_data = true
instance_type = "t3.micro"
key_name = "my_key"
subnet_id = var.subnet_id
vpc_security_group_ids = var.security_groups
connection {
agent = false
insecure = true
host = self.public_ip
https = true
#password = var.password
password = rsadecrypt(self.password_data, file("my_key/id_rsa"))
port = 5986
type = "winrm"
user = "Administrator"
}
provisioner "remote-exec" {
inline = var.inline
on_failure = continue
}
}
resource "local_file" "foo" {
content = rsadecrypt(aws_instance.it.password_data, file("my_key/id_rsa"))
filename = "${path.module}/foo.bar"
}
…但是remote-exec
不连接!(
请注意,我必须添加on_failure = continue
来创建实例,而不管remote-exec
错误,并且通过resource "local_file" "foo"
,我验证我获得的管理员密码是正确的!(我可以使用它通过远程桌面连接到实例)。
如果我取消注释行用一个固定的密码……一切都很完美!(
更具体地说,这些行是我取消注释以使用固定密码的行。
封隔器文件
...
source "amazon-ebs" "windows" {
...
#winrm_password = var.password
...
user_data = <<EOUD
<powershell>
...
#net user Administrator ${var.password}
#wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE
...
</powershell>
EOUD
}
...
起程拓殖文件
resource "aws_instance" "it" {
...
connection {
...
#password = var.password
...
}
...
}
你能看到一些错误在我的代码中使用自动生成的管理员密码?
谢谢!
@MattSchuchard的建议有助于构建一个图像,但实例。user_data<powershell>..</powershell>
脚本在此之后不工作。我使用filename="cloud-config.txt"contentType ="文本/cloud-config"