From e515aefee348d619233c192bfccc8822e8527172 Mon Sep 17 00:00:00 2001
From: Wilken Rivera
Date: Thu, 16 Apr 2020 14:48:17 -0400
Subject: [PATCH] Add validation checks for session_manager

* Session manager connectivity only supported via SSH
* Session manager requires the use of an iam instance profile with system manager permissions
---
 builder/amazon/common/run_config.go | 20 ++++++++++++++++++-
 builder/amazon/ebs/builder.go | 4 ++--
 .../amazon/common/RunConfig-not-required.mdx | 2 +-
 3 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/builder/amazon/common/run_config.go b/builder/amazon/common/run_config.go
index b0c8fef8f..d45b78618 100644
--- a/builder/amazon/common/run_config.go
+++ b/builder/amazon/common/run_config.go
@@ -400,7 +400,7 @@ type RunConfig struct {
 // variable.
 //
 // When using `session_manager` the machine running Packer must have
- // the AWS Session Manager Plugin installed and within its path.
+ // the AWS Session Manager Plugin installed and within the users' or system path.
 // https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
 SSHInterface string `mapstructure:"ssh_interface"`
 }
@@ -450,6 +450,20 @@ func (c *RunConfig) Prepare(ctx *interpolate.Context) []error {
 errs = append(errs, fmt.Errorf("Unknown interface type: %s", c.SSHInterface))
 }
 
+ // Connectivity via Session Manager has a few requirements
+ if c.SSHInterface == "session_manager" {
+ if c.Comm.Type == "winrm" {
+ msg := fmt.Errorf(`connectivity via %q is not currently supported with the %q communicator; please use "ssh"`, c.SSHInterface, c.Comm.Type)
+ errs = append(errs, msg)
+ }
+
+ // TODO (nywilken) add support for temporary iam instance policy generation
+ if c.IamInstanceProfile == "" {
+ msg := fmt.Errorf(`no iam_instance_profile defined; when using %q a valid instance profile with SSM managed instance permissions is required`, c.SSHInterface)
+ errs = append(errs, msg)
+ }
+ }
+
 if c.Comm.SSHKeyPairName != "" {
 if c.Comm.Type == "winrm" && c.Comm.WinRMPassword == "" && c.Comm.SSHPrivateKeyFile == "" {
 errs = append(errs, fmt.Errorf("ssh_private_key_file must be provided to retrieve the winrm password when using ssh_keypair_name."))
@@ -539,3 +553,7 @@ func (c *RunConfig) Prepare(ctx *interpolate.Context) []error {
 func (c *RunConfig) IsSpotInstance() bool {
 return c.SpotPrice != "" && c.SpotPrice != "0"
 }
+
+func (c *RunConfig) SSMAgentEnabled() bool {
+ return c.SSHInterface == "session_manager" && c.IamInstanceProfile != ""
+}
diff --git a/builder/amazon/ebs/builder.go b/builder/amazon/ebs/builder.go
index b8aafd4c8..f7289f2a6 100644
--- a/builder/amazon/ebs/builder.go
+++ b/builder/amazon/ebs/builder.go
@@ -239,7 +239,7 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 SecurityGroupIds: b.config.SecurityGroupIds,
 CommConfig: &b.config.RunConfig.Comm,
 TemporarySGSourceCidrs: b.config.TemporarySGSourceCidrs,
- SkipSSHRuleCreation: b.config.SSHInterface == "session_manager",
+ SkipSSHRuleCreation: b.config.SSMAgentEnabled(),
 },
 &awscommon.StepIamInstanceProfile{
 IamInstanceProfile: b.config.IamInstanceProfile,
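Review bot: The new `c.IamInstanceProfile == ""` check only proves that a profile name was supplied, while the error it emits promises "a valid instance profile with SSM managed instance permissions"; nothing in this block verifies that the profile exists or carries the SSM managed-instance permissions, so a typo or an under-privileged profile will still fail later, presumably in StepCreateSSMTunnel rather than at validation time. That gap is worth stating above the check, e.g. `// Presence only: the profile's SSM permissions are not verified here; an under-privileged profile fails later when the tunnel is opened.` The same block could also fail fast on the host-side prerequisite the field's doc comment describes, the Session Manager plugin being on PATH, with `if _, err := exec.LookPath("session-manager-plugin"); err != nil { errs = append(errs, fmt.Errorf("ssh_interface %q requires the AWS Session Manager Plugin on PATH: %s", c.SSHInterface, err)) }` (binary name per the AWS install page linked in the field comment; needs `os/exec` imported), although if `Prepare` also runs under `packer validate` on a machine that will not perform the build, that check may belong in the tunnel step instead. Prepare's body begins and continues outside this hunk.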
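Review bot: `SSMAgentEnabled` is exported with no doc comment, and its second conjunct re-checks a condition that `Prepare` already turns into an error, which makes the helper ambiguous for the builder.go callers in this commit: if the TODO in the hunk above (generating a temporary instance profile) ever lands, `IamInstanceProfile` would be empty here, the helper would quietly return false, and `SkipSSHRuleCreation` would become false, so the build would presumably open an inbound SSH rule on the temporary security group instead of tunnelling. Either drop the profile clause (`return c.SSHInterface == "session_manager"`) so the decision follows `ssh_interface` alone and `Prepare` remains the single place that enforces the profile, or document the coupling: `// SSMAgentEnabled reports whether the build tunnels through Session Manager instead of opening an SSH ingress rule; it also requires iam_instance_profile, which Prepare already enforces for this interface.` The name is also slightly misleading, since nothing here can know whether the SSM agent is running on the instance; something like `useSessionManager` describes what is actually decided.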
@@ -259,7 +259,7 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 &awscommon.StepCreateSSMTunnel{
 AWSSession: session,
 DstPort: b.config.Comm.Port(),
- SSMAgentEnabled: b.config.SSHInterface == "session_manager",
+ SSMAgentEnabled: b.config.SSMAgentEnabled(),
 },
 &communicator.StepConnect{
 // StepConnect is provided settings for WinRM and SSH, but
diff --git a/website/pages/partials/builder/amazon/common/RunConfig-not-required.mdx b/website/pages/partials/builder/amazon/common/RunConfig-not-required.mdx
index ab59a4360..383d98c06 100644
--- a/website/pages/partials/builder/amazon/common/RunConfig-not-required.mdx
+++ b/website/pages/partials/builder/amazon/common/RunConfig-not-required.mdx
@@ -311,6 +311,6 @@ variable.
 When using `session_manager` the machine running Packer must have
-the AWS Session Manager Plugin installed and within its path.
+the AWS Session Manager Plugin installed and within the users' or system path.
 https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
\ No newline at end of file