packer-plugin-amazon
                                
                            
                            
                            
                        AWS SSM: Native support for SSM session similar to Ansible Provisioner
This issue was originally opened by @shanmugakarna in https://github.com/hashicorp/packer/issues/11714 and has been migrated to this repository. The original issue description is below.
Description
Ansible supports the aws_ssm connection type natively, without port-forwarding a tunnel and connecting to it via SSH. But Packer still needs WinRM to check initial connectivity before starting provisioners.
The below example talks about WinRM, though this would be true for SSH as well.
ansible_connection: aws_ssm
ansible_shell_type: powershell
ansible_aws_ssm_bucket_name: demo-ansible-ssm-bucket
ansible_aws_ssm_region: us-east-1
Use Case(s)
Though Ansible doesn't need WinRM to be enabled when using ansible_connection: aws_ssm, we still need to enable WinRM just because Packer expects to check the WinRM connection before triggering provisioners.
Potential configuration
If Packer itself tested the connectivity to the instance via aws ssm start-session --target "i-**************", it would completely remove the need to enable WinRM on AWS EC2 AMIs.
Potential References
https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html
https://docs.ansible.com/ansible/latest/collections/community/aws/aws_ssm_connection.html
I've actually got this working via ssh_interface= "session_manager" and can provide the deets. Been using it for a bunch of smaller builds without issue I think.
I think this issue can be closed as the documentation says ssh_interface works for WinRM as well.
https://www.packer.io/plugins/builders/amazon/ebs#ssh_interface
I have a need for this as well, but for different reasons. Right now, SSM is used to create a tunnel to port 22, and a keypair (or SSH agent) is used to SSH over that tunnel.
I operate in a keypair-less environment, and using SSH over SSM, Packer creates a dynamic keypair (I'm unable to go the SSH agent route). Native SSM allows for a connection to be made to the host that's similar to SSH and does not require a keypair.
If Packer could use this flow directly vs using SSH, it would simplify connectivity and obviate the need for SSH keys.
I think this issue can be closed as the documentation says ssh_interface works for WinRM as well. https://www.packer.io/plugins/builders/amazon/ebs#ssh_interface
@shanmugakarna where do you see that? I see that it does not work for WinRM
Session manager connectivity is currently only implemented for the SSH communicator, not the WinRM communicator.
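
The SSH-over-Session-Manager setup discussed in the comments above, as an added example that is not part of the original thread or the plugin's own documentation. The AMI ID, security group ID, instance profile name and source name are placeholders or hypothetical; the instance profile is assumed to grant the AmazonSSMManagedInstanceCore permissions, and the Session Manager plugin is assumed to be installed on the machine running Packer.

```hcl
# Added example: amazon-ebs build that reaches the instance through an
# SSM Session Manager tunnel instead of a directly exposed SSH port.
source "amazon-ebs" "ssm_example" {
  region        = "us-east-1"
  instance_type = "t3.micro"
  ami_name      = "ssm-example-${formatdate("YYYYMMDDhhmmss", timestamp())}"

  # Placeholder AMI ID; the image must ship with the SSM agent running.
  source_ami = "ami-0123456789abcdef0"

  # Session Manager is only implemented for the SSH communicator, so a
  # WinRM build cannot use this interface.
  communicator  = "ssh"
  ssh_username  = "ec2-user"
  ssh_interface = "session_manager"

  # Hypothetical instance profile name. Without SSM permissions the agent
  # never registers and Packer times out waiting for the tunnel.
  iam_instance_profile = "packer-ssm-instance-profile"

  # Placeholder security group with no inbound rules: the tunnel is opened
  # outbound by the SSM agent, so port 22 does not need to be reachable.
  # The subnet still needs a route to the SSM endpoints (NAT or VPC endpoints).
  security_group_id           = "sg-0123456789abcdef0"
  associate_public_ip_address = false

  # Packer still generates a temporary key pair and authenticates with SSH
  # over the tunnel; this is the key pair dependency the feature request
  # asks to remove.
}

build {
  sources = ["source.amazon-ebs.ssm_example"]
}
```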