
'temporary_security_group_source_cidrs' not working

Open steffakasid opened this issue 1 year ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Overview of the Issue

I am trying to secure my Packer build by setting temporary_security_group_source_cidrs but can't get it working.

Reproduction Steps

I use the packer template below.

And I have the following user configuration:

{
  "kms_key_id": "alias/xxxx",
  "subnet_id": "subnet-xxxx",
  "psp_element": "xxxx",
  "app_name": "amazon-eks",
  "app_id": "12345",
  "temporary_security_group_source_cidrs": "x.x.x.0/22"
}

Packer version

From packer version v1.9.5

Simplified Packer Template

{
  "variables": {
    "source_ami": "{{env `SOURCE_AMI`}}",
    "ami_name": "{{user `app_name`}}-node-{{env `K8S_VERSION`}}-{{timestamp}}",
    "qualys_activation_id" : "{{env `QUALYS_ACTIVATION_ID`}}"
  },
  "builders": [
    {
      "type": "amazon-ebs",
      "region": "eu-central-1",
      "encrypt_boot": true,
      "kms_key_id": "{{user `kms_key_id`}}",
      "source_ami": "{{user `source_ami`}}",
      "instance_type": "t2.micro",
      "ssh_username": "ec2-user",
      "ami_name": "{{user `ami_name`}}",
      "ami_description": "EKS Kubernetes Worker AMI with AmazonLinux2 image",
      "ssh_interface": "private_ip",
      "temporary_security_group_source_cidrs": "{{user `security-group-cidrs`}}",
      "subnet_id": "{{user `subnet_id`}}",
      "shutdown_behavior": "terminate",
      "iam_instance_profile": "eks-ami-profile",
      "tags": {
        "ApplicationName": "{{user `app_name`}}",
        "ApplicationID": "{{user `app_id`}}",
        "BasedOn": "{{user `source_ami`}}",
        "CostReference": "{{user `psp_element`}}",
        "Name": "{{user `ami_name`}}",
        "Subsystem": "common"
      },
      "run_tags": {
        "ApplicationName": "{{user `app_name`}}",
        "ReferenceName": "{{user `app_name`}}",
        "ApplicationID": "{{user `app_id`}}",
        "ReferenceID": "{{user `app_id`}}",
        "CostReference": "{{user `psp_element`}}",
        "Name": "{{user `ami_name`}}-builder",
        "Subsystem": "common",
        "Environment": "DEV"
      }
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "environment_vars": [
        "QUALYS_ACTIVATION_ID={{user `qualys_activation_id`}}"
      ],
      "script": "../bash/pc-amazonlinux.sh",
      "execute_command": "sudo env {{ .Vars }} {{ .Path }}"
    },
    {
      "type": "shell",
      "script": "../bash/setvm.MaxMapCount.sh"
    }
  ],
  "post-processors": [
    {
      "type": "manifest"
    }
  ]
}

Operating system and Environment details


Log Fragments and crash.log files

amazon-ebs: output will be in this color.
==> amazon-ebs: Prevalidating any provided VPC information
==> amazon-ebs: Prevalidating AMI Name: amazon-eks-node-1.25-1701774898
    amazon-ebs: Found Image ID: ami-03c7889efe89e1eeb
==> amazon-ebs: Creating temporary keypair: packer_656f06
==> amazon-ebs: Creating temporary security group for this instance: packer_656f06[34]c89b-813d-9786-0d12937acf83
==> amazon-ebs: Authorizing access to port 22 from [0.0.0.0/0] in the temporary security groups...

The build finishes successfully, but the custom temporary_security_group_source_cidrs seems not to be used. Is this a bug, or do I have an issue in my configuration?

steffakasid avatar Dec 05 '23 12:12 steffakasid

Looks like others have issues too: https://github.com/hashicorp/packer-plugin-amazon/issues/114

steffakasid avatar Dec 05 '23 12:12 steffakasid

Hi @steffakasid,

Thanks for reporting this. Since this concerns the Amazon plugin, I'll transfer it over there.

Unfortunately, I can't promise we'll fix this soon, as we have other priorities on hand, but we do welcome contributions if you're up for it; we can help if need be, and will happily review!

lbajolet-hashicorp avatar Dec 06 '23 20:12 lbajolet-hashicorp

I think the value is not correctly mapped/parsed from the config and then overwritten here: image

So the length at this point seems to be 0. Do you have an example of how temporary_security_group_source_cidrs must be set in the config? Are there any possibilities to debug/run the code locally without having access to an AWS account?

Regards, Steffen

steffakasid avatar Dec 12 '23 10:12 steffakasid
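Before treating this as a plugin bug it is worth ruling out a name mismatch: in the excerpts posted above the template reads `{{user `security-group-cidrs`}}` while the var file defines `temporary_security_group_source_cidrs`, and a user reference that nothing defines interpolates to an empty string, which leaves a list option like this one with no entries (the length-0 state noted above, after which the log shows 0.0.0.0/0). The Python lint below is an added example, not code from this issue or from the plugin: it flags every `{{user ...}}` reference that neither the template's variables block nor the var file defines, and resolves one option to show the value the builder would receive; the template and var file excerpts are constructed from the issue with placeholder values.

```python
import json
import re

# Packer legacy-JSON user-variable reference: {{user `name`}} or {{user "name"}}
USER_REF = re.compile(r'\{\{\s*user\s+[`"]([^`"]+)[`"]\s*\}\}')

# Constructed excerpt of the template and var file from the issue; values are placeholders.
TEMPLATE = json.loads("""
{
  "variables": {"source_ami": "{{env `SOURCE_AMI`}}"},
  "builders": [{
    "type": "amazon-ebs",
    "source_ami": "{{user `source_ami`}}",
    "subnet_id": "{{user `subnet_id`}}",
    "temporary_security_group_source_cidrs": "{{user `security-group-cidrs`}}"
  }]
}
""")
VAR_FILE = {"subnet_id": "subnet-xxxx",
            "temporary_security_group_source_cidrs": "x.x.x.0/22"}


def walk(node, path=""):
    """Yield (json_path, string_value) for every string leaf in the template."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def undefined_user_refs(template, var_file):
    """Return [(path, name)] for every {{user `name`}} whose name is neither
    declared in the template's "variables" block nor supplied by the var file."""
    defined = set(template.get("variables", {})) | set(var_file)
    return [(path, name)
            for path, value in walk(template)
            for name in USER_REF.findall(value)
            if name not in defined]


def resolve_user_refs(value, template, var_file):
    """Substitute user references, var file values overriding template defaults;
    an undefined name yields "", which leaves a list option with no entries."""
    defined = {**template.get("variables", {}), **var_file}
    return USER_REF.sub(lambda m: defined.get(m.group(1), ""), value)


if __name__ == "__main__":
    for path, name in undefined_user_refs(TEMPLATE, VAR_FILE):
        print(f"{path}: user variable `{name}` is not defined anywhere")
    cidr_option = TEMPLATE["builders"][0]["temporary_security_group_source_cidrs"]
    print(repr(resolve_user_refs(cidr_option, TEMPLATE, VAR_FILE)))
```

Run it against the full template and var file as used in the failing build; a finding on the CIDR option means the security group was opened with an empty allow-list rather than the plugin ignoring the setting.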