Hashicorp packer + winRM (windows AMIs)

I'm dealing with developers who work in Windows and deploy to IIS. I haven't built Windows Amazon Machine Images before, so there were a few things to make work in Packer. The first is a user data script passed to the instance to enable and configure WinRM at boot. The second was opening up the security groups so WinRM traffic (TCP 5985 here) can reach the instance from the Packer host. The third was installing EC2Launch (AWS's successor to EC2Config; the script is still named installEc2Config.ps1) and calling its InitializeInstance and SysprepInstance scripts to prep the Windows AMI for next boot.

The winRM script is located in cicd/powershell/setupWinRM.ps1.

It contains:


[shell]
dsm macbook:powershell DougMunsinger$ cat setupWinRM.ps1
<powershell>
write-output "Running User Data Script"
write-host "(host) Running User Data Script"

Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

# Don't set this before Set-ExecutionPolicy as it throws an error.
$ErrorActionPreference = "stop"
# Remove HTTP listener
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"

cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm quickconfig '-transport:http'
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTP" '@{Port="5985"}'
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5985 "Port 5985"
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm
</powershell>

dsm macbook:powershell DougMunsinger$
[/shell]
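The script above turns on Basic authentication over an unencrypted HTTP listener, which means the Administrator password crosses the network only base64-encoded and is readable by anything the security group lets reach port 5985. The following user data script is an added example, not the author's setupWinRM.ps1: it performs the same build-time setup but over an HTTPS listener on TCP 5986 with a self-signed certificate, so the credential and the provisioning session are encrypted in transit. The certificate name "packer-build" and the firewall rule name are assumptions.

```powershell
<powershell>
# Added example (not the author's setupWinRM.ps1): build-time WinRM setup
# over HTTPS on TCP 5986 instead of plaintext HTTP on 5985. Basic auth stays
# enabled because Packer authenticates with it, but only inside TLS.
# "packer-build" and the firewall rule name are placeholders.
$ErrorActionPreference = "Stop"
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

# The WSMan: drive needs the service running; make sure it survives reboots.
Set-Service -Name winrm -StartupType Automatic
Start-Service -Name winrm

# Drop any listener that already exists (including a default HTTP one).
Remove-Item -Path WSMan:\localhost\Listener\listener* -Recurse -ErrorAction SilentlyContinue

# Self-signed certificate for the build only. Packer's winrm_insecure=true
# skips chain validation against it, but the channel is still TLS.
$cert = New-SelfSignedCertificate -DnsName "packer-build" -CertStoreLocation Cert:\LocalMachine\My
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Same limits the original script sets, minus the plaintext allowances.
Set-Item -Path WSMan:\localhost\MaxTimeoutms -Value 1800000
Set-Item -Path WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 1024
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true

# Host firewall: open only the HTTPS port.
New-NetFirewallRule -DisplayName "WinRM HTTPS (packer build)" -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

Restart-Service -Name winrm
</powershell>
```

With this user data, the builder in packer.json changes to "winrm_use_ssl": true, "winrm_port": 5986 and "winrm_insecure": true (still true, because the certificate is self-signed; it skips certificate verification, not encryption), and the security group only needs to admit TCP 5986 from the Packer host rather than 5985.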


and then the cicd/packer/packer.json file that built this is:


[shell]
dsm macbook:powershell DougMunsinger$ cat ../packer/packer.json
{
  "builders": [
    {
      "name": "us-east-1-iis-build",
      "iam_instance_profile": "devops-pipeline",
      "type": "amazon-ebs",
      "region": "us-east-1",
      "source_ami": "ami-0bf148826ef491d16",
      "instance_type": "t2.large",
      "security_group_ids": ["sg-0e24938e3dca4c429", "sg-009c866599f597da3", "sg-7936603b"],
      "subnet_id": "subnet-c33f5ba4",
      "ami_name": "catapult-windows-iis-{{timestamp}}",
      "user_data_file": "cicd/powershell/setupWinRM.ps1",
      "communicator": "winrm",
      "winrm_username": "Administrator",
      "winrm_use_ssl": false,
      "winrm_insecure": true
    }
  ],
  "provisioners": [
    {
      "type": "powershell",
      "inline": [
        "Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServerRole",
        "Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServer"
      ]
    },
    {
      "type": "powershell",
      "script": "cicd/powershell/installEc2Config.ps1"
    },
    {
      "type": "windows-restart",
      "restart_check_command": "powershell -command \"& {Write-Output 'Machine restarted.'}\""
    },
    {
      "type": "powershell",
      "inline": [
        "C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Scripts\\InitializeInstance.ps1 -Schedule",
        "C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Scripts\\SysprepInstance.ps1 -NoShutdown"
      ]
    }
  ]
}
[/shell]
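Nothing in this build sequence reverts the WinRM relaxations that setupWinRM.ps1 applied, so AllowUnencrypted, Basic, CredSSP and the wildcard HTTP listener ship inside the finished AMI and are live on every instance launched from it. They cannot simply be undone in a provisioner placed before the sysprep step, because Packer's later provisioners would no longer be able to connect. The script below is an added example, not the author's code: it audits an instance launched from the AMI for those leftovers and, with -Remediate, restores safe values. The file name Test-WinRMHardening.ps1 is an assumption; the firewall rule name "Port 5985" is the one the netsh call in setupWinRM.ps1 creates.

```powershell
# Added example, not the author's code: audit (and optionally revert) the
# build-time WinRM relaxations that setupWinRM.ps1 leaves in the image.
# Run on an instance launched from the finished AMI, from an elevated prompt:
#   .\Test-WinRMHardening.ps1            # report only
#   .\Test-WinRMHardening.ps1 -Remediate # report, then restore safe values
# (the script file name is an assumption)
[CmdletBinding()]
param([switch]$Remediate)
$ErrorActionPreference = "Stop"

# Each entry: WSMan setting and the value expected in a sealed image.
$checks = @(
    @{ Path = "WSMan:\localhost\Service\AllowUnencrypted"; Expected = "false" },
    @{ Path = "WSMan:\localhost\Service\Auth\Basic";       Expected = "false" },
    @{ Path = "WSMan:\localhost\Service\Auth\CredSSP";     Expected = "false" },
    @{ Path = "WSMan:\localhost\Client\AllowUnencrypted";  Expected = "false" },
    @{ Path = "WSMan:\localhost\Client\Auth\Basic";        Expected = "false" }
)

function Get-WinRMFindings {
    # Returns one object per setting; Compliant=$false marks a build-time leftover.
    foreach ($c in $checks) {
        $actual = (Get-Item -Path $c.Path).Value
        [pscustomobject]@{
            Setting   = $c.Path.Split("\")[-1]
            Path      = $c.Path
            Actual    = $actual
            Expected  = $c.Expected
            Compliant = ($actual -eq $c.Expected)
        }
    }
    # A plain-HTTP listener bound to every address is the other leftover to flag.
    foreach ($l in Get-ChildItem -Path WSMan:\localhost\Listener) {
        $transport = (Get-ChildItem -Path $l.PSPath | Where-Object Name -eq "Transport").Value
        [pscustomobject]@{
            Setting   = "Listener $($l.Name)"
            Path      = $l.PSPath
            Actual    = $transport
            Expected  = "HTTPS"
            Compliant = ($transport -eq "HTTPS")
        }
    }
}

$findings = Get-WinRMFindings
$findings | Format-Table Setting, Actual, Expected, Compliant -AutoSize

if ($Remediate) {
    # Settings come first in $findings, listeners last: removing a listener
    # ends any live WinRM session, so it must be the final change.
    foreach ($f in ($findings | Where-Object { -not $_.Compliant })) {
        if ($f.Setting -like "Listener*") {
            Remove-Item -Path $f.Path -Recurse
        } else {
            Set-Item -Path $f.Path -Value $f.Expected
        }
    }
    # Close the hole the legacy "netsh firewall add portopening" call opened.
    netsh advfirewall firewall delete rule name="Port 5985" | Out-Null
    Restart-Service -Name winrm
}
```

Run it through a console session (RDP or Systems Manager) rather than over WinRM itself, since remediation tears down the listener the remote session would be using. The report-only mode is also a reasonable post-launch check to run against any image that came out of this pipeline.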


and then the final call is to cicd/powershell/installEc2Config.ps1:


[shell]
dsm macbook:powershell DougMunsinger$ cat installEc2Config.ps1
mkdir -Force C:\src
$url = "https://s3.amazonaws.com/ec2-downloads-windows/EC2Launch/latest/EC2-Windows-Launch.zip"
$output = "C:\src\EC2-Windows-Launch.zip"
Invoke-WebRequest -Uri $url -OutFile $output

$url = "https://s3.amazonaws.com/ec2-downloads-windows/EC2Launch/latest/install.ps1"
$output = "C:\src\install_ec2Config.ps1"
Invoke-WebRequest -Uri $url -OutFile $output

C:\src\install_ec2Config.ps1
dsm macbook:powershell DougMunsinger$
[/shell]
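That script pulls whatever is at the "latest" path on every build and runs it, so two builds a week apart can contain different EC2Launch bits with nothing in the build log to tell them apart. The variant below is an added example, not the author's installEc2Config.ps1: it performs the same download, records the SHA-256 of each artifact in the Packer output, and refuses to continue if a pinned hash is supplied and the zip no longer matches it. The EC2LAUNCH_ZIP_SHA256 environment variable is an assumption; you would set it through the provisioner's environment_vars once you have inspected a build.

```powershell
# Added example, not the author's installEc2Config.ps1: same download, but the
# build records exactly what it installed. EC2LAUNCH_ZIP_SHA256 is a placeholder
# name; leave it unset on the first build, then pin the hash it logged.
$ErrorActionPreference = "Stop"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$base = "https://s3.amazonaws.com/ec2-downloads-windows/EC2Launch/latest"
$src  = "C:\src"
$PinnedZipSha256 = $env:EC2LAUNCH_ZIP_SHA256

New-Item -ItemType Directory -Force -Path $src | Out-Null

function Get-Artifact([string]$Name) {
    # Downloads $Name from $base into $src and returns its path and SHA-256.
    $path = Join-Path -Path $src -ChildPath $Name
    Invoke-WebRequest -Uri "$base/$Name" -OutFile $path -UseBasicParsing
    [pscustomobject]@{
        Path   = $path
        Sha256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    }
}

# install.ps1 expects the zip beside it, so both land in $src under their own names.
$zip     = Get-Artifact "EC2-Windows-Launch.zip"
$install = Get-Artifact "install.ps1"

# These lines end up in the Packer log, tying each AMI to the bits it contains.
Write-Output "EC2-Windows-Launch.zip sha256=$($zip.Sha256)"
Write-Output "install.ps1 sha256=$($install.Sha256)"

if ($PinnedZipSha256 -and ($zip.Sha256 -ne $PinnedZipSha256)) {
    throw "EC2Launch zip changed upstream (expected $PinnedZipSha256, got $($zip.Sha256)); review it before rebuilding"
}

& $install.Path
```

The pin deliberately covers only the zip: install.ps1 is a small wrapper, and logging its hash is enough to notice a change there without turning every upstream edit into a failed build.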


And this does all the right things: an instance launched from the AMI sets its hostname and Administrator password automatically at first boot.

— doug