diff --git a/os-images/AWS/photon/photon-3-arm64.pkr.hcl b/os-images/AWS/photon/photon-3-arm64.pkr.hcl
new file mode 100644
index 000000000..570eb1182
--- /dev/null
+++ b/os-images/AWS/photon/photon-3-arm64.pkr.hcl
@@ -0,0 +1,294 @@
+# CLI Variables
+variable "ci_build" { type = bool }
+variable "aws_region" { type = string }
+variable "ssh_keypair_name" { type = string }
+variable "ssh_private_key_file" { type = string }
+variable "distro_arch" { type = string }
+variable "distro_version" { type = string }
+variable "skip_create_ami" {
+ type = bool
+ default = false
+}
+variable "runner_version" {
+ description = "The version (no v prefix) of the GitHub Actions Runner software to install https://github.com/actions/runner/releases"
+ type = string
+ default = "2.300.2"
+}
+variable "install_github_actions_runner" {
+ description = "Create a user to run the GitHub Actions Runner under."
+ type = bool
+ default = false
+}
+
+# Variables set by pkrvars file
+variable "instance_type" {
+ type = string
+ default = "c5a.large"
+}
+variable "ssh_username" {
+ type = string
+ default = "root"
+}
+
+# Remaining variables
+variable "build_type" {
+ type = string
+ default = "ci"
+}
+variable "ami_owner" {
+ type = string
+ default = "937850989293"
+}
+
+variable "distro_name" {
+ type = string
+ default = "PhotonOS"
+}
+
+variable "ami_filter" {
+ type = string
+}
+
+variable "ami_name_prefix" {
+ type = string
+ default = "salt-project"
+}
+
+variable "state_name" {
+ type = string
+ default = "provision"
+}
+
+variable "salt_provision_type" {
+ type = string
+ default = "stable"
+}
+
+variable "salt_provision_version" {
+ type = string
+ default = "3006.0"
+}
+
+variable "salt_provision_root_dir" {
+ type = string
+ default = "/tmp/salt-provision"
+}
+
+locals {
+ build_timestamp = timestamp()
+ ami_name = "${var.ami_name_prefix}/${var.build_type}/${lower(var.distro_name)}/${var.distro_version}/${var.distro_arch}/${formatdate("YYYYMMDD.hhmm", local.build_timestamp)}"
+ ami_description = "${upper(var.build_type)} Image of ${var.distro_name} ${var.distro_version} ${var.distro_arch}"
+ distro_slug = "${lower(var.distro_name)}-${var.distro_version}-${var.distro_arch}"
+}
+
+data "amazon-ami" "image" {
+ filters = {
+ name = var.ami_filter
+ root-device-type = "ebs"
+ state = "available"
+ virtualization-type = "hvm"
+ architecture = var.distro_arch
+ }
+ most_recent = true
+ owners = [
+ var.ami_owner
+ ]
+ region = var.aws_region
+}
+
+source "amazon-ebs" "image" {
+ ami_description = local.ami_description
+ ami_name = local.ami_name
+ instance_type = var.instance_type
+
+ ebs_optimized = true
+ shutdown_behavior = "terminate"
+
+ skip_create_ami = var.skip_create_ami
+
+ ami_users = [
+ "178480506716",
+ "540082622920"
+ ]
+
+ # ami_groups = [
+ # "all"
+ # ]
+
+ launch_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ volume_size = 40
+ volume_type = "gp3"
+ }
+
+ region = var.aws_region
+
+ run_tags = {
+ Name = "Packer {{ upper `${var.build_type}` }} ${var.distro_name} ${var.distro_version} ${var.distro_arch} Builder"
+ Owner = "SRE"
+ Salt-Golden-Image = true
+ create-salt-golden-image = true
+ created-by = "packer"
+ }
+ security_group_filter {
+ filters = {
+ group-name = "*-prod-*-golden-images-provision-${var.ci_build ? "private" : "public"}-*"
+ }
+ }
+ source_ami = data.amazon-ami.image.id
+ ssh_interface = "${var.ci_build ? "private" : "public"}_ip"
+ ssh_keypair_name = var.ssh_keypair_name
+ ssh_private_key_file = var.ssh_private_key_file
+ ssh_username = var.ssh_username
+ associate_public_ip_address = var.ci_build == false
+ subnet_filter {
+ filters = {
+ "tag:Name" = "*-prod-vpc-${var.ci_build ? "private" : "public"}-*"
+ }
+ most_free = true
+ random = false
+ }
+ tags = {
+ Build-Date = "${local.build_timestamp}"
+ Build-Type = var.build_type
+ Name = "Salt Project // ${upper(var.build_type)} // ${var.distro_name} ${var.distro_version} ${var.distro_arch}"
+ OS-Arch = "${var.distro_arch}"
+ OS-Name = "${var.distro_name}"
+ OS-Version = "${var.distro_version}"
+ Owner = "SRE"
+ Provision-State-Name = "${var.state_name}"
+ Salt-Golden-Image = true
+ created-by = "packer"
+ no-delete = false
+ ssh-username = var.ssh_username
+ "spb:start-github-runner" = false
+ }
+}
+
+build {
+ sources = [
+ "source.amazon-ebs.image"
+ ]
+
+ provisioner "shell" {
+ inline = [
+ "df -h"
+ ]
+ inline_shebang = "/bin/sh -ex"
+ }
+
+ provisioner "shell" {
+ inline = [
+ "systemctl mask tmp.mount",
+ "tdnf makecache",
+ "tdnf update -y",
+ "tdnf install -y linux"
+ ]
+ inline_shebang = "/bin/sh -ex"
+ }
+
+ provisioner "shell" {
+ inline_shebang = "/bin/sh -ex"
+ inline = [
+ "tdnf install -y git vim sudo openssh-server dbus curl rpm tar unzip gnupg"
+ ]
+ }
+
+ provisioner "shell" {
+ execute_command = "sudo -E -H bash -c '{{ .Vars }} {{ .Path }}'"
+ inline = [
+ "curl -f https://s3.amazonaws.com/amazoncloudwatch-agent/assets/amazon-cloudwatch-agent.gpg -o /tmp/amazon-cloudwatch-agent.gpg",
+ "gpg --import /tmp/amazon-cloudwatch-agent.gpg",
+ "curl -f https://s3.amazonaws.com/amazoncloudwatch-agent/${var.distro_arch == "x86_64" ? "centos" : "redhat"}/${var.distro_arch == "x86_64" ? "amd64" : "arm64"}/latest/amazon-cloudwatch-agent.rpm -o /tmp/amazon-cloudwatch-agent.rpm",
+ "curl -f https://s3.amazonaws.com/amazoncloudwatch-agent/${var.distro_arch == "x86_64" ? "centos" : "redhat"}/${var.distro_arch == "x86_64" ? "amd64" : "arm64"}/latest/amazon-cloudwatch-agent.rpm.sig -o /tmp/amazon-cloudwatch-agent.rpm.sig",
+ "gpg --verify /tmp/amazon-cloudwatch-agent.rpm.sig /tmp/amazon-cloudwatch-agent.rpm",
+ "rpm -U /tmp/amazon-cloudwatch-agent.rpm",
+ "systemctl restart amazon-cloudwatch-agent",
+ ]
+ inline_shebang = "/bin/sh -ex"
+ }
+
+ provisioner "shell" {
+ execute_command = "sudo -E -H bash -c '{{ .Vars }} {{ .Path }}'"
+ inline = [
+ "curl -f https://awscli.amazonaws.com/awscli-exe-linux-${var.distro_arch == "x86_64" ? "x86_64" : "aarch64"}.zip -o /tmp/awscliv2.zip",
+ "cd /tmp; unzip awscliv2.zip",
+ "cd /tmp; ./aws/install",
+ ]
+ inline_shebang = "/bin/sh -ex"
+ }
+
+ provisioner "shell-local" {
+ environment_vars = [
+ "DISTRO_SLUG=${local.distro_slug}",
+ "SALT_ROOT_DIR=${var.salt_provision_root_dir}",
+ "INSTALL_GITHUB_ACTIONS_RUNNER=${var.install_github_actions_runner ? "yes" : "no"}",
+ "INSTALL_GITHUB_ACTIONS_RUNNER_DEPENDENCIES=false",
+ "GITHUB_ACTIONS_RUNNER_TARBALL_URL=https://github.com/actions/runner/releases/download/v${var.runner_version}/actions-runner-linux-${var.distro_arch == "x86_64" ? "x64" : "arm64"}-${var.runner_version}.tar.gz"
+ ]
+ script = "os-images/AWS/files/prep-linux.sh"
+ }
+
+ provisioner "shell" {
+ environment_vars = [
+ "OS_ARCH=${var.distro_arch == "arm64" ? "aarch64" : "x86_64"}",
+ "SALT_VERSION=${var.salt_provision_version}",
+ "SALT_PROVISION_TYPE=${var.salt_provision_type}"
+ ]
+ script = "os-images/files/provision-salt.sh"
+ }
+
+ provisioner "file" {
+ destination = "${var.salt_provision_root_dir}/"
+ direction = "upload"
+ generated = true
+ source = ".tmp/${local.distro_slug}"
+ }
+
+ provisioner "shell" {
+ environment_vars = [
+ "SALT_ROOT_DIR=${var.salt_provision_root_dir}",
+ "SALT_STATE=${var.state_name}"
+ ]
+ pause_after = "5s"
+ script = "os-images/files/provision-system.sh"
+ }
+
+ provisioner "shell" {
+ inline_shebang = "/bin/sh -ex"
+ inline = [
+ "tdnf clean all",
+ "rm -rf /var/cache/tdnf"
+ ]
+ }
+
+ provisioner "shell" {
+ environment_vars = [
+ "SALT_ROOT_DIR=${var.salt_provision_root_dir}"
+ ]
+ script = "os-images/files/cleanup-salt.sh"
+ }
+
+ provisioner "shell" {
+ environment_vars = [
+ "SSH_USERNAME=${var.ssh_username}"
+ ]
+ script = "os-images/AWS/files/cleanup-linux.sh"
+ }
+
+ post-processor "manifest" {
+ custom_data = {
+ arch = var.distro_arch
+ ami_name = local.ami_name
+ ami_description = local.ami_description
+ ssh_username = var.ssh_username
+ instance_type = var.instance_type
+ is_windows = false
+ cloudwatch-agent-available = true
+ slug = "${lower(var.distro_name)}-${var.distro_version}${var.distro_arch == "arm64" ? "-${var.distro_arch}" : ""}"
+ }
+ output = "manifest.json"
+ strip_path = true
+ }
+}
diff --git a/os-images/AWS/photon/photon-3-arm64.pkrvars.hcl b/os-images/AWS/photon/photon-3-arm64.pkrvars.hcl
new file mode 100644
index 000000000..a5af5a666
--- /dev/null
+++ b/os-images/AWS/photon/photon-3-arm64.pkrvars.hcl
@@ -0,0 +1,4 @@
+ami_filter = "photon-ami-3.*"
+ami_owner = "937850989293"
+distro_arch = "arm64"
+instance_type = "m6g.large"
diff --git a/os-images/AWS/photon/photon-3-x86_64.pkr.hcl b/os-images/AWS/photon/photon-3-x86_64.pkr.hcl
index 474a486a2..0a3803e9b 100644
--- a/os-images/AWS/photon/photon-3-x86_64.pkr.hcl
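Review bot: The AWS CLI provisioner (the `awscli-exe-linux-*.zip` curl in the new file's `build` block) unpacks the archive and runs `./aws/install` as root without any integrity check, while the CloudWatch provisioner directly above it verifies its RPM with `gpg --verify`; both downloads should get the same treatment. AWS publishes a detached signature beside the bundle, so adding `"curl -f https://awscli.amazonaws.com/awscli-exe-linux-${var.distro_arch == "x86_64" ? "x86_64" : "aarch64"}.zip.sig -o /tmp/awscliv2.zip.sig",` and `"gpg --verify /tmp/awscliv2.zip.sig /tmp/awscliv2.zip",` ahead of the `unzip` line closes the gap, provided the AWS CLI signing key from the AWS CLI install documentation has been imported into root's keyring first. The same reasoning applies to the CloudWatch key: `gpg --import` trusts whatever the bucket served on the same channel as the RPM, so comparing the imported key's fingerprint against the value AWS documents (a `<FINGERPRINT from AWS docs>` check after the import) is what makes the later `gpg --verify` meaningful against a tampered bucket rather than only a corrupted download. Unless `cleanup-linux.sh` already does so, the `/tmp/amazon-cloudwatch-agent.*` and `/tmp/awscliv2.zip` artefacts should also be removed after install so they do not ship inside the AMI.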
+++ b/os-images/AWS/photon/photon-3-x86_64.pkr.hcl
@@ -182,10 +182,10 @@ build {
 inline = [
 "systemctl mask tmp.mount",
 "find /etc/yum.repos.d -type f -exec sed -i 's!dl.bintray.com/vmware!packages.vmware.com/photon/$releasever!' {} ';'",
+ "tdnf update -y",
 "tdnf install -y linux",
 "tdnf remove -y linux-aws",
 "tdnf install -y fipsify linux-hmacgen",
- "tdnf update -y",
 "if ! grep -q fips=1 /boot/systemd.cfg; then sed -i 's/^systemd_cmdline=.*/& fips=1/' /boot/systemd.cfg; fi",
 "if ! grep -q 'FipsMode yes' /etc/ssh/sshd_config; then echo 'FipsMode yes' >> /etc/ssh/sshd_config; fi",
 "reboot"
diff --git a/os-images/AWS/photon/photon-3-x86_64.pkrvars.hcl b/os-images/AWS/photon/photon-3-x86_64.pkrvars.hcl
index 0bdd03ebc..24d32b93b 100644
--- a/os-images/AWS/photon/photon-3-x86_64.pkrvars.hcl
+++ b/os-images/AWS/photon/photon-3-x86_64.pkrvars.hcl
@@ -1,3 +1,4 @@
 ami_filter = "photon-ami-3.*"
+ami_owner = "937850989293"
 distro_arch = "x86_64"
 instance_type = "t3a.large"
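Review bot: The move of `tdnf update -y` ahead of `tdnf install -y linux` and the `fipsify linux-hmacgen` install carries no explanation, and nothing in the surrounding inline list records why the order matters; a comment on the new line such as `# run the full update first so the kernel and the FIPS hmac files are generated against the final package set rather than upgraded afterwards` would stop the next maintainer from moving it back. That rationale is inferred from the package names rather than stated in the hunk, so adjust the wording to whatever actually motivated the change. The arm64 file added in this commit already updates before installing `linux`, so the two Photon builds now agree on the order. The enclosing `build` block and this provisioner's closing lines are outside the hunk.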