May 21, 2018, 02:02 AM
Packer has the ability to import VirtualBox OVA artifacts into AWS
using the AWS VM Import/Export service. There are a number of prerequisites,
the setup of which are detailed below.

1. Create an S3 bucket to hold uploaded temporary build artifacts

$ aws s3 mb s3://my-organisation.com-eu-west-1-vmimport-bucket --region eu-west-1
make_bucket: s3://my-organisation.com-eu-west-1-vmimport-bucket/


2. Set up the VM Import service role. This is a role within the AWS
 account that the VM Import/Export service itself (the vmie.amazonaws.com
 service principal) assumes while it reads the uploaded image from S3 and
 registers the resulting snapshot and AMI. It is not attached to any user
 or group; the user performing the import must still be granted the
 permissions shown in step 3. By default the import service looks for a
 role named vmimport, so keep that name unless the import is configured to
 use a different role.

2.1 Create the trust policy document trust-policy.json with the following
 contents. The sts:ExternalId condition limits who may assume the role to
 the import service presenting the external ID "vmimport".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vmie.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "vmimport"
        }
      }
    }
  ]
}

2.2 Now create the role using the AWS CLI

$ aws iam create-role --role-name vmimport --assume-role-policy-document file:///path/to/trust-policy.json
{
  "Role": {
    "CreateDate": "2016-07-25T10:42:49.317Z",
    "Path": "/",
    "Arn": "arn:aws:iam::993562413670:role/vmimport",
    "RoleId": "AROAJVAKXW5OAPT2FI4LI",
    "RoleName": "vmimport",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "vmimport"
            }
          },
          "Effect": "Allow",
          "Principal": {
            "Service": "vmie.amazonaws.com"
          }
        }
      ]
    }
  }
}

2.3 Create a policy file named role-policy.json granting the role the
 permissions it needs on the bucket created in step 1, with contents as
 below. The S3 statements are scoped to that one bucket and its objects
 (bucket-level actions on the bucket ARN, object-level actions on the
 bucket/* ARN). The EC2 actions are granted on all resources because the
 snapshot and image do not exist until the import creates them.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::my-organisation.com-eu-west-1-vmimport-bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-organisation.com-eu-west-1-vmimport-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}



2.4 Run the following command to attach the policy document to the
 vmimport role as an inline policy named vmimport

$ aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file:///path/to/role-policy.json


3. Create a group and grant it the EC2 and S3 permissions needed to upload
 VM images and convert them to AMIs

3.1 Create a VMImport group

$ aws iam create-group --group-name VMImport

3.2 Now create a policy document with the required permissions and name it
 vmimportexport-group-policy.json, with the contents below. The
 object-level actions (GetObject, PutObject, DeleteObject) apply to the
 bucket/* ARN and the bucket-level ones to the bare bucket ARN, so both
 forms of the bucket are listed, and the bucket name must be spelled
 identically in both; a mismatch is not an error to IAM, it just means
 the object actions silently apply to a bucket that does not exist.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-organisation.com-eu-west-1-vmimport-bucket",
        "arn:aws:s3:::my-organisation.com-eu-west-1-vmimport-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CreateImage",
        "ec2:CreateInstanceExportTask",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeExportTasks",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ec2:ImportInstance",
        "ec2:ImportVolume",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:ImportImage",
        "ec2:ImportSnapshot",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:CancelImportTask",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImages"
      ],
      "Resource": "*"
    }
  ]
}

3.3 Create the policy

$ aws iam create-policy --policy-name "AWSVMImportExportOnly" --policy-document file:///path/to/vmimportexport-group-policy.json
{
  "Policy": {
    "IsAttachable": true,
    "Path": "/",
    "PolicyId": "ANPAI6BFYVZC6XHH6QZ5G",
    "DefaultVersionId": "v1",
    "Arn": "arn:aws:iam::993562413670:policy/AWSVMImportExportOnly",
    "AttachmentCount": 0,
    "UpdateDate": "2016-07-25T11:58:20.737Z",
    "PolicyName": "AWSVMImportExportOnly",
    "CreateDate": "2016-07-25T11:58:20.737Z"
  }
}

3.4 Attach the policy to the group

$ aws iam attach-group-policy --group-name VMImport --policy-arn "arn:aws:iam::993562413670:policy/AWSVMImportExportOnly"


4. Create a user and make that user a member of the group created above

4.1 Create the user

$ aws iam create-user --user-name packer

4.2 Add the user to the VMImport group

$ aws iam add-user-to-group --user-name packer --group-name VMImport

4.3 Create an access key for the user. This will create the AWS 'Access
 Key ID' and 'Secret Access Key'. The secret is shown only in the output
 of this command and cannot be retrieved again, so capture it straight
 into whatever secret store the build host uses rather than into shell
 history or a file in the repository.

$ aws iam create-access-key --user-name packer


220
2215. The AWS Access Key ID and Secret Access Key must be made available to
222 packer. The accepted way to do this is to export the ID and Access Key
223 as environment variables that packer can then be configured to read and
224 use in the 'amazon-import' post-processor.
225 Example template below:
226
227{
228 "variables": {
229 ...
230 "aws_access_key": "{{env `PACKER_AWS_ACCESS_KEY`}}",
231 "aws_secret_key": "{{env `PACKER_AWS_SECRET_KEY`}}",
232 "template": "centos"
233 ...
234 },
235
236 ...
237
238 "post-processors": [
239 {
240 "type": "amazon-import",
241 "only": ["amazon-builder"],
242 "access_key": "{{user `aws_access_key`}}",
243 "secret_key": "{{user `aws_secret_key`}}",
244 "region": "eu-west-1",
245 "s3_bucket_name": "my-organisation.com-eu-west-1-vmimport-bucket",
246 "s3_key_name": "{{user `template`}}-import-{{isotime \"2006-01-02-150405\"}}.ova",
247 "skip_clean": "false",
248 "tags": {
249 "Description": "Packer amazon-import: {{user `template`}} {{isotime \"2006-01-02 15:04:05\"}}",
250 "Name": "{{user `template`}}"
251 }
252 }
253 ]
254}
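The policy documents in steps 2.1, 2.3 and 3.2 are edited by hand, and IAM accepts a misspelled action name or an object ARN for a differently named bucket without complaint; the permission simply never applies. The following checker is an added example, not part of the original notes or of any AWS tooling. It lints such documents offline: the trust policy must name only the vmie.amazonaws.com principal with the vmimport external ID, every action must be a known name (KNOWN_ACTIONS is an assumed subset covering just the actions on this page), and the buckets named in object ARNs must match the buckets named in bucket ARNs. The BAD_GROUP_POLICY and OPEN_TRUST_POLICY inputs are constructed to show what it catches.

```python
"""Offline lint for the IAM documents in steps 2.1, 2.3 and 3.2.

Added example, not from the original notes. Catches the two hand-editing
mistakes IAM will not complain about: a misspelled action name, and an S3
object ARN whose bucket name matches no bucket ARN in the same policy.
"""
import json
import re

# Assumption: the subset of IAM action names this checker knows, i.e. the
# actions used on this page. A real linter would load the full service list.
KNOWN_ACTIONS = set("""
s3:ListAllMyBuckets s3:CreateBucket s3:DeleteBucket s3:DeleteObject
s3:GetBucketLocation s3:GetObject s3:ListBucket s3:PutObject
ec2:ModifySnapshotAttribute ec2:CopySnapshot ec2:RegisterImage
ec2:CancelConversionTask ec2:CancelExportTask ec2:CreateImage
ec2:CreateInstanceExportTask ec2:CreateTags ec2:DeleteTags
ec2:DescribeConversionTasks ec2:DescribeExportTasks
ec2:DescribeInstanceAttribute ec2:DescribeInstanceStatus ec2:DescribeInstances
ec2:DescribeTags ec2:ImportInstance ec2:ImportVolume ec2:StartInstances
ec2:StopInstances ec2:TerminateInstances ec2:ImportImage ec2:ImportSnapshot
ec2:DescribeImportImageTasks ec2:DescribeImportSnapshotTasks
ec2:CancelImportTask ec2:DescribeImageAttribute ec2:DescribeImages
""".split())

# Bucket ARN has no suffix; object ARN carries "/..." after the bucket name.
S3_ARN = re.compile(r"^arn:aws:s3:::([^/*]+)(/.*)?$")


def _as_list(value):
    """IAM allows a string or a list in Action, Resource and Principal.Service."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc):
    """Role must be assumable only by the VM Import service, and only when it
    presents the external ID 'vmimport' (step 2.1)."""
    problems = []
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else ["*"]
        if services != ["vmie.amazonaws.com"]:
            problems.append(f"principal should be exactly vmie.amazonaws.com, got {principal!r}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != "vmimport":
            problems.append(f"missing condition sts:ExternalId == 'vmimport' (got {ext!r})")
    return problems


def check_permissions_policy(doc):
    """Action names must be real, and the buckets named by bucket ARNs and by
    object ARNs must be the same set (steps 2.3 and 3.2)."""
    problems = []
    bucket_arns, object_arns = set(), set()
    for i, st in enumerate(doc["Statement"]):
        for action in _as_list(st.get("Action", [])):
            if action.endswith("*"):  # e.g. ec2:Describe*
                if not any(k.startswith(action[:-1]) for k in KNOWN_ACTIONS):
                    problems.append(f"statement {i}: wildcard {action!r} matches no known action")
            elif action not in KNOWN_ACTIONS:
                problems.append(f"statement {i}: unknown action {action!r} (typo?)")
        for res in _as_list(st.get("Resource", [])):
            m = S3_ARN.match(res)
            if m:
                (object_arns if m.group(2) else bucket_arns).add(m.group(1))
    for name in sorted(object_arns - bucket_arns):
        problems.append(f"object ARN for bucket {name!r} has no matching bucket ARN")
    for name in sorted(bucket_arns - object_arns):
        problems.append(f"bucket ARN {name!r} has no object ARN, so object actions on it will be denied")
    return problems


def lint(trust_json, *permission_jsons):
    """Run both checks over JSON text and return every finding."""
    findings = check_trust_policy(json.loads(trust_json))
    for text in permission_jsons:
        findings += check_permissions_policy(json.loads(text))
    return findings


# Constructed inputs: a cut-down step 3.2 group policy with an object ARN for
# a differently named bucket and 'Atrribute' for 'Attribute', plus its fix.
BUCKET = "arn:aws:s3:::my-organisation.com-eu-west-1-vmimport-bucket"
BAD_GROUP_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject", "s3:GetObject"],
     "Resource": [BUCKET, "arn:aws:s3:::my-organisation.com-vmimport-bucket/*"]},
    {"Effect": "Allow", "Action": ["ec2:ImportImage", "ec2:DescribeImageAtrribute"],
     "Resource": "*"},
]})
GOOD_GROUP_POLICY = BAD_GROUP_POLICY.replace(
    "my-organisation.com-vmimport-bucket", "my-organisation.com-eu-west-1-vmimport-bucket"
).replace("Atrribute", "Attribute")
# The step 2.1 trust policy, and the same document with the condition dropped.
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "vmie.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "vmimport"}}}]})
OPEN_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "vmie.amazonaws.com"},
    "Action": "sts:AssumeRole"}]})

if __name__ == "__main__":
    for finding in lint(OPEN_TRUST_POLICY, BAD_GROUP_POLICY):
        print("FAIL:", finding)
    print("clean:", lint(TRUST_POLICY, GOOD_GROUP_POLICY) == [])
```

Run it against the real files with `lint(open("trust-policy.json").read(), open("role-policy.json").read(), open("vmimportexport-group-policy.json").read())` before the put-role-policy and create-policy steps; an empty list means the documents are at least internally consistent, which is cheaper to learn here than from a failed import task.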


Enable Amazon Import Feature for Additional Regions
---------------------------------------------------

1. Create a bucket for the desired region. The image has to be uploaded to
 a bucket in the region the AMI is being imported into, so each target
 region gets its own bucket and both policies must be widened to cover it.

$ aws s3 mb s3://my-organisation.com-eu-west-2-vmimport-bucket --region eu-west-2


2. Delete the existing role policy document associated with the vmimport
 role. This step is optional: put-role-policy in step 4 replaces an inline
 policy of the same name, so the updated document can simply be put over
 the old one.

$ aws iam delete-role-policy --role-name vmimport --policy-name vmimport


3. Add the bucket created in step 1 to the 'role-policy.json' file, in
 bucket form in the ListBucket/GetBucketLocation statement and in object
 form in the GetObject statement

    ...
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::my-organisation.com-eu-west-1-vmimport-bucket",
        "arn:aws:s3:::my-organisation.com-eu-west-2-vmimport-bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-organisation.com-eu-west-1-vmimport-bucket/*",
        "arn:aws:s3:::my-organisation.com-eu-west-2-vmimport-bucket/*"
    ...


291
2924. Associate the updated role policy with the vmimport role
293
294$aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file:///path/to/role-policy.json
295
296
2975. Detach the existing AWSVMImportExportOnly group policy from the
298 VMImport group
299
300$ aws iam detach-group-policy --group-name VMImport --policy-arn "arn:aws:iam::993562413670:policy/AWSVMImportExportOnly"
301
302
3036. Delete the policy
304
305$ aws iam delete-policy --policy-arn "arn:aws:iam::993562413670:policy/AWSVMImportExportOnly"
306
307
3087. Update the group policy file with the updated bucket list
309
    ...
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-organisation.com-eu-west-1-vmimport-bucket",
        "arn:aws:s3:::my-organisation.com-eu-west-1-vmimport-bucket/*",
        "arn:aws:s3:::my-organisation.com-eu-west-2-vmimport-bucket",
        "arn:aws:s3:::my-organisation.com-eu-west-2-vmimport-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CancelConversionTask",
    ...


326
3278. Recreate the policy
328
329
330$ aws iam create-policy --policy-name "AWSVMImportExportOnly" --policy-document file:///path/to/vmimportexport-group-policy.json
331{
332 "Policy": {
333 "Arn": "arn:aws:iam::993562413670:policy/AWSVMImportExportOnly",
334 "PolicyId": "ANPAJLETXFWZ6MQUYVFL6",
335 "AttachmentCount": 0,
336 "PolicyName": "AWSVMImportExportOnly",
337 "Path": "/",
338 "CreateDate": "2016-12-15T15:30:37.805Z",
339 "DefaultVersionId": "v1",
340 "UpdateDate": "2016-12-15T15:30:37.805Z",
341 "IsAttachable": true
342 }
343}
344
345
3469. Reattach the policy to the VMImport group
347
348$ aws iam attach-group-policy --group-name VMImport --policy-arn "arn:aws:iam::993562413670:policy/AWSVMImportExportOnly"
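Steps 3 and 7 above are the same edit applied to two documents, and it is the kind of edit where the bucket name gets mistyped in one of its two forms. The following is an added example, not part of the original notes, that makes the edit programmatically: add_bucket walks every statement of a policy document and, wherever a Resource list already names an S3 bucket, appends the new bucket in the same form the existing entries use (bare bucket ARN, or bucket/* object ARN), leaving the ec2 statements on "*" untouched. It makes no AWS calls; bucket_name encodes the naming convention used on this page and is an assumption, and the ROLE_POLICY and GROUP_POLICY inputs are the page's own documents with the long ec2 action list abridged.

```python
"""Extend the vmimport role policy and the VMImport group policy to a new
region's bucket (steps 3 and 7) without hand-editing the JSON.

Added example, not from the original notes. Pure document rewriting: feed
the output to put-role-policy / create-policy (or create-policy-version).
"""
import copy
import json
import re

# Bucket ARN has no suffix; object ARN carries "/..." after the bucket name.
S3_ARN = re.compile(r"^arn:aws:s3:::([^/*]+)(/.*)?$")


def bucket_name(region, org="my-organisation.com"):
    """Assumed naming convention from this page: <org>-<region>-vmimport-bucket."""
    return f"{org}-{region}-vmimport-bucket"


def add_bucket(policy, new_bucket):
    """Return a copy of `policy` with `new_bucket` added to every Resource
    that already names an S3 bucket, in the same form (bucket ARN and/or
    bucket/* object ARN) as the entries already present there. Statements
    whose Resource is "*" are left alone. Idempotent: a second call for the
    same bucket changes nothing, and the input document is not mutated."""
    doc = copy.deepcopy(policy)
    for st in doc["Statement"]:
        resources = st.get("Resource", [])
        if isinstance(resources, str):
            if not S3_ARN.match(resources):
                continue  # "*" or a non-S3 ARN: nothing bucket-scoped to extend
            resources = st["Resource"] = [resources]
        # Collect the distinct suffix forms ("" for bucket, "/*" for objects)
        # already used, in first-seen order, so output order is stable.
        suffixes = []
        for res in resources:
            m = S3_ARN.match(res)
            if m and (m.group(2) or "") not in suffixes:
                suffixes.append(m.group(2) or "")
        for suffix in suffixes:
            arn = f"arn:aws:s3:::{new_bucket}{suffix}"
            if arn not in resources:
                resources.append(arn)
    return doc


def s3_buckets(policy):
    """Set of bucket names referenced anywhere in the policy, for checking."""
    names = set()
    for st in policy["Statement"]:
        resources = st.get("Resource", [])
        for res in resources if isinstance(resources, list) else [resources]:
            m = S3_ARN.match(res)
            if m:
                names.add(m.group(1))
    return names


# The step 2.3 role policy, scoped to the eu-west-1 bucket.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::my-organisation.com-eu-west-1-vmimport-bucket"]},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::my-organisation.com-eu-west-1-vmimport-bucket/*"]},
    {"Effect": "Allow", "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                                   "ec2:RegisterImage", "ec2:Describe*"],
     "Resource": "*"},
]}
# The step 3.2 group policy, with the ec2 action list abridged.
GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                                   "s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::my-organisation.com-eu-west-1-vmimport-bucket",
                  "arn:aws:s3:::my-organisation.com-eu-west-1-vmimport-bucket/*"]},
    {"Effect": "Allow", "Action": ["ec2:ImportImage", "ec2:ImportSnapshot"],
     "Resource": "*"},
]}

if __name__ == "__main__":
    new = bucket_name("eu-west-2")
    print(json.dumps(add_bucket(ROLE_POLICY, new), indent=2))
    print(json.dumps(add_bucket(GROUP_POLICY, new), indent=2))
```

Write each result to its file and pass it to the commands in steps 4 and 8; because the function only extends Resource lists that already contain S3 ARNs, the bucket-only statement of the role policy gains only a bucket ARN, the GetObject statement only an object ARN, and the combined group statement gains both, which is exactly the shape shown in the fragments above.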