The question has probably been asked before, but I couldn't find a reference. I am using Packer to build a custom Windows AWS AMI. After the Packer build, I provisioned an EC2 instance from the AMI and noticed that the WinRM service is running and the firewall rule I had set in user_data is also enabled. I don't want that to be part of my image build. How do I get around it? Here is my Packer template:
{
"variables": {
"ami_region": "us-east-1",
"build_version": "{{isotime \"2006.01.02.150405\"}}",
"aws_vpc": "vpc-0cf252de620488ef2",
"vpc_subnet": "subnet-06909f11bbb49a814"
},
"builders": [
{
"type": "amazon-ebs",
"profile": "default",
"region": "{{user `ami_region`}}",
"vpc_id": "{{user `aws_vpc`}}",
"subnet_id": "{{user `vpc_subnet`}}",
"source_ami_filter": {
"filters": {
"virtualization-type": "hvm",
"name": "Windows_Server-2016-English-Full-Base*",
"root-device-type": "ebs"
},
"owners": [
"amazon"
],
"most_recent": true
},
"ami_name": "WIN2016-CUSTOM-{{user `build_version`}}",
"instance_type": "t3.medium",
"associate_public_ip_address": true,
"user_data_file": "C:\\Users\\amita\\Documents\\DevOps\\AWS\\packer\\winrm.ps1",
"communicator": "winrm",
"winrm_username": "Administrator",
"winrm_port": 5986,
"winrm_timeout": "15m",
"winrm_use_ssl": true,
"winrm_insecure": true
}
],
"provisioners": [
{
"type": "powershell",
"script": "C:\\Users\\amita\\Documents\\DevOps\\AWS\\packer\\Install-Apps.ps1"
},
{
"type": "windows-restart",
"restart_check_command": "powershell -command \"& {Write-Output 'restarted.'}\""
},
{
"type": "powershell",
"inline": [
"C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Scripts\\InitializeInstance.ps1 -Schedule",
"C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Scripts\\SysprepInstance.ps1 -NoShutdown"
]
}
]
}
User-Data
<powershell>
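# Build-time bootstrap for Packer's WinRM communicator. EC2Launch runs it once,
# at first boot of the build instance, from user data. Everything it changes
# (listener, certificate, winrm/config, firewall rule, execution policy) is
# still present when the instance is captured as an AMI unless a later
# provisioner reverts it, so the footprint is kept to what the build needs.
write-output "Running User Data Script"
write-host "(host) Running User Data Script"
# Process scope: only this script needs a relaxed policy. Packer's powershell
# provisioner launches its own scripts with its execution_policy setting, so a
# persistent LocalMachine change is not required and would be baked into the AMI.
Set-ExecutionPolicy Unrestricted -Scope Process -Force -ErrorAction Ignore
$ErrorActionPreference = "stop"
# Remove existing listeners (including the default HTTP one) so only the HTTPS
# listener created below accepts connections.
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
# Self-signed certificate for the HTTPS listener. The template sets
# winrm_insecure, so the name is not validated; the certificate only provides
# transport encryption during the build.
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"
# Configure WinRM. quickconfig starts the service, sets it to auto-start and
# adds the default firewall exceptions; confirm with
# `winrm enumerate winrm/config/listener` that it did not add an HTTP listener
# alongside the HTTPS one.
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
# The build talks to the HTTPS listener only (winrm_use_ssl in the template),
# so unencrypted transport is never needed; keep it disabled on both the
# service and the client side so the relaxed setting does not ship in the AMI.
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="false"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="false"}'
# Basic auth is what the Packer communicator uses by default; over TLS the
# credentials are protected. Only the service side needs it, and CredSSP
# (credential delegation) is not used by the communicator, so it stays at
# its default of disabled.
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
# Open only the WinRM HTTPS port. The legacy `netsh firewall` context is
# deprecated; `netsh advfirewall` is the supported equivalent. Enabling the
# whole "remote administration" rule group is wider than the build needs.
cmd.exe /c netsh advfirewall firewall add rule name="WinRM_HTTPS" dir=in action=allow protocol=TCP localport=5986
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm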
</powershell>