2

I'm trying to build a Windows AMI using Packer with the SSH communicator using AWS SSM session_manager (ssh_interface). Packer is able to connect to the builder Windows instance using SSH and session_manager but my PowerShell scripts are not executing on the packer builder instance. It looks like an issue with the shell with the SSH communicator in the PowerShell provisioner. What my PowerShell script does is download a couple of packages (like MSEdge browser and Sysmon) and install them on the instance. I'm getting the following error while doing the packer build:

    base-ami-windows-builder.amazon-ebs.windows-base-ami: Adding tag: "Name": "Packer Builder"
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Instance ID: i-0f03b00afd90f9f16
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Waiting for instance (i-0f03b00afd90f9f16) to become ready...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Using SSH communicator to connect: localhost
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Waiting for SSH to become available...
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Starting portForwarding session "ns.com-0c4ad564a90e86797".
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Starting session with SessionId: ns.com-0c4ad564a90e86797
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Port 8807 opened for sessionId ns.com-0c4ad564a90e86797.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Waiting for connections...
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Connection accepted for session [ns.com-0c4ad564a90e86797]
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Connected to SSH!
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Provisioning with Powershell...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Provisioning with powershell script: /var/folders/2j/s33gtchs13n2jkn_6qc8w0fm0000gn/T/powershell-provisioner37195405
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Hello from PowerShell
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Provisioning with Powershell...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Provisioning with powershell script: ./basic-tools-installation.ps1
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Folder doesn't exists
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:     Directory: C:\
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Mode                LastWriteTime         Length Name
    base-ami-windows-builder.amazon-ebs.windows-base-ami: ----                -------------         ------ ----
    base-ami-windows-builder.amazon-ebs.windows-base-ami: d-----        6/16/2022   2:35 PM                setupfiles
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:     Directory: C:\setupfiles
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Mode                LastWriteTime         Length Name
    base-ami-windows-builder.amazon-ebs.windows-base-ami: ----                -------------         ------ ----
    base-ami-windows-builder.amazon-ebs.windows-base-ami: d-----        6/16/2022   2:35 PM                logs
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Created folders
    base-ami-windows-builder.amazon-ebs.windows-base-ami: The FolderName is C:\setupfiles
    base-ami-windows-builder.amazon-ebs.windows-base-ami: The LogFolderName is C:\setupfiles\logs
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Installing Microsoft Edge browser
    base-ami-windows-builder.amazon-ebs.windows-base-ami: The Download path is C:\Users\Administrator\AppData\Local\Temp\edgeinstall\MicrosoftEdgeEnterpriseX64.msi
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Verifying Microsoft Edge browser installation...
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami: DisplayName           DisplayVersion Publisher InstallDate
    base-ami-windows-builder.amazon-ebs.windows-base-ami: -----------           -------------- --------- -----------
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Microsoft Edge Update 1.3.145.49
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Retrieving Sysmon...
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Sysmon Retrived
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Changing working directory to C:\setupfiles
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Unzip Sysmon...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Write-Progress : Win32 internal error "Access is denied" 0x5 occurred while reading the console output buffer. Contact
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Microsoft Customer Support Services.
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: At
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1:1132
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: char:9
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: +         Write-Progress -Activity $cmdletName -Status $status -Percent ...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==> base-ami-windows-builder.amazon-ebs.windows-base-ami:     + CategoryInfo          : ReadError: (:) [Write-Progress], HostException
==> base-ami-windows-builder.amazon-ebs.windows-base-ami:     + FullyQualifiedErrorId : ReadConsoleOutput,Microsoft.PowerShell.Commands.WriteProgressCommand
==> base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Unzip Complete.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Retrieving Configuration File...
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Configuration File Retrieved.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Installing Sysmon...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami: System Monitor v13.34 - System activity monitor
    base-ami-windows-builder.amazon-ebs.windows-base-ami: By Mark Russinovich and Thomas Garnier
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Copyright (C) 2014-2022 Microsoft Corporation
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Sysinternals - www.sysinternals.com
    base-ami-windows-builder.amazon-ebs.windows-base-ami:
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Loading configuration file with schema version 4.50
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Sysmon schema version: 4.81
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Configuration file validated.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Sysmon64 installed.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: SysmonDrv installed.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Starting SysmonDrv.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: SysmonDrv started.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Starting Sysmon64..
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Sysmon64 started.
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Sysmon Installed!
    base-ami-windows-builder.amazon-ebs.windows-base-ami: Windows defender is enabled
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Exception calling "EndProcessing" with "0" argument(s): "Win32 internal error "Access is denied" 0x5 occurred while
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: reading the console output buffer. Contact Microsoft Customer Support Services."
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: At line:146 char:17
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: +                 $__cmdletization_objectModelWrapper.EndProcessing()
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==> base-ami-windows-builder.amazon-ebs.windows-base-ami:     + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException
==> base-ami-windows-builder.amazon-ebs.windows-base-ami:     + FullyQualifiedErrorId : HostException
==> base-ami-windows-builder.amazon-ebs.windows-base-ami:
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Provisioning step had errors: Running the cleanup provisioner, if present...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Terminating the source AWS instance...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Bad exit status: -1
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Cleaning up any extra volumes...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: No volumes to clean up, skipping
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Deleting temporary security group...
==> base-ami-windows-builder.amazon-ebs.windows-base-ami: Deleting temporary keypair...
Build 'base-ami-windows-builder.amazon-ebs.windows-base-ami' errored after 11 minutes 9 seconds: Script exited with non-zero exit status: 1.Allowed exit codes are: [0]

==> Wait completed after 11 minutes 9 seconds

I've tried the execute_command specified in the Packer documentation, but I'm getting the same error.

My PowerShell script:

$FolderName = "C:\setupfiles"
$LogFolderName = "$FolderName\logs"

if(Get-Item -Path $FolderName -ErrorAction Ignore)
{
    Write-Host "Folder Exists"
    
    #Create logs folder
    if(Get-Item -Path $LogFolderName -ErrorAction Ignore)
    {
        Write-Host "Logs folder already exists"
    }
    else
    {
        # PowerShell create logs directory if not exists
        Write-Host "Creating log folder"
        New-Item $LogFolderName -ItemType Directory
    }
}
else
{
    Write-Host "Folder doesn't exists"
    
    # PowerShell create directories if not exists
    New-Item $FolderName -ItemType Directory
    New-Item $LogFolderName -ItemType Directory
    Write-Host "Created folders"
}

Write-Host "The FolderName is $FolderName"

Write-Host "The LogFolderName is $LogFolderName"

# Installing Microsoft Edge browser

Write-Host "Installing Microsoft Edge browser"
md -Path $env:temp\edgeinstall -erroraction SilentlyContinue | Out-Null
$Download = join-path $env:temp\edgeinstall MicrosoftEdgeEnterpriseX64.msi

Write-Host "The Download path is $Download"

Invoke-WebRequest 'https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/a2662b5b-97d0-4312-8946-598355851b3b/MicrosoftEdgeEnterpriseX64.msi'  -OutFile $Download

Start-Process "$Download" -ArgumentList "/quiet"

Start-Sleep -Seconds 30

# Verifying Microsoft Edge installation

Write-Host "Verifying Microsoft Edge browser installation..."

$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

$INSTALLED | ?{ $_.DisplayName -match 'edge' } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

# SysMon Installation
Write-Host "Retrieving Sysmon..."

Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -Outfile $FolderName\Sysmon.zip

Write-Host "Sysmon Retrived"

Write-Host "Changing working directory to $FolderName"

Set-Location $FolderName

Write-Host "Unzip Sysmon..."

Expand-Archive Sysmon.zip

Set-Location $FolderName\Sysmon

Write-Host "Unzip Complete."

Write-Host "Retrieving Configuration File..."

Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -Outfile sysmonconfig-export.xml

Write-Host "Configuration File Retrieved."

Write-Host "Installing Sysmon..."

.\sysmon64.exe -accepteula -i sysmonconfig-export.xml

Write-Host "Sysmon Installed!"

# Check the status of Windows Defender
$Windows_Defender_status = Get-MpComputerStatus
if ($Windows_Defender_status.AntivirusEnabled -eq "true")
  {
      Write-Output "Windows defender is enabled"
      Update-MpSignature -UpdateSource MicrosoftUpdateServer
  }
else
  {
      Write-Output "Installing Windows defender...."
      Add-WindowsFeature Windows-Defender
  }

Used the following Packer template:

source "amazon-ebs" "windows-base-ami" {
    source_ami           = "ami-07d4836e0aad1ece7"  ## Windows server 2019 provided by Amazon
    instance_type        = "${var.aws_instance_type}"
    ami_name             = "${var.ami_name}-${local.timestamp}-${var.regionAbbreviation}-${var.aws_env}"
    shutdown_behavior    = "terminate"
    subnet_id            = "${var.aws_subnet_id}"
    vpc_id               = "${var.aws_vpc_id}"
    region               = "${var.aws_region}"
    iam_instance_profile = var.iam_instance_profile
    ssh_username         = "Administrator"
    ssh_timeout          = "22h"
    ssh_interface        = "session_manager"
    communicator         = "ssh"
    ssh_port             = 22
    user_data_file       = "./openssh-user-data.ps1"
    launch_block_device_mappings {
        device_name           = "/dev/sda1"
        volume_size           = 40
        volume_type           = "gp2"
        delete_on_termination = true
    }

}

build {
    name = "base-ami-windows-builder"
    sources = ["source.amazon-ebs.windows-base-ami"]


    provisioner "powershell" {
        execute_command = "powershell -executionpolicy bypass \"& { if (Test-Path variable:global:ProgressPreference){$ProgressPreference='SilentlyContinue'};. {{.Vars}}; &'{{.Path}}'; exit $LastExitCode }\""
        script = "./basic-tools-installation.ps1"
    }

}

user_data_file (openssh-user-data.ps1 in the template above):

<powershell>

# Install sshd
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

# Save the public key from instance metadata
# New-Item -Path C:\Windows\System32\OpenSSH\administrators_authorized_keys -ItemType File
# Set-Content -Path C:\Windows\System32\OpenSSH\administrators_authorized_keys -Value ((New-Object System.Net.WebClient).DownloadString('http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key'))

# Save the public key from instance metadata
New-Item -Path C:\ProgramData\ssh\administrators_authorized_keys -ItemType File
Set-Content -Path C:\ProgramData\ssh\administrators_authorized_keys -Value ((New-Object System.Net.WebClient).DownloadString('http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key'))

# Set sshd to automatic and start
Set-Service -Name sshd -StartupType "Automatic"
Start-Service sshd

# Set appropriate permissions on administrators_authorized_keys by copying them from an existing key 
Get-ACL C:\ProgramData\ssh\ssh_host_dsa_key | Set-ACL C:\ProgramData\ssh\administrators_authorized_keys

# Set ssh-agent to automatic and start
# Must set to automatic first as the default state is disabled
Set-Service -Name ssh-agent -StartupType "Automatic"
Start-Service ssh-agent

</powershell>

The same PowerShell script worked with the WinRM communicator. Is there any issue in executing the PowerShell script through the SSH communicator? Could someone help me with this?

nikhilsoman

1 Answer

0

I ran into a similar issue but with Invoke-WebRequest. Adding $ProgressPreference = "SilentlyContinue" seemed to solve the issue, not sure why though. Hope it helps one year later!

Dan
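
One way to apply the answer's setting to the Sysmon and Defender steps from the question, as an added example that is not code from the asker or the answerer. It sets the preference at global scope because Expand-Archive and Update-MpSignature run as script-module functions (see the Archive.psm1 and cmdletization frames in the log), which read preference variables from global scope rather than from the calling script. It also goes beyond the question's script by checking the Authenticode signature before running the download. Assert-MicrosoftSigned is a hypothetical helper, and the config file is assumed to be staged in C:\setupfiles already.

```powershell
# Added example, not the asker's script. Paths follow the question's layout.
$ErrorActionPreference = 'Stop'

# Script-module functions resolve preference variables from global scope,
# so set the preference there instead of only in the script's own scope.
$global:ProgressPreference = 'SilentlyContinue'

function Assert-MicrosoftSigned {
    # Hypothetical helper: refuse to run a downloaded binary unless its
    # Authenticode signature validates and names Microsoft as the signer.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${Path}: $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Unexpected signer for ${Path}: $($sig.SignerCertificate.Subject)"
    }
}

$FolderName = 'C:\setupfiles'
$SysmonZip  = Join-Path $FolderName 'Sysmon.zip'
$SysmonDir  = Join-Path $FolderName 'Sysmon'
# Assumption: the Sysmon config was reviewed and staged here beforehand.
$ConfigPath = Join-Path $FolderName 'sysmonconfig-export.xml'

New-Item -Path $FolderName -ItemType Directory -Force | Out-Null
Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/Sysmon.zip' -OutFile $SysmonZip -UseBasicParsing

# Expand-Archive calls Write-Progress internally; with the global preference
# set, the host no longer tries to draw a progress bar on the SSH session.
Expand-Archive -Path $SysmonZip -DestinationPath $SysmonDir -Force

$SysmonExe = Join-Path $SysmonDir 'Sysmon64.exe'
Assert-MicrosoftSigned -Path $SysmonExe

# Run the installer and fail the build on a non-zero exit code.
& $SysmonExe -accepteula -i $ConfigPath
if ($LASTEXITCODE -ne 0) { throw "Sysmon install exited with $LASTEXITCODE" }

# Update-MpSignature is a CIM-based cmdlet that also reports progress.
if ((Get-MpComputerStatus).AntivirusEnabled) {
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
}
```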