Skip to content

UKHomeOffice/dq-packer-encrypt-copy

BranchesTags
 
 

Repository files navigation

Packer encrypt copy

This will be useful if:

  • You can't copy images that are public (aws limitation)
  • You can't copy images between accounts that are encrypted (aws limitation)
  • You don't mind your origin image being unencrypted
  • You want your running images with your actual data to be encrypted
  • You maybe have pay as you go licences RHEL or Windows that would be lost through other means (you can't specify the billing code yourself if you share/copy snapshots)

What happens:

  • packer brings up an ec2 instance with the AMI in the destination account
  • packer makes an unencrypted AMI from that
  • packer makes an encrypted copy from that AMI
  • packer destroys the unencrypted AMI
  • new AMI in the destination account with a name like something copied from ami-xxxxx so you can follow it back

Things to be aware of / downsides:

  • There is a chance that when packer starts the image, something happens that won't happen on subsequent boots or changes things (cloud-init maybe?) and you'll end up imaging an 'unsealed' image.

Vulnerabilities

We base our "encrypt-copy" image on Hashicorp's latest "Packer" Docker image.
However, their image is not updated very frequently (at time of writing it is 3 months old) therefore vulnerabilities will creep in.
We attempt to fix these by updating and upgrading the Alpine packages.
However, some (e.g. golang) do not appear to be resolvable so they are added to the .trivyignore file.
These counter-measures (added packages and ignorefile) should be revisited every month when our routine vulnerability process is run.

Usage:

Docker

docker run \
  --rm \
  -e region=eu-west-2 \
  -e aws_id=... \
  -e aws_key=... \
  -e filters="--owner 000000 --filters "Name=name,Values=something*"" \
  -e os="<OS TO BE COPIED>"
  UKHomeOffice/dq-packer-encrypt-copy

Drone

  packer-copy-notprod:
    image: UKHomeOffice/dq-packer-encrypt-copy
    commands:
      - export region=eu-west-2
      - export aws_id=$${NOTPROD_ACC_ID}
      - export aws_key=$${NOTPROD_ACC_KEY}
      - export filters="--owner 000000 --filters "Name=name,Values=something*""
      - export os="<OS TO BE COPIED>"
      - ./build.sh
    secrets:
        - NOTPROD_ACC_ID
        - NOTPROD_ACC_KEY
    when:
      event: push
      branch: master

Improvements

  • allow instance_type to be configurable
  • skip temp ssh key pair creation
  • skip temp security group creation
  • test with windows

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

10 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • PowerShell 66.9%
  • Shell 22.3%
  • Dockerfile 10.8%