feat(windows) add AWS EC2 builds (2019 and 2022)

Jenkinsfile_k8s

@@ -95,7 +95,7 @@ pipeline {
           }
         }
         excludes {
-          // Only build Ubuntu images for arm64 CPU in AWS (notValues)
+          // Only build arm64 VMs when OS is Ubuntu (notValues) as Windows Server amr64 does not exist anywhere
           exclude {
             axis {
               name 'cpu_architecture'
@@ -105,36 +105,6 @@ pipeline {
               name 'agent_type'
               notValues 'ubuntu-22.04'
             }
-            axis {
-              name 'compute_type'
-              values 'amazon-ebs'
-            }
-          }
-          // Exclude 'amazon-ebs' Windows builds while testing for Linux AMI
-          exclude {
-            axis {
-              name 'agent_type'
-              values 'windows-2019', 'windows-2022'
-            }
-            axis {
-              name 'compute_type'
-              values 'amazon-ebs'
-            }
-          }
-          // Only build Ubuntu images for arm64 CPU in Azure (notValues)
-          exclude {
-            axis {
-              name 'cpu_architecture'
-              values 'arm64'
-            }
-            axis {
-              name 'agent_type'
-              notValues 'ubuntu-22.04'
-            }
-            axis {
-              name 'compute_type'
-              values 'azure-arm'
-            }
           }
           // No build on Windows or Docker, not yet implemented
           exclude {

build-jenkins-agent-ubuntu.pkr.hcl

@@ -6,8 +6,6 @@ build {
   source "amazon-ebs.base" {
     name         = "ubuntu"
     ssh_username = "ubuntu"
-    # Egg-and-chicken: what is the base image to start from (eg. what is my egg)?
-    source_ami = try(local.images_versions["aws"]["ubuntu"][var.agent_os_version][var.architecture], "N/A")
   }
 
   source "azure-arm.base" {
@@ -17,7 +15,7 @@ build {
     image_publisher = "canonical"
     # List available SKUs with the command `az vm image list-skus --offer 0001-com-ubuntu-server-jammy --location eastus --publisher canonical --output table`
     image_sku = local.az_instance_image_sku[var.architecture]
-    image_version = try(local.images_versions["azure"]["ubuntu"][var.agent_os_version][var.architecture], "N/A")
+    image_version = try(local.images_versions["azure"][var.agent_os_type][var.agent_os_version][var.architecture], "N/A")
     os_type   = "Linux"
   }
 

build-jenkins-agent-windows.pkr.hcl

@@ -1,4 +1,14 @@
 build {
+  source "amazon-ebs.base" {
+    name           = "windows"
+    communicator   = "winrm"
+    user_data_file = "./provisioning/setupWinRM.ps1"
+    winrm_insecure = true
+    winrm_timeout  = "20m"
+    winrm_use_ssl  = true
+    winrm_username = local.windows_winrm_user[var.image_type]
+  }
+
   source "azure-arm.base" {
     name         = "windows"
     communicator = "winrm"
@@ -9,7 +19,7 @@ build {
     image_sku       = "${var.agent_os_version}-datacenter-core-g2"
     image_version   = try(local.images_versions["azure"]["windows"][var.agent_os_version][var.architecture], "N/A")
     os_type         = "Windows"
-    os_disk_size_gb = local.windows_disk_size_gb
+    os_disk_size_gb = local.disk_size_gb
     winrm_insecure  = true
     winrm_timeout   = "20m"
     winrm_use_ssl   = true
@@ -50,19 +60,18 @@ build {
   }
 
   provisioner "file" {
+    # Previous provisioner might restart
     pause_before = "1m"
     source       = "./provisioning/addSSHPubKey.ps1"
     destination  = "C:/"
   }
 
   provisioner "file" {
-    pause_before = "1m"
     source       = "./provisioning/visualstudio.vsconfig"
     destination  = "C:/"
   }
 
   provisioner "powershell" {
-    pause_before      = "1m"
     environment_vars  = local.provisioning_env_vars
     elevated_user     = local.windows_winrm_user[var.image_type]
     elevated_password = build.Password
@@ -73,6 +82,8 @@ build {
   # ref. https:#www.packer.io/docs/builders/azure/arm#windows
   provisioner "windows-restart" {
     max_retries = 3
+    # Previous provisioner might restart
+    pause_before = "1m"
   }
 
   provisioner "file" {
@@ -101,20 +112,13 @@ build {
   }
 
   provisioner "powershell" {
-    pause_before     = "2m" # long pause as 1m is not enough
     environment_vars = local.provisioning_env_vars
     inline = [
       "$ErrorActionPreference = 'Stop'",
       "goss --version",
-      "goss --use-alpha=1 --gossfile C:/goss-windows-${var.agent_os_version}.yaml --loglevel DEBUG validate",
-      "goss --use-alpha=1 --gossfile C:/goss-windows.yaml --loglevel DEBUG validate",
-      "goss --use-alpha=1 --gossfile C:/goss-common.yaml --loglevel DEBUG validate",
-    ]
-  }
-
-  provisioner "powershell" {
-    environment_vars = local.provisioning_env_vars
-    inline = [
+      "goss --use-alpha=1 --gossfile C:/goss-windows-${var.agent_os_version}.yaml --loglevel DEBUG validate --max-concurrent=4",
+      "goss --use-alpha=1 --gossfile C:/goss-windows.yaml --loglevel DEBUG validate --max-concurrent=4",
+      "goss --use-alpha=1 --gossfile C:/goss-common.yaml --loglevel DEBUG validate --max-concurrent=4",
       "Remove-Item -Force C:/goss-windows.yaml",
       "Remove-Item -Force C:/goss-common.yaml",
       "Remove-Item -Force C:/visualstudio.vsconfig",
@@ -131,4 +135,16 @@ build {
       "while($true) { $imageState = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\State | Select ImageState; if($imageState.ImageState -ne 'IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE') { Write-Output $imageState.ImageState; Start-Sleep -s 10  } else { break } }"
     ]
   }
+
+  # This provisioner must be the last for AWS EBS builds, after reboots
+  provisioner "powershell" {
+    only              = ["amazon-ebs.windows"]
+    elevated_user     = local.windows_winrm_user[var.image_type]
+    elevated_password = build.Password
+
+    inline = [
+      "& 'C:/Program Files/Amazon/EC2Launch/ec2launch' reset --block",
+      "& 'C:/Program Files/Amazon/EC2Launch/ec2launch' sysprep --block",
+    ]
+  }
 }

images-versions.yaml

@@ -14,6 +14,11 @@ aws:
     "22.04":
       amd64: ami-09ab820c5a11a5cf7
       arm64: ami-011c271ddbf145636
+  windows:
+    "2019":
+      amd64: ami-08b54f8d132ebd12d
+    "2022":
+      amd64: ami-091cb95e3a8474173
 docker:
   ubuntu:
     "22.04":

locals.pkr.hcl

@@ -5,7 +5,6 @@ locals {
   image_name            = format("jenkins-agent-%s-%s-%s", var.agent_os_type, var.agent_os_version, var.architecture)
   unique_image_name     = format("%s-%s", local.image_name, local.now_unix_timestamp)
 
-
   aws_instance_types = {
     "amd64" = "t3.xlarge"
     "arm64" = "t4g.xlarge"
@@ -19,7 +18,7 @@ locals {
   windows_winrm_user = {
     "azure-arm" = "packer"
     "docker"    = "packer"
-    "amazon-ebs" = "Administrator"
+    "amazon-ebs" = "Administrator" # In AWS EC2, WinRM super admin must be the "Administrator" account
   }
 
   images_versions = yamldecode(file("./images-versions.yaml"))
@@ -34,7 +33,7 @@ locals {
     "staging_packer_images" = ["East US 2"]
     "dev_packer_images"     = ["East US 2"]
   }
-  windows_disk_size_gb = 150 # Must be greater than 127 Gb to allow Azure template to work with
+  disk_size_gb = 150 # Must be greater than 127 Gb to allow Azure template for Windows
   provisioning_env_vars = concat(
     [for key, value in yamldecode(file(var.provision_env_file)) : "${upper(key)}=${value}"],
     [

provisioning/windows-provision.ps1

@@ -165,7 +165,11 @@ $downloads = [ordered]@{
     };
     'hadolint' = @{
         'url' = 'https://github.com/hadolint/hadolint/releases/download/v{0}/hadolint-Windows-x86_64.exe' -f $env:HADOLINT_VERSION;
-        'local' = "$baseDir\hadolint.exe"
+        'local' = "$baseDir\hadolint.exe";
+        'postExpand' = {
+            ## First call to hadolint is slow (initialize some local resources). Lets pre-heat it to avoid timeouts during tests later
+            & "$baseDir\hadolint.exe" -v;
+        };
     };
     'cst' = @{
         'url' = 'https://github.com/GoogleContainerTools/container-structure-test/releases/download/v{0}/container-structure-test-windows-amd64.exe' -f $env:CST_VERSION;

sources.pkr.hcl

@@ -1,26 +1,34 @@
 # This source defines all the common settings for any AWS AMI (whatever Operating System)
 source "amazon-ebs" "base" {
-
-
   ami_name      = "${local.image_name}-${var.architecture}-${local.now_unix_timestamp}"
   instance_type = local.aws_instance_types[var.architecture]
 
+  # Egg-and-chicken: what is the base image to start from (eg. what is my egg)?
+  # Note: tracked by updatecli
+  source_ami = try(local.images_versions["aws"][var.agent_os_type][var.agent_os_version][var.architecture], "N/A")
 
   # Define custom rootfs for build to avoid later filesystem extension during agent startups
   launch_block_device_mappings {
     delete_on_termination = true
     device_name           = "/dev/sda1"
-    volume_size           = local.windows_disk_size_gb # TODO: check if we can rename this local to cover both windows and Ubuntu
+    volume_size           = local.disk_size_gb # TODO: check if we can rename this local to cover both windows and Ubuntu
     volume_type           = "gp3"
   }
 
+  # Enforce IMDS v2 as per https://aws.amazon.com/blogs/security/get-the-full-benefits-of-imdsv2-and-disable-imdsv1-across-your-aws-infrastructure/
+  imds_support = "v2.0"
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens = "required"
+    http_put_response_hop_limit = 1 # Do not allow access to IMDS through NAT-ed containers
+    instance_metadata_tags = "disabled"
+  }
 
   # Where to export the AMI
   ami_regions = [
     var.aws_destination_region
   ]
 
-
   # To improve audit and garbage collecting, we provide tags
   tags = {
     Name          = "${local.image_name}-Packer-${var.architecture}"

tests/goss-common.yaml

@@ -51,11 +51,6 @@ command:
     exit-status: 0
     stdout:
       - 0.4.9
-  hadolint:
-    exec: hadolint -v
-    exit-status: 0
-    stdout:
-      - 2.12.0
   jq:
     exec: jq --version
     exit-status: 0

tests/goss-linux.yaml

@@ -37,6 +37,11 @@ command:
     exit-status: 0
     stdout:
       - 1.55.2
+  hadolint:
+    exec: hadolint --version
+    exit-status: 0
+    stdout:
+      - 2.12.0
   helm:
     exec: helm version
     exit-status: 0