Add validation checks for session_manager

* Session manager connectivity only supported via SSH
* Session manager requires the use of an iam instance profile with system manager permissions

builder/amazon/common/run_config.go

@@ -400,7 +400,7 @@ type RunConfig struct {
 	//    variable.
 	//
 	//    When using `session_manager` the machine running Packer must have
-	//	  the AWS Session Manager Plugin installed and within its path.
+	//	  the AWS Session Manager Plugin installed and within the users' or system path.
 	//    https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
 	SSHInterface string `mapstructure:"ssh_interface"`
 }
@@ -450,6 +450,20 @@ func (c *RunConfig) Prepare(ctx *interpolate.Context) []error {
 		errs = append(errs, fmt.Errorf("Unknown interface type: %s", c.SSHInterface))
 	}
 
+	// Connectivity via Session Manager has a few requirements
+	if c.SSHInterface == "session_manager" {
+		if c.Comm.Type == "winrm" {
+			msg := fmt.Errorf(`connectivity via %q is not currently supported with the %q communicator; please use "ssh"`, c.SSHInterface, c.Comm.Type)
+			errs = append(errs, msg)
+		}
+
+		// TODO (nywilken) add support for temporary iam instance policy generation
+		if c.IamInstanceProfile == "" {
+			msg := fmt.Errorf(`no iam_instance_profile defined; when using %q a valid instance profile with SSM managed instance permissions is required`, c.SSHInterface)
+			errs = append(errs, msg)
+		}
+	}
+
 	if c.Comm.SSHKeyPairName != "" {
 		if c.Comm.Type == "winrm" && c.Comm.WinRMPassword == "" && c.Comm.SSHPrivateKeyFile == "" {
 			errs = append(errs, fmt.Errorf("ssh_private_key_file must be provided to retrieve the winrm password when using ssh_keypair_name."))
@@ -539,3 +553,7 @@ func (c *RunConfig) Prepare(ctx *interpolate.Context) []error {
 func (c *RunConfig) IsSpotInstance() bool {
 	return c.SpotPrice != "" && c.SpotPrice != "0"
 }
+
+func (c *RunConfig) SSMAgentEnabled() bool {
+	return c.SSHInterface == "session_manager" && c.IamInstanceProfile != ""
+}

builder/amazon/ebs/builder.go

@@ -239,7 +239,7 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 			SecurityGroupIds:       b.config.SecurityGroupIds,
 			CommConfig:             &b.config.RunConfig.Comm,
 			TemporarySGSourceCidrs: b.config.TemporarySGSourceCidrs,
-			SkipSSHRuleCreation:    b.config.SSHInterface == "session_manager",
+			SkipSSHRuleCreation:    b.config.SSMAgentEnabled(),
 		},
 		&awscommon.StepIamInstanceProfile{
 			IamInstanceProfile:                        b.config.IamInstanceProfile,
@@ -259,7 +259,7 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 		&awscommon.StepCreateSSMTunnel{
 			AWSSession:      session,
 			DstPort:         b.config.Comm.Port(),
-			SSMAgentEnabled: b.config.SSHInterface == "session_manager",
+			SSMAgentEnabled: b.config.SSMAgentEnabled(),
 		},
 		&communicator.StepConnect{
 			// StepConnect is provided settings for WinRM and SSH, but

website/pages/partials/builder/amazon/common/RunConfig-not-required.mdx

@@ -311,6 +311,6 @@
        variable.
     
        When using `session_manager` the machine running Packer must have
-    	  the AWS Session Manager Plugin installed and within its path.
+    	  the AWS Session Manager Plugin installed and within the users' or system path.
        https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html