packer-cn/post-processor/googlecompute-import/post-processor.go

370 lines
13 KiB
Go

//go:generate struct-markdown
//go:generate mapstructure-to-hcl2 -type Config
package googlecomputeimport
import (
"context"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"fmt"
"io/ioutil"
"os"
"strings"
"time"
"google.golang.org/api/compute/v1"
"google.golang.org/api/option"
"google.golang.org/api/storage/v1"
"github.com/hashicorp/hcl/v2/hcldec"
"github.com/hashicorp/packer/builder/googlecompute"
"github.com/hashicorp/packer/packer-plugin-sdk/common"
packersdk "github.com/hashicorp/packer/packer-plugin-sdk/packer"
"github.com/hashicorp/packer/packer-plugin-sdk/template/config"
"github.com/hashicorp/packer/packer-plugin-sdk/template/interpolate"
"github.com/hashicorp/packer/post-processor/artifice"
"github.com/hashicorp/packer/post-processor/compress"
)
type Config struct {
common.PackerConfig `mapstructure:",squash"`
//The JSON file containing your account credentials.
//If specified, the account file will take precedence over any `googlecompute` builder authentication method.
AccountFile string `mapstructure:"account_file" required:"true"`
// This allows service account impersonation as per the [docs](https://cloud.google.com/iam/docs/impersonating-service-accounts).
ImpersonateServiceAccount string `mapstructure:"impersonate_service_account" required:"false"`
//The project ID where the GCS bucket exists and where the GCE image is stored.
ProjectId string `mapstructure:"project_id" required:"true"`
IAP bool `mapstructure-to-hcl:",skip"`
//The name of the GCS bucket where the raw disk image will be uploaded.
Bucket string `mapstructure:"bucket" required:"true"`
//The name of the GCS object in `bucket` where
//the RAW disk image will be copied for import. This is treated as a
//[template engine](/docs/templates/engine). Therefore, you
//may use user variables and template functions in this field. Defaults to
//`packer-import-{{timestamp}}.tar.gz`.
GCSObjectName string `mapstructure:"gcs_object_name"`
//The description of the resulting image.
ImageDescription string `mapstructure:"image_description"`
//The name of the image family to which the resulting image belongs.
ImageFamily string `mapstructure:"image_family"`
//A list of features to enable on the guest operating system. Applicable only for bootable images. Valid
//values are `MULTI_IP_SUBNET`, `UEFI_COMPATIBLE`,
//`VIRTIO_SCSI_MULTIQUEUE` and `WINDOWS` currently.
ImageGuestOsFeatures []string `mapstructure:"image_guest_os_features"`
//Key/value pair labels to apply to the created image.
ImageLabels map[string]string `mapstructure:"image_labels"`
//The unique name of the resulting image.
ImageName string `mapstructure:"image_name" required:"true"`
//Skip removing the TAR file uploaded to the GCS
//bucket after the import process has completed. "true" means that we should
//leave it in the GCS bucket, "false" means to clean it out. Defaults to
//`false`.
SkipClean bool `mapstructure:"skip_clean"`
VaultGCPOauthEngine string `mapstructure:"vault_gcp_oauth_engine"`
//A key used to establish the trust relationship between the platform owner and the firmware. You may only specify one platform key, and it must be a valid X.509 certificate.
ImagePlatformKey string `mapstructure:"image_platform_key"`
//A key used to establish a trust relationship between the firmware and the OS. You may specify multiple comma-separated keys for this value.
ImageKeyExchangeKey []string `mapstructure:"image_key_exchange_key"`
//A database of certificates that have been revoked and will cause the system to stop booting if a boot file is signed with one of them. You may specify single or multiple comma-separated values for this value.
ImageSignaturesDB []string `mapstructure:"image_signatures_db"`
//A database of certificates that are trusted and can be used to sign boot files. You may specify single or multiple comma-separated values for this value.
ImageForbiddenSignaturesDB []string `mapstructure:"image_forbidden_signatures_db"`
account *googlecompute.ServiceAccount
ctx interpolate.Context
}
type PostProcessor struct {
config Config
}
func (p *PostProcessor) ConfigSpec() hcldec.ObjectSpec { return p.config.FlatMapstructure().HCL2Spec() }
func (p *PostProcessor) Configure(raws ...interface{}) error {
err := config.Decode(&p.config, &config.DecodeOpts{
PluginType: BuilderId,
Interpolate: true,
InterpolateContext: &p.config.ctx,
InterpolateFilter: &interpolate.RenderFilter{
Exclude: []string{
"gcs_object_name",
},
},
}, raws...)
if err != nil {
return err
}
errs := new(packersdk.MultiError)
// Set defaults
if p.config.GCSObjectName == "" {
p.config.GCSObjectName = "packer-import-{{timestamp}}.tar.gz"
}
// Check and render gcs_object_name
if err = interpolate.Validate(p.config.GCSObjectName, &p.config.ctx); err != nil {
errs = packersdk.MultiErrorAppend(
errs, fmt.Errorf("Error parsing gcs_object_name template: %s", err))
}
if p.config.AccountFile != "" {
if p.config.VaultGCPOauthEngine != "" && p.config.ImpersonateServiceAccount != "" {
errs = packersdk.MultiErrorAppend(errs, fmt.Errorf("You cannot "+
"specify impersonate_service_account, account_file and vault_gcp_oauth_engine at the same time"))
}
cfg, err := googlecompute.ProcessAccountFile(p.config.AccountFile)
if err != nil {
errs = packersdk.MultiErrorAppend(errs, err)
}
p.config.account = cfg
}
templates := map[string]*string{
"bucket": &p.config.Bucket,
"image_name": &p.config.ImageName,
"project_id": &p.config.ProjectId,
}
for key, ptr := range templates {
if *ptr == "" {
errs = packersdk.MultiErrorAppend(
errs, fmt.Errorf("%s must be set", key))
}
}
if len(errs.Errors) > 0 {
return errs
}
return nil
}
func (p *PostProcessor) PostProcess(ctx context.Context, ui packersdk.Ui, artifact packersdk.Artifact) (packersdk.Artifact, bool, bool, error) {
generatedData := artifact.State("generated_data")
if generatedData == nil {
// Make sure it's not a nil map so we can assign to it later.
generatedData = make(map[string]interface{})
}
p.config.ctx.Data = generatedData
var err error
var opts option.ClientOption
opts, err = googlecompute.NewClientOptionGoogle(p.config.account, p.config.VaultGCPOauthEngine, p.config.ImpersonateServiceAccount)
if err != nil {
return nil, false, false, err
}
switch artifact.BuilderId() {
case compress.BuilderId, artifice.BuilderId:
break
default:
err := fmt.Errorf(
"Unknown artifact type: %s\nCan only import from Compress post-processor and Artifice post-processor artifacts.",
artifact.BuilderId())
return nil, false, false, err
}
p.config.GCSObjectName, err = interpolate.Render(p.config.GCSObjectName, &p.config.ctx)
if err != nil {
return nil, false, false, fmt.Errorf("Error rendering gcs_object_name template: %s", err)
}
rawImageGcsPath, err := UploadToBucket(opts, ui, artifact, p.config.Bucket, p.config.GCSObjectName)
if err != nil {
return nil, false, false, err
}
shieldedVMStateConfig, err := CreateShieldedVMStateConfig(p.config.ImageGuestOsFeatures, p.config.ImagePlatformKey, p.config.ImageKeyExchangeKey, p.config.ImageSignaturesDB, p.config.ImageForbiddenSignaturesDB)
if err != nil {
return nil, false, false, err
}
gceImageArtifact, err := CreateGceImage(opts, ui, p.config.ProjectId, rawImageGcsPath, p.config.ImageName, p.config.ImageDescription, p.config.ImageFamily, p.config.ImageLabels, p.config.ImageGuestOsFeatures, shieldedVMStateConfig)
if err != nil {
return nil, false, false, err
}
if !p.config.SkipClean {
err = DeleteFromBucket(opts, ui, p.config.Bucket, p.config.GCSObjectName)
if err != nil {
return nil, false, false, err
}
}
return gceImageArtifact, false, false, nil
}
func FillFileContentBuffer(certOrKeyFile string) (*compute.FileContentBuffer, error) {
data, err := ioutil.ReadFile(certOrKeyFile)
if err != nil {
err := fmt.Errorf("Unable to read Certificate or Key file %s", certOrKeyFile)
return nil, err
}
shield := &compute.FileContentBuffer{
Content: base64.StdEncoding.EncodeToString(data),
FileType: "X509",
}
block, _ := pem.Decode(data)
if block == nil || block.Type != "CERTIFICATE" {
_, err = x509.ParseCertificate(data)
} else {
_, err = x509.ParseCertificate(block.Bytes)
}
if err != nil {
shield.FileType = "BIN"
}
return shield, nil
}
func CreateShieldedVMStateConfig(imageGuestOsFeatures []string, imagePlatformKey string, imageKeyExchangeKey []string, imageSignaturesDB []string, imageForbiddenSignaturesDB []string) (*compute.InitialStateConfig, error) {
shieldedVMStateConfig := &compute.InitialStateConfig{}
for _, v := range imageGuestOsFeatures {
if v == "UEFI_COMPATIBLE" {
if imagePlatformKey != "" {
shieldedData, err := FillFileContentBuffer(imagePlatformKey)
if err != nil {
return nil, err
}
shieldedVMStateConfig.Pk = shieldedData
}
for _, v := range imageKeyExchangeKey {
shieldedData, err := FillFileContentBuffer(v)
if err != nil {
return nil, err
}
shieldedVMStateConfig.Keks = append(shieldedVMStateConfig.Keks, shieldedData)
}
for _, v := range imageSignaturesDB {
shieldedData, err := FillFileContentBuffer(v)
if err != nil {
return nil, err
}
shieldedVMStateConfig.Dbs = append(shieldedVMStateConfig.Dbs, shieldedData)
}
for _, v := range imageForbiddenSignaturesDB {
shieldedData, err := FillFileContentBuffer(v)
if err != nil {
return nil, err
}
shieldedVMStateConfig.Dbxs = append(shieldedVMStateConfig.Dbxs, shieldedData)
}
}
}
return shieldedVMStateConfig, nil
}
func UploadToBucket(opts option.ClientOption, ui packersdk.Ui, artifact packersdk.Artifact, bucket string, gcsObjectName string) (string, error) {
service, err := storage.NewService(context.TODO(), opts)
if err != nil {
return "", err
}
ui.Say("Looking for tar.gz file in list of artifacts...")
source := ""
for _, path := range artifact.Files() {
ui.Say(fmt.Sprintf("Found artifact %v...", path))
if strings.HasSuffix(path, ".tar.gz") {
source = path
break
}
}
if source == "" {
return "", fmt.Errorf("No tar.gz file found in list of artifacts")
}
artifactFile, err := os.Open(source)
if err != nil {
err := fmt.Errorf("error opening %v", source)
return "", err
}
ui.Say(fmt.Sprintf("Uploading file %v to GCS bucket %v/%v...", source, bucket, gcsObjectName))
storageObject, err := service.Objects.Insert(bucket, &storage.Object{Name: gcsObjectName}).Media(artifactFile).Do()
if err != nil {
ui.Say(fmt.Sprintf("Failed to upload: %v", storageObject))
return "", err
}
return storageObject.SelfLink, nil
}
func CreateGceImage(opts option.ClientOption, ui packersdk.Ui, project string, rawImageURL string, imageName string, imageDescription string, imageFamily string, imageLabels map[string]string, imageGuestOsFeatures []string, shieldedVMStateConfig *compute.InitialStateConfig) (packersdk.Artifact, error) {
service, err := compute.NewService(context.TODO(), opts)
if err != nil {
return nil, err
}
// Build up the imageFeatures
imageFeatures := make([]*compute.GuestOsFeature, len(imageGuestOsFeatures))
for _, v := range imageGuestOsFeatures {
imageFeatures = append(imageFeatures, &compute.GuestOsFeature{
Type: v,
})
}
gceImage := &compute.Image{
Description: imageDescription,
Family: imageFamily,
GuestOsFeatures: imageFeatures,
Labels: imageLabels,
Name: imageName,
RawDisk: &compute.ImageRawDisk{Source: rawImageURL},
SourceType: "RAW",
ShieldedInstanceInitialState: shieldedVMStateConfig,
}
ui.Say(fmt.Sprintf("Creating GCE image %v...", imageName))
op, err := service.Images.Insert(project, gceImage).Do()
if err != nil {
ui.Say("Error creating GCE image")
return nil, err
}
ui.Say("Waiting for GCE image creation operation to complete...")
for op.Status != "DONE" {
op, err = service.GlobalOperations.Get(project, op.Name).Do()
if err != nil {
return nil, err
}
time.Sleep(5 * time.Second)
}
// fail if image creation operation has an error
if op.Error != nil {
var imageError string
for _, error := range op.Error.Errors {
imageError += error.Message
}
err = fmt.Errorf("failed to create GCE image %s: %s", imageName, imageError)
return nil, err
}
return &Artifact{paths: []string{op.TargetLink}}, nil
}
func DeleteFromBucket(opts option.ClientOption, ui packersdk.Ui, bucket string, gcsObjectName string) error {
service, err := storage.NewService(context.TODO(), opts)
if err != nil {
return err
}
ui.Say(fmt.Sprintf("Deleting import source from GCS %s/%s...", bucket, gcsObjectName))
err = service.Objects.Delete(bucket, gcsObjectName).Do()
if err != nil {
ui.Say(fmt.Sprintf("Failed to delete: %v/%v", bucket, gcsObjectName))
return err
}
return nil
}