25 KiB
description | layout | page_title | sidebar_current |
---|---|---|---|
The amazon-instance Packer builder is able to create Amazon AMIs backed by instance storage as the root device. For more information on the difference between instance storage and EBS-backed instances, see the storage for the root device section in the EC2 documentation. | docs | Amazon instance-store - Builders | docs-builders-amazon-instance |
AMI Builder (instance-store)
Type: amazon-instance
The amazon-instance
Packer builder is able to create Amazon AMIs backed by
instance storage as the root device. For more information on the difference
between instance storage and EBS-backed instances, see the "storage for the
root device" section in the EC2
documentation.
This builder builds an AMI by launching an EC2 instance from an existing instance-storage backed AMI, provisioning that running machine, and then bundling and creating a new AMI from that machine. This is all done in your own AWS account. The builder will create temporary key pairs, security group rules, etc. that provide it temporary access to the instance while the image is being created. This simplifies configuration quite a bit.
The builder does not manage AMIs. Once it creates an AMI and stores it in your account, it is up to you to use, delete, etc. the AMI.
-> Note: Temporary resources are, by default, all created with the prefix
packer
. This can be useful if you want to restrict the security groups and
key pairs packer is able to operate on.
-> Note: This builder requires that the Amazon EC2 AMI Tools are installed onto the machine. This can be done within a provisioner, but must be done before the builder finishes running.
~> Instance builds are not supported for Windows. Use amazon-ebs
instead.
Configuration Reference
There are many configuration options available for the builder. They are segmented below into two categories: required and optional parameters. Within each category, the available configuration keys are alphabetized.
In addition to the options listed here, a communicator can be configured for this builder.
Required:
-
access_key
(string) - The access key used to communicate with AWS. Learn how to set this. -
account_id
(string) - Your AWS account ID. This is required for bundling the AMI. This is not the same as the access key. You can find your account ID in the security credentials page of your AWS account. -
ami_name
(string) - The name of the resulting AMI that will appear when managing AMIs in the AWS console or via APIs. This must be unique. To help make this unique, use a function liketimestamp
(see configuration templates for more info) -
instance_type
(string) - The EC2 instance type to use while building the AMI, such asm1.small
. -
region
(string) - The name of the region, such asus-east-1
, in which to launch the EC2 instance to create the AMI. -
s3_bucket
(string) - The name of the S3 bucket to upload the AMI. This bucket will be created if it doesn't exist. -
secret_key
(string) - The secret key used to communicate with AWS. Learn how to set this. -
source_ami
(string) - The initial AMI used as a base for the newly created machine. -
x509_cert_path
(string) - The local path to a valid X509 certificate for your AWS account. This is used for bundling the AMI. This X509 certificate must be registered with your account from the security credentials page in the AWS console. -
x509_key_path
(string) - The local path to the private key for the X509 certificate specified byx509_cert_path
. This is used for bundling the AMI.
Optional:
-
ami_block_device_mappings
(array of block device mappings) - Add one or more block device mappings to the AMI. These will be attached when booting a new instance from your AMI. To add a block device during the Packer build seelaunch_block_device_mappings
below. Your options here may vary depending on the type of VM you use. The block device mappings allow for the following configuration:-
delete_on_termination
(boolean) - Indicates whether the EBS volume is deleted on instance termination. Defaultfalse
. NOTE: If this value is not explicitly set totrue
and volumes are not cleaned up by an alternative method, additional volumes will accumulate after every build. -
device_name
(string) - The device name exposed to the instance (for example,/dev/sdh
orxvdh
). Required when specifyingvolume_size
. -
encrypted
(boolean) - Indicates whether to encrypt the volume or not -
kms_key_id
(string) - The ARN for the KMS encryption key. When specifyingkms_key_id
,encrypted
needs to be set totrue
. -
iops
(number) - The number of I/O operations per second (IOPS) that the volume supports. See the documentation on IOPs for more information -
no_device
(boolean) - Suppresses the specified device included in the block device mapping of the AMI -
snapshot_id
(string) - The ID of the snapshot -
virtual_name
(string) - The virtual device name. See the documentation on Block Device Mapping for more information -
volume_size
(number) - The size of the volume, in GiB. Required if not specifying asnapshot_id
-
volume_type
(string) - The volume type.gp2
for General Purpose (SSD) volumes,io1
for Provisioned IOPS (SSD) volumes, andstandard
for Magnetic volumes
-
-
ami_description
(string) - The description to set for the resulting AMI(s). By default this description is empty. This is a template engine where theSourceAMI
variable is replaced with the source AMI ID andBuildRegion
variable is replaced with the value ofregion
. -
ami_groups
(array of strings) - A list of groups that have access to launch the resulting AMI(s). By default no groups have permission to launch the AMI.all
will make the AMI publicly accessible. AWS currently doesn't accept any value other thanall
. -
ami_product_codes
(array of strings) - A list of product codes to associate with the AMI. By default no product codes are associated with the AMI. -
ami_regions
(array of strings) - A list of regions to copy the AMI to. Tags and attributes are copied along with the AMI. AMI copying takes time depending on the size of the AMI, but will generally take many minutes. -
ami_users
(array of strings) - A list of account IDs that have access to launch the resulting AMI(s). By default no additional users other than the user creating the AMI has permissions to launch it. -
ami_virtualization_type
(string) - The type of virtualization for the AMI you are building. This option is required to register HVM images. Can beparavirtual
(default) orhvm
. -
associate_public_ip_address
(boolean) - If using a non-default VPC, public IP addresses are not provided by default. If this is toggled, your new instance will get a Public IP. -
availability_zone
(string) - Destination availability zone to launch instance in. Leave this empty to allow Amazon to auto-assign. -
bundle_destination
(string) - The directory on the running instance where the bundled AMI will be saved prior to uploading. By default this is/tmp
. This directory must exist and be writable. -
bundle_prefix
(string) - The prefix for files created from bundling the root volume. By default this isimage-{{timestamp}}
. Thetimestamp
variable should be used to make sure this is unique, otherwise it can collide with other created AMIs by Packer in your account. -
bundle_upload_command
(string) - The command to use to upload the bundled volume. See the "custom bundle commands" section below for more information. -
bundle_vol_command
(string) - The command to use to bundle the volume. See the "custom bundle commands" section below for more information. -
custom_endpoint_ec2
(string) - This option is useful if you use a cloud provider whose API is compatible with aws EC2. Specify another endpoint like thishttps://ec2.custom.endpoint.com
. -
ebs_optimized
(boolean) - Mark instance as EBS Optimized. Defaultfalse
. -
ena_support
(boolean) - Enable enhanced networking (ENA but not SriovNetSupport) on HVM-compatible AMIs. If true, addec2:ModifyInstanceAttribute
to your AWS IAM policy. Note: you must make sure enhanced networking is enabled on your instance. See Amazon's documentation on enabling enhanced networking. Defaultfalse
. -
force_deregister
(boolean) - Force Packer to first deregister an existing AMI if one with the same name already exists. Defaults tofalse
. -
force_delete_snapshot
(boolean) - Force Packer to delete snapshots associated with AMIs, which have been deregistered byforce_deregister
. Defaults tofalse
. -
iam_instance_profile
(string) - The name of an IAM instance profile to launch the EC2 instance with. -
launch_block_device_mappings
(array of block device mappings) - Add one or more block devices before the Packer build starts. If you add instance store volumes or EBS volumes in addition to the root device volume, the created AMI will contain block device mapping information for those volumes. Amazon creates snapshots of the source instance's root volume and any other EBS volumes described here. When you launch an instance from this new AMI, the instance automatically launches with these additional volumes, and will restore them from snapshots taken from the source instance. -
mfa_code
(string) - The MFA TOTP code. This should probably be a user variable since it changes all the time. -
profile
(string) - The profile to use in the shared credentials file for AWS. See Amazon's documentation on specifying profiles for more details. -
region_kms_key_ids
(map of strings) - a map of regions to copy the ami to, along with the custom kms key id to use for encryption for that region. Keys must match the regions provided inami_regions
. If you just want to encrypt using a default ID, you can stick withkms_key_id
andami_regions
. If you want a region to be encrypted with that region's default key ID, you can use an empty string""
instead of a key id in this map. (e.g."us-east-1": ""
) However, you cannot use default key IDs if you are using this in conjunction withsnapshot_users
-- in that situation you must use custom keys. -
run_tags
(object of key/value strings) - Tags to apply to the instance that is launched to create the AMI. These tags are not applied to the resulting AMI unless they're duplicated intags
. This is a template engine where theSourceAMI
variable is replaced with the source AMI ID andBuildRegion
variable is replaced with the value ofregion
. -
security_group_id
(string) - The ID (not the name) of the security group to assign to the instance. By default this is not set and Packer will automatically create a new temporary security group to allow SSH access. Note that if this is specified, you must be sure the security group allows access to thessh_port
given below. -
security_group_ids
(array of strings) - A list of security groups as described above. Note that if this is specified, you must omit thesecurity_group_id
. -
temporary_security_group_source_cidr
(string) - An IPv4 CIDR block to be authorized access to the instance, when packer is creating a temporary security group. The default is0.0.0.0/0
(ie, allow any IPv4 source). This is only used whensecurity_group_id
orsecurity_group_ids
is not specified. -
skip_metadata_api_check
- (boolean) Skip the AWS Metadata API check. Useful for AWS API implementations that do not have a metadata API endpoint. Setting totrue
prevents Packer from authenticating via the Metadata API. You may need to use other authentication methods like static credentials, configuration variables, or environment variables. -
skip_region_validation
(boolean) - Set to true if you want to skip validation of the region configuration option. Defaults tofalse
. -
snapshot_groups
(array of strings) - A list of groups that have access to create volumes from the snapshot(s). By default no groups have permission to create volumes form the snapshot(s).all
will make the snapshot publicly accessible. -
snapshot_users
(array of strings) - A list of account IDs that have access to create volumes from the snapshot(s). By default no additional users other than the user creating the AMI has permissions to create volumes from the backing snapshot(s). -
source_ami_filter
(object) - Filters used to populate thesource_ami
field. Example:{ "source_ami_filter": { "filters": { "virtualization-type": "hvm", "name": "ubuntu/images/*ubuntu-xenial-16.04-amd64-server-*", "root-device-type": "ebs" }, "owners": ["099720109477"], "most_recent": true } }
This selects the most recent Ubuntu 16.04 HVM EBS AMI from Canonical. NOTE: This will fail unless exactly one AMI is returned. In the above example,
most_recent
will cause this to succeed by selecting the newest image.-
filters
(map of strings) - filters used to select asource_ami
. NOTE: This will fail unless exactly one AMI is returned. Any filter described in the docs for DescribeImages is valid. -
owners
(array of strings) - This scopes the AMIs to certain Amazon account IDs. This is helpful to limit the AMIs to a trusted third party, or to your own account. -
most_recent
(boolean) - Selects the newest created image when true. This is most useful for selecting a daily distro build.
You may set this in place of
source_ami
or in conjunction with it. If you set this in conjunction withsource_ami
, thesource_ami
will be added to the filter. The providedsource_ami
must meet all of the filtering criteria provided insource_ami_filter
; this pins the AMI returned by the filter, but will cause Packer to fail if thesource_ami
does not exist. -
-
snapshot_tags
(object of key/value strings) - Tags to apply to snapshot. They will override AMI tags if already applied to snapshot. -
spot_price
(string) - The maximum hourly price to launch a spot instance to create the AMI. It is a type of instances that EC2 starts when the maximum price that you specify exceeds the current spot price. Spot price will be updated based on available spot instance capacity and current spot Instance requests. It may save you some costs. You can set this toauto
for Packer to automatically discover the best spot price or to0
to use an on-demand instance (default). -
spot_price_auto_product
(string) - Required ifspot_price
is set toauto
. This tells Packer what sort of AMI you're launching to find the best spot price. This must be one of:Linux/UNIX
,SUSE Linux
,Windows
,Linux/UNIX (Amazon VPC)
,SUSE Linux (Amazon VPC)
,Windows (Amazon VPC)
-
sriov_support
(boolean) - Enable enhanced networking (SriovNetSupport but not ENA) on HVM-compatible AMIs. If true, addec2:ModifyInstanceAttribute
to your AWS IAM policy. Note: you must make sure enhanced networking is enabled on your instance. See Amazon's documentation on enabling enhanced networking. Defaultfalse
. -
ssh_keypair_name
(string) - If specified, this is the key that will be used for SSH with the machine. The key must match a key pair name loaded up into Amazon EC2. By default, this is blank, and Packer will generate a temporary key pair unlessssh_password
is used.ssh_private_key_file
orssh_agent_auth
must be specified whenssh_keypair_name
is utilized. -
ssh_agent_auth
(boolean) - If true, the local SSH agent will be used to authenticate connections to the source instance. No temporary key pair will be created, and the values ofssh_password
andssh_private_key_file
will be ignored. To use this option with a key pair already configured in the source AMI, leave thessh_keypair_name
blank. To associate an existing key pair in AWS with the source instance, set thessh_keypair_name
field to the name of the key pair. -
ssh_private_ip
(boolean) - No longer supported. Seessh_interface
. A fixer exists to migrate. -
ssh_interface
(string) - One ofpublic_ip
,private_ip
,public_dns
orprivate_dns
. If set, either the public IP address, private IP address, public DNS name or private DNS name will used as the host for SSH. The default behaviour if inside a VPC is to use the public IP address if available, otherwise the private IP address will be used. If not in a VPC the public DNS name will be used. Also works for WinRM.Where Packer is configured for an outbound proxy but WinRM traffic should be direct,
ssh_interface
must be set toprivate_dns
and<region>.compute.internal
included in theNO_PROXY
environment variable. -
subnet_id
(string) - If using VPC, the ID of the subnet, such assubnet-12345def
, where Packer will launch the EC2 instance. This field is required if you are using an non-default VPC. -
tags
(object of key/value strings) - Tags applied to the AMI. This is a template engine where theSourceAMI
variable is replaced with the source AMI ID andBuildRegion
variable is replaced with the value ofregion
. -
temporary_key_pair_name
(string) - The name of the temporary key pair to generate. By default, Packer generates a name that looks likepacker_<UUID>
, where <UUID> is a 36 character unique identifier. -
user_data
(string) - User data to apply when launching the instance. Note that you need to be careful about escaping characters due to the templates being JSON. It is often more convenient to useuser_data_file
, instead. -
user_data_file
(string) - Path to a file that will be used for the user data when launching the instance. -
vpc_id
(string) - If launching into a VPC subnet, Packer needs the VPC ID in order to create a temporary security group within the VPC. Requiressubnet_id
to be set. If this field is left blank, Packer will try to get the VPC ID from thesubnet_id
. -
x509_upload_path
(string) - The path on the remote machine where the X509 certificate will be uploaded. This path must already exist and be writable. X509 certificates are uploaded after provisioning is run, so it is perfectly okay to create this directory as part of the provisioning process. Defaults to/tmp
. -
windows_password_timeout
(string) - The timeout for waiting for a Windows password for Windows instances. Defaults to 20 minutes. Example value:10m
Basic Example
Here is a basic example. It is completely valid except for the access keys:
{
"type": "amazon-instance",
"access_key": "YOUR KEY HERE",
"secret_key": "YOUR SECRET KEY HERE",
"region": "us-east-1",
"source_ami": "ami-d9d6a6b0",
"instance_type": "m1.small",
"ssh_username": "ubuntu",
"account_id": "0123-4567-0890",
"s3_bucket": "packer-images",
"x509_cert_path": "x509.cert",
"x509_key_path": "x509.key",
"x509_upload_path": "/tmp",
"ami_name": "packer-quick-start {{timestamp}}"
}
-> Note: Packer can also read the access key and secret access key from environmental variables. See the configuration reference in the section above for more information on what environmental variables Packer will look for.
Accessing the Instance to Debug
If you need to access the instance to debug for some reason, run the builder
with the -debug
flag. In debug mode, the Amazon builder will save the private
key in the current directory and will output the DNS or IP information as well.
You can use this information to access the instance as it is running.
Custom Bundle Commands
A lot of the process required for creating an instance-store backed AMI involves
commands being run on the actual source instance. Specifically, the
ec2-bundle-vol
and ec2-upload-bundle
commands must be used to bundle the
root filesystem and upload it, respectively.
Each of these commands have a lot of available flags. Instead of exposing each possible flag as a template configuration option, the instance-store AMI builder for Packer lets you customize the entire command used to bundle and upload the AMI.
These are configured with bundle_vol_command
and bundle_upload_command
. Both
of these configurations are configuration
templates and have support for
their own set of template variables.
Bundle Volume Command
The default value for bundle_vol_command
is shown below. It is split across
multiple lines for convenience of reading. The bundle volume command is
responsible for executing ec2-bundle-vol
in order to store and image of the
root filesystem to use to create the AMI.
sudo -i -n ec2-bundle-vol \
-k {{.KeyPath}} \
-u {{.AccountId}} \
-c {{.CertPath}} \
-r {{.Architecture}} \
-e {{.PrivatePath}}/* \
-d {{.Destination}} \
-p {{.Prefix}} \
--batch \
--no-filter
The available template variables should be self-explanatory based on the
parameters they're used to satisfy the ec2-bundle-vol
command.
~> Warning! Some versions of ec2-bundle-vol silently ignore all .pem and
.gpg files during the bundling of the AMI, which can cause problems on some
systems, such as Ubuntu. You may want to customize the bundle volume command to
include those files (see the --no-filter
option of ec2-bundle-vol
).
Bundle Upload Command
The default value for bundle_upload_command
is shown below. It is split across
multiple lines for convenience of reading. Access key and secret key are omitted
if using instance profile. The bundle upload command is responsible for taking
the bundled volume and uploading it to S3.
sudo -i -n ec2-upload-bundle \
-b {{.BucketName}} \
-m {{.ManifestPath}} \
-a {{.AccessKey}} \
-s {{.SecretKey}} \
-d {{.BundleDirectory}} \
--batch \
--region {{.Region}} \
--retry
The available template variables should be self-explanatory based on the
parameters they're used to satisfy the ec2-upload-bundle
command.
Additionally, {{.Token}}
is available when overriding this command. You must
create your own bundle command with the addition of -t {{.Token}}
if you are
assuming a role.
Bundle Upload Permissions
The ec2-upload-bundle
requires a policy document that looks something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:PutObjectAcl"
],
"Resource": "*"
}
]
}
You may wish to constrain the resource to a specific bucket.