Why can I not retrieve my password from AWS?


TJ Biddle

Sep 11, 2017, 4:59:23 PM
to Packer
{
  "variables": {
    "aws_region": "us-west-2",
    "vpc_id": "vpc-xxx",
    "subnet_id": "subnet-xxx"
  },

  "builders": [{
    "type":                  "amazon-ebs",
    "ami_name":              "windows-jenkins-agent-with-docker {{isotime | clean_ami_name}}",
    "region":                "{{user `aws_region`}}",
    "instance_type":         "t2.medium",

    "vpc_id": "{{user `vpc_id`}}",
    "subnet_id": "{{user `subnet_id`}}",
    "ssh_keypair_name": "key_pair_name_here",
    "ssh_private_key_file": "/full/path/to/file.pem",

    "communicator": "winrm",
    "winrm_username": "Administrator",
    "winrm_use_ssl": true,

    "source_ami_filter": {
      "owners":      ["801119661308"],
      "most_recent": true,

      "filters": {
        "virtualization-type": "hvm",
        "name":                "*Windows_Server-2016-English-Full-Base*",
        "root-device-type":    "ebs"
      }
    },

    "run_tags": {
      "Name": "Packer-Temporary-Intance"
    },

    "run_volume_tags": {
      "Name": "Packer-Temporary-Volume"
    },

    "tags": {
      "OS_Version":   "Windows",
      "Release":      "2016 Base",
      "Source_AMI":   "{{.SourceAMI}}",
      "Build_Region": "{{.BuildRegion}}"
    }
  }],

  "provisioners": [
    {
      "type":        "file",
      "source":      "files/chocolatey-install.ps1",
      "destination": "C:\\chocolatey-install.ps1"
    },
    {
      "type":        "file",
      "source":      "files/init.ps1",
      "destination": "C:\\init.ps1"
    },
    {
      "type":        "file",
      "source":      "files/WinSW.NET4.xml",
      "destination": "C:\\WinSW.NET4.xml"
    },
    {
      "type": "windows-restart"
    }
  ]
}


user-data:
<powershell>

# This setup to get running via PowerShell is taken from https://github.com/PeteGoo/packer-win-aws

write-output "Running User Data Script"
write-host "(host) Running User Data Script"

Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"

# Remove HTTP listener
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

Set-Item WSMan:\localhost\MaxTimeoutms 1800000
Set-Item WSMan:\localhost\Service\Auth\Basic $true

$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"

cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm

</powershell>


I've been stuck on this for ages; what am I doing wrong?

All I want to do is get my password; but no matter what - it always just hangs on "Password not available yet." forever. 5 minutes, 10 minutes, 5 days.

Follow-up question:
1) Why do I need a user-data script; why is this not just baked in? Every time I touch Windows it's jumping hoop after hoop.

Rickard von Essen

Sep 12, 2017, 1:46:59 AM
to packe...@googlegroups.com
Does Windows 2016 Server (full version) run on a t2.medium?

1) Why do I need a user-data script; why is this not just baked in?
Packer doesn't manage the operating system, it's a separation of concerns. There are literally a gazillion different OSes and versions to bake in configuration for.

Every time I touch Windows it's jumping hoop after hoop.
That's pretty much how Windows works.
 

It might be good to step back and start with something that works and evolve from there. This works:

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/packer/issues
IRC: #packer-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Packer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to packer-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/2ea34afc-88c9-4972-8a15-fb2c886c315f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

TJ Biddle

Sep 12, 2017, 9:25:49 AM
to Packer
Yeah - I have no trouble running Packer; it spins up the instance and reports no errors. And I have an instance running on a t2.medium currently (Although I do have a different Windows instance that won't let me switch instance type to t2.medium, so I do know what you're speaking of).

1) Hm; I guess - just seems strange to have winrm as the option to get set up; but then it needs extra setup. I guess that's the equivalent to openssh being set up already; just I would expect it to be default on Windows. Would be great if Packer had some documentation referencing it at least given its popularity.

Thanks for the demo - I'll poke through that!

Alvaro Miranda Aguilera

Sep 13, 2017, 3:32:40 AM
to packe...@googlegroups.com
Well, making the assumption that nothing is set in Windows is the best start.

In the same way you can use user_data to install openssh, so that when the instance is up you can ssh into it, it is very similar for WinRM.

If you are using an AMI that's openssh/winrm enabled then sure you can use them.

Don't think it is a Packer documentation issue, but if you can share a link to the website and say where you would like to have some note/guide we can look into it.

Thanks!
Alvaro



--
Alvaro

TJ Biddle

Sep 13, 2017, 4:34:30 PM
to Packer
Alright - well my initial problem is still an issue here: That I can't retrieve my Windows Password in AWS after creating a Packer AMI.

Is my only solution to set the Administrative password to something static from the get-go?

TJ Biddle

Sep 13, 2017, 4:46:38 PM
to Packer
Which looks like setting a password from the get-go fails as well: "The password does not meet the password policy requirements" using "net user Administrator changeME" (Which I've gotten before no matter how complex or simple the password is) on the default AMI ami-aa3cdcd2 in us-west-2.

Rickard von Essen

Sep 14, 2017, 3:16:38 AM
to packe...@googlegroups.com
I was trying to repro with your template and realised that you are missing user_data_file *)
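
The gap pointed out in the reply above, as an added example that is not part of the original thread: a Python check that reads a Packer JSON template and reports builders that use the winrm communicator without user_data_file or user_data, and, where winrm_use_ssl is set, user-data lines that still enable AllowUnencrypted. The function name and the reduced sample inputs are assumptions made for illustration.

```python
import json
import re

# Matches lines such as: winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
ALLOW_UNENCRYPTED = re.compile(r'AllowUnencrypted\s*=\s*"?true"?', re.IGNORECASE)


def lint_winrm_builders(template_text, user_data_text=None):
    """Return a list of (builder, finding) tuples for a Packer JSON template.

    user_data_text is the content of the user-data script, if the caller
    has it; it is only inspected for builders that set winrm_use_ssl.
    """
    findings = []
    template = json.loads(template_text)
    for index, builder in enumerate(template.get("builders", [])):
        if builder.get("communicator") != "winrm":
            continue
        name = builder.get("name", f"{builder.get('type', '?')}[{index}]")
        # Without user data the instance never receives the WinRM setup script.
        if not builder.get("user_data_file") and not builder.get("user_data"):
            findings.append((name, "winrm communicator but no user_data_file/user_data"))
        # winrm_use_ssl asks for HTTPS; flag a script that also allows plaintext.
        if builder.get("winrm_use_ssl") and user_data_text:
            for lineno, line in enumerate(user_data_text.splitlines(), 1):
                if line.lstrip().startswith("#"):
                    continue
                if ALLOW_UNENCRYPTED.search(line):
                    findings.append((name, f"user data line {lineno} sets AllowUnencrypted=true"))
    return findings


# Constructed sample input, reduced from the template and script in the thread.
SAMPLE_TEMPLATE = json.dumps({
    "builders": [{
        "type": "amazon-ebs",
        "communicator": "winrm",
        "winrm_username": "Administrator",
        "winrm_use_ssl": True,
    }]
})
SAMPLE_USER_DATA = """<powershell>
# WinRM
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
</powershell>
"""

if __name__ == "__main__":
    for builder_name, message in lint_winrm_builders(SAMPLE_TEMPLATE, SAMPLE_USER_DATA):
        print(f"{builder_name}: {message}")
```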

