Packer build renders Windows EC2 Instance unreachable

I have Windows image that I use for hosting IIS on EC2.

Recently I’ve been trying to automate the image build using packer, which managed to build a Windows AMI with IIS installed and setup on it.

However, launching this AMI seems to make the instance unreachable - the EC2 system log is blank and SSM no longer recognizes the instance.

I had to add a user_data_file to the packer build to get WinRM to connect during the build, I suspect this is where the issue stems from but I haven’t been able to to figure out why.

Has anyone had this issue or managed to figure out a workaround?

Here is the user_data_file that is used by the packer build:

<powershell>

write-output "Running User Data Script"
write-host "(host) Running User Data Script"

Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"

# Remove HTTP listener
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

Set-Item WSMan:\localhost\MaxTimeoutms 1800000
Set-Item WSMan:\localhost\Service\Auth\Basic $true

$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"

cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTP" '@{Port="5985"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5985 "Port 5985"
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm

</powershell>

Here is the packer build template:


locals {
  environment = "<removed>"
  name        = "web"
  region      = "ca-central-1"
  timestamp   = regex_replace(timestamp(), "[- TZ:]", "")
}

source "amazon-ebs" "web" {
  profile  = "<removed>"
  ami_name = "${local.environment}-${local.name}-${local.timestamp}"

  source_ami_filter {
    filters = {
      name             = "Windows_Server-2019-English-Full-Base-2022.02.10"
      root-device-type = "ebs"
    }
    most_recent = true
    owners      = ["amazon"]
  }

  region = "ca-central-1"

  instance_type  = "t2.medium"
  user_data_file = "./ec2-userdata.ps1"
  communicator   = "winrm"
  winrm_username = "Administrator"
}

build {
  sources = [
    "source.amazon-ebs.web"
  ]

  provisioner "powershell" {
    script = "./iis-setup.ps1"
  }
}

Any help at all would be greatly appreciated

Notes:

  • the iis-setup.ps1 has been reduced to just a Write-Host statement at this point
  • before using the packer built AMI, I had system logs and SSM working using the Windows_Server-2019-English-Full-Base-2022.02.10 image without issues
  • my packer build template was based off of this tutorial
  • I’ve found this topic that seems similar but hasn’t been resolved

@nikolai have u tried the below approach

Hi @krishna1

I eventually got it to connect using the solution from this PR on the original tutorial that I used.

Haven’t had a chance to try the link you provided due to another issue I’m experiencing at the moment.

Once, I have that one resolved I’ll give your solution a try and get back to you.

Cheers,

Nikolai