Skip to content

Instantly share code, notes, and snippets.

Created March 13, 2022 14:32
Show Gist options
  • Save IMHOSUNG/cedde7b4fe807b4217f5934cb20765e7 to your computer and use it in GitHub Desktop.
Save IMHOSUNG/cedde7b4fe807b4217f5934cb20765e7 to your computer and use it in GitHub Desktop.
Build a custom Windows AMI on AWS using Packer

Windows AWS Packer example

An example of building a Windows Server 2019 AMI on AWS with Packer. The AMI will include Firefox, Putty, VSCode and extensions.

This is heavily based on the AWS Windows examples from

  1. Configure your environment with some AWS credentials
  2. Run packer build custom-windows.pkr.hcl
variable "ami_name" {
type = string
default = "custom-windows-{{timestamp}}"
variable "region" {
type = string
default = "eu-west-1"
source "amazon-ebs" "windows" {
ami_name = "${var.ami_name}"
instance_type = "t3.medium"
region = "${var.region}"
source_ami_filter {
filters = {
name = "Windows_Server-2019-English-Full-Base-*"
root-device-type = "ebs"
virtualization-type = "hvm"
most_recent = true
owners = ["amazon"]
communicator = "winrm"
winrm_username = "Administrator"
winrm_use_ssl = true
winrm_insecure = true
# This user data file sets up winrm and configures it so that the connection
# from Packer is allowed. Without this file being set, Packer will not
# connect to the instance.
user_data_file = "winrm_bootstrap.txt"
build {
sources = [""]
provisioner "powershell" {
script = "install.ps1"
provisioner "powershell" {
inline = [
# Re-initialise the AWS instance on startup
"C:/ProgramData/Amazon/EC2-Windows/Launch/Scripts/InitializeInstance.ps1 -Schedule",
# Remove system specific information from this image
"C:/ProgramData/Amazon/EC2-Windows/Launch/Scripts/SysprepInstance.ps1 -NoShutdown"
# Install Firefox, Putty, VSCode
try {
Write-Host "Downloading Firefox"
Invoke-WebRequest -Uri "" -OutFile FirefoxSetup.msi
Write-Host "Installing Firefox"
$firefox = (Start-Process msiexec.exe -ArgumentList "/i","FirefoxSetup.msi","/passive" -NoNewWindow -Wait -PassThru)
if ($firefox.ExitCode -ne 0) {
Write-Error "Error installing Firefox"
exit 1
Write-Host "Downloading Putty"
Invoke-WebRequest -Uri "" -OutFile putty-installer.msi
Write-Host "Installing Putty"
$putty = (Start-Process msiexec.exe -ArgumentList "/i","putty-installer.msi","/passive" -NoNewWindow -Wait -PassThru)
if ($putty.ExitCode -ne 0) {
Write-Error "Error installing Putty"
exit 1
Write-Host "Downloading VSCode"
Invoke-WebRequest -Uri "" -OutFile VSCodeSetup.exe
Write-Host "Installing VSCode"
$vscode = (Start-Process .\VSCodeSetup.exe -ArgumentList "/SILENT","/NORESTART","/MERGETASKS=!runcode" -NoNewWindow -Wait -PassThru)
if ($vscode.ExitCode -ne 0) {
Write-Error "Error installing VSCode"
exit 1
$vscode_extensions = @("ms-vscode-remote.remote-ssh")
foreach ($vse in $vscode_extensions) {
Write-Host "Installing VSCode extension $vse"
# Unfortunately this always seems to return 0 even if there's an error
$vscodeext = (Start-Process "C:\Program Files\Microsoft VS Code\bin\code.cmd" -ArgumentList "--install-extension",$vse,"--force" -NoNewWindow -Wait -PassThru)
if ($vscodeext.ExitCode -ne 0) {
Write-Error "Error installing VSCode extension"
exit 1
Write-Error $_.Exception
exit 1
write-output "Running User Data Script"
write-host "(host) Running User Data Script"
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"
# Remove HTTP listener
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
# Create a self-signed certificate to let ssl work
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment