SwampDragons/test_CIS_hardened.json

## test_CIS_hardened.json
{
  "builders": [
  {
    "type": "amazon-ebs",
    "region": "us-west-2",
    "instance_type": "t2.micro",
    "source_ami_filter": {
           "filters": {
               "virtualization-type": "hvm",
               "name": "CIS Microsoft Windows Server 2016 Benchmark v1.1.0.*Level 1*",
               "root-device-type": "ebs"
           },
           "owners": ["679593333241"],
           "most_recent": true
       },
    "ami_name": "default-packer",
    "user_data_file": "./user_data_file_bootstrap.txt",
    "communicator": "winrm",
    "force_deregister": true,
    "winrm_username": "Administrator",
    "winrm_insecure": true,
    "winrm_use_ntlm": true,
    "winrm_use_ssl": true
  }],
  "provisioners": [
    {
      "type": "powershell",
      "inline": ["Write-Host \"HELLO I AM CONNECTED\""]
    }
  ]
}

## user_data_file_boostrap.txt
<powershell>

# MAKE SURE IN YOUR PACKER CONFIG TO SET:
#
#
#    "winrm_username": "Administrator",
#    "winrm_insecure": true,
#    "winrm_use_ssl": true,
#
#


write-output "Running User Data Script"
write-host "(host) Running User Data Script"

Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"

# Remove HTTP listener
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

# Create a self-signed certificate to let ssl work
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"

cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm

</powershell>
	{
	"builders": [
	{
	"type": "amazon-ebs",
	"region": "us-west-2",
	"instance_type": "t2.micro",
	"source_ami_filter": {
	"filters": {
	"virtualization-type": "hvm",
	"name": "CIS Microsoft Windows Server 2016 Benchmark v1.1.0.Level 1",
	"root-device-type": "ebs"
	},
	"owners": ["679593333241"],
	"most_recent": true
	},
	"ami_name": "default-packer",
	"user_data_file": "./user_data_file_bootstrap.txt",
	"communicator": "winrm",
	"force_deregister": true,
	"winrm_username": "Administrator",
	"winrm_insecure": true,
	"winrm_use_ntlm": true,
	"winrm_use_ssl": true
	}],
	"provisioners": [
	{
	"type": "powershell",
	"inline": ["Write-Host \"HELLO I AM CONNECTED\""]
	}
	]
	}
	<powershell>

	# MAKE SURE IN YOUR PACKER CONFIG TO SET:
	#
	#
	# "winrm_username": "Administrator",
	# "winrm_insecure": true,
	# "winrm_use_ssl": true,
	#
	#


	write-output "Running User Data Script"
	write-host "(host) Running User Data Script"

	Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

	# Don't set this before Set-ExecutionPolicy as it throws an error
	$ErrorActionPreference = "stop"

	# Remove HTTP listener
	Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

	# Create a self-signed certificate to let ssl work
	$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
	New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

	# WinRM
	write-output "Setting up WinRM"
	write-host "(host) setting up WinRM"

	cmd.exe /c winrm quickconfig -q
	cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
	cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
	cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
	cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
	cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
	cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
	cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
	cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
	cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
	cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
	cmd.exe /c net stop winrm
	cmd.exe /c sc config winrm start= auto
	cmd.exe /c net start winrm

	</powershell>