If you have ever wanted to grab a marketplace AMI (ex: OpenVPN) you'll know that the process is painful. This solves the pain.

Usage

  • You will first need to make sure you have subscribed to the marketplace product
  • Get the AMI ID of the marketplace product
  • Copy the script to your machine
  • awsume (or otherwise authorize) to AWS
  • Make the script executable if needed: chmod +x marketplace-ami-encryptor.sh

Usage: ./marketplace-ami-encryptor.sh {region} {ami} {name}
Example: ./marketplace-ami-encryptor.sh us-east-1 ami-f6eed4e0 OpenVPN

This may take a few minutes. Output looks like:

Creating instance from marketplace AMI ami-f6eed4e0
Waiting for instance i-0d3a37ce1eb4b3f24 to be running and status OK...
Creating encrypted image
Waiting for AMI ami-01bfa37a, to be available...
Terminating unencrypted instance...
Everything is good! Your new AMI 'OpenVPN Encrypted' is available as ami-01bfa37a

#!/bin/bash
set -e
if [ $# -ne 3 ]; then
  echo "Usage: $0 {region} {ami} {name}" >&2
  exit 1
fi
export AWS_DEFAULT_REGION=$1
MARKETPLACE_AMI=$2
NAME=$3
# Run an instance from the marketplace (base) AMI
echo "Creating instance from marketplace AMI $MARKETPLACE_AMI"
INSTANCE=$(aws ec2 run-instances --image-id "$MARKETPLACE_AMI" --count 1 --instance-type t2.micro --query 'Instances[0].InstanceId' --output text)
echo "Waiting for instance $INSTANCE to be running and status OK..."
aws ec2 wait instance-status-ok --instance-ids "$INSTANCE"
# Snapshot the instance into an AMI owned by this account.
# CreateImage cannot change the encryption state of an existing volume,
# so encryption is applied by the copy-image step further down.
echo "Creating account AMI copy"
AMI_COPY=$(aws ec2 create-image --instance-id "$INSTANCE" --block-device-mappings "DeviceName=/dev/sda1,Ebs={DeleteOnTermination=True}" --name "$MARKETPLACE_AMI Copy for $NAME" --query 'ImageId' --output text)
echo "Waiting for AMI COPY $AMI_COPY to be available..."
aws ec2 wait image-available --image-ids "$AMI_COPY"
echo "Terminating unencrypted instance..."
aws ec2 terminate-instances --instance-ids "$INSTANCE" > /dev/null
# Copy the account-owned AMI within the same region, encrypting its snapshots
echo "Creating Encrypted AMI"
AMI_ENC=$(aws ec2 copy-image --source-image-id "$AMI_COPY" --name "$NAME Encrypted" --encrypted --source-region "$AWS_DEFAULT_REGION" --region "$AWS_DEFAULT_REGION" --query 'ImageId' --output text)
echo "Waiting for Encrypted AMI $AMI_ENC to be available..."
aws ec2 wait image-available --image-ids "$AMI_ENC"
# Remove the intermediate unencrypted AMI
echo "Deleting unneeded AMI Copy"
aws ec2 deregister-image --image-id "$AMI_COPY" > /dev/null
aws ec2 wait instance-terminated --instance-ids "$INSTANCE"
echo "Everything is good! Your new AMI '$NAME Encrypted' is available as $AMI_ENC"
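
Since the whole point is an encrypted AMI, it is worth confirming the result before launching anything from it. The check below is an added example, not part of the original gist; `verify_ami_encrypted` is a hypothetical helper name, and it assumes the same AWS CLI credentials the script uses.

```shell
#!/bin/bash
# Added example, not part of the original gist.
# verify_ami_encrypted is a hypothetical helper name.
# Usage: verify_ami_encrypted {region} {ami}
# Returns 0 only if the AMI has at least one EBS-backed device and every
# one of them points at an encrypted snapshot; 1 if any is unencrypted;
# 2 if the lookup fails or no EBS mappings are found.
verify_ami_encrypted() {
  local region=$1 ami=$2 rows device snapshot encrypted bad=0 seen=0
  # One whitespace-separated row per EBS mapping: device, snapshot, True/False.
  # [?Ebs] skips instance-store (ephemeral) mappings, which have no snapshot.
  rows=$(aws ec2 describe-images --region "$region" --image-ids "$ami" \
    --query 'Images[0].BlockDeviceMappings[?Ebs].[DeviceName,Ebs.SnapshotId,Ebs.Encrypted]' \
    --output text) || return 2
  while read -r device snapshot encrypted; do
    [ -z "$device" ] && continue
    seen=$((seen + 1))
    # Fail closed: anything other than an explicit True counts as unencrypted.
    if [ "$encrypted" != "True" ]; then
      echo "NOT ENCRYPTED: $ami $device ($snapshot)" >&2
      bad=$((bad + 1))
    fi
  done <<EOF
$rows
EOF
  if [ "$seen" -eq 0 ]; then
    echo "No EBS mappings found for $ami" >&2
    return 2
  fi
  [ "$bad" -eq 0 ]
}
```

Calling `verify_ami_encrypted "$AWS_DEFAULT_REGION" "$AMI_ENC"` as the last step of the script makes it exit non-zero if any snapshot in the new AMI is unencrypted.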

@pbashyal-nmdp pbashyal-nmdp commented Aug 17, 2018

The last line 37 $AMI needs to be $AMI_ENC.

Thanks for this script, it was super handy!

@vgrsec vgrsec commented Sep 20, 2018

I got the following when running the script:

./marketplace-ami-encryptor.sh us-east-1 ami-3b6dfa44 OpenVPN
Creating instance from marketplace AMI ami-3b6dfa44

An error occurred (VPCResourceNotSpecified) when calling the RunInstances operation: The specified instance type can only be used in a VPC. A subnet ID or network interface ID is required to carry out the request.

It appears to be something to do with t2.micro needing vpc info, when I changed it to m3.medium it worked ok.

hashicorp/terraform#4367

@Diggitysc Diggitysc commented Nov 7, 2018

Please change line 17:

AMI_COPY=`aws ec2 create-image --instance-id $INSTANCE --block-device-mappings DeviceName=/dev/sda1,Ebs={Encrypted=True} --name "$MARKETPLACE_AMI Copy for $NAME" --query 'ImageId'`

to

AMI_COPY=`aws ec2 create-image --instance-id $INSTANCE --block-device-mappings DeviceName=/dev/sda1,Ebs={DeleteOnTermination=True} --name "$MARKETPLACE_AMI Copy for $NAME" --query 'ImageId'`

To avoid the error:

An error occurred (InvalidBlockDeviceMapping) when calling the CreateImage operation: the encrypted flag cannot be specified since device /dev/sda1 has a conflicting encryption setting
