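# VPC that the temporary build instance is launched into.
variable "vpc_id" {
  type        = string
  description = "VPC ID for the instance"
  # HCL2 reads environment variables with env(); the legacy JSON-template
  # form "{{env `BUILD_VPC_ID`}}" is not expanded inside an HCL variable
  # default and reaches the builder as literal text. An unset BUILD_VPC_ID
  # yields "", i.e. no VPC is pinned.
  default = env("BUILD_VPC_ID")
}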
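# Subnet for the temporary build instance (should belong to var.vpc_id).
variable "subnet_id" {
  type        = string
  description = "Subnet ID for the instance"
  # env() is the HCL2 way to pull this from the environment; the legacy
  # "{{env `BUILD_SUBNET_ID`}}" template syntax is not evaluated in an HCL
  # variable default. Unset BUILD_SUBNET_ID yields "" (no subnet pinned).
  default = env("BUILD_SUBNET_ID")
}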
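# Region the builder runs in and the AMI is registered in.
variable "aws_region" {
  type        = string
  description = "AWS region to build the AMI in"
  # Read with HCL2's env(); the legacy "{{env `AWS_REGION`}}" form is not
  # expanded inside a variable default. If AWS_REGION is unset this is ""
  # and the builder presumably falls back to the AWS SDK's own region
  # resolution — confirm for the Packer version in use.
  default = env("AWS_REGION")
}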
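# Name (and Name tag) of the produced AMI. AMI names must be unique per
# account/region, so the default embeds a timestamp.
variable "ami_name" {
  type        = string
  description = "Name of the AMI"
  # Go time layout: "15" is the 24-hour hour. The previous "03" (12-hour hour
  # with no AM/PM marker) produced identical names for builds 12 hours apart,
  # which the AMI registration then rejects as a duplicate name.
  # NOTE(review): {{isotime}} is the legacy template engine, not HCL2; it
  # relies on the amazon-ebs builder still interpolating ami_name. The HCL2
  # form is formatdate() over timestamp() in a locals block — confirm which
  # one the Packer version in use honours.
  default = "Prod-CIS-Latest-AMZN-{{isotime \"02-Jan-06 15_04_05\"}}"
}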
# Local directory of Chef bootstrap files. The file provisioner uploads it to
# /tmp/bootstrap on the instance, and /tmp/bootstrap/bootstrap.sh is then run.
# NOTE(review): Packer's file provisioner copies only a directory's *contents*
# when the source path ends in "/"; without the slash the directory itself is
# placed under /tmp/bootstrap and bootstrap.sh would not be found at the
# expected path — pass this value with a trailing slash.
variable "packer_chef_bootstrap_dir" {
  description = "Directory containing Chef bootstrap files"
  type        = string
}
# Directory on the instance that is created (mkdir -p) before bootstrap runs;
# what the bootstrap/Chef steps put there is not visible in this template.
variable "chef_dir" {
  description = "Chef installation directory"
  type        = string
}
# Owner applied (via chown) to /tmp/packer-chef-client so the chef-client
# provisioner can write its staging files as the SSH user.
variable "packer_uid" {
  description = "Packer user ID"
  type        = string
}
# Group applied (via chown) to /tmp/packer-chef-client alongside packer_uid.
variable "packer_gid" {
  description = "Packer group ID"
  type        = string
}
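# Path of a directory, not a file: the chef-client provisioner reads
# "${var.chef_client_config_tpl}/client.rb.tpl" from it. The description now
# says so, as the old wording suggested the variable pointed at the template.
variable "chef_client_config_tpl" {
  type        = string
  description = "Directory containing the client.rb.tpl Chef client configuration template"
}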
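# Run list handed to the chef-client provisioner.
variable "chef_run_list" {
  # The provisioner's run_list attribute is a list of strings
  # (e.g. ["recipe[...]"]); declaring this as a plain string makes Packer
  # reject the run_list = var.chef_run_list assignment with a type mismatch.
  type        = list(string)
  description = "Chef run list for provisioning"
}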
# Temporary EC2 instance and base-image selection for the CIS AMI build.
source "amazon-ebs" "cis_ami" {
  region        = var.aws_region
  instance_type = "t2.micro"

  # Network placement of the builder. NOTE(review): with a public IP and
  # Packer's default temporary security group (SSH allowed from 0.0.0.0/0
  # unless temporary_security_group_source_cidrs is set), the builder is
  # reachable from the internet for the whole build — restrict the source
  # CIDRs, or build in a private subnet the Packer host can reach.
  vpc_id                      = var.vpc_id
  subnet_id                   = var.subnet_id
  associate_public_ip_address = true

  # Login user Packer connects as (the Amazon Linux default).
  ssh_username = "ec2-user"

  # Output image naming and metadata.
  ami_name        = var.ami_name
  ami_description = "Amazon Linux CIS with Cloudwatch Logs agent"
  tags = {
    Name = var.ami_name
  }

  # Base image: the newest EBS-backed HVM image named amzn-ami*-ebs from the
  # listed owner accounts. NOTE(review): most_recent over a wildcard is a
  # moving target, so two builds can start from different bases; pinning a
  # source AMI (or a release in the name filter) makes builds reproducible.
  # The amzn-ami* pattern is the original Amazon Linux (AL1) line, which is
  # past end-of-life — confirm that is intended. Verify each owner ID against
  # AWS's published account list; Packer's "amazon" owner alias is an
  # alternative that tracks the official accounts.
  source_ami_filter {
    filters = {
      virtualization-type = "hvm"
      name                = "amzn-ami*-ebs"
      root-device-type    = "ebs"
    }
    owners      = ["137112412989", "591542846629", "801119661308", "102837901569", "013907871322", "206029621532", "286198878708", "443319210888"]
    most_recent = true
  }
}
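# Provision the base instance: stage the Chef bootstrap files, run Chef
# against a loopback server, then scrub build-time material before the
# AMI snapshot is taken.
build {
  sources = [
    source.amazon-ebs.cis_ami
  ]

  # Upload the bootstrap directory; bootstrap.sh is executed from it below.
  provisioner "file" {
    source      = var.packer_chef_bootstrap_dir
    destination = "/tmp/bootstrap"
  }

  # /tmp/packer-chef-client is the chef-client provisioner's default
  # staging_directory and must be writable by the SSH user before that
  # provisioner runs. chown takes USER:GROUP; the "uid.gid" spelling is a
  # deprecated GNU extension that misparses names containing a dot.
  # chef_dir is quoted so a value with spaces or glob characters is not
  # split by the shell.
  provisioner "shell" {
    inline = [
      "sudo mkdir -p \"${var.chef_dir}\"",
      "sudo mkdir -p /tmp/packer-chef-client",
      "sudo chown ${var.packer_uid}:${var.packer_gid} /tmp/packer-chef-client",
      "sudo sh /tmp/bootstrap/bootstrap.sh",
    ]
  }

  # Chef talks to a server on loopback (presumably chef-zero started by
  # bootstrap.sh); plain HTTP is tolerable only because it never leaves the
  # host. Node/client cleanup is skipped, presumably because that server is
  # discarded together with the build instance.
  provisioner "chef-client" {
    server_url        = "http://localhost:8889"
    config_template   = "${var.chef_client_config_tpl}/client.rb.tpl"
    skip_clean_node   = true
    skip_clean_client = true
    run_list          = var.chef_run_list
  }

  # Final scrub before the snapshot: drop Packer's build-time SSH key from
  # both login users (~ is the SSH user's home regardless of the script's
  # working directory) and remove the staged provisioning material — the
  # bootstrap files and the rendered Chef config, which can carry node
  # attributes and keys. rm -f keeps a missing file from failing the build
  # under the provisioner's "sh -e".
  # NOTE(review): if bootstrap.sh or client.rb.tpl leaves client.pem or
  # validation.pem under var.chef_dir, those should be removed here as well.
  provisioner "shell" {
    inline = [
      "rm -f ~/.ssh/authorized_keys",
      "sudo rm -f /root/.ssh/authorized_keys",
      "sudo rm -rf /tmp/bootstrap /tmp/packer-chef-client",
    ]
  }
}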