Hardened CIS AWS AMI

I needed to create a hardened (CIS) base image for a project. The AMI produced by this project was not used directly; it served as the base image for other application-specific stacks.

The following is the Packer template (`packer.json`) used to build it:

{
    "variables": {
        "aws_access_key": "",
        "aws_secret_key": "",
        "aws_region": "{{ env `AWS_DEFAULT_REGION` }}",
        "bitbucket_branch": "",
        "bitbucket_buildnumber": "",
        "bitbucket_commit": "",
        "bootstrap_commit": ""
    },
    "builders": [{
        "type": "amazon-ebs",
        "access_key": "{{user `aws_access_key`}}",
        "secret_key": "{{user `aws_secret_key`}}",
        "region": "ap-southeast-2",
        "vpc_id": "vpc-1cceEXAMPLE8178",
        "subnet_id": "subnet-b8fEXAMPLE1e0dc",
        "associate_public_ip_address": true,
        "ssh_private_ip": false,
        "ssh_pty": true,
        "source_ami": "ami-240EXAMPLEef546",
        "instance_type": "c4.large",
        "ssh_username": "ec2-user",
        "ami_name": "CIS-AWSLinux-Base {{isotime | clean_ami_name}}",
        "ami_users": ["<Account_Number>"],
        "launch_block_device_mappings":[{
          "device_name":"/dev/xvda",
          "volume_size":30,
          "volume_type":"gp2",
          "encrypted":false,
          "delete_on_termination":true
       }],
        "tags": {
            "OS_Version": "AWSLinux",
            "Name": "CIS-AWSLinux-Base",
            "Timestamp": "{{timestamp}}",
            "AMI_Branch": "{{user `bitbucket_branch`}}",
            "AMI_Build_Number": "{{ user `bitbucket_buildnumber`}}",
            "AMI_Commit": "{{ user `bitbucket_commit`}}",
            "Bootstrap_Commit": "{{ user `bootstrap_commit`}}"
        }
    }],
    "provisioners": [{
        "type": "shell",
        "inline": [
            "sleep 30",
            "sudo bash -c 'echo export PATH=\\$PATH:/opt/aws/bin/ >> /etc/profile'",
            "sudo yum clean all",
            "sudo yum -y update",
            "sudo yum -y install epel-release",
            "sudo yum install -y libselinux libselinux-utils libselinux-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted policycoreutils awslogs",
            "sudo sh -c 'selinux=1 security=selinux enforcing=1'",
            "sudo sh -c 'touch /.autorelabel'",
            "sudo cp -prv /boot/grub/menu.lst /boot/grub/menu.lst.default",
            "sudo sed -i 's/selinux=0/selinux=1 security=selinux enforcing=1/g' /boot/grub/menu.lst",
            "sudo sed -i 's/selinux=0/selinux=1 security=selinux enforcing=1/g' /etc/grub.conf",
            "sudo yum -y install augeas git python36 python-pip36 bc unzip wget telnet jq nfs-utils",
            "sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm",
            "sudo pip install pystache argparse python-daemon requests",
            "sudo pip install --upgrade pbr",
            "sudo pip install --upgrade pip",
            "sudo mkdir /efs",
            "sudo chmod 755 /efs",
            "sudo sed -i 's/^server/#server/g' /etc/ntp.conf",
            "sudo sed -ie \"\\$aserver 169.254.169.123 prefer iburst\" /etc/ntp.conf",
            "sudo sed -i 's/daemon//g' /etc/init.d/ntpd",
            "sudo sed -i 's/$OPTIONS//g' /etc/init.d/ntpd",
            "sudo rm -f /root/.ssh/authorized_keys"
        ]
    }],
    "post-processors": [
        [{
            "type": "manifest",
            "output": "manifest.json",
            "strip_path": true
        }]
    ]
}

Build it as follows:

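# Build the CIS base AMI from packer.json.
#
# Every -var must name a variable declared in the template's "variables"
# block (bitbucket_branch, bitbucket_buildnumber, bitbucket_commit,
# bootstrap_commit); the values flow into the AMI tags for traceability.
# The original command also passed chef_commit, which the template does
# not declare (presumably a leftover from another template) and which
# Packer would report as an unknown variable, so it is dropped here.
# aws_access_key / aws_secret_key are left at their empty defaults, so
# credentials are resolved by the builder's normal credential chain.
#
# NOTE(review): the template's launch_block_device_mappings sets
# "encrypted": false on the root volume and ami_users shares the image
# with another account; confirm both are intended for a hardened base
# image before running a production build.
packer build -var bitbucket_commit=${MAINCOMMIT} -var bootstrap_commit=${BOOTSTRAPCOMMIT} -var bitbucket_branch=${BITBUCKET_BRANCH} -var bitbucket_buildnumber=${BITBUCKET_BUILD_NUMBER} packer.json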