fix: Add config for windows ami (#1525)

* Add config for windows ami
* Update packer build to validate windows

Author: maths22

.github/workflows/packer-build.yml

@@ -18,17 +18,20 @@ jobs:
     runs-on: ubuntu-latest
     container:
       image: hashicorp/packer:1.7.8
+    strategy:
+      matrix:
+        image: ["linux-amzn2", "windows-core-2019"]
     defaults:
       run:
-        working-directory: images/linux-amzn2
+        working-directory: images/${{ matrix.image }}
     steps:
       - name: "Checkout"
         uses: actions/checkout@v2
 
       - name: packer init
         run: packer init .
 
-      - name: check terraform formatting
+      - name: check packer formatting
         run: packer fmt -recursive -check=true .        
 
       - name: packer validate

examples/prebuilt/README.md

@@ -4,7 +4,17 @@ This module shows how to create GitHub action runners using a prebuilt AMI for t
 
 ## Usages
 
-Steps for the full setup, such as creating a GitHub app can be found in the root module's [README](../../README.md). 
+Steps for the full setup, such as creating a GitHub app can be found in the root module's [README](../../README.md).
+
+## Variables
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_ami_filter"></a> [ami\_filter](#input\_ami\_filter) | The amis to search.  Use the default for the provided amazon linux image, `github-runner-windows-core-2019-*` for the provided widnows image | `string` | `github-runner-amzn2-x86_64-2021*` | no |
+| <a name="input_github_app_key_base64"></a> [github\_app\_key\_base64](#input\_github\_app\_key\_base64) | The base64 encoded private key you downloaded from GitHub when creating the app | `string` | | yes |
+| <a name="input_github_app_id"></a> [github\_app\_id](#input\_github\_app\_id) | The id of the app you created on GitHub | `string` | | yes |
+| <a name="input_region"></a> [region](#input\_region) | The target aws region | `string` | `eu-west-1` | no |
+| <a name="input_runner_os"></a> [runner\_os](#input\_runner\_os) | The os of the image, either `linux` or `windows` | `string` | `linux` | no |
 
 ### Lambdas
 

examples/prebuilt/main.tf

@@ -1,6 +1,5 @@
 locals {
   environment = "prebuilt"
-  aws_region  = "eu-west-1"
 }
 
 resource "random_id" "random" {
@@ -12,7 +11,7 @@ data "aws_caller_identity" "current" {}
 module "runners" {
   source                          = "../../"
   create_service_linked_role_spot = true
-  aws_region                      = local.aws_region
+  aws_region                      = var.aws_region
   vpc_id                          = module.vpc.vpc_id
   subnet_ids                      = module.vpc.private_subnets
 
@@ -24,15 +23,17 @@ module "runners" {
     webhook_secret = random_id.random.hex
   }
 
-  webhook_lambda_zip                = "../../lambda_output/webhook.zip"
-  runner_binaries_syncer_lambda_zip = "../../lambda_output/runner-binaries-syncer.zip"
-  runners_lambda_zip                = "../../lambda_output/runners.zip"
+  webhook_lambda_zip                = "lambdas-download/webhook.zip"
+  runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
+  runners_lambda_zip                = "lambdas-download/runners.zip"
 
   runner_extra_labels = "default,example"
 
+  runner_os = var.runner_os
+
   # configure your pre-built AMI
   enabled_userdata = false
-  ami_filter       = { name = ["github-runner-amzn2-x86_64-2021*"] }
+  ami_filter       = { name = [var.ami_name_filter] }
   ami_owners       = [data.aws_caller_identity.current.account_id]
 
   # enable access to the runners via SSM

examples/prebuilt/providers.tf

@@ -1,3 +1,3 @@
 provider "aws" {
-  region = local.aws_region
+  region = var.aws_region
 }

examples/prebuilt/variables.tf

@@ -2,3 +2,18 @@
 variable "github_app_key_base64" {}
 
 variable "github_app_id" {}
+
+variable "runner_os" {
+  type    = string
+  default = "linux"
+}
+
+variable "ami_name_filter" {
+  type    = string
+  default = "github-runner-amzn2-x86_64-2021*"
+}
+
+variable "aws_region" {
+  type    = string
+  default = "eu-west-1"
+}

examples/prebuilt/vpc.tf

@@ -2,6 +2,6 @@ module "vpc" {
   source = "git::https://github.com/philips-software/terraform-aws-vpc.git?ref=2.2.0"
 
   environment                = local.environment
-  aws_region                 = local.aws_region
+  aws_region                 = var.aws_region
   create_private_hosted_zone = false
 }

images/README.md

@@ -4,7 +4,7 @@ The images inside this folder are pre-built images designed to shorten the boot
 
 These images share the same scripting as used in the user-data mechanism in `/modules/runners/templates/`. We use a `tempaltefile` mechanism to insert the relevant script fragments into the scripts used for provisioning the images.
 
-The example in `linux-amzn2` also uploads a `start-runner.sh` script that uses the exact same startup process as used in the user-data mechanism. This means that the image created here does not need any extra scripts injected or changes to boot up and connect to GH.
+The examples in `linux-amzn2` and `windows-core-2019` also upload a `start-runner` script that uses the exact same startup process as used in the user-data mechanism. This means that the image created here does not need any extra scripts injected or changes to boot up and connect to GH.
 
 ## Building your own
 

images/install-runner.ps1

@@ -0,0 +1,8 @@
+#!/bin/bash -e
+
+user_name=ec2-user
+
+## This wrapper file re-uses scripts in the /modules/runners/templates directory
+## of this repo. These are the same that are used by the user_data functionality 
+## to bootstrap the instance if it is started from an existing AMI.
+${install_runner}

images/start-runner.ps1

@@ -0,0 +1,3 @@
+Start-Transcript -Path "C:\runner-startup.log" -Append
+${start_runner}
+Stop-Transcript

images/windows-core-2019/bootstrap_win.ps1

@@ -0,0 +1,38 @@
+<powershell>
+
+Write-Output "Running User Data Script"
+Write-Host "(host) Running User Data Script"
+
+Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
+
+# Don't set this before Set-ExecutionPolicy as it throws an error
+$ErrorActionPreference = "stop"
+
+# Remove HTTP listener
+Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
+
+# Create a self-signed certificate to let ssl work
+$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
+New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
+
+# WinRM
+Write-Output "Setting up WinRM"
+Write-Host "(host) setting up WinRM"
+
+# I'm not really sure why we need the cmd.exe wrapper, but it works with it and doesn't work without it
+cmd.exe /c winrm quickconfig -q
+cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
+cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
+cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
+cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
+cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
+cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
+cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
+cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
+cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
+cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
+cmd.exe /c net stop winrm
+cmd.exe /c sc config winrm start= auto
+cmd.exe /c net start winrm
+
+</powershell>