Add AMI build scripts and configuration

Signed-off-by: Manuel Alejandro de Brito Fontes <[email protected]>

Author: aledbf

ami/LICENSE

@@ -0,0 +1,15 @@
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

ami/Makefile

@@ -0,0 +1,26 @@
+
+PACKER_VARIABLES := binary_bucket_name binary_bucket_region eks_version eks_build_date cni_plugin_version root_volume_size data_volume_size hardening_flag http_proxy https_proxy no_proxy
+VPC_ID := vpc-0e8cf1ce122b1b059
+SUBNET_ID := subnet-0eddf1d7d0f9f9772
+AWS_REGION := us-west-2
+PACKER_FILE :=
+
+EKS_BUILD_DATE := 2020-11-02
+EKS_120_VERSION := 1.20.4
+EKS_121_VERSION := 1.21.2
+
+build:
+	packer build \
+		--var 'aws_region=$(AWS_REGION)' \
+		$(foreach packerVar,$(PACKER_VARIABLES), $(if $($(packerVar)),--var $(packerVar)='$($(packerVar))',)) \
+		$(PACKER_FILE)
+
+# Ubuntu 20.04
+#-----------------------------------------------------
+# https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
+
+build-ubuntu2004-1.20:
+	$(MAKE) build PACKER_FILE=amazon-eks-node-ubuntu2004.json eks_version=$(EKS_120_VERSION) eks_build_date=2021-04-12
+
+build-ubuntu2004-1.21:
+	$(MAKE) build PACKER_FILE=amazon-eks-node-ubuntu2004.json eks_version=$(EKS_121_VERSION) eks_build_date=2021-07-05

ami/amazon-eks-node-ubuntu2004.json

@@ -0,0 +1,158 @@
+{
+  "variables":{
+    "aws_region":"us-east-2",
+    "ami_description":"EKS Kubernetes Worker AMI on Ubuntu 20.04 (k8s: {{user `eks_version`}})",
+    "eks_version":"",
+    "eks_build_date":"",
+    "cni_plugin_version": "v0.9.1",
+    "binary_bucket_name": "amazon-eks",
+    "binary_bucket_region": "us-west-2",
+    "hardening_flag": "false",
+    "root_volume_size": "30",
+    "data_volume_size": "10",
+    "vpc_id":"",
+    "subnet_id":"",
+    "http_proxy": "",
+    "https_proxy": "",
+    "no_proxy": "",
+
+    "source_ami_owner": "099720109477",
+    "source_ami_owner_govcloud": "513442679011",
+    "source_ami_ssh_user": "ubuntu",
+    "source_ami_arch":"x86_64",
+    "source_ami_name":"ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*",
+    "target_ami_name": "amazon-eks-node-{{user `eks_version`}}-ubuntu-20.04-{{ timestamp }}"
+  },
+  "builders":[
+    {
+      "type":"amazon-ebs",
+      "region":"{{user `aws_region`}}",
+      "source_ami_filter":{
+        "filters":{
+          "name":"{{user `source_ami_name`}}",
+          "root-device-type":"ebs",
+          "state":"available",
+          "virtualization-type":"hvm",
+          "architecture":"{{user `source_ami_arch`}}"
+        },
+        "owners":[
+          "{{user `source_ami_owner`}}",
+          "{{user `source_ami_owner_govcloud`}}"
+        ],
+        "most_recent":true
+      },
+      "instance_type":"m5.xlarge",
+      "ssh_username":"{{user `source_ami_ssh_user`}}",
+      "ssh_pty":true,
+      "subnet_id":"{{user `subnet_id`}}",
+      "launch_block_device_mappings":[
+        {
+          "device_name":"/dev/sda1",
+          "volume_size": "{{user `root_volume_size`}}",
+          "volume_type":"gp3",
+          "delete_on_termination":true
+        },
+        {
+          "device_name":"/dev/sdb",
+          "volume_size":"{{user `data_volume_size`}}",
+          "volume_type":"gp3",
+          "delete_on_termination":true
+        }
+      ],
+      "ami_block_device_mappings":[
+        {
+          "device_name":"/dev/sdb",
+          "volume_size":"{{user `data_volume_size`}}",
+          "volume_type":"gp2",
+          "delete_on_termination":true
+        }
+      ],
+      "tags":{
+        "Name":"{{user `target_ami_name`}}",
+        "BuildDate":"{{ isotime }}"
+      },
+      "ami_name":"{{user `target_ami_name`}}",
+      "ami_description":"{{user `ami_description` }}",
+      "ami_virtualization_type":"hvm",
+      "run_tags":{
+        "Name":"packer-{{user `target_ami_name`}}"
+      }
+    }
+  ],
+  "provisioners":[
+    {
+      "type": "shell",
+      "inline": [
+        "mkdir -p /etc/packer/files",
+        "chown -R {{user `source_ami_ssh_user`}}:{{user `source_ami_ssh_user`}} /etc/packer/files"
+      ],
+      "execute_command":"echo 'packer' | {{.Vars}} sudo -S -E bash -eux '{{.Path}}'"
+    },
+    {
+      "type": "file",
+      "source": "./files/",
+      "destination": "/etc/packer/files"
+    },
+    {
+      "type":"shell",
+      "scripts": [
+        "./scripts/ubuntu2004/boilerplate.sh"
+      ],
+      "environment_vars": [
+        "HTTP_PROXY={{user `http_proxy`}}",
+        "HTTPS_PROXY={{user `https_proxy`}}",
+        "NO_PROXY={{user `no_proxy`}}",
+        "KUBERNETES_VERSION={{user `eks_version`}}",
+        "KUBERNETES_BUILD_DATE={{user `eks_build_date`}}",
+        "BINARY_BUCKET_NAME={{user `binary_bucket_name`}}",
+        "BINARY_BUCKET_REGION={{user `binary_bucket_region`}}",
+        "CNI_PLUGIN_VERSION={{user `cni_plugin_version`}}",
+        "HARDENING_FLAG={{user `hardening_flag`}}"
+      ],
+      "execute_command":"echo 'packer' | {{.Vars}} sudo -S -E bash -eux '{{.Path}}'",
+      "expect_disconnect":true,
+      "pause_after":"30s"
+    },
+    {
+      "type":"shell",
+      "scripts":[
+        "./scripts/shared/docker.sh",
+        "./scripts/shared/eks.sh",
+        "./scripts/shared/cis-eks.sh"
+      ],
+      "environment_vars": [
+        "HTTP_PROXY={{user `http_proxy`}}",
+        "HTTPS_PROXY={{user `https_proxy`}}",
+        "NO_PROXY={{user `no_proxy`}}",
+        "KUBERNETES_VERSION={{user `eks_version`}}",
+        "KUBERNETES_BUILD_DATE={{user `eks_build_date`}}",
+        "BINARY_BUCKET_NAME={{user `binary_bucket_name`}}",
+        "BINARY_BUCKET_REGION={{user `binary_bucket_region`}}",
+        "CNI_PLUGIN_VERSION={{user `cni_plugin_version`}}",
+        "HARDENING_FLAG={{user `hardening_flag`}}"
+      ],
+      "execute_command":"echo 'packer' | {{.Vars}} sudo -S -E bash -eux '{{.Path}}'",
+      "expect_disconnect":true,
+      "pause_after":"30s"
+    },
+    {
+      "type":"shell",
+      "scripts": [
+        "./scripts/ubuntu2004/hardening.sh",
+        "./scripts/ubuntu2004/cleanup.sh"
+      ],
+      "environment_vars": [
+        "HTTP_PROXY={{user `http_proxy`}}",
+        "HTTPS_PROXY={{user `https_proxy`}}",
+        "NO_PROXY={{user `no_proxy`}}",
+        "KUBERNETES_VERSION={{user `eks_version`}}",
+        "KUBERNETES_BUILD_DATE={{user `eks_build_date`}}",
+        "BINARY_BUCKET_NAME={{user `binary_bucket_name`}}",
+        "BINARY_BUCKET_REGION={{user `binary_bucket_region`}}",
+        "CNI_PLUGIN_VERSION={{user `cni_plugin_version`}}",
+        "HARDENING_FLAG={{user `hardening_flag`}}"
+      ],
+      "execute_command":"echo 'packer' | {{.Vars}} sudo -S -E bash -eux '{{.Path}}'"
+    }
+  ]
+}

ami/copy-image.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+SOURCE_AMI=$1
+if [ -z "$SOURCE_AMI" ]; then
+    echo -e "Please provider a valid AMI image"
+    exit 1
+fi
+
+set -euo pipefail
+
+SOURCE_REGION=us-west-2
+TARGET_REGIONS=(
+    us-west-1
+    eu-west-1
+    eu-west-2
+    eu-central-1
+    us-east-1
+    us-east-2
+)
+
+if ! aws ec2 describe-images --region us-west-2 --image-ids "${SOURCE_AMI}" >/dev/null 2>&1; then
+    echo "The AMI image with ID ${SOURCE_AMI} does not exist."
+    exit 1
+fi
+
+NAME=$(aws ec2 describe-images --region us-west-2 --image-ids "${SOURCE_AMI}" --query 'Images[*].[Name]' --output text)
+
+for TO_REGION in ${TARGET_REGIONS[*]};do
+    aws ec2 copy-image \
+        --name "$NAME" \
+        --source-image-id "${SOURCE_AMI}" \
+        --source-region "${SOURCE_REGION}" \
+        --region "${TO_REGION}" \
+        --output text
+done