From 8112ed67a701903a5d66bba23fee239088831111 Mon Sep 17 00:00:00 2001 From: gnought <1684105+gnought@users.noreply.github.com> Date: Mon, 26 Aug 2024 01:23:39 +0800 Subject: [PATCH 1/5] refactor --- builder/common/step_iam_instance_profile.go | 120 ++++++++++---------- 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/builder/common/step_iam_instance_profile.go b/builder/common/step_iam_instance_profile.go index 23731fc5d..7b804ac41 100644 --- a/builder/common/step_iam_instance_profile.go +++ b/builder/common/step_iam_instance_profile.go @@ -30,6 +30,17 @@ type StepIamInstanceProfile struct { Ctx interpolate.Context } +func handleError(state multistep.StateBag, err error, message ...string) multistep.StepAction { + log.Printf("[DEBUG] %s", err.Error()) + state.Get("ui").(packersdk.Ui).Error(err.Error()) + if len(message) > 0 { + state.Put("error", fmt.Errorf("%s: %s", message[0], err)) + } else { + state.Put("error", err) + } + return multistep.ActionHalt +} + func (s *StepIamInstanceProfile) Run(ctx context.Context, state multistep.StateBag) multistep.StepAction { iamsvc := state.Get("iam").(*iam.IAM) ui := state.Get("ui").(packersdk.Ui) @@ -44,10 +55,7 @@ func (s *StepIamInstanceProfile) Run(ctx context.Context, state multistep.StateB }, ) if err != nil { - err := fmt.Errorf("Couldn't find specified instance profile: %s", err) - log.Printf("[DEBUG] %s", err.Error()) - state.Put("error", err) - return multistep.ActionHalt + return handleError(state, err, "Couldn't find specified instance profile: %s") } } log.Printf("Using specified instance profile: %v", s.IamInstanceProfile) 
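Review bot: In the new `handleError`, the UI and the debug log receive the bare `err.Error()`, while only the state bag gets the message-prefixed error, so the operator-visible line loses the context ("Error creating role", etc.). Build the wrapped error once and use it for all three sinks, with `%w` so callers can still unwrap it: `if len(message) > 0 { err = fmt.Errorf("%s: %w", message[0], err) }` placed before the `log.Printf`, `ui.Error` and `state.Put` calls. Only `message[0]` is ever read, so a plain `message string` parameter would state the contract more clearly than a variadic. The helper also needs a doc comment saying that it records the error and always returns `multistep.ActionHalt`.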
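Review bot: The message passed to `handleError` in the profile-lookup branch still carries the `%s` verb from the old `fmt.Errorf` call. `handleError` inserts the message verbatim, so the stored error would read "Couldn't find specified instance profile: %s: <err>". Drop the verb and the trailing colon: `return handleError(state, err, "Couldn't find specified instance profile")`. Run's body starts and ends outside this hunk.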
@@ -59,11 +67,9 @@ func (s *StepIamInstanceProfile) Run(ctx context.Context, state multistep.StateB // Create the profile profileName := fmt.Sprintf("packer-%s", uuid.TimeOrderedUUID()) - policy, err := json.Marshal(s.TemporaryIamInstanceProfilePolicyDocument) + inlinePolicyJSON, err := json.Marshal(s.TemporaryIamInstanceProfilePolicyDocument) if err != nil { - ui.Error(err.Error()) - state.Put("error", err) - return multistep.ActionHalt + return handleError(state, err, "Error parsing policy document") } ui.Say(fmt.Sprintf("Creating temporary instance profile for this instance: %s", profileName)) 
@@ -71,52 +77,34 @@ func (s *StepIamInstanceProfile) Run(ctx context.Context, state multistep.StateB region := state.Get("region").(*string) iamProfileTags, err := TagMap(s.Tags).IamTags(s.Ctx, *region, state) if err != nil { - err := fmt.Errorf("Error creating IAM tags: %s", err) - state.Put("error", err) - return multistep.ActionHalt - } - profileResp, err := iamsvc.CreateInstanceProfile(&iam.CreateInstanceProfileInput{ - InstanceProfileName: aws.String(profileName), - Tags: iamProfileTags, - }) - if err != nil { - ui.Error(err.Error()) - state.Put("error", err) - return multistep.ActionHalt - } - s.createdInstanceProfileName = aws.StringValue(profileResp.InstanceProfile.InstanceProfileName) - - log.Printf("[DEBUG] Waiting for temporary instance profile: %s", s.createdInstanceProfileName) - err = iamsvc.WaitUntilInstanceProfileExists(&iam.GetInstanceProfileInput{ - InstanceProfileName: aws.String(s.createdInstanceProfileName), - }) - - if err == nil { - log.Printf("[DEBUG] Found instance profile %s", s.createdInstanceProfileName) - } else { - err := fmt.Errorf("Timed out waiting for instance profile %s: %s", s.createdInstanceProfileName, err) - log.Printf("[DEBUG] %s", err.Error()) - state.Put("error", err) - return multistep.ActionHalt + return handleError(state, err, "Error creating IAM tags") } ui.Say(fmt.Sprintf("Creating temporary role for this instance: %s", profileName)) - + trustPolicy := `{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "ec2.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }` roleResp, err := iamsvc.CreateRole(&iam.CreateRoleInput{ RoleName: aws.String(profileName), Description: aws.String("Temporary role for Packer"), - AssumeRolePolicyDocument: aws.String("{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"ec2.amazonaws.com\"},\"Action\": \"sts:AssumeRole\"}]}"), + AssumeRolePolicyDocument: aws.String(trustPolicy), Tags: 
iamProfileTags, }) if err != nil { - ui.Error(err.Error()) - state.Put("error", err) - return multistep.ActionHalt + return handleError(state, err, "Error creating role") } + s.createdRoleName = *roleResp.Role.RoleName - s.createdRoleName = aws.StringValue(roleResp.Role.RoleName) - - log.Printf("[DEBUG] Waiting for temporary role: %s", s.createdInstanceProfileName) + log.Printf("[DEBUG] Waiting for temporary role: %s", s.createdRoleName) err = iamsvc.WaitUntilRoleExistsWithContext( aws.BackgroundContext(), &iam.GetRoleInput{ 
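Review bot: `s.createdRoleName = *roleResp.Role.RoleName` replaces the nil-safe `aws.StringValue(...)` with a raw dereference, so a response with a nil `RoleName` would panic inside the step instead of yielding an empty name. Keep the SDK helper: `s.createdRoleName = aws.StringValue(roleResp.Role.RoleName)`. The same pattern is introduced in the next hunk (`@@ -115,39 +115,51 @@`) for `*profileResp.InstanceProfile.InstanceProfileName` and should get the same treatment. The corrected log line (`s.createdRoleName` instead of `s.createdInstanceProfileName`) is a real fix and worth naming in the commit message rather than hiding under "refactor".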
@@ -127,39 +115,51 @@ func (s *StepIamInstanceProfile) Run(ctx context.Context, state multistep.StateB if err == nil { log.Printf("[DEBUG] Found temporary role %s", s.createdRoleName) } else { - err := fmt.Errorf("Timed out waiting for temporary role %s: %s", s.createdRoleName, err) - log.Printf("[DEBUG] %s", err.Error()) - state.Put("error", err) - return multistep.ActionHalt + return handleError(state, err, fmt.Sprintf("Timed out waiting for temporary role %s", s.createdRoleName)) } ui.Say(fmt.Sprintf("Attaching policy to the temporary role: %s", profileName)) _, err = iamsvc.PutRolePolicy(&iam.PutRolePolicyInput{ - RoleName: roleResp.Role.RoleName, + RoleName: aws.String(s.createdRoleName), PolicyName: aws.String(profileName), - PolicyDocument: aws.String(string(policy)), + PolicyDocument: aws.String(string(inlinePolicyJSON)), }) if err != nil { - ui.Error(err.Error()) - state.Put("error", err) - return multistep.ActionHalt + return handleError(state, err, "Error attaching policy to role") } + s.createdPolicyName = profileName - s.createdPolicyName = aws.StringValue(roleResp.Role.RoleName) + profileResp, err := iamsvc.CreateInstanceProfile(&iam.CreateInstanceProfileInput{ + InstanceProfileName: aws.String(profileName), + Tags: iamProfileTags, + }) + if err != nil { + return handleError(state, err, "Error creating instance profile") + } + s.createdInstanceProfileName = *profileResp.InstanceProfile.InstanceProfileName + + log.Printf("[DEBUG] Waiting for temporary instance profile: %s", s.createdInstanceProfileName) + err = iamsvc.WaitUntilInstanceProfileExists(&iam.GetInstanceProfileInput{ + InstanceProfileName: aws.String(s.createdInstanceProfileName), + }) + + if err == nil { + log.Printf("[DEBUG] Found instance profile %s", s.createdInstanceProfileName) + } else { + return handleError(state, err, fmt.Sprintf("Timed out waiting for instance profile %s", s.createdInstanceProfileName)) + } _, err = 
iamsvc.AddRoleToInstanceProfile(&iam.AddRoleToInstanceProfileInput{ - RoleName: roleResp.Role.RoleName, - InstanceProfileName: profileResp.InstanceProfile.InstanceProfileName, + InstanceProfileName: aws.String(s.createdInstanceProfileName), + RoleName: aws.String(s.createdRoleName), }) if err != nil { - ui.Error(err.Error()) - state.Put("error", err) - return multistep.ActionHalt + return handleError(state, err, "Error attaching role to instance profile") } s.roleIsAttached = true - state.Put("iamInstanceProfile", aws.StringValue(profileResp.InstanceProfile.InstanceProfileName)) + state.Put("iamInstanceProfile", s.createdInstanceProfileName) } return multistep.ActionContinue @@ -170,7 +170,7 @@ func (s *StepIamInstanceProfile) Cleanup(state multistep.StateBag) { ui := state.Get("ui").(packersdk.Ui) var err error - if s.roleIsAttached == true { + if s.roleIsAttached { ui.Say("Detaching temporary role from instance profile...") _, err := iamsvc.RemoveRoleFromInstanceProfile(&iam.RemoveRoleFromInstanceProfileInput{ From 2aff2d1bdd6dbd7755596a043f2a7f49120ad1b0 Mon Sep 17 00:00:00 2001 From: gnought <1684105+gnought@users.noreply.github.com> Date: Mon, 26 Aug 2024 01:37:05 +0800 Subject: [PATCH 2/5] refactor --- builder/common/step_iam_instance_profile.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/builder/common/step_iam_instance_profile.go b/builder/common/step_iam_instance_profile.go index 7b804ac41..aa079becb 100644 --- a/builder/common/step_iam_instance_profile.go +++ b/builder/common/step_iam_instance_profile.go 
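Review bot: The relocated `iamsvc.WaitUntilInstanceProfileExists(...)` call takes no context, so cancelling the build cannot interrupt it, whereas the role waiter in the preceding hunk already uses the `WithContext` form. Since this block is being moved anyway, switch to `iamsvc.WaitUntilInstanceProfileExistsWithContext(ctx, &iam.GetInstanceProfileInput{...}, s.PollingConfig.getWaiterOptions()...)`, assuming `PollingConfig` is used here as it is for the other waiters in this file. The reorder also means a role and inline policy now exist before `CreateInstanceProfile` runs. Cleanup is mostly outside this hunk, so please confirm it deletes the role and policy when the profile was never created.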
@@ -71,8 +71,7 @@ func (s *StepIamInstanceProfile) Run(ctx context.Context, state multistep.StateB if err != nil { return handleError(state, err, "Error parsing policy document") } - - ui.Say(fmt.Sprintf("Creating temporary instance profile for this instance: %s", profileName)) + ui.Sayf("Creating temporary instance profile for this instance: %s", profileName) region := state.Get("region").(*string) iamProfileTags, err := TagMap(s.Tags).IamTags(s.Ctx, *region, state) @@ -80,7 +79,7 @@ func (s *StepIamInstanceProfile) Run(ctx context.Context, state multistep.StateB return handleError(state, err, "Error creating IAM tags") } - ui.Say(fmt.Sprintf("Creating temporary role for this instance: %s", profileName)) + ui.Sayf("Creating temporary role for this instance: %s", profileName) trustPolicy := `{ "Version": "2012-10-17", "Statement": [ @@ -118,7 +117,7 @@ func (s *StepIamInstanceProfile) Run(ctx context.Context, state multistep.StateB return handleError(state, err, fmt.Sprintf("Timed out waiting for temporary role %s", s.createdRoleName)) } - ui.Say(fmt.Sprintf("Attaching policy to the temporary role: %s", profileName)) + ui.Sayf("Attaching policy to the temporary role: %s", profileName) _, err = iamsvc.PutRolePolicy(&iam.PutRolePolicyInput{ RoleName: aws.String(s.createdRoleName), From 1fe33b6e979d5220d51f0586d3d4e3320a1deb55 Mon Sep 17 00:00:00 2001 From: gnought <1684105+gnought@users.noreply.github.com> Date: Mon, 26 Aug 2024 02:21:31 +0800 Subject: [PATCH 3/5] feat: auto-create temp instance profile for session manager when iam_instance_profile is undefined --- builder/common/run_config.go | 10 ++-- builder/common/step_iam_instance_profile.go | 62 ++++++++++++++++----- builder/ebs/builder.go | 1 + builder/ebssurrogate/builder.go | 1 + builder/ebsvolume/builder.go | 1 + builder/instance/builder.go | 1 + 6 files changed, 57 insertions(+), 19 deletions(-) diff --git a/builder/common/run_config.go b/builder/common/run_config.go index 9cdc62fa7..84b486d39 100644 
--- a/builder/common/run_config.go +++ b/builder/common/run_config.go @@ -8,6 +8,7 @@ package common import ( "fmt" + "log" "net" "os" "regexp" @@ -796,10 +797,8 @@ func (c *RunConfig) Prepare(ctx *interpolate.Context) []error { msg := fmt.Errorf(`session_manager connectivity is not supported with the "winrm" communicator; please use "ssh"`) errs = append(errs, msg) } - - if c.IamInstanceProfile == "" && c.TemporaryIamInstanceProfilePolicyDocument == nil { - msg := fmt.Errorf(`no iam_instance_profile defined; session_manager connectivity requires a valid instance profile with AmazonSSMManagedInstanceCore permissions. Alternatively a temporary_iam_instance_profile_policy_document can be used.`) - errs = append(errs, msg) + if c.IamInstanceProfile != "" { + log.Printf("[WARNING] (aws): session_manager connectivity requires a valid instance profile with AmazonSSMManagedInstanceCore permissions. Please make sure iam_instance_profile has proper permissions.") } } @@ -963,8 +962,7 @@ func (c *RunConfig) IsSpotInstance() bool { } func (c *RunConfig) SSMAgentEnabled() bool { - hasIamInstanceProfile := c.IamInstanceProfile != "" || c.TemporaryIamInstanceProfilePolicyDocument != nil - return c.SSHInterface == "session_manager" && hasIamInstanceProfile + return c.SSHInterface == "session_manager" } // IsBurstableInstanceType checks if the InstanceType for the config is one diff --git a/builder/common/step_iam_instance_profile.go b/builder/common/step_iam_instance_profile.go index aa079becb..ca8dfe6ec 100644 --- a/builder/common/step_iam_instance_profile.go +++ b/builder/common/step_iam_instance_profile.go 
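Review bot: With the validation error removed in `Prepare`, a template that selects `session_manager` and sets neither `iam_instance_profile` nor a policy document now passes silently, and the build later creates an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. That is an implicit privilege grant in the operator's account and should be announced at Prepare time, for example `} else if c.TemporaryIamInstanceProfilePolicyDocument == nil { log.Printf("[INFO] (aws): no iam_instance_profile defined; a temporary instance profile with AmazonSSMManagedInstanceCore will be created for session_manager") }`. The added `[WARNING]` line is emitted for every user-supplied profile, including correctly permissioned ones, so `[INFO]` is probably the better level. The option documentation should also state that the build credentials now need IAM role and policy permissions for this path.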
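Review bot: `SSMAgentEnabled` now has a different meaning (it no longer implies that an instance profile is configured) but has no doc comment recording that. Add `// SSMAgentEnabled reports whether the SSH interface is session_manager; it does not indicate that an instance profile has been configured.` Callers outside this diff that relied on the old "profile is present" meaning should be re-checked.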
@@ -17,11 +17,16 @@ import ( "github.com/hashicorp/packer-plugin-sdk/uuid" ) +const ( + AmazonSSMManagedInstanceCorePolicyArn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" +) + type StepIamInstanceProfile struct { PollingConfig *AWSPollingConfig IamInstanceProfile string SkipProfileValidation bool TemporaryIamInstanceProfilePolicyDocument *PolicyDocument + SSMAgentEnabled bool createdInstanceProfileName string createdRoleName string createdPolicyName string @@ -63,14 +68,10 @@ func (s *StepIamInstanceProfile) Run(ctx context.Context, state multistep.StateB return multistep.ActionContinue } - if s.TemporaryIamInstanceProfilePolicyDocument != nil { + if s.SSMAgentEnabled || s.TemporaryIamInstanceProfilePolicyDocument != nil { // Create the profile profileName := fmt.Sprintf("packer-%s", uuid.TimeOrderedUUID()) - inlinePolicyJSON, err := json.Marshal(s.TemporaryIamInstanceProfilePolicyDocument) - if err != nil { - return handleError(state, err, "Error parsing policy document") - } ui.Sayf("Creating temporary instance profile for this instance: %s", profileName) region := state.Get("region").(*string) 
@@ -119,15 +120,44 @@ func (s *StepIamInstanceProfile) Run(ctx context.Context, state multistep.StateB ui.Sayf("Attaching policy to the temporary role: %s", profileName) - _, err = iamsvc.PutRolePolicy(&iam.PutRolePolicyInput{ - RoleName: aws.String(s.createdRoleName), - PolicyName: aws.String(profileName), - PolicyDocument: aws.String(string(inlinePolicyJSON)), - }) - if err != nil { - return handleError(state, err, "Error attaching policy to role") + if s.TemporaryIamInstanceProfilePolicyDocument != nil { + inlinePolicyJSON, err := json.Marshal(s.TemporaryIamInstanceProfilePolicyDocument) + if err != nil { + return handleError(state, err, "Error parsing policy document") + } + _, err = iamsvc.PutRolePolicy(&iam.PutRolePolicyInput{ + RoleName: aws.String(s.createdRoleName), + PolicyName: aws.String(profileName), + PolicyDocument: aws.String(string(inlinePolicyJSON)), + }) + if err != nil { + return handleError(state, err, "Error attaching policy to role") + } + s.createdPolicyName = profileName + } + if s.SSMAgentEnabled { + ssmPolicyArn := aws.String(AmazonSSMManagedInstanceCorePolicyArn) + _, err = iamsvc.AttachRolePolicy(&iam.AttachRolePolicyInput{ + PolicyArn: ssmPolicyArn, + RoleName: aws.String(s.createdRoleName), + }) + if err != nil { + return handleError(state, err, "Error attaching AmazonSSMManagedInstanceCore policy to role") + } + log.Printf("[DEBUG] Waiting for AmazonSSMManagedInstanceCore attached policy ready") + err = iamsvc.WaitUntilPolicyExistsWithContext( + aws.BackgroundContext(), + &iam.GetPolicyInput{ + PolicyArn: ssmPolicyArn, + }, + s.PollingConfig.getWaiterOptions()..., + ) + if err == nil { + log.Printf("[DEBUG] Found AmazonSSMManagedInstanceCore attached policy in %s", s.createdRoleName) + } else { + return handleError(state, err, fmt.Sprintf("Timed out waiting for AmazonSSMManagedInstanceCore attached policy in %s", s.createdRoleName)) + } } - s.createdPolicyName = profileName profileResp, err := 
iamsvc.CreateInstanceProfile(&iam.CreateInstanceProfileInput{ InstanceProfileName: aws.String(profileName), @@ -172,6 +202,12 @@ func (s *StepIamInstanceProfile) Cleanup(state multistep.StateBag) { if s.roleIsAttached { ui.Say("Detaching temporary role from instance profile...") + if s.SSMAgentEnabled { + iamsvc.DetachRolePolicy(&iam.DetachRolePolicyInput{ + PolicyArn: aws.String(AmazonSSMManagedInstanceCorePolicyArn), + RoleName: aws.String(s.createdRoleName), + }) + } _, err := iamsvc.RemoveRoleFromInstanceProfile(&iam.RemoveRoleFromInstanceProfileInput{ InstanceProfileName: aws.String(s.createdInstanceProfileName), RoleName: aws.String(s.createdRoleName), diff --git a/builder/ebs/builder.go b/builder/ebs/builder.go index 1c18fdd9f..e3b232464 100644 --- a/builder/ebs/builder.go +++ b/builder/ebs/builder.go @@ -348,6 +348,7 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook) PollingConfig: b.config.PollingConfig, IamInstanceProfile: b.config.IamInstanceProfile, SkipProfileValidation: b.config.SkipProfileValidation, + SSMAgentEnabled: b.config.SSMAgentEnabled(), TemporaryIamInstanceProfilePolicyDocument: b.config.TemporaryIamInstanceProfilePolicyDocument, Tags: b.config.RunTags, Ctx: b.config.ctx, diff --git a/builder/ebssurrogate/builder.go b/builder/ebssurrogate/builder.go index 8be0644cf..624f3b33f 100644 --- a/builder/ebssurrogate/builder.go +++ b/builder/ebssurrogate/builder.go @@ -432,6 +432,7 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook) PollingConfig: b.config.PollingConfig, IamInstanceProfile: b.config.IamInstanceProfile, SkipProfileValidation: b.config.SkipProfileValidation, + SSMAgentEnabled: b.config.SSMAgentEnabled(), TemporaryIamInstanceProfilePolicyDocument: b.config.TemporaryIamInstanceProfilePolicyDocument, Tags: b.config.RunTags, Ctx: b.config.ctx, diff --git a/builder/ebsvolume/builder.go b/builder/ebsvolume/builder.go index f56a3ba45..2698aa630 100644 
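Review bot: The `WaitUntilPolicyExistsWithContext` call after `AttachRolePolicy` waits on `GetPolicy` for the AWS-managed policy ARN, which exists whether or not it is attached to this role. The "attached policy ready" log lines therefore claim something the wait does not verify. Either drop the waiter or confirm the attachment on the role itself (for example via `ListAttachedRolePolicies` for `s.createdRoleName`), and reword the messages to match. The waiter also uses `aws.BackgroundContext()` and so ignores cancellation; pass Run's `ctx` instead. Run's body starts and ends outside this hunk.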
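Review bot: In Cleanup, the new `DetachRolePolicy` call is nested under `if s.roleIsAttached` and its result is discarded, so the managed policy stays attached if Run fails anywhere between `AttachRolePolicy` and `AddRoleToInstanceProfile`. IAM will not delete a role that still has managed policies attached, so the temporary role with SSM permissions would presumably be leaked; the role-deletion code is outside this hunk, so please confirm. Gate the detach on the role having been created rather than on `roleIsAttached`, and surface the failure: `if _, err := iamsvc.DetachRolePolicy(input); err != nil { ui.Error(err.Error()) }`. The later "lint fix" hunk (PATCH 5/5) only changes this call to `_, _ =`, which silences the linter but keeps the error hidden.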
--- a/builder/ebsvolume/builder.go +++ b/builder/ebsvolume/builder.go @@ -318,6 +318,7 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook) PollingConfig: b.config.PollingConfig, IamInstanceProfile: b.config.IamInstanceProfile, SkipProfileValidation: b.config.SkipProfileValidation, + SSMAgentEnabled: b.config.SSMAgentEnabled(), TemporaryIamInstanceProfilePolicyDocument: b.config.TemporaryIamInstanceProfilePolicyDocument, Tags: b.config.RunTags, Ctx: b.config.ctx, diff --git a/builder/instance/builder.go b/builder/instance/builder.go index 79e75a2f3..f9449876b 100644 --- a/builder/instance/builder.go +++ b/builder/instance/builder.go @@ -387,6 +387,7 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook) PollingConfig: b.config.PollingConfig, IamInstanceProfile: b.config.IamInstanceProfile, SkipProfileValidation: b.config.SkipProfileValidation, + SSMAgentEnabled: b.config.SSMAgentEnabled(), TemporaryIamInstanceProfilePolicyDocument: b.config.TemporaryIamInstanceProfilePolicyDocument, Tags: b.config.RunTags, Ctx: b.config.ctx, From f6553b06083ba172f40099af21335559504fca60 Mon Sep 17 00:00:00 2001 From: gnought <1684105+gnought@users.noreply.github.com> Date: Mon, 26 Aug 2024 02:43:56 +0800 Subject: [PATCH 4/5] feat: support China region --- builder/common/helper_funcs.go | 7 +++++ builder/common/step_iam_instance_profile.go | 35 ++++++++++++--------- builder/ebs/builder.go | 9 +++--- builder/ebssurrogate/builder.go | 9 +++--- builder/ebsvolume/builder.go | 9 +++--- builder/instance/builder.go | 9 +++--- 6 files changed, 47 insertions(+), 31 deletions(-) diff --git a/builder/common/helper_funcs.go b/builder/common/helper_funcs.go index 1475a6d24..d608a68bf 100644 --- a/builder/common/helper_funcs.go +++ b/builder/common/helper_funcs.go 
@@ -76,3 +76,10 @@ func DestroyAMIs(imageids []*string, ec2conn *ec2.EC2) error { } return nil } + +func AwsPartition(isRestricted bool) string { + if isRestricted { + return "aws-cn" + } + return "aws" +} diff --git a/builder/common/step_iam_instance_profile.go b/builder/common/step_iam_instance_profile.go index ca8dfe6ec..7f0480ddb 100644 --- a/builder/common/step_iam_instance_profile.go +++ b/builder/common/step_iam_instance_profile.go @@ -18,7 +18,7 @@ import ( ) const ( - AmazonSSMManagedInstanceCorePolicyArn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" + AmazonSSMManagedInstanceCorePolicyArnPart = "iam::aws:policy/AmazonSSMManagedInstanceCore" ) type StepIamInstanceProfile struct { @@ -27,6 +27,7 @@ type StepIamInstanceProfile struct { SkipProfileValidation bool TemporaryIamInstanceProfilePolicyDocument *PolicyDocument SSMAgentEnabled bool + IsRestricted bool createdInstanceProfileName string createdRoleName string createdPolicyName string @@ -81,18 +82,22 @@ func (s *StepIamInstanceProfile) Run(ctx context.Context, state multistep.StateB } ui.Sayf("Creating temporary role for this instance: %s", profileName) - trustPolicy := `{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "ec2.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] - }` + service := "ec2.amazonaws.com" + if s.IsRestricted { + service = "ec2.amazonaws.com.cn" + } + trustPolicy := fmt.Sprintf(`{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "%s" + }, + "Action": "sts:AssumeRole" + } + ] + }`, service) roleResp, err := iamsvc.CreateRole(&iam.CreateRoleInput{ RoleName: aws.String(profileName), Description: aws.String("Temporary role for Packer"), 
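Review bot: `AwsPartition` maps a single boolean to `aws-cn` or `aws`, so any other partition (GovCloud uses `aws-us-gov`) would get an `arn:aws:...` policy ARN and, in the trust-policy hunk below, the commercial service principal. Whether this plugin targets such regions is not visible here. Since the callers pass `IsChinaCloud()`, naming the parameter `isChina` would be more honest than `isRestricted`. Add a doc comment that states the limitation, e.g. `// AwsPartition returns the ARN partition: "aws-cn" when isRestricted is true, otherwise "aws". Other partitions are not handled.` Deriving the partition from the configured region would be the more general fix.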
@@ -136,7 +141,7 @@ func (s *StepIamInstanceProfile) Run(ctx context.Context, state multistep.StateB s.createdPolicyName = profileName } if s.SSMAgentEnabled { - ssmPolicyArn := aws.String(AmazonSSMManagedInstanceCorePolicyArn) + ssmPolicyArn := aws.String(fmt.Sprintf("arn:%s:%s", AwsPartition(s.IsRestricted), AmazonSSMManagedInstanceCorePolicyArnPart)) _, err = iamsvc.AttachRolePolicy(&iam.AttachRolePolicyInput{ PolicyArn: ssmPolicyArn, RoleName: aws.String(s.createdRoleName), @@ -204,7 +209,7 @@ func (s *StepIamInstanceProfile) Cleanup(state multistep.StateBag) { if s.SSMAgentEnabled { iamsvc.DetachRolePolicy(&iam.DetachRolePolicyInput{ - PolicyArn: aws.String(AmazonSSMManagedInstanceCorePolicyArn), + PolicyArn: aws.String(fmt.Sprintf("arn:%s:%s", AwsPartition(s.IsRestricted), AmazonSSMManagedInstanceCorePolicyArnPart)), RoleName: aws.String(s.createdRoleName), }) } diff --git a/builder/ebs/builder.go b/builder/ebs/builder.go index e3b232464..637336469 100644 --- a/builder/ebs/builder.go +++ b/builder/ebs/builder.go @@ -345,10 +345,11 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook) Ctx: b.config.ctx, }, &awscommon.StepIamInstanceProfile{ - PollingConfig: b.config.PollingConfig, - IamInstanceProfile: b.config.IamInstanceProfile, - SkipProfileValidation: b.config.SkipProfileValidation, - SSMAgentEnabled: b.config.SSMAgentEnabled(), + PollingConfig: b.config.PollingConfig, + IamInstanceProfile: b.config.IamInstanceProfile, + SkipProfileValidation: b.config.SkipProfileValidation, + SSMAgentEnabled: b.config.SSMAgentEnabled(), + IsRestricted: b.config.IsChinaCloud(), TemporaryIamInstanceProfilePolicyDocument: b.config.TemporaryIamInstanceProfilePolicyDocument, Tags: b.config.RunTags, Ctx: b.config.ctx, diff --git a/builder/ebssurrogate/builder.go b/builder/ebssurrogate/builder.go index 624f3b33f..536d821d3 100644 --- a/builder/ebssurrogate/builder.go +++ b/builder/ebssurrogate/builder.go 
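Review bot: The managed-policy ARN is now assembled with the same `fmt.Sprintf("arn:%s:%s", AwsPartition(s.IsRestricted), AmazonSSMManagedInstanceCorePolicyArnPart)` expression in both Run (this hunk) and Cleanup (`@@ -204,7 +209,7 @@`). If the two copies drift, Cleanup would try to detach a different ARN from the one that was attached. Put it in one small method, e.g. `func (s *StepIamInstanceProfile) ssmPolicyArn() string`, and call that from both sites. Both enclosing functions extend outside the visible hunks.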
@@ -429,10 +429,11 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook) Ctx: b.config.ctx, }, &awscommon.StepIamInstanceProfile{ - PollingConfig: b.config.PollingConfig, - IamInstanceProfile: b.config.IamInstanceProfile, - SkipProfileValidation: b.config.SkipProfileValidation, - SSMAgentEnabled: b.config.SSMAgentEnabled(), + PollingConfig: b.config.PollingConfig, + IamInstanceProfile: b.config.IamInstanceProfile, + SkipProfileValidation: b.config.SkipProfileValidation, + SSMAgentEnabled: b.config.SSMAgentEnabled(), + IsRestricted: b.config.IsChinaCloud(), TemporaryIamInstanceProfilePolicyDocument: b.config.TemporaryIamInstanceProfilePolicyDocument, Tags: b.config.RunTags, Ctx: b.config.ctx, diff --git a/builder/ebsvolume/builder.go b/builder/ebsvolume/builder.go index 2698aa630..3e0149cb2 100644 --- a/builder/ebsvolume/builder.go +++ b/builder/ebsvolume/builder.go @@ -315,10 +315,11 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook) Ctx: b.config.ctx, }, &awscommon.StepIamInstanceProfile{ - PollingConfig: b.config.PollingConfig, - IamInstanceProfile: b.config.IamInstanceProfile, - SkipProfileValidation: b.config.SkipProfileValidation, - SSMAgentEnabled: b.config.SSMAgentEnabled(), + PollingConfig: b.config.PollingConfig, + IamInstanceProfile: b.config.IamInstanceProfile, + SkipProfileValidation: b.config.SkipProfileValidation, + SSMAgentEnabled: b.config.SSMAgentEnabled(), + IsRestricted: b.config.IsChinaCloud(), TemporaryIamInstanceProfilePolicyDocument: b.config.TemporaryIamInstanceProfilePolicyDocument, Tags: b.config.RunTags, Ctx: b.config.ctx, diff --git a/builder/instance/builder.go b/builder/instance/builder.go index f9449876b..1533c8034 100644 --- a/builder/instance/builder.go +++ b/builder/instance/builder.go 
@@ -384,10 +384,11 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook) Ctx: b.config.ctx, }, &awscommon.StepIamInstanceProfile{ - PollingConfig: b.config.PollingConfig, - IamInstanceProfile: b.config.IamInstanceProfile, - SkipProfileValidation: b.config.SkipProfileValidation, - SSMAgentEnabled: b.config.SSMAgentEnabled(), + PollingConfig: b.config.PollingConfig, + IamInstanceProfile: b.config.IamInstanceProfile, + SkipProfileValidation: b.config.SkipProfileValidation, + SSMAgentEnabled: b.config.SSMAgentEnabled(), + IsRestricted: b.config.IsChinaCloud(), TemporaryIamInstanceProfilePolicyDocument: b.config.TemporaryIamInstanceProfilePolicyDocument, Tags: b.config.RunTags, Ctx: b.config.ctx, From 0b70ffc4ed35772f5a369d02aab9ccdbcf237b21 Mon Sep 17 00:00:00 2001 From: gnought <1684105+gnought@users.noreply.github.com> Date: Mon, 26 Aug 2024 03:09:36 +0800 Subject: [PATCH 5/5] lint fix --- builder/common/step_iam_instance_profile.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/builder/common/step_iam_instance_profile.go b/builder/common/step_iam_instance_profile.go index 7f0480ddb..558f8a767 100644 --- a/builder/common/step_iam_instance_profile.go +++ b/builder/common/step_iam_instance_profile.go @@ -208,7 +208,7 @@ func (s *StepIamInstanceProfile) Cleanup(state multistep.StateBag) { ui.Say("Detaching temporary role from instance profile...") if s.SSMAgentEnabled { - iamsvc.DetachRolePolicy(&iam.DetachRolePolicyInput{ + _, _ = iamsvc.DetachRolePolicy(&iam.DetachRolePolicyInput{ PolicyArn: aws.String(fmt.Sprintf("arn:%s:%s", AwsPartition(s.IsRestricted), AmazonSSMManagedInstanceCorePolicyArnPart)), RoleName: aws.String(s.createdRoleName), })