github.com/aclaygray/packer@v1.3.2/website/source/docs/builders/amazon-instance.html.md

---
description: |
    The amazon-instance Packer builder is able to create Amazon AMIs backed by
    instance storage as the root device. For more information on the difference
    between instance storage and EBS-backed instances, see the storage for the
    root device section in the EC2 documentation.
layout: docs
page_title: 'Amazon instance-store - Builders'
sidebar_current: 'docs-builders-amazon-instance'
---

# AMI Builder (instance-store)

Type: `amazon-instance`

The `amazon-instance` Packer builder is able to create Amazon AMIs backed by instance storage as the root device. For more information on the difference between instance storage and EBS-backed instances, see the ["storage for the root device" section in the EC2 documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html#storage-for-the-root-device).

This builder builds an AMI by launching an EC2 instance from an existing instance-storage backed AMI, provisioning that running machine, and then bundling and creating a new AMI from that machine. This is all done in your own AWS account. This builder will create temporary key pairs, security group rules, etc. that provide it temporary access to the instance while the image is being created. This simplifies configuration quite a bit.

This builder does *not* manage AMIs. Once it creates an AMI and stores it in your account, it is up to you to use, delete, etc. the AMI.

-> **Note:** Temporary resources are, by default, all created with the prefix `packer`. This can be useful if you want to restrict the security groups and key pairs Packer is able to operate on.

-> **Note:** This builder requires that the [Amazon EC2 AMI Tools](https://aws.amazon.com/developertools/368) are installed onto the machine. This can be done within a provisioner, but must be done before the builder finishes running.

~> Instance builds are not supported for Windows. Use [`amazon-ebs`](amazon-ebs.html) instead.

## Configuration Reference

There are many configuration options available for this builder. They are segmented below into two categories: required and optional parameters. Within each category, the available configuration keys are alphabetized.

In addition to the options listed here, a [communicator](/docs/templates/communicator.html) can be configured for this builder.

### Required:

- `access_key` (string) - The access key used to communicate with AWS. [Learn how to set this.](/docs/builders/amazon.html#specifying-amazon-credentials)

- `account_id` (string) - Your AWS account ID. This is required for bundling the AMI. This is *not the same* as the access key. You can find your account ID in the security credentials page of your AWS account.

- `ami_name` (string) - The name of the resulting AMI that will appear when managing AMIs in the AWS console or via APIs. This must be unique. To help make this unique, use a function like `timestamp` (see [configuration templates](/docs/templates/engine.html) for more info).

- `instance_type` (string) - The EC2 instance type to use while building the AMI, such as `m1.small`.

- `region` (string) - The name of the region, such as `us-east-1`, in which to launch the EC2 instance to create the AMI.

- `s3_bucket` (string) - The name of the S3 bucket to upload the AMI to. This bucket will be created if it doesn't exist.

- `secret_key` (string) - The secret key used to communicate with AWS. [Learn how to set this.](/docs/builders/amazon.html#specifying-amazon-credentials)

- `source_ami` (string) - The initial AMI used as a base for the newly created machine.
- `x509_cert_path` (string) - The local path to a valid X509 certificate for your AWS account. This is used for bundling the AMI. This X509 certificate must be registered with your account from the security credentials page in the AWS console.

- `x509_key_path` (string) - The local path to the private key for the X509 certificate specified by `x509_cert_path`. This is used for bundling the AMI.

### Optional:

- `ami_block_device_mappings` (array of block device mappings) - Add one or more [block device mappings](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html) to the AMI. These will be attached when booting a new instance from your AMI. To add a block device during the Packer build see `launch_block_device_mappings` below. Your options here may vary depending on the type of VM you use. The block device mappings allow for the following configuration:

    - `delete_on_termination` (boolean) - Indicates whether the EBS volume is deleted on instance termination. Default `false`. **NOTE**: If this value is not explicitly set to `true` and volumes are not cleaned up by an alternative method, additional volumes will accumulate after every build.

    - `device_name` (string) - The device name exposed to the instance (for example, `/dev/sdh` or `xvdh`). Required for every device in the block device mapping.

    - `encrypted` (boolean) - Indicates whether to encrypt the volume or not.

    - `iops` (number) - The number of I/O operations per second (IOPS) that the volume supports. See the documentation on [IOPs](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html) for more information.

    - `no_device` (boolean) - Suppresses the specified device included in the block device mapping of the AMI.

    - `snapshot_id` (string) - The ID of the snapshot.

    - `virtual_name` (string) - The virtual device name. See the documentation on [Block Device Mapping](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_BlockDeviceMapping.html) for more information.

    - `volume_size` (number) - The size of the volume, in GiB. Required if not specifying a `snapshot_id`.

    - `volume_type` (string) - The volume type. `gp2` for General Purpose (SSD) volumes, `io1` for Provisioned IOPS (SSD) volumes, and `standard` for Magnetic volumes.

- `ami_description` (string) - The description to set for the resulting AMI(s). By default this description is empty. This is a [template engine](/docs/templates/engine.html), see [Build template data](#build-template-data) for more information.

- `ami_groups` (array of strings) - A list of groups that have access to launch the resulting AMI(s). By default no groups have permission to launch the AMI. `all` will make the AMI publicly accessible. AWS currently doesn't accept any value other than `all`.

- `ami_product_codes` (array of strings) - A list of product codes to associate with the AMI. By default no product codes are associated with the AMI.

- `ami_regions` (array of strings) - A list of regions to copy the AMI to. Tags and attributes are copied along with the AMI. AMI copying takes time depending on the size of the AMI, but will generally take many minutes.

- `ami_users` (array of strings) - A list of account IDs that have access to launch the resulting AMI(s). By default no additional users other than the user creating the AMI have permission to launch it.

- `ami_virtualization_type` (string) - The type of virtualization for the AMI you are building. This option is required to register HVM images. Can be `paravirtual` (default) or `hvm`.

- `associate_public_ip_address` (boolean) - If using a non-default VPC, public IP addresses are not provided by default. If this is toggled, your new instance will get a public IP.

- `availability_zone` (string) - Destination availability zone to launch the instance in. Leave this empty to allow Amazon to auto-assign.

- `block_duration_minutes` (int64) - Requires `spot_price` to be set. The required duration for the Spot Instances (also known as Spot blocks). This value must be a multiple of 60 (60, 120, 180, 240, 300, or 360). You can't specify an Availability Zone group or a launch group if you specify a duration.

- `bundle_destination` (string) - The directory on the running instance where the bundled AMI will be saved prior to uploading. By default this is `/tmp`. This directory must exist and be writable.

- `bundle_prefix` (string) - The prefix for files created from bundling the root volume. By default this is `image-{{timestamp}}`. The `timestamp` variable should be used to make sure this is unique, otherwise it can collide with other AMIs created by Packer in your account.

- `bundle_upload_command` (string) - The command to use to upload the bundled volume. See the "custom bundle commands" section below for more information.

- `bundle_vol_command` (string) - The command to use to bundle the volume. See the "custom bundle commands" section below for more information.

- `custom_endpoint_ec2` (string) - This option is useful if you use a cloud provider whose API is compatible with AWS EC2. Specify another endpoint like this: `https://ec2.custom.endpoint.com`.

- `decode_authorization_messages` (boolean) - Enable automatic decoding of any encoded authorization (error) messages using the `sts:DecodeAuthorizationMessage` API. Note: requires that the effective user/role have permission to call `sts:DecodeAuthorizationMessage` on resource `*`. Default `false`.

- `ebs_optimized` (boolean) - Mark instance as [EBS Optimized](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSOptimized.html). Default `false`.

- `ena_support` (boolean) - Enable enhanced networking (ENA but not SriovNetSupport) on HVM-compatible AMIs. If set, add `ec2:ModifyInstanceAttribute` to your AWS IAM policy. If false, this will disable enhanced networking in the final AMI as opposed to passing the setting through unchanged from the source. Note: you must make sure enhanced networking is enabled on your instance. See [Amazon's documentation on enabling enhanced networking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html#enabling_enhanced_networking).

- `enable_t2_unlimited` (boolean) - Enabling T2 Unlimited allows the source instance to burst additional CPU beyond its available [CPU Credits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/t2-credits-baseline-concepts.html) for as long as the demand exists. This is in contrast to the standard configuration that only allows an instance to consume up to its available CPU Credits. See the AWS documentation for [T2 Unlimited](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/t2-unlimited.html) and the 'T2 Unlimited Pricing' section of the [Amazon EC2 On-Demand Pricing](https://aws.amazon.com/ec2/pricing/on-demand/) document for more information.

    By default this option is disabled and Packer will set up a [T2 Standard](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/t2-std.html) instance instead.

    To use T2 Unlimited you must use a T2 instance type, e.g. `t2.micro`. Additionally, T2 Unlimited cannot be used in conjunction with Spot Instances, e.g. when the `spot_price` option has been configured. Attempting to do so will cause an error.

    !> **Warning!** Additional costs may be incurred by enabling T2 Unlimited, even for instances that would usually qualify for the [AWS Free Tier](https://aws.amazon.com/free/).

- `force_deregister` (boolean) - Force Packer to first deregister an existing AMI if one with the same name already exists. Defaults to `false`.

- `force_delete_snapshot` (boolean) - Force Packer to delete snapshots associated with AMIs which have been deregistered by `force_deregister`. Defaults to `false`.

- `iam_instance_profile` (string) - The name of an [IAM instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/instance-profiles.html) to launch the EC2 instance with.

- `launch_block_device_mappings` (array of block device mappings) - Add one or more block devices before the Packer build starts. If you add instance store volumes or EBS volumes in addition to the root device volume, the created AMI will contain block device mapping information for those volumes. Amazon creates snapshots of the source instance's root volume and any other EBS volumes described here. When you launch an instance from this new AMI, the instance automatically launches with these additional volumes, and will restore them from snapshots taken from the source instance.

- `mfa_code` (string) - The MFA [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) code. This should probably be a user variable since it changes all the time.
- `profile` (string) - The profile to use in the shared credentials file for AWS. See Amazon's documentation on [specifying profiles](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-profiles) for more details.

- `region_kms_key_ids` (map of strings) - A map of regions to copy the AMI to, along with the custom KMS key ID (alias or ARN) to use for encryption in that region. Keys must match the regions provided in `ami_regions`. If you just want to encrypt using a default ID, you can stick with `kms_key_id` and `ami_regions`. If you want a region to be encrypted with that region's default key ID, you can use an empty string `""` instead of a key ID in this map (e.g. `"us-east-1": ""`). However, you cannot use default key IDs if you are using this in conjunction with `snapshot_users`; in that situation you must use custom keys. For valid formats see _KmsKeyId_ in the [AWS API docs - CopyImage](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CopyImage.html).

- `run_tags` (object of key/value strings) - Tags to apply to the instance that is *launched* to create the AMI. These tags are *not* applied to the resulting AMI unless they're duplicated in `tags`. This is a [template engine](/docs/templates/engine.html), see [Build template data](#build-template-data) for more information.

- `security_group_id` (string) - The ID (*not* the name) of the security group to assign to the instance. By default this is not set and Packer will automatically create a new temporary security group to allow SSH access. Note that if this is specified, you must be sure the security group allows access to the `ssh_port` given below.

- `security_group_ids` (array of strings) - A list of security groups as described above. Note that if this is specified, you must omit the `security_group_id`.

- `security_group_filter` (object) - Filters used to populate the `security_group_ids` field. Example:

    ``` json
    {
      "security_group_filter": {
        "filters": {
          "tag:Class": "packer"
        }
      }
    }
    ```

    This selects the security groups with tag `Class` set to the value `packer`.

    - `filters` (map of strings) - Filters used to select the `security_group_ids`. Any filter described in the docs for [DescribeSecurityGroups](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) is valid.

    `security_group_ids` takes precedence over this.

- `skip_region_validation` (boolean) - Set to true if you want to skip validation of the region configuration option. Defaults to `false`.

- `snapshot_groups` (array of strings) - A list of groups that have access to create volumes from the snapshot(s). By default no groups have permission to create volumes from the snapshot(s). `all` will make the snapshot publicly accessible.

- `snapshot_users` (array of strings) - A list of account IDs that have access to create volumes from the snapshot(s). By default no additional users other than the user creating the AMI have permission to create volumes from the backing snapshot(s).

- `source_ami_filter` (object) - Filters used to populate the `source_ami` field. Example:

    ``` json
    {
      "source_ami_filter": {
        "filters": {
          "virtualization-type": "hvm",
          "name": "ubuntu/images/*ubuntu-xenial-16.04-amd64-server-*",
          "root-device-type": "ebs"
        },
        "owners": ["099720109477"],
        "most_recent": true
      }
    }
    ```

    This selects the most recent Ubuntu 16.04 HVM EBS AMI from Canonical. NOTE: This will fail unless *exactly* one AMI is returned. In the above example, `most_recent` will cause this to succeed by selecting the newest image.

    - `filters` (map of strings) - Filters used to select a `source_ami`. NOTE: This will fail unless *exactly* one AMI is returned. Any filter described in the docs for [DescribeImages](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImages.html) is valid.

    - `owners` (array of strings) - Filters the images by their owner. You may specify one or more AWS account IDs, "self" (which will use the account whose credentials you are using to run Packer), or an AWS owner alias: for example, "amazon", "aws-marketplace", or "microsoft". This option is required for security reasons.

    - `most_recent` (boolean) - Selects the newest created image when true. This is most useful for selecting a daily distro build.

    You may set this in place of `source_ami` or in conjunction with it. If you set this in conjunction with `source_ami`, the `source_ami` will be added to the filter. The provided `source_ami` must meet all of the filtering criteria provided in `source_ami_filter`; this pins the AMI returned by the filter, but will cause Packer to fail if the `source_ami` does not exist.

- `snapshot_tags` (object of key/value strings) - Tags to apply to the snapshot. They will override AMI tags if already applied to the snapshot.

- `spot_price` (string) - The maximum hourly price to launch a spot instance to create the AMI. A spot instance is a type of instance that EC2 starts when the maximum price you specify exceeds the current spot price. The spot price will be updated based on available spot instance capacity and current spot instance requests. It may save you some costs. You can set this to `auto` for Packer to automatically discover the best spot price or to `0` to use an on-demand instance (default).

- `spot_price_auto_product` (string) - Required if `spot_price` is set to `auto`. This tells Packer what sort of AMI you're launching to find the best spot price. This must be one of: `Linux/UNIX`, `SUSE Linux`, `Windows`, `Linux/UNIX (Amazon VPC)`, `SUSE Linux (Amazon VPC)`, `Windows (Amazon VPC)`.

- `spot_tags` (object of key/value strings) - Requires `spot_price` to be set. This tells Packer to apply tags to the spot request that is issued.

- `sriov_support` (boolean) - Enable enhanced networking (SriovNetSupport but not ENA) on HVM-compatible AMIs. If true, add `ec2:ModifyInstanceAttribute` to your AWS IAM policy. Note: you must make sure enhanced networking is enabled on your instance. See [Amazon's documentation on enabling enhanced networking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html#enabling_enhanced_networking). Default `false`.

- `ssh_keypair_name` (string) - If specified, this is the key that will be used for SSH with the machine. The key must match a key pair name loaded up into Amazon EC2. By default, this is blank, and Packer will generate a temporary key pair unless [`ssh_password`](/docs/templates/communicator.html#ssh_password) is used. [`ssh_private_key_file`](/docs/templates/communicator.html#ssh_private_key_file) or `ssh_agent_auth` must be specified when `ssh_keypair_name` is utilized.

- `ssh_agent_auth` (boolean) - If true, the local SSH agent will be used to authenticate connections to the source instance. No temporary key pair will be created, and the values of `ssh_password` and `ssh_private_key_file` will be ignored. To use this option with a key pair already configured in the source AMI, leave the `ssh_keypair_name` blank. To associate an existing key pair in AWS with the source instance, set the `ssh_keypair_name` field to the name of the key pair.

- `ssh_private_ip` (boolean) - No longer supported. See [`ssh_interface`](#ssh_interface). A fixer exists to migrate.
- `ssh_interface` (string) - One of `public_ip`, `private_ip`, `public_dns` or `private_dns`. If set, either the public IP address, private IP address, public DNS name or private DNS name will be used as the host for SSH. The default behaviour if inside a VPC is to use the public IP address if available, otherwise the private IP address will be used. If not in a VPC the public DNS name will be used. Also works for WinRM.

    Where Packer is configured for an outbound proxy but WinRM traffic should be direct, `ssh_interface` must be set to `private_dns` and `<region>.compute.internal` included in the `NO_PROXY` environment variable.

- `subnet_id` (string) - If using VPC, the ID of the subnet, such as `subnet-12345def`, where Packer will launch the EC2 instance. This field is required if you are using a non-default VPC.

- `subnet_filter` (object) - Filters used to populate the `subnet_id` field. Example:

    ``` json
    {
      "subnet_filter": {
        "filters": {
          "tag:Class": "build"
        },
        "most_free": true,
        "random": false
      }
    }
    ```

    This selects the Subnet with tag `Class` set to the value `build` which has the most free IP addresses. NOTE: This will fail unless *exactly* one Subnet is returned. By using `most_free` or `random` one will be selected from those matching the filter.

    - `filters` (map of strings) - Filters used to select a `subnet_id`. NOTE: This will fail unless *exactly* one Subnet is returned. Any filter described in the docs for [DescribeSubnets](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSubnets.html) is valid.

    - `most_free` (boolean) - The Subnet with the most free IPv4 addresses will be used if multiple Subnets match the filter.

    - `random` (boolean) - A random Subnet will be used if multiple Subnets match the filter. `most_free` has precedence over this.

    `subnet_id` takes precedence over this.

- `tags` (object of key/value strings) - Tags applied to the AMI. This is a [template engine](/docs/templates/engine.html), see [Build template data](#build-template-data) for more information.

- `temporary_key_pair_name` (string) - The name of the temporary key pair to generate. By default, Packer generates a name that looks like `packer_<UUID>`, where `<UUID>` is a 36 character unique identifier.

- `temporary_security_group_source_cidr` (string) - An IPv4 CIDR block to be authorized access to the instance, when Packer is creating a temporary security group. The default is `0.0.0.0/0` (i.e., allow any IPv4 source). This is only used when `security_group_id` or `security_group_ids` is not specified.

- `user_data` (string) - User data to apply when launching the instance. Note that you need to be careful about escaping characters due to the templates being JSON. It is often more convenient to use `user_data_file` instead.

- `user_data_file` (string) - Path to a file that will be used for the user data when launching the instance.

- `vpc_id` (string) - If launching into a VPC subnet, Packer needs the VPC ID in order to create a temporary security group within the VPC. Requires `subnet_id` to be set. If this field is left blank, Packer will try to get the VPC ID from the `subnet_id`.

- `vpc_filter` (object) - Filters used to populate the `vpc_id` field. Example:

    ``` json
    {
      "vpc_filter": {
        "filters": {
          "tag:Class": "build",
          "isDefault": "false",
          "cidr": "/24"
        }
      }
    }
    ```

    This selects the VPC with tag `Class` set to the value `build`, which is not the default VPC, and has an IPv4 CIDR block of `/24`. NOTE: This will fail unless *exactly* one VPC is returned.

    - `filters` (map of strings) - Filters used to select a `vpc_id`. NOTE: This will fail unless *exactly* one VPC is returned. Any filter described in the docs for [DescribeVpcs](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcs.html) is valid.

    `vpc_id` takes precedence over this.

- `x509_upload_path` (string) - The path on the remote machine where the X509 certificate will be uploaded. This path must already exist and be writable. X509 certificates are uploaded after provisioning is run, so it is perfectly okay to create this directory as part of the provisioning process. Defaults to `/tmp`.

- `windows_password_timeout` (string) - The timeout for waiting for a Windows password for Windows instances. Defaults to 20 minutes. Example value: `10m`.

## Basic Example

Here is a basic example. It is completely valid except for the access keys:

``` json
{
  "type": "amazon-instance",
  "access_key": "YOUR KEY HERE",
  "secret_key": "YOUR SECRET KEY HERE",
  "region": "us-east-1",
  "source_ami": "ami-d9d6a6b0",
  "instance_type": "m1.small",
  "ssh_username": "ubuntu",

  "account_id": "0123-4567-0890",
  "s3_bucket": "packer-images",
  "x509_cert_path": "x509.cert",
  "x509_key_path": "x509.key",
  "x509_upload_path": "/tmp",

  "ami_name": "packer-quick-start {{timestamp}}"
}
```

-> **Note:** Packer can also read the access key and secret access key from environment variables. See the configuration reference in the section above for more information on what environment variables Packer will look for.

## Accessing the Instance to Debug

If you need to access the instance to debug for some reason, run this builder with the `-debug` flag. In debug mode, the Amazon builder will save the private key in the current directory and will output the DNS or IP information as well. You can use this information to access the instance as it is running.
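Added example, not part of the Packer documentation or of Packer itself: a Python check that reads an `amazon-instance` template such as the basic example above and flags the settings this reference calls out, namely literal `access_key`/`secret_key`/`mfa_code` values instead of user variables, the temporary security group left at its `0.0.0.0/0` default, a `source_ami_filter` without `owners` (or one that may match several images), `all` in `ami_groups`/`snapshot_groups`, and `ssh_keypair_name` without a private key or agent. The two embedded templates, the finding codes and the `203.0.113.0/24` CIDR are constructed for this example.

```python
"""Audit amazon-instance Packer templates (JSON) for the settings this reference
warns about. Finding codes are constructed for this example, not Packer's own."""
import json
import re
from typing import Dict, List

# Constructed sample: the page's basic example wrapped in a "builders" array.
BASIC_TEMPLATE = """{"builders": [{
  "type": "amazon-instance",
  "access_key": "YOUR KEY HERE", "secret_key": "YOUR SECRET KEY HERE",
  "region": "us-east-1", "source_ami": "ami-d9d6a6b0", "instance_type": "m1.small",
  "ssh_username": "ubuntu", "account_id": "0123-4567-0890", "s3_bucket": "packer-images",
  "x509_cert_path": "x509.cert", "x509_key_path": "x509.key", "x509_upload_path": "/tmp",
  "ami_name": "packer-quick-start {{timestamp}}"
}]}"""

# Constructed sample: the same build with credentials in user variables, a pinned
# image owner, and the temporary security group limited to one (constructed) CIDR.
HARDENED_TEMPLATE = """{"variables": {"aws_access_key": "", "aws_secret_key": ""},
 "builders": [{
  "type": "amazon-instance",
  "access_key": "{{user `aws_access_key`}}", "secret_key": "{{user `aws_secret_key`}}",
  "region": "us-east-1", "instance_type": "m1.small", "ssh_username": "ubuntu",
  "source_ami_filter": {
    "filters": {"virtualization-type": "hvm", "root-device-type": "instance-store",
                "name": "ubuntu/images/*ubuntu-xenial-16.04-amd64-server-*"},
    "owners": ["099720109477"], "most_recent": true},
  "temporary_security_group_source_cidr": "203.0.113.0/24",
  "account_id": "0123-4567-0890", "s3_bucket": "packer-images",
  "x509_cert_path": "x509.cert", "x509_key_path": "x509.key",
  "ami_name": "packer-quick-start {{timestamp}}"
}]}"""

# A {{user `x`}} or {{env `X`}} reference means the value is not baked into the template.
TEMPLATE_REF = re.compile(r"\{\{\s*(user|env)\b")


def _is_template_ref(value) -> bool:
    return isinstance(value, str) and TEMPLATE_REF.search(value) is not None


def audit_builder(b: Dict) -> List[str]:
    """Return finding codes for one amazon-instance builder block."""
    findings: List[str] = []
    # Credentials and the MFA code belong in user variables or the environment,
    # not as literals in a template that ends up in version control.
    for key in ("access_key", "secret_key", "mfa_code"):
        if key in b and not _is_template_ref(b[key]):
            findings.append(f"literal-{key}")
    # security_group_id and security_group_ids are mutually exclusive.
    has_sg = "security_group_id" in b or "security_group_ids" in b
    if "security_group_id" in b and "security_group_ids" in b:
        findings.append("both-security-group-keys")
    # With no security group given, Packer creates a temporary one whose
    # source CIDR defaults to 0.0.0.0/0, so any IPv4 address can reach ssh_port.
    cidr = b.get("temporary_security_group_source_cidr", "0.0.0.0/0")
    if not has_sg and cidr == "0.0.0.0/0":
        findings.append("temporary-sg-open-to-any-ipv4")
    # owners is required so a name filter cannot be satisfied by an image from
    # an arbitrary account; without most_recent or a pinned source_ami, a filter
    # that matches several images makes the build fail.
    f = b.get("source_ami_filter")
    if f is not None:
        if not f.get("owners"):
            findings.append("source-ami-filter-without-owners")
        if not f.get("most_recent") and "source_ami" not in b:
            findings.append("source-ami-filter-may-match-many")
    # "all" publishes the AMI or its snapshots to every AWS account.
    for key in ("ami_groups", "snapshot_groups"):
        if "all" in (b.get(key) or []):
            findings.append(f"public-{key}")
    # ssh_keypair_name needs ssh_private_key_file or ssh_agent_auth to be usable.
    if b.get("ssh_keypair_name") and not (b.get("ssh_private_key_file") or b.get("ssh_agent_auth")):
        findings.append("keypair-name-without-private-key-or-agent")
    return findings


def audit_template(text: str) -> Dict[int, List[str]]:
    """Audit every amazon-instance builder in a JSON template, keyed by builder index."""
    doc = json.loads(text)
    return {i: audit_builder(b) for i, b in enumerate(doc.get("builders", []))
            if b.get("type") == "amazon-instance"}


if __name__ == "__main__":
    for name, text in (("basic", BASIC_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name, audit_template(text))
```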
## Build template data

In configuration directives marked as a template engine above, the following variables are available:

- `BuildRegion` - The region (for example `eu-central-1`) where Packer is building the AMI.
- `SourceAMI` - The source AMI ID (for example `ami-a2412fcd`) used to build the AMI.
- `SourceAMIName` - The source AMI Name (for example `ubuntu/images/ebs-ssd/ubuntu-xenial-16.04-amd64-server-20180306`) used to build the AMI.
- `SourceAMITags` - The source AMI Tags, as a `map[string]string` object.

## Custom Bundle Commands

A lot of the process required for creating an instance-store backed AMI involves commands being run on the actual source instance. Specifically, the `ec2-bundle-vol` and `ec2-upload-bundle` commands must be used to bundle the root filesystem and upload it, respectively.

Each of these commands has a lot of available flags. Instead of exposing each possible flag as a template configuration option, the instance-store AMI builder for Packer lets you customize the entire command used to bundle and upload the AMI.

These are configured with `bundle_vol_command` and `bundle_upload_command`. Both of these configurations are [configuration templates](/docs/templates/engine.html) and have support for their own set of template variables.

### Bundle Volume Command

The default value for `bundle_vol_command` is shown below. It is split across multiple lines for convenience of reading. The bundle volume command is responsible for executing `ec2-bundle-vol` in order to store an image of the root filesystem to use to create the AMI.

``` text
sudo -i -n ec2-bundle-vol \
  -k {{.KeyPath}} \
  -u {{.AccountId}} \
  -c {{.CertPath}} \
  -r {{.Architecture}} \
  -e {{.PrivatePath}}/* \
  -d {{.Destination}} \
  -p {{.Prefix}} \
  --batch \
  --no-filter
```

The available template variables should be self-explanatory based on the parameters they're used to satisfy in the `ec2-bundle-vol` command.

~> **Warning!** Some versions of ec2-bundle-vol silently ignore all .pem and .gpg files during the bundling of the AMI, which can cause problems on some systems, such as Ubuntu. You may want to customize the bundle volume command to include those files (see the `--no-filter` option of `ec2-bundle-vol`).

### Bundle Upload Command

The default value for `bundle_upload_command` is shown below. It is split across multiple lines for convenience of reading. Access key and secret key are omitted if using an instance profile. The bundle upload command is responsible for taking the bundled volume and uploading it to S3.

``` text
sudo -i -n ec2-upload-bundle \
  -b {{.BucketName}} \
  -m {{.ManifestPath}} \
  -a {{.AccessKey}} \
  -s {{.SecretKey}} \
  -d {{.BundleDirectory}} \
  --batch \
  --region {{.Region}} \
  --retry
```

The available template variables should be self-explanatory based on the parameters they're used to satisfy in the `ec2-upload-bundle` command. Additionally, `{{.Token}}` is available when overriding this command. You must create your own bundle command with the addition of `-t {{.Token}}` if you are assuming a role.

#### Bundle Upload Permissions

The `ec2-upload-bundle` command requires a policy document that looks something like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:PutObjectAcl"
      ],
      "Resource": "*"
    }
  ]
}
```

You may wish to constrain the resource to a specific bucket.
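Added example, not from the Packer documentation or from the EC2 AMI tools: a Python function that rewrites the policy above with its `Resource` constrained to one bucket, splitting the bucket-level actions (`s3:ListBucket`, `s3:GetBucketLocation`, evaluated against the bucket ARN) from the object-level ones (evaluated against `bucket/key` ARNs), plus a deliberately simplified Allow-only evaluator to compare the reach of the two policies. The bucket name `packer-images` is the page's; the `bundles` prefix and `another-bucket` are constructed, and the evaluator ignores Deny, Condition, NotAction and NotResource.

```python
"""Narrow the ec2-upload-bundle policy from this page to one bucket and compare
its reach with the Resource "*" version (Allow-only evaluation, a simplification)."""
import re
from typing import Dict, List

# The page's policy, as shown above, kept for comparison.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket",
                   "s3:GetBucketLocation", "s3:PutObjectAcl"],
        "Resource": "*",
    }],
}

# The same actions split by the ARN IAM evaluates them against: bucket-level
# actions match the bucket ARN, object-level actions match bucket/key ARNs.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:PutObjectAcl"]


def upload_bundle_policy(bucket: str, prefix: str = "") -> Dict:
    """Same permissions, constrained to `bucket` (and optionally a key prefix in it)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key_prefix = prefix.strip("/") + "/" if prefix.strip("/") else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": bucket_arn},
            {"Effect": "Allow", "Action": OBJECT_ACTIONS,
             "Resource": f"{bucket_arn}/{key_prefix}*"},
        ],
    }


def _iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' spans any characters, '?' one; case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def allows(policy: Dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both the action and the resource ARN."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        action_ok = any(_iam_match(a, action) for a in _as_list(st.get("Action", [])))
        resource_ok = any(_iam_match(r, resource) for r in _as_list(st.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def wildcard_allow_actions(policy: Dict) -> List[str]:
    """Actions granted by Allow statements whose Resource is the bare '*'."""
    return [a for st in policy["Statement"]
            if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Resource", []))
            for a in _as_list(st.get("Action", []))]


if __name__ == "__main__":
    scoped = upload_bundle_policy("packer-images", "bundles")
    other = "arn:aws:s3:::another-bucket/secret.txt"   # constructed, not in the page
    print("page policy reads other bucket:  ", allows(PAGE_POLICY, "s3:GetObject", other))
    print("scoped policy reads other bucket:", allows(scoped, "s3:GetObject", other))
```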