How to Build an AWS EC2 Machine Image (AMI) With Packer

A step-by-step guide on how to build an AWS EC2 Machine Image (AMI) with Packer

An Amazon Machine Image (AMI) is a supported and maintained image provided by AWS that provides the information required to launch an instance. You must specify an AMI when you launch an instance. You can launch multiple instances from a single AMI when you require multiple instances with the same configuration. You can use different AMIs to launch instances when you require instances with different configurations.

An AMI provides the information required to launch an instance, which may include the base operating system, application dependencies, and other required runtime libraries.

An AMI includes the following:

  • One or more Amazon Elastic Block Store (Amazon EBS) snapshots, or, for instance-store-backed AMIs, a template for the root volume of the instance (for example, an operating system, an application server, and applications).
  • Launch permissions that control which AWS accounts can use the AMI to launch instances.
  • A block device mapping that specifies the volumes to attach to the instance when it’s launched.

What is Packer?

Packer is a free and open source tool for creating golden images for multiple platforms from a single source configuration. It is lightweight, runs on every major operating system, and is highly performant, creating machine images for multiple platforms in parallel. It is made by HashiCorp and builds identical machine images for multiple platforms from a single JSON config file. It gives you the flexibility to build a custom AMI for use on the AWS EC2 platform.

What are Packer provisioners?

Provisioners are components of Packer that install and configure software within a running machine before that machine is turned into a static image. They perform the major work of making the image contain useful software. Example provisioners include shell scripts, Ansible, Chef, Puppet, etc.

Ensure Packer is installed

Since we are using Packer, we have to make sure that it is installed before proceeding.

If you are an Ubuntu user, use these commands to install Packer:

curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install packer

If you are using a RHEL-based OS such as Rocky Linux or AlmaLinux:

sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
sudo yum -y install packer

If you are using macOS or the Homebrew package manager, use these commands to install:

brew tap hashicorp/tap
brew install hashicorp/tap/packer

For other operating systems, check out the Packer downloads page.

Create a Packer project

Create a project directory and switch to it:

mkdir packer
cd packer

Under the project, create a folder called scripts that we will use for our provisioner:

mkdir scripts

This is my current directory structure:

$ tree packer

packer
└── scripts

2 directories, 0 files

Creating Packer templates

Packer reads its configuration from either a JSON or an HCL file. In this guide, we are going to create our configuration template in JSON. We are going to define variables, builders and provisioners.

Let us create an example nginx web server. Open a webserver.json template file using your favourite text editor. I am using vim in my case:

vim webserver.json

Add this content to the file:

{
    "variables": {
        "name_prefix": "webserver",
        "aws_region": "{{env `AWS_REGION`}}",
        "subnet_id": "subnet-xxxxx",
        "vpc_id": "vpc-xxxxx"
    },
    "builders": [{
        "type": "amazon-ebs",
        "region": "{{user `aws_region`}}",
        "instance_type": "t2.micro",
        "ssh_username": "rocky",
        "subnet_id": "{{user `subnet_id`}}",
        "vpc_id": "{{user `vpc_id`}}",
        "ami_name": "{{user `name_prefix`}}-v{{isotime \"200601021504\"}}",
        "ami_description": "Citizix Web Server Image",
        "associate_public_ip_address": "true",
        "ami_block_device_mappings" : [
            {
                "device_name" : "/dev/sda1",
                "volume_size" : "8",
                "delete_on_termination" : true
            }
        ],
        "source_ami_filter": {
            "filters": {
                "name": "Rocky-8-*.x86_64-*"
            },
            "owners": ["aws-marketplace"],
            "most_recent": true
        }
    }],
    "provisioners": [
        {
            "type": "shell",
            "scripts": [
                "scripts/webserver.sh"
            ]
        }
    ]
}

Under the variables key, set the required variables. In my case I am setting the image name prefix, the AWS region (which is obtained from the environment variable AWS_REGION), the subnet ID and the VPC ID.

Under the builders key, set the AWS properties for the source image and the name of the image to build. The source_ami_filter selects the most recent Rocky Linux image to use for the build. Consult the AMI Builder documentation for more details.

In the provisioners section, provide the paths to the scripts to be executed during the build. In my case, I am defining a script in scripts/webserver.sh.

Create provisioner scripts

Finally, let us define the script that will be executed when the AMI is being built. In our case, since we want to set up nginx to serve basic content, we will install nginx and create a hello world file to be served.

Open the script file with your text editor:

sudo vim scripts/webserver.sh

Add this content to the file:

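#!/bin/bash -xe

# Apply all pending package updates to the base image
sudo dnf -y update

# Switch SELinux to permissive mode, now and across reboots
sudo setenforce 0
sudo sed -i 's/^SELINUX=.*$/SELINUX=permissive/' /etc/selinux/config

# Extra repository and common utilities
sudo dnf install -y epel-release
sudo dnf install -y vim wget curl telnet htop

sudo dnf install -y nginx

# Create the test page that nginx will serve
sudo bash -c "cat > /usr/share/nginx/html/hello.html <<EOC
Hello world from Citizix.
EOC"

# Enable nginx at boot so instances launched from the AMI serve the page, and start it now
sudo systemctl enable --now nginx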

Run the Packer build

First ensure that you are logged in to AWS. I have a profile called citizix where I have added my credentials. The commands below set the AWS region and make the citizix profile active.

export AWS_REGION=eu-west-1
export AWS_PROFILE=citizix

Next, let us build our AMI. We can save the build log to build-artifact.log so we can refer to it in the future.

packer build -machine-readable webserver.json | tee build-artifact.log

Once done with provisioning, Packer will stop and destroy the temporary instance it used, then create an AMI. The AMI ID is printed at the end.
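The saved machine-readable log can be parsed to recover the AMI ID, and to notice a build that produced no image. The script below is an added example, not part of the original article; the function names are hypothetical, and the sample log lines and AMI ID are constructed placeholders that follow Packer's `timestamp,target,type,data...` machine-readable layout.

```shell
#!/bin/sh
# Added example: pull "region ami-id" pairs out of a
# `packer build -machine-readable` log such as build-artifact.log.

# Constructed sample log (not real build output); the AMI ID is a placeholder.
sample_log() {
cat <<'EOF'
1653000001,,ui,say,==> amazon-ebs: Creating temporary keypair
1653000900,amazon-ebs,artifact-count,1
1653000900,amazon-ebs,artifact,0,builder-id,mitchellh.amazonebs
1653000900,amazon-ebs,artifact,0,id,eu-west-1:ami-0123456789abcdef0
1653000900,amazon-ebs,artifact,0,end
EOF
}

# Print one "region ami-id" line per image found in the log (file argument or
# stdin). Returns 1 when the log holds no artifact id, for example because the
# build failed before an image was registered.
ami_ids_from_log() {
  awk -F, '
    $3 == "artifact" && $5 == "id" {
      # Multi-region builds join region:ami pairs with an escaped comma.
      gsub(/%!\(PACKER_COMMA\)/, " ", $6)
      n = split($6, pairs, " ")
      for (i = 1; i <= n; i++) {
        # Accept only well-formed region:ami-<hex> pairs.
        if (split(pairs[i], kv, ":") == 2 && kv[2] ~ /^ami-[0-9a-f]+$/) {
          print kv[1], kv[2]
          found++
        }
      }
    }
    END { exit (found ? 0 : 1) }
  ' "$@"
}

# Demo on the constructed sample; on a real build, pass build-artifact.log.
sample_log | ami_ids_from_log
```

Because the exit status of `packer build ... | tee build-artifact.log` is that of tee, not Packer, a non-zero return from `ami_ids_from_log build-artifact.log` (or running the pipeline under `set -o pipefail` in bash) is how a script notices a failed build.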

Testing the created AMI

In this section, I’ll use Terraform to provision a new instance from the AMI we built. The same can be done from the AWS console.

Before proceeding, ensure that you have Terraform installed. Confirm with this command:

$ terraform --version

Terraform v1.2.0
on darwin_arm64

Create the Terraform project directory.

mkdir terraform

We query for the latest AMI matching the webserver AMI we created, then use it. Add this content to main.tf.

provider "aws" {
  region = "eu-west-1"
}

data "aws_ami" "web" {
  most_recent = true
  owners      = ["self"]

  filter {
    name   = "name"
    values = ["webserver-*"]
  }

  filter {
    name   = "root-device-type"
    values = ["ebs"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}

module "ec2-instance" {
  source                      = "terraform-aws-modules/ec2-instance/aws"
  version                     = "~> 4.0"
  name                        = "test-webserver-instance"
  ami                         = data.aws_ami.web.id
  associate_public_ip_address = true
  disable_api_termination     = false
  instance_type               = "t3.small"
  key_name                    = "id_citizix"
  monitoring                  = true
  subnet_id                   = "subnet-xxxxxx"

  vpc_security_group_ids = [
    aws_security_group.ec2-instance-sg.id
  ]

  root_block_device = [
    {
      volume_size           = 30
      volume_type           = "gp2"
      delete_on_termination = true
    },
  ]
}

resource "aws_security_group" "ec2-instance-sg" {
  name        = "test-webserver-instance-sg"
  description = "Test webserver instance SG "
  vpc_id      = "vpc-xxxxxxx"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

output "public-ip" {
  value = module.ec2-instance.public_ip
}

The next step is to create the resources using Terraform. Initialize Terraform using this command:

terraform init

Show an execution plan.

terraform plan

Finally, apply the changes. You will be shown the execution plan, then prompted to confirm the changes by typing yes.

terraform apply

The new instance will be created and its public IP will be shown as part of the outputs. You can also see it in the AWS console.

To confirm that our provisioner is working, visit http://server_ip/hello.html.

Once you are done with the test, you should delete the resources to avoid incurring costs. To destroy your test infrastructure, run this command:

terraform destroy

Conclusion

In this guide we learnt how to use Packer to package an AWS AMI with the help of a script provisioner.

Last updated on Jan 20, 2025 22:20 +0300
Citizix Ltd