open-nomad/e2e/terraform/packer/windows-2016-amd64/userdata.ps1
Tim Gross 9f05d62338
E2E with HCP Consul/Vault (#12267)
Use HCP Consul and HCP Vault for the Consul and Vault clusters used in E2E testing. This has the following benefits:

* Without the need to support mTLS bootstrapping for Consul and Vault, we can simplify the mTLS configuration by leaning on Terraform instead of janky bash shell scripting.
* Vault bootstrapping is no longer required, so we can eliminate even more janky shell scripting
* Our E2E exercises HCP, which is important to us as an organization
* With the reduction in configurability, we can simplify the Terraform configuration and drop the complicated `provision.sh`/`provision.ps1` scripts we were using previously. We can template Nomad configuration files and upload them with the `file` provisioner.
* Packer builds for Linux and Windows become much simpler.

tl;dr way less janky shell scripting!
2022-03-18 09:27:28 -04:00

135 lines
4.6 KiB
PowerShell
Executable file

<powershell>
Set-StrictMode -Version latest
$ErrorActionPreference = "Stop"
$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
if (!$RunningAsAdmin) {
Write-Error "Must be executed in Administrator level shell."
exit 1
}
# Force TLS1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Write-Output "Running User Data Script"
Write-Host "(host) Running User Data Script"
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"
# -------------------------------------------
# WinRM
# Remove HTTP listener
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
$Cert = New-SelfSignedCertificate `
-CertstoreLocation Cert:\LocalMachine\My `
-DnsName "packer"
New-Item `
-Path WSMan:\LocalHost\Listener `
-Transport HTTPS `
-Address * `
-CertificateThumbPrint $Cert.Thumbprint `
-Force
Write-output "Setting up WinRM"
Write-host "(host) setting up WinRM"
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm
# -------------------------------------------
# Disks and Directories
# Bring ebs volume online with read-write access
Get-Disk | Where-Object IsOffline -Eq $True | Set-Disk -IsOffline $False
Get-Disk | Where-Object isReadOnly -Eq $True | Set-Disk -IsReadOnly $False
New-Item -ItemType Directory -Force -Path C:\opt -ErrorAction Stop
# -------------------------------------------
# SSH
Try {
# install portable SSH instead of the Windows feature because we
# need to target 2016
$repo = "https://github.com/PowerShell/Win32-OpenSSH"
$version = "v8.0.0.0p1-Beta"
$url = "${repo}/releases/download/${version}/OpenSSH-Win64.zip"
# TODO: check sha!
Write-Output "Downloading OpenSSH from: $url"
Invoke-WebRequest -Uri $url -Outfile "OpenSSH-Win64.zip" -ErrorAction Stop
Expand-Archive ".\OpenSSH-Win64.zip" "C:\Program Files" -ErrorAction Stop
Rename-Item -Path "C:\Program Files\OpenSSH-Win64" -NewName "OpenSSH" -ErrorAction Stop
& "C:\Program Files\OpenSSH\install-sshd.ps1"
# Start the service
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic' -ErrorAction Stop
Start-Service ssh-agent
Set-Service -Name ssh-agent -StartupType 'Automatic' -ErrorAction Stop
# Enable host firewall rule if it doesn't exist
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' `
-Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -ErrorAction Stop
# Note: there appears to be a regression in recent versions of
# Terraform for file provisioning over ssh for Windows with
# powershell as the default shell
# See: https://github.com/hashicorp/terraform/issues/30661
#
# Set powershell as the OpenSSH login shell
# New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" `
# -Name DefaultShell `
# -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
# -PropertyType String -Force -ErrorAction Stop
Write-Output "Installed OpenSSH."
} Catch {
Write-Output "Failed to install OpenSSH."
Write-Output $_
$host.SetShouldExit(-1)
throw
}
md "C:\Users\Administrator\.ssh\"
$myKey = "C:\Users\Administrator\.ssh\authorized_keys"
$adminKey = "C:\ProgramData\ssh\administrators_authorized_keys"
Invoke-RestMethod `
-Uri "http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key" `
-Outfile $myKey
cp $myKey $adminKey
icacls $adminKey /reset
icacls $adminKey /inheritance:r
icacls $adminKey /grant BUILTIN\Administrators:`(F`)
icacls $adminKey /grant SYSTEM:`(F`)
</powershell>