lib/kitchen/driver/ec2.rb in kitchen-ec2-2.2.0 vs lib/kitchen/driver/ec2.rb in kitchen-ec2-2.2.1

- old
+ new

@@ -59,10 +59,11 @@ default_config :instance_type do |driver| driver.default_instance_type end default_config :ebs_optimized, false default_config :security_group_ids, nil + default_config :security_group_filter, nil default_config :tags, "created-by" => "test-kitchen" default_config :user_data do |driver| if driver.windows_os? driver.default_windows_user_data end @@ -208,11 +209,11 @@ should be minimal, but neither Test Kitchen nor its maintainers are responsible for your incurred costs. END # If no security group IDs are specified, create one automatically. - unless config[:security_group_ids] + unless config[:security_group_ids] || config[:security_group_filter] create_security_group(state) config[:security_group_ids] = [state[:auto_security_group_id]] end # If no SSH key pair name is specified, create one automatically. 
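Review bot: `default_config :security_group_filter, nil` carries no comment describing the expected value or how it interacts with `security_group_ids`, and the -208 hunk makes it a second reason to skip `create_security_group`, so a filter that matches no group presumably leaves `config[:security_group_ids]` nil at launch (the lookup that resolves the filter is outside these hunks). Because the auto-created group is skipped in that case, a clear validation error when the filter resolves to nothing would be preferable to whatever group the launch falls back to. Suggest documenting the option at the first hunk, e.g. `# Filter used to look up an existing security group; ignored when security_group_ids is set.` — provided that precedence matches what the lookup code implements.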
@@ -620,10 +621,40 @@ end instance.transport.connection(state).execute(cmd) end def default_windows_user_data + base_script = Kitchen::Util.outdent!(<<-EOH) + $OSVersion = (get-itemproperty -Path "HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" -Name ProductName).ProductName + If($OSVersion.contains('2016')) + { + $logfile='C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Log\\kitchen-ec2.log' + # EC2Launch doesn't init extra disks by default + C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Scripts\\InitializeDisks.ps1 + } + Else + { + $logfile='C:\\Program Files\\Amazon\\Ec2ConfigService\\Logs\\kitchen-ec2.log' + } + # Allow script execution + Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force + #PS Remoting and & winrm.cmd basic config + $enableArgs=@{Force=$true} + $command=Get-Command Enable-PSRemoting + if($command.Parameters.Keys -contains "skipnetworkprofilecheck"){ + $enableArgs.skipnetworkprofilecheck=$true + } + Enable-PSRemoting @enableArgs + & winrm.cmd set winrm/config '@{MaxTimeoutms="1800000"}' >> $logfile + & winrm.cmd set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}' >> $logfile + & winrm.cmd set winrm/config/winrs '@{MaxShellsPerUser="50"}' >> $logfile + & winrm.cmd set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}' >> $logfile + #Firewall Config + & netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" profile=public protocol=tcp localport=5985 remoteip=localsubnet new remoteip=any >> $logfile + Set-ItemProperty -Name LocalAccountTokenFilterPolicy -Path HKLM:\\software\\Microsoft\\Windows\\CurrentVersion\\Policies\\system -Value 1 + EOH + # Preparing custom static admin user if we defined something other than Administrator custom_admin_script = "" if !(instance.transport[:username] =~ /administrator/i) && instance.transport[:password] custom_admin_script = Kitchen::Util.outdent!(<<-EOH) "Disabling Complex Passwords" >> $logfile 
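Review bot: The EC2Launch branch is chosen by `If($OSVersion.contains('2016'))` on the ProductName string, so an EC2Launch-based image whose ProductName does not contain '2016' would take the Ec2ConfigService log path and skip InitializeDisks.ps1; testing for the script the branch depends on, `If (Test-Path 'C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Scripts\\InitializeDisks.ps1')`, ties the decision to the actual prerequisite. The `MaxMemoryPerShellMB="1024"` winrm line is issued twice in base_script; one copy can go. Since this block is now the shared baseline for every Windows instance, a comment stating that the netsh rule widens WinRM HTTP (5985) to `remoteip=any` at the host firewall and that `LocalAccountTokenFilterPolicy=1` relaxes remote UAC filtering for local accounts — so reachability rests entirely on the instance's security group — would make the operator's exposure explicit, which matters more now that `security_group_filter` can substitute a user-chosen group for the auto-created one. default_windows_user_data continues past the end of this hunk.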
@@ -640,39 +671,14 @@ "Adding $username to Administrators" >> $logfile & net.exe localgroup Administrators /add $username >> $logfile EOH end - if actual_platform.version =~ /2016/ - logfile_name = 'C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Log\\kitchen-ec2.log' - disk_init = 'C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Scripts\\InitializeDisks.ps1' - else - logfile_name = 'C:\\Program Files\\Amazon\\Ec2ConfigService\\Logs\\kitchen-ec2.log' - disk_init = "" - end # Returning the fully constructed PowerShell script to user_data Kitchen::Util.outdent!(<<-EOH) <powershell> - $logfile="#{logfile_name}" - # EC2Launch doesn't init extra disks by default - #{disk_init} - # Allow script execution - Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force - #PS Remoting and & winrm.cmd basic config - $enableArgs=@{Force=$true} - $command=Get-Command Enable-PSRemoting - if($command.Parameters.Keys -contains "skipnetworkprofilecheck"){ - $enableArgs.skipnetworkprofilecheck=$true - } - Enable-PSRemoting @enableArgs - & winrm.cmd set winrm/config '@{MaxTimeoutms="1800000"}' >> $logfile - & winrm.cmd set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}' >> $logfile - & winrm.cmd set winrm/config/winrs '@{MaxShellsPerUser="50"}' >> $logfile - & winrm.cmd set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}' >> $logfile - #Firewall Config - & netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" profile=public protocol=tcp localport=5985 remoteip=localsubnet new remoteip=any >> $logfile - Set-ItemProperty -Name LocalAccountTokenFilterPolicy -Path HKLM:\\software\\Microsoft\\Windows\\CurrentVersion\\Policies\\system -Value 1 + #{base_script} #{custom_admin_script} </powershell> EOH end 
@@ -762,9 +768,14 @@ (Etc.getlogin || "nologin").gsub(/\W/, ""), Socket.gethostname.gsub(/\W/, "")[0..20], Time.now.utc.iso8601, Array.new(8) { rand(36).to_s(36) }.join(""), ] + # In a perfect world this would generate the key locally and use ImportKey + # instead for better security, but given the use case that is very likely + # to rapidly exhaust local entropy by creating a lot of keys. So this is + # probably fine. If you want very high security, probably don't use this + # feature anyway. resp = ec2.client.create_key_pair(key_name: "kitchen-#{name_parts.join('-')}") state[:auto_key_id] = resp.key_name info("Created automatic key pair #{state[:auto_key_id]}") # Write the key out, but safely hence the weird sysopen. key_path = "#{config[:kitchen_root]}/.kitchen/#{instance.name}.pem"
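Review bot: The new comment justifies `create_key_pair` over ImportKey with local-entropy exhaustion, but the tradeoff worth recording is that the private key is generated by, and returned from, the EC2 API rather than never leaving the local host; the entropy argument is doubtful on current systems, where OpenSSL's RNG does not block on key generation. Suggest rewording to `# The private key is generated server-side and returned by create_key_pair; generating locally and using ImportKey would keep key material off the API path, but these are short-lived test keys.` The enclosing method starts before this hunk.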