all in one ami

Author: t-aleksander

.github/workflows/ami.yml

@@ -0,0 +1,48 @@
+name: Build Defguard AMI
+
+on:
+  push:
+    tags:
+      - "ami_c-*_px-*_gw-*"
+
+jobs:
+  build-ami:
+    name: Build Defguard AMI
+    runs-on: [self-hosted, Linux, X64]
+
+    steps:
+      - name: Extract versions
+        id: versions
+        run: |
+          TAG="${GITHUB_REF#refs/tags/}"
+          CORE_VERSION=$(echo $TAG | sed 's/.*c-\([^_]*\).*/\1/')
+          PROXY_VERSION=$(echo $TAG | sed 's/.*px-\([^_]*\).*/\1/')
+          GATEWAY_VERSION=$(echo $TAG | sed 's/.*gw-\(.*\)/\1/')
+          echo "CORE_VERSION=$CORE_VERSION" >> $GITHUB_OUTPUT
+          echo "PROXY_VERSION=$PROXY_VERSION" >> $GITHUB_OUTPUT
+          echo "GATEWAY_VERSION=$GATEWAY_VERSION" >> $GITHUB_OUTPUT
+          echo "Core version: $CORE_VERSION"
+          echo "Proxy version: $PROXY_VERSION"
+          echo "Gateway version: $GATEWAY_VERSION"
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup `packer`
+        uses: hashicorp/setup-packer@main
+
+      - name: Run `packer init`
+        run: "packer init ./cloudformation/ami/defguard.pkr.hcl"
+
+      - name: Build AMI with `packer`
+        run: |
+          packer validate --var "core_version=${{ steps.versions.outputs.CORE_VERSION }}" \
+              --var "proxy_version=${{ steps.versions.outputs.PROXY_VERSION }}" \
+              --var "gateway_version=${{ steps.versions.outputs.GATEWAY_VERSION }}" \
+              ./cloudformation/ami/defguard.pkr.hcl
+          packer build --var "core_version=${{ steps.versions.outputs.CORE_VERSION }}" \
+              --var "proxy_version=${{ steps.versions.outputs.PROXY_VERSION }}" \
+              --var "gateway_version=${{ steps.versions.outputs.GATEWAY_VERSION }}" \
+              ./cloudformation/ami/defguard.pkr.hcl
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

.github/workflows/release.yml

@@ -4,7 +4,6 @@ on:
   push:
     branches:
       - main
-      - fix-gateway-chart
 
 jobs:
   release:

cloudformation/ami/defguard-install.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -e
+
+echo "Updating apt repositories..."
+sudo apt update
+
+echo "Installing dependencies..."
+sudo apt install -y ca-certificates curl
+
+echo "Adding Defguard GPG key..."
+sudo install -m 0755 -d /etc/apt/keyrings
+sudo curl -fsSL https://apt.defguard.net/defguard.asc -o /etc/apt/keyrings/defguard.asc
+sudo chmod a+r /etc/apt/keyrings/defguard.asc
+
+echo "Adding Defguard repository..."
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/defguard.asc] https://apt.defguard.net/ trixie release " | \
+   sudo tee /etc/apt/sources.list.d/defguard.list > /dev/null
+
+echo "Updating apt repositories after adding Defguard repo..."
+sudo apt update
+
+echo "Installing Defguard packages with specific versions..."
+echo "  defguard version: ${CORE_VERSION}"
+echo "  defguard-proxy version: ${PROXY_VERSION}"
+echo "  defguard-gateway version: ${GATEWAY_VERSION}"
+
+sudo apt install -y \
+  defguard=${CORE_VERSION} \
+  defguard-proxy=${PROXY_VERSION} \
+  defguard-gateway=${GATEWAY_VERSION}
+
+sudo systemctl stop defguard
+sudo systemctl disable defguard
+sudo systemctl stop defguard-proxy
+sudo systemctl disable defguard-proxy
+sudo systemctl stop defguard-gateway
+sudo systemctl disable defguard-gateway

cloudformation/ami/defguard.pkr.hcl

@@ -0,0 +1,70 @@
+packer {
+  required_plugins {
+    amazon = {
+      version = ">= 1.6.0"
+      source  = "github.com/hashicorp/amazon"
+    }
+  }
+}
+
+variable "core_version" {
+  type = string
+}
+
+variable "gateway_version" {
+  type = string
+}
+
+variable "proxy_version" {
+  type = string
+}
+
+variable "region" {
+  type    = string
+  default = "us-east-1"
+}
+
+variable "instance_type" {
+  type    = string
+  default = "t3.micro"
+}
+
+source "amazon-ebs" "defguard" {
+  ami_name      = "defguard-C-${var.core_version}-PX-${var.gateway_version}-GW-${var.proxy_version}-amd64"
+  instance_type = var.instance_type
+  region        = var.region
+  source_ami_filter {
+    filters = {
+      name                = "debian-13-amd64-*"
+      root-device-type    = "ebs"
+      virtualization-type = "hvm"
+    }
+    most_recent = true
+    owners      = ["136693071363"]
+  }
+  ssh_username = "admin"
+}
+
+build {
+  name = "defguard"
+  sources = [
+    "source.amazon-ebs.defguard"
+  ]
+
+  provisioner "shell" {
+    script = "./defguard-install.sh"
+    environment_vars = [
+      "CORE_VERSION=${var.core_version}",
+      "PROXY_VERSION=${var.proxy_version}",
+      "GATEWAY_VERSION=${var.gateway_version}"
+    ]
+  }
+
+  provisioner "shell" {
+    inline = ["rm /home/admin/.ssh/authorized_keys"]
+  }
+
+  provisioner "shell" {
+    inline = ["sudo rm /root/.ssh/authorized_keys"]
+  }
+}