session_manager is a new feature; the docs have an example with Linux but not Windows.
By default all official Windows AMIs use the local user ssm-user.
I attempted to use this config but it's not working:
```json
"ssh_interface": "session_manager",
"ssh_username": "ssm-user",
"communicator": "ssh"
```
```
==> amazon-ebs: Waiting for SSH to become available...
2020/06/17 17:46:24 packer-builder-amazon-ebs plugin: [DEBUG] TCP connection to SSH ip/port failed: dial tcp 127.0.0.1:8819: connect: connection refused
2020/06/17 17:46:24 packer-builder-amazon-ebs plugin: [DEBUG] session-manager-plugin:
2020/06/17 17:46:24 packer-builder-amazon-ebs plugin: [DEBUG] session-manager-plugin:
2020/06/17 17:46:24 packer-builder-amazon-ebs plugin: [DEBUG] session-manager-plugin: Starting session with SessionId: 1592430244929284000-052144e3691790fef
2020/06/17 17:46:24 packer-builder-amazon-ebs plugin: [DEBUG] session-manager-plugin:
2020/06/17 17:46:29 packer-builder-amazon-ebs plugin: [DEBUG] TCP connection to SSH ip/port failed: dial tcp 127.0.0.1:8819: connect: connection refused
2020/06/17 17:46:34 packer-builder-amazon-ebs plugin: [DEBUG] TCP connection to SSH ip/port failed: dial tcp 127.0.0.1:8819: connect: connection refused
2020/06/17 17:46:39 packer-builder-amazon-ebs plugin: [DEBUG] TCP connection to SSH ip/port failed: dial tcp 127.0.0.1:8819: connect: connection refused
2020/06/17 17:46:40 packer-builder-amazon-ebs plugin: [DEBUG] session-manager-plugin:
2020/06/17 17:46:40 packer-builder-amazon-ebs plugin: [DEBUG] session-manager-plugin:
2020/06/17 17:46:40 packer-builder-amazon-ebs plugin: [DEBUG] session-manager-plugin: SessionId: 1592430244929284000-052144e3691790fef :
2020/06/17 17:46:40 packer-builder-amazon-ebs plugin: [DEBUG] session-manager-plugin: ----------ERROR-------
2020/06/17 17:46:40 packer-builder-amazon-ebs plugin: [DEBUG] session-manager-plugin: Encountered error while initiating handshake. Handshake timed out. Please ensure that you have the latest version of the session manager plugin.
2020/06/17 17:46:40 packer-builder-amazon-ebs plugin: [DEBUG] session-manager-plugin:
2020/06/17 17:46:44 packer-builder-amazon-ebs plugin: [DEBUG] TCP connection to SSH ip/port failed: dial tcp 127.0.0.1:8819: connect: connection refused
2020/06/17 17:46:49 packer-builder-amazon-ebs plugin: [DEBUG] TCP connection to SSH ip/port failed: dial tcp 127.0.0.1:8819: connect: connection refused
2020/06/17 17:46:54 packer-builder-amazon-ebs plugin: [DEBUG] TCP connection to SSH ip/port failed: dial tcp 127.0.0.1:8819: connect: connection refused
2020/06/17 17:46:59 packer-builder-amazon-ebs plugin: [DEBUG] TCP connection to SSH ip/port failed: dial tcp 127.0.0.1:8819: connect: connection refused
2020/06/17 17:47:04 packer-builder-amazon-ebs plugin: [DEBUG] TCP connection to SSH ip/port failed: dial tcp 127.0.0.1:8819: connect: connection refused
```
Thanks for reaching out! In order to help you, we need a complete, but minimal template that will help us reproduce the issue, and a little more information on what you're doing.
Packer via SSM with Windows in general works for me. See https://gist.github.com/pascal-hofmann/53e9f417e843384563f428dadcb3fd27 for an example.
Be aware of #9442 though.
OK, I think this can be closed because I didn't fully understand.
Will there be SSM support for WinRM? Or some way of running the SSM provisioner for Windows _without_ a custom bootstrap script?
Perhaps the docs could include a note about how session_manager only supports SSH, and that to use SSH on Windows you need (:sad-face:) a convoluted bootstrap script to get that set up.
SSM provides no built-in way to do this? I can SSM to an instance via the AWS CLI and send it commands without having to configure SSH on the EC2 instance. Why does Packer require this extra setup?
Hi @red8888 thanks for reaching out. I think a guide for using Session Manager with Windows is a nice idea; I'll create a separate issue for that. As for WinRM I updated the documentation to indicate that WinRM is not currently supported - See https://github.com/hashicorp/packer/pull/9461
> Will there be SSM support for WinRM?
This is not something that is actively being worked on, but it is likely to be supported in the future. During the implementation of SSM support, WinRM connectivity was found to be unstable after making the initial connection (it would hang during provision time), so we decided to ship with SSH connectivity to start. I encourage you to open an enhancement issue for WinRM if SSH is not a viable option.
> to use SSH on Windows you need (:sad-face:) a convoluted bootstrap script to get that set up
> SSM provides no built-in way to do this?
To my knowledge this is not something SSM provides because the SSM agent does not rely on SSH for connectivity, which is a good segue into your last question.
> I can SSM to an instance via the AWS CLI and send it commands without having to configure SSH on the EC2 instance. Why does Packer require this extra setup?
We started looking into adding SSM as a Packer communicator to give a similar experience to that offered by the AWS CLI. But in testing we found two limitations that prevented us from writing such a communicator: no documentation for connecting to the SSM Web socket Interactive Shell endpoints, and no support for uploading files to an SSM instance without using an external service like S3. So we dropped the idea for a communicator and looked to other SSM capabilities.
The idea of leveraging SSM's tunneling capability to proxy Packer's existing communicators to the remote instances was the next best option, as it allows users to secure access to an instance using SSM while continuing to use Packer's Amazon builders, provisioners, and post-processors with little to no change. The caveat of course being that users would still have to run a service such as SSH to remotely access their EC2 instances.
I understand how the need for setting up SSH with SSM can be a bit confusing so please let us know if you have any other ideas or suggestions for helping improve the experience. I also want to mention that PRs are always welcomed. Cheers!
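
The explanation above means a Windows build instance must already be running an SSH server before Packer's Session Manager tunnel has anything to connect to. As an added example (not taken from this thread, the linked gist, or the Packer docs), here is a user-data script that sets that up. It assumes Windows Server 2019 or later, `Administrator` as the `ssh_username`, and that the build's key pair is readable from instance metadata.

```powershell
# Added example: bootstrap sshd on a Windows build instance so that the
# SSM port-forwarding tunnel has an SSH service to reach.
# Assumption: Windows Server 2019+ (OpenSSH Server is an optional capability).
$ErrorActionPreference = 'Stop'

# 1. Install and start the built-in OpenSSH server.
Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd   # first start creates %ProgramData%\ssh\sshd_config

# 2. Read the instance's public key from instance metadata using IMDSv2.
$imds  = 'http://169.254.169.254/latest'
$token = Invoke-RestMethod -Method Put -Uri "$imds/api/token" `
    -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
$pubKey = Invoke-RestMethod -Uri "$imds/meta-data/public-keys/0/openssh-key" `
    -Headers @{ 'X-aws-ec2-metadata-token' = $token }
if ([string]::IsNullOrWhiteSpace($pubKey)) {
    throw 'No public key found in instance metadata'
}

# 3. Authorize that key for members of the local Administrators group.
$authKeys = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
Set-Content -Path $authKeys -Value $pubKey.Trim() -Encoding ascii

# sshd rejects this file unless only Administrators and SYSTEM have access.
icacls.exe $authKeys /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' |
    Out-Null

# 4. Allow key-based logins only, then restart sshd to apply the change.
$cfg = Join-Path $env:ProgramData 'ssh\sshd_config'
(Get-Content $cfg) -replace '^#?\s*PasswordAuthentication\s+.*$',
                            'PasswordAuthentication no' |
    Set-Content -Path $cfg -Encoding ascii
Restart-Service -Name sshd
```

Wrap the script in `<powershell>` tags and pass it to the builder with `user_data_file`. The instance also needs an `iam_instance_profile` that permits Session Manager.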
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.