DEV Community

Ari Kalfus
Ari Kalfus

Posted on

True CI/CD Pipeline for "Golden Image" AMIs

From a comment on the announcement article:

For this contest, you'll only be able to submit projects that you started after this announcement post was published.

Well, I guess I am disqualified. But, leaving this post up as a resource for anyone that may like it.

My Workflow

I have a process that creates custom AMIs as a "golden image" and provisions infrastructure using Terraform for custom penetration testing resources in AWS. This workflow can be used for any type of image, however!

I leverage Packer with Ansible provisioners to build an EC2 image, then have Packer freeze that server into an AMI image. I use Molecule and Terraform Plan (using a free Terraform Cloud account and Hashicorp's Terraform GitHub Action) to test PRs. Merges to main trigger Packer builds that create a new AMI in my AWS account. Terraform then runs and creates new infrastructure based off of the new AMI.

Submission Category:

DIY Deployments

Yaml File or Link to Code

The repo where this is all contained is:

GitHub logo artis3n / cloud-hackbox

Create custom AMIs with Packer and Ansible to enable rapid provisioning of offensive infrastructure in AWS using Terraform.


A repository to build and provision custom pentest resources in AWS.

GitHub Workflow Status GitHub Workflow Status GitHub last commit GitHub GitHub followers Twitter Follow

Supported hackboxes:

  • Kali Linux

Additional desired hackboxes:

  • ParrotOS


pip install pipenv
# Installs Terraform, Packer, and Pipenv dependencies (e.g. Ansible)
make install
# If you want to run Molecule tests
pipenv install --dev
# Set your AWS credentials
# If you have default or ephemeral credentials saved in ~/.aws/credentials you can forego these env vars
Enter fullscreen mode Exit fullscreen mode

Then choose a hackbox and follow the instructions to build and provision it.


Kali Linux AMI

Packer file: kali/kali-ami.json

Builds a Kali Linux AMI with the following:

  • Updates all packages on the system
  • Installs and configures a number of frequently used packages

This AMI also pre-configures UFW. The following UFW rules are pre-configured:

  • deny all incoming
  • allow all outgoing
  • enable ssh on tcp/22 with brute force mitigation (ufw limit)

Let's step through the 2 workflows I use for this smooth CI/CD process.


The CI workflow runs molecule to ensure any changes to the Ansible playbook for the AMI work and terraform to ensure any changes to that code results in the infrastructure that you expect. PRs must pass both checks before they can be merged.


In this workflow file, I build the new AMI with Packer and deploy it to my AWS account whenever new code is merged to main. I do not run Terraform afterward in this file because my use case is on-demand infrastructure in the future, but this can be accomplished with the following addition:

- name: Packer build
  run: packer build kali/kali-ami.json
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}

# New steps

- uses: hashicorp/setup-terraform@v1
      cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}

- name: Init
  run: cd kali/terraform && terraform init

- name: Provision
  run: cd kali/terraform && terraform apply -auto-approve
Enter fullscreen mode Exit fullscreen mode

We can be confident about the -auto-approve as we have reviewed any changes in the plan during the PR review process.

Additional Resources / Info

Top comments (0)