HCL2: Confusing or incomplete subnet_filter, ami_filter, security_group_filter, source_ami_filter, and vpc_filter

[jlindsey]

Overview of the Issue

When attempting to translate an existing JSON build configuration into the HCL2 syntax, I have a builders block in the old style like so:

builders": [
    {
        "name": "base-ubuntu",
        "type": "amazon-ebs",
        "ami_name": "rhm/ubuntu/base-{{timestamp}}",

         // ...

        "subnet_filter": {
            "filters": {
                "tag:Name": "gateway-vpc-private*"
            },
            "random": true
        }

        // ...
]

But it is unclear how to translate the subnet_filter block, as : is not a valid HCL2 identifier character and identifiers cannot be quoted.

Reproduction Steps

1. Create an HCL2 configuration as in the example below
2. Attempt to run packer build on it

Packer version

Packer v1.5.1

Simplified Packer Buildfile

Example

source "amazon-ebs" "base-ubuntu" {
  ami_name      = "rhm/ubuntu/base-${timestamp}"
  ami_users     = ["xxx"]
  region        = "us-east-1"
  instance_type = "m5.large"
  ebs_optimized = true
  ena_support   = true

  source_ami_filter {
    owners      = ["099720109477"]
    most_recent = true

    filters {
      virtualization-type = "hvm"
      name                = "ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"
      root-device-type    = "ebs"
    }
  }

  communicator     = "ssh"
  ssh_username     = "ubuntu"
  ssh_keypair_name = "gateway"
  ssh_agent_auth   = true
  ssh_interface    = "private_ip"

  subnet_filter {
    random = true
    filters {
      "tag:Name" = "gateway-vpc-private*"
    }
  }

  tags {
    Name     = "Ubuntu Base"
    Packer   = "true"
    BuiltAt  = "${isotime}"
    Platform = "Ubuntu"
    Release  = "18.04"
  }
}

build {
  sources = ["source.amazon-ebs.base-ubuntu"]

  provisioner "ansible" {
    playbook_file = "${pwd}/ansible/base.yml"
    galaxy_file   = "${pwd}/ansible/requirements.yml"
    groups        = ["base"]

    extra_arguments = [
      "--vault-password-file",
      ".vault-password",
    ]
  }
}

Operating system and Environment details

screenfetch

 OS: 64bit Mac OS X 10.15.2 19C57
 Kernel: x86_64 Darwin 19.2.0
 Uptime: 1d 12m
 Packages: 130
 Shell: zsh 5.7.1
 Resolution: 1920x1080 ,1080x1920
 DE: Aqua
 WM: Quartz Compositor
 WM Theme: Blue
 Disk: 11G / 251G (19%)
 CPU: Intel Core i7-9750H @ 2.60GHz
 GPU: Intel UHD Graphics 630 / Radeon Pro 555X
 RAM: 8944MiB / 16384MiB

Log Fragments and crash.log files

With example as above:

2020/02/03 09:26:42 [INFO] Packer version: 1.5.1 [go1.13.5 darwin amd64]
2020/02/03 09:26:42 Attempting to open config file: /Users/jlindsey/.packerconfig
2020/02/03 09:26:42 [WARN] Config file doesn't exist: /Users/jlindsey/.packerconfig
2020/02/03 09:26:42 Setting cache directory: /Users/jlindsey/projects/packer/packer_cache

Error: Invalid argument name
  on builds/base.pkr.hcl line 29, in source "amazon-ebs" "base-ubuntu":

  29:       "tag:Name" = "gateway-vpc-private*"

Argument names must not be quoted.

2020/02/03 09:26:42 Build debug mode: false
2020/02/03 09:26:42 Force build: false
2020/02/03 09:26:42 On error:
2020/02/03 09:26:42 Waiting on builds to complete...
==> Builds finished but no artifacts were created.
2020/02/03 09:26:42 [INFO] (telemetry) Finalizing.
  on builds/base.pkr.hcl line 29, in source "amazon-ebs" "base-ubuntu":
  29:       "tag:Name" = "gateway-vpc-private*"

Argument names must not be quoted.



==> Builds finished but no artifacts were created.
2020/02/03 09:26:43 waiting for all plugin processes to complete...

[sylviamoss]

Hi @jlindsey! Thanks for reaching out.
You're right. This type of field like the subnet_filter is failing to parser and we need to implement it correctly. We’ll take a look when we get a chance for the next release.

[drakedevel]

This also applies to all the other _filter parameters: ami_filter, security_group_filter, source_ami_filter, and vpc_filter.

In addition to those, this also applies everywhere where tags are set -- EC2 permits lots more characters in tag keys/values than are permitted for HCL block parameters. It's relatively common to namespace tags with a domain name (like kubernetes.io/cluster/<name>), as well, and in that particular example, it'd be useful to be able to substitute a variable into a tag key (also impossible with blocks).

Grepping builder/amazon for BlockAttrsSpec, it seems like pretty much every instance is broken (in the sense that it prevents a user from doing something reasonable), with the exception of region_kms_key_ids (although even for that, a map value seems like it would be better, so it can be supplied as a variable).

It seems to me like the best strategy would probably be to mirror Terraform's syntax for these. Filters look like this (docs):

data "aws_subnet" "selected" {
  filter {
    name   = "tag:Name"
    values = ["Main"]
  }
}

(This also permits filtering for multiple values on the same tag!)

Setting tags looks like this (docs):

resource "aws_subnet" "main" {
  ...
  tags = {
    Name = "Main"
  }
}

[azr]

Hello there I have opened #8889 to solve this; basically the PR allows for singular repeatable blocks to solve this, for example:

tags {
  key = value
}

#becomes

tag {
  name = "foo:something"
  value = "bar:baz"
}

We keep the old way around for retrocompat.

Please tell us wether this fixed it for you ( binaries are here )

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.