This article is a quick guide for adding a Microsoft Windows template to use with your Amazon AWS EC2 deployment. It is part of the Getting Started with Workspot article series.
Create the Workspot Template
Initial Template Creation
Create a Windows 10 VM in a virtualized environment such as Hyper-V using ISO image
Install all the latest updates on the VM.
Export the VHD of the Windows 10 VM.
Upload the VHD template to AWS
Upload VHD to AWS S3 bucket using AWS CLI (command line interface). Install AWS CLI in the local machine if needed.
Connect to your AWS account:
aws --version
aws configure
AWS commands to create a S3 bucket and upload VHD to the bucket:
aws s3 mb s3://workspotbucket
aws s3 ls
aws s3 cp win10_21h2_vm.vhd s3://workspotbucket
Create an AMI with the uploaded VHD
Configuration JSON files will be used from the local machine to create an AMI from VHD.
VM Import/Export requires a role to perform certain operations on your behalf. You must create a service role named vmimport with a trust relationship policy document that allows VM Import/Export to assume the role, and you must attach an IAM policy to the role.
To create the service role:
Create a file named trust-policy.json on your computer. Add the following policy to the file:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "vmie.amazonaws.com" },
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals":{
"sts:Externalid": "vmimport"
}
}
}
]
}Use the create-role command to create a role named vmimport and grant VM Import/Export access to it. Ensure that you specify the full path to the location of the trust-policy.json file that you created in the previous step, and that you include the file:// prefix as shown the following example:
aws iam create-role --role-name vmimport --assume-role-policy-document "file://C:\import\trust-policy.json"
Create a file named role-policy.json with the following policy, where disk-image-file-bucket is the bucket for disk images:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<disk-image-file-bucket>",
"arn:aws:s3:::<disk-image-file-bucket>/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:ModifySnapshotAttribute",
"ec2:CopySnapshot",
"ec2:RegisterImage",
"ec2:Describe*"
],
"Resource": "*"
}
]
}Use the following put-role-policy command to attach the policy to the role created above. Ensure that you specify the full path to the location of the role-policy.json file.
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://C:\import\role-policy.json"
The following is an example container.json file that specifies the image using a URL in Amazon S3.
[
{
"Description": " My Win10 Enterprise",
"Format": "vhd",
"Url": "s3://my-import-bucket/vms/my-win10-vm.vhd "
}
]Import an image using the below command which creates an AMI:
aws ec2 import-image --description "My server VM" --disk-containers "file://C:\import\containers.json"
The Following JSON files were created in our AWS EC2 implementation.
AWS commands which were run to create the AMI:
Create-role vmimport command, however vmimport role already exist for this AWS account.
Put-role-policy command
Create AMI import image command
AMI image conversion progress command (with import task id)
Create a Template EC2 Instance VM
On the AWS Management Console, create a Template EC2 Instance VM (cs-ec2-win10-template) with the custom AMI.
Ensure that tags are allowed in instance metadata for the EC2 instance and that the Metadata Version is set to “Select” or “V1 and V2” (which are equivalent). “V2 Only” will not work.
Note: Do this step before installing the Workspot Agent. The Workspot agent installation will leverage the instance metadata to capture template details.
Metadata settings in the Instance’s “Advanced Details”
Sign into Template EC2 Instance and Install Workspot Agent
Sign into the Template EC2 instance through utility server.
Download and install the Workspot Agent as described in Workspot Desktop Agent Installation and Configuration.
Configure through WorkspotConfigEditor or configure the Agent XML file with appropriate domain join values.
Install the custom applications, run optimization scripts, and install latest windows patches.
Shutdown the EC2 instance.
Create an AMI VM image
Create an AMI image from the EC2 instance with SAME NAME as the Template EC2 instance VM.
Note: The new AMI name must match the template EC2 instance name because Workspot Control queries the AMI list for this name.
Register in Workspot Control using “Setup > Cloud > cloudname > Register Template.”
