builder.google:

* make CustomerEncryptionKey our own type so that it can be hcl2 generated
* make Account setting unexported so that it doesn't temper with HCL2 generation ( the field is set a bit later after processing )

builder/googlecompute/builder.go

@@ -36,7 +36,7 @@ func (b *Builder) Prepare(raws ...interface{}) ([]string, error) {
 // representing a GCE machine image.
 func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (packer.Artifact, error) {
 	driver, err := NewDriverGCE(
-		ui, b.config.ProjectId, b.config.Account, b.config.VaultGCPOauthEngine)
+		ui, b.config.ProjectId, b.config.account, b.config.VaultGCPOauthEngine)
 	if err != nil {
 		return nil, err
 	}

builder/googlecompute/config.go

@@ -72,7 +72,7 @@ type Config struct {
 	//     "kmsKeyName": "projects/${project}/locations/${region}/keyRings/computeEngine/cryptoKeys/computeEngine/cryptoKeyVersions/4"
 	//  }
 	//  ```
-	ImageEncryptionKey *compute.CustomerEncryptionKey `mapstructure:"image_encryption_key" required:"false"`
+	ImageEncryptionKey *CustomerEncryptionKey `mapstructure:"image_encryption_key" required:"false"`
 	// The name of the image family to which the resulting image belongs. You
 	// can create disks by specifying an image family instead of a specific
 	// image name. The image family always returns its latest image that is not
@@ -181,7 +181,7 @@ type Config struct {
 	// Example: "us-central1-a"
 	Zone string `mapstructure:"zone" required:"true"`
 
-	Account            *jwt.Config
+	account            *jwt.Config
 	stateTimeout       time.Duration
 	imageAlreadyExists bool
 	ctx                interpolate.Context
@@ -344,7 +344,7 @@ func NewConfig(raws ...interface{}) (*Config, []string, error) {
 		if err != nil {
 			errs = packer.MultiErrorAppend(errs, err)
 		}
-		c.Account = cfg
+		c.account = cfg
 	}
 
 	if c.OmitExternalIP && c.Address != "" {
@@ -391,3 +391,23 @@ func (c *Config) CalcTimeout() error {
 	c.stateTimeout = stateTimeout
 	return nil
 }
+
+type CustomerEncryptionKey struct {
+	// KmsKeyName: The name of the encryption key that is stored in Google
+	// Cloud KMS.
+	KmsKeyName string `json:"kmsKeyName,omitempty"`
+
+	// RawKey: Specifies a 256-bit customer-supplied encryption key, encoded
+	// in RFC 4648 base64 to either encrypt or decrypt this resource.
+	RawKey string `json:"rawKey,omitempty"`
+}
+
+func (k *CustomerEncryptionKey) ComputeType() *compute.CustomerEncryptionKey {
+	if k == nil {
+		return nil
+	}
+	return &compute.CustomerEncryptionKey{
+		KmsKeyName: k.KmsKeyName,
+		RawKey:     k.RawKey,
+	}
+}

builder/googlecompute/step_create_image.go

@@ -40,7 +40,7 @@ func (s *StepCreateImage) Run(ctx context.Context, state multistep.StateBag) mul
 
 	imageCh, errCh := driver.CreateImage(
 		config.ImageName, config.ImageDescription, config.ImageFamily, config.Zone,
-		config.DiskName, config.ImageLabels, config.ImageLicenses, config.ImageEncryptionKey)
+		config.DiskName, config.ImageLabels, config.ImageLicenses, config.ImageEncryptionKey.ComputeType())
 	var err error
 	select {
 	case err = <-errCh:

builder/googlecompute/step_create_image_test.go

@@ -47,7 +47,7 @@ func TestStepCreateImage(t *testing.T) {
 	assert.Equal(t, d.CreateImageDisk, c.DiskName, "Incorrect disk passed to driver.")
 	assert.Equal(t, d.CreateImageLabels, c.ImageLabels, "Incorrect image_labels passed to driver.")
 	assert.Equal(t, d.CreateImageLicenses, c.ImageLicenses, "Incorrect image_licenses passed to driver.")
-	assert.Equal(t, d.CreateImageEncryptionKey, c.ImageEncryptionKey, "Incorrect image_encryption_key passed to driver.")
+	assert.Equal(t, d.CreateImageEncryptionKey, c.ImageEncryptionKey.ComputeType(), "Incorrect image_encryption_key passed to driver.")
 }
 
 func TestStepCreateImage_errorOnChannel(t *testing.T) {

builder/googlecompute/step_create_windows_password.go

@@ -56,8 +56,8 @@ func (s *StepCreateWindowsPassword) Run(ctx context.Context, state multistep.Sta
 	binary.BigEndian.PutUint32(buf, uint32(priv.E))
 
 	email := ""
-	if c.Account != nil {
-		email = c.Account.Email
+	if c.account != nil {
+		email = c.account.Email
 	}
 
 	data := WindowsPasswordConfig{