From 3eed6fd5084ba8c34174313c898563b7823e97d1 Mon Sep 17 00:00:00 2001
From: poida
Date: Tue, 18 Oct 2016 23:30:38 +1100
Subject: [PATCH] Added KMS CMK support to EBS builder

Added the 'kms_key_id' parameter. This supports supplying a customer master key (CMK) when encrypting the EBS volume. The parameter is optional and only takes effect when 'encrypted' is true. When 'encrypted' is true but 'kms_key_id' is missing the 'aws/ebs' key will be used.
---
 builder/amazon/common/ami_config.go | 1 +
 builder/amazon/ebs/step_encrypted_ami.go | 9 +++++++++
 website/source/docs/builders/amazon-ebs.html.md | 2 ++
 3 files changed, 12 insertions(+)

diff --git a/builder/amazon/common/ami_config.go b/builder/amazon/common/ami_config.go
index c59653863..fa442cb5c 100644
--- a/builder/amazon/common/ami_config.go
+++ b/builder/amazon/common/ami_config.go
@@ -21,6 +21,7 @@ type AMIConfig struct {
 	AMIForceDeregister bool `mapstructure:"force_deregister"`
 	AMIForceDeleteSnapshot bool `mapstructure:"force_delete_snapshot"`
 	AMIEncryptBootVolume bool `mapstructure:"encrypt_boot"`
+	AMIKmsKeyId string `mapstructure:"kms_key_id"`
 	SnapshotTags map[string]string `mapstructure:"snapshot_tags"`
 }
diff --git a/builder/amazon/ebs/step_encrypted_ami.go b/builder/amazon/ebs/step_encrypted_ami.go
index f51b944bc..8ab84e8e1 100644
--- a/builder/amazon/ebs/step_encrypted_ami.go
+++ b/builder/amazon/ebs/step_encrypted_ami.go
@@ -18,9 +18,13 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
 	config := state.Get("config").(Config)
 	ec2conn := state.Get("ec2").(*ec2.EC2)
 	ui := state.Get("ui").(packer.Ui)
+	kmsKeyId := config.AMIConfig.AMIKmsKeyId
 	// Encrypt boot not set, so skip step
 	if !config.AMIConfig.AMIEncryptBootVolume {
+		if kmsKeyId != "" {
+			ui.Say(fmt.Sprintf("Ignoring KMS Key ID: %s, encrypted=false", kmsKeyId))
+		}
 		return multistep.ActionContinue
 	}
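Review bot: The new `AMIKmsKeyId` field in the ami_config.go hunk has no doc comment, and nothing in the struct tells a reader that it is ignored unless `AMIEncryptBootVolume` is also set. Suggest `// AMIKmsKeyId selects the KMS key for the encrypted AMI copy; only used when AMIEncryptBootVolume (encrypt_boot) is true.` above the field. If AMIConfig has a Prepare or validation method elsewhere in this file, warning or failing there on `kms_key_id` without `encrypt_boot` would surface the misconfiguration before any AWS call is made, rather than at run time. Go naming convention would spell the initialism `AMIKmsKeyID`, though the AWS-SDK-style names around it make that a judgment call.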
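Review bot: The message `Ignoring KMS Key ID: %s, encrypted=false` in the step_encrypted_ami.go hunk names the wrong option: the condition tested is `!config.AMIConfig.AMIEncryptBootVolume`, whose mapstructure tag is `encrypt_boot`, so a user reading the message will look for an `encrypted` setting that is not the one being checked. Suggest `ui.Say(fmt.Sprintf("Ignoring kms_key_id %q: encrypt_boot is false", kmsKeyId))`, using `%q` so an odd or whitespace-laden value is visible in the log. Run starts before this hunk and continues after it.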
@@ -36,11 +40,16 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
 	ui.Say(fmt.Sprintf("Copying AMI: %s(%s)", region, id))
+	if kmsKeyId != "" {
+		ui.Say(fmt.Sprintf("Encypting with KMS Key ID: %s", kmsKeyId))
+	}
+
 	copyOpts := &ec2.CopyImageInput{
 		Name: &config.AMIName, // Try to overwrite existing AMI
 		SourceImageId: aws.String(id),
 		SourceRegion: aws.String(region),
 		Encrypted: aws.Bool(true),
+		KmsKeyId: aws.String(kmsKeyId),
 	}
 	copyResp, err := ec2conn.CopyImage(copyOpts)
diff --git a/website/source/docs/builders/amazon-ebs.html.md b/website/source/docs/builders/amazon-ebs.html.md
index 92e366e0e..0a656c19f 100644
--- a/website/source/docs/builders/amazon-ebs.html.md
+++ b/website/source/docs/builders/amazon-ebs.html.md
@@ -77,6 +77,8 @@ builder.
 - `encrypted` (boolean) - Indicates whether to encrypt the volume or not
+ - `kms_key_id` (string) - The ID of the KMS key to use for volume encryption
+
 - `iops` (integer) - The number of I/O operations per second (IOPS) that the volume supports. See the documentation on [IOPs](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html)
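Review bot: `KmsKeyId: aws.String(kmsKeyId)` is set unconditionally, so when no key is configured the CopyImage request carries an explicit empty KmsKeyId instead of omitting the field; whether EC2 then falls back to the aws/ebs key, as the commit description promises, or rejects the parameter is not established by anything in this hunk and should be verified, because an empty string on the wire is a different request from a nil field. Safer is to drop the field from the literal and set it only inside the `if kmsKeyId != ""` block that already exists two lines above: `copyOpts.KmsKeyId = aws.String(kmsKeyId)` placed after the literal, which keeps the unset case byte-identical to the pre-change request. The user-facing string `Encypting with KMS Key ID` is misspelled and should read `Encrypting`; `%q` rather than `%s` would also make a malformed key value visible in the log. Run starts before this hunk and continues after it.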