Merge pull request #4584 from mitchellh/chrootbootencrypt

builder/amazon-chroot: support encrypted boot volume

builder/amazon/chroot/builder.go

@@ -254,6 +254,11 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 		&StepRegisterAMI{
 			RootVolumeSize: b.config.RootVolumeSize,
 		},
+		&awscommon.StepCreateEncryptedAMICopy{
+			KeyID:             b.config.AMIKmsKeyId,
+			EncryptBootVolume: b.config.AMIEncryptBootVolume,
+			Name:              b.config.AMIName,
+		},
 		&awscommon.StepAMIRegionCopy{
 			AccessConfig: &b.config.AccessConfig,
 			Regions:      b.config.AMIRegions,

builder/amazon/common/step_encrypted_ami.go

@@ -1,4 +1,4 @@
-package ebs
+package common
 
 import (
 	"fmt"
@@ -7,22 +7,23 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/mitchellh/multistep"
-	awscommon "github.com/mitchellh/packer/builder/amazon/common"
 	"github.com/mitchellh/packer/packer"
 )
 
-type stepCreateEncryptedAMICopy struct {
-	image *ec2.Image
+type StepCreateEncryptedAMICopy struct {
+	image             *ec2.Image
+	KeyID             string
+	EncryptBootVolume bool
+	Name              string
 }
 
-func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.StepAction {
-	config := state.Get("config").(Config)
+func (s *StepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.StepAction {
 	ec2conn := state.Get("ec2").(*ec2.EC2)
 	ui := state.Get("ui").(packer.Ui)
-	kmsKeyId := config.AMIConfig.AMIKmsKeyId
+	kmsKeyId := s.KeyID
 
 	// Encrypt boot not set, so skip step
-	if !config.AMIConfig.AMIEncryptBootVolume {
+	if !s.EncryptBootVolume {
 		if kmsKeyId != "" {
 			log.Printf(fmt.Sprintf("Ignoring KMS Key ID: %s, encrypted=false", kmsKeyId))
 		}
@@ -46,7 +47,7 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
 	}
 
 	copyOpts := &ec2.CopyImageInput{
-		Name:          &config.AMIName, // Try to overwrite existing AMI
+		Name:          &s.Name, // Try to overwrite existing AMI
 		SourceImageId: aws.String(id),
 		SourceRegion:  aws.String(region),
 		Encrypted:     aws.Bool(true),
@@ -62,15 +63,15 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
 	}
 
 	// Wait for the copy to become ready
-	stateChange := awscommon.StateChangeConf{
+	stateChange := StateChangeConf{
 		Pending:   []string{"pending"},
 		Target:    "available",
-		Refresh:   awscommon.AMIStateRefreshFunc(ec2conn, *copyResp.ImageId),
+		Refresh:   AMIStateRefreshFunc(ec2conn, *copyResp.ImageId),
 		StepState: state,
 	}
 
 	ui.Say("Waiting for AMI copy to become ready...")
-	if _, err := awscommon.WaitForState(&stateChange); err != nil {
+	if _, err := WaitForState(&stateChange); err != nil {
 		err := fmt.Errorf("Error waiting for AMI Copy: %s", err)
 		state.Put("error", err)
 		ui.Error(err.Error())
@@ -146,7 +147,7 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
 	return multistep.ActionContinue
 }
 
-func (s *stepCreateEncryptedAMICopy) Cleanup(state multistep.StateBag) {
+func (s *StepCreateEncryptedAMICopy) Cleanup(state multistep.StateBag) {
 	if s.image == nil {
 		return
 	}

builder/amazon/ebs/builder.go

@@ -182,7 +182,11 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			AMIName:             b.config.AMIName,
 		},
 		&stepCreateAMI{},
-		&stepCreateEncryptedAMICopy{},
+		&awscommon.StepCreateEncryptedAMICopy{
+			KeyID:             b.config.AMIKmsKeyId,
+			EncryptBootVolume: b.config.AMIEncryptBootVolume,
+			Name:              b.config.AMIName,
+		},
 		&awscommon.StepAMIRegionCopy{
 			AccessConfig: &b.config.AccessConfig,
 			Regions:      b.config.AMIRegions,

website/source/docs/builders/amazon-chroot.html.md

@@ -131,6 +131,14 @@ each category, the available configuration keys are alphabetized.
 -   `force_delete_snapshot` (boolean) - Force Packer to delete snapshots associated with
     AMIs, which have been deregistered by `force_deregister`. Default `false`.
 
+-   `encrypt_boot` (boolean) - Instruct packer to automatically create a copy of the
+    AMI with an encrypted boot volume (discarding the initial unencrypted AMI in the
+    process). Default `false`.
+
+-   `kms_key_id` (string) - The ID of the KMS key to use for boot volume encryption.
+    This only applies to the main `region`, other regions where the AMI will be copied
+    will be encrypted by the default EBS KMS key.
+
 -   `from_scratch` (boolean) - Build a new volume instead of starting from an
     existing AMI root volume snapshot. Default `false`. If true, `source_ami` is
     no longer used and the following options become required:

website/source/docs/builders/amazon-ebssurrogate.html.md

@@ -163,14 +163,6 @@ builder.
 -   `force_delete_snapshot` (boolean) - Force Packer to delete snapshots associated with
     AMIs, which have been deregistered by `force_deregister`. Default `false`.
 
--   `encrypt_boot` (boolean) - Instruct packer to automatically create a copy of the
-    AMI with an encrypted boot volume (discarding the initial unencrypted AMI in the
-    process). Default `false`.
-
--   `kms_key_id` (string) - The ID of the KMS key to use for boot volume encryption.
-    This only applies to the main `region`, other regions where the AMI will be copied
-    will be encrypted by the default EBS KMS key.
-
 -   `iam_instance_profile` (string) - The name of an [IAM instance
     profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/instance-profiles.html)
     to launch the EC2 instance with.