diff --git a/builder/amazon/chroot/builder.go b/builder/amazon/chroot/builder.go
index 973d1c1b6..18bf8ce3c 100644
--- a/builder/amazon/chroot/builder.go
+++ b/builder/amazon/chroot/builder.go
@@ -254,6 +254,11 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 &StepRegisterAMI{
 RootVolumeSize: b.config.RootVolumeSize,
 },
+ &awscommon.StepCreateEncryptedAMICopy{
+ KeyID: b.config.AMIKmsKeyId,
+ EncryptBootVolume: b.config.AMIEncryptBootVolume,
+ Name: b.config.AMIName,
+ },
 &awscommon.StepAMIRegionCopy{
 AccessConfig: &b.config.AccessConfig,
 Regions: b.config.AMIRegions,
diff --git a/builder/amazon/ebs/step_encrypted_ami.go b/builder/amazon/common/step_encrypted_ami.go
similarity index 87%
rename from builder/amazon/ebs/step_encrypted_ami.go
rename to builder/amazon/common/step_encrypted_ami.go
index 59f3298bd..40e985322 100644
--- a/builder/amazon/ebs/step_encrypted_ami.go
+++ b/builder/amazon/common/step_encrypted_ami.go
@@ -1,4 +1,4 @@
-package ebs
+package common
 import (
 "fmt"
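Review bot: The `StepCreateEncryptedAMICopy` literal added here is repeated field-for-field in the ebs/builder.go hunk further down, each one hand-copying `AMIKmsKeyId`, `AMIEncryptBootVolume` and `AMIName` out of the builder config. A constructor in the common package taking the shared AMI config, e.g. `func NewStepCreateEncryptedAMICopy(c *AMIConfig) *StepCreateEncryptedAMICopy`, would keep the two builders from drifting when a field is added. The step is placed before `StepAMIRegionCopy`, which presumably means the region copies are made from the already-encrypted AMI (consistent with the docs hunk saying other regions use the default EBS key); a one-line comment on the literal such as `// Must run before StepAMIRegionCopy so region copies start from the encrypted AMI.` would stop a later reordering from silently changing that. The enclosing `Run` starts and ends outside this hunk.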
@@ -7,22 +7,23 @@ import (
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/service/ec2"
 "github.com/mitchellh/multistep"
- awscommon "github.com/mitchellh/packer/builder/amazon/common"
 "github.com/mitchellh/packer/packer"
 )
-type stepCreateEncryptedAMICopy struct {
- image *ec2.Image
+type StepCreateEncryptedAMICopy struct {
+ image *ec2.Image
+ KeyID string
+ EncryptBootVolume bool
+ Name string
 }
-func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.StepAction {
- config := state.Get("config").(Config)
+func (s *StepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.StepAction {
 ec2conn := state.Get("ec2").(*ec2.EC2)
 ui := state.Get("ui").(packer.Ui)
- kmsKeyId := config.AMIConfig.AMIKmsKeyId
+ kmsKeyId := s.KeyID
 // Encrypt boot not set, so skip step
- if !config.AMIConfig.AMIEncryptBootVolume {
+ if !s.EncryptBootVolume {
 if kmsKeyId != "" {
 log.Printf(fmt.Sprintf("Ignoring KMS Key ID: %s, encrypted=false", kmsKeyId))
 }
@@ -46,7 +47,7 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
 }
 copyOpts := &ec2.CopyImageInput{
- Name: &config.AMIName, // Try to overwrite existing AMI
+ Name: &s.Name, // Try to overwrite existing AMI
 SourceImageId: aws.String(id),
 SourceRegion: aws.String(region),
 Encrypted: aws.Bool(true),
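Review bot: `StepCreateEncryptedAMICopy` becomes an exported type in this hunk but carries no doc comment, and neither do its three exported fields; a header along the lines of `// StepCreateEncryptedAMICopy copies the built AMI into an encrypted AMI named Name, using KeyID as the KMS key when set; it is skipped when EncryptBootVolume is false.` is what a caller in another package now needs. In the second hunk, `Name: &s.Name` is the only field of the `CopyImageInput` literal not built with the SDK helper; `Name: aws.String(s.Name),` matches `SourceImageId`/`SourceRegion` and avoids handing the SDK a pointer into the step struct. The moved `log.Printf(fmt.Sprintf(...))` line passes a non-constant format string (go vet flags this); since the file is being relocated anyway, `log.Printf("Ignoring KMS Key ID: %s, encrypted=false", kmsKeyId)` is the plain form. `Run` begins in this hunk but its body continues past it, so where `kmsKeyId` is actually applied to the copy is not visible here.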
@@ -62,15 +63,15 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
 }
 // Wait for the copy to become ready
- stateChange := awscommon.StateChangeConf{
+ stateChange := StateChangeConf{
 Pending: []string{"pending"},
 Target: "available",
- Refresh: awscommon.AMIStateRefreshFunc(ec2conn, *copyResp.ImageId),
+ Refresh: AMIStateRefreshFunc(ec2conn, *copyResp.ImageId),
 StepState: state,
 }
 ui.Say("Waiting for AMI copy to become ready...")
- if _, err := awscommon.WaitForState(&stateChange); err != nil {
+ if _, err := WaitForState(&stateChange); err != nil {
 err := fmt.Errorf("Error waiting for AMI Copy: %s", err)
 state.Put("error", err)
 ui.Error(err.Error())
@@ -146,7 +147,7 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
 return multistep.ActionContinue
 }
-func (s *stepCreateEncryptedAMICopy) Cleanup(state multistep.StateBag) {
+func (s *StepCreateEncryptedAMICopy) Cleanup(state multistep.StateBag) {
 if s.image == nil {
 return
 }
diff --git a/builder/amazon/ebs/builder.go b/builder/amazon/ebs/builder.go
index e8a1a15f6..a5ce0cd86 100644
--- a/builder/amazon/ebs/builder.go
+++ b/builder/amazon/ebs/builder.go
@@ -182,7 +182,11 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 AMIName: b.config.AMIName,
 },
 &stepCreateAMI{},
- &stepCreateEncryptedAMICopy{},
+ &awscommon.StepCreateEncryptedAMICopy{
+ KeyID: b.config.AMIKmsKeyId,
+ EncryptBootVolume: b.config.AMIEncryptBootVolume,
+ Name: b.config.AMIName,
+ },
 &awscommon.StepAMIRegionCopy{
 AccessConfig: &b.config.AccessConfig,
 Regions: b.config.AMIRegions,
diff --git a/website/source/docs/builders/amazon-chroot.html.md b/website/source/docs/builders/amazon-chroot.html.md
index 97f575b2e..1ab369f65 100644
--- a/website/source/docs/builders/amazon-chroot.html.md
+++ b/website/source/docs/builders/amazon-chroot.html.md
@@ -131,6 +131,14 @@ each category, the available configuration keys are alphabetized.
 - `force_delete_snapshot` (boolean) - Force Packer to delete snapshots associated with AMIs, which have been deregistered by `force_deregister`. Default `false`.
+- `encrypt_boot` (boolean) - Instruct packer to automatically create a copy of the
+AMI with an encrypted boot volume (discarding the initial unencrypted AMI in the
+process). Default `false`.
+
+- `kms_key_id` (string) - The ID of the KMS key to use for boot volume encryption.
+This only applies to the main `region`, other regions where the AMI will be copied
+will be encrypted by the default EBS KMS key.
+
 - `from_scratch` (boolean) - Build a new volume instead of starting from an existing AMI root volume snapshot. Default `false`. If true, `source_ami` is no longer used and the following options become required:
diff --git a/website/source/docs/builders/amazon-ebssurrogate.html.md b/website/source/docs/builders/amazon-ebssurrogate.html.md
index 6dae386a8..beb676071 100644
--- a/website/source/docs/builders/amazon-ebssurrogate.html.md
+++ b/website/source/docs/builders/amazon-ebssurrogate.html.md
@@ -163,14 +163,6 @@ builder.
 - `force_delete_snapshot` (boolean) - Force Packer to delete snapshots associated with AMIs, which have been deregistered by `force_deregister`. Default `false`.
-- `encrypt_boot` (boolean) - Instruct packer to automatically create a copy of the
-AMI with an encrypted boot volume (discarding the initial unencrypted AMI in the
-process). Default `false`.
-
-- `kms_key_id` (string) - The ID of the KMS key to use for boot volume encryption.
-This only applies to the main `region`, other regions where the AMI will be copied
-will be encrypted by the default EBS KMS key.
-
 - `iam_instance_profile` (string) - The name of an [IAM instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/instance-profiles.html) to launch the EC2 instance with.