From 24bc50ce1bef88beae4ec7a122f84ecf71476336 Mon Sep 17 00:00:00 2001
From: Jason McIntosh
Date: Thu, 30 May 2019 17:16:36 -0500
Subject: [PATCH 1/3] Enable encrypted AMIs with custom KMS Keys

---
 builder/amazon/common/ami_config.go | 17 +++++++++++++++--
 builder/amazon/common/ami_config_test.go | 5 ++---
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/builder/amazon/common/ami_config.go b/builder/amazon/common/ami_config.go
index 3e858d1f3..b8062fdca 100644
--- a/builder/amazon/common/ami_config.go
+++ b/builder/amazon/common/ami_config.go
@@ -59,8 +59,21 @@ func (c *AMIConfig) Prepare(accessConfig *AccessConfig, ctx *interpolate.Context
 errs = append(errs, c.prepareRegions(accessConfig)...)
- if len(c.AMIUsers) > 0 && c.AMIEncryptBootVolume != nil && *c.AMIEncryptBootVolume {
- errs = append(errs, fmt.Errorf("Cannot share AMI with encrypted boot volume"))
+ //if len(c.AMIUsers) > 0 && c.AMIEncryptBootVolume != nil && *c.AMIEncryptBootVolume {
+ //errs = append(errs, fmt.Errorf("Cannot share AMI with encrypted boot volume"))
+ //}
+
+ if len(c.AMIUsers) > 0 {
+ if len(c.AMIKmsKeyId) == 0 && c.AMIEncryptBootVolume != nil && *c.AMIEncryptBootVolume {
+ errs = append(errs, fmt.Errorf("Cannot share AMI encrypted with default KMS key"))
+ }
+ if len(c.AMIRegionKMSKeyIDs) > 0 {
+ for _, kmsKey := range c.AMIRegionKMSKeyIDs {
+ if len(kmsKey) == 0 {
+ errs = append(errs, fmt.Errorf("Cannot share AMI encrypted with default KMS key for other regions"))
+ }
+ }
+ }
 }
 var kmsKeys []string
diff --git a/builder/amazon/common/ami_config_test.go b/builder/amazon/common/ami_config_test.go
index f3d098d69..0e72d30dc 100644
--- a/builder/amazon/common/ami_config_test.go
+++ b/builder/amazon/common/ami_config_test.go
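Review bot: The new `AMIRegionKMSKeyIDs` loop appends the same region-less error for every empty entry, so a user with several regions configured cannot tell which one is missing its key; if `AMIRegionKMSKeyIDs` is the region→key map its name suggests, range over the key as well, `for region, kmsKey := range c.AMIRegionKMSKeyIDs {` and `errs = append(errs, fmt.Errorf("Cannot share AMI encrypted with default KMS key for region %s", region))`. The two checks are also inconsistent: the first is gated on `AMIEncryptBootVolume` being set, the region loop is not, so an empty region entry is rejected even when encryption is off. The loop only inspects entries that exist, so a region listed in `ami_regions` but absent from `region_kms_key_ids` passes this check; whether that copy then falls back to the default key is decided outside the hunk and is worth confirming. The `if len(c.AMIRegionKMSKeyIDs) > 0` guard is redundant, since ranging over an empty map or slice is a no-op. Prepare starts and ends outside the hunk.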
@@ -169,10 +169,9 @@ func TestAMIConfigPrepare_Share_EncryptedBoot(t *testing.T) {
 if err := c.Prepare(accessConf, nil); err == nil {
 t.Fatal("shouldn't be able to share ami with encrypted boot volume")
 }
- c.AMIKmsKeyId = "89c3fb9a-de87-4f2a-aedc-fddc5138193c"
- if err := c.Prepare(accessConf, nil); err == nil {
- t.Fatal("shouldn't be able to share ami with encrypted boot volume")
+ if err := c.Prepare(accessConf, nil); err != nil {
+ t.Fatal("should be able to share ami with encrypted boot volume")
 }
 }

From 24a4e2f23ec25260037e3868f240cee617b77212 Mon Sep 17 00:00:00 2001
From: Jason McIntosh
Date: Thu, 30 May 2019 17:18:33 -0500
Subject: [PATCH 2/3] Updated comments

---
 builder/amazon/common/ami_config.go | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/builder/amazon/common/ami_config.go b/builder/amazon/common/ami_config.go
index b8062fdca..8535c2330 100644
--- a/builder/amazon/common/ami_config.go
+++ b/builder/amazon/common/ami_config.go
@@ -59,10 +59,7 @@ func (c *AMIConfig) Prepare(accessConfig *AccessConfig, ctx *interpolate.Context
 errs = append(errs, c.prepareRegions(accessConfig)...)
- //if len(c.AMIUsers) > 0 && c.AMIEncryptBootVolume != nil && *c.AMIEncryptBootVolume {
- //errs = append(errs, fmt.Errorf("Cannot share AMI with encrypted boot volume"))
- //}
-
+ // Prevent sharing of default KMS key encrypted volumes with other aws users
 if len(c.AMIUsers) > 0 {
 if len(c.AMIKmsKeyId) == 0 && c.AMIEncryptBootVolume != nil && *c.AMIEncryptBootVolume {
 errs = append(errs, fmt.Errorf("Cannot share AMI encrypted with default KMS key"))

From abef9820c73c6842409ac99e1deff6d1746d1eed Mon Sep 17 00:00:00 2001
From: Jason McIntosh
Date: Thu, 30 May 2019 17:25:36 -0500
Subject: [PATCH 3/3] Fixed spacing on comment

---
 builder/amazon/common/ami_config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/builder/amazon/common/ami_config.go b/builder/amazon/common/ami_config.go
index 8535c2330..343d7f1bd 100644
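Review bot: Removing the `c.AMIKmsKeyId = "89c3fb9a-…"` line leaves the two `c.Prepare(accessConf, nil)` calls in this hunk running against identical config while expecting opposite outcomes — the first fatals unless Prepare returns an error, the second fatals if it does — so one of them must fail unless Prepare mutates `c` between the calls. Keep the assignment as context between the two checks (or have the second check set a custom key itself) so the new `err != nil` assertion actually exercises the custom-key path that PATCH 1 enables. The test also never covers the other branch the same patch adds, an `AMIRegionKMSKeyIDs` entry with an empty key. The function body starts outside the hunk, so the value `AMIKmsKeyId` holds before the first call is not visible here.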
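Review bot: The added comment states what the block does but not why, which is what a maintainer tempted to relax the check needs; the checked thing is also the AMI rather than a "volume", and the `ami_users` values are presumably account IDs rather than "aws users". Suggested wording: `// An AMI encrypted with the account's default (AWS-managed) KMS key cannot be used from another account, so refuse to share unless a customer-managed key is configured; a custom key still has to grant the target accounts use via its key policy (confirm against current AWS docs).` Prepare starts and ends outside the hunk.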
--- a/builder/amazon/common/ami_config.go
+++ b/builder/amazon/common/ami_config.go
@@ -59,7 +59,7 @@ func (c *AMIConfig) Prepare(accessConfig *AccessConfig, ctx *interpolate.Context
 errs = append(errs, c.prepareRegions(accessConfig)...)
- // Prevent sharing of default KMS key encrypted volumes with other aws users
+ // Prevent sharing of default KMS key encrypted volumes with other aws users
 if len(c.AMIUsers) > 0 {
 if len(c.AMIKmsKeyId) == 0 && c.AMIEncryptBootVolume != nil && *c.AMIEncryptBootVolume {
 errs = append(errs, fmt.Errorf("Cannot share AMI encrypted with default KMS key"))