Merge pull request #7707 from CARFAX/master

Enable encrypted AMI sharing across accounts
Megan Marsh 2019-06-03 13:08:06 -07:00 committed by GitHub
commit 078d888dba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 5 deletions


@ -59,8 +59,18 @@ func (c *AMIConfig) Prepare(accessConfig *AccessConfig, ctx *interpolate.Context
errs = append(errs, c.prepareRegions(accessConfig)...) errs = append(errs, c.prepareRegions(accessConfig)...)
if len(c.AMIUsers) > 0 && c.AMIEncryptBootVolume != nil && *c.AMIEncryptBootVolume { // Prevent sharing of default KMS key encrypted volumes with other aws users
errs = append(errs, fmt.Errorf("Cannot share AMI with encrypted boot volume")) if len(c.AMIUsers) > 0 {
if len(c.AMIKmsKeyId) == 0 && c.AMIEncryptBootVolume != nil && *c.AMIEncryptBootVolume {
errs = append(errs, fmt.Errorf("Cannot share AMI encrypted with default KMS key"))
}
if len(c.AMIRegionKMSKeyIDs) > 0 {
for _, kmsKey := range c.AMIRegionKMSKeyIDs {
if len(kmsKey) == 0 {
errs = append(errs, fmt.Errorf("Cannot share AMI encrypted with default KMS key for other regions"))
}
}
}
} }
var kmsKeys []string var kmsKeys []string
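Review bot: The per-region error appended inside the `for _, kmsKey := range c.AMIRegionKMSKeyIDs` loop does not say which region has the empty key, so a user with several regions gets N identical messages and no hint where to look; assuming `AMIRegionKMSKeyIDs` is a map keyed by region name, use the key: `for region, kmsKey := range c.AMIRegionKMSKeyIDs {` and `errs = append(errs, fmt.Errorf("Cannot share AMI encrypted with default KMS key for region %q", region))`. The surrounding `if len(c.AMIRegionKMSKeyIDs) > 0` guard is redundant, since ranging over an empty map is a no-op, and can be dropped. One thing to confirm outside this hunk: a region listed in `ami_regions` with no entry in this map may still be copied with the account default key, depending on the copy step, in which case this validation would not catch it. The enclosing `Prepare` method starts and ends outside the hunk.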


@ -169,10 +169,9 @@ func TestAMIConfigPrepare_Share_EncryptedBoot(t *testing.T) {
if err := c.Prepare(accessConf, nil); err == nil { if err := c.Prepare(accessConf, nil); err == nil {
t.Fatal("shouldn't be able to share ami with encrypted boot volume") t.Fatal("shouldn't be able to share ami with encrypted boot volume")
} }
c.AMIKmsKeyId = "89c3fb9a-de87-4f2a-aedc-fddc5138193c" c.AMIKmsKeyId = "89c3fb9a-de87-4f2a-aedc-fddc5138193c"
if err := c.Prepare(accessConf, nil); err == nil { if err := c.Prepare(accessConf, nil); err != nil {
t.Fatal("shouldn't be able to share ami with encrypted boot volume") t.Fatal("should be able to share ami with encrypted boot volume")
} }
} }
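Review bot: The updated assertion only exercises the `AMIKmsKeyId` path; the new region-key validation added in ami_config.go (an empty value in `AMIRegionKMSKeyIDs` while sharing with `AMIUsers`) has no test in this hunk. A case that sets `c.AMIRegionKMSKeyIDs` with one empty value and asserts `Prepare` returns an error, plus one with all values non-empty asserting nil, would pin that branch. The test function `TestAMIConfigPrepare_Share_EncryptedBoot` begins outside the hunk.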