Added KMS CMK support to EBS builder
Added the 'kms_key_id' parameter. This supports supplying a customer master key (CMK) when encrypting the EBS volume. The parameter is optional and only takes effect when 'encrypted' is true. When 'encrypted' is true but 'kms_key_id' is missing the 'aws/ebs' key will be used.
This commit is contained in:
parent
df7c376e77
commit
3eed6fd508
@ -21,6 +21,7 @@ type AMIConfig struct {
AMIForceDeregister bool `mapstructure:"force_deregister"`
AMIForceDeregister bool `mapstructure:"force_deregister"`
AMIForceDeleteSnapshot bool `mapstructure:"force_delete_snapshot"`
AMIForceDeleteSnapshot bool `mapstructure:"force_delete_snapshot"`
AMIEncryptBootVolume bool `mapstructure:"encrypt_boot"`
AMIEncryptBootVolume bool `mapstructure:"encrypt_boot"`
AMIKmsKeyId string `mapstructure:"kms_key_id"`
SnapshotTags map[string]string `mapstructure:"snapshot_tags"`
SnapshotTags map[string]string `mapstructure:"snapshot_tags"`
}
}
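Review bot: `AMIKmsKeyId` is added without a doc comment, and nothing on the struct says it is only honoured together with `AMIEncryptBootVolume`; the neighbouring fields are undocumented too, so this is a style point for the new line rather than a regression. I would put `// AMIKmsKeyId is the KMS key used for the encrypted AMI copy made when encrypt_boot is set; empty falls back to the account default EBS key per the commit description.` above the field. `AMIConfig` begins before this hunk.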
@ -18,9 +18,13 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
config := state.Get("config").(Config)
config := state.Get("config").(Config)
ec2conn := state.Get("ec2").(*ec2.EC2)
ec2conn := state.Get("ec2").(*ec2.EC2)
ui := state.Get("ui").(packer.Ui)
ui := state.Get("ui").(packer.Ui)
kmsKeyId := config.AMIConfig.AMIKmsKeyId
// Encrypt boot not set, so skip step
// Encrypt boot not set, so skip step
if !config.AMIConfig.AMIEncryptBootVolume {
if !config.AMIConfig.AMIEncryptBootVolume {
if kmsKeyId != "" {
ui.Say(fmt.Sprintf("Ignoring KMS Key ID: %s, encrypted=false", kmsKeyId))
}
return multistep.ActionContinue
return multistep.ActionContinue
}
}
@ -36,11 +40,16 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
ui.Say(fmt.Sprintf("Copying AMI: %s(%s)", region, id))
ui.Say(fmt.Sprintf("Copying AMI: %s(%s)", region, id))
if kmsKeyId != "" {
ui.Say(fmt.Sprintf("Encypting with KMS Key ID: %s", kmsKeyId))
}
copyOpts := &ec2.CopyImageInput{
copyOpts := &ec2.CopyImageInput{
Name: &config.AMIName, // Try to overwrite existing AMI
Name: &config.AMIName, // Try to overwrite existing AMI
SourceImageId: aws.String(id),
SourceImageId: aws.String(id),
SourceRegion: aws.String(region),
SourceRegion: aws.String(region),
Encrypted: aws.Bool(true),
Encrypted: aws.Bool(true),
KmsKeyId: aws.String(kmsKeyId),
</gr_replreplace>
<gr_replace lines="167-167" cat="remove_boilerplate" orig="|">
}
|
}
copyResp, err := ec2conn.CopyImage(copyOpts)
copyResp, err := ec2conn.CopyImage(copyOpts)
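Review bot: `KmsKeyId: aws.String(kmsKeyId)` in the `CopyImageInput` literal is set unconditionally, so a build without `kms_key_id` sends an empty `KmsKeyId` parameter; the commit description promises the `aws/ebs` default key in that case, which only holds if EC2 treats an empty string as absent rather than rejecting it, so I would leave the field out of the literal and add `if kmsKeyId != "" { copyOpts.KmsKeyId = aws.String(kmsKeyId) }` after it. The skip path in the earlier hunk is gated on `AMIEncryptBootVolume` (`encrypt_boot`) yet reports `encrypted=false`, so `"Ignoring KMS Key ID: %s, encrypt_boot=false"` would name the option the user actually sets; relatedly, the docs hunk appears to list `kms_key_id` beside the block-device `encrypted` option while the code reads it from `AMIConfig`, which is worth reconciling. The progress message also has a typo: `Encypting` should be `Encrypting`. `Run` starts before these hunks and continues after them.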
@ -77,6 +77,8 @@ builder.
- `encrypted` (boolean) - Indicates whether to encrypt the volume or not
- `encrypted` (boolean) - Indicates whether to encrypt the volume or not
- `kms_key_id` (string) - The ID of the KMS key to use for volume encryption
- `iops` (integer) - The number of I/O operations per second (IOPS) that the
- `iops` (integer) - The number of I/O operations per second (IOPS) that the
volume supports. See the documentation on
volume supports. See the documentation on
[IOPs](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html)
[IOPs](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html)