Added KMS CMK support to EBS builder
Added the 'kms_key_id' parameter. This supports supplying a customer master key (CMK) when encrypting the EBS volume. The parameter is optional and only takes effect when 'encrypted' is true. When 'encrypted' is true but 'kms_key_id' is missing, the 'aws/ebs' key will be used.
This commit is contained in:
parent
df7c376e77
commit
3eed6fd508
@ -21,6 +21,7 @@ type AMIConfig struct {
AMIForceDeregister bool `mapstructure:"force_deregister"`
AMIForceDeleteSnapshot bool `mapstructure:"force_delete_snapshot"`
AMIEncryptBootVolume bool `mapstructure:"encrypt_boot"`
AMIKmsKeyId string `mapstructure:"kms_key_id"`
SnapshotTags map[string]string `mapstructure:"snapshot_tags"`
}
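Review bot: The new `AMIKmsKeyId` field on the `kms_key_id` line carries no comment, and nothing in the struct tells a reader that the key is honored only when `encrypt_boot` is true; add `// AMIKmsKeyId is the KMS key used for the encrypted AMI copy; ignored unless AMIEncryptBootVolume is set.` above it. Go's initialism convention would spell it `AMIKmsKeyID`, although the AWS SDK field it feeds is `KmsKeyId`, so keeping the SDK spelling is defensible as long as it is deliberate. The documentation hunk later in this commit appears to list `kms_key_id` beside the block-device `encrypted` and `iops` options, while the field lives in AMIConfig and is gated on `AMIEncryptBootVolume`; worth confirming the option is documented under the section where it is actually read. The struct's opening line is outside the hunk.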
@ -18,9 +18,13 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
config := state.Get("config").(Config)
ec2conn := state.Get("ec2").(*ec2.EC2)
ui := state.Get("ui").(packer.Ui)
kmsKeyId := config.AMIConfig.AMIKmsKeyId
// Encrypt boot not set, so skip step
if !config.AMIConfig.AMIEncryptBootVolume {
if kmsKeyId != "" {
ui.Say(fmt.Sprintf("Ignoring KMS Key ID: %s, encrypted=false", kmsKeyId))
}
return multistep.ActionContinue
}
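Review bot: When `encrypt_boot` is false and a `kms_key_id` was supplied, the new branch only prints `Ignoring KMS Key ID: ..., encrypted=false` through `ui.Say` and continues, so a template that names a key but omits `encrypt_boot` yields an unencrypted AMI with the notice buried in ordinary progress output. A configured key that cannot take effect is more likely a template mistake than intent; surfacing it as a warning (`ui.Error` on the packer Ui, if that is the convention this builder follows) or rejecting the combination during config validation would make the outcome visible before the copy step runs. Run's body continues past the end of the hunk.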
@ -36,11 +40,16 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
ui.Say(fmt.Sprintf("Copying AMI: %s(%s)", region, id))
if kmsKeyId != "" {
ui.Say(fmt.Sprintf("Encypting with KMS Key ID: %s", kmsKeyId))
}
copyOpts := &ec2.CopyImageInput{
Name: &config.AMIName, // Try to overwrite existing AMI
SourceImageId: aws.String(id),
SourceRegion: aws.String(region),
Encrypted: aws.Bool(true),
KmsKeyId: aws.String(kmsKeyId),
}
copyResp, err := ec2conn.CopyImage(copyOpts)
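Review bot: `KmsKeyId: aws.String(kmsKeyId)` in the `CopyImageInput` literal is set even when `kmsKeyId` is empty, so an absent `kms_key_id` is sent to CopyImage as an empty parameter rather than omitted, which may not give the fall-back to the `aws/ebs` default key that the commit message promises. Drop the field from the literal and populate it only when a key was configured, folding it into the existing guard: `if kmsKeyId != "" { ui.Say(fmt.Sprintf("Encrypting with KMS Key ID: %s", kmsKeyId)); copyOpts.KmsKeyId = aws.String(kmsKeyId) }` placed after the literal. That message as committed also misspells the verb (`Encypting`). Run's body starts and ends outside the hunk.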
@ -77,6 +77,8 @@ builder.
- `encrypted` (boolean) - Indicates whether to encrypt the volume or not
- `kms_key_id` (string) - The ID of the KMS key to use for volume encryption
- `iops` (integer) - The number of I/O operations per second (IOPS) that the
volume supports. See the documentation on
[IOPs](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html)