Added KMS CMK support to EBS builder

Added the 'kms_key_id' parameter. This supports supplying a customer master key (CMK) when encrypting the EBS volume.

The parameter is optional and only takes effect when 'encrypted' is true. When 'encrypted' is true but 'kms_key_id' is missing the 'aws/ebs' key will be used.
This commit is contained in:
poida 2016-10-18 23:30:38 +11:00
parent df7c376e77
commit 3eed6fd508
3 changed files with 12 additions and 0 deletions

View File

@ -21,6 +21,7 @@ type AMIConfig struct {
AMIForceDeregister bool `mapstructure:"force_deregister"`
AMIForceDeleteSnapshot bool `mapstructure:"force_delete_snapshot"`
AMIEncryptBootVolume bool `mapstructure:"encrypt_boot"`
AMIKmsKeyId string `mapstructure:"kms_key_id"`
SnapshotTags map[string]string `mapstructure:"snapshot_tags"`
}

View File

@ -18,9 +18,13 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
config := state.Get("config").(Config)
ec2conn := state.Get("ec2").(*ec2.EC2)
ui := state.Get("ui").(packer.Ui)
kmsKeyId := config.AMIConfig.AMIKmsKeyId
// Encrypt boot not set, so skip step
if !config.AMIConfig.AMIEncryptBootVolume {
if kmsKeyId != "" {
ui.Say(fmt.Sprintf("Ignoring KMS Key ID: %s, encrypted=false", kmsKeyId))
}
return multistep.ActionContinue
}
@ -36,11 +40,16 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
ui.Say(fmt.Sprintf("Copying AMI: %s(%s)", region, id))
if kmsKeyId != "" {
ui.Say(fmt.Sprintf("Encypting with KMS Key ID: %s", kmsKeyId))
}
copyOpts := &ec2.CopyImageInput{
Name: &config.AMIName, // Try to overwrite existing AMI
SourceImageId: aws.String(id),
SourceRegion: aws.String(region),
Encrypted: aws.Bool(true),
KmsKeyId: aws.String(kmsKeyId),
}
copyResp, err := ec2conn.CopyImage(copyOpts)

View File

@ -77,6 +77,8 @@ builder.
- `encrypted` (boolean) - Indicates whether to encrypt the volume or not
- `kms_key_id` (string) - The ID of the KMS key to use for volume encryption
- `iops` (integer) - The number of I/O operations per second (IOPS) that the
volume supports. See the documentation on
[IOPs](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html)