add some extra layers of validation to make sure that people don't trip over magical encrypt_boot settings later in the build

Megan Marsh 2019-10-25 16:09:20 -07:00
parent 0b9391b092
commit 7cf47fc463
2 changed files with 22 additions and 8 deletions


@ -170,17 +170,23 @@ func (c *AMIConfig) Prepare(accessConfig *AccessConfig, ctx *interpolate.Context
} }
} }
var kmsKeys []string kmsKeys := make([]string, 0)
if len(c.AMIKmsKeyId) > 0 { if len(c.AMIKmsKeyId) > 0 {
kmsKeys = append(kmsKeys, c.AMIKmsKeyId) kmsKeys = append(kmsKeys, c.AMIKmsKeyId)
} }
if len(c.AMIRegionKMSKeyIDs) > 0 { if len(c.AMIRegionKMSKeyIDs) > 0 {
for _, kmsKey := range c.AMIRegionKMSKeyIDs { for _, kmsKey := range c.AMIRegionKMSKeyIDs {
if len(kmsKey) == 0 { if len(kmsKey) > 0 {
kmsKeys = append(kmsKeys, c.AMIKmsKeyId) kmsKeys = append(kmsKeys, kmsKey)
} }
} }
} }
if len(kmsKeys) > 0 && !c.AMIEncryptBootVolume.True() {
errs = append(errs, fmt.Errorf("If you have set either "+
"region_kms_key_ids or kms_key_id, encrypt_boot must also be true."))
}
for _, kmsKey := range kmsKeys { for _, kmsKey := range kmsKeys {
if !validateKmsKey(kmsKey) { if !validateKmsKey(kmsKey) {
errs = append(errs, fmt.Errorf("%s is not a valid KMS Key Id.", kmsKey)) errs = append(errs, fmt.Errorf("%s is not a valid KMS Key Id.", kmsKey))
@ -188,8 +194,9 @@ func (c *AMIConfig) Prepare(accessConfig *AccessConfig, ctx *interpolate.Context
} }
if len(c.SnapshotUsers) > 0 { if len(c.SnapshotUsers) > 0 {
if len(c.AMIKmsKeyId) == 0 && c.AMIEncryptBootVolume.True() { if len(c.AMIKmsKeyId) == 0 && len(c.AMIRegionKMSKeyIDs) == 0 && c.AMIEncryptBootVolume.True() {
errs = append(errs, fmt.Errorf("Cannot share snapshot encrypted with default KMS key")) errs = append(errs, fmt.Errorf("Cannot share snapshot encrypted "+
"with default KMS key"))
} }
if len(c.AMIRegionKMSKeyIDs) > 0 { if len(c.AMIRegionKMSKeyIDs) > 0 {
for _, kmsKey := range c.AMIRegionKMSKeyIDs { for _, kmsKey := range c.AMIRegionKMSKeyIDs {
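Review bot: The new encrypt_boot guard tests `len(kmsKeys) > 0`, but the loop just above it skips every empty value in `c.AMIRegionKMSKeyIDs`, so a config that lists regions with empty key values and leaves encrypt_boot unset never reaches this error. The snapshot-sharing check below treats an empty `AMIKmsKeyId` with encrypt_boot as "default KMS key"; if empty region values mean the same (not confirmable from these hunks), the user asked for encryption and validation passes silently. Testing the raw settings instead closes the gap: `if (len(c.AMIKmsKeyId) > 0 || len(c.AMIRegionKMSKeyIDs) > 0) && !c.AMIEncryptBootVolume.True() {`. Prepare's body starts and ends outside both hunks, so an earlier check may already cover this case.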


@ -83,9 +83,16 @@ func (s *StepAMIRegionCopy) Run(ctx context.Context, state multistep.StateBag) m
s.RegionKeyIds = make(map[string]string) s.RegionKeyIds = make(map[string]string)
} }
// Make sure the kms_key_id for the original region is in the map // Make sure the kms_key_id for the original region is in the map, as
if _, ok := s.RegionKeyIds[s.OriginalRegion]; !ok { // long as the AMIKmsKeyId isn't being defaulted.
s.RegionKeyIds[s.OriginalRegion] = s.AMIKmsKeyId if s.AMIKmsKeyId != "" {
if _, ok := s.RegionKeyIds[s.OriginalRegion]; !ok {
s.RegionKeyIds[s.OriginalRegion] = s.AMIKmsKeyId
}
} else {
if regionKey, ok := s.RegionKeyIds[s.OriginalRegion]; ok {
s.AMIKmsKeyId = regionKey
}
} }
} }
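Review bot: The case where `s.AMIKmsKeyId` is set and `s.RegionKeyIds[s.OriginalRegion]` holds a different key is not handled in the new branch: the map entry is kept, `s.AMIKmsKeyId` is left as it was, and nothing reports the mismatch. Which key ends up encrypting the original-region image then depends on which field the rest of Run reads, and Run continues outside this hunk. At minimum the precedence should be stated next to the branch, e.g. `// If both kms_key_id and a region_kms_key_ids entry for OriginalRegion are set, the map entry is kept and AMIKmsKeyId is not changed.` Better would be rejecting the conflicting pair during config validation so the key used is never ambiguous. As a smaller style point, the `else { if regionKey, ok := ...; ok {` nesting can be flattened to `} else if regionKey, ok := s.RegionKeyIds[s.OriginalRegion]; ok {`.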