add some extra layers of validation to make sure that people don't trip over magical encrypt_boot settings later in the build
This commit is contained in:
parent
0b9391b092
commit
7cf47fc463
|
@ -170,17 +170,23 @@ func (c *AMIConfig) Prepare(accessConfig *AccessConfig, ctx *interpolate.Context
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
var kmsKeys []string
|
kmsKeys := make([]string, 0)
|
||||||
if len(c.AMIKmsKeyId) > 0 {
|
if len(c.AMIKmsKeyId) > 0 {
|
||||||
kmsKeys = append(kmsKeys, c.AMIKmsKeyId)
|
kmsKeys = append(kmsKeys, c.AMIKmsKeyId)
|
||||||
}
|
}
|
||||||
if len(c.AMIRegionKMSKeyIDs) > 0 {
|
if len(c.AMIRegionKMSKeyIDs) > 0 {
|
||||||
for _, kmsKey := range c.AMIRegionKMSKeyIDs {
|
for _, kmsKey := range c.AMIRegionKMSKeyIDs {
|
||||||
if len(kmsKey) == 0 {
|
if len(kmsKey) > 0 {
|
||||||
kmsKeys = append(kmsKeys, c.AMIKmsKeyId)
|
kmsKeys = append(kmsKeys, kmsKey)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(kmsKeys) > 0 && !c.AMIEncryptBootVolume.True() {
|
||||||
|
errs = append(errs, fmt.Errorf("If you have set either "+
|
||||||
|
"region_kms_key_ids or kms_key_id, encrypt_boot must also be true."))
|
||||||
|
|
||||||
|
}
|
||||||
for _, kmsKey := range kmsKeys {
|
for _, kmsKey := range kmsKeys {
|
||||||
if !validateKmsKey(kmsKey) {
|
if !validateKmsKey(kmsKey) {
|
||||||
errs = append(errs, fmt.Errorf("%s is not a valid KMS Key Id.", kmsKey))
|
errs = append(errs, fmt.Errorf("%s is not a valid KMS Key Id.", kmsKey))
|
||||||
|
@ -188,8 +194,9 @@ func (c *AMIConfig) Prepare(accessConfig *AccessConfig, ctx *interpolate.Context
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(c.SnapshotUsers) > 0 {
|
if len(c.SnapshotUsers) > 0 {
|
||||||
if len(c.AMIKmsKeyId) == 0 && c.AMIEncryptBootVolume.True() {
|
if len(c.AMIKmsKeyId) == 0 && len(c.AMIRegionKMSKeyIDs) == 0 && c.AMIEncryptBootVolume.True() {
|
||||||
errs = append(errs, fmt.Errorf("Cannot share snapshot encrypted with default KMS key"))
|
errs = append(errs, fmt.Errorf("Cannot share snapshot encrypted "+
|
||||||
|
"with default KMS key"))
|
||||||
}
|
}
|
||||||
if len(c.AMIRegionKMSKeyIDs) > 0 {
|
if len(c.AMIRegionKMSKeyIDs) > 0 {
|
||||||
for _, kmsKey := range c.AMIRegionKMSKeyIDs {
|
for _, kmsKey := range c.AMIRegionKMSKeyIDs {
|
||||||
|
|
|
@ -83,9 +83,16 @@ func (s *StepAMIRegionCopy) Run(ctx context.Context, state multistep.StateBag) m
|
||||||
s.RegionKeyIds = make(map[string]string)
|
s.RegionKeyIds = make(map[string]string)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Make sure the kms_key_id for the original region is in the map
|
// Make sure the kms_key_id for the original region is in the map, as
|
||||||
if _, ok := s.RegionKeyIds[s.OriginalRegion]; !ok {
|
// long as the AMIKmsKeyId isn't being defaulted.
|
||||||
s.RegionKeyIds[s.OriginalRegion] = s.AMIKmsKeyId
|
if s.AMIKmsKeyId != "" {
|
||||||
|
if _, ok := s.RegionKeyIds[s.OriginalRegion]; !ok {
|
||||||
|
s.RegionKeyIds[s.OriginalRegion] = s.AMIKmsKeyId
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if regionKey, ok := s.RegionKeyIds[s.OriginalRegion]; ok {
|
||||||
|
s.AMIKmsKeyId = regionKey
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue