Allow custom encrypted AMIs to be shared

When using a custom KMS key to encrypt the boot volume of an AMI, packer should allow it to be shared with other users.
2016-12-02 21:30:14 +11:00 · 2016-12-02 21:30:14 +11:00 · 7ea17e1630
parent 3eed6fd508
commit 7ea17e1630
2 changed files with 11 additions and 4 deletions
--- a/builder/amazon/common/ami_config.go
+++ b/builder/amazon/common/ami_config.go
@ -58,8 +58,8 @@ func (c *AMIConfig) Prepare(ctx *interpolate.Context) []error {
 		c.AMIRegions = regions
 	}

-	if len(c.AMIUsers) > 0 && c.AMIEncryptBootVolume {
-		errs = append(errs, fmt.Errorf("Cannot share AMI with encrypted boot volume"))
+	if len(c.AMIUsers) > 0 && len(c.AMIKmsKeyId) == 0 && c.AMIEncryptBootVolume {
+		errs = append(errs, fmt.Errorf("Cannot share AMI with encrypted boot volume unless key is specified with kms_key_id"))
 	}

 	if len(errs) > 0 {
--- a/builder/amazon/common/ami_config_test.go
+++ b/builder/amazon/common/ami_config_test.go
@ -59,11 +59,18 @@ func TestAMIConfigPrepare_regions(t *testing.T) {

 }

-func TestAMIConfigPrepare_EncryptBoot(t *testing.T) {
+func TestAMIConfigPrepare_Share_EncryptedBoot(t *testing.T) {
 	c := testAMIConfig()
 	c.AMIUsers = []string{"testAccountID"}
 	c.AMIEncryptBootVolume = true
+
+	c.AMIKmsKeyId = ""
 	if err := c.Prepare(nil); err == nil {
-		t.Fatal("should have error")
+		t.Fatal("shouldn't be able to share ami with encrypted boot volume unless the kms_key_id param is provided")
+	}
+
+	c.AMIKmsKeyId = "89c3fb9a-de87-4f2a-aedc-fddc5138193c"
+	if err := c.Prepare(nil); err != nil {
+		t.Fatal("should be able to share ami with encrypted boot volume if the kms_key_id param is provided")
 	}
 }