From 7ea17e1630d195adba5b7dd03e91d7318d1eec56 Mon Sep 17 00:00:00 2001
From: poida
Date: Fri, 2 Dec 2016 21:30:14 +1100
Subject: [PATCH] Allow custom encrypted AMIs to be shared

When using a custom KMS key to encrypt the boot volume of an AMI, packer should allow it to be shared with other users.
---
 builder/amazon/common/ami_config.go | 4 ++--
 builder/amazon/common/ami_config_test.go | 11 +++++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/builder/amazon/common/ami_config.go b/builder/amazon/common/ami_config.go
index fa442cb5c..8914b1934 100644
--- a/builder/amazon/common/ami_config.go
+++ b/builder/amazon/common/ami_config.go
@@ -58,8 +58,8 @@ func (c *AMIConfig) Prepare(ctx *interpolate.Context) []error {
 c.AMIRegions = regions
 }
 
- if len(c.AMIUsers) > 0 && c.AMIEncryptBootVolume {
- errs = append(errs, fmt.Errorf("Cannot share AMI with encrypted boot volume"))
+ if len(c.AMIUsers) > 0 && len(c.AMIKmsKeyId) == 0 && c.AMIEncryptBootVolume {
+ errs = append(errs, fmt.Errorf("Cannot share AMI with encrypted boot volume unless key is specified with kms_key_id"))
 }
 
 if len(errs) > 0 {
diff --git a/builder/amazon/common/ami_config_test.go b/builder/amazon/common/ami_config_test.go
index 9d52cfc3b..df9533724 100644
--- a/builder/amazon/common/ami_config_test.go
+++ b/builder/amazon/common/ami_config_test.go
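Review bot: The relaxed guard in Prepare (builder/amazon/common/ami_config.go) accepts any non-empty `kms_key_id`, so it cannot tell a customer-managed key from the account's default EBS key, and snapshots encrypted under the default key cannot be shared with other accounts. Sharing also only works if the key policy lets the `ami_users` accounts use the key, which this check does not verify and probably cannot verify at Prepare time. I would add a comment above the condition, `// kms_key_id must name a customer-managed key whose policy grants the ami_users accounts access; only its presence is checked here`, and carry the same caveat into the option's documentation. Prepare begins and ends outside this hunk.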
@@ -59,11 +59,18 @@ func TestAMIConfigPrepare_regions(t *testing.T) {
 
 }
 
-func TestAMIConfigPrepare_EncryptBoot(t *testing.T) {
+func TestAMIConfigPrepare_Share_EncryptedBoot(t *testing.T) {
 c := testAMIConfig()
 c.AMIUsers = []string{"testAccountID"}
 c.AMIEncryptBootVolume = true
+
+ c.AMIKmsKeyId = ""
 if err := c.Prepare(nil); err == nil {
- t.Fatal("should have error")
+ t.Fatal("shouldn't be able to share ami with encrypted boot volume unless the kms_key_id param is provided")
+ }
+
+ c.AMIKmsKeyId = "89c3fb9a-de87-4f2a-aedc-fddc5138193c"
+ if err := c.Prepare(nil); err != nil {
+ t.Fatal("should be able to share ami with encrypted boot volume if the kms_key_id param is provided")
 }
 }
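Review bot: The second `c.Prepare(nil)` call in TestAMIConfigPrepare_Share_EncryptedBoot discards the returned errors, so a failure will not say which validation rejected the config; switching that `t.Fatal` to `t.Fatalf` with a trailing `: %v` and passing `err` would surface it. The same `c` is reused after the first Prepare call, and the other hunk shows Prepare writing back to the config (`c.AMIRegions = regions`), so the positive case runs on an already-prepared value; a fresh `testAMIConfig()` per case would keep the two independent. The key id literal has the shape of a real KMS key UUID; if it was copied from an account, an obviously constructed value would be a safer fixture.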