Merge pull request #4584 from mitchellh/chrootbootencrypt

builder/amazon-chroot: support encrypted boot volume
2017-02-26 17:55:31 -08:00 · 2017-02-26 17:55:31 -08:00 · bbc6d402ce
parent ed95c4b5c2 1351a9ce1a
commit bbc6d402ce
5 changed files with 32 additions and 22 deletions
--- a/builder/amazon/chroot/builder.go
+++ b/builder/amazon/chroot/builder.go
@ -254,6 +254,11 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 		&StepRegisterAMI{
 			RootVolumeSize: b.config.RootVolumeSize,
 		},
+		&awscommon.StepCreateEncryptedAMICopy{
+			KeyID:             b.config.AMIKmsKeyId,
+			EncryptBootVolume: b.config.AMIEncryptBootVolume,
+			Name:              b.config.AMIName,
+		},
 		&awscommon.StepAMIRegionCopy{
 			AccessConfig: &b.config.AccessConfig,
 			Regions:      b.config.AMIRegions,
--- a/builder/amazon/common/step_encrypted_ami.go
+++ b/builder/amazon/common/step_encrypted_ami.go
@ -1,4 +1,4 @@
-package ebs
+package common

 import (
 	"fmt"
@ -7,22 +7,23 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/mitchellh/multistep"
-	awscommon "github.com/mitchellh/packer/builder/amazon/common"
 	"github.com/mitchellh/packer/packer"
 )

-type stepCreateEncryptedAMICopy struct {
-	image *ec2.Image
+type StepCreateEncryptedAMICopy struct {
+	image             *ec2.Image
+	KeyID             string
+	EncryptBootVolume bool
+	Name              string
 }

-func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.StepAction {
-	config := state.Get("config").(Config)
+func (s *StepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.StepAction {
 	ec2conn := state.Get("ec2").(*ec2.EC2)
 	ui := state.Get("ui").(packer.Ui)
-	kmsKeyId := config.AMIConfig.AMIKmsKeyId
+	kmsKeyId := s.KeyID

 	// Encrypt boot not set, so skip step
-	if !config.AMIConfig.AMIEncryptBootVolume {
+	if !s.EncryptBootVolume {
 		if kmsKeyId != "" {
 			log.Printf(fmt.Sprintf("Ignoring KMS Key ID: %s, encrypted=false", kmsKeyId))
 		}
@ -46,7 +47,7 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
 	}

 	copyOpts := &ec2.CopyImageInput{
-		Name:          &config.AMIName, // Try to overwrite existing AMI
+		Name:          &s.Name, // Try to overwrite existing AMI
 		SourceImageId: aws.String(id),
 		SourceRegion:  aws.String(region),
 		Encrypted:     aws.Bool(true),
@ -62,15 +63,15 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
 	}

 	// Wait for the copy to become ready
-	stateChange := awscommon.StateChangeConf{
+	stateChange := StateChangeConf{
 		Pending:   []string{"pending"},
 		Target:    "available",
-		Refresh:   awscommon.AMIStateRefreshFunc(ec2conn, *copyResp.ImageId),
+		Refresh:   AMIStateRefreshFunc(ec2conn, *copyResp.ImageId),
 		StepState: state,
 	}

 	ui.Say("Waiting for AMI copy to become ready...")
-	if _, err := awscommon.WaitForState(&stateChange); err != nil {
+	if _, err := WaitForState(&stateChange); err != nil {
 		err := fmt.Errorf("Error waiting for AMI Copy: %s", err)
 		state.Put("error", err)
 		ui.Error(err.Error())
@ -146,7 +147,7 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
 	return multistep.ActionContinue
 }

-func (s *stepCreateEncryptedAMICopy) Cleanup(state multistep.StateBag) {
+func (s *StepCreateEncryptedAMICopy) Cleanup(state multistep.StateBag) {
 	if s.image == nil {
 		return
 	}
--- a/builder/amazon/ebs/builder.go
+++ b/builder/amazon/ebs/builder.go
@ -182,7 +182,11 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			AMIName:             b.config.AMIName,
 		},
 		&stepCreateAMI{},
-		&stepCreateEncryptedAMICopy{},
+		&awscommon.StepCreateEncryptedAMICopy{
+			KeyID:             b.config.AMIKmsKeyId,
+			EncryptBootVolume: b.config.AMIEncryptBootVolume,
+			Name:              b.config.AMIName,
+		},
 		&awscommon.StepAMIRegionCopy{
 			AccessConfig: &b.config.AccessConfig,
 			Regions:      b.config.AMIRegions,
--- a/website/source/docs/builders/amazon-chroot.html.md
+++ b/website/source/docs/builders/amazon-chroot.html.md
@ -131,6 +131,14 @@ each category, the available configuration keys are alphabetized.
 -   `force_delete_snapshot` (boolean) - Force Packer to delete snapshots associated with
    AMIs, which have been deregistered by `force_deregister`. Default `false`.

+-   `encrypt_boot` (boolean) - Instruct packer to automatically create a copy of the
+    AMI with an encrypted boot volume (discarding the initial unencrypted AMI in the
+    process). Default `false`.
+
+-   `kms_key_id` (string) - The ID of the KMS key to use for boot volume encryption.
+    This only applies to the main `region`, other regions where the AMI will be copied
+    will be encrypted by the default EBS KMS key.
+
 -   `from_scratch` (boolean) - Build a new volume instead of starting from an
    existing AMI root volume snapshot. Default `false`. If true, `source_ami` is
    no longer used and the following options become required:
--- a/website/source/docs/builders/amazon-ebssurrogate.html.md
+++ b/website/source/docs/builders/amazon-ebssurrogate.html.md
@ -163,14 +163,6 @@ builder.
 -   `force_delete_snapshot` (boolean) - Force Packer to delete snapshots associated with
    AMIs, which have been deregistered by `force_deregister`. Default `false`.

-   `encrypt_boot` (boolean) - Instruct packer to automatically create a copy of the
-    AMI with an encrypted boot volume (discarding the initial unencrypted AMI in the
-    process). Default `false`.
-
-   `kms_key_id` (string) - The ID of the KMS key to use for boot volume encryption.
-    This only applies to the main `region`, other regions where the AMI will be copied
-    will be encrypted by the default EBS KMS key.
-
 -   `iam_instance_profile` (string) - The name of an [IAM instance
    profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/instance-profiles.html)
    to launch the EC2 instance with.