throw error if encrypted ami is shared

builder/amazon/common/ami_config.go

@@ -55,6 +55,10 @@ func (c *AMIConfig) Prepare(ctx *interpolate.Context) []error {
 		c.AMIRegions = regions
 	}
 
+	if len(c.AMIUsers) > 0 && c.AMIEncryptBootVolume {
+		errs = append(errs, fmt.Errorf("Cannot share AMI with encrypted boot volume"))
+	}
+
 	if len(errs) > 0 {
 		return errs
 	}

builder/amazon/common/ami_config_test.go

@@ -58,3 +58,12 @@ func TestAMIConfigPrepare_regions(t *testing.T) {
 	c.AMISkipRegionValidation = false
 
 }
+
+func TestAMIConfigPrepare_EncryptBoot(t *testing.T) {
+	c := testAMIConfig()
+	c.AMIUsers = []string{"testAccountID"}
+	c.AMIEncryptBootVolume = true
+	if err := c.Prepare(nil); err == nil {
+		t.Fatal("should have error")
+	}
+}