Merge pull request #3382 from ahamidi/encrypted-boot-volume

Create AMI with encrypted boot volume
2016-10-02 01:02:43 +02:00 · 2016-10-02 01:02:43 +02:00 · cffc8e892c
parent 75333ee625 c6a527dc46
commit cffc8e892c
6 changed files with 220 additions and 0 deletions
--- a/builder/amazon/common/ami_config.go
+++ b/builder/amazon/common/ami_config.go
@ -19,6 +19,7 @@ type AMIConfig struct {
 	AMITags                 map[string]string `mapstructure:"tags"`
 	AMIEnhancedNetworking   bool              `mapstructure:"enhanced_networking"`
 	AMIForceDeregister      bool              `mapstructure:"force_deregister"`
+	AMIEncryptBootVolume    bool              `mapstructure:"encrypt_boot"`
 }

 func (c *AMIConfig) Prepare(ctx *interpolate.Context) []error {
@ -54,6 +55,10 @@ func (c *AMIConfig) Prepare(ctx *interpolate.Context) []error {
 		c.AMIRegions = regions
 	}

+	if len(c.AMIUsers) > 0 && c.AMIEncryptBootVolume {
+		errs = append(errs, fmt.Errorf("Cannot share AMI with encrypted boot volume"))
+	}
+
 	if len(errs) > 0 {
 		return errs
 	}
--- a/builder/amazon/common/ami_config_test.go
+++ b/builder/amazon/common/ami_config_test.go
@ -58,3 +58,12 @@ func TestAMIConfigPrepare_regions(t *testing.T) {
 	c.AMISkipRegionValidation = false

 }
+
+func TestAMIConfigPrepare_EncryptBoot(t *testing.T) {
+	c := testAMIConfig()
+	c.AMIUsers = []string{"testAccountID"}
+	c.AMIEncryptBootVolume = true
+	if err := c.Prepare(nil); err == nil {
+		t.Fatal("should have error")
+	}
+}
--- a/builder/amazon/ebs/builder.go
+++ b/builder/amazon/ebs/builder.go
@ -162,6 +162,7 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			AMIName:         b.config.AMIName,
 		},
 		&stepCreateAMI{},
+		&stepCreateEncryptedAMICopy{},
 		&awscommon.StepAMIRegionCopy{
 			AccessConfig: &b.config.AccessConfig,
 			Regions:      b.config.AMIRegions,
--- a/builder/amazon/ebs/builder_acc_test.go
+++ b/builder/amazon/ebs/builder_acc_test.go
@ -55,6 +55,15 @@ func TestBuilderAcc_amiSharing(t *testing.T) {
 	})
 }

+func TestBuilderAcc_encryptedBoot(t *testing.T) {
+	builderT.Test(t, builderT.TestCase{
+		PreCheck: func() { testAccPreCheck(t) },
+		Builder:  &Builder{},
+		Template: testBuilderAccEncrypted,
+		Check:    checkBootEncrypted(),
+	})
+}
+
 func checkAMISharing(count int, uid, group string) builderT.TestCheckFunc {
 	return func(artifacts []packer.Artifact) error {
 		if len(artifacts) > 1 {
@ -144,6 +153,42 @@ func checkRegionCopy(regions []string) builderT.TestCheckFunc {
 	}
 }

+func checkBootEncrypted() builderT.TestCheckFunc {
+	return func(artifacts []packer.Artifact) error {
+
+		// Get the actual *Artifact pointer so we can access the AMIs directly
+		artifactRaw := artifacts[0]
+		artifact, ok := artifactRaw.(*common.Artifact)
+		if !ok {
+			return fmt.Errorf("unknown artifact: %#v", artifactRaw)
+		}
+
+		// describe the image, get block devices with a snapshot
+		ec2conn, _ := testEC2Conn()
+		imageResp, err := ec2conn.DescribeImages(&ec2.DescribeImagesInput{
+			ImageIds: []*string{aws.String(artifact.Amis["us-east-1"])},
+		})
+
+		if err != nil {
+			return fmt.Errorf("Error retrieving Image Attributes for AMI (%s) in AMI Encrypted Boot Test: %s", artifact, err)
+		}
+
+		image := imageResp.Images[0] // Only requested a single AMI ID
+
+		rootDeviceName := image.RootDeviceName
+
+		for _, bd := range image.BlockDeviceMappings {
+			if *bd.DeviceName == *rootDeviceName {
+				if *bd.Ebs.Encrypted != true {
+					return fmt.Errorf("volume not encrypted: %s", *bd.Ebs.SnapshotId)
+				}
+			}
+		}
+
+		return nil
+	}
+}
+
 func testAccPreCheck(t *testing.T) {
 	if v := os.Getenv("AWS_ACCESS_KEY_ID"); v == "" {
 		t.Fatal("AWS_ACCESS_KEY_ID must be set for acceptance tests")
@ -222,6 +267,20 @@ const testBuilderAccSharing = `
 }
 `

+const testBuilderAccEncrypted = `
+{
+	"builders": [{
+		"type": "test",
+		"region": "us-east-1",
+		"instance_type": "m3.medium",
+		"source_ami":"ami-c15bebaa",
+		"ssh_username": "ubuntu",
+		"ami_name": "packer-enc-test {{timestamp}}",
+		"encrypt_boot": true 
+	}]
+}
+`
+
 func buildForceDeregisterConfig(name, flag string) string {
 	return fmt.Sprintf(testBuilderAccForceDeregister, name, flag)
 }
--- a/builder/amazon/ebs/step_encrypted_ami.go
+++ b/builder/amazon/ebs/step_encrypted_ami.go
@ -0,0 +1,142 @@
+package ebs
+
+import (
+	"fmt"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/mitchellh/multistep"
+	awscommon "github.com/mitchellh/packer/builder/amazon/common"
+	"github.com/mitchellh/packer/packer"
+)
+
+type stepCreateEncryptedAMICopy struct {
+	image *ec2.Image
+}
+
+func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.StepAction {
+	config := state.Get("config").(Config)
+	ec2conn := state.Get("ec2").(*ec2.EC2)
+	ui := state.Get("ui").(packer.Ui)
+
+	// Encrypt boot not set, so skip step
+	if !config.AMIConfig.AMIEncryptBootVolume {
+		return multistep.ActionContinue
+	}
+
+	ui.Say("Creating Encrypted AMI Copy")
+
+	amis := state.Get("amis").(map[string]string)
+	var region, id string
+	if amis != nil {
+		for region, id = range amis {
+			break // Only get the first
+		}
+	}
+
+	ui.Say(fmt.Sprintf("Copying AMI: %s(%s)", region, id))
+
+	copyOpts := &ec2.CopyImageInput{
+		Name:          &config.AMIName, // Try to overwrite existing AMI
+		SourceImageId: aws.String(id),
+		SourceRegion:  aws.String(region),
+		Encrypted:     aws.Bool(true),
+	}
+
+	copyResp, err := ec2conn.CopyImage(copyOpts)
+	if err != nil {
+		err := fmt.Errorf("Error copying AMI: %s", err)
+		state.Put("error", err)
+		ui.Error(err.Error())
+		return multistep.ActionHalt
+	}
+
+	// Wait for the copy to become ready
+	stateChange := awscommon.StateChangeConf{
+		Pending:   []string{"pending"},
+		Target:    "available",
+		Refresh:   awscommon.AMIStateRefreshFunc(ec2conn, *copyResp.ImageId),
+		StepState: state,
+	}
+
+	ui.Say("Waiting for AMI copy to become ready...")
+	if _, err := awscommon.WaitForState(&stateChange); err != nil {
+		err := fmt.Errorf("Error waiting for AMI Copy: %s", err)
+		state.Put("error", err)
+		ui.Error(err.Error())
+		return multistep.ActionHalt
+	}
+
+	// Get the unencrypted AMI image
+	unencImagesResp, err := ec2conn.DescribeImages(&ec2.DescribeImagesInput{ImageIds: []*string{aws.String(id)}})
+	if err != nil {
+		err := fmt.Errorf("Error searching for AMI: %s", err)
+		state.Put("error", err)
+		ui.Error(err.Error())
+		return multistep.ActionHalt
+	}
+	unencImage := unencImagesResp.Images[0]
+
+	// Remove unencrypted AMI
+	ui.Say("Deregistering unecrypted AMI")
+	deregisterOpts := &ec2.DeregisterImageInput{ImageId: aws.String(id)}
+	if _, err := ec2conn.DeregisterImage(deregisterOpts); err != nil {
+		ui.Error(fmt.Sprintf("Error deregistering AMI, may still be around: %s", err))
+		return multistep.ActionHalt
+	}
+
+	// Remove associated unencrypted snapshot(s)
+	ui.Say("Deleting unencrypted snapshots")
+
+	for _, blockDevice := range unencImage.BlockDeviceMappings {
+		if blockDevice.Ebs != nil {
+			if blockDevice.Ebs.SnapshotId != nil {
+				ui.Message(fmt.Sprintf("Snapshot ID: %s", *blockDevice.Ebs.SnapshotId))
+				deleteSnapOpts := &ec2.DeleteSnapshotInput{
+					SnapshotId: aws.String(*blockDevice.Ebs.SnapshotId),
+				}
+				if _, err := ec2conn.DeleteSnapshot(deleteSnapOpts); err != nil {
+					ui.Error(fmt.Sprintf("Error deleting snapshot, may still be around: %s", err))
+					return multistep.ActionHalt
+				}
+			}
+		}
+	}
+
+	// Replace original AMI ID with Encrypted ID in state
+	amis[region] = *copyResp.ImageId
+	state.Put("amis", amis)
+
+	imagesResp, err := ec2conn.DescribeImages(&ec2.DescribeImagesInput{ImageIds: []*string{copyResp.ImageId}})
+	if err != nil {
+		err := fmt.Errorf("Error searching for AMI: %s", err)
+		state.Put("error", err)
+		ui.Error(err.Error())
+		return multistep.ActionHalt
+	}
+	s.image = imagesResp.Images[0]
+
+	return multistep.ActionContinue
+}
+
+func (s *stepCreateEncryptedAMICopy) Cleanup(state multistep.StateBag) {
+	if s.image == nil {
+		return
+	}
+
+	_, cancelled := state.GetOk(multistep.StateCancelled)
+	_, halted := state.GetOk(multistep.StateHalted)
+	if !cancelled && !halted {
+		return
+	}
+
+	ec2conn := state.Get("ec2").(*ec2.EC2)
+	ui := state.Get("ui").(packer.Ui)
+
+	ui.Say("Deregistering the AMI because cancelation or error...")
+	deregisterOpts := &ec2.DeregisterImageInput{ImageId: s.image.ImageId}
+	if _, err := ec2conn.DeregisterImage(deregisterOpts); err != nil {
+		ui.Error(fmt.Sprintf("Error deregistering AMI, may still be around: %s", err))
+		return
+	}
+}
--- a/website/source/docs/builders/amazon-ebs.html.md
+++ b/website/source/docs/builders/amazon-ebs.html.md
@ -144,6 +144,10 @@ builder.
 -   `force_deregister` (boolean) - Force Packer to first deregister an existing
    AMI if one with the same name already exists. Default `false`.

+-   `encrypt_boot` (boolean) - Instruct packer to automatically create a copy of the
+    AMI with an encrypted boot volume (discarding the initial unencrypted AMI in the
+    process). Default `false`.
+
 -   `iam_instance_profile` (string) - The name of an [IAM instance
    profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/instance-profiles.html)
    to launch the EC2 instance with.