It's not possible to share encrypted AMI's

builder/amazon/common/ami_config.go

@@ -58,8 +58,8 @@ func (c *AMIConfig) Prepare(ctx *interpolate.Context) []error {
 		c.AMIRegions = regions
 	}
 
-	if len(c.AMIUsers) > 0 && len(c.AMIKmsKeyId) == 0 && c.AMIEncryptBootVolume {
-		errs = append(errs, fmt.Errorf("Cannot share AMI with encrypted boot volume unless kms_key_id is provided"))
+	if len(c.AMIUsers) > 0 && c.AMIEncryptBootVolume {
+		errs = append(errs, fmt.Errorf("Cannot share AMI with encrypted boot volume"))
 	}
 
 	if len(errs) > 0 {

builder/amazon/common/ami_config_test.go

@@ -66,11 +66,11 @@ func TestAMIConfigPrepare_Share_EncryptedBoot(t *testing.T) {
 
 	c.AMIKmsKeyId = ""
 	if err := c.Prepare(nil); err == nil {
-		t.Fatal("shouldn't be able to share ami with encrypted boot volume unless kms_key_id is provided")
+		t.Fatal("shouldn't be able to share ami with encrypted boot volume")
 	}
 
 	c.AMIKmsKeyId = "89c3fb9a-de87-4f2a-aedc-fddc5138193c"
-	if err := c.Prepare(nil); err != nil {
-		t.Fatal("should be able to share ami with encrypted boot volume if kms_key_id is provided")
+	if err := c.Prepare(nil); err == nil {
+		t.Fatal("shouldn't be able to share ami with encrypted boot volume")
 	}
 }

builder/amazon/ebs/step_encrypted_ami.go

@@ -2,6 +2,7 @@ package ebs
 
 import (
 	"fmt"
+	"log"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
@@ -23,7 +24,7 @@ func (s *stepCreateEncryptedAMICopy) Run(state multistep.StateBag) multistep.Ste
 	// Encrypt boot not set, so skip step
 	if !config.AMIConfig.AMIEncryptBootVolume {
 		if kmsKeyId != "" {
-			ui.Say(fmt.Sprintf("Ignoring KMS Key ID: %s, encrypted=false", kmsKeyId))
+			log.Printf(fmt.Sprintf("Ignoring KMS Key ID: %s, encrypted=false", kmsKeyId))
 		}
 		return multistep.ActionContinue
 	}