Merge pull request #7551 from krzyszko/gcp_encryption_key

Googlecompute builder image encryption support
2019-05-07 15:59:59 -07:00 · 2019-05-07 15:59:59 -07:00 · fdae14bc18
commit fdae14bc18
parent 01a27e4f37 e96bda6466
8 changed files with 84 additions and 46 deletions
--- a/builder/googlecompute/config.go
+++ b/builder/googlecompute/config.go
@ -13,6 +13,7 @@ import (
 	"github.com/hashicorp/packer/helper/config"
 	"github.com/hashicorp/packer/packer"
 	"github.com/hashicorp/packer/template/interpolate"
+	compute "google.golang.org/api/compute/v1"
 )

 var reImageFamily = regexp.MustCompile(`^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$`)
@ -36,6 +37,7 @@ type Config struct {
 	DiskType                     string                         `mapstructure:"disk_type"`
 	ImageName                    string                         `mapstructure:"image_name"`
 	ImageDescription             string                         `mapstructure:"image_description"`
+	ImageEncryptionKey           *compute.CustomerEncryptionKey `mapstructure:"image_encryption_key"`
 	ImageFamily                  string                         `mapstructure:"image_family"`
 	ImageLabels                  map[string]string              `mapstructure:"image_labels"`
 	ImageLicenses                []string                       `mapstructure:"image_licenses"`
--- a/builder/googlecompute/config_test.go
+++ b/builder/googlecompute/config_test.go
@ -156,6 +156,21 @@ func TestConfigPrepare(t *testing.T) {
 			"foo bar",
 			true,
 		},
+		{
+			"image_encryption_key",
+			map[string]string{"kmsKeyName": "foo"},
+			false,
+		},
+		{
+			"image_encryption_key",
+			map[string]string{"No such key": "foo"},
+			true,
+		},
+		{
+			"image_encryption_key",
+			map[string]string{"kmsKeyName": "foo", "RawKey": "foo"},
+			false,
+		},
 		{
 			"scopes",
 			[]string{},
--- a/builder/googlecompute/driver.go
+++ b/builder/googlecompute/driver.go
@ -3,6 +3,8 @@ package googlecompute
 import (
 	"crypto/rsa"
 	"time"
+
+	compute "google.golang.org/api/compute/v1"
 )

 // Driver is the interface that has to be implemented to communicate
@ -11,7 +13,7 @@ import (
 type Driver interface {
 	// CreateImage creates an image from the given disk in Google Compute
 	// Engine.
-	CreateImage(name, description, family, zone, disk string, image_labels map[string]string, image_licenses []string) (<-chan *Image, <-chan error)
+	CreateImage(name, description, family, zone, disk string, image_labels map[string]string, image_licenses []string, image_encryption_key *compute.CustomerEncryptionKey) (<-chan *Image, <-chan error)

 	// DeleteImage deletes the image with the given name.
 	DeleteImage(name string) <-chan error
--- a/builder/googlecompute/driver_gce.go
+++ b/builder/googlecompute/driver_gce.go
@ -104,13 +104,14 @@ func NewDriverGCE(ui packer.Ui, p string, a *AccountFile) (Driver, error) {
 	}, nil
 }

-func (d *driverGCE) CreateImage(name, description, family, zone, disk string, image_labels map[string]string, image_licenses []string) (<-chan *Image, <-chan error) {
+func (d *driverGCE) CreateImage(name, description, family, zone, disk string, image_labels map[string]string, image_licenses []string, image_encryption_key *compute.CustomerEncryptionKey) (<-chan *Image, <-chan error) {
 	gce_image := &compute.Image{
 		Description:        description,
 		Name:               name,
 		Family:             family,
 		Labels:             image_labels,
 		Licenses:           image_licenses,
+		ImageEncryptionKey: image_encryption_key,
 		SourceDisk:         fmt.Sprintf("%s%s/zones/%s/disks/%s", d.service.BasePath, d.projectId, zone, disk),
 		SourceType:         "RAW",
 	}
--- a/builder/googlecompute/driver_mock.go
+++ b/builder/googlecompute/driver_mock.go
@ -1,6 +1,10 @@
 package googlecompute

-import "fmt"
+import (
+	"fmt"
+
+	compute "google.golang.org/api/compute/v1"
+)

 // DriverMock is a Driver implementation that is a mocked out so that
 // it can be used for tests.
@ -8,6 +12,7 @@ type DriverMock struct {
 	CreateImageName            string
 	CreateImageDesc            string
 	CreateImageFamily          string
+	CreateImageEncryptionKey   *compute.CustomerEncryptionKey
 	CreateImageLabels          map[string]string
 	CreateImageLicenses        []string
 	CreateImageZone            string
@ -82,7 +87,7 @@ type DriverMock struct {
 	WaitForInstanceErrCh <-chan error
 }

-func (d *DriverMock) CreateImage(name, description, family, zone, disk string, image_labels map[string]string, image_licenses []string) (<-chan *Image, <-chan error) {
+func (d *DriverMock) CreateImage(name, description, family, zone, disk string, image_labels map[string]string, image_licenses []string, image_encryption_key *compute.CustomerEncryptionKey) (<-chan *Image, <-chan error) {
 	d.CreateImageName = name
 	d.CreateImageDesc = description
 	d.CreateImageFamily = family
@ -90,6 +95,7 @@ func (d *DriverMock) CreateImage(name, description, family, zone, disk string, i
 	d.CreateImageLicenses = image_licenses
 	d.CreateImageZone = zone
 	d.CreateImageDisk = disk
+	d.CreateImageEncryptionKey = image_encryption_key
 	if d.CreateImageResultProjectId == "" {
 		d.CreateImageResultProjectId = "test"
 	}
--- a/builder/googlecompute/step_create_image.go
+++ b/builder/googlecompute/step_create_image.go
@ -40,7 +40,7 @@ func (s *StepCreateImage) Run(ctx context.Context, state multistep.StateBag) mul

 	imageCh, errCh := driver.CreateImage(
 		config.ImageName, config.ImageDescription, config.ImageFamily, config.Zone,
-		config.DiskName, config.ImageLabels, config.ImageLicenses)
+		config.DiskName, config.ImageLabels, config.ImageLicenses, config.ImageEncryptionKey)
 	var err error
 	select {
 	case err = <-errCh:
--- a/builder/googlecompute/step_create_image_test.go
+++ b/builder/googlecompute/step_create_image_test.go
@ -47,6 +47,7 @@ func TestStepCreateImage(t *testing.T) {
 	assert.Equal(t, d.CreateImageDisk, c.DiskName, "Incorrect disk passed to driver.")
 	assert.Equal(t, d.CreateImageLabels, c.ImageLabels, "Incorrect image_labels passed to driver.")
 	assert.Equal(t, d.CreateImageLicenses, c.ImageLicenses, "Incorrect image_licenses passed to driver.")
+	assert.Equal(t, d.CreateImageEncryptionKey, c.ImageEncryptionKey, "Incorrect image_encryption_key passed to driver.")
 }

 func TestStepCreateImage_errorOnChannel(t *testing.T) {
--- a/website/source/docs/builders/googlecompute.html.md
+++ b/website/source/docs/builders/googlecompute.html.md
@ -270,6 +270,17 @@ builder.
 -   `image_name` (string) - The unique name of the resulting image. Defaults to
    `"packer-{{timestamp}}"`.

+-   `image_encryption_key` (object of encryption key) - Image encryption key to apply to the created image. Possible values:
+    * kmsKeyName -  The name of the encryption key that is stored in Google Cloud KMS.
+    * RawKey: - A 256-bit customer-supplied encryption key, encodes in RFC 4648 base64.
+
+    example: 
+    ``` json
+    {
+      "kmsKeyName": "projects/${project}/locations/${region}/keyRings/computeEngine/cryptoKeys/computeEngine/cryptoKeyVersions/4"
+    }
+    ```
+
 -   `instance_name` (string) - A name to give the launched instance. Beware
    that this must be unique. Defaults to `"packer-{{uuid}}"`.