packer-plugin-amazon
Incorrect config validation - `If you have set either region_kms_key_ids or kms_key_id, encrypt_boot must also be true.`
Overview of the Issue / Reproduction steps
Incorrect config validation prevents use of the most efficient build behaviour.

Suppose you want to:

- Create an encrypted AMI...
- ... and do so most efficiently, by using `launch_block_device_mappings` to launch the build instance encrypted initially, rather than performing a copy/encrypt operation to apply encryption after building an unencrypted AMI first...
- ... but you also want the final AMI to be copied to other regions using specified keys
The plugin rejects such a configuration with the message:
If you have set either region_kms_key_ids or kms_key_id, encrypt_boot must also be true.
I don't think this is correct. The technique of encrypting via `launch_block_device_mappings` is documented at https://developer.hashicorp.com/packer/integrations/hashicorp/amazon/latest/components/builder/ebs within the documentation for `kms_key_id`:

> If you have a custom kms key you'd like to apply to the launch volume, and are only building in one region, it is more efficient to leave this and encrypt_boot empty and to instead set the key id in the launch_block_device_mappings (you can find an example below). This saves potentially many minutes at the end of the build by preventing Packer from having to copy and re-encrypt the image at the end of the build.

Just because I've specified `region_kms_key_ids` to customize the keys to be used for the copy to `ami_regions` shouldn't prevent me from using this build technique.
Simplified Packer Buildfile
```hcl
packer {
  required_plugins {
    amazon = {
      version = "~> 1.0"
      source  = "github.com/hashicorp/amazon"
    }
  }
}

variable "build_region" {
  type    = string
  default = "eu-west-2"
}

variable "distribution_regions" {
  type = list(string)
  default = [
    "eu-west-1",
  ]
}

variable "kms_key_id" {
  type    = string
  default = "mrk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}

source "amazon-ebs" "debian" {
  ami_name   = "my-ami-{{timestamp}}"
  region     = var.build_region
  kms_key_id = var.kms_key_id

  # Copy the finished AMI to each distribution region, using the given key there.
  ami_regions        = var.distribution_regions
  region_kms_key_ids = { for region in var.distribution_regions : region => var.kms_key_id }

  instance_type = "t3.2xlarge"

  # Root volume of the build instance.
  launch_block_device_mappings {
    device_name           = "/dev/xvda"
    volume_size           = 8
    volume_type           = "gp3"
    delete_on_termination = true
  }

  source_ami_filter {
    filters = {
      name                = "debian-12-amd64-*"
      root-device-type    = "ebs"
      virtualization-type = "hvm"
      architecture        = "x86_64"
    }
    most_recent = true
    owners      = ["136693071363"] # https://wiki.debian.org/Cloud/AmazonEC2Image
  }

  ssh_username = "admin"
}

build {
  sources = ["source.amazon-ebs.debian"]
}
```
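To make the validation argument concrete, here is an added Go model of the rule as the reporter hit it next to the relaxation the issue asks for. This is example code written for this page, not the reporter's buildfile and not the plugin's own `Prepare` logic; the `AMIConfig` and `BlockDeviceMapping` structs, the `ValidateCurrent` and `ValidateProposed` functions and the `mrk-000...` key id are all hypothetical. The sample config follows the form the quoted docs recommend (key on the launch volume, no top-level `kms_key_id` or `encrypt_boot`) plus `region_kms_key_ids` for the cross-region copies; it also runs the two rules over the plain `encrypt_boot` case and over a config with no encryption source at all, which the issue does not discuss.

```go
package main

import (
	"errors"
	"fmt"
)

// BlockDeviceMapping models the fields of one launch_block_device_mappings
// entry that matter here (hypothetical struct, not the plugin's type).
type BlockDeviceMapping struct {
	DeviceName string
	Encrypted  bool
	KmsKeyID   string
}

// AMIConfig models the subset of amazon-ebs source settings that the
// rejected validation rule looks at (hypothetical struct, not the plugin's type).
type AMIConfig struct {
	EncryptBoot        bool
	KmsKeyID           string
	RegionKmsKeyIDs    map[string]string
	LaunchBlockDevices []BlockDeviceMapping
}

// ErrEncryptBootRequired carries the message the reporter saw.
var ErrEncryptBootRequired = errors.New("If you have set either region_kms_key_ids or kms_key_id, encrypt_boot must also be true.")

// ValidateCurrent models the rule as observed: any KMS key setting without
// encrypt_boot is rejected, no matter how the launch volume is encrypted.
func ValidateCurrent(c AMIConfig) error {
	if (c.KmsKeyID != "" || len(c.RegionKmsKeyIDs) > 0) && !c.EncryptBoot {
		return ErrEncryptBootRequired
	}
	return nil
}

// launchVolumeEncrypted reports whether a launch_block_device_mappings entry
// asks EC2 to encrypt the volume at launch, i.e. the technique the docs
// quoted in the issue describe.
func launchVolumeEncrypted(c AMIConfig) bool {
	for _, m := range c.LaunchBlockDevices {
		if m.Encrypted || m.KmsKeyID != "" {
			return true
		}
	}
	return false
}

// ValidateProposed models the relaxation the issue argues for: region_kms_key_ids
// is accepted whenever the AMI will be encrypted, either by encrypt_boot or by an
// encrypted launch volume. A top-level kms_key_id still requires encrypt_boot,
// because it only takes effect during the copy/re-encrypt step.
func ValidateProposed(c AMIConfig) error {
	if c.KmsKeyID != "" && !c.EncryptBoot {
		return ErrEncryptBootRequired
	}
	if len(c.RegionKmsKeyIDs) > 0 && !c.EncryptBoot && !launchVolumeEncrypted(c) {
		return errors.New("region_kms_key_ids requires an encrypted AMI: set encrypt_boot, or encrypt the root volume in launch_block_device_mappings")
	}
	return nil
}

// EfficientConfig is the reporter's scenario written the way the docs
// recommend: key on the launch volume, no top-level kms_key_id or encrypt_boot,
// region_kms_key_ids for the cross-region copies. Constructed sample; the key
// id is a placeholder.
func EfficientConfig() AMIConfig {
	key := "mrk-00000000000000000000000000000000"
	return AMIConfig{
		RegionKmsKeyIDs: map[string]string{"eu-west-1": key},
		LaunchBlockDevices: []BlockDeviceMapping{
			{DeviceName: "/dev/xvda", Encrypted: true, KmsKeyID: key},
		},
	}
}

func main() {
	cfg := EfficientConfig()
	fmt.Println("current rule :", ValidateCurrent(cfg))
	fmt.Println("proposed rule:", ValidateProposed(cfg))
}
```

Note that the proposed rule still rejects a config that sets a top-level `kms_key_id` without `encrypt_boot`, and one that sets `region_kms_key_ids` with no encryption source at all: the relaxation only covers the case where the root volume is already encrypted at launch.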