Incorrect config validation - If you have set either region_kms_key_ids or kms_key_id, encrypt_boot must also be true. #496

Open
maxb opened this issue Jul 30, 2024 · 0 comments
maxb commented Jul 30, 2024

Overview of the Issue / Reproduction steps

Incorrect config validation prevents use of the most efficient build behaviour.

Suppose you want to:

  • Create an encrypted AMI...
  • ... and do so most efficiently, by using launch_block_device_mappings to launch the build instance encrypted initially, rather than performing a copy/encrypt operation to apply encryption after building an unencrypted AMI first...
  • ... but you also want the final AMI to be copied to other regions using specified keys

The plugin rejects such a configuration with the message:

If you have set either region_kms_key_ids or kms_key_id, encrypt_boot must also be true.

I don't think this is correct. The technique of encrypting via launch_block_device_mappings is documented at https://developer.hashicorp.com/packer/integrations/hashicorp/amazon/latest/components/builder/ebs within the documentation for kms_key_id:

If you have a custom kms key you'd like to apply to the launch volume, and are only building in one region, it is more efficient to leave this and encrypt_boot empty and to instead set the key id in the launch_block_device_mappings (you can find an example below). This saves potentially many minutes at the end of the build by preventing Packer from having to copy and re-encrypt the image at the end of the build.

Just because I've specified region_kms_key_ids to customize the keys to be used for the copy to ami_regions shouldn't prevent me from using this build technique.

Simplified Packer Buildfile

packer {
  required_plugins {
    amazon = {
      version = "~> 1.0"
      source  = "github.com/hashicorp/amazon"
    }
  }
}

variable "build_region" {
  type    = string
  default = "eu-west-2"
}

variable "distribution_regions" {
  type = list(string)
  default = [
    "eu-west-1",
  ]
}

variable "kms_key_id" {
  type    = string
  default = "mrk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}

source "amazon-ebs" "debian" {
  ami_name           = "my-ami-{{timestamp}}"
  region             = var.build_region
  # Custom keys for the build region and for each copy region; with
  # encrypt_boot left unset, these two settings trigger the quoted error.
  kms_key_id         = var.kms_key_id
  ami_regions        = var.distribution_regions
  region_kms_key_ids = { for region in var.distribution_regions : region => var.kms_key_id }
  instance_type      = "t3.2xlarge"
  # Root volume of the build instance (the place where the docs suggest
  # applying encryption at launch instead of copy/re-encrypt afterwards).
  launch_block_device_mappings {
    device_name           = "/dev/xvda"
    volume_size           = 8
    volume_type           = "gp3"
    delete_on_termination = true
  }
  source_ami_filter {
    filters = {
      name                = "debian-12-amd64-*"
      root-device-type    = "ebs"
      virtualization-type = "hvm"
      architecture        = "x86_64"
    }
    most_recent = true
    owners      = ["136693071363"] # https://wiki.debian.org/Cloud/AmazonEC2Image
  }
  ssh_username = "admin"
}

build {
  sources = ["source.amazon-ebs.debian"]
}
@maxb maxb added the bug label Jul 30, 2024
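To make the disputed rule concrete, here is an added model of the validation as the issue describes it next to the relaxed rule the report argues for (example code written for this page, not the amazon plugin's own implementation). The dataclass field names mirror the amazon-ebs builder options; the per-region key check at the end is an assumed extra safeguard, not something the issue states.

```python
from __future__ import annotations
from dataclasses import dataclass, field

PLUGIN_ERROR = "If you have set either region_kms_key_ids or kms_key_id, encrypt_boot must also be true."

@dataclass
class LaunchBlockDeviceMapping:
    device_name: str
    encrypted: bool = False
    kms_key_id: str | None = None

@dataclass
class AmazonEbsSource:  # names mirror the amazon-ebs builder options
    region: str
    encrypt_boot: bool = False
    kms_key_id: str | None = None
    ami_regions: list[str] = field(default_factory=list)
    region_kms_key_ids: dict[str, str] = field(default_factory=dict)
    launch_block_device_mappings: list[LaunchBlockDeviceMapping] = field(default_factory=list)

def keys_requested(src: AmazonEbsSource) -> bool:
    return bool(src.kms_key_id) or bool(src.region_kms_key_ids)

def encrypted_at_launch(src: AmazonEbsSource) -> bool:
    # The documented technique: encrypt the root volume when the build instance launches.
    return any(m.encrypted for m in src.launch_block_device_mappings)

def validate_current(src: AmazonEbsSource) -> list[str]:
    # Rule as the issue reports it: any KMS key setting demands encrypt_boot.
    return [PLUGIN_ERROR] if keys_requested(src) and not src.encrypt_boot else []

def validate_proposed(src: AmazonEbsSource) -> list[str]:
    # Relaxed rule: keys are fine when the launch volume is already encrypted;
    # only an otherwise unencrypted build that names keys is rejected.
    errors = []
    if keys_requested(src) and not (src.encrypt_boot or encrypted_at_launch(src)):
        errors.append(PLUGIN_ERROR)
    # Assumed extra check (not from the issue): every copy region should carry an
    # explicit key so no copy silently falls back to the account's default EBS key.
    for region in src.ami_regions:
        if region not in src.region_kms_key_ids:
            errors.append(f"ami_regions entry {region} has no region_kms_key_ids entry")
    return errors

def reporters_config() -> AmazonEbsSource:
    # Constructed from the report's simplified buildfile, with the launch volume
    # encrypted under the same placeholder key (the technique in question).
    key = "mrk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    mapping = LaunchBlockDeviceMapping("/dev/xvda", encrypted=True, kms_key_id=key)
    return AmazonEbsSource(region="eu-west-2", kms_key_id=key, ami_regions=["eu-west-1"],
                           region_kms_key_ids={"eu-west-1": key},
                           launch_block_device_mappings=[mapping])
```

Running validate_current on reporters_config() reproduces the quoted rejection, while validate_proposed accepts it and still rejects a build that names keys without encrypting anywhere.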