Overview of the Issue
The subject behaviour results in the following error:
```text
==> amazon-ebs.build: Error modify AMI attributes: InvalidParameter: Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.
==> amazon-ebs.build: status code: 400, request id: c1...
==> amazon-ebs.build: Deregistering the AMI and deleting unencrypted temporary AMIs and snapshots
==> amazon-ebs.build: Deregistering the AMI and deleting associated snapshots because of cancellation, or error...
==> amazon-ebs.build: Provisioning step had errors: Running the cleanup provisioner, if present...
==> amazon-ebs.build: Terminating the source AWS instance...
==> amazon-ebs.build: Cleaning up any extra volumes...
==> amazon-ebs.build: No volumes to clean up, skipping
==> amazon-ebs.build: Deleting temporary security group...
==> amazon-ebs.build: Deleting temporary keypair...
Build 'amazon-ebs.build' errored after 15 minutes 48 seconds: Error modify AMI attributes: InvalidParameter: Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.
status code: 400, request id: c1...
```
Reproduction Steps
Configure kms_key_id only.
Plugin and Packer version
Packer v1.8.3
Installed plugin github.com/hashicorp/amazon v1.1.4 in "~/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.1.4_x5.0_linux_amd64"
Operating system and Environment details
Alpine Linux amd64 based container
Log Fragments and crash.log files
See above.
Also, here is how it looks in the AWS console: in the source us-east-1 region, the AMI and its snapshot are encrypted by the correct multi-region CMK (customer-managed key), whose key ID is prefixed with mrk-.
When the AMI is copied to the destination us-west-2 region, the key is reset to the default AWS-managed one.
Workaround
Specifying a CMK explicitly for each region:
```hcl
source "amazon-ebs" "build" {
  ami_name     = "test_image"
  ami_users    = concat([var.aws_account_id], var.ami_users)
  ami_regions  = concat([var.aws_region], var.ami_regions)
  encrypt_boot = true
  kms_key_id   = var.kms_key_id
  # Without this per-region map, the copies in var.ami_regions end up under the default AWS-managed key.
  region_kms_key_ids = local.region_kms_key_ids # BUG:/XXX: in hashicorp/packer-plugin-amazon? see comment below
  ...
}

locals {
  # BUG:/XXX: (2022-09-14) in hashicorp/packer-plugin-amazon where 'kms_key_id' isn't honored
  # in the destination region and default key is used?
  # Map every region (the source region included) to the same customer-managed key.
  region_kms_key_ids = { for _region in concat([var.aws_region], var.ami_regions) : _region => var.kms_key_id }
}
```
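Before sharing a multi-region AMI it is worth checking which key each region's snapshots actually ended up under, since the ModifyImageAttribute error above only surfaces after the copy is done. The script below is an added example, not code from this issue or from packer-plugin-amazon. It consumes the JSON shapes returned by `aws ec2 describe-snapshots` (the `Encrypted` and `KmsKeyId` fields) and `aws kms describe-key` (`KeyManager`, `MultiRegion`); the account number, snapshot IDs and key IDs are constructed placeholders. It also encodes a caveat about the workaround's `locals` map that is my reasoning rather than something the issue states: a KMS key ARN is bound to one region, so mapping every region to the same `var.kms_key_id` only works when that value is a bare key ID (such as the `mrk-...` ID shared by all replicas of a multi-region key) or an alias that exists in each region, not a full ARN from the source region.

```python
"""Audit the snapshots behind a copied AMI for the KMS key they were encrypted with.

Added example (not from the packer-plugin-amazon issue or the plugin itself).
Inputs follow the JSON shapes of `aws ec2 describe-snapshots` and
`aws kms describe-key`; the sample data at the bottom is constructed.
"""
import re

# Shape: arn:aws:kms:<region>:<account>:key/<key-id>
# Multi-region keys have key IDs prefixed with "mrk-"; single-region keys use a UUID.
KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):"
    r"(?P<account>\d{12}):key/(?P<key_id>mrk-[0-9a-f]{32}|[0-9a-f-]{36})$"
)


def parse_key_arn(arn):
    """Return (region, account, key_id) for a KMS key ARN, or None if it is not one."""
    m = KEY_ARN_RE.match(arn)
    return (m.group("region"), m.group("account"), m.group("key_id")) if m else None


def key_usable_in_region(key_ref, region):
    """A key ARN is bound to one region; a bare key ID or alias is resolved per region.

    This is the trap in mapping every region to the same `kms_key_id`: it only works
    when that value is a bare key ID (e.g. mrk-...) or an alias present in each region.
    """
    parsed = parse_key_arn(key_ref)
    if parsed is None:
        return True  # bare key ID or alias/...: resolved against the region's own KMS
    return parsed[0] == region


def audit_snapshots(snapshots_by_region, key_metadata, expected_key_id):
    """Flag snapshots that are not encrypted with the expected customer-managed key.

    snapshots_by_region: {region: [Snapshot dict from describe-snapshots, ...]}
    key_metadata: {key_arn: KeyMetadata dict from describe-key}
    Returns a list of (region, snapshot_id, reason); an empty list means safe to share.
    """
    findings = []
    for region, snapshots in snapshots_by_region.items():
        for snap in snapshots:
            sid = snap["SnapshotId"]
            if not snap.get("Encrypted"):
                findings.append((region, sid, "not encrypted"))
                continue
            key_arn = snap.get("KmsKeyId", "")
            parsed = parse_key_arn(key_arn)
            if parsed is None:
                findings.append((region, sid, f"unparseable KmsKeyId {key_arn!r}"))
                continue
            meta = key_metadata.get(key_arn, {})
            if meta.get("KeyManager") == "AWS":
                # Exactly the state behind the ModifyImageAttribute error: snapshots
                # under the AWS-managed key (alias/aws/ebs) cannot be shared.
                findings.append((region, sid, "encrypted with the AWS-managed key; cannot be shared"))
            elif parsed[2] != expected_key_id:
                findings.append((region, sid, f"encrypted with unexpected key {parsed[2]}"))
            elif parsed[0] != region:
                findings.append((region, sid, f"key ARN is from region {parsed[0]}"))
    return findings


# Constructed sample: the source region carries the multi-region CMK, the copy fell
# back to the AWS-managed EBS key. Account number and key IDs are placeholders.
EXPECTED_KEY_ID = "mrk-0123456789abcdef0123456789abcdef"
AWS_MANAGED_ARN = "arn:aws:kms:us-west-2:111122223333:key/12345678-1234-1234-1234-123456789012"
SAMPLE_SNAPSHOTS = {
    "us-east-1": [
        {"SnapshotId": "snap-0aaaaaaaaaaaaaaaa", "Encrypted": True,
         "KmsKeyId": f"arn:aws:kms:us-east-1:111122223333:key/{EXPECTED_KEY_ID}"},
    ],
    "us-west-2": [
        {"SnapshotId": "snap-0bbbbbbbbbbbbbbbb", "Encrypted": True,
         "KmsKeyId": AWS_MANAGED_ARN},
    ],
}
SAMPLE_KEY_METADATA = {
    f"arn:aws:kms:us-east-1:111122223333:key/{EXPECTED_KEY_ID}": {"KeyManager": "CUSTOMER", "MultiRegion": True},
    AWS_MANAGED_ARN: {"KeyManager": "AWS", "MultiRegion": False},
}

if __name__ == "__main__":
    for region, sid, reason in audit_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_KEY_METADATA, EXPECTED_KEY_ID):
        print(f"{region} {sid}: {reason}")
```

Against real accounts, feed `audit_snapshots` the `Snapshots` list from `describe-snapshots` for each region in `ami_regions` and the `KeyMetadata` from `describe-key` for every distinct `KmsKeyId` it sees; the `KeyManager == "AWS"` branch is the case that produces the "can't be shared" error in this issue, and `key_usable_in_region` is the check to run over the `region_kms_key_ids` map before the build starts.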