This is similar to the bug reported with 1.4.0
```
"ami_regions": [
  "us-west-2",
  "ap-southeast-2"
],
"launch_block_device_mappings": [{
  "device_name": "/dev/xvda",
  "delete_on_termination": true,
  "encrypted": true,
  "kms_key_id": "CMK ID",
  "volume_size": 50,
  "volume_type": "gp2"
}],
"region": "{{user `region`}}",
"region_kms_key_ids": {
  "us-west-2": "us-west-2 CMK",
  "ap-southeast-2": "ap-southeast-2 CMK"
},
"snapshot_users": [list of accounts],
```
When `packer build` is run, we get the error message that the snapshot cannot be copied because it was encrypted with the default key.
```
==> amazon-ebs: Modifying attributes on snapshot (snap-0296946e686ffee81)...
    amazon-ebs: Modifying: users
==> amazon-ebs: Error modify snapshot attributes: OperationNotPermitted: Encrypted snapshots with EBS default key cannot be shared
==> amazon-ebs: status code: 400, request id: 13a92c1f-3f1d-46b0-ba75
==> amazon-ebs: Deregistering the AMI and deleting associated snapshots because of cancellation, or error...
==> amazon-ebs: Deregistered AMI id: ami-07cc5349b50c1a9
==> amazon-ebs: Deleted snapshot: snap-06c800be413b69f
==> amazon-ebs: Provisioning step had errors: Running the cleanup provisioner, if present...
==> amazon-ebs: Terminating the source AWS instance...
==> amazon-ebs: Cleaning up any extra volumes...
==> amazon-ebs: No volumes to clean up, skipping
==> amazon-ebs: Deleting temporary security group...
==> amazon-ebs: Deleting temporary keypair...
Build 'amazon-ebs' errored: Error modify snapshot attributes: OperationNotPermitted: Encrypted snapshots with EBS default key cannot be shared
status code: 400, request id: 13a92c1f-3f1d-46b0-ba75
```
Note: this is experienced when trying to create an AMI based off of Amazon Linux 2.

```
"source_ami_filter": {
  "filters": {
    "virtualization-type": "hvm",
    "architecture": "x86_64",
    "name": "*amzn2-ami-hvm-*",
    "block-device-mapping.volume-type": "gp2",
    "root-device-type": "ebs"
  },
  "owners": [
    "amazon"
  ],
  "most_recent": true
},
```
Just to be extra certain: you aren't providing the options `encrypt_boot` or `kms_key_id`?
Are the pieces you've shown here the entirety of your template needed for reproducing?
The complete code is here
https://gist.github.com/youngfeldt/c2f5c6edbd618d7e3b60f52feab37419
(Keys, and acct# truncated/changed.)
Which region are you initially building in? One of the ones in your "regions" list, or a different one?
I can reproduce; for now you can work around by adding the `encrypt_boot` and `kms_key_id` options I mentioned above:

```
"encrypt_boot": true,
"kms_key_id": "CMK ID",
```
But I'll make sure our validator/cleanup code properly picks the encryption key to use from the region_kms_key_ids when these are unset.
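The failing combination reported in this thread can be caught before a build with a small template lint. This is an added example, not part of the original thread and not Packer's own validation code; `lint_builder`, the sample account number, and the second (per-region coverage) check are assumptions made for illustration.

```python
import json

# Constructed sample: the relevant builder keys from the report, with
# placeholder key IDs and a placeholder account number.
SAMPLE = json.loads("""
{"type": "amazon-ebs",
 "region": "us-west-2",
 "ami_regions": ["us-west-2", "ap-southeast-2"],
 "launch_block_device_mappings": [
   {"device_name": "/dev/xvda", "encrypted": true, "kms_key_id": "CMK ID"}],
 "region_kms_key_ids": {"us-west-2": "us-west-2 CMK",
                        "ap-southeast-2": "ap-southeast-2 CMK"},
 "snapshot_users": ["000000000000"]}
""")


def lint_builder(builder):
    """Hypothetical pre-build lint for one amazon-ebs builder block."""
    findings = []
    shared = bool(builder.get("snapshot_users") or builder.get("ami_users"))
    region_keys = builder.get("region_kms_key_ids") or {}
    boot_key = (builder.get("encrypt_boot") is True
                and bool(builder.get("kms_key_id")))

    # The combination from this thread: sharing plus per-region keys, with
    # encrypt_boot/kms_key_id unset, ended in OperationNotPermitted.
    if shared and region_keys and not boot_key:
        findings.append("set encrypt_boot and kms_key_id: shared snapshot "
                        "would otherwise be encrypted with the EBS default key")

    # Assumption (extra, conservative check): every copy region other than
    # the build region should name its own key when the image is shared.
    if shared and boot_key:
        uncovered = (set(builder.get("ami_regions", []))
                     - set(region_keys) - {builder.get("region")})
        for region in sorted(uncovered):
            findings.append(f"no region_kms_key_ids entry for {region}")
    return findings


if __name__ == "__main__":
    for finding in lint_builder(SAMPLE):
        print("FINDING:", finding)
    fixed = dict(SAMPLE, encrypt_boot=True, kms_key_id="CMK ID")
    print("after workaround:", lint_builder(fixed))
```
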
> Which region are you initially building in? One of the ones in your "regions" list, or a different one?
Building from one in the list, us-west-2.
I'll try the workaround. Thank you.
@youngfeldt I've addressed the bug in the linked PR, and added some extra validation. It'll go out as part of the 1.4.5 release on Monday.
Outstanding! Thank you