I'm using a packer script to encrypt my EBS volumes on AWS by creating a 
new AMI with encrypted EBS. 

I have created a CMK using KMS and have added the kms_key_id in the packer 
script builder section as follows.

"variables": {
     ....................
    "kms_key_prod": "{{env `kms_key_prod`}}",
     ....................
    },

"builders": [
    {
      "type": "amazon-ebs",
      "access_key": "{{user `aws_access_key`}}",
      "secret_key": "{{user `aws_secret_key`}}",
      "vpc_id": "{{user `aws_vpc_id`}}",
      "subnet_id": "{{user `subnet_id`}}",
      "region": "{{user `region`}}",
      "kms_key_id": "{{user `kms_key_prod`}}",
      "source_ami": "{{user `base_ami`}}",
      "instance_type": "t2.micro",
      "ssh_username": "ubuntu",
      "ami_name": "{{user `name`}}-Default-{{isotime \"2006-01-02-1504\"}}",
      "ami_description": "Base AMI for Ubuntu 16.04",
      "tags": {
        "Name": "Default-Base",
        "Project": "Public Cloud",
        "Build": "{{ user `buildtime` }}"
      },
      "ami_block_device_mappings": [
        {
          "device_name": "/dev/xvdk",
          "volume_size": 25,
          "Encrypted": true,
          "volume_type": "gp2",
          "delete_on_termination": true
        }
      ],
      "launch_block_device_mappings": [
        {
          "device_name": "/dev/xvdk",
          "volume_size": 25,
          "Encrypted": true,
          "volume_type": "gp2",
          "delete_on_termination": true
        }
      ]
    }
  ],


But when packer runs, the generated AMI has attached snapshots of the 
devices I have attached, encrypted with the "default" CMK, which is "aws/ebs", 
that is unique for the specific region.

I don't need my boot volume to get encrypted but the attached EBS volumes 
to be encrypted with the KMS key that I have created.

Does anyone know if this is a limitation in packer or if there is any other 
way to achieve this through packer?

Regards,
Thenuka
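
An added example, not part of the original post: a check that can run after a Packer build to flag AMI data-volume snapshots that are unencrypted or encrypted under a key other than the intended CMK. It assumes the input has the shape of `aws ec2 describe-images` and `aws ec2 describe-snapshots` output; the function name and all IDs and ARNs are constructed placeholders.

```python
# Constructed sample data shaped like describe-images / describe-snapshots
# output. Every ID and ARN below is a placeholder, not a real resource.
CMK = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-cmk"
DEFAULT = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-aws-ebs"

IMAGE = {
    "ImageId": "ami-EXAMPLE",
    "RootDeviceName": "/dev/sda1",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/sda1", "Ebs": {"SnapshotId": "snap-root"}},
        {"DeviceName": "/dev/xvdk", "Ebs": {"SnapshotId": "snap-data"}},
        {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},
    ],
}
SNAPSHOTS = [
    {"SnapshotId": "snap-root", "Encrypted": False},
    {"SnapshotId": "snap-data", "Encrypted": True, "KmsKeyId": DEFAULT},
]


def audit_ami_encryption(image, snapshots, expected_key_arn, include_root=False):
    """Return (device, snapshot_id, reason) for every EBS snapshot of the
    AMI that is not encrypted under expected_key_arn."""
    by_id = {s["SnapshotId"]: s for s in snapshots}
    findings = []
    for bdm in image.get("BlockDeviceMappings", []):
        ebs = bdm.get("Ebs")
        if not ebs or "SnapshotId" not in ebs:
            continue  # instance-store mapping or no snapshot to check
        dev = bdm["DeviceName"]
        if dev == image.get("RootDeviceName") and not include_root:
            continue  # boot volume is out of scope unless requested
        snap = by_id.get(ebs["SnapshotId"])
        if snap is None:
            findings.append((dev, ebs["SnapshotId"], "snapshot not described"))
        elif not snap.get("Encrypted"):
            findings.append((dev, snap["SnapshotId"], "unencrypted"))
        elif snap.get("KmsKeyId") != expected_key_arn:
            # Snapshots report the key ARN, so compare ARNs, not aliases.
            findings.append((dev, snap["SnapshotId"],
                             "wrong key: " + str(snap.get("KmsKeyId"))))
    return findings


if __name__ == "__main__":
    for finding in audit_ami_encryption(IMAGE, SNAPSHOTS, CMK):
        print(finding)
```

Failing the build pipeline when the returned list is non-empty keeps an AMI encrypted under the default key from being promoted.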

