Unfortunately that doesn't seem to be supported. See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html and http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html
As a workaround you can prepare a CMK encrypted (empty) snapshot and attach that in your device mapping block. That should give you a snapshot encrypted with the KMS key you want.

// Rickard

On 22 November 2017 at 12:50, 'Thenuka Keerthibandara' via Packer <[email protected]> wrote:
> I'm using a packer script to encrypt my EBS volumes on AWS by creating a new AMI with encrypted EBS.
>
> I have created a CMK using KMS and have added the kms_key_id in packer script builder section as follows.
>
> "variables": {
>     ....................
>     "kms_key_prod": "{{env `kms_key_prod`}}",
>     ....................
> },
>
> "builders": [
>     {
>         "type": "amazon-ebs",
>         "access_key": "{{user `aws_access_key`}}",
>         "secret_key": "{{user `aws_secret_key`}}",
>         "vpc_id": "{{user `aws_vpc_id`}}",
>         "subnet_id": "{{user `subnet_id`}}",
>         "region": "{{user `region`}}",
>         "kms_key_id": "{{user `kms_key_prod`}}",
>         "source_ami": "{{user `base_ami`}}",
>         "instance_type": "t2.micro",
>         "ssh_username": "ubuntu",
>         "ami_name": "{{user `name`}}-Default-{{isotime \"2006-01-02-1504\"}}",
>         "ami_description": "Base AMI for Ubuntu 16.04",
>         "tags": {
>             "Name": "Default-Base",
>             "Project": "Public Cloud",
>             "Build": "{{ user `buildtime` }}"
>         },
>         "ami_block_device_mappings": [
>             {
>                 "device_name": "/dev/xvdk",
>                 "volume_size": 25,
>                 "Encrypted": true,
>                 "volume_type": "gp2",
>                 "delete_on_termination": true
>             }
>         ],
>         "launch_block_device_mappings": [
>             {
>                 "device_name": "/dev/xvdk",
>                 "volume_size": 25,
>                 "Encrypted": true,
>                 "volume_type": "gp2",
>                 "delete_on_termination": true
>             }
>         ]
>     }
> ],
>
> But when packer runs, the generated AMI has attached snapshots of the devices I have attached encrypted with the "default" CMK which is "aws/ebs" that is unique for the specific region.
>
> I don't need my boot volume to get encrypted but the attached EBS volumes to be encrypted with the KMS key that I have created.
>
> Does anyone know if this is a limitation in packer or if there is any other way to achieve this through packer?
>
> Regards,
> Thenuka
>
> --
> This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/mitchellh/packer/issues
> IRC: #packer-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups "Packer" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/ea5c895d-584b-45aa-9613-ec913de08231%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
