Will try that and repost if anything goes south, @Rickard von Essen. Thanks in advance. :)

Thenuka.

On Wednesday, November 22, 2017 at 5:55:05 PM UTC+5:30, Rickard von Essen wrote:
>
> Unfortunately that doesn't seem to be supported. See
> http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html
> and
> http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html
>
> As a workaround you can prepare a CMK encrypted (empty) snapshot and
> attach that in your device mapping block. That should give you a snapshot
> encrypted with the KMS key you want.
>
> // Rickard
>
> On 22 November 2017 at 12:50, 'Thenuka Keerthibandara' via Packer
> <[email protected]> wrote:
>
>> I'm using a packer script to encrypt my EBS volumes on AWS by creating a
>> new AMI with encrypted EBS.
>>
>> I have created a CMK using KMS and have added the kms_key_id in the packer
>> script builder section as follows.
>>
>> "variables": {
>>   ....................
>>   "kms_key_prod": "{{env `kms_key_prod`}}",
>>   ....................
>> },
>>
>> "builders": [
>>   {
>>     "type": "amazon-ebs",
>>     "access_key": "{{user `aws_access_key`}}",
>>     "secret_key": "{{user `aws_secret_key`}}",
>>     "vpc_id": "{{user `aws_vpc_id`}}",
>>     "subnet_id": "{{user `subnet_id`}}",
>>     "region": "{{user `region`}}",
>>     "kms_key_id": "{{user `kms_key_prod`}}",
>>     "source_ami": "{{user `base_ami`}}",
>>     "instance_type": "t2.micro",
>>     "ssh_username": "ubuntu",
>>     "ami_name": "{{user `name`}}-Default-{{isotime \"2006-01-02-1504\"}}",
>>     "ami_description": "Base AMI for Ubuntu 16.04",
>>     "tags": {
>>       "Name": "Default-Base",
>>       "Project": "Public Cloud",
>>       "Build": "{{ user `buildtime` }}"
>>     },
>>     "ami_block_device_mappings": [
>>       {
>>         "device_name": "/dev/xvdk",
>>         "volume_size": 25,
>>         "Encrypted": true,
>>         "volume_type": "gp2",
>>         "delete_on_termination": true
>>       }
>>     ],
>>     "launch_block_device_mappings": [
>>       {
>>         "device_name": "/dev/xvdk",
>>         "volume_size": 25,
>>         "Encrypted": true,
>>         "volume_type": "gp2",
>>         "delete_on_termination": true
>>       }
>>     ]
>>   }
>> ],
>>
>> But when packer runs, the generated AMI has attached snapshots of the
>> devices I have attached encrypted with the "default" CMK which is "aws/ebs"
>> that is unique for the specific region.
>>
>> I don't need my boot volume to get encrypted but the attached EBS volumes
>> to be encrypted with the KMS key that I have created.
>>
>> Does anyone know if this is a limitation in packer or if there is any other
>> way to achieve this through packer?
>>
>> Regards,
>> Thenuka
>>
>> --
>> This mailing list is governed under the HashiCorp Community Guidelines -
>> https://www.hashicorp.com/community-guidelines.html. Behavior in
>> violation of those guidelines may result in your removal from this mailing
>> list.
>>
>> GitHub Issues: https://github.com/mitchellh/packer/issues
>> IRC: #packer-tool on Freenode
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "Packer" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/packer-tool/ea5c895d-584b-45aa-9613-ec913de08231%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
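
Added example, not part of the thread and not Packer's own code: a post-build check for the symptom described above, where the AMI's data-volume snapshots come out encrypted with the default aws/ebs key instead of the intended CMK. It works on the parsed JSON of `aws ec2 describe-images` and `aws ec2 describe-snapshots` for the built AMI; the function name, key ARNs, snapshot ids and sample responses are constructed for illustration.

```python
def find_wrong_key_snapshots(image, snapshots, expected_key_arn):
    """Return (device, snapshot_id, reason) for every non-root EBS mapping of
    the AMI whose snapshot is not encrypted with expected_key_arn.

    image: one entry of the DescribeImages "Images" list.
    snapshots: the DescribeSnapshots "Snapshots" list.
    """
    by_id = {s["SnapshotId"]: s for s in snapshots}
    root = image.get("RootDeviceName")
    findings = []
    for mapping in image.get("BlockDeviceMappings", []):
        ebs, device = mapping.get("Ebs"), mapping.get("DeviceName")
        # Skip instance-store mappings and the boot volume (the poster only
        # wants the attached data volumes encrypted).
        if ebs is None or device == root:
            continue
        snap_id = ebs.get("SnapshotId")
        snap = by_id.get(snap_id)
        if snap is None:
            findings.append((device, snap_id, "snapshot not in describe-snapshots output"))
        elif not snap.get("Encrypted"):
            findings.append((device, snap_id, "not encrypted"))
        elif snap.get("KmsKeyId") != expected_key_arn:
            # DescribeSnapshots reports the key ARN, not the aws/ebs alias.
            findings.append((device, snap_id, "wrong key: " + str(snap.get("KmsKeyId"))))
    return findings


# Constructed sample data: account id, key ids and snapshot ids are placeholders.
CMK = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-00000000000a"
DEFAULT_KEY = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-00000000000b"
IMAGE = {
    "RootDeviceName": "/dev/sda1",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/sda1", "Ebs": {"SnapshotId": "snap-0000000000000001"}},
        {"DeviceName": "/dev/xvdk", "Ebs": {"SnapshotId": "snap-0000000000000002"}},
        {"DeviceName": "/dev/xvdl", "Ebs": {"SnapshotId": "snap-0000000000000003"}},
    ],
}
SNAPSHOTS = [
    {"SnapshotId": "snap-0000000000000001", "Encrypted": False},
    {"SnapshotId": "snap-0000000000000002", "Encrypted": True, "KmsKeyId": DEFAULT_KEY},
    {"SnapshotId": "snap-0000000000000003", "Encrypted": True, "KmsKeyId": CMK},
]

if __name__ == "__main__":
    for device, snap_id, reason in find_wrong_key_snapshots(IMAGE, SNAPSHOTS, CMK):
        print("FAIL", device, snap_id, reason)
```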
