Hi all 

As guided I created a new snapshot of an encrypted volume from my custom 
CMK and attached the snapshot id to packer.

I have created my block device mappings like this.

"ami_block_device_mappings": [
        {
          "device_name": "/dev/xvdk",
          "snapshot_id": "snap-0cb78ce26c58ecf02",
          "volume_size": 25,
          "Encrypted": true,
          "volume_type": "gp2",
          "delete_on_termination": true
        }
      ],
      "launch_block_device_mappings": [
        {
          "device_name": "/dev/xvdk",
          "snapshot_id": "snap-0cb78ce26c58ecf02",
          "volume_size": 25,
          "Encrypted": true,
          "volume_type": "gp2",
          "delete_on_termination": true
        }
      ]

But when I create the AMI I get the following error and the AMI bake process 
terminates.

Build 'amazon-ebs' errored: Error waiting for instance 
(i-xxxxxxxxxxxxxxx) to become ready: unexpected state 'shutting-down', 
wanted target 'running'

==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: Error waiting for instance (i-xxxxxxxxxxxxxxx) to become 
ready: unexpected state 'shutting-down', wanted target 'running'

==> Builds finished but no artifacts were created.
Finished: FAILURE

What is the correct way to put the snapshot_id?

Thank you,
Thenuka.

On Wednesday, November 22, 2017 at 7:21:55 PM UTC+5:30, Thenuka 
Keerthibandara wrote:
>
> Will try that and repost if anything goes south @Rickard von Essen 
>
> Thanks in advance. :)
>
> Thenuka.
>
> On Wednesday, November 22, 2017 at 5:55:05 PM UTC+5:30, Rickard von Essen 
> wrote:
>>
>> Unfortunately that doesn't seem to be supported. See 
>> http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html
>>  
>> and 
>> http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html
>>
>> As a workaround you can prepare a CMK encrypted (empty) snapshot and 
>> attach that in your device mapping block. That should give you a snapshot 
>> encrypted with the KMS key you want.
>>
>> // Rickard 
>>
>> On 22 November 2017 at 12:50, 'Thenuka Keerthibandara' via Packer <
>> [email protected]> wrote:
>>
>>> I'm using a packer script to encrypt my EBS volumes on AWS by creating 
>>> a new AMI with encrypted EBS. 
>>>
>>> I have created a CMK using KMS and have added the kms_key_id in packer 
>>> script builder section as follows.
>>>
>>> "variables": {
>>>      ....................
>>>     "kms_key_prod": "{{env `kms_key_prod`}}",
>>>      ....................
>>>     },
>>>
>>> "builders": [
>>>     {
>>>       "type": "amazon-ebs",
>>>       "access_key": "{{user `aws_access_key`}}",
>>>       "secret_key": "{{user `aws_secret_key`}}",
>>>       "vpc_id": "{{user `aws_vpc_id`}}",
>>>       "subnet_id": "{{user `subnet_id`}}",
>>>       "region": "{{user `region`}}",
>>>       "kms_key_id": "{{user `kms_key_prod`}}",
>>>       "source_ami": "{{user `base_ami`}}",
>>>       "instance_type": "t2.micro",
>>>       "ssh_username": "ubuntu",
>>>       "ami_name": "{{user `name`}}-Default-{{isotime \"2006-01-02-1504\"}}",
>>>       "ami_description": "Base AMI for Ubuntu 16.04",
>>>       "tags": {
>>>         "Name": "Default-Base",
>>>         "Project": "Public Cloud",
>>>         "Build": "{{ user `buildtime` }}"
>>>       },
>>>       "ami_block_device_mappings": [
>>>         {
>>>           "device_name": "/dev/xvdk",
>>>           "volume_size": 25,
>>>           "Encrypted": true,
>>>           "volume_type": "gp2",
>>>           "delete_on_termination": true
>>>         }
>>>       ],
>>>       "launch_block_device_mappings": [
>>>         {
>>>           "device_name": "/dev/xvdk",
>>>           "volume_size": 25,
>>>           "Encrypted": true,
>>>           "volume_type": "gp2",
>>>           "delete_on_termination": true
>>>         }
>>>       ]
>>>     }
>>>   ],
>>>
>>>
>>> But when packer runs, the generated AMI has attached snapshots of the 
>>> devices I have attached encrypted with the "default" CMK which is "aws/ebs" 
>>> that is unique for the specific region.
>>>
>>> I don't need my boot volume to get encrypted but the attached EBS 
>>> volumes to be encrypted with the KMS key that I have created.
>>>
>>> Does anyone know if this is a limitation in packer or if there is any other 
>>> way to achieve this through packer?
>>>
>>> Regards,
>>> Thenuka
>>>
>>>
>>> -- 
>>> This mailing list is governed under the HashiCorp Community Guidelines - 
>>> https://www.hashicorp.com/community-guidelines.html. Behavior in 
>>> violation of those guidelines may result in your removal from this mailing 
>>> list.
>>>  
>>> GitHub Issues: https://github.com/mitchellh/packer/issues
>>> IRC: #packer-tool on Freenode
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "Packer" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to [email protected].
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/packer-tool/ea5c895d-584b-45aa-9613-ec913de08231%40googlegroups.com
>>>  
>>> <https://groups.google.com/d/msgid/packer-tool/ea5c895d-584b-45aa-9613-ec913de08231%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
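
Added example, not part of the original thread or of Packer: a pre-build check that every encrypted mapping in a builder points at a snapshot encrypted with the intended CMK, since the thread reports that mappings without a `snapshot_id` ended up under the default "aws/ebs" key. The key ARN and the snapshot record are constructed placeholders shaped like `aws ec2 describe-snapshots` output, and the function names are hypothetical.

```python
import json

EXPECTED_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder ARN

# Constructed sample shaped like `aws ec2 describe-snapshots` output.
SNAPSHOTS = json.loads("""
{"Snapshots": [
  {"SnapshotId": "snap-0cb78ce26c58ecf02", "Encrypted": true, "VolumeSize": 25,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}
]}
""")

def mapping(snapshot_id=None):
    """One mapping from the thread; omitting snapshot_id reproduces the first template."""
    m = {"device_name": "/dev/xvdk", "volume_size": 25, "Encrypted": True,
         "volume_type": "gp2", "delete_on_termination": True}
    if snapshot_id:
        m["snapshot_id"] = snapshot_id
    return m

def builder(snapshot_id=None):
    return {"type": "amazon-ebs",
            "ami_block_device_mappings": [mapping(snapshot_id)],
            "launch_block_device_mappings": [mapping(snapshot_id)]}

def check_builder(b, snapshots, expected_key):
    """Return (section, device, problem) for every mapping not tied to expected_key."""
    by_id = {s["SnapshotId"]: s for s in snapshots["Snapshots"]}
    findings = []
    for section in ("ami_block_device_mappings", "launch_block_device_mappings"):
        for raw in b.get(section, []):
            m = {k.lower(): v for k, v in raw.items()}  # the post writes "Encrypted"
            dev, snap_id = m.get("device_name"), m.get("snapshot_id")
            if not snap_id:
                if m.get("encrypted"):
                    findings.append((section, dev, "encrypted without snapshot_id: key not pinned"))
                continue
            snap = by_id.get(snap_id)
            if snap is None:
                findings.append((section, dev, "snapshot not found: " + snap_id))
            elif not snap.get("Encrypted"):
                findings.append((section, dev, "snapshot is not encrypted"))
            elif snap.get("KmsKeyId") != expected_key:
                findings.append((section, dev, "snapshot uses another key: " + str(snap.get("KmsKeyId"))))
            elif m.get("volume_size", snap["VolumeSize"]) < snap["VolumeSize"]:
                findings.append((section, dev, "volume_size smaller than snapshot"))
    return findings

if __name__ == "__main__":
    for b in (builder(), builder("snap-0cb78ce26c58ecf02")):
        print(check_builder(b, SNAPSHOTS, EXPECTED_KEY) or "all mappings pinned to the CMK")
```
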
