Let me take a step back for a minute.
This did work last March; I cannot remember which version of Packer was
used.
I am not interested in assigning a different key per region.
What I want is the ability to create an AMI in one region and then copy the
AMI to any region in the same account. It seems that this is no longer
working.
The confusing portion is that I can create an AMI in a single region:
"_comment": "To create a new AMI in us-west-2 run:",
packer build -var aws_region='us-west-2' dockerhost.json
This works every time, and I can manually copy the AMI to any region using the
AWS portal.
What has stopped working is when I include the copy_to list of regions:
"_comment": "To create an AMI and copy to one or more regions, run:",
packer build -var aws_region='us-west-2' -var copy_to='us-west-1,eu-central-1' dockerhost.json
* Error Copying AMI (ami-0419bfd39943f48db) to region (us-west-1):
InvalidRequest: Snapshot snap-05657965eb9352840 is encrypted. Creating
unencrypted copy from an encrypted snapshot is not supported.
status code: 400, request id: bffa5254-8dd2-4b7d-b826-09ac26eb787d
So that led to the question: is the function broken for encrypted AMIs?
If I run the same config with:
"encrypt_boot": false ,
packer build -var aws_region='us-west-2' -var copy_to='us-west-1,us-west-2' dockerhost.json
==> Builds finished. The artifacts of successful builds are:
--> amazon-ebs: AMIs were created:
us-west-1: ami-05ec9d716b4301a5b
us-west-2: ami-0dcacd69edba0beb8
But if I run the config with:
"encrypt_boot": true ,
packer build -var aws_region='us-west-2' -var copy_to='us-west-1,us-west-2' dockerhost.json
==> amazon-ebs: 1 error(s) occurred:
==> amazon-ebs:
==> amazon-ebs: * Error Copying AMI (ami-093d856058e911402) to region
(us-west-1): InvalidRequest: Snapshot snap-0c21f1f2f16716f73 is encrypted.
Creating unencrypted copy from an encrypted snapshot is not supported.
==> amazon-ebs: status code: 400, request id:
6c82fe92-5942-4c61-8312-89b8224471a1
==> amazon-ebs: Deregistering the AMI because cancellation or error...
==> amazon-ebs: Deregistering the AMI because cancellation or error...
==> amazon-ebs: Error deregistering AMI, may still be around:
InvalidAMIID.Unavailable: The image ID 'ami-0888140c4a7226a51' is no longer
available
==> amazon-ebs: status code: 400, request id:
af4169fd-009c-42b6-bd35-d5b8663fdccc
==> amazon-ebs: Terminating the source AWS instance...
==> amazon-ebs: Cleaning up any extra volumes...
==> amazon-ebs: Destroying volume (vol-0260232693224011d)...
==> amazon-ebs: Deleting temporary security group...
==> amazon-ebs: Deleting temporary keypair...
Build 'amazon-ebs' errored: 1 error(s) occurred:
* Error Copying AMI (ami-093d856058e911402) to region (us-west-1):
InvalidRequest: Snapshot snap-0c21f1f2f16716f73 is encrypted. Creating
unencrypted copy from an encrypted snapshot is not supported.
status code: 400, request id: 6c82fe92-5942-4c61-8312-89b8224471a1
==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: 1 error(s) occurred:
* Error Copying AMI (ami-093d856058e911402) to region (us-west-1):
InvalidRequest: Snapshot snap-0c21f1f2f16716f73 is encrypted. Creating
unencrypted copy from an encrypted snapshot is not supported.
status code: 400, request id: 6c82fe92-5942-4c61-8312-89b8224471a1
==> Builds finished but no artifacts were created.
So the only difference is the "encrypt_boot" flag.
Frank
On Tuesday, February 5, 2019 at 5:52:55 PM UTC-6, John Roh wrote:
>
> Hi, Frank,
>
> we have used as below, and are on packer v1.2.3
>
> "variables":
> {
> "kms_key_id_eu-central-1" : "arn:aws:kms:eu-central-1:[[aws account id]]:key/xxxx-xxx-xxx-xxx-xxxxx",
> "kms_key_id_us-west-2" : "arn:aws:kms:us-west-2:[[aws account id]]:key/xxxx-xxx-xxx-xxx-xxxxx",
> "kms_key_id_us-east-1" : "arn:aws:kms:us-east-1:[[aws account id]]:key/xxxx-xxx-xxx-xxx-xxxxx",
> "kms_key_id_eu-west-3" : "arn:aws:kms:eu-west-3:[[aws account id]]:key/xxxx-xxx-xxx-xxx-xxxxx",
> "kms_key_id_eu-central-1" : "arn:aws:kms:eu-central-1:[[aws account id]]:key/xxxx-xxx-xxx-xxx-xxxxx"
> }
>
> In the build section, you can pass as below.
> "region_kms_key_ids" : {
> "us-west-1": "{{user `kms_key_id_us-west-1`}}",
> "us-east-1": "{{user `kms_key_id_us-east-1`}}",
> "eu-west-2": "{{user `kms_key_id_eu-west-2`}}",
> "eu-central-1": "{{user `kms_key_id_eu-central-1`}}"
> },
>
> On Tue, Feb 5, 2019 at 2:30 PM Frank Dias <[email protected]> wrote:
>
>> Rickard,
>>
>> what is the best way to generate a map from the copy_to string. this was
>> as the user sets the copy_to ? not have to hardcode the regions, take them
>> as input
>>
>> frank
>>
>> On Tuesday, February 5, 2019 at 8:13:04 AM UTC-6, Rickard von Essen wrote:
>>>
>>>
>>>> I thought that it would copy the unencrypted copy to the new region and
>>>> then encrypt. encryption is region specific
>>>
>>> No, CopyImage can copy an encrypted AMI, but it will be reencrypted with
>>> a KMS key that belongs to the new region.
>>>
>>> As a workaround try adding this to your template:
>>>
>>> "region_kms_key_ids": {
>>> "us-west-1": "aws/ebs",
>>> "eu-central-1": "aws/ebs"
>>> }
>>>
>>> And add the regions that you might use in copy_to...
>>>
>>> Reading the docs again suggests that:
>>> "region_kms_key_ids": {
>>> "us-west-1": "",
>>> "eu-central-1": ""
>>> }
>>>
>>> Should work too?
>>>
>>> On Tue, Feb 5, 2019 at 2:30 PM Frank Dias <[email protected]> wrote:
>>>
>>>> 1.3.3 and tried 1.3.4
>>>> I thought that it would copy the unencrypted copy to the new region and
>>>> then encrypt. encryption is region specific
>>>>
>>>> --
>>>> This mailing list is governed under the HashiCorp Community Guidelines
>>>> - https://www.hashicorp.com/community-guidelines.html. Behavior in
>>>> violation of those guidelines may result in your removal from this mailing
>>>> list.
>>>>
>>>> GitHub Issues: https://github.com/mitchellh/packer/issues
>>>> IRC: #packer-tool on Freenode
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Packer" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/packer-tool/5f765ebd-6044-42b9-b763-f47d190bdf62%40googlegroups.com
>>>> .
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>
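
Added example, not part of the original thread and not Packer's own code: one way to derive the region_kms_key_ids map from the comma-separated copy_to string instead of hard-coding regions, using "" for the destination region's default key as in the workaround quoted above. The function names, the sample builder and the placeholder key ARN are assumptions made for illustration.

```python
import json
import re

# Shape check only (us-west-2, eu-central-1); does not prove the region is enabled.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")


def parse_copy_to(copy_to):
    """Split the comma-separated copy_to value into an ordered, de-duplicated list."""
    regions = []
    for raw in copy_to.split(","):
        region = raw.strip()
        if not region:
            continue
        if not REGION_RE.match(region):
            raise ValueError(f"not a region name: {region!r}")
        if region not in regions:
            regions.append(region)
    return regions


def region_kms_map(copy_to, overrides=None):
    """Give every copy target a key: "" selects that region's default EBS key."""
    overrides = overrides or {}
    regions = parse_copy_to(copy_to)
    stray = sorted(set(overrides) - set(regions))
    if stray:
        raise ValueError(f"key supplied for regions not in copy_to: {stray}")
    return {region: overrides.get(region, "") for region in regions}


def patch_builder(builder, copy_to, overrides=None):
    """Return a copy of an amazon-ebs builder with the copy settings filled in."""
    kms = region_kms_map(copy_to, overrides)
    patched = dict(builder, ami_regions=list(kms))
    if patched.get("encrypt_boot"):
        patched["region_kms_key_ids"] = kms  # one entry per target region
    else:
        patched.pop("region_kms_key_ids", None)  # unencrypted copies need no key
    return patched


if __name__ == "__main__":
    # Constructed builder; the ARN is a placeholder, not a real key.
    sample = {"type": "amazon-ebs", "region": "us-west-2", "encrypt_boot": True}
    keys = {"eu-central-1": "arn:aws:kms:eu-central-1:111111111111:key/PLACEHOLDER"}
    print(json.dumps(patch_builder(sample, "us-west-1,eu-central-1", keys), indent=2))
```

The patched builder can be written back into the template's builders list before running packer build, so the map always has exactly one entry per region named in copy_to.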