What is the status of your base image? Is it already encrypted, I assume?

On Tue, Feb 5, 2019 at 9:24 PM Frank Dias <[email protected]> wrote:

> let me take a step back for a minute;
> this did work last march, I can not remember which version of packer was
> used.
> I am not interested in assigning a different key per region.
> what I want is the ability to create an AMI on one region and then copy
> the AMI to any region in the same account. it seems that this is no longer
> working.
> the confusing portion is that I can create an AMI in a single region:
>  "_comment": "To create a new AMI in us-west-2 run:",
>  packer build -var aws_region='us-west-2' dockerhost.json
>
> works every time and I can manually copy the AMI to any region using AWS
> portal.
>
> what has stopped working is when I include copy_to list of regions:
>   "_comment": "To create an AMI and copy to one or more regions, run:",
>   packer build -var aws_region='us-west-2' -var copy_to='us-west-1,eu-central-1' dockerhost.json
>
> * Error Copying AMI (ami-0419bfd39943f48db) to region (us-west-1):
> InvalidRequest: Snapshot snap-05657965eb9352840 is encrypted. Creating
> unencrypted copy from an encrypted snapshot is not supported.
> status code: 400, request id: bffa5254-8dd2-4b7d-b826-09ac26eb787d
>
> so that led to the question: is the function broken for encrypted AMIs?
> if I run the same config with;
>    "encrypt_boot": false ,
> packer build -var aws_region='us-west-2' -var copy_to='us-west-1,us-west-2' dockerhost.json
> ==> Builds finished. The artifacts of successful builds are:
> --> amazon-ebs: AMIs were created:
> us-west-1: ami-05ec9d716b4301a5b
> us-west-2: ami-0dcacd69edba0beb8
>
> but if I run the config with:
>    "encrypt_boot": true ,
> packer build -var aws_region='us-west-2' -var copy_to='us-west-1,us-west-2' dockerhost.json
>
> ==> amazon-ebs: 1 error(s) occurred:
> ==> amazon-ebs:
> ==> amazon-ebs: * Error Copying AMI (ami-093d856058e911402) to region
> (us-west-1): InvalidRequest: Snapshot snap-0c21f1f2f16716f73 is encrypted.
> Creating unencrypted copy from an encrypted snapshot is not supported.
> ==> amazon-ebs: status code: 400, request id:
> 6c82fe92-5942-4c61-8312-89b8224471a1
> ==> amazon-ebs: Deregistering the AMI because cancellation or error...
> ==> amazon-ebs: Deregistering the AMI because cancellation or error...
> ==> amazon-ebs: Error deregistering AMI, may still be around:
> InvalidAMIID.Unavailable: The image ID 'ami-0888140c4a7226a51' is no longer
> available
> ==> amazon-ebs: status code: 400, request id:
> af4169fd-009c-42b6-bd35-d5b8663fdccc
> ==> amazon-ebs: Terminating the source AWS instance...
> ==> amazon-ebs: Cleaning up any extra volumes...
> ==> amazon-ebs: Destroying volume (vol-0260232693224011d)...
> ==> amazon-ebs: Deleting temporary security group...
> ==> amazon-ebs: Deleting temporary keypair...
> Build 'amazon-ebs' errored: 1 error(s) occurred:
>
> * Error Copying AMI (ami-093d856058e911402) to region (us-west-1):
> InvalidRequest: Snapshot snap-0c21f1f2f16716f73 is encrypted. Creating
> unencrypted copy from an encrypted snapshot is not supported.
> status code: 400, request id: 6c82fe92-5942-4c61-8312-89b8224471a1
>
> ==> Some builds didn't complete successfully and had errors:
> --> amazon-ebs: 1 error(s) occurred:
>
> * Error Copying AMI (ami-093d856058e911402) to region (us-west-1):
> InvalidRequest: Snapshot snap-0c21f1f2f16716f73 is encrypted. Creating
> unencrypted copy from an encrypted snapshot is not supported.
> status code: 400, request id: 6c82fe92-5942-4c61-8312-89b8224471a1
>
> ==> Builds finished but no artifacts were created.
>
> so the only difference is the "encrypt_boot" flag
>
> Frank
>
> On Tuesday, February 5, 2019 at 5:52:55 PM UTC-6, John Roh wrote:
>>
>> Hi, Frank,
>>
>> we have used as below, and are on packer v1.2.3
>>
>> "variables":
>> {
>> "kms_key_id_eu-central-1" : "arn:aws:kms:eu-central-1:[[aws account id]]:key/xxxx-xxx-xxx-xxx-xxxxx",
>> "kms_key_id_us-west-2" : "arn:aws:kms:us-west-2:[[aws account id]]:key/xxxx-xxx-xxx-xxx-xxxxx",
>> "kms_key_id_us-east-1" : "arn:aws:kms:us-east-1:[[aws account id]]:key/xxxx-xxx-xxx-xxx-xxxxx",
>> "kms_key_id_eu-west-3" : "arn:aws:kms:eu-west-3:[[aws account id]]:key/xxxx-xxx-xxx-xxx-xxxxx"
>> }
>>
>> In the build section, you can pass as below.
>> "region_kms_key_ids" : {
>> "us-west-1": "{{user `kms_key_id_us-west-1`}}",
>> "us-east-1": "{{user `kms_key_id_us-east-1`}}",
>> "eu-west-2": "{{user `kms_key_id_eu-west-2`}}",
>> "eu-central-1": "{{user `kms_key_id_eu-central-1`}}"
>> },
>>
>> On Tue, Feb 5, 2019 at 2:30 PM Frank Dias <[email protected]> wrote:
>>
>>> Rickard,
>>>
>>> what is the best way to generate a map from the copy_to string. this was
>>> as the user sets the copy_to ?  not have to hardcode the regions, take them
>>> as input
>>>
>>> frank
>>>
>>> On Tuesday, February 5, 2019 at 8:13:04 AM UTC-6, Rickard von Essen
>>> wrote:
>>>>
>>>>
>>>>> I thought that it would copy the unencrypted copy to the new region and
>>>>> then encrypt. encryption is region specific
>>>>
>>>> No, CopyImage can copy an encrypted AMI, but it will be re-encrypted with
>>>> a KMS key that belongs to new region.
>>>>
>>>> As a workaround try adding this to your template:
>>>>
>>>> "region_kms_key_ids": {
>>>>   "us-west-1": "aws/ebs",
>>>>   "eu-central-1": "aws/ebs"
>>>> }
>>>>
>>>> And add the regions that you might use in copy_to...
>>>>
>>>> Reading the docs again suggests that:
>>>> "region_kms_key_ids": {
>>>>   "us-west-1": "",
>>>>   "eu-central-1": ""
>>>> }
>>>>
>>>> Should work too?
>>>>
>>>> On Tue, Feb 5, 2019 at 2:30 PM Frank Dias <[email protected]> wrote:
>>>>
>>>>> 1.3.3 and tried 1.3.4
>>>>> I thought that it would copy the unencrypted copy to the new region
>>>>> and then encrypt. encryption is region specific
>>>>>
>>>>> --
>>>>> This mailing list is governed under the HashiCorp Community Guidelines
>>>>> - https://www.hashicorp.com/community-guidelines.html. Behavior in
>>>>> violation of those guidelines may result in your removal from this mailing
>>>>> list.
>>>>>
>>>>> GitHub Issues: https://github.com/mitchellh/packer/issues
>>>>> IRC: #packer-tool on Freenode
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Packer" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/packer-tool/5f765ebd-6044-42b9-b763-f47d190bdf62%40googlegroups.com
>>>>> .
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>

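The following added example (not from the thread or the Packer project) addresses the question quoted above about building region_kms_key_ids from the copy_to string: it rewrites an amazon-ebs template so every copy region has a key entry when encrypt_boot is true, and lists regions that would be copied without one. The template contents, the alias/example-ami-key name and the function names are constructed for illustration; the empty string is the value suggested in the thread for a region's default key.

```python
import json

def parse_copy_to(copy_to):
    """Split a comma-separated region string, dropping blanks and duplicates."""
    regions = []
    for name in copy_to.split(","):
        name = name.strip()
        if name and name not in regions:
            regions.append(name)
    return regions

def apply_copy_to(template, copy_to, region_keys=None):
    """Return a copy of the template with ami_regions and, for encrypted
    builds, region_kms_key_ids filled in for every region in copy_to."""
    region_keys = region_keys or {}
    regions = parse_copy_to(copy_to)
    out = json.loads(json.dumps(template))  # deep copy of JSON-safe data
    for builder in out.get("builders", []):
        if builder.get("type") != "amazon-ebs":
            continue
        builder["ami_regions"] = regions
        if builder.get("encrypt_boot"):
            # "" is the value suggested in the thread for the region's default key.
            builder["region_kms_key_ids"] = {r: region_keys.get(r, "") for r in regions}
        else:
            builder.pop("region_kms_key_ids", None)
    return out

def missing_region_keys(template):
    """List (builder, region) pairs where an encrypted build would copy to a
    region that has no entry in region_kms_key_ids."""
    problems = []
    for builder in template.get("builders", []):
        if builder.get("type") != "amazon-ebs" or not builder.get("encrypt_boot"):
            continue
        keys = builder.get("region_kms_key_ids", {})
        for region in builder.get("ami_regions", []):
            if region not in keys:
                problems.append((builder.get("name", "amazon-ebs"), region))
    return problems

# Constructed template standing in for dockerhost.json (not the poster's file).
SAMPLE = {"builders": [{"type": "amazon-ebs", "region": "us-west-2",
                        "encrypt_boot": True,
                        "ami_regions": ["us-west-1", "eu-central-1"]}]}

if __name__ == "__main__":
    print(missing_region_keys(SAMPLE))
    fixed = apply_copy_to(SAMPLE, "us-west-1, eu-central-1",
                          {"eu-central-1": "alias/example-ami-key"})  # placeholder alias
    print(json.dumps(fixed, indent=2))
```

Running missing_region_keys over the generated template before packer build catches a region added to the copy list without a key entry.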