We did it a little differently. We created an unencrypted AMI using Packer and
then copied it to all other accounts using a small Python boto3 script; while
copying, we enabled the encryption flag in the API to create the encrypted AMI. I
think this is simpler than what you have.

Regards,
Harish Panwar
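
The approach described above (copy the shared, unencrypted AMI from inside each target account with the encryption flag set), as an added example that is not part of the original message and is not the poster's script. It assumes the AMI and its backing snapshot are already shared with the target account; the role name, account ID, AMI ID and key ARN are constructed placeholders.

```python
"""Encrypt-on-copy of a shared AMI into a target account, with a post-copy check."""


def client_for_account(role_arn, region):
    """EC2 client in the target account via an assumed role (role is an assumption)."""
    import boto3  # lazy import: copy_encrypted() itself only needs an EC2 client
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="ami-encrypt-copy")["Credentials"]
    return boto3.client(
        "ec2", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"])


def copy_encrypted(ec2, source_ami, source_region, kms_key_arn, name):
    """Copy source_ami into the account behind `ec2`, encrypting with kms_key_arn.

    kms_key_arn must be the full key ARN: describe_snapshots reports the ARN,
    so an alias or bare key ID would fail the comparison below.
    """
    new_ami = ec2.copy_image(
        Name=name, SourceImageId=source_ami, SourceRegion=source_region,
        Encrypted=True, KmsKeyId=kms_key_arn)["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[new_ami])

    # Verify the result instead of trusting the request: every EBS-backed
    # mapping must point at a snapshot encrypted under the expected key.
    image = ec2.describe_images(ImageIds=[new_ami])["Images"][0]
    snap_ids = [m["Ebs"]["SnapshotId"]
                for m in image["BlockDeviceMappings"] if "Ebs" in m]
    if not snap_ids:
        raise RuntimeError(f"{new_ami}: no EBS snapshots to verify")
    for snap in ec2.describe_snapshots(SnapshotIds=snap_ids)["Snapshots"]:
        if not snap.get("Encrypted") or snap.get("KmsKeyId") != kms_key_arn:
            raise RuntimeError(
                f"{new_ami}: {snap['SnapshotId']} is not encrypted with {kms_key_arn}")
    return new_ami


if __name__ == "__main__":
    # Constructed placeholders; the account ID, role name, key ARN and AMI ID
    # are not from the thread.
    targets = {"111111111111": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE"}
    for account, key_arn in targets.items():
        ec2 = client_for_account(
            f"arn:aws:iam::{account}:role/ami-copier", "us-east-1")
        print(account, copy_encrypted(
            ec2, "ami-00000000", "us-east-1", key_arn, "centos7-encrypted"))
```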


On Fri, Jul 13, 2018 at 11:53 AM 'Andrew Thompson' via Packer <
[email protected]> wrote:

> I have a very similar setup.  I'm using Packer to create and share an
> unencrypted AMI with multiple accounts, then in those accounts I run Packer
> again to encrypt the source AMI (no provisioners).  I'm wondering if it's
> possible to skip launching the instance and just do the encryption/sharing
> steps?  I was doing this myself previously, but I think Packer handles this
> much better than I can.
>
> On Friday, June 1, 2018 at 5:53:26 AM UTC-4, Rickard von Essen wrote:
>>
>> Since this is more of image life cycle management this is out of scope
>> for Packer. (Packer would need to access multiple AWS accounts, etc).
>>
>> I would write a simple Python + Boto3 script since you seem to have a
>> fairly complex setup. Or a bash script if you want to be quick and dirty.
>>
>> On 1 June 2018 at 11:28, Sumit Joshi <[email protected]> wrote:
>>
>>> Thank you again for replying Rickard.
>>>
>>> I have to create AMI in 7 different AWS accounts using encrypted
>>> snapshots
>>> ami_users = ["88682111111", "9951111111", "4801111111", "111114799942",
>>> "86411113717", "2271111124", "482111111127"]
>>>
>>> I have a query regarding this:
>>> Now, Each AWS account has encrypted snapshot access, I need to perform
>>> the following for each AWS account
>>> - Copy snapshot in target account
>>> - specify Region and Master Key
>>> - Create Image (AMI) using that snapshot in at least one region
>>>
>>>
>>> *My question is:*
>>> As a part of the Packer JSON file, how do I do this? (Do I need to use a
>>> post-processor?)
>>> Or should I write one Python script which uses the AWS CLI and loops over
>>> the 7 AWS accounts and performs the above steps, or use Terraform after the
>>> packer build command?
>>>
>>> Can you suggest the better way to do this?
>>>
>>> On Friday, June 1, 2018 at 1:02:37 PM UTC+5:30, Rickard von Essen wrote:
>>>>
>>>> Yeah sorry about that, forgot about that limitation. You should use
>>>> register-image *).
>>>>
>>>> Rickard
>>>>
>>>> *)
>>>> https://docs.aws.amazon.com/cli/latest/reference/ec2/register-image.html
>>>>
>>>> On 1 June 2018 at 08:39, Sumit Joshi <[email protected]> wrote:
>>>>
>>>>> Thank you for the reply, Rickard!
>>>>>
>>>>> But we can't share the encrypted AMI with the other AWS accounts,
>>>>> right?
>>>>>
>>>>> I have used "ami_users" in the JSON config and I got below error:
>>>>> *Error modify AMI attributes: UnsupportedOperation: *
>>>>> *The requested operation is not supported. Images associated with
>>>>> encrypted Snapshots can not be shared*
>>>>>
>>>>> due to which I have used only "snapshot_users" which shares the
>>>>> encrypted snapshot with other AWS account.
>>>>>
>>>>> Mainly I am trying, In the source AWS account I have created encrypted
>>>>> AMI and in the target AWS Account has access for encrypted snapshot. In
>>>>> the target I need to create AMI from copied snapshot (from shared
>>>>> encrypted snapshot).
>>>>>
>>>>> Any pointers on this?
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Sumit
>>>>>
>>>>> On Thursday, May 31, 2018 at 11:49:59 PM UTC+5:30, Rickard von Essen
>>>>> wrote:
>>>>>>
>>>>>> Why don't you just use ami_users to authorize the other accounts to
>>>>>> launch instances from the AMI?
>>>>>>
>>>>>> https://www.packer.io/docs/builders/amazon-ebs.html#ami_users
>>>>>>
>>>>>>
>>>>>> On Thu, May 31, 2018, 16:35 Sumit Joshi <[email protected]> wrote:
>>>>>>
>>>>>>> I have created encrypted AMI (backed by EBS) using packer and
>>>>>>> sharing the encrypted EBS snapshots with other AWS accounts (Using
>>>>>>> "snapshot_users" parameter). Also, given access to other AWS accounts
>>>>>>> for KMS keys.
>>>>>>>
>>>>>>> Now in the target AWS account, I want to create AMI using the shared
>>>>>>> encrypted snapshot. I know the manual steps that needs to be done in
>>>>>>> target AWS account:
>>>>>>> - Copy the snapshots to the target region and reencrypt them using
>>>>>>> the target account’s KMS encryption keys in the target region.
>>>>>>> - Have the target account create an AMI using the encrypted EBS
>>>>>>> snapshots in the target region.
>>>>>>>
>>>>>>>
>>>>>>> But, How to do this using Packer ? with below packer config, Once
>>>>>>> encrypted AMI is generated & shared, how to perform above manual step
>>>>>>> using packer.
>>>>>>>
>>>>>>> My JSON config:
>>>>>>> ...
>>>>>>>  "builders": [
>>>>>>>    {
>>>>>>>      "type": "amazon-ebs",
>>>>>>>      "access_key": "{{user `aws_access_key_id`}}",
>>>>>>>      "secret_key": "{{user `aws_secret_access_key`}}",
>>>>>>>      "token": "{{user `aws_session_token`}}",
>>>>>>>      "region": "us-east-1",
>>>>>>>      "source_ami": "ami-f2368c8d",
>>>>>>>      "ami_regions": ["us-west-1", "us-west-2", "eu-west-1"],
>>>>>>>      "instance_type": "t2.large",
>>>>>>>      "ssh_username": "cloud-user",
>>>>>>>      "ssh_pty": true,
>>>>>>>      "ami_name": "centos7_aws_packer_{{timestamp}}_{{user `build_tag`}}",
>>>>>>>      "vpc_id": "{{user `aws_vpc_id`}}",
>>>>>>>      "subnet_id": "{{user `aws_subnet_id`}}",
>>>>>>>      "encrypt_boot": true,
>>>>>>>      "kms_key_id": "ddddaaaww-ccv-wwwa-ddsds-fddd",
>>>>>>>      "region_kms_key_ids": {
>>>>>>>        "us-west-1": "arn:aws:kms:us-west-1:11111211:key/xxxxxxxxxx-xxxxx-xxxxxx-1111-xxxxx",
>>>>>>>        "us-west-2": "arn:aws:kms:us-west-2:11111211:key/xxxxxx-7xxxx26f-xxxx-xxxx-xxxxxxxx",
>>>>>>>        "eu-west-1": "arn:aws:kms:eu-west-1:11111211:key/xxxx-xxxxxxxxxxx-xxxxxxx-xxxxx-xxx"
>>>>>>>      },
>>>>>>>      "snapshot_users": ["88682111111", "9951111111", "4801111111",
>>>>>>>                         "111114799942", "86411113717", "2271111124", "482111111127"]
>>>>>>>    }
>>>>>>>  ]
>>>>>>>
>>>>>>>
>>>>>>> Any help/pointer is appreciated.
>>>>>>> Thanks!
>>>>>>>
>>>>>>> --
>>>>>>> This mailing list is governed under the HashiCorp Community
>>>>>>> Guidelines - https://www.hashicorp.com/community-guidelines.html.
>>>>>>> Behavior in violation of those guidelines may result in your removal 
>>>>>>> from
>>>>>>> this mailing list.
>>>>>>>
>>>>>>> GitHub Issues: https://github.com/mitchellh/packer/issues
>>>>>>> IRC: #packer-tool on Freenode
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "Packer" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to [email protected].
>>>>>>> To view this discussion on the web visit
>>>>>>> https://groups.google.com/d/msgid/packer-tool/d2f5cc92-f081-4c67-83e4-77b9fe92a29c%40googlegroups.com
>>>>>>> <https://groups.google.com/d/msgid/packer-tool/d2f5cc92-f081-4c67-83e4-77b9fe92a29c%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>>>> .
>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>>
