add some extra layers of validation to make sure that people don't trip over...

add some extra layers of validation to make sure that people don't trip over magical encrypt_boot settings later in the build

add some extra layers of validation to make sure that people don't trip over...
add some extra layers of validation to make sure that people don't trip over magical encrypt_boot settings later in the build
7cf47fc4 · Megan Marsh · 0b9391b0 · 7cf47fc4 · 7cf47fc4
Commit 7cf47fc4 authored 5 years ago by Megan Marsh
Hide whitespace changes
Inline Side-by-side

Showing

with 22 additions and 8 deletions
+22 -8
--- a/builder/amazon/common/ami_config.go
+++ b/builder/amazon/common/ami_config.go
@@ -170,17 +170,23 @@ func (c *AMIConfig) Prepare(accessConfig *AccessConfig, ctx *interpolate.Context
 		}
 	}

-	var kmsKeys []string
+	kmsKeys := make([]string, 0)
 	if len(c.AMIKmsKeyId) > 0 {
 		kmsKeys = append(kmsKeys, c.AMIKmsKeyId)
 	}
 	if len(c.AMIRegionKMSKeyIDs) > 0 {
 		for _, kmsKey := range c.AMIRegionKMSKeyIDs {
-			if len(kmsKey) == 0 {
-				kmsKeys = append(kmsKeys, c.AMIKmsKeyId)
+			if len(kmsKey) > 0 {
+				kmsKeys = append(kmsKeys, kmsKey)
 			}
 		}
 	}
+
+	if len(kmsKeys) > 0 && !c.AMIEncryptBootVolume.True() {
+		errs = append(errs, fmt.Errorf("If you have set either "+
+			"region_kms_key_ids or kms_key_id, encrypt_boot must also be true."))
+
+	}
 	for _, kmsKey := range kmsKeys {
 		if !validateKmsKey(kmsKey) {
 			errs = append(errs, fmt.Errorf("%s is not a valid KMS Key Id.", kmsKey))
@@ -188,8 +194,9 @@ func (c *AMIConfig) Prepare(accessConfig *AccessConfig, ctx *interpolate.Context
 	}

 	if len(c.SnapshotUsers) > 0 {
-		if len(c.AMIKmsKeyId) == 0 && c.AMIEncryptBootVolume.True() {
-			errs = append(errs, fmt.Errorf("Cannot share snapshot encrypted with default KMS key"))
+		if len(c.AMIKmsKeyId) == 0 && len(c.AMIRegionKMSKeyIDs) == 0 && c.AMIEncryptBootVolume.True() {
+			errs = append(errs, fmt.Errorf("Cannot share snapshot encrypted "+
+				"with default KMS key"))
 		}
 		if len(c.AMIRegionKMSKeyIDs) > 0 {
 			for _, kmsKey := range c.AMIRegionKMSKeyIDs {

--- a/builder/amazon/common/step_ami_region_copy.go
+++ b/builder/amazon/common/step_ami_region_copy.go
@@ -83,9 +83,16 @@ func (s *StepAMIRegionCopy) Run(ctx context.Context, state multistep.StateBag) m
 			s.RegionKeyIds = make(map[string]string)
 		}

-		// Make sure the kms_key_id for the original region is in the map
-		if _, ok := s.RegionKeyIds[s.OriginalRegion]; !ok {
-			s.RegionKeyIds[s.OriginalRegion] = s.AMIKmsKeyId
+		// Make sure the kms_key_id for the original region is in the map, as
+		// long as the AMIKmsKeyId isn't being defaulted.
+		if s.AMIKmsKeyId != "" {
+			if _, ok := s.RegionKeyIds[s.OriginalRegion]; !ok {
+				s.RegionKeyIds[s.OriginalRegion] = s.AMIKmsKeyId
+			}
+		} else {
+			if regionKey, ok := s.RegionKeyIds[s.OriginalRegion]; ok {
+				s.AMIKmsKeyId = regionKey
+			}
 		}
 	}