Allow for multi-region, cross account copy

ConsultingMD · Sep 24, 2022 · 92edbdb · 92edbdb
1 parent 893889a
commit 92edbdb
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 6 deletions.
diff --git a/amazon-eks-al2.pkr.hcl b/amazon-eks-al2.pkr.hcl
@@ -27,6 +27,7 @@ source "amazon-ebs" "this" {
     device_name           = "/dev/sdb"
     volume_size           = var.data_volume_size
     volume_type           = "gp2"
+    encrypted             = true
   }
 
   ami_description         = "EKS Kubernetes Worker AMI with AmazonLinux2 image"
@@ -36,35 +37,46 @@ source "amazon-ebs" "this" {
 
   launch_block_device_mappings {
     delete_on_termination = true
-    device_name           = "/dev/sda1"
+    device_name           = "/dev/xvda"
     volume_size           = var.root_volume_size
     volume_type           = "gp2"
+    encrypted             = true
+    kms_key_id            = var.kms_key_id
   }
 
   launch_block_device_mappings {
     delete_on_termination = true
     device_name           = "/dev/sdb"
     volume_size           = var.data_volume_size
     volume_type           = "gp2"
+    encrypted             = true
+    kms_key_id            = var.kms_key_id
   }
 
+  encrypt_boot = var.encrypt_boot
+  kms_key_id   = var.kms_key_id
+
   region = var.aws_region
 
   run_tags = {
     Name = local.target_ami_name
   }
 
-  source_ami    = data.amazon-ami.this.id
-  subnet_id     = var.subnet_id
-  ami_regions   = var.ami_regions
-  ami_users     = var.ami_users
+  source_ami = data.amazon-ami.this.id
 
+  subnet_id     = var.subnet_id
   ssh_pty       = true
   ssh_interface = var.ssh_interface
   ssh_username  = var.source_ami_ssh_user
 
   temporary_security_group_source_public_ip = var.temporary_security_group_source_public_ip
 
+  ami_regions        = var.ami_regions
+  region_kms_key_ids = var.region_kms_key_ids
+  ami_org_arns       = var.ami_org_arns
+  ami_users          = var.ami_users
+  snapshot_users     = var.snapshot_users
+
   tags = {
     os_version        = "Amazon Linux 2"
     source_image_name = "{{ .SourceAMIName }}"

diff --git a/scripts/partition-disks.sh b/scripts/partition-disks.sh
@@ -51,7 +51,7 @@ migrate_and_mount_disk() {
     fi
 }
 
-disk_name='/dev/nvme2n1'
+disk_name='/dev/nvme1n1'
 
 # partition the disk
 parted -a optimal -s $disk_name \

diff --git a/variables.pkr.hcl b/variables.pkr.hcl
@@ -16,6 +16,24 @@ variable "root_volume_size" {
   default     = 10
 }
 
+variable "encrypt_boot" {
+  description = "Whether or not to encrypt the resulting AMI when copying a provisioned instance to an AMI."
+  type        = bool
+  default     = false
+}
+
+variable "kms_key_id" {
+  description = "ID, alias or ARN of the KMS key to use for AMI encryption. This only applies to the main."
+  type        = string
+  default     = null
+}
+
+variable "region_kms_key_ids" {
+  description = "Regions to copy the ami to, along with the custom kms key id (alias or arn) to use for encryption for that region."
+  type        = map(string)
+  default     = null
+}
+
 variable "eks_version" {
   description = "The EKS cluster version associated with the AMI created"
   type        = string
@@ -100,8 +118,20 @@ variable "ami_regions" {
   default     = []
 }
 
+variable "ami_org_arns" {
+  description = "A list of Amazon Resource Names (ARN) of AWS Organizations that have access to launch the resulting AMI(s)."
+  type        = list(string)
+  default     = []
+}
+
 variable "ami_users" {
   description = "A list of account IDs that have access to launch the resulting AMI(s). By default no additional users other than the user creating the AMI has permissions to launch it."
   type        = list(string)
   default     = []
 }
+
+variable "snapshot_users" {
+  description = "A list of account IDs that have access to create volumes from the snapshot(s)."
+  type        = list(string)
+  default     = []
+}