packer-plugin-amazon

Packer >=1.7.3 JSON AWS Variables Key and Value Issue

Open hc-github-team-packer opened this issue 4 years ago • 4 comments

This issue was originally opened by @BClev in https://github.com/hashicorp/packer/issues/11169 and has been migrated to this repository. The original issue description is below.


Background

In versions of Packer before 1.7.3, the following worked fine for JSON:

In Packer var file (e.g. packer-vars.json):

...
    "aws_region": "us-east-1",
    "ami_regions": "us-east-1",
    "kms_key_id": "arn:aws:kms:us-east-1:<account>:key/<id>",
...

In Packer json file under builders:

...
      "region": "{{user `aws_region`}}",
      "ami_regions": ["{{user `ami_regions`}}"],
...
      "kms_key_id": "{{user `kms_key_id`}}",
      "region_kms_key_ids": {
        "{{user `aws_region`}}": "{{user `kms_key_id`}}"
      },
...

In case there were additional regions, I'd just append an increasing numeral to the additional items under region_kms_key_ids (e.g. aws_region1)

Issue

Running this in Packer >1.7.3, the following error occurs:

2021/07/27 16:38:58 packer-builder-amazon-ebs plugin: [INFO] (aws): No AWS timeout and polling overrides have been set. Packer will default to waiter-specific delays and timeouts. If you would like to customize the length of time between retries and max number of retries you may do so by setting the environment variables AWS_POLL_DELAY_SECONDS and AWS_MAX_ATTEMPTS or the configuration options aws_polling_delay_seconds and aws_polling_max_attempts to your desired values.
2021/07/27 16:38:58 packer-builder-amazon-ebs plugin: Cannot copy AMI to AWS session region 'us-east-1', deleting it from `ami_regions`.
2021/07/27 16:38:58 Build 'amazon-ebs' prepare failure: 1 error(s) occurred:

* "{{user `kms_key_id`}}" is not a valid KMS Key Id.

1 error(s) occurred:

* "{{user `kms_key_id`}}" is not a valid KMS Key Id.

I've tried changing the KMS key ID to an alias or the ID itself. The only fix is to either remove the "region_kms_key_ids" entirely (which works for single-region deployments but not multi), or hardcode either the region or kms_key_id:

      "region_kms_key_ids": {
        "us-east-1": "{{user `kms_key_id`}}"
      },

or

      "region_kms_key_ids": {
        "{{user `aws_region`}}": "arn:aws:kms:us-east-1:<account>:key/<id>"
      },

It's almost as if having a variable on each side of the mapping is causing the issue. Again, this worked fine prior to 1.7.3.

hc-github-team-packer, Aug 04 '21 08:08

Correction: Still seems fine for us-east-1 somehow, but does not work in GovCloud regions (us-gov-east-1/us-gov-west-1)

BClev, Aug 05 '21 19:08

I bet the key id validation is too naive to handle gov-cloud regions. We'll investigate when we get a chance.

SwampDragons, Aug 17 '21 02:08

@SwampDragons Any updates on this? Just checking in.

BClev, Oct 20 '21 21:10

Sorry, we haven't had a chance to look at this yet.

SwampDragons, Oct 20 '21 23:10
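The thread raises two separate failure modes for `region_kms_key_ids`: the log shows the literal `{{user ...}}` string reaching validation, and a maintainer suspects the key check does not handle GovCloud. The Go pre-flight check below is an added example, not code from this issue or from the plugin; `naiveARN` is a hypothetical pattern written to illustrate the suspected problem, and the account and key ids are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

const (
	keyID = `[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}`
	alias = `alias/[a-zA-Z0-9/_-]+`
)

var (
	// Hypothetical naive pattern (an assumption, not the plugin's regex): it
	// hardcodes the commercial "aws" partition, so GovCloud ARNs never match.
	naiveARN = regexp.MustCompile(`^arn:aws:kms:[a-z]{2}-[a-z]+-\d:\d{12}:(key/` + keyID + `|` + alias + `)$`)
	// Partition-aware pattern; submatch 2 is the region inside the ARN.
	partARN = regexp.MustCompile(`^arn:(aws|aws-us-gov|aws-cn):kms:([a-z]{2}(?:-[a-z]+)+-\d):\d{12}:(?:key/` + keyID + `|` + alias + `)$`)
	bareKey = regexp.MustCompile(`^(?:` + keyID + `|` + alias + `)$`)
)

// CheckRegionKeys reports problems in a region_kms_key_ids map as it looks
// after variable substitution should have happened. Findings are sorted.
func CheckRegionKeys(m map[string]string) []string {
	var out []string
	for region, key := range m {
		switch arn := partARN.FindStringSubmatch(key); {
		case strings.Contains(region+key, "{{"):
			out = append(out, region+": uninterpolated template")
		case arn != nil && arn[2] != region:
			out = append(out, region+": key ARN is for "+arn[2])
		case arn == nil && !bareKey.MatchString(key):
			out = append(out, region+": not a KMS key id, alias or ARN")
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample values; the account and key ids are made up.
	gov := "arn:aws-us-gov:kms:us-gov-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
	fmt.Println("naive pattern accepts GovCloud ARN:", naiveARN.MatchString(gov))
	fmt.Println(CheckRegionKeys(map[string]string{
		"us-gov-east-1": gov, "us-gov-west-1": gov, "us-east-1": "{{user `kms_key_id`}}",
	}))
}
```

KMS keys are regional, so an ARN whose region differs from its map key is reported even though the ARN itself is well formed.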