Allow for encrypted multi-region, cross account use

ConsultingMD · Sep 25, 2022 · 3cc040a · 3cc040a
1 parent 0975b6e
commit 3cc040a
Show file tree

Hide file tree

Showing 3 changed files with 86 additions and 7 deletions.
diff --git a/amazon-eks-al2.pkr.hcl b/amazon-eks-al2.pkr.hcl
@@ -1,7 +1,7 @@
 locals {
   timestamp = regex_replace(timestamp(), "[- TZ:]", "")
 
-  target_ami_name = "${var.ami_name_prefix}-${var.eks_version}-${local.timestamp}"
+  target_ami_name = "${var.ami_name_prefix}-${var.eks_version}-v${local.timestamp}"
 }
 
 data "amazon-ami" "this" {
@@ -27,6 +27,7 @@ source "amazon-ebs" "this" {
     device_name           = "/dev/sdb"
     volume_size           = var.data_volume_size
     volume_type           = "gp2"
+    encrypted             = true
   }
 
   ami_description         = "EKS Kubernetes Worker AMI with AmazonLinux2 image"
@@ -36,28 +37,46 @@ source "amazon-ebs" "this" {
 
   launch_block_device_mappings {
     delete_on_termination = true
-    device_name           = "/dev/sda1"
+    device_name           = "/dev/xvda"
     volume_size           = var.root_volume_size
     volume_type           = "gp2"
+    encrypted             = true
+    kms_key_id            = var.kms_key_id
   }
 
   launch_block_device_mappings {
     delete_on_termination = true
     device_name           = "/dev/sdb"
     volume_size           = var.data_volume_size
     volume_type           = "gp2"
+    encrypted             = true
+    kms_key_id            = var.kms_key_id
   }
 
+  encrypt_boot = var.encrypt_boot
+  kms_key_id   = var.kms_key_id
+
   region = var.aws_region
 
   run_tags = {
     Name = local.target_ami_name
   }
 
-  source_ami   = data.amazon-ami.this.id
-  ssh_pty      = true
-  ssh_username = var.source_ami_ssh_user
-  subnet_id    = var.subnet_id
+  source_ami = data.amazon-ami.this.id
+
+  subnet_id     = var.subnet_id
+  ssh_pty       = true
+  ssh_interface = var.ssh_interface
+  ssh_username  = var.source_ami_ssh_user
+
+  temporary_security_group_source_cidrs     = var.temporary_security_group_source_cidrs
+  temporary_security_group_source_public_ip = var.temporary_security_group_source_public_ip
+
+  ami_regions        = var.ami_regions
+  region_kms_key_ids = var.region_kms_key_ids
+  ami_org_arns       = var.ami_org_arns
+  ami_users          = var.ami_users
+  snapshot_users     = var.snapshot_users
 
   tags = {
     os_version        = "Amazon Linux 2"

diff --git a/scripts/partition-disks.sh b/scripts/partition-disks.sh
@@ -51,7 +51,7 @@ migrate_and_mount_disk() {
     fi
 }
 
-disk_name='/dev/nvme2n1'
+disk_name='/dev/nvme1n1'
 
 # partition the disk
 parted -a optimal -s $disk_name \

diff --git a/variables.pkr.hcl b/variables.pkr.hcl
@@ -16,6 +16,24 @@ variable "root_volume_size" {
   default     = 10
 }
 
+variable "encrypt_boot" {
+  description = "Whether or not to encrypt the resulting AMI when copying a provisioned instance to an AMI."
+  type        = bool
+  default     = false
+}
+
+variable "kms_key_id" {
+  description = "ID, alias or ARN of the KMS key to use for AMI encryption. This only applies to the main."
+  type        = string
+  default     = null
+}
+
+variable "region_kms_key_ids" {
+  description = "Regions to copy the ami to, along with the custom kms key id (alias or arn) to use for encryption for that region."
+  type        = map(string)
+  default     = null
+}
+
 variable "eks_version" {
   description = "The EKS cluster version associated with the AMI created"
   type        = string
@@ -81,3 +99,45 @@ variable "ami_name_prefix" {
   type        = string
   default     = "amazon-eks-node"
 }
+
+variable "temporary_security_group_source_cidrs" {
+  description = "A list of IPv4 CIDR blocks to be authorized access to the instance, when packer is creating a temporary security group."
+  type        = list(string)
+  default     = []
+}
+
+variable "temporary_security_group_source_public_ip" {
+  description = "When enabled, use public IP of the host (obtained from https://checkip.amazonaws.com) as IPv4 CIDR block to be authorized access to the instance, when packer is creating a temporary security group"
+  type        = bool
+  default     = false
+}
+
+variable "ssh_interface" {
+  description = "If set, either the public IP address, private IP address, public DNS name or private DNS name will be used as the host for SSH. The default behaviour if inside a VPC is to use the public IP address if available, otherwise the private IP address will be used. If not in a VPC the public DNS name will be used."
+  type        = string
+  default     = "private_ip"
+}
+
+variable "ami_regions" {
+  description = "A list of regions to copy the AMI to. Tags and attributes are copied along with the AMI. AMI copying takes time depending on the size of the AMI, but will generally take many minutes."
+  type        = list(string)
+  default     = []
+}
+
+variable "ami_org_arns" {
+  description = "A list of Amazon Resource Names (ARN) of AWS Organizations that have access to launch the resulting AMI(s)."
+  type        = list(string)
+  default     = []
+}
+
+variable "ami_users" {
+  description = "A list of account IDs that have access to launch the resulting AMI(s). By default no additional users other than the user creating the AMI has permissions to launch it."
+  type        = list(string)
+  default     = []
+}
+
+variable "snapshot_users" {
+  description = "A list of account IDs that have access to create volumes from the snapshot(s)."
+  type        = list(string)
+  default     = []
+}