copy ami to other regions issue


Frank Dias

Feb 4, 2019, 1:33:37 PM
to Packer
I am using the following packer file; it is failing on the last function of copying to other regions.
Copying encrypted AMI not supported. I would think that it would copy first then encrypt.
Any help would be greatly appreciated.

Frank
 
{
  "_comment": "To create a new AMI in us-west-2 run:",
  "_comment": "  packer build -var aws_region='us-west-2' dockerhost.json",
  "_comment": "To create an AMI and copy to one or more regions, run:",
  "_comment": "  packer build -var aws_region='us-west-2' -var copy_to='us-west-1,eu-central-1' dockerhost.json",
  "variables": {
    "aws_region": "",
    "copy_to": "",
    "aws_vpc_id": "",
    "aws_subnet_id": "",
    "instance_type": "m3.medium",
    "version": "0.0.3"
  },
  "builders": [{
    "type": "amazon-ebs",
    "vpc_id": "{{user `aws_vpc_id`}}",
    "subnet_id": "{{user `aws_subnet_id`}}",
    "region": "{{user `aws_region`}}",
    "ami_regions": "{{user `copy_to`}}",
    "source_ami_filter": {
      "filters": {
        "virtualization-type": "hvm",
        "name": "CentOS Linux 7*",
        "state": "available",
        "root-device-type": "ebs"
      },
      "owners": [ "679593333241" ],
      "most_recent": true
    },
    "user_data_file": "./scripts/disable_requiretty.sh",
    "instance_type": "{{user `instance_type`}}",
    "ssh_username": "centos",
    "ami_name": "dockerhost {{timestamp}}",
    "encrypt_boot": true,
    "ena_support": true,
    "tags": {
      "Owner": "arrayent",
      "Version": "{{user `version`}}",
      "Environment": "packer build"
    }
  }],
  "provisioners": [{
    "type": "ansible",
    "user": "centos",
    "extra_arguments": "-vvv",
    "pause_before": "10s",
    "sftp_command": "/usr/libexec/openssh/sftp-server",
    "playbook_file": "../playbooks/packer/play.yml"
  }]
}

Rickard von Essen

Feb 4, 2019, 2:19:21 PM
to packe...@googlegroups.com
What's the error message you are getting?

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/packer/issues
IRC: #packer-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Packer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to packer-tool...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/ee19e981-65b7-4df8-9c99-8be1012d53ee%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Frank Dias

Feb 4, 2019, 7:15:23 PM
to Packer
==> amazon-ebs: Stopping the source instance...
    amazon-ebs: Stopping instance, attempt 1
==> amazon-ebs: Waiting for the instance to stop...
==> amazon-ebs: Enabling Enhanced Networking (ENA)...
==> amazon-ebs: Creating unencrypted AMI FwOBiwF from instance i-0f3f4ac15c6b6cbc5
    amazon-ebs: AMI: ami-0f75316b152634e4f
==> amazon-ebs: Waiting for AMI to become ready...
==> amazon-ebs: Creating Encrypted AMI Copy
==> amazon-ebs: Copying AMI: us-east-2(ami-0f75316b152634e4f)
==> amazon-ebs: Waiting for AMI copy to become ready...
==> amazon-ebs: Deregistering unencrypted AMI
==> amazon-ebs: Deleting unencrypted snapshots
    amazon-ebs: Deleting Snapshot ID: snap-00cfa506fcaa0d4ee
==> amazon-ebs: Copying AMI (ami-0419bfd39943f48db) to other regions...
    amazon-ebs: Copying to: us-west-1
    amazon-ebs: Copying to: us-west-2
    amazon-ebs: Copying to: us-east-1
    amazon-ebs: Waiting for all copies to complete...
==> amazon-ebs: 3 error(s) occurred:
==> amazon-ebs: 
==> amazon-ebs: * Error Copying AMI (ami-0419bfd39943f48db) to region (us-east-1): InvalidRequest: Snapshot snap-05657965eb9352840 is encrypted. Creating unencrypted copy from an encrypted snapshot is not supported.
==> amazon-ebs: status code: 400, request id: 150f7ab3-6001-48cd-a768-f604952bf43b
==> amazon-ebs: * Error Copying AMI (ami-0419bfd39943f48db) to region (us-west-1): InvalidRequest: Snapshot snap-05657965eb9352840 is encrypted. Creating unencrypted copy from an encrypted snapshot is not supported.
==> amazon-ebs: status code: 400, request id: bffa5254-8dd2-4b7d-b826-09ac26eb787d
==> amazon-ebs: * Error Copying AMI (ami-0419bfd39943f48db) to region (us-west-2): InvalidRequest: Snapshot snap-05657965eb9352840 is encrypted. Creating unencrypted copy from an encrypted snapshot is not supported.
==> amazon-ebs: status code: 400, request id: 4b8a7831-4909-4707-84c4-1535b0a8f17d
==> amazon-ebs: Deregistering the AMI because cancellation or error...
==> amazon-ebs: Deregistering the AMI because cancellation or error...
==> amazon-ebs: Error deregistering AMI, may still be around: InvalidAMIID.Unavailable: The image ID 'ami-0f75316b152634e4f' is no longer available
==> amazon-ebs: status code: 400, request id: b83c1a0b-c407-492d-8793-8342220f1735
==> amazon-ebs: Terminating the source AWS instance...
==> amazon-ebs: Cleaning up any extra volumes...
==> amazon-ebs: Destroying volume (vol-0df7658d7627c001f)...
==> amazon-ebs: Deleting temporary security group...
==> amazon-ebs: Deleting temporary keypair...
Build 'amazon-ebs' errored: 3 error(s) occurred:

* Error Copying AMI (ami-0419bfd39943f48db) to region (us-east-1): InvalidRequest: Snapshot snap-05657965eb9352840 is encrypted. Creating unencrypted copy from an encrypted snapshot is not supported.
status code: 400, request id: 150f7ab3-6001-48cd-a768-f604952bf43b
* Error Copying AMI (ami-0419bfd39943f48db) to region (us-west-1): InvalidRequest: Snapshot snap-05657965eb9352840 is encrypted. Creating unencrypted copy from an encrypted snapshot is not supported.
status code: 400, request id: bffa5254-8dd2-4b7d-b826-09ac26eb787d
* Error Copying AMI (ami-0419bfd39943f48db) to region (us-west-2): InvalidRequest: Snapshot snap-05657965eb9352840 is encrypted. Creating unencrypted copy from an encrypted snapshot is not supported.
status code: 400, request id: 4b8a7831-4909-4707-84c4-1535b0a8f17d

==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: 3 error(s) occurred:

* Error Copying AMI (ami-0419bfd39943f48db) to region (us-east-1): InvalidRequest: Snapshot snap-05657965eb9352840 is encrypted. Creating unencrypted copy from an encrypted snapshot is not supported.
status code: 400, request id: 150f7ab3-6001-48cd-a768-f604952bf43b
* Error Copying AMI (ami-0419bfd39943f48db) to region (us-west-1): InvalidRequest: Snapshot snap-05657965eb9352840 is encrypted. Creating unencrypted copy from an encrypted snapshot is not supported.
status code: 400, request id: bffa5254-8dd2-4b7d-b826-09ac26eb787d
* Error Copying AMI (ami-0419bfd39943f48db) to region (us-west-2): InvalidRequest: Snapshot snap-05657965eb9352840 is encrypted. Creating unencrypted copy from an encrypted snapshot is not supported.
status code: 400, request id: 4b8a7831-4909-4707-84c4-1535b0a8f17d

==> Builds finished but no artifacts were created.

Rickard von Essen

Feb 5, 2019, 12:47:16 AM
to packe...@googlegroups.com
Hmm, that seems broken. Packer should create encrypted snapshot copies from the main encrypted snapshot. What version of Packer do you use?

Frank Dias

Feb 5, 2019, 8:30:09 AM
to Packer
1.3.3 and tried 1.3.4
I thought that it would copy the unencrypted copy to the new region and then encrypt. Encryption is region specific.

Rickard von Essen

Feb 5, 2019, 9:13:04 AM
to packe...@googlegroups.com

> I thought that it would copy the unencrypted copy to the new region and then encrypt. Encryption is region specific.

No, CopyImage can copy an encrypted AMI, but it will be re-encrypted with a KMS key that belongs to the new region.

As a workaround, try adding this to your template:

"region_kms_key_ids": {
  "us-west-1": "aws/ebs",
  "eu-central-1": "aws/ebs"
}

And add the regions that you might use in copy_to...

Reading the docs again suggests that:
"region_kms_key_ids": {
  "us-west-1": "",
  "eu-central-1": ""
}

should work too?

On Tue, Feb 5, 2019 at 2:30 PM Frank Dias <fr...@djfamily.net> wrote:
> 1.3.3 and tried 1.3.4
> I thought that it would copy the unencrypted copy to the new region and then encrypt. Encryption is region specific.


Frank Dias

Feb 5, 2019, 4:22:19 PM
to Packer
I did some testing and in the AWS web interface I am able to copy AMIs to other regions, so did this break in Packer?

Frank Dias

Feb 5, 2019, 5:30:18 PM
to Packer
Rickard,

What is the best way to generate a map from the copy_to string, so that the user sets copy_to and we do not have to hardcode the regions but take them as input?

frank 

John Roh

Feb 5, 2019, 6:52:55 PM
to packe...@googlegroups.com
Hi, Frank, 

We have used it as below, and are on Packer v1.2.3.

"variables": {
  "kms_key_id_eu-central-1": "arn:aws:kms:eu-central-1:[[aws account id]]:key/xxxx-xxx-xxx-xxx-xxxxx",
  "kms_key_id_us-west-2": "arn:aws:kms:us-west-2:[[aws account id]]:key/xxxx-xxx-xxx-xxx-xxxxx",
  "kms_key_id_us-east-1": "arn:aws:kms:us-east-1:[[aws account id]]:key/xxxx-xxx-xxx-xxx-xxxxx",
  "kms_key_id_eu-west-3": "arn:aws:kms:eu-west-3:[[aws account id]]:key/xxxx-xxx-xxx-xxx-xxxxx"
}

In the build section, you can pass as below.

"region_kms_key_ids": {
  "us-west-1": "{{user `kms_key_id_us-west-1`}}",
  "us-east-1": "{{user `kms_key_id_us-east-1`}}",
  "eu-west-2": "{{user `kms_key_id_eu-west-2`}}",
  "eu-central-1": "{{user `kms_key_id_eu-central-1`}}"
},

Frank Dias

Feb 6, 2019, 12:24:55 AM
to Packer
Let me take a step back for a minute.
This did work last March; I cannot remember which version of Packer was used.
I am not interested in assigning a different key per region.
What I want is the ability to create an AMI in one region and then copy the AMI to any region in the same account. It seems that this is no longer working.
The confusing portion is that I can create an AMI in a single region:
 "_comment": "To create a new AMI in us-west-2 run:",
 packer build -var aws_region='us-west-2' dockerhost.json

works every time and I can manually copy the AMI to any region using the AWS portal.

What has stopped working is when I include the copy_to list of regions:
  "_comment": "To create an AMI and copy to one or more regions, run:",
  packer build -var aws_region='us-west-2' -var copy_to='us-west-1,eu-central-1' dockerhost.json

* Error Copying AMI (ami-0419bfd39943f48db) to region (us-west-1): InvalidRequest: Snapshot snap-05657965eb9352840 is encrypted. Creating unencrypted copy from an encrypted snapshot is not supported.
status code: 400, request id: bffa5254-8dd2-4b7d-b826-09ac26eb787d

So that leads to the question: is the function broken for encrypted AMIs?
If I run the same config with:
   "encrypt_boot": false ,
packer build -var aws_region='us-west-2' -var copy_to='us-west-1,us-west-2' dockerhost.json
==> Builds finished. The artifacts of successful builds are:
--> amazon-ebs: AMIs were created:
us-west-1: ami-05ec9d716b4301a5b
us-west-2: ami-0dcacd69edba0beb8

But if I run the config with:
   "encrypt_boot": true ,
packer build -var aws_region='us-west-2' -var copy_to='us-west-1,us-west-2' dockerhost.json

==> amazon-ebs: 1 error(s) occurred:
==> amazon-ebs: 
==> amazon-ebs: * Error Copying AMI (ami-093d856058e911402) to region (us-west-1): InvalidRequest: Snapshot snap-0c21f1f2f16716f73 is encrypted. Creating unencrypted copy from an encrypted snapshot is not supported.
==> amazon-ebs: status code: 400, request id: 6c82fe92-5942-4c61-8312-89b8224471a1
==> amazon-ebs: Deregistering the AMI because cancellation or error...
==> amazon-ebs: Deregistering the AMI because cancellation or error...
==> amazon-ebs: Error deregistering AMI, may still be around: InvalidAMIID.Unavailable: The image ID 'ami-0888140c4a7226a51' is no longer available
==> amazon-ebs: status code: 400, request id: af4169fd-009c-42b6-bd35-d5b8663fdccc
==> amazon-ebs: Terminating the source AWS instance...
==> amazon-ebs: Cleaning up any extra volumes...
==> amazon-ebs: Destroying volume (vol-0260232693224011d)...
==> amazon-ebs: Deleting temporary security group...
==> amazon-ebs: Deleting temporary keypair...
Build 'amazon-ebs' errored: 1 error(s) occurred:

* Error Copying AMI (ami-093d856058e911402) to region (us-west-1): InvalidRequest: Snapshot snap-0c21f1f2f16716f73 is encrypted. Creating unencrypted copy from an encrypted snapshot is not supported.
status code: 400, request id: 6c82fe92-5942-4c61-8312-89b8224471a1

==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: 1 error(s) occurred:

* Error Copying AMI (ami-093d856058e911402) to region (us-west-1): InvalidRequest: Snapshot snap-0c21f1f2f16716f73 is encrypted. Creating unencrypted copy from an encrypted snapshot is not supported.
status code: 400, request id: 6c82fe92-5942-4c61-8312-89b8224471a1

==> Builds finished but no artifacts were created.

So the only difference is the "encrypt_boot" flag.

Frank

John Roh

Feb 6, 2019, 1:21:41 PM
to packe...@googlegroups.com
What is the status of your base image? Is it already encrypted, I assume? 

Frank Dias

Feb 6, 2019, 1:24:56 PM
to Packer
When it gets to the copy portion, the AMI is encrypted to be copied to other regions.

Rickard von Essen

Feb 6, 2019, 2:23:34 PM
to packe...@googlegroups.com
This was introduced in https://github.com/hashicorp/packer/pull/4948 v1.0.1

Before that only the default ebs kms key would be used in ami_regions.

On Wed, Feb 6, 2019 at 7:24 PM Frank Dias <fr...@djfamily.net> wrote:
> When it gets to the copy portion, the AMI is encrypted to be copied to other regions.


Rickard von Essen

Feb 6, 2019, 2:26:17 PM
to packe...@googlegroups.com
I would suggest that you just hardcode a map from all regions that might be used to "". That should solve it.

Frank Dias

Feb 6, 2019, 7:18:40 PM
to Packer
I believe that we have been just using the default ebs kms key; we are not defining any ebs kms keys. So I am guessing this no longer works using the default.

Frank Dias

Feb 11, 2019, 12:11:43 PM
to Packer
Rickard,

I am using a user var to list the regions
   "ami_regions": "{{user `copy_to`}}",
    "ami_regions": "{{user `copy_to`}}",
    "region_kms_key_ids": {
      "eu-central-1": "alias/aws/ebs",
      "eu-east-1": "alias/aws/ebs",
      "sa-east-1": "alias/aws/ebs",
      "us-east-1": "alias/aws/ebs",
      "us-east-2": "alias/aws/ebs",
      "us-west-1": "alias/aws/ebs",
      "us-west-1": "alias/aws/ebs"
    },

I cannot hardcode the region_kms_key_ids list; if the list does not match the ami_regions list, one gets the following error.
amazon-ebs output will be in this color.

6 error(s) occurred:

* Region sa-east-1 is in region_kms_key_ids but not in ami_regions
* Region us-east-1 is in region_kms_key_ids but not in ami_regions
* Region us-east-2 is in region_kms_key_ids but not in ami_regions
* Region eu-central-1 is in region_kms_key_ids but not in ami_regions
* Region eu-east-1 is in region_kms_key_ids but not in ami_regions
* Region us-west-2 is in ami_regions but not in region_kms_key_ids
How can I var the region_kms_key_ids to match the ami_regions based on user input? I have tried a few variations but no luck.

Frank

apet...@trueaccord.com

Feb 12, 2019, 12:58:06 PM
to Packer
I see only 1 temporary solution:
1. build unencrypted AMI
2. copy unencrypted AMI to Encrypted to all necessary regions
3. deregister unencrypted AMI
4. delete unencrypted AMI snapshot.

If anyone has a better solution -- please let me know.

Any roadmap for packer 1.4?

Thanks
AP

Rickard von Essen

Feb 12, 2019, 2:42:19 PM
to packe...@googlegroups.com
> I cannot hardcode the region_kms_key_ids list; if the list does not match the ami_regions list, one gets the following error.
> amazon-ebs output will be in this color.
>
> 6 error(s) occurred:
>
> * Region sa-east-1 is in region_kms_key_ids but not in ami_regions

Ohh that is bad. That was not behaving as I expected. I think this should be changed so you can have more regions in region_kms_key_ids than in ami_regions.


Frank Dias

Feb 14, 2019, 12:10:40 AM
to Packer
Hi Rickard,

Can you think of a way that we could code something similar to "ami_regions": "{{user `copy_to`}}",
 "region_kms_key_ids": ["{{user `copy_to`}}": "alias/aws/ebs"],

so that the list is dynamically built using the same list from user copy_to? I do not know how to structure the syntax, if possible.

frank

Rickard von Essen

Feb 14, 2019, 3:34:48 AM
to packe...@googlegroups.com
It's not possible to pass maps as variables in Packer. I would preprocess the template with jq/python/ruby whatever is simplest for you.
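
The preprocessing suggested above, sketched in Python as an added example (not code from this thread or from the Packer project): it builds `ami_regions` and `region_kms_key_ids` from one `copy_to` string so the two always list the same regions. The function names, the cut-down sample template, and the use of `""` as the key value (taken from the earlier suggestion in this thread) are assumptions.

```python
import json
import re

# Loose shape check for region names such as us-west-1 or us-gov-west-1.
REGION_RE = re.compile(r"[a-z]{2}(-[a-z]+)+-\d")

# Constructed sample: a cut-down version of the template posted in the thread.
SAMPLE_TEMPLATE = {
    "variables": {"aws_region": "", "copy_to": ""},
    "builders": [{
        "type": "amazon-ebs",
        "region": "{{user `aws_region`}}",
        "ami_regions": "{{user `copy_to`}}",
        "ami_name": "dockerhost {{timestamp}}",
        "encrypt_boot": True,
    }],
}


def parse_regions(copy_to):
    """Split 'us-west-1,eu-central-1' into a validated list without duplicates."""
    regions = []
    for name in (part.strip() for part in copy_to.split(",")):
        if not name:
            continue
        if not REGION_RE.fullmatch(name):
            raise ValueError(f"not a region name: {name!r}")
        if name not in regions:
            regions.append(name)
    return regions


def render(template, copy_to, kms_key=""):
    """Return a copy of the template whose two region settings are in step."""
    out = json.loads(json.dumps(template))  # deep copy; the input stays untouched
    regions = parse_regions(copy_to)
    for builder in out["builders"]:
        if builder.get("type") != "amazon-ebs":
            continue
        builder["ami_regions"] = regions
        builder.pop("region_kms_key_ids", None)
        # Assumption: the key map is only emitted for encrypted builds.
        if builder.get("encrypt_boot") and regions:
            builder["region_kms_key_ids"] = {r: kms_key for r in regions}
    return out


def mismatches(builder):
    """Mirror the two validation errors quoted in the thread (expects lists/maps)."""
    regions = set(builder.get("ami_regions", []))
    keys = set(builder.get("region_kms_key_ids", {}))
    errors = [f"Region {r} is in region_kms_key_ids but not in ami_regions"
              for r in sorted(keys - regions)]
    errors += [f"Region {r} is in ami_regions but not in region_kms_key_ids"
               for r in sorted(regions - keys)]
    return errors


if __name__ == "__main__":
    print(json.dumps(render(SAMPLE_TEMPLATE, "us-west-1,eu-central-1"), indent=2))
```

Write the rendered template to a file and run `packer build` on that file instead of the original.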

Frank Dias

Feb 14, 2019, 2:23:56 PM
to Packer
This seems like a lot of work for a function that was working, and now we have to go through so many hacks to make things work again.

I feel that what I have found and run into is a huge bug; this worked and it is now broken.

just venting...
frank 

Rickard von Essen

Feb 15, 2019, 4:20:31 AM
to packe...@googlegroups.com
I don't think this is exactly a bug because I think this was intended to work this way, but the UX is very poor, so I suggest that you open an issue and describe in detail the issue and how it worked before.
