How do I correctly set 'AMIRegionKMSKeyIDs'?

jason-oc · November 24, 2023, 11:30am

Relatively new to Packer. Using it to build Amazon Machine Images, both Windows and Linux.

When setting up encrypted volumes (EBS) on an Amazon AMI, I understand from the documentation that I need to set ‘kms_key_id’ and the documentation also says “any regions the AMI gets copied to copied will be encrypted by the default EBS KMS key for that region, unless you set region-specific keys in AMIRegionKMSKeyIDs”.

First off, the word “copied” is there one too many times but what I really wanna know is how do I correctly set ‘AMIRegionKMSKeyIDs’? What is the syntax?

lbajolet-hashicorp · November 24, 2023, 3:08pm

Hi @jason-oc,

Thanks for pointing out the errors in the docs, I’ll open a PR to fix that today.
The attribute you’re looking for is called region_kms_key_ids (for reference, AMIRegionKMSKeyIDs is the name in the code), and it’s a map[string]string, which you can declare in your template like so (assuming HCL):

source "amazon-ebs" "example" {
    ami_regions = ["us-east-1", "us-east-2"]
    region_kms_key_ids = {
        "us-east-1": "<key_id_for_east1>",
        "us-east-2": "<key_id_for_east2>"
    }
}

Hope that helps!

Topic		Replies	Views
Amazon-ebs builder: issues with copying amis to different regions when ebs encryption by default is enabled Packer	0	1301	November 15, 2019
Getting us-west-2 is in region_kms_key_ids but not in ami_regions Packer	0	390	July 13, 2022
Packer Build Not Working with AWS EBS Encryption using KMS(CMK) Packer	3	693	June 21, 2023
About aws china ebs encryption Packer	1	357	December 30, 2021
Unable to use ami_org_arns with amazon-ebs builder Packer	5	2850	January 17, 2022

How do I correctly set 'AMIRegionKMSKeyIDs'?

Related topics