As best I can tell, when resources are created with the AWS EBS AMI builder, the AWS resources (i.e. everything from the key pair to the AMI image itself) are created first, and then tagged.
I’d like to understand why that is. When I dove into the code, it looked like a lot of it could actually tag the resources on creation. But the tags are not being passed into the code that creates the resources. They are tagged after the fact.
This is an issue for security because whatever node / service account / pod is running Packer will need to have broad AWS permissions on any resource, including terminating arbitrary instances. You can’t restrict the permissions with tags, because the tags are applied after the fact, so you have to be able to tag `*`.
If I’m mistaken, or if there’s an optional flag I missed, I’d love to be corrected.
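To make the IAM consequence concrete, here is the kind of tag-scoped, least-privilege policy one would want to give the Packer principal; this is an added illustration, not a policy from the Packer project, and the tag key `Owner` and value `packer-builder` are assumed values chosen for the example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchOnlyIfTaggedAtCreation",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": { "aws:RequestTag/Owner": "packer-builder" }
      }
    },
    {
      "Sid": "NonTaggableResourcesNeededByRunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "TagOnlyAsPartOfTheLaunchCall",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "RunInstances" }
      }
    },
    {
      "Sid": "TerminateOnlyInstancesWeTaggedOurselves",
      "Effect": "Allow",
      "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Owner": "packer-builder" }
      }
    }
  ]
}
```

With a builder that tags after creation, the `RunInstances` call carries no tags, so `aws:RequestTag/Owner` is absent and the first statement denies the launch, and the separate `CreateTags` call that follows is denied by the `ec2:CreateAction` condition. The only policy that lets such a build succeed is one that grants `RunInstances`, `CreateTags` and `TerminateInstances` without tag conditions, which is the broad grant described above.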