Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support using custom KMS keys to build private stemcells #31

Merged
merged 1 commit into from
Nov 16, 2023
Merged

Support using custom KMS keys to build private stemcells #31

merged 1 commit into from
Nov 16, 2023
+23,830 −8

Conversation

mvach
Copy link
Contributor

@mvach mvach commented Nov 8, 2023
edited
Loading

When building a private stemcell, the aws light stemcell builder currently uses a managed KMS key which is default AWS account key. Using this key prevents sharing stemcells across accounts. Therefore we add the custom KMS key support.

This PR belongs to Issue #30 and it relevant for building FPIS light stemcells.

@mvach mvach mentioned this pull request Nov 8, 2023
Closed
@ramonskie
Copy link
Contributor

ramonskie commented Nov 8, 2023
edited
Loading

as we paused the aws light stemcell builder tests. in the publish pipeline.
it would be a good idea to enable them once we are planing to merge this.

@mvach mvach added the FIPS label Nov 9, 2023
@mvach mvach force-pushed the support-custom-kms-keys branch 2 times, most recently from 5a6af98 to 4d66c9b Compare November 9, 2023 07:24
@jpalermo jpalermo requested review from a team, selzoc and lnguyen and removed request for a team November 9, 2023 16:26
lnguyen
lnguyen requested changes Nov 14, 2023
View reviewed changes
driver/copy_ami_driver.go Show resolved Hide resolved
selzoc
selzoc requested changes Nov 14, 2023
View reviewed changes
config/config.go Outdated Show resolved Hide resolved
publisher/standard_region.go Show resolved Hide resolved
@mvach
Support using custom KMS keys to build private stemcells
fed3ae5 
When building a private stemcells, the builder currently uses
a managed KMS key which is default AWS account key. Using this key
prevents sharing stemcells across accounts. Therefore we add the
custom KMS key support.
@mvach mvach force-pushed the support-custom-kms-keys branch from 4d66c9b to fed3ae5 Compare November 16, 2023 12:20
lnguyen
lnguyen approved these changes Nov 16, 2023
View reviewed changes
Copy link
Member

@lnguyen lnguyen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

anshrupani
anshrupani approved these changes Nov 16, 2023
View reviewed changes
Copy link

@anshrupani anshrupani left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good!

@rkoster rkoster requested review from selzoc and aramprice November 16, 2023 15:51
selzoc
selzoc approved these changes Nov 16, 2023
View reviewed changes
Copy link
Member

@selzoc selzoc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

aramprice
aramprice approved these changes Nov 16, 2023
View reviewed changes
Copy link
Member

@aramprice aramprice left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@aramprice aramprice merged commit e8ebcc9 into master Nov 16, 2023
4 checks passed
@aramprice aramprice deleted the support-custom-kms-keys branch November 16, 2023 22:26
@aramprice
Copy link
Member

We're seeing failures with the drivers test. This may well be an issue with our setup, I'm still investigating. Posting the info here for posterity:

Test script

#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$( cd "$(dirname "${0}")" && pwd )"
source "${SCRIPT_DIR}/utils.sh"

tmp_dir="$(mktemp -d /tmp/stemcell_builder.XXXXXXX)"
trap '{ rm -rf ${tmp_dir}; }' EXIT

# US Regions
# shellcheck disable=SC2154
export AWS_ACCESS_KEY_ID="${access_key}"
# shellcheck disable=SC2154
export AWS_SECRET_ACCESS_KEY="${secret_key}"
# shellcheck disable=SC2154
export AWS_BUCKET_NAME="${bucket_name}"
# shellcheck disable=SC2154
export AWS_REGION="${region}"
export AWS_ROLE_ARN="${role_arn:-}"
# shellcheck disable=SC2154
export AWS_DESTINATION_REGION="${copy_region}"
# shellcheck disable=SC2154
export AWS_KMS_KEY_ID="${kms_key_id}"

# Fixtures
# shellcheck disable=SC2154
export S3_MACHINE_IMAGE_URL="${uploaded_machine_image_url}"
export S3_MACHINE_IMAGE_FORMAT="${uploaded_machine_image_format:=RAW}"
# shellcheck disable=SC2154
export EBS_VOLUME_ID="${existing_volume_id}"
# shellcheck disable=SC2154
export EBS_SNAPSHOT_ID="${existing_snapshot_id}"
# shellcheck disable=SC2154
export AMI_FIXTURE_ID="${ami_fixture_id}"

echo "Downloading machine image"
export MACHINE_IMAGE_PATH="${tmp_dir}/image.iso"
export MACHINE_IMAGE_FORMAT="RAW"
wget http://tinycorelinux.net/7.x/x86_64/archive/7.1/TinyCorePure64-7.1.iso \
  -O "${MACHINE_IMAGE_PATH}"

echo "Running driver tests"

(
  cd builder-src
  # Run all driver specs in parallel to reduce test time
  spec_count="$(grep "It(" -r driver | wc -l)"
  go run github.com/onsi/ginkgo/v2/ginkgo -nodes "${spec_count}" -r driver
)

Test output

Running driver tests
[1700173625] Drivers Suite - 19/19 specs - 20 procs ••••
------------------------------
• [FAILED] [5.640 seconds]
KmsDriver [It] replicates a given kms key to another region
/tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:58

  Timeline >>
  KmsDriver 2023/11/16 22:27:24 Replicating kms key: arn:aws:kms:us-west-1:462397596885:key/070d4996-99f0-471b-8099-576e8968ab06
  KmsDriver 2023/11/16 22:27:29 Completed ReplicateKey() in 0.093970 minutes
  [FAILED] in [It] - /tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:68 @ 11/16/23 22:27:29.684
  << Timeline

  [FAILED] Unexpected error:
      <*errors.errorString | 0xc0007ae100>: 
      failed to replicate key: NotFoundException: Invalid arn us-west-1
      {
          s: "failed to replicate key: NotFoundException: Invalid arn us-west-1",
      }
  occurred
  In [It] at: /tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:68 @ 11/16/23 22:27:29.684
------------------------------
• [FAILED] [5.655 seconds]
KmsDriver [It] creates an alias for a given kms key
/tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:18

  Timeline >>
  KmsDriver 2023/11/16 22:27:24 Creating alias: alias/8194149476949636637
  KmsDriver 2023/11/16 22:27:29 Completed CreateKeyAlias() in 0.094228 minutes
  [FAILED] in [It] - /tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:30 @ 11/16/23 22:27:29.7
  << Timeline

  [FAILED] Unexpected error:
      <*errors.errorString | 0xc0006f2250>: 
      failed to create alias: NotFoundException: Invalid arn us-west-1
      {
          s: "failed to create alias: NotFoundException: Invalid arn us-west-1",
      }
  occurred
  In [It] at: /tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:30 @ 11/16/23 22:27:29.7
------------------------------
••••••
------------------------------
• [FAILED] [147.135 seconds]
CopyAmiDriver when encrypted flag is set to true when kms_key_id is provided [It] encrypts destination AMI using provided kms key
/tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:60

  Timeline >>
  SDKCopyAmiDriver 2023/11/16 22:27:24 copying AMI from source AMI: ami-fce3c696
  SDKCopyAmiDriver 2023/11/16 22:27:34 waiting for AMI: ami-0b9d7b0d806a56eb5 to be available
  SDKCopyAmiDriver 2023/11/16 22:29:50 tagging AMI: ami-0b9d7b0d806a56eb5, with {
    Resources: ["ami-0b9d7b0d806a56eb5"],
    Tags: [
      {
        Key: "Name",
        Value: "-"
      },
      {
        Key: "distro",
        Value: ""
      },
      {
        Key: "version",
        Value: ""
      },
      {
        Key: "published",
        Value: "false"
      }
    ]
  }
  SDKCopyAmiDriver 2023/11/16 22:29:50 completed Create() in 2.445319 minutes
  [FAILED] in [It] - /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:66 @ 11/16/23 22:29:51.185
  << Timeline

  [FAILED] Expected
      <string>: "...:key/23345b..."
  to equal               |
      <string>: "...:key/070d49..."
  In [It] at: /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:66 @ 11/16/23 22:29:51.185
------------------------------
••••••

Summarizing 3 Failures:
  [FAIL] KmsDriver [It] replicates a given kms key to another region
  /tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:68
  [FAIL] KmsDriver [It] creates an alias for a given kms key
  /tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:30
  [FAIL] CopyAmiDriver when encrypted flag is set to true when kms_key_id is provided [It] encrypts destination AMI using provided kms key
  /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:66

Ran 19 of 19 Specs in 287.357 seconds
FAIL! -- 16 Passed | 3 Failed | 0 Pending | 0 Skipped

@aramprice
Copy link
Member

aramprice commented Nov 21, 2023
edited
Loading

Quoting from email:

Hi @aramprice,
sorry I forgott to mention that in the PR. The copy AMI driver tests now shares an AMI with another account. That account need to be configures via env var AWS_ACCOUNT. It does't need to be a second account than the one that hosts the AMI since it is possible to share an AMI with yourselve.

Unfortunately both hard-coding a known aws account id, as well as fetching one via sts:

		awsAccount = os.Getenv("AWS_ACCOUNT")
		if awsAccount == "" {
			GinkgoWriter.Printf("AWS_ACCOUNT was empty, attempting sts.GetCallerIdentity()")
			session, err := session.NewSession()
			Expect(err).NotTo(HaveOccurred())
			result, err := sts.New(session).GetCallerIdentity(&sts.GetCallerIdentityInput{})
			Expect(err).NotTo(HaveOccurred())
			awsAccount = *result.Account
			GinkgoWriter.Printf("GetCallerIdentity() return %s", awsAccount)
		}
		Expect(awsAccount).ToNot(BeEmpty(), "AWS_ACCOUNT must be set")

Results in errors:

Downloading machine image
--2023-11-21 01:00:10--  http://tinycorelinux.net/7.x/x86_64/archive/7.1/TinyCorePure64-7.1.iso
Resolving tinycorelinux.net (tinycorelinux.net)... 128.127.66.77
Connecting to tinycorelinux.net (tinycorelinux.net)|128.127.66.77|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25165824 (24M) [application/octet-stream]
Saving to: '/tmp/stemcell_builder.AE1M9TK/image.iso'

/tmp/stemcell_builder.AE1M9TK/i 100%[=====================================================>]  24.00M  3.57MB/s    in 14s

2023-11-21 01:00:24 (1.70 MB/s) - '/tmp/stemcell_builder.AE1M9TK/image.iso' saved [25165824/25165824]

Running driver tests
[1700528425] Drivers Suite - 21/21 specs - 22 procs ••••
------------------------------
• [FAILED] [5.314 seconds]
KmsDriver [It] creates an alias for a given kms key
/tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:19

  Timeline >>
  KmsDriver 2023/11/21 01:00:32 Creating alias: alias/2562479606229542339
  KmsDriver 2023/11/21 01:00:38 Completed CreateKeyAlias() in 0.088545 minutes
  [FAILED] in [It] - /tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:31 @ 11/21/23 01:00:38.147
  << Timeline

  [FAILED] Unexpected error:
      <*errors.errorString | 0xc00071e900>:
      failed to create alias: NotFoundException: Invalid arn us-west-1
      {
          s: "failed to create alias: NotFoundException: Invalid arn us-west-1",
      }
  occurred
  In [It] at: /tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:31 @ 11/21/23 01:00:38.147
------------------------------
• [FAILED] [5.317 seconds]
KmsDriver [It] replicates a given kms key to another region
/tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:59

  Timeline >>
  KmsDriver 2023/11/21 01:00:32 Replicating kms key: arn:aws:kms:us-west-1:462397596885:key/070d4996-99f0-471b-8099-576e8968ab06
  KmsDriver 2023/11/21 01:00:38 Completed ReplicateKey() in 0.088601 minutes
  [FAILED] in [It] - /tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:69 @ 11/21/23 01:00:38.15
  << Timeline

  [FAILED] Unexpected error:
      <*errors.errorString | 0xc00079e120>:
      failed to replicate key: NotFoundException: Invalid arn us-west-1
      {
          s: "failed to replicate key: NotFoundException: Invalid arn us-west-1",
      }
  occurred
  In [It] at: /tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:69 @ 11/21/23 01:00:38.15
------------------------------
•••••••
------------------------------
• [FAILED] [141.531 seconds]
CopyAmiDriver when encrypted flag is set to true [It] encrypts destination AMI using default AWS KMS key
/tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:50

  Timeline >>
  SDKCopyAmiDriver 2023/11/21 01:00:32 copying AMI from source AMI: ami-fce3c696
  SDKCopyAmiDriver 2023/11/21 01:00:38 waiting for AMI ami-05715417dfc2d7503 to be available in region us-west-1
  SDKCopyAmiDriver 2023/11/21 01:02:54 tagging AMI: ami-05715417dfc2d7503, with {
    Resources: ["ami-05715417dfc2d7503"],
    Tags: [
      {
        Key: "Name",
        Value: "-"
      },
      {
        Key: "distro",
        Value: ""
      },
      {
        Key: "version",
        Value: ""
      },
      {
        Key: "published",
        Value: "false"
      }
    ]
  }
  SDKCopyAmiDriver 2023/11/21 01:02:54 completed Create() in 2.358829 minutes
  [FAILED] in [It] - /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:109 @ 11/21/23 01:02:54.327
  << Timeline

  [FAILED] Unexpected error:
      <*fmt.wrapError | 0xc000865880>:
      failed to share AMI 'ami-05715417dfc2d7503' with account 'REDACTED_AWS_ACCOUNT': InvalidParameter: Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.
      	status code: 400, request id: a13eb067-3315-46a7-b19f-6703f10b5ede
      {
          msg: "failed to share AMI 'ami-05715417dfc2d7503' with account 'REDACTED_AWS_ACCOUNT': InvalidParameter: Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.\n\tstatus code: 400, request id: a13eb067-3315-46a7-b19f-6703f10b5ede",
          err: <*awserr.requestError | 0xc0002280c0>{
              awsError: <*awserr.baseError | 0xc000228080>{
                  code: "InvalidParameter",
                  message: "Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.",
                  errs: nil,
              },
              statusCode: 400,
              requestID: "a13eb067-3315-46a7-b19f-6703f10b5ede",
              bytes: nil,
          },
      }
  occurred
  In [It] at: /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:109 @ 11/21/23 01:02:54.327
------------------------------
• [FAILED] [141.574 seconds]
CopyAmiDriver when encrypted flag is set to true [It] does NOT make snapshot public
/tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:36

  Timeline >>
  SDKCopyAmiDriver 2023/11/21 01:00:32 copying AMI from source AMI: ami-fce3c696
  SDKCopyAmiDriver 2023/11/21 01:00:38 waiting for AMI ami-01b69a9170796c85a to be available in region us-west-1
  SDKCopyAmiDriver 2023/11/21 01:02:54 tagging AMI: ami-01b69a9170796c85a, with {
    Resources: ["ami-01b69a9170796c85a"],
    Tags: [
      {
        Key: "Name",
        Value: "-"
      },
      {
        Key: "distro",
        Value: ""
      },
      {
        Key: "version",
        Value: ""
      },
      {
        Key: "published",
        Value: "false"
      }
    ]
  }
  SDKCopyAmiDriver 2023/11/21 01:02:54 completed Create() in 2.359551 minutes
  [FAILED] in [It] - /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:109 @ 11/21/23 01:02:54.366
  << Timeline

  [FAILED] Unexpected error:
      <*fmt.wrapError | 0xc00045c200>:
      failed to share AMI 'ami-01b69a9170796c85a' with account 'REDACTED_AWS_ACCOUNT': InvalidParameter: Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.
      	status code: 400, request id: 222fbcc2-ffad-4488-a27e-18fff3576580
      {
          msg: "failed to share AMI 'ami-01b69a9170796c85a' with account 'REDACTED_AWS_ACCOUNT': InvalidParameter: Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.\n\tstatus code: 400, request id: 222fbcc2-ffad-4488-a27e-18fff3576580",
          err: <*awserr.requestError | 0xc0003c0700>{
              awsError: <*awserr.baseError | 0xc0003c06c0>{
                  code: "InvalidParameter",
                  message: "Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.",
                  errs: nil,
              },
              statusCode: 400,
              requestID: "222fbcc2-ffad-4488-a27e-18fff3576580",
              bytes: nil,
          },
      }
  occurred
  In [It] at: /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:109 @ 11/21/23 01:02:54.366
------------------------------
• [FAILED] [141.603 seconds]
CopyAmiDriver when encrypted flag is set to true when kms_key_id is provided [It] encrypts destination AMI using provided kms key
/tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:60

  Timeline >>
  SDKCopyAmiDriver 2023/11/21 01:00:32 copying AMI from source AMI: ami-fce3c696
  SDKCopyAmiDriver 2023/11/21 01:00:38 waiting for AMI ami-044dcac3ea7434270 to be available in region us-west-1
  SDKCopyAmiDriver 2023/11/21 01:02:54 tagging AMI: ami-044dcac3ea7434270, with {
    Resources: ["ami-044dcac3ea7434270"],
    Tags: [
      {
        Key: "Name",
        Value: "-"
      },
      {
        Key: "distro",
        Value: ""
      },
      {
        Key: "version",
        Value: ""
      },
      {
        Key: "published",
        Value: "false"
      }
    ]
  }
  SDKCopyAmiDriver 2023/11/21 01:02:54 completed Create() in 2.360025 minutes
  [FAILED] in [It] - /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:109 @ 11/21/23 01:02:54.399
  << Timeline

  [FAILED] Unexpected error:
      <*fmt.wrapError | 0xc000200460>:
      failed to share AMI 'ami-044dcac3ea7434270' with account 'REDACTED_AWS_ACCOUNT': InvalidParameter: Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.
      	status code: 400, request id: 78a4f55c-be8b-4233-b661-ee3365fc5ec4
      {
          msg: "failed to share AMI 'ami-044dcac3ea7434270' with account 'REDACTED_AWS_ACCOUNT': InvalidParameter: Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.\n\tstatus code: 400, request id: 78a4f55c-be8b-4233-b661-ee3365fc5ec4",
          err: <*awserr.requestError | 0xc000184a80>{
              awsError: <*awserr.baseError | 0xc000184a40>{
                  code: "InvalidParameter",
                  message: "Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.",
                  errs: nil,
              },
              statusCode: 400,
              requestID: "78a4f55c-be8b-4233-b661-ee3365fc5ec4",
              bytes: nil,
          },
      }
  occurred
  In [It] at: /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:109 @ 11/21/23 01:02:54.399
------------------------------
• [FAILED] [141.718 seconds]
CopyAmiDriver when shared_with_accounts is provided [It] shares the AMI with other accounts
/tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:73

  Timeline >>
  SDKCopyAmiDriver 2023/11/21 01:00:32 copying AMI from source AMI: ami-fce3c696
  SDKCopyAmiDriver 2023/11/21 01:00:38 waiting for AMI ami-0c817e0ffd2b5fd06 to be available in region us-west-1
  SDKCopyAmiDriver 2023/11/21 01:02:54 tagging AMI: ami-0c817e0ffd2b5fd06, with {
    Resources: ["ami-0c817e0ffd2b5fd06"],
    Tags: [
      {
        Key: "Name",
        Value: "-"
      },
      {
        Key: "distro",
        Value: ""
      },
      {
        Key: "version",
        Value: ""
      },
      {
        Key: "published",
        Value: "false"
      }
    ]
  }
  SDKCopyAmiDriver 2023/11/21 01:02:54 completed Create() in 2.361957 minutes
  [FAILED] in [It] - /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:109 @ 11/21/23 01:02:54.516
  << Timeline

  [FAILED] Unexpected error:
      <*fmt.wrapError | 0xc0001914c0>:
      failed to share AMI 'ami-0c817e0ffd2b5fd06' with account 'REDACTED_AWS_ACCOUNT': InvalidParameter: Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.
      	status code: 400, request id: 1542062a-ac1e-476f-8201-869d8ec4bb7a
      {
          msg: "failed to share AMI 'ami-0c817e0ffd2b5fd06' with account 'REDACTED_AWS_ACCOUNT': InvalidParameter: Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.\n\tstatus code: 400, request id: 1542062a-ac1e-476f-8201-869d8ec4bb7a",
          err: <*awserr.requestError | 0xc000826f80>{
              awsError: <*awserr.baseError | 0xc000826f40>{
                  code: "InvalidParameter",
                  message: "Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.",
                  errs: nil,
              },
              statusCode: 400,
              requestID: "1542062a-ac1e-476f-8201-869d8ec4bb7a",
              bytes: nil,
          },
      }
  occurred
  In [It] at: /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:109 @ 11/21/23 01:02:54.516
------------------------------
••••

Summarizing 6 Failures:
  [FAIL] KmsDriver [It] creates an alias for a given kms key
  /tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:31
  [FAIL] KmsDriver [It] replicates a given kms key to another region
  /tmp/build/a94a8fe5/builder-src/driver/kms_driver_test.go:69
  [FAIL] CopyAmiDriver when encrypted flag is set to true [It] encrypts destination AMI using default AWS KMS key
  /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:109
  [FAIL] CopyAmiDriver when encrypted flag is set to true [It] does NOT make snapshot public
  /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:109
  [FAIL] CopyAmiDriver when encrypted flag is set to true when kms_key_id is provided [It] encrypts destination AMI using provided kms key
  /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:109
  [FAIL] CopyAmiDriver when shared_with_accounts is provided [It] shares the AMI with other accounts
  /tmp/build/a94a8fe5/builder-src/driver/copy_ami_driver_test.go:109

Ran 21 of 21 Specs in 273.026 seconds
FAIL! -- 15 Passed | 6 Failed | 0 Pending | 0 Skipped


Ginkgo ran 2 suites in 4m34.960685401s

There were failures detected in the following suites:
  driver ./driver

Test Suite Failed
exit status 1

Perhaps there are additional constraints on the AWS_ACCOUNT that need clarifying?

@jpalermo jpalermo mentioned this pull request Nov 22, 2023
Merged
@jpalermo
Copy link
Member

jpalermo commented Nov 22, 2023
edited
Loading

We fixed a couple of the test failures here by limiting which tests are using the sharing functionality. But the two tests that are testing sharing and kms keys still get this:

InvalidParameter: Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anshrupani anshrupani anshrupani approved these changes

@lnguyen lnguyen lnguyen approved these changes

@selzoc selzoc selzoc approved these changes

@aramprice aramprice aramprice approved these changes

Assignees
No one assigned
Labels
FIPS
Projects
Foundational Infrastructure Working Group
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@mvach @ramonskie @aramprice @jpalermo @selzoc @lnguyen @anshrupani