
copy-encrypted-ami's Introduction

Copy Encrypted AMI

Shell script that automates copying encrypted AMIs across AWS accounts and regions.

License

This library is licensed under the Apache 2.0 License.

Synopsis

This script copies an AMI and its associated snapshots (encrypted or not) from account A (source) into account B (destination), producing a new AMI whose snapshots are all encrypted.

Prerequisites

jq - https://stedolan.github.io/jq/download/

aws cli - https://docs.aws.amazon.com/cli/latest/userguide/installing.html

The source and destination profiles must be configured on the system you run the script from. The source and destination profiles can be the same if the intent is to copy an AMI that has already been shared with the destination account but is not yet stored there.

Usage

copy_encrypted_ami.sh -s profile -d profile -a ami_id [-N name] [-k key] [-l source region] [-r destination region] [-n] [-t] [-u tag:value]
    -s,               AWS CLI profile name for AMI source account.
    -d,               AWS CLI profile name for AMI destination account.
    -a,               ID of AMI to be copied.
    -N,               Name for new AMI. (Optional)
    -l,               Region of the AMI to be copied. (Optional)
    -r,               Destination region for copied AMI. (Optional)
    -n,               Enable ENA support on new AMI. (Optional)
    -t,               Copy Tags. (Optional)
    -k,               Specific AWS KMS Key ID for snapshot re-encryption in target AWS account. (Optional)
    -u,               Update an existing or create a new tag with this value. Valid only with -t. (Optional)
    -h,               Show this message.

By default, the script uses the region configured for each AWS CLI profile (source and destination), and re-encrypts the copied snapshots with the AWS-managed KMS key for Amazon EBS (aws/ebs) in the destination account unless -k names a customer managed key.

Setting up the profiles

Use aws configure --profile profile_name to set up your profiles (source and destination). For more information about multiple profiles, please consult https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html

Example

copy_encrypted_ami.sh -s mysrcprofile -d mydstprofile -a ami-61341708

The line above copies the AMI ami-61341708 present in the account configured in the local mysrcprofile to the account configured in the local mydstprofile, using each profile's configured default region.

copy_encrypted_ami.sh -s mysrcprofile -d mydstprofile -a ami-61341708 -k arn:aws:kms:eu-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab -l ap-southeast-2 -r eu-west-2 -n

The line above copies the AMI ami-61341708 present in the region ap-southeast-2 for the account configured in the local mysrcprofile to the account configured in the local mydstprofile in the region eu-west-2, using AWS KMS key arn:aws:kms:eu-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab in the destination and enabling ENA Support.

Known Limitations

This script will not work if the default (AWS-managed) AWS KMS key was used to encrypt the source snapshots. Snapshots encrypted under the account's aws/ebs key cannot be shared with another account, so the destination account can never read them; re-encrypt such snapshots with a customer managed key in the source account first.

This script always encrypts the snapshots at the destination, so every snapshot of the new AMI is encrypted even where the corresponding source snapshot was unencrypted.
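As an added example that is not part of the project's script, the following Python models the JSON reshaping the script delegates to jq between its AWS CLI calls: collecting snapshot IDs from BlockDeviceMappings while skipping instance-store (ephemeral) mappings, refusing source snapshots protected by an AWS-managed key (the first limitation above), and building the register-image input from an allow-list of the fields RegisterImage accepts instead of deleting the DescribeImages fields known to be unsupported. The `aws ec2 describe-images`, `describe-snapshots` and `aws kms describe-key` responses are constructed sample data with made-up IDs and ARNs, and the KMS lookup is an injected callable, so the file runs offline without credentials.

```python
"""Offline model of the steps copy_encrypted_ami.sh performs between its
AWS CLI calls. Added example, not the project's script: the KMS lookup is
an injected callable and all IDs below are constructed."""
import json

# Top-level keys RegisterImage accepts. Allow-listing means a field that
# DescribeImages starts returning later (SourceInstanceId, for instance) is
# dropped automatically instead of being rejected by register-image.
REGISTER_IMAGE_FIELDS = {
    "Architecture", "BlockDeviceMappings", "Description", "EnaSupport",
    "KernelId", "Name", "RamdiskId", "RootDeviceName", "SriovNetSupport",
    "VirtualizationType", "BootMode", "TpmSupport", "ImdsSupport",
}
# Ebs keys RegisterImage accepts. KmsKeyId is deliberately absent: the key
# is chosen at copy-snapshot time, not when the image is registered.
EBS_FIELDS = {"DeleteOnTermination", "Encrypted", "Iops", "SnapshotId",
              "Throughput", "VolumeSize", "VolumeType"}

# Constructed sample in the shape of `aws ec2 describe-images --query
# Images[0]`, including instance-store mappings and SourceInstanceId.
SOURCE_IMAGE = {
    "ImageId": "ami-0123456789abcdef0", "Name": "app-server-2024-01",
    "OwnerId": "111111111111", "State": "available", "Architecture": "x86_64",
    "RootDeviceName": "/dev/sda1", "RootDeviceType": "ebs",
    "VirtualizationType": "hvm", "EnaSupport": False,
    "SourceInstanceId": "i-0abcdef1234567890",
    "Tags": [{"Key": "Team", "Value": "platform"}],
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/sda1", "Ebs": {"Encrypted": True, "DeleteOnTermination": True,
         "VolumeType": "gp2", "VolumeSize": 100, "SnapshotId": "snap-0aaaaaaaaaaaaaaaa"}},
        {"DeviceName": "/dev/sdf", "Ebs": {"Encrypted": False, "DeleteOnTermination": True,
         "VolumeType": "gp3", "VolumeSize": 500, "SnapshotId": "snap-0bbbbbbbbbbbbbbbb"}},
        {"DeviceName": "xvdca", "VirtualName": "ephemeral0"},
        {"DeviceName": "xvdcb", "VirtualName": "ephemeral1"},
    ],
}
# Constructed `describe-snapshots` entries for the two EBS snapshots above,
# plus a stand-in for `aws kms describe-key` keyed by KMS key ARN.
CMK_ARN = "arn:aws:kms:eu-west-1:111111111111:key/1111aaaa-0000-4000-8000-000000000001"
SOURCE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaaa", "Encrypted": True, "KmsKeyId": CMK_ARN},
    {"SnapshotId": "snap-0bbbbbbbbbbbbbbbb", "Encrypted": False},
]
KEY_METADATA = {CMK_ARN: {"KeyManager": "CUSTOMER"}}


def fake_describe_key(key_id):
    """Stand-in for `aws kms describe-key --key-id <arn>` (returns KeyMetadata)."""
    return KEY_METADATA[key_id]


def ebs_snapshot_ids(image):
    """Snapshot IDs behind the AMI's EBS mappings. Instance-store mappings
    carry no Ebs key and are skipped, instead of becoming the 'null'
    snapshot IDs that make describe-snapshots fail."""
    return [m["Ebs"]["SnapshotId"] for m in image["BlockDeviceMappings"]
            if m.get("Ebs", {}).get("SnapshotId")]


def check_source_keys(snapshots, describe_key):
    """Return the customer managed keys protecting the encrypted source
    snapshots. A snapshot under an AWS-managed key (aws/ebs) cannot be
    shared with another account, so abort before any copy is attempted."""
    keys = set()
    for snap in snapshots:
        if not snap.get("Encrypted"):
            continue                      # unencrypted: encrypted on copy at the destination
        if describe_key(snap["KmsKeyId"])["KeyManager"] != "CUSTOMER":
            raise ValueError(f"{snap['SnapshotId']} is encrypted with an AWS-managed key "
                             f"({snap['KmsKeyId']}) and cannot be shared across accounts")
        keys.add(snap["KmsKeyId"])
    return keys


def register_image_input(image, snapshot_copies, name, ena_support=False):
    """Build the register-image --cli-input-json body for the destination:
    allow-listed top-level keys, each Ebs mapping pointed at its encrypted
    copy, and ephemeral mappings passed through unchanged."""
    body = {k: v for k, v in image.items() if k in REGISTER_IMAGE_FIELDS}
    body["Name"] = name
    if ena_support:
        body["EnaSupport"] = True
    mappings = []
    for m in image["BlockDeviceMappings"]:
        if "Ebs" not in m:
            mappings.append(dict(m))
            continue
        ebs = {k: v for k, v in m["Ebs"].items() if k in EBS_FIELDS}
        ebs["SnapshotId"] = snapshot_copies[m["Ebs"]["SnapshotId"]]
        ebs["Encrypted"] = True           # every copy was made with --encrypted
        mappings.append({"DeviceName": m["DeviceName"], "Ebs": ebs})
    body["BlockDeviceMappings"] = mappings
    return body


if __name__ == "__main__":
    check_source_keys(SOURCE_SNAPSHOTS, fake_describe_key)
    # Pretend copy-snapshot returned these IDs for the two source snapshots.
    copies = {sid: sid.replace("snap-0", "snap-9") for sid in ebs_snapshot_ids(SOURCE_IMAGE)}
    print(json.dumps(register_image_input(SOURCE_IMAGE, copies, "app-server-2024-01-enc",
                                          ena_support=True), indent=2))
```

Running the file prints the register-image body. In the real flow the `copies` map would come from one `aws ec2 copy-snapshot --encrypted --kms-key-id <destination key>` per source snapshot under the destination profile, and the printed body would be written to a file and passed to `aws ec2 register-image --cli-input-json file://body.json`. Note that `Tags` is dropped from the body on purpose: tags are applied afterwards with create-tags, which is what the script's -t option does.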

copy-encrypted-ami's People

Contributors

badgerspoke, christek91, christianbermejo, eschulma, giom-l, jpeddicord, man8, rollucas, schmidtd


copy-encrypted-ami's Issues

Windows AMI supported?

Was wondering if this script supports my custom MS Windows AMI baked with an unencrypted snapshot.

Awesome tool, and thanks!

Issue with aws cli v2.13.35 (latest to date)

Hi,

I don't know exactly which version between 2.11.21 and 2.13.35 introduced the SourceInstanceId field in the aws ec2 describe-images response, but it prevents the script from working properly with (at least) the latest-to-date version of aws-cli.

The SourceInstanceId field seems not to be supported by aws ec2 register-image, so it needs to be removed as well, like the other fields already removed here.

Option to name the destination AMI

It could be useful to define the destination AMI name.
Also, if the source AMI has no tags then we should not try and push tags to the destination AMI.

Error on trying to copy AMI with associated ephemeral devices

Hi, thank you for this handy tool. On trying to copy an AMI, I ran into an error like this:

$ copy_encrypted_ami.sh -s src -d dst -a ami-04f386a8fa9b55blah 
Source region: eu-west-1
Destination region: eu-west-1
Destination account ID: blah
Snapshots found: snap-012a6c6688943blah snap-06ae1c9807c77blah null null null null null null null null null null null null null null null null null null null null null null null null null null

An error occurred (InvalidParameterValue) when calling the DescribeSnapshots operation: Value (null) for parameter snapshotId is invalid. Expected: 'snap-...'.
Customer managed KMS key(s) used on source AMI:
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help
aws: error: argument --key-id: expected one argument
 copy_encrypted_ami.sh: error: Unable to retrieve the Key Manager information. Aborting. 

Exploring the BlockDeviceMappings section of the AMI metadata, I see:

$ aws ec2 describe-images --profile src --region eu-west-1 --image-id ami-04f386a8fa9b55blah  --query 'Images[0]'|jq .BlockDeviceMappings
 [
   {
     "DeviceName": "/dev/sda1",
     "Ebs": {
       "Encrypted": true,
       "DeleteOnTermination": true,
       "VolumeType": "gp2",
       "VolumeSize": 100,
       "SnapshotId": "snap-012a6c6688943blah"
     }
   },
   {
     "DeviceName": "/dev/sdf",
     "Ebs": {
       "Encrypted": true,
       "DeleteOnTermination": true,
       "VolumeType": "gp2",
       "VolumeSize": 500,
       "SnapshotId": "snap-06ae1c9807c77blah"
     }
   },
   {
     "DeviceName": "xvdca",
     "VirtualName": "ephemeral0"
   },
   {
     "DeviceName": "xvdcb",
     "VirtualName": "ephemeral1"
   },
   {
     "DeviceName": "xvdcc",
     "VirtualName": "ephemeral2"
   },
   {
     "DeviceName": "xvdcd",
     "VirtualName": "ephemeral3"
   },
   {
     "DeviceName": "xvdce",
     "VirtualName": "ephemeral4"
   },
   {
[.....]

It seems that we would want to skip ephemeral devices when finding snapshots to copy. I'll submit a quick pull request with a proposed solution.

Unable to copy unencrypted AMI

Hi,
I am unable to copy an unencrypted AMI from account A to an encrypted AMI in account B; I am getting the error below.

Command used:
./copy_encrypted_ami.sh -s xxxxx -d yyyyy -a ami-zzzzzzzzz -k arn:aws:kms:us-east-1:12345678:key/fgdfgdffgdfhdghfdhdh -l us-east-1 -r us-east-1 -n

Customer managed KMS key(s) used on source AMI:
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help
aws.exe: error: argument --key-id: expected one argument
copy_encrypted_ami.sh: error: Unable to retrieve the Key Manager information. Aborting.

aws ec2 wait snapshot-completed times out often

Hi,

I found that, quite often, the "aws ec2 wait snapshot-completed" command would time out waiting for snapshots to complete. That command has a hardcoded limit of 10 minutes.

My shell scripting is horrific, but, for what it's worth, I ended up adding a loop on the "describe-snapshots" command that waits for the snapshots to complete (for as long as it takes...).

I stole the idea and most of the code from:
https://gist.github.com/sgnn7/d27fb0ab6e2cb29d466198ced9ea93df

I hope this helps someone that was running into the same problem.

...
i=0
while read -r snapshotid; do

    snapshot_progress="0%"
    while [ "$snapshot_progress" != "100%" ]; do
        # Fetch Progress and State together; a copy that ends in State=error
        # never reaches 100%, so abort on it instead of polling forever.
        read -r snapshot_progress snapshot_state < <(aws ec2 describe-snapshots --region "${DST_REGION}" \
                                                        --snapshot-ids "${DST_SNAPSHOT[i]}" \
                                                        --profile "${DST_PROFILE}" \
                                                        --no-paginate \
                                                        --query "Snapshots[0].[Progress,State]" \
                                                        --output text)
        if [ "$snapshot_state" = "error" ]; then
            echo "Snapshot ${DST_SNAPSHOT[i]} failed to copy. Aborting."
            exit 1
        fi
        echo "Snapshot progress: ${DST_SNAPSHOT[i]} $snapshot_progress ($snapshot_state)"
        sleep 10
    done

    # Already complete at this point; the waiter returns immediately and acts as a final check.
    aws ec2 wait snapshot-completed --snapshot-ids "${DST_SNAPSHOT[i]}" --profile "${DST_PROFILE}" --region "${DST_REGION}"

    i=$(( i + 1 ))
done <<< "$SNAPSHOT_IDS"
echo -e "${COLOR}EBS Snapshots copies completed ${NC}"
...
