hashicorp · lbajolet-hashicorp · May 12, 2023 · Mar 6, 2023 · Mar 6, 2023 · May 11, 2023
@@ -205,6 +205,10 @@ type Config struct {
 	// Base64 representation of the non-volatile UEFI variable store. For more information
 	// see [AWS documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/uefi-secure-boot-optionB.html).
 	UefiData string `mapstructure:"uefi_data" required:"false"`
+	// NitroTPM Support. Valid options are `v2.0`. See the documentation on
+	// [NitroTPM Support](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-support-on-ami.html) for
+	// more information. Only enabled if a valid option is provided, otherwise ignored.
+	TpmSupport string `mapstructure:"tpm_support" required:"false"`
 
 	ctx interpolate.Context
 }
@@ -376,6 +380,10 @@ func (b *Builder) Prepare(raws ...interface{}) ([]string, []string, error) {
 		errs = packersdk.MultiErrorAppend(errs, errors.New(`The only valid ami_architecture values are "arm64", "i386", "x86_64", or "x86_64_mac"`))
 	}
 
+	if b.config.TpmSupport != "" && b.config.TpmSupport != ec2.TpmSupportValuesV20 {
+		errs = packersdk.MultiErrorAppend(errs, fmt.Errorf(`The only valid tpm_support value is %q`, ec2.TpmSupportValuesV20))
+	}
+
 	if b.config.BootMode != "" {
 		err := awscommon.IsValidBootMode(b.config.BootMode)
 		if err != nil {
@@ -512,6 +520,7 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook)
 			PollingConfig:            b.config.PollingConfig,
 			BootMode:                 b.config.BootMode,
 			UefiData:                 b.config.UefiData,
+			TpmSupport:               b.config.TpmSupport,
 		},
 		&awscommon.StepAMIRegionCopy{
 			AccessConfig:      &b.config.AccessConfig,

@@ -359,3 +359,53 @@ func TestBuilderPrepare_IMDSSupportValue(t *testing.T) {
 		})
 	}
 }
+
+func TestBuilderPrepare_TpmSupportValue(t *testing.T) {
+	tests := []struct {
+		name        string
+		optValue    string
+		expectError bool
+	}{
+		{
+			name:        "OK - no value set",
+			optValue:    "",
+			expectError: false,
+		},
+		{
+			name:        "OK - v2.0",
+			optValue:    "v2.0",
+			expectError: false,
+		},
+		{
+			name:        "Error - bad value set",
+			optValue:    "v3.0",
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			config := testConfig()
+			config["ami_name"] = "name"
+			config["root_device_name"] = "/dev/sda"
+			config["ami_block_device_mappings"] = []interface{}{map[string]string{}}
+			config["root_volume_size"] = 15
+
+			config["tpm_support"] = tt.optValue
+
+			b := &Builder{}
+
+			_, _, err := b.Prepare(config)
+			if err != nil && !tt.expectError {
+				t.Fatalf("got unexpected error: %s", err)
+			}
+			if err == nil && tt.expectError {
+				t.Fatalf("expected an error, got a success instead")
+			}
+
+			if err != nil {
+				t.Logf("OK: b.Prepare produced expected error: %s", err)
+			}
+		})
+	}
+}
@@ -25,6 +25,7 @@ type StepRegisterAMI struct {
 	AMISkipBuildRegion       bool
 	BootMode                 string
 	UefiData                 string
+	TpmSupport               string
 }
 
 func (s *StepRegisterAMI) Run(ctx context.Context, state multistep.StateBag) multistep.StepAction {
@@ -78,6 +79,9 @@ func (s *StepRegisterAMI) Run(ctx context.Context, state multistep.StateBag) mul
 	if s.UefiData != "" {
 		registerOpts.UefiData = aws.String(s.UefiData)
 	}
+	if s.TpmSupport != "" {
+		registerOpts.TpmSupport = aws.String(s.TpmSupport)
+	}
 
 	registerResp, err := ec2conn.RegisterImage(registerOpts)
 	if err != nil {

@@ -81,6 +81,10 @@ type Config struct {
 	// Base64 representation of the non-volatile UEFI variable store. For more information
 	// see [AWS documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/uefi-secure-boot-optionB.html).
 	UefiData string `mapstructure:"uefi_data" required:"false"`
+	// NitroTPM Support. Valid options are `v2.0`. See the documentation on
+	// [NitroTPM Support](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-support-on-ami.html) for
+	// more information. Only enabled if a valid option is provided, otherwise ignored.
+	TpmSupport string `mapstructure:"tpm_support" required:"false"`
 
 	ctx interpolate.Context
 }
@@ -183,6 +187,10 @@ func (b *Builder) Prepare(raws ...interface{}) ([]string, []string, error) {
 		errs = packersdk.MultiErrorAppend(errs, errors.New(`The only valid ami_architecture values are "arm64", "i386", "x86_64", or "x86_64_mac"`))
 	}
 
+	if b.config.TpmSupport != "" && b.config.TpmSupport != ec2.TpmSupportValuesV20 {
+		errs = packersdk.MultiErrorAppend(errs, fmt.Errorf(`The only valid tpm_support value is %q`, ec2.TpmSupportValuesV20))
+	}
+
 	if b.config.BootMode != "" {
 		err := awscommon.IsValidBootMode(b.config.BootMode)
 		if err != nil {
@@ -437,6 +445,7 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook)
 			PollingConfig:            b.config.PollingConfig,
 			BootMode:                 b.config.BootMode,
 			UefiData:                 b.config.UefiData,
+			TpmSupport:               b.config.TpmSupport,
 		},
 		&awscommon.StepAMIRegionCopy{
 			AccessConfig:       &b.config.AccessConfig,

@@ -243,3 +243,64 @@ func TestBuilderPrepare_IMDSSupportValue(t *testing.T) {
 		})
 	}
 }
+
+func TestBuilderPrepare_TpmSupportValue(t *testing.T) {
+	tests := []struct {
+		name        string
+		optValue    string
+		expectError bool
+	}{
+		{
+			name:        "OK - no value set",
+			optValue:    "",
+			expectError: false,
+		},
+		{
+			name:        "OK - v2.0",
+			optValue:    "v2.0",
+			expectError: false,
+		},
+		{
+			name:        "Error - bad value set",
+			optValue:    "v3.0",
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			config := testConfig()
+			config["ami_name"] = "name"
+			config["ami_virtualization_type"] = "kvm"
+
+			config["tpm_support"] = tt.optValue
+
+			b := &Builder{}
+			// Basic configuration
+			b.config.RootDevice = RootBlockDevice{
+				SourceDeviceName: "device name",
+				DeviceName:       "device name",
+			}
+			b.config.LaunchMappings = BlockDevices{
+				BlockDevice{
+					BlockDevice: common.BlockDevice{
+						DeviceName: "device name",
+					},
+					OmitFromArtifact: false,
+				},
+			}
+
+			_, _, err := b.Prepare(config)
+			if err != nil && !tt.expectError {
+				t.Fatalf("got unexpected error: %s", err)
+			}
+			if err == nil && tt.expectError {
+				t.Fatalf("expected an error, got a success instead")
+			}
+
+			if err != nil {
+				t.Logf("OK: b.Prepare produced expected error: %s", err)
+			}
+		})
+	}
+}
@@ -30,6 +30,7 @@ type StepRegisterAMI struct {
 	AMISkipBuildRegion       bool
 	BootMode                 string
 	UefiData                 string
+	TpmSupport               string
 }
 
 func (s *StepRegisterAMI) Run(ctx context.Context, state multistep.StateBag) multistep.StepAction {
@@ -83,6 +84,9 @@ func (s *StepRegisterAMI) Run(ctx context.Context, state multistep.StateBag) mul
 	if s.UefiData != "" {
 		registerOpts.UefiData = aws.String(s.UefiData)
 	}
+	if s.TpmSupport != "" {
+		registerOpts.TpmSupport = aws.String(s.TpmSupport)
+	}
 	registerResp, err := ec2conn.RegisterImage(registerOpts)
 	if err != nil {
 		state.Put("error", fmt.Errorf("Error registering AMI: %s", err))

@@ -91,6 +91,10 @@ type Config struct {
 	// okay to create this directory as part of the provisioning process.
 	// Defaults to /tmp.
 	X509UploadPath string `mapstructure:"x509_upload_path" required:"false"`
+	// NitroTPM Support. Valid options are `v2.0`. See the documentation on
+	// [NitroTPM Support](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-support-on-ami.html) for
+	// more information. Only enabled if a valid option is provided, otherwise ignored.
+	TpmSupport string `mapstructure:"tpm_support" required:"false"`
 
 	ctx interpolate.Context
 }
@@ -236,6 +240,10 @@ func (b *Builder) Prepare(raws ...interface{}) ([]string, []string, error) {
 			"Packer, inclusion of enable_t2_unlimited will error your builds.")
 	}
 
+	if b.config.TpmSupport != "" && b.config.TpmSupport != ec2.TpmSupportValuesV20 {
+		errs = packersdk.MultiErrorAppend(errs, fmt.Errorf(`The only valid tpm_support value is %q`, ec2.TpmSupportValuesV20))
+	}
+
 	if errs != nil && len(errs.Errors) > 0 {
 		return nil, warns, errs
 	}
@@ -436,6 +444,7 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook)
 			EnableAMIENASupport:      b.config.AMIENASupport,
 			AMISkipBuildRegion:       b.config.AMISkipBuildRegion,
 			PollingConfig:            b.config.PollingConfig,
+			TpmSupport:               b.config.TpmSupport,
 		},
 		&awscommon.StepAMIRegionCopy{
 			AccessConfig:      &b.config.AccessConfig,

@@ -392,3 +392,51 @@ func TestBuilderPrepare_IMDSSupportValue(t *testing.T) {
 		})
 	}
 }
+
+func TestBuilderPrepare_TpmSupportValue(t *testing.T) {
+	tests := []struct {
+		name        string
+		optValue    string
+		expectError bool
+	}{
+		{
+			name:        "OK - no value set",
+			optValue:    "",
+			expectError: false,
+		},
+		{
+			name:        "OK - v2.0",
+			optValue:    "v2.0",
+			expectError: false,
+		},
+		{
+			name:        "Error - bad value set",
+			optValue:    "v3.0",
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			config, _ := testConfig()
+			config["ami_name"] = "name"
+			config["skip_region_validation"] = true
+
+			config["tpm_support"] = tt.optValue
+
+			b := &Builder{}
+
+			_, _, err := b.Prepare(config)
+			if err != nil && !tt.expectError {
+				t.Fatalf("got unexpected error: %s", err)
+			}
+			if err == nil && tt.expectError {
+				t.Fatalf("expected an error, got a success instead")
+			}
+
+			if err != nil {
+				t.Logf("OK: b.Prepare produced expected error: %s", err)
+			}
+		})
+	}
+}
@@ -21,6 +21,7 @@ type StepRegisterAMI struct {
 	EnableAMIENASupport      confighelper.Trilean
 	EnableAMISriovNetSupport bool
 	AMISkipBuildRegion       bool
+	TpmSupport               string
 }
 
 func (s *StepRegisterAMI) Run(ctx context.Context, state multistep.StateBag) multistep.StepAction {
@@ -68,6 +69,9 @@ func (s *StepRegisterAMI) Run(ctx context.Context, state multistep.StateBag) mul
 		// As of February 2017, this applies to C5, I3, P2, R4, X1, and m4.16xlarge
 		registerOpts.EnaSupport = aws.Bool(true)
 	}
+	if s.TpmSupport != "" {
+		registerOpts.TpmSupport = aws.String(s.TpmSupport)
+	}
 
 	registerResp, err := ec2conn.RegisterImage(registerOpts)
 	if err != nil {

@@ -162,4 +162,8 @@
 - `uefi_data` (string) - Base64 representation of the non-volatile UEFI variable store. For more information
   see [AWS documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/uefi-secure-boot-optionB.html).
 
+- `tpm_support` (string) - NitroTPM Support. Valid options are `v2.0`. See the documentation on
+  [NitroTPM Support](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-support-on-ami.html) for
+  more information. Only enabled if a valid option is provided, otherwise ignored.
+
 <!-- End of code generated from the comments of the Config struct in builder/chroot/builder.go; -->
@@ -38,4 +38,8 @@
 - `uefi_data` (string) - Base64 representation of the non-volatile UEFI variable store. For more information
   see [AWS documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/uefi-secure-boot-optionB.html).
 
+- `tpm_support` (string) - NitroTPM Support. Valid options are `v2.0`. See the documentation on
+  [NitroTPM Support](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-support-on-ami.html) for
+  more information. Only enabled if a valid option is provided, otherwise ignored.
+
 <!-- End of code generated from the comments of the Config struct in builder/ebssurrogate/builder.go; -->
@@ -37,4 +37,8 @@
   okay to create this directory as part of the provisioning process.
   Defaults to /tmp.
 
+- `tpm_support` (string) - NitroTPM Support. Valid options are `v2.0`. See the documentation on
+  [NitroTPM Support](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-support-on-ami.html) for
+  more information. Only enabled if a valid option is provided, otherwise ignored.
+
 <!-- End of code generated from the comments of the Config struct in builder/instance/builder.go; -->