Unable to use ami_regions when Tags-on-create policy enforced #591

@a1exx-k

Overview of the Issue

Our organization enforces an AWS Organizations tag policy (“Tags-on-create” enforcement) that requires some tags at the moment the AMI is created in the destination region.

When Packer uses ami_regions to copy an AMI, it seems that tags aren’t supplied as TagSpecifications in that copy request, and the call is rejected before any post-copy tagging can occur — which yields this error:

TagPolicyViolation: The resource is missing the tag key(s) 'RequiredTag'

Therefore, we are unable to use the ami_regions option.

Reproduction Steps

Steps to reproduce this issue

  • Introduce a “Tags-on-create” enforcement policy in AWS in the target region with the tag RequiredTag
  • Add the RequiredTag tag to the tags list
  • Set ami_regions to the target region
  • AMI copy fails with TagPolicyViolation: The resource is missing the tag key(s) 'RequiredTag'

Plugin and Packer version

packer v1.13.0, plugin v1.3.9

Simplified Packer Buildfile

source "amazon-ebs" "example" {
  ami_name    = "example"
  region      = "eu-central-1"
  ami_regions = ["eu-west-1"]
  ...
  run_tags = {
    RequiredTag = "value"
  }
  snapshot_tags = {
    RequiredTag = "value"
  }

  tags = {
    RequiredTag = "value"
  }
  ...
}

build {
  sources = ["source.amazon-ebs.example"]
}

Operating system and Environment details

linux, amd64
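The copy request the report asks for, sketched as an added example (not code from the issue or from the Packer plugin): it turns the template's tags and snapshot_tags maps into create-time TagSpecifications for one CopyImage call per destination region, and refuses to build a request that would lack a required key. It assumes CopyImage accepts TagSpecifications for the image and snapshot resource types, as the report implies, and that the policy covers both; the function names, REQUIRED_KEYS and the AMI ID placeholder are constructed.

```python
"""Build EC2 CopyImage requests that carry tags at creation time."""
import json

REQUIRED_KEYS = {"RequiredTag"}  # constructed: keys the tag policy enforces


def tag_spec(resource_type, tags):
    """Convert a Packer-style tag map into one TagSpecifications entry."""
    return {
        "ResourceType": resource_type,
        "Tags": [{"Key": k, "Value": v} for k, v in sorted(tags.items())],
    }


def missing_keys(tags, required=REQUIRED_KEYS):
    """Return the required tag keys absent from a tag map, sorted."""
    return sorted(k for k in required if k not in tags)


def build_copy_requests(image_id, name, source_region, ami_regions,
                        tags, snapshot_tags):
    """Return {region: kwargs}, one CopyImage request per destination region.

    Raises ValueError before any API call if a required key is missing, so
    the failure surfaces locally instead of as a TagPolicyViolation.
    """
    problems = {"image": missing_keys(tags),
                "snapshot": missing_keys(snapshot_tags)}
    problems = {k: v for k, v in problems.items() if v}
    if problems:
        raise ValueError(f"tags missing required keys: {problems}")
    # Assumption: tags sent here are applied when the copy is created,
    # which is what a tags-on-create policy evaluates.
    specs = [tag_spec("image", tags), tag_spec("snapshot", snapshot_tags)]
    return {
        region: {"Name": name, "SourceImageId": image_id,
                 "SourceRegion": source_region, "TagSpecifications": specs}
        for region in ami_regions
        if region != source_region  # the source region already has the AMI
    }


if __name__ == "__main__":
    # "ami-EXAMPLE" is a placeholder; each kwargs dict is meant to be passed
    # to an EC2 client created in the destination region.
    reqs = build_copy_requests("ami-EXAMPLE", "example", "eu-central-1",
                               ["eu-west-1"], {"RequiredTag": "value"},
                               {"RequiredTag": "value"})
    print(json.dumps(reqs, indent=2))
```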
