algo/roles/cloud-ec2/tasks/encrypt_image.yml


# Look for an AMI that an earlier run already copied and tagged as encrypted,
# so the copy step can be skipped when one is available.
- name: Check if the encrypted image already exist
  ec2_ami_find:
    # Credentials come from play variables when set, otherwise from the
    # standard AWS environment variables.
    aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}"
    aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
    region: "{{ region }}"
    # Only images owned by the calling account are considered, so an image
    # from another account carrying the same tag is never selected.
    owner: self
    state: available
    ami_tags:
      Algo: "encrypted"
    # Newest match first, truncated to a single result.
    sort: creationDate
    sort_order: descending
    sort_end: 1
  # NOTE(review): the match relies on the tag alone. Nothing here checks that
  # the image is actually encrypted or that it was copied from the current
  # source AMI, so an older copy keeps being reused -- confirm this is intended.
  register: search_crypt
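# An encrypted copy was found: point ami_image at it instead of the
# unencrypted source image. Named so the step is identifiable in play output.
- name: Use the existing encrypted image
  set_fact:
    ami_image: "{{ search_crypt.results[0].ami_id }}"
  # An empty result list is falsy, so this is skipped when nothing was found.
  when: search_crypt.results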
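# No encrypted copy exists yet: copy the source AMI within the same region
# with encryption enabled and wait until the copy has finished.
- name: Copy to an encrypted image
  ec2_ami_copy:
    # Credentials come from play variables when set, otherwise from the
    # standard AWS environment variables.
    aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}"
    aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
    # Canonical boolean (was `yes`), matching `wait: true` below.
    encrypted: true
    name: algo
    # When kms_key_id is not defined the parameter is omitted entirely and
    # the key choice is left to AWS. Set kms_key_id to use a customer-managed
    # key whose policy and rotation you control.
    kms_key_id: "{{ kms_key_id | default(omit) }}"
    region: "{{ region }}"
    source_image_id: "{{ ami_image }}"
    source_region: "{{ region }}"
    # This tag is what the earlier lookup task matches on in later runs.
    tags:
      Algo: "encrypted"
    wait: true
  register: enc_image
  when: not search_crypt.results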
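# A fresh encrypted copy was just created: use it as ami_image in place of
# the unencrypted source. Named so the step is identifiable in play output.
- name: Use the newly created encrypted image
  set_fact:
    ami_image: "{{ enc_image.image_id }}"
  # Same condition as the copy task, so enc_image is only read when it ran.
  when: not search_crypt.results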