Owner security

HashiCorp moves HCP Packer to GA with new security workflows

HashiCorp has released HCP Packer into full general availability. HCP Packer is their cloud-hosted offering of Packer, a machine imaging tool. The release adds a number of new features, including improved security workflows, custom metadata, and compliance checks integration with Terraform Cloud workflows.

HashiCorp Cloud Platform (HCP) Packer provides a cross-cloud image gallery for images created using the open source Packer tool. This includes storing metadata that can be used to track images, artifacts, and iterations across public cloud providers such as AWS, Azure, Google Cloud Platform, and private infrastructure. Metadata includes who manages the image, any associated version control repositories, and each iteration of the image. Metadata can be accessed through the UI or API.

HCP Packer UI showing iteration metadata including downstream consumers (Credit: HashiCorp)

These features are aligned with simplifying the process of creating “ideal images”: standard machine images that can be used to create downstream images and machines. HCP Packer codifies these privileged images as pipes that assign build iterations human-readable names. As opposed to referencing a potentially changing build iteration, a consumer can instead reference a channel that can be updated to point to the most recent released iteration. Downstream consumers will automatically update to the latest channel image version when they run pipelines (either through packer build Where terraform apply) that request metadata from this channel.

These golden images can be integrated into Terraform configurations using the HCP Provider for Terraform. The provider makes the data from HCP Packer available as a data source allowing the use of channel names to obtain perfect images. For example, the data source hcp_packer_iteration will get the most recent iteration of an image when given a channel name:

data "hcp_packer_iteration" "hardened-source" { 
  bucket_name = "hardened-ubuntu-16-04" 
  channel = "image-test" 

These golden images can be used in dynamically referenced workflows that produce child images. This allows security, compliance, and other tools to be pre-built into the base master image that is common to all downstream images. The HCP Provider for Terraform can be used to get the most recent base image on which to build additional layers:

data "hcp-packer-iteration" "base-image" {
 bucket_name = "learn-packer-hcp-golden-base-image"
 channel     = "latest"

data "hcp-packer-image" "base-image" {
 bucket_name    = data.hcp-packer-iteration.base-image.bucket_name
 iteration_id   = data.hcp-packer-iteration.base-image.id
 cloud_provider = "aws"
 region         = "us-east-2"

source "amazon-ebs" "marketing-layer-2" {
 source_ami        = data.hcp-packer-image.base-image.id
 source_deregister = true
 instance_type     = "t2.small"
 ssh_username      = "ubuntu"
 ami_name          = "custom-secondary-image-redis-server"

The release also introduces setting end-of-life (EOL) dates for images. Once an EOL date is reached, this image will no longer be returned by HCP Packer API requests. If necessary, it is possible to immediately revoke an image. For Terraform Cloud users using runtime tasks, a notification will be provided if a running Terraform plan contains a revoked image.

The standard tier of HCP Packer allows tracking of up to 10 images and 250 API requests per month at no cost. HashiCorp is launching a Plus plan in beta for Packer users with higher usage needs. The Plus plan includes image compliance checks that allow Terraform Cloud to analyze configurations for hard-coded AMIs associated with images set for revocation.