Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News HashiCorp Moves HCP Packer into GA with New Security Workflows

HashiCorp Moves HCP Packer into GA with New Security Workflows

This item in japanese


HashiCorp has moved HCP Packer into full general availability. HCP Packer is their cloud hosted offering of Packer, a machine-image building tool. The release adds a number of new features including improved security workflows, custom metadata, and integration of compliance checks with Terraform Cloud workflows.

HashiCorp Cloud Platform (HCP) Packer provides a cross-cloud image gallery for images built using the open-sourced Packer tool. This includes storing metadata that can be used to track the images, artifacts, and iterations across public cloud providers such as AWS, Azure, Google Cloud Platform, and private infrastructure. The metadata includes who maintains the image, any associated version control repositories, and every iteration of the image. The metadata is accessible via either the UI or the API.

HCP Packer UI showing iteration metadata including downstream consumers

HCP Packer UI showing iteration metadata including downstream consumers (credit: HashiCorp)

These features are aligned towards simplifying the process of creating "golden images'': standard machine images that can be used to create downstream images and machines. HCP Packer codifies these golden images as channels which assign build iterations human-readable names. As opposed to referencing a potentially changing build iteration, a consumer can instead reference a channel which can be updated to point at the most recent, published iteration. Downstream consumers will automatically update to the channel's latest image version when they execute pipelines (either via packer build or terraform apply) that request metadata from that channel.

These golden images can be integrated into Terraform configurations using the HCP provider for Terraform. The provider makes HCP Packer's data available as a data source allowing for the use of channel names to obtain golden images. For example, the data source hcp_packer_iteration will obtain the most recent iteration of an image when given a channel name:

data "hcp_packer_iteration" "hardened-source" { 
  bucket_name = "hardened-ubuntu-16-04" 
  channel = "image-test" 

These golden images can be used dynamically referenced workflows that produce child images. This allows for pre-building security, compliance, and other tooling into the base golden image that is common across all downstream images. The HCP provider for Terraform can be used to obtain the most recent base image to build additional layers onto:

data "hcp-packer-iteration" "base-image" {
 bucket_name = "learn-packer-hcp-golden-base-image"
 channel     = "latest"

data "hcp-packer-image" "base-image" {
 bucket_name    = data.hcp-packer-iteration.base-image.bucket_name
 iteration_id   =
 cloud_provider = "aws"
 region         = "us-east-2"

source "amazon-ebs" "marketing-layer-2" {
 source_ami        =
 source_deregister = true
 instance_type     = "t2.small"
 ssh_username      = "ubuntu"
 ami_name          = "custom-secondary-image-redis-server"

The release also introduces setting end of life (EOL) dates for images. Once an EOL date is reached, that image will no longer be returned from HCP Packer API queries. If needed, it is possible to immediately revoke an image. For Terraform Cloud users using run tasks, a notification will be provided if an executed terraform plan contains a revoked image.

HCP Packer standard tier allows for tracking of up to 10 images and 250 API requests per month at no cost. HashiCorp is in the process of launching a Plus Plan in beta for Packer users with larger usage needs. The Plus Plan includes image compliance checks that enable Terraform Cloud to scan configurations for hard-coded AMIs associated with images that are set for revocation.

About the Author

Rate this Article


Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p