
Identify compromised artifacts with HCP Terraform

12 min | HCP, Packer, Terraform

When you query an artifact fingerprint from HCP Packer, you want to be confident that it is not compromised or outdated. The data source artifact validation HCP Terraform run task scans your Terraform resources for references to hcp_packer_version and hcp_packer_artifact data sources. Once it detects a referenced data resource, it will warn you if it retrieves a revoked artifact version or an artifact version scheduled for revocation. This scanning is available for all HCP Packer users.

Note

HCP Terraform Free Edition includes one run task integration that you can apply to up to ten workspaces. Refer to HCP Terraform pricing for details.

Since it relies on the HCP Packer data sources to validate the artifact fingerprints, data source artifact validation supports all Terraform resources. The run task also has paid resource artifact validation, which currently only supports this list of resources. The paid validation feature checks artifacts referenced by hard-coded artifact fingerprints.

Note

Scheduled revocation is an HCP Packer Standard tier feature.

In this tutorial, you will use the HCP Terraform run task for HCP Packer to prevent your Terraform configuration from referencing revoked artifact versions. You will first associate the run task with an HCP Terraform workspace, then test the run task against configuration that includes a revoked version.

Prerequisites

This tutorial assumes that you are familiar with:

  • The standard Packer and HCP Packer workflows. If you are new to Packer, complete the Get Started tutorials first. If you are new to HCP Packer, complete the Get Started HCP Packer tutorials first.
  • The Terraform and HCP Terraform plan/apply workflows. If you're new to Terraform itself, refer first to the Getting Started tutorials. If you are new to HCP Terraform, refer to the Get Started - HCP Terraform tutorials.

To follow along with this tutorial, you will need:

In addition, you must have an HCP Terraform run task integrated with HCP Packer. If you do not have one set up, follow the Set Up HCP Terraform Run Task for HCP Packer tutorial.

Create and set HCP service principal ID and key

Log into HCP Packer. Select Access control (IAM) from the sidebar menu, then click Service principals.

Create a service principal named packer with the Contributor role.

Once you create the service principal, HCP shows you a detailed overview page. Click Keys in the left navigation bar, then click Generate key to create a client ID and secret.

Copy and save the client ID and secret; you will not be able to retrieve the secret later. You will use these credentials in the next step.

Create service principal key

Once you generate the keys for the service principal, set the client ID and secret as environment variables so that Packer can authenticate with HCP.

In your terminal, set an environment variable for the client ID.

```shell
$ export HCP_CLIENT_ID=
```

Then, set an environment variable for the client secret.

```shell
$ export HCP_CLIENT_SECRET=
```

Next, navigate to your HCP project settings page to get your project's ID.

Retrieve your project's ID

Use this value to set an environment variable for your project's ID.

```shell
$ export HCP_PROJECT_ID=
```

Login to HCP Terraform

In this tutorial, you will use the Terraform CLI to create the HCP Terraform workspace and trigger remote plan and apply runs.

Log in to your HCP Terraform account in your terminal.

```shell
$ terraform login
Terraform will request an API token for app.terraform.io using your browser.

If login is successful, Terraform will store the token in plain text in
the following file for use by subsequent commands:

    /Users/<USER>/.terraform.d/credentials.tfrc.json

Do you want to proceed?
  Only 'yes' will be accepted to confirm.

  Enter a value:
```

Confirm with a yes and follow the workflow in the browser window that automatically opens. Paste the generated API key into your terminal when prompted. For more detailed instructions on logging in, review the Collaborate using HCP Terraform tutorial.

Clone repository

In your terminal, clone the example repository. This repository contains a Packer template that defines an Ubuntu AMI and two directories with configuration that you will use to test the run task.

```shell
$ git clone https://github.com/hashicorp-education/learn-hcp-packer-run-tasks
```

Navigate to the cloned repository.

```shell
$ cd learn-hcp-packer-run-tasks
```

Create artifact version in HCP Packer

Open ubuntu-focal.pkr.hcl to review the template. This template will build an Ubuntu 20.04 AMI in the us-east-2 region. It will also push the metadata to the learn-packer-run-tasks bucket in HCP Packer.

ubuntu-focal.pkr.hcl

```hcl
build {
  hcp_packer_registry {
    bucket_name = "learn-packer-run-tasks"
    ## ...
  }
  sources = [
    "source.amazon-ebs.basic-example-east"
  ]
}
```

Initialize your Packer template.

```shell
$ packer init .
```

Now, build your artifact.

```shell
$ packer build ubuntu-focal.pkr.hcl
Tracking build on HCP Packer with fingerprint "01HMH2E8ENJR3NB6PBJBT2F69B"
amazon-ebs.basic-example-east: output will be in this color.

==> amazon-ebs.basic-example-east: Prevalidating any provided VPC information
==> amazon-ebs.basic-example-east: Prevalidating AMI Name: packer_AWS_1705675008_v1.0.0
    amazon-ebs.basic-example-east: Found Image ID: ami-03...
## ...
==> Wait completed after 4 minutes 34 seconds

==> Builds finished. The artifacts of successful builds are:
--> amazon-ebs.basic-example-east: AMIs were created:
us-east-2: ami-0c16bec5441261947

--> amazon-ebs.basic-example-east: Published metadata to HCP Packer registry packer/learn-packer-run-tasks/versions/01HMH2E9VE1RQ20E2CTV9SX4ZT
```

In your HCP dashboard, go to the learn-packer-run-tasks bucket to confirm Packer pushed the build metadata to HCP Packer.

HCP Packer `learn-packer-run-tasks` bucket

Create channel and schedule revocation

From the HCP Packer UI, navigate to the Channels page. Create a channel named production and set it to the first version.

Artifact channel named `production` set to the first version

Next, go to the Versions page. Schedule a revocation date for the first version by clicking on ..., then Revoke version.

Select Revoke at a future date and enter the time for 1 minute from your current time. The time is in UTC (check the current time in UTC). For example, if it is currently 10:00, enter 10:01. Then, enter Assign artifact channel to revoked version for the revocation reason, then click Revoke Version to revoke the version.

You are setting a short revocation window so that your artifact channel uses a revoked artifact to test validation workflows. This is for the educational purposes of the tutorial.

Schedule a revocation for the first version one minute from current time

Set up HCP Terraform workspace

Go to the tf-data-source-validation directory. This directory contains Terraform configuration that you will use to create an HCP Terraform workspace to test the data source artifact validation run task.

```shell
$ cd tf-data-source-validation
```

Open main.tf. This configuration defines two data sources that retrieve an AMI ID from the production channel of the learn-packer-run-tasks HCP Packer bucket, and an EC2 instance that uses the image ID returned by the HCP Packer data sources.

tf-data-source-validation/main.tf

```hcl
provider "hcp" {}

provider "aws" {
  region = var.region
}

data "hcp_packer_version" "ubuntu" {
  bucket_name  = "learn-packer-run-tasks"
  channel_name = "production"
}

data "hcp_packer_artifact" "ubuntu_us_east_2" {
  bucket_name         = "learn-packer-run-tasks"
  platform            = "aws"
  version_fingerprint = data.hcp_packer_version.ubuntu.fingerprint
  region              = "us-east-2"
}

resource "aws_instance" "app_server" {
  ami           = data.hcp_packer_artifact.ubuntu_us_east_2.external_identifier
  instance_type = "t2.micro"
  tags = {
    Name = "Learn-HCP-Packer"
  }
}
```

Update configuration

Open terraform.tf. In the cloud block, update the organization to point to your HCP Terraform organization.

tf-data-source-validation/terraform.tf

```hcl
terraform {
  ## ...
  cloud {
    organization = "hashicorp-training"
    hostname     = "app.terraform.io"
    workspaces {
      name = "learn-hcp-packer-run-tasks-data-source-validation"
    }
  }
}
```

Create HCP Terraform workspace

Initialize your Terraform configuration. This will create an HCP Terraform workspace named learn-hcp-packer-run-tasks-data-source-validation in your HCP Terraform organization.

```shell
$ terraform init
Initializing HCP Terraform...

Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/aws v4.2.0...
- Installed hashicorp/aws v4.2.0 (signed by HashiCorp)

HCP Terraform has been successfully initialized!

You may now begin working with HCP Terraform. Try running "terraform plan" to
see any changes that are required for your infrastructure.

If you ever set or change modules or Terraform Settings, run "terraform init"
again to reinitialize your working directory.
```

Log into the HCP Terraform UI and go to the learn-hcp-packer-run-tasks-data-source-validation workspace.

The `learn-hcp-packer-run-tasks-data-source-validation` workspace

Add AWS and HCP credentials to workspace variables

Go to the Variables page.

Under Workspace variables, add your AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, HCP_CLIENT_ID, HCP_CLIENT_SECRET, and HCP_PROJECT_ID as environment variables. You generated the HCP client ID and secret in the prerequisites. Alternatively, you can create variable sets with these environment variables and reuse them across multiple workspaces.

Warning

Be sure to mark the AWS_SECRET_ACCESS_KEY and HCP_CLIENT_SECRET as sensitive.

Set HCP Terraform variables for AWS and HCP credentials

Note

Set a variable for your AWS_SESSION_TOKEN if your organization requires it.

Enable run tasks in workspace

Click on Settings, then Run Tasks. Under Available Run Tasks, click on HCP-Packer.

Run task page shows HCP-Packer under "Available Run Tasks"

HCP Terraform run tasks have two enforcement levels.

  1. Advisory: If this run task fails, the run will proceed with a warning in the UI.
  2. Mandatory: If this run task fails, the run will return an error and stop.

Select the Mandatory enforcement level, then click Create.

Associate HCP-Packer run task with workspace and set to mandatory enforcement level

The Run Task page will now display the run task for HCP Packer. This run task will parse resources for hard-coded machine image IDs and check if they are tracked and unrevoked in HCP Packer. If the run task detects a machine image ID that is associated with a revoked version, both the run task and the HCP Terraform run will fail.

HCP Terraform workspace now shows HCP-Packer run task

Trigger HCP Terraform run

In your terminal, apply your configuration. After Terraform creates the plan, the run will return an error because the run task failed.

```shell
$ terraform apply
Running apply in HCP Terraform. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:
https://app.terraform.io/app/hashicorp-training/learn-hcp-packer-run-tasks-resource-validation/runs/run-REDACTED
```

In HCP Terraform, open the latest run. Notice that Terraform was able to build an execution plan.

The hcp_packer_artifact data source will return the artifact satisfying the data source parameters regardless of its revocation status. If the data source references a revoked artifact or an artifact that is scheduled to be revoked, the revoke_at attribute is set to the revocation timestamp.

The data source artifact validation run task automatically checks and warns for artifact versions that are revoked or scheduled for revocation.
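Because the data source itself never refuses a revoked artifact, the same revoke_at attribute can also be guarded inside the configuration, so a plan fails even in a workspace where the run task is not attached. The following is an added example and not part of the tutorial repository; it assumes the hcp_packer_artifact revoke_at attribute is null whenever the version has neither been revoked nor scheduled for revocation, and reuses the data sources from main.tf above.

```hcl
data "hcp_packer_version" "ubuntu" {
  bucket_name  = "learn-packer-run-tasks"
  channel_name = "production"
}

data "hcp_packer_artifact" "ubuntu_us_east_2" {
  bucket_name         = "learn-packer-run-tasks"
  platform            = "aws"
  version_fingerprint = data.hcp_packer_version.ubuntu.fingerprint
  region              = "us-east-2"
}

resource "aws_instance" "app_server" {
  ami           = data.hcp_packer_artifact.ubuntu_us_east_2.external_identifier
  instance_type = "t2.micro"

  lifecycle {
    # Assumption: revoke_at is null unless the version is revoked or has a
    # scheduled revocation, in which case it holds the revocation timestamp.
    # A scheduled revocation is treated the same as a completed one, which
    # matches how the data source artifact validation run task behaves.
    precondition {
      condition     = data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at == null
      error_message = join(" ", [
        "HCP Packer version ${data.hcp_packer_version.ubuntu.fingerprint}",
        "in channel 'production' is revoked or scheduled for revocation.",
        "Reassign the channel to a valid version before applying.",
      ])
    }
  }

  tags = {
    Name = "Learn-HCP-Packer"
  }
}
```

The precondition only covers resources that reference the HCP Packer data sources, so it complements rather than replaces the run task, which also reports on resources that already exist.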

Click the Tasks failed box.

View failed run task

The run task failed with the following message:

Data source artifact validation results: 1 resource scanned. 1 new resource using revoked artifacts. No newer version was found for the revoked artifacts. Use Packer to build compliant artifacts and send information to HCP Packer. When using channels, the channel must be re-assigned to a valid version.

The run task detected that the aws_instance resource references the hcp_packer_artifact data source. Since the data source references a revoked version and the resource was being created, the run task failed and blocked the deployment of revoked artifacts.

Note

The run task will only fail if the configuration uses a revoked artifact for creating new resources. If an existing resource uses a revoked artifact, the run task will succeed but still report that the resource is not compliant.

If the run task determines that a newer version is available, it will suggest that you use it. If you are the artifact maintainer, you can assign the channel to the newer version.

The Details link in the run task output will take you to the HCP Packer dashboard in case you wish to make any changes.

Restore artifact version

In the HCP Packer dashboard, go to the learn-packer-run-tasks bucket and select the revoked version. Click Manage, then Restore version to restore the revoked version.

Restore revoked version in learn-packer-run-tasks bucket

Confirm the action by clicking on Restore version.

Re-trigger HCP Terraform run

Apply your configuration. When prompted to confirm the apply, press Enter to discard the run.

```shell
$ terraform apply
Running apply in HCP Terraform. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:
https://app.terraform.io/app/hashicorp-training/learn-hcp-packer-run-tasks-data-source-validation/runs/run-REDACTED

Waiting for the plan to start...

Terraform v1.1.6
on linux_amd64
Configuring remote state backend...
Initializing Terraform configuration...

## ...

Plan: 1 to add, 0 to change, 0 to destroy.

## ...

Do you want to perform these actions in workspace "learn-hcp-packer-run-tasks-data-source-validation"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:
│ Error: Apply discarded.
```

Verify artifact validation

In HCP Terraform, open the latest run and expand the Tasks passed box.

View passing run task

The run task passed with the following message:

Data source artifact validation: 1 resource scanned. All resources are compliant.

The run task parsed the aws_instance resource and again detected the reference to the HCP Packer data source. Since you restored the version, your configuration is now valid and the run check passes.

The data source artifact validation only validates resources that reference the hcp_packer_artifact data source. The Standard tier resource artifact validation run task validates all types of artifact fingerprint references (for example, HCP data source, hard-coded, or external source).

Next steps

In this tutorial, you used the HCP Terraform run task for HCP Packer to prevent your Terraform configuration from referencing revoked artifact versions.

For more information on topics covered in this tutorial, check out the following resources:
