HashiCorp Cloud Platform
Enforced provisioners
Enforced provisioners let you define reusable Packer provisioner definitions and apply them to one or more HCP Packer buckets. When you enforce a provisioner in an HCP Packer bucket, Packer automatically injects the provisioner blocks into the build. Use enforced provisioners to consistently run the same provisioning logic in HCP Packer buckets, such as security hardening, agent installation, or compliance steps.
Overview
You can create enforced provisioners to ensure that all builds in an HCP Packer bucket include the same set of provisioning steps. Complete the following steps to create an enforced provisioner and apply it to an HCP Packer bucket:
- Create a new enforced provisioner and definition version in the HCP Packer user interface. Refer to Create an enforced provisioner for more information.
- Link the enforced provisioner to one or more HCP Packer buckets. Refer to Link an enforced provisioner for more information.
You can only link one version of an enforced provisioner to a bucket at a time. To update an existing enforced provisioner and link it to a bucket, complete the following steps:
- Create the new version of an enforced provisioner.
- Unlink the old version of the enforced provisioner from the bucket. Refer to Unlink an enforced provisioner for more information.
- Link the new version of the enforced provisioner to the bucket.
Before you can delete a version of an enforced provisioner, you must first unlink every bucket currently linked to that version.
Requirements
To use enforced provisioners, you must meet the following requirements:
- A Standard edition registry is required to use enforced provisioners. Refer to Manage the Packer registry for details about viewing and changing your registry tier.
- An HCP account with the contributor role. Refer to the HCP Packer permissions documentation for more information.
Create an enforced provisioner
To create a new enforced provisioner, complete the following steps:
- Sign into the HCP portal, choose your organization and project, and click Packer in the Services menu.
- Click Enforced Provisioners in the left navigation menu.
- Click Create provisioner.
- Enter a name to give the provisioner in the Provisioner Name field.
- Choose a Provisioner template format of either JSON or HCL.
- Optionally, enter a Description for the provisioner.
- Click Next.
- Choose a version label for the initial enforced provisioner version in the Version field, such as v1.0.0.
- Optionally, specify metadata as labels to associate with your enforced provisioner in the Labels field.
- Click Next.
- Enter your provisioner template in the Packer Template Code textbox. Refer to Examples for more information.
- Click Save.
After you create the provisioner, verify that the new resource appears in the Enforced Provisioners list and that the first version appears in its details view. Once you create an enforced provisioner, you can link it to one or more HCP Packer buckets. Refer to Link an enforced provisioner for more information.
Link an enforced provisioner
To apply an enforced provisioner, you can link one version of the enforced provisioner to one or more HCP Packer buckets. You cannot link multiple versions of the same provisioner to a bucket. When you create a new enforced provisioner version, you must first remove the bucket you want to link from the old version of the provisioner and then link the bucket to the new version. To unlink an enforced provisioner version from a bucket, refer to Unlink an enforced provisioner.
To link a version of an enforced provisioner, complete the following steps:
- Sign into the HCP portal, choose your organization and project, and click Packer in the Services menu.
- Click Enforced Provisioners in the left navigation menu.
- Click the name of the provisioner you want to link.
- Click the ellipses (...) next to the version you want to link.
- Click Manage linked buckets.
- Enter the name of each bucket that you want to link the enforced provisioner to.
- Click Apply Changes.
After you link the enforced provisioner, verify the bucket list shown for that version.
Unlink an enforced provisioner
To unlink a version of an enforced provisioner from a bucket, complete the following steps:
- Sign into the HCP portal, choose your organization and project, and click Packer in the Services menu.
- Click Enforced Provisioners in the left navigation menu.
- Click the name of the provisioner that has the version of the enforced provisioner you want to unlink.
- Click the ellipses (...) next to the version you want to unlink.
- Click Manage linked buckets.
- Remove the buckets that you want to unlink from the version of the enforced provisioner.
- Click Apply Changes.
Delete an enforced provisioner version
Before you can delete a version of an enforced provisioner, you must first unlink every bucket currently linked to that version. Refer to Unlink an enforced provisioner for more information.
To delete an individual version of an enforced provisioner, complete the following steps:
- Sign into the HCP portal, choose your organization and project, and click Packer in the Services menu.
- Click Enforced Provisioners in the left navigation menu.
- Click the name of the provisioner that has the version of the enforced provisioner you want to delete.
- Click the ellipses (...) next to the version you want to delete and click Delete version.
- Click Delete provisioner version to confirm the deletion.
Delete an enforced provisioner
Before you can delete an enforced provisioner, you must first unlink every bucket currently linked to every version of the provisioner. Refer to Unlink an enforced provisioner for more information.
To delete an enforced provisioner and all of its versions, complete the following steps:
- Sign into the HCP portal, choose your organization and project, and click Packer in the Services menu.
- Click Enforced Provisioners in the left navigation menu.
- Click the ellipses (...) next to the provisioner you want to delete and click Delete Provisioner.
- Click Delete provisioner to confirm the deletion.
Examples
The following example demonstrates the configuration you can provide when you create an enforced provisioner. The enforced provisioner contains three shell provisioner blocks that install tools on the machine image, create a user, and apply a sysctl hardening setting. When you link this enforced provisioner to a bucket, every build you create for that bucket runs these three provisioner blocks. The commands assume that the build's SSH user runs as root; if it does not, set execute_command on each shell provisioner so that the script runs with sudo.
```hcl
provisioner "shell" {
  inline = [
    "apt-get update -y",
    "apt-get install -y curl wget jq"
  ]
}

provisioner "shell" {
  inline = [
    "echo 'Creating app user...'",
    "useradd -m -s /bin/bash appuser",
    "mkdir -p /opt/app",
    "chown appuser:appuser /opt/app"
  ]
}

provisioner "shell" {
  inline = [
    "echo 'Applying security hardening...'",
    "echo 'net.ipv4.ip_forward = 0' >> /etc/sysctl.conf",
    "echo 'Build complete!'"
  ]
}
```
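The inline commands above run unconditionally: if a template in the bucket already creates the same user, useradd fails, and appending to /etc/sysctl.conf leaves a duplicate line each time the step runs. The following script is an added example and is not part of the HCP Packer documentation. It shows an idempotent version of the user and hardening steps that you could ship through a script-based shell provisioner instead of inline commands: it writes a drop-in file under /etc/sysctl.d, checks for the account before creating it, and takes a hypothetical root-prefix argument so the file-writing functions can be exercised against a scratch directory. The drop-in file name 99-enforced-hardening.conf, the appuser account name, and the ENFORCED_HARDENING_APPLY gate are assumptions made for this example.

```shell
#!/bin/sh
# Added example: idempotent hardening steps for an enforced shell provisioner.
# Not from the HCP Packer docs. The root-prefix argument is a hypothetical
# convenience so the file-writing steps can be exercised in a scratch
# directory; in a real build it is "/" and the script runs as root.
set -eu

SYSCTL_DROPIN="etc/sysctl.d/99-enforced-hardening.conf"   # assumed file name
APP_USER="appuser"                                          # assumed account name

# Write sysctl settings to a drop-in file. Rewriting the whole file, rather
# than appending to /etc/sysctl.conf, means running the step twice leaves one
# copy of each setting. Prints the path written.
write_sysctl_dropin() {
    root="${1:-/}"
    target="${root%/}/$SYSCTL_DROPIN"
    mkdir -p "$(dirname "$target")"
    cat > "$target" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
EOF
    chmod 0644 "$target"
    printf '%s\n' "$target"
}

# Read one key back from the drop-in, for verification after the write.
sysctl_value() {
    root="${1:-/}"
    awk -v k="$2" -F' *= *' '$1 == k { print $2 }' "${root%/}/$SYSCTL_DROPIN"
}

# Number of lines in the drop-in; stays constant across repeated runs.
sysctl_line_count() {
    root="${1:-/}"
    wc -l < "${root%/}/$SYSCTL_DROPIN" | tr -d ' '
}

# True if the account exists in the passwd file (default /etc/passwd).
user_exists() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "${2:-/etc/passwd}"
}

# Create the service account and its directory only when missing, so the step
# also succeeds on a base image or template that already defines them.
ensure_app_user() {
    if ! user_exists "$APP_USER"; then
        useradd -m -s /bin/bash "$APP_USER"
    fi
    mkdir -p /opt/app
    chown "$APP_USER:$APP_USER" /opt/app
}

# Full run against the live system; gated so sourcing the file for checks
# does not modify the host.
if [ "${ENFORCED_HARDENING_APPLY:-0}" = "1" ]; then
    write_sysctl_dropin /
    sysctl --system >/dev/null
    ensure_app_user
    echo "Hardening applied"
fi
```

In a build, run the script with ENFORCED_HARDENING_APPLY=1 from a shell provisioner that uses the script option rather than inline; the drop-in is applied with sysctl --system during the build and persists into the image because it lives under /etc/sysctl.d.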
Run builds with enforced provisioners
Packer applies enforced provisioners automatically when a build connects to HCP Packer and targets a bucket that has an enforced provisioner version linked to it. The linked provisioner blocks are injected into that build without any change to the template.
You can pass the -skip-enforcement flag to the packer build command to bypass the provisioners enforced on the bucket for that build. Refer to the Packer build command reference for more information. Because anyone who can run packer build can pass this flag, enforced provisioners ensure consistency for builds that do not opt out; they do not by themselves guarantee that every image in the bucket ran the linked steps. Where you need that assurance, verify the contents of the resulting image separately.