HCP Vault Secrets Centralized secrets lifecycle management for developers. Learn More
Packer
HCP Packer

Control images with channels

  • 9min
  • |
  • HCP
  • Packer
  • Terraform

Just like software teams version and tag applications to track changes, you should version and tag parent images. HCP Packer channels let you to label image iterations to describe the quality and stability of the build. Channels give you control over the delivery of your images. Other teams can dynamically query images based on the quality and stability they want. This workflow helps your infrastructure stay up to date with minimal manual effort and is less error-prone than manually referencing AMIs or using AWS tags.

In this tutorial, you will create a new channel in the HCP Packer registry. Next, you will query the channel and its build artifact metadata, then use the image to deploy an EC2 instance with Terraform. Next, you will update the channel to point to another iteration, and query the updated channel.

Prerequisites

To complete this tutorial, you must have completed the previous tutorials. In the previous tutorials, you:

  • Created a service principal.
  • Set your client ID and secret as environment variables.
  • Configured your AWS credentials as environment variables.
  • Built an image and push its metadata to HCP Packer.

In addition, you will need:

Create another image iteration

In ubuntu-focal.pkr.hcl, update the version number to 1.0.1.

Tip

If you do not already have this file, complete the previous tutorial.

ubuntu-focal.pkr.hcl
packer {
  ## ...
}

variable "version" {
  type    = string
  default = "1.0.1"
}

The amazon-ebs source blocks use the version variable to generate the AMI name. Since you changed the version number, Packer will generate a new AMI in each region.

ubuntu-focal.pkr.hcl
source "amazon-ebs" "basic-example-east" {
  ## ..
  ami_name       = "packer_AWS_{{timestamp}}_v${var.version}"
}

source "amazon-ebs" "basic-example-west" {
  ## ..
  ami_name       = "packer_AWS_{{timestamp}}_v${var.version}"
}

In your terminal, format the Packer template.

$ packer fmt ubuntu-focal.pkr.hcl

Stage your template file.

$ git add ubuntu-focal.pkr.hcl

Then, commit your changes.

$ git commit -m "Update image version"

Finally, build your image. Continue with the tutorial while Packer builds the image.

$ packer build ubuntu-focal.pkr.hcl
amazon-ebs.basic-example-east: output will be in this color.
amazon-ebs.basic-example-west: output will be in this color.
==> amazon-ebs.basic-example-west: Publishing build details for amazon-ebs.basic-example-west to the HCP Packer registry
==> amazon-ebs.basic-example-east: Publishing build details for amazon-ebs.basic-example-east to the HCP Packer registry
==> amazon-ebs.basic-example-west: Prevalidating any provided VPC information
==> amazon-ebs.basic-example-west: Prevalidating AMI Name: packer_AWS_1646372103_v1.0.1
==> amazon-ebs.basic-example-east: Prevalidating any provided VPC information
==> amazon-ebs.basic-example-east: Prevalidating AMI Name: packer_AWS_1646372103_v1.0.1
## ...
==> Wait completed after 3 minutes 43 seconds
==> Builds finished. The artifacts of successful builds are:
--> amazon-ebs.basic-example-west: AMIs were created:
us-west-1: ami-00eabd3d9c1fd7377
--> amazon-ebs.basic-example-west: Published metadata to HCP Packer registry packer/learn-packer-ubuntu/iterations/01FX9PS8XXYQ5AT2JMT9ZR03MW
--> amazon-ebs.basic-example-east: AMIs were created:
us-east-2: ami-0c1da2ccb8b526c36
--> amazon-ebs.basic-example-east: Published metadata to HCP Packer registry packer/learn-packer-ubuntu/iterations/01FX9PS8XXYQ5AT2JMT9ZR03MW

Add channels to the image bucket

Visit the HCP Packer dashboard and select the learn-packer-ubuntu image you created in the previous tutorial. Your bucket has one complete iteration and another that Packer is currently building.

Main page for learn-packer-ubuntu image bucket. This page will show two iterations for the image.

Go to Channels in the left navigation menu and click New Channel. Create a new channel named production and select the first iteration.

Create a channel named production for learn-packer-ubuntu image bucket.

Query and deploy image

Wait until Packer finishes building the second iteration before continuing.

Once Packer completes the build, change into the tf-channel directory.

$ cd tf-channel

Open tf-channel/main.tf to review the Terraform configuration.

tf-channel/main.tf
provider "hcp" {}

data "hcp_packer_iteration" "ubuntu" {
  bucket_name = "learn-packer-ubuntu"
  channel     = "production"
}

data "hcp_packer_image" "ubuntu_us_east_2" {
  bucket_name    = "learn-packer-ubuntu"
  cloud_provider = "aws"
  iteration_id   = data.hcp_packer_iteration.ubuntu.ulid
  region         = "us-east-2"
}

This Terraform configuration contains two data sources:

  1. The hcp_packer_iteration retrieves the channel's current iteration. Notice that this resource references the bucket name (learn-packer-ubuntu) and channel (production) you created in the previous steps.

  2. The hcp_packer_image retrieves a specific image from the iteration data source above. Remember that an iteration may contain multiple machine images from different cloud providers and regions.

In addition, this configuration deploys an EC2 instance with the image you queried.

tf-channel/main.tf
resource "aws_instance" "app_server" {
  ami           = data.hcp_packer_image.ubuntu_us_east_2.cloud_image_id
  instance_type = "t2.micro"
  tags = {
    Name = "Learn-HCP-Packer"
  }
}

The Terraform provider for HCP uses the HCP_CLIENT_ID and HCP_CLIENT_SECRET environment variables to authenticate to HCP. You configured these values in the previous tutorial.

Initialize your Terraform configuration.

$ terraform init
Initializing the backend...

Initializing provider plugins...
- Reusing previous version of hashicorp/hcp from the dependency lock file
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/hcp v0.23.1...
- Installed hashicorp/hcp v0.23.1 (signed by HashiCorp)
- Installing hashicorp/aws v4.2.0...
- Installed hashicorp/aws v4.2.0 (signed by HashiCorp)

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Apply your configuration. Enter yes when prompted to confirm the run.

$ terraform apply
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  + create

Terraform will perform the following actions:

  # aws_instance.app_server will be created
  + resource "aws_instance" "app_server" {
      + ami                                  = "ami-0f7..."
      ## ...
  + }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + ubuntu_iteration = {
      + author_id           = "packer"
      + bucket_name         = "learn-packer-ubuntu"
      + channel             = "production"
      ## ...
    }
  + ubuntu_us_east_2 = {
      + bucket_name     = "learn-packer-ubuntu"
      ## ...
    }

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_instance.app_server: Creating...
aws_instance.app_server: Still creating... [10s elapsed]
aws_instance.app_server: Still creating... [20s elapsed]
aws_instance.app_server: Creation complete after 23s [id=i-0a3ae53d111dd476f]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

ubuntu_iteration = {
  "author_id" = "learn-hcp-packer"
  "bucket_name" = "learn-packer-ubuntu"
  "channel" = "production"
  "created_at" = "2023-03-10T15:20:41.647Z"
  "fingerprint" = "01GQ8832ZT3ZV7ZCQ6MZ1APKJ2"
  "id" = "01GV61R8XFM3RD81B8DZJ2QWT4"
  "incremental_version" = 1
  "organization_id" = "a54e8641-88c0-46e3-a845-4f68a478b798"
  "project_id" = "2651bd1a-de00-47c9-aed5-5b7453f25089"
  "timeouts" = null /* object */
  "ulid" = "01GV61R8XFM3RD81B8DZJ2QWT4"
  "updated_at" = "2023-03-10T15:23:48.463Z"
}
ubuntu_us_east_2 = {
  "bucket_name" = "learn-packer-ubuntu"
  "build_id" = "01GV61R949QYCDVEAW7DNBKG7H"
  "cloud_image_id" = "ami-..."
  "cloud_provider" = "aws"
  "component_type" = "amazon-ebs.basic-example-east"
  "created_at" = "2023-03-10T15:20:41.865Z"
  "id" = "01GV61XZ6KT5YMEHEHHJ8E6WW9"
  "iteration_id" = "01GV61R8XFM3RD81B8DZJ2QWT4"
  "labels" = tomap({
    "build-source" = "learn-hcp-packer-get-started"
    "build-time" = "2023-03-10T15:20:40Z"
  })
  "organization_id" = "a54e8641-88c0-46e3-a845-4f68a478b798"
  "packer_run_uuid" = "eb408e13-2cd5-394c-2cfd-45c0a9741734"
  "project_id" = "2651bd1a-de00-47c9-aed5-5b7453f25089"
  "region" = "us-east-2"
  "timeouts" = null /* object */
}

The ubuntu_iteration output returns all metadata associated with the iteration. It shows that this is the first iteration (incremental_version) and assigned to the production channel.

The ubuntu_us_east_2 output returns the build for us_east_2 region. Notice that the cloud_image_id maps to the AMI ID.

Update a channel to point to another iteration

Return to the Channels page in the HCP Packer portal.

Edit the production channel by clicking on the ... and selecting Changed assigned iteration. Then, update the channel to the second iteration.

Set production channel to the first iteration for learn-packer-ubuntu image bucket.

View channel assignment history

Click on the production channel name to view the channel's overview page.

Review the Assignment history section, which lists when you assigned each iteration to the channel.

Channel overview

Re-query channel image iteration

Now, re-apply your Terraform configuration. Enter yes when prompted to confirm the run.

$ terraform apply

## ...

Plan: 1 to add, 0 to change, 1 to destroy.

## ...

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_instance.app_server: Destroying... [id=i-0a3ae53d111dd476f]
aws_instance.app_server: Still destroying... [id=i-0a3ae53d111dd476f, 10s elapsed]
aws_instance.app_server: Still destroying... [id=i-0a3ae53d111dd476f, 20s elapsed]
aws_instance.app_server: Still destroying... [id=i-0a3ae53d111dd476f, 30s elapsed]
aws_instance.app_server: Destruction complete after 31s
aws_instance.app_server: Creating...
aws_instance.app_server: Still creating... [10s elapsed]
aws_instance.app_server: Still creating... [20s elapsed]
aws_instance.app_server: Creation complete after 22s [id=i-0127eeba25202f366]

Apply complete! Resources: 1 added, 0 changed, 1 destroyed.

Outputs:

ubuntu_iteration = {
  "author_id" = "learn-hcp-packer"
  "bucket_name" = "learn-packer-ubuntu"
  "channel" = "production"
  "created_at" = "2023-03-10T15:25:43.353Z"
  "fingerprint" = "01GQ8832ZT3ZV7ZCQ6MZ1APKJ2"
  "id" = "01GV621FHS1JQ75N8AZ4GZHFSM"
  "incremental_version" = 2
  "organization_id" = "a54e8641-88c0-46e3-a845-4f68a478b798"
  "project_id" = "2651bd1a-de00-47c9-aed5-5b7453f25089"
  "timeouts" = null /* object */
  "ulid" = "01GV621FHS1JQ75N8AZ4GZHFSM"
  "updated_at" = "2023-03-10T15:28:57.758Z"
}
ubuntu_us_east_2 = {
  "bucket_name" = "learn-packer-ubuntu"
  "build_id" = "01GV621FRRDVN4V75PGXRF4SP2"
  "cloud_image_id" = "ami-..."
  "cloud_provider" = "aws"
  "component_type" = "amazon-ebs.basic-example-east"
  "created_at" = "2023-03-10T15:25:43.576Z"
  "id" = "01GV627D8AF7J4JY3WDG8WG2EH"
  "iteration_id" = "01GV621FHS1JQ75N8AZ4GZHFSM"
  "labels" = tomap({
    "build-source" = "learn-hcp-packer-get-started"
    "build-time" = "2023-03-10T15:25:41Z"
  })
  "organization_id" = "a54e8641-88c0-46e3-a845-4f68a478b798"
  "packer_run_uuid" = "c7cb5c02-7329-4ae3-ea58-7836a8777546"
  "project_id" = "2651bd1a-de00-47c9-aed5-5b7453f25089"
  "region" = "us-east-2"
  "timeouts" = null /* object */
}

Since you updated the iteration the channel uses, the incremental_version changed from 1 to 2,

Destroy infrastructure

Run terraform destroy to clean up your provisioned infrastructure. Respond yes to the prompt to confirm the operation.

$ terraform destroy
## ...

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:
## ...

Plan: 0 to add, 0 to change, 1 to destroy.

## ...

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

## ...

Destroy complete! Resources: 1 destroyed.

Next steps

In this tutorial, you created a new channel in the HCP Packer registry. Next, you used Terraform to query the channel and its build artifacts metadata, then used the AMI ID to deploy an EC2 instance . Finally, you updated the channel to point to another iteration, and then queried the updated channel and build artifacts.

For more information on topics covered in this tutorial, check out the following resources:

Previous

Push image metadata

 Next

Revoke image iteration