Acquisition complete HashiCorp officially joins the IBM family. Learn more
Packer
HCP Packer

Immediately revoke insecure artifact versions

  • 6min
  • |
  • HCP
  • Packer
  • Terraform

Over the lifecycle of an artifact, you may discover a vulnerability and need to prevent access to it. HCP Packer lets you revoke an artifact version immediately. This strengthens your security posture by preventing usage of a compromised artifact that has been found to have a vulnerability.

In this tutorial, you will revoke an artifact version. You will review the relationship between HCP Packer artifact channels and revoked versions, and how artifact revocation prevents downstream consumers from referencing compromised artifacts.

Prerequisites

To complete this tutorial, you must have completed the previous tutorials. In the previous tutorials, you:

  • Created a service principal with Contributor access to HCP.
  • Set your client ID and secret as environment variables.
  • Configured your AWS credentials as environment variables.
  • Built an artifact and pushed its metadata to HCP Packer.
  • Set up a channel named production for your bucket.

In addition, you will need:

Revoke artifact version

Assume you just discovered a new security vulnerability in the second version of your learn-packer-ubuntu artifact. To prevent users from referencing the version's artifacts, you will immediately revoke the second version.

On the learn-packer-ubuntu's Versions page, revoke the second version by clicking on ..., then Revoke version.

Revoke second version

Enter Learning about immediate revocation for the revocation reason.

Tip

A revocation reason is optional, but we recommend providing one so your team understands why you revoked the version.

If you are subscribed to the HCP Packer Plus tier, select Revoke immediately from the When? dropdown menu. If you are on the free tier, you will not see this field.

Then select Yes, rollback channel from the Rollback channels? dropdown menu.

Finally, click Revoke to revoke the version.

Confirm immediate revocation

Navigate to the overview page for the second version, which contains the revocation reason. Copy the fingerprint of this version as you will reference it later in this tutorial

View detailed revoked version

Now, select Back to versions. The Versions page now shows that the second version is revoked, and that the production and latest channels rolled back to the first version.

Second version is now revoked

Verify artifact version revocation

When you revoke an artifact version, it becomes unavailable to artifact channels. You cannot assign a revoked version to a channel.

Change into the tf-revoked-version directory.

$ cd tf-revoked-version

The configuration in this directory defines a data source that queries the version of the learn-packer-ubuntu artifact specified by the version_fingerprint input variable. If HCP Packer returns a version that is not revoked, Terraform will create a compute instance with the artifact ID.

tf-revoked-version/main.tf

data "hcp_packer_artifact" "ubuntu_us_east_2" {
  bucket_name         = "learn-packer-ubuntu"
  platform            = "aws"
  version_fingerprint = var.version_fingerprint
  region              = "us-east-2"
}

resource "aws_instance" "app_server" {
  ami           = data.hcp_packer_artifact.ubuntu_us_east_2.external_identifier
  instance_type = "t2.micro"
  tags = {
    Name = "Learn-HCP-Packer"
  }

  lifecycle {
    precondition {
      condition = try(
        formatdate("YYYYMMDDhhmmss", data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at) > formatdate("YYYYMMDDhhmmss", timestamp()),
        data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at == null
      )
      error_message = "Source AMI is revoked."
    }
  }
}

The lifecycle precondition will succeed if revoke_at is scheduled to the future or is null.

Open tf-revoked-version/terraform.tfvars in your editor. Set version_fingerprint to the version fingerprint you retrieved in the previous step, then save the file.

tf-revoked-version/terraform.tfvars

version_fingerprint="VERSION_FINGERPRINT"

Initialize your Terraform configuration.

$ terraform init
Initializing the backend...

Initializing provider plugins...
- Reusing previous version of hashicorp/hcp from the dependency lock file
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/hcp v0.80.0...
- Installed hashicorp/hcp v0.80.0 (signed by HashiCorp)
- Installing hashicorp/aws v4.2.0...
- Installed hashicorp/aws v4.2.0 (signed by HashiCorp)

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Because the lifecycle custom precondition depends on timestamp() which is unknown during a Terraform plan, the condition will be checked during the Terraform apply.

Apply your configuration. Since hcp_packer_artifact references a revoked version, the artifact_revocation_date output is set to the revocation timestamp. The app_server lifecycle precondition will fail, and Terraform will not create the EC2 instance.

$ terraform apply
  # ... 
Changes to Outputs:
  + artifact_revocation_date = "2023-03-10T15:59:09.781Z"

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes


│ Error: Resource precondition failed

│   on main.tf line 23, in resource "aws_instance" "app_server":
│   23:       condition = try(
│   24:         formatdate("YYYYMMDDhhmmss", data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at) > formatdate("YYYYMMDDhhmmss", timestamp()),
│   25:         data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at == null
│   26:       )
│     ├────────────────
│     │ data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at is "2024-01-18T20:42:59.322Z"

│ Source AMI is revoked.

Restore revoked version

If you accidentally revoke the wrong version, you can restore the version so your team can use it again.

In the HCP Packer UI, navigate to the second version. Then, click Manage and Restore version.

Click Restore version to restore your version.

Select Back to versions. The versions page shows that the second version is active again. Notice that the production channel uses the first version, and the latest channel once again uses the second version.

Verify restoration

Apply your configuration. Since the version is restored, Terraform successfully creates the EC2 instance.

$ terraform apply

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_instance.app_server: Creating...
aws_instance.app_server: Still creating... [10s elapsed]
aws_instance.app_server: Still creating... [20s elapsed]
aws_instance.app_server: Still creating... [30s elapsed]
aws_instance.app_server: Still creating... [40s elapsed]
aws_instance.app_server: Still creating... [50s elapsed]
aws_instance.app_server: Still creating... [1m0s elapsed]
aws_instance.app_server: Creation complete after 1m5s [id=xxx]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

To clean up your provisioned infrastructure, run terraform destroy and respond yes to the prompt to confirm the operation.

Next steps

In this tutorial, you revoked an HCP Packer artifact version and used automatic rollback to update the channels that used the version. Revocation prevents users from using insecure artifacts and ensures that your organization uses compliant artifacts.

For more information on topics covered in this tutorial, check out the following resources:

Previous

Channels

 Next

Create child artifact