HashiConf Our community conference is taking place in San Francisco and online October 10-12. Register now
Packer
HCP Packer

Immediately Revoke Insecure Image Iterations

  • 6min

  • HCP
  • Packer
  • Terraform

Over the lifecycle of a machine image, you may need to prevent access to it if it becomes insecure. HCP Packer lets you revoke an image iteration immediately. This strengthens your security posture by preventing usage of an insecure image that has been found to have a vulnerability.

In this tutorial, you will revoke an image iteration. You will review the relationship between HCP Packer image channels and revoked iterations, and how image revocation prevents downstream image consumers from referencing insecure images.

Prerequisites

To complete this tutorial, you must have completed the previous tutorials. In the previous tutorials, you:

  • Created a service principal.
  • Set your client ID and secret as environment variables.
  • Configured your AWS credentials as environment variables.
  • Built an image and pushed its metadata to HCP Packer.
  • Set up a channel named production for your image bucket.

In addition, you will need:

Revoke image iteration

Assume you just discovered a new security vulnerability in the second iteration of your learn-packer-ubuntu image. To prevent users from referencing the iteration's images, you will immediately revoke the second iteration.

On the learn-packer-ubuntu's Iterations page, revoke the second iteration by clicking on ..., then Revoke iteration.

Revoke second iteration

Enter Learning about immediate revocation for the revocation reason.

Tip

A revocation reason is optional, but we recommend providing one so your team understands why you revoked the iteration.

Select Revoke immediately from the When? dropdown menu.

Then select Yes, rollback channel from the Rollback channels? dropdown menu.

Finally, click Revoke to revoke the iteration.

Confirm immediate revocation

HCP Packer now shows the overview page for the second iteration, which contains the revocation reason.

View detailed revoked iteration

Retrieve the iteration ID – it is the field in the URL between /iterations/ and ?project_id, replaced by ITERATION_ID in the example link below. You will use this in the next step to verify that no one can use this iteration.

https://portal.cloud.hashicorp.com/dev/services/packer/learn-packer-ubuntu/iterations/ITERATION_ID?project_id=3fdf0c72...

Now, select Back to iterations. The Iterations page now shows that the second iteration is revoked, and that the production and latest channels rolled back to the first iteration.

Second iteration is now revoked

Verify image iteration revocation

When you revoke an image iteration, it becomes unavailable to image channels. You cannot assign a revoked iteration to a channel.

Change into the tf-revoked-iteration directory.

$ cd tf-revoked-iteration

The configuration in this directory defines a data source that queries the iteration of the learn-packer-ubuntu image specified by the iteration_id input variable. If HCP Packer returns an iteration that is not revoked, Terraform will create a compute instance with the image ID.

tf-revoked-iteration/main.tf
data "hcp_packer_image" "ubuntu_us_east_2" {
  bucket_name    = "learn-packer-ubuntu"
  cloud_provider = "aws"
  iteration_id   = var.iteration_id
  region         = "us-east-2"
}

resource "aws_instance" "app_server" {
  ami           = data.hcp_packer_image.ubuntu_us_east_2.cloud_image_id
  instance_type = "t2.micro"

  tags = {
    Name = "Learn-HCP-Packer"
  }

  lifecycle {
    precondition {
      condition = try(
        formatdate("YYYYMMDDhhmmss", data.hcp_packer_image.ubuntu_us_east_2.revoke_at) > formatdate("YYYYMMDDhhmmss", timestamp()),
        data.hcp_packer_image.ubuntu_us_east_2.revoke_at == null
      )
      error_message = "Source AMI is revoked."
    }
  }
}

The lifecycle precondition will succeed if revoke_at is scheduled to the future or is null.

Open tf-revoked-iteration/terraform.tfvars in your editor. Set iteration_id to the iteration ID you retrieved in the previous step, then save the file.

tf-revoked-iteration/terraform.tfvars
iteration_id="ITERATION_ID"

Initialize your Terraform configuration.

$ terraform init
Initializing the backend...

Initializing provider plugins...
- Reusing previous version of hashicorp/hcp from the dependency lock file
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/hcp v0.33.0...
- Installed hashicorp/hcp v0.33.0 (signed by HashiCorp)
- Installing hashicorp/aws v4.2.0...
- Installed hashicorp/aws v4.2.0 (signed by HashiCorp)

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Because the lifecycle custom precondition depends on timestamp() which is unknown during a Terraform plan, the condition will be checked during the Terraform apply.

Apply your configuration. Since hcp_packer_image references a revoked iteration, the image_revocation_date output is set to the revocation timestamp. The app_server lifecycle precondition will fail, and Terraform will not create the EC2 instance.

$ terraform apply
  # ... 
Changes to Outputs:
  + image_revocation_date = "2023-03-10T15:59:09.781Z"

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes


│ Error: Resource precondition failed

│   on main.tf line 23, in resource "aws_instance" "app_server":
│   23:       condition = try(
│   24:         formatdate("YYYYMMDDhhmmss", data.hcp_packer_image.ubuntu_us_east_2.revoke_at) > formatdate("YYYYMMDDhhmmss", timestamp()),
│   25:         data.hcp_packer_image.ubuntu_us_east_2.revoke_at == null
│   26:       )
│     ├────────────────
│     │ data.hcp_packer_image.ubuntu_us_east_2.revoke_at is "2023-03-10T15:59:09.781Z"

│ Source AMI is revoked.

Restore revoked iteration

If you accidentally revoke the wrong iteration, you can restore the iteration so your team can use it again.

In the HCP Packer UI, navigate to the second iteration. Then, click Manage and Restore iteration.

Click Restore iteration to restore your iteration.

Select Back to iterations. The iterations page shows that the second iteration is active again. Notice that the production channel uses the first iteration, and the latest channel once again uses the second iteration.

Verify restoration

Apply your configuration. Since the iteration is restored, Terraform successfully creates the EC2 instance.

$ terraform apply

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_instance.app_server: Creating...
aws_instance.app_server: Still creating... [10s elapsed]
aws_instance.app_server: Still creating... [20s elapsed]
aws_instance.app_server: Still creating... [30s elapsed]
aws_instance.app_server: Still creating... [40s elapsed]
aws_instance.app_server: Still creating... [50s elapsed]
aws_instance.app_server: Still creating... [1m0s elapsed]
aws_instance.app_server: Creation complete after 1m5s [id=xxx]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

To clean up your provisioned infrastructure, run terraform destroy and respond yes to the prompt to confirm the operation.

Next steps

In this tutorial, you revoked an HCP Packer image iteration and used automatic rollback to update the channels that used the iteration. Revocation prevents users from using insecure images and ensures that your organization uses compliant images.

For more information on topics covered in this tutorial, check out the following resources:

Previous
Next