Schedule image iteration revocation for compliance

Over the lifecycle of a machine image, you may need to prevent access to it if it becomes outdated. In addition to immediately revoking insecure image iterations, HCP Packer lets you schedule a future image revocation by setting a Time To Live (TTL). This strengthens your compliance posture by by preventing usage of outdated images.

In this tutorial, you will schedule a revocation. In the process, you will learn the relationship between HCP Packer image channels and revoked iterations, and how image revocation prevents downstream image consumers from referencing outdated images.

Prerequisites

To complete this tutorial, you must have completed the HCP Packer Get Started tutorials. In the tutorials, you:

• Created a service principal.
• Set your client ID and secret as environment variables.
• Configured your AWS credentials as environment variables.
• Built an image and push its metadata to HCP Packer.
• Set up a channel named production for your image bucket.

In addition, you will need:

• Terraform 1.2.0+ installed locally.

Schedule image iteration revocation

Assume that your company policy requires that images expire after 30 days to ensure no one deploys a stale image. To enforce this policy, you can schedule a revocation date and time.

Go to the learn-packer-ubuntu's Iterations page. Schedule a revocation date for the first iteration by clicking on ... then Revoke iteration. Scheduled revocations, unlike immediate ones, can apply to iterations assigned to image channels.

Select Revoke at a future date and enter the time for 5 minutes from your current time. The time is in UTC (current time in UTC). For example, if it is currently 10:00, enter 10:05.

Enter Learning about scheduling revocation for the revocation reason, and click Revoke Iteration to revoke the iteration.

The dashboard now shows a scheduled revocation for the first iteration.

Open the first iteration by clicking on 1. HCP Packer displays the reason why this image was scheduled to be revoked.

Verify scheduled image iteration revocation

In the tf-channel directory, generate a Terraform plan. Terraform will successfully create the plan.

$ terraform plan

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_instance.app_server will be created
  + resource "aws_instance" "app_server" {
      + ami                                  = "ami-08fd..."
      # ...
    }

Plan: 1 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

The hcp_packer_iteration and hcp_packer_image Terraform data sources still retrieve information for revoked or scheduled to be revoked iterations. However, the hcp_packer_image data source's revoke_at attribute is set to the revocation timestamp.

In main.tf, update the EC2 instance to only create an instance if the image is not revoked.

resource "aws_instance" "app_server" {
  ami           = data.hcp_packer_image.ubuntu_us_east_2.cloud_image_id
  instance_type = "t2.micro"
  tags = {
    Name = "Learn-HCP-Packer"
  }

  lifecycle {
    precondition {
      condition = try(
        formatdate("YYYYMMDDhhmmss", data.hcp_packer_image.ubuntu_us_east_2.revoke_at) > formatdate("YYYYMMDDhhmmss", timestamp()),
        data.hcp_packer_image.ubuntu_us_east_2.revoke_at == null
      )
      error_message = "Source AMI is revoked."
    }
  }
}

The lifecycle precondition will succeed if revoke_at is scheduled to the future or is null.

In outputs.tf, add the following output to view the iteration's image ID.

output "image_revocation_date" {
  value = data.hcp_packer_image.ubuntu_us_east_2.revoke_at
}

Wait until the five minute revocation time you configured earlier passes. HCP Packer will automatically revoke your iteration. Check the Iterations dashboard to confirm HCP Packer revoked the first iteration.

Notice that even though the first iteration is revoked, the production channel still references it.

Because the lifecycle custom precondition depends on timestamp() which is unknown during a Terraform plan, the condition will be checked during the Terraform apply.

Apply your configuration. Since the production channel references a revoked image, the image_revocation_date output is set to to the revocation timestamp, the app_server lifecycle precondition will fail, and Terraform will not create the EC2 instance.

$ terraform apply
  # ... 
Changes to Outputs:
  + image_revocation_date  = "2022-11-16T21:40:00.000Z"
  + ubuntu_iteration = {
      # ...
    }
  + ubuntu_us_east_2 = {
      # ...
      revoke_at = "2022-11-16T21:40:00.000Z"
    }

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

╷
│ Error: Resource precondition failed
│ 
│   on main.tf line 23, in resource "aws_instance" "app_server":
│   23:       condition = try(
│   24:         formatdate("YYYYMMDDhhmmss", data.hcp_packer_image.ubuntu_us_east_2.revoke_at) > formatdate("YYYYMMDDhhmmss", timestamp()),
│   25:       data.hcp_packer_image.ubuntu_us_east_2.revoke_at == "")
│     ├────────────────
│     │ data.hcp_packer_image.ubuntu_us_east_2.revoke_at is "2022-11-16T21:40:00.000Z"
│ 
│ Source AMI is revoked.
╵

If your Terraform configuration references a revoked image, contact your HCP Packer administrator to re-assign the channel to a valid image iteration.

Restore revoked iteration

If you accidentally revoke the wrong iteration, you can restore the iteration so your team can use its images again.

In the HCP Packer UI, navigate to the first iteration. Then, click Manage and Restore iteration.

Click Restore iteration to restore your iteration.

Verify restoration

In the tf-channels directory, apply your configuration. Since the iteration is restored, Terraform successfully creates the EC2 instance.

$ terraform apply

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_instance.app_server: Creating...
aws_instance.app_server: Still creating... [10s elapsed]
aws_instance.app_server: Still creating... [20s elapsed]
aws_instance.app_server: Still creating... [30s elapsed]
aws_instance.app_server: Still creating... [40s elapsed]
aws_instance.app_server: Still creating... [50s elapsed]
aws_instance.app_server: Still creating... [1m0s elapsed]
aws_instance.app_server: Creation complete after 1m5s [id=xxx]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

To clean up your provisioned infrastructure, run terraform destroy and respond yes to the prompt to confirm the operation.

Next steps

In this tutorial, you used scheduled an iteration revocation and restored a revoked iteration. In the process, you reviewed how scheduled revocations strengthen your compliance posture by setting expiration dates on iterations, preventing users from using outdated images. Though you can schedule a revocation for an iteration assigned to an image channel, when the revocation date passes, the channel will reference a revoked iteration. Any attempts to query a channel with a revoked iteration will fail.

By integrating both immediate and scheduled iteration revocation in your workflows, you can ensure your organization uses secure and compliant images.

For more information on topics covered in this tutorial, check out the following resources:

• Complete the Immediately Revoke Insecure Image Iterations tutorial to learn how to prevent users from referencing insecure images.
• Read more about revoking image iterations in the HCP Packer documentation.
• Visit the Terraform hcp provider for a full list of arguments and attributes for the hcp_packer_iteration and hcp_packer_image data resources.
• Complete the Set Up Terraform Cloud Run Task for HCP Packer tutorial to learn how to ensure your Terraform configuration uses compliant machine images.