Set up Terraform Cloud run task for HCP Packer
After you build your image with Packer and push its metadata to HCP Packer, you can reference the image in your Terraform configuration to deploy it. HCP Packer has a Terraform Cloud run task integration, which validates that the machine images referenced in your Terraform configuration have not been revoked for being insecure or outdated.
In this tutorial, you will retrieve the endpoint URL and HMAC key from HCP Packer and create a run task in Terraform Cloud.
Run task features
The Terraform Cloud run task for HCP Packer currently has two main features:
- The data source image validation scans your Terraform resources for references to the `hcp_packer_iteration` and `hcp_packer_image` data sources. It warns you if any referenced data source is associated with a revoked image iteration.
- The resource image validation scans your Terraform configuration for resources that use hard-coded machine image IDs and checks whether the image is tracked by HCP Packer. If the image is associated with an image iteration, the run task warns you if that iteration is revoked. It also prompts you to use the HCP Packer data sources instead of hard-coded image IDs, so that machine images are easier to track and manage.
Note
The resource image validation currently supports this list of resources.
The HCP Packer Standard tier supports only data source image validation. The HCP Packer Plus tier supports both data source and resource image validation.
The run task configuration steps are the same for both tiers; your HCP Packer tier determines which validations the run task runs.
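As an added example (not code from this tutorial), the following configuration shows what the two validations look at: a hard-coded AMI beside the equivalent configuration that resolves the image through the `hcp_packer_iteration` and `hcp_packer_image` data sources. The bucket name, channel name, region, instance type and the placeholder AMI are assumptions.

```hcl
# Added example, not part of the tutorial. Bucket, channel, region, instance
# type and the placeholder AMI below are assumptions.
terraform {
  required_providers {
    hcp = {
      source = "hashicorp/hcp"
    }
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Resolve the iteration currently assigned to the "production" channel of the
# bucket. The run task checks this iteration for revocation.
data "hcp_packer_iteration" "ubuntu" {
  bucket_name = "learn-packer-ubuntu" # assumed bucket name
  channel     = "production"          # assumed channel name
}

# Resolve the AWS image that this iteration built in the target region.
data "hcp_packer_image" "ubuntu" {
  bucket_name    = data.hcp_packer_iteration.ubuntu.bucket_name
  cloud_provider = "aws"
  iteration_id   = data.hcp_packer_iteration.ubuntu.ulid
  region         = "us-east-1" # assumed region
}

# Before: a hard-coded image ID. The resource image validation (Plus tier) can
# still look this ID up in HCP Packer, but it will prompt you to switch to the
# data sources. The ID is a placeholder, not a real image.
#
# resource "aws_instance" "web" {
#   ami           = "ami-0123456789abcdef0"
#   instance_type = "t3.micro"
# }

# After: the image ID comes from HCP Packer, so the data source image validation
# can warn before apply if the iteration behind it has been revoked.
resource "aws_instance" "web" {
  ami           = data.hcp_packer_image.ubuntu.cloud_image_id
  instance_type = "t3.micro" # assumed instance type

  tags = {
    Name               = "hcp-packer-example"
    HCPPackerBucket    = data.hcp_packer_iteration.ubuntu.bucket_name
    HCPPackerIteration = data.hcp_packer_iteration.ubuntu.ulid
  }
}
```

Keeping the bucket name and iteration ULID in tags is optional; it lets you trace a running instance back to the HCP Packer iteration it was built from when a revocation notice arrives.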
Prerequisites
To follow along with this tutorial, you will need:
- An HCP account with an HCP Packer registry
- A Terraform Cloud account
Note
Terraform Cloud Free Edition includes one run task integration that you can apply to up to ten workspaces. Refer to Terraform Cloud pricing for details.
You will also need organization owner permissions in Terraform Cloud to create a run task.
Retrieve HCP Packer information
On the HCP Packer page, click on Integrate with Terraform Cloud.
This displays information for you to use to configure your Terraform Cloud run task.
The Endpoint URL is a unique HCP Packer URL, specific to your HCP organization and HCP Packer registry. The Terraform Cloud run task will send a payload to this URL for image validation.
The HMAC Key is a secret key shared between Terraform Cloud and HCP Packer. Terraform Cloud uses it to sign each run task request, and HCP Packer uses it to verify that the request genuinely came from your Terraform Cloud run task.
Warning
Do not share these values. If your HMAC key is compromised, re-generate it in HCP Packer and update your Terraform Cloud run task to use the new value.
Set up run task in Terraform Cloud
In your Terraform Cloud dashboard, go to Settings then click Run tasks on the left sidebar.
Click on Create run task.
On the Create a Run Task page:
1. Verify Enabled is checked.
2. Set Name to `HCP-Packer`.
3. Set Endpoint URL to the endpoint URL you retrieved in the previous step.
4. Set HMAC key to the HMAC key you retrieved in the previous step.
Note
Although the field is labeled as optional in the UI, you must enter the HMAC key provided by HCP Packer. The HCP Packer integration requires the HMAC key to authenticate requests from Terraform Cloud; without it, HCP Packer cannot verify that the request is genuine.
Click Create run task.
The Run Tasks page now shows the `HCP-Packer` run task.
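The same run task can be created with the `tfe` provider instead of the UI. The following is an added example, not code from this tutorial or from HashiCorp: it creates the organization-level run task with the endpoint URL and HMAC key passed in as variables (so the key is never committed to the configuration) and, going one step beyond the tutorial, attaches it to a workspace. The organization and workspace names are assumptions.

```hcl
# Added example, not part of the tutorial. Organization and workspace names are
# assumptions; the endpoint URL and HMAC key are the values shown on the
# HCP Packer "Integrate with Terraform Cloud" page.
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

variable "hcp_packer_endpoint_url" {
  type        = string
  description = "Endpoint URL shown on the HCP Packer integration page"
}

variable "hcp_packer_hmac_key" {
  type        = string
  description = "HMAC key shown on the HCP Packer integration page"
  sensitive   = true # keeps the key out of plan output and logs
}

# Organization-level run task, equivalent to the "Create run task" form.
resource "tfe_organization_run_task" "hcp_packer" {
  organization = "example-org" # assumed organization name
  name         = "HCP-Packer"
  url          = var.hcp_packer_endpoint_url
  enabled      = true
  hmac_key     = var.hcp_packer_hmac_key
}

# Attach the run task to a workspace. With "mandatory" enforcement a revoked
# image blocks the run; with "advisory" it only produces a warning.
data "tfe_workspace" "app" {
  name         = "app-production" # assumed workspace name
  organization = "example-org"
}

resource "tfe_workspace_run_task" "hcp_packer" {
  workspace_id      = data.tfe_workspace.app.id
  task_id           = tfe_organization_run_task.hcp_packer.id
  enforcement_level = "mandatory"
}
```

Supply the two variables from a Terraform Cloud variable set marked sensitive, or from environment variables (`TF_VAR_hcp_packer_endpoint_url`, `TF_VAR_hcp_packer_hmac_key`), rather than from a `.tfvars` file checked into version control. When you rotate the HMAC key in HCP Packer, updating the variable and applying is all that is needed to update the run task.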
Next steps
In this tutorial, you set up a Terraform Cloud run task for HCP Packer.
For more information on topics covered in this tutorial, check out the following resources:
- Complete the data source image validation run task tutorial to learn how to identify compromised and outdated images referenced by the HCP Packer data sources (`hcp_packer_iteration` and `hcp_packer_image`).
- Complete the resource image validation run task tutorial to learn how to ensure your Terraform configuration uses compliant machine images, even when you hard-code image IDs.
- Read more about the Terraform Cloud run task integration in the HCP Packer documentation.