Set Up Terraform Cloud Run Task for HCP Packer

After you build your image with Packer and push its metadata to HCP Packer, you can reference the image in your Terraform configuration to deploy it. HCP Packer has a Terraform Cloud run task integration, which validates that the machine images in your Terraform configuration are not revoked for being insecure or outdated.

In this tutorial, you will retrieve the endpoint URL and HMAC key from HCP Packer and create a run task in Terraform Cloud.

Run task features

The Terraform Cloud run task for HCP Packer currently has two main features:

1. The data source image validation scans your Terraform resources for references to hcp_packer_iteration and hcp_packer_image data sources. It will warn you if any referenced data source is associated with a revoked image iteration.

2. The resource image validation scans your Terraform configuration for resources that use hard-coded machine image IDs and checks if the image is tracked by HCP Packer. If the image is associated with an image iteration, the run task will warn users if it is a revoked iteration. It will also prompt users to use the HCP Packer data sources instead of hard-coded image IDs to better track and manage machine images.

   Note

   The resource image validation currently supports this list of resources.

The HCP Packer Standard tier only supports data source image validation. The HCP Packer Plus tier supports both data source and resource image validation.

The run task configuration instructions are the same for both Standard and Plus tiers. The HCP Packer plans will determine which validations the run task will run.

Prerequisites

To follow along with this tutorial, you will need:

• An HCP account with an HCP Packer registry

• A Terraform Cloud account with a Team & Governance plan

  Note

  Terraform Cloud run tasks are available in the Team & Governance tier. Organization owners can enable a 30-day free trial in their settings under "Plan & Billing".

You will also need organization owner permissions in Terraform Cloud to create a run task.

Retrieve HCP Packer information

On the HCP Packer page, click on Integrate with Terraform Cloud.

This displays information for you to use to configure your Terraform Cloud run task.

1. The Endpoint URL is a unique HCP Packer URL, specific to your HCP organization and HCP Packer registry. The Terraform Cloud run task will send a payload to this URL for image validation.

2. The HMAC Key is a secret key that lets HCP Packer verify the run task request.

   Warning

   Do not share these values. If your HMAC key is compromised, [re-generate it] and update your Terraform Cloud run task to use the new value.

Set up run task in Terraform Cloud

In your Terraform Cloud dashboard, go to Settings then click Run tasks on the left sidebar.

Click on Create run task.

On the Create a Run Task page:

1. Verify Enabled is checked.

2. Set Name to HCP-Packer.

3. Set Endpoint URL to the endpoint URL you retrieved in the previous step.

4. Set HMAC key to the HMAC key you retrieved in the previous step.

   Note

   Although labeled as optional in the UI, you must enter the HMAC key provided by HCP Packer. The HCP Packer integration requires an HMAC key to authenticate the requests.

Click Create run task.

The Run Tasks page will now show the HCP-Packer run task.

Next steps

In this tutorial, you set up a Terraform Cloud run task for HCP Packer.

For more information on topics covered in this tutorial, check out the following resources:

• Complete the data source image validation run task tutorial to learn how to identify compromised and outdated images referenced by the HCP Packer data sources (hcp_packer_iteration and hcp_packer_image).
• Complete the resource image validation run task tutorial to learn how to ensure your Terraform configuration uses compliant machine image (even when you hard-code machine images).
• Read more about the Terraform Cloud run task integration in the HCP Packer documentation.