After you build your image with Packer and push its metadata to HCP Packer, you can reference the image in your Terraform configuration to deploy it. HCP Packer has a Terraform Cloud run task integration, which validates that the machine images in your Terraform configuration are not revoked for being insecure or outdated.
In this tutorial, you will retrieve the endpoint URL and HMAC key from HCP Packer and create a run task in Terraform Cloud.
The Terraform Cloud run task for HCP Packer currently has two main features:
The data source image validation scans your Terraform resources for references to hcp_packer_image data sources. It will warn you if any referenced data source is associated with a revoked image iteration.
The resource image validation scans your Terraform configuration for resources that use hard-coded machine image IDs and checks if the image is tracked by HCP Packer. If the image is associated with an image iteration, the run task will warn users if it is a revoked iteration. It will also prompt users to use the HCP Packer data sources instead of hard-coded image IDs to better track and manage machine images.
Note: The resource image validation currently supports this list of resources.
The run task configuration instructions are the same for both Standard and Plus tiers. The HCP Packer plans will determine which validations the run task will run.
To follow along with this tutorial, you will need:
A Terraform Cloud account with a Team & Governance plan
Note: Terraform Cloud run tasks are available in the Team & Governance tier. Organization owners can enable a 30-day free trial in their settings under "Plan & Billing".
You will also need organization owner permissions in Terraform Cloud to create a run task.
On the HCP Packer page, click on Integrate with Terraform Cloud.
This displays information for you to use to configure your Terraform Cloud run task.
The Endpoint URL is a unique HCP Packer URL, specific to your HCP organization and HCP Packer registry. The Terraform Cloud run task will send a payload to this URL for image validation.
The HMAC Key is a secret key that lets HCP Packer verify the run task request.
Warning: Do not share these values. If your HMAC key is compromised, re-generate it and update your Terraform Cloud run task to use the new value.
In your Terraform Cloud dashboard, go to Settings then click Run tasks on the left sidebar.
Click on Create run task.
On the Create a Run Task page:
Verify Enabled is checked.
Set Name to HCP-Packer.
Set Endpoint URL to the endpoint URL you retrieved in the previous step.
Set HMAC key to the HMAC key you retrieved in the previous step.
Note: Although labeled as optional in the UI, you must enter the HMAC key provided by HCP Packer. The HCP Packer integration requires an HMAC key to authenticate the requests.
Click Create run task.
The Run Tasks page will now show the HCP-Packer run task.
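The same run task can be created with the tfe provider instead of the UI, which keeps the configuration reviewable and keeps the HMAC key out of version control. This is an added example, not code from the tutorial; the organization and workspace names are assumptions, and the endpoint URL and HMAC key are the values from the HCP Packer "Integrate with Terraform Cloud" page, passed in as variables.

```hcl
# Added example (not from the tutorial): create and attach the HCP Packer run task
# with the hashicorp/tfe provider. "example-org" and "example-workspace" are assumptions.
# Authenticate the provider with the TFE_TOKEN environment variable.

terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

variable "hcp_packer_endpoint_url" {
  description = "Endpoint URL shown on the HCP Packer 'Integrate with Terraform Cloud' page"
  type        = string
}

variable "hcp_packer_hmac_key" {
  description = "HMAC key from the same page; supply via TF_VAR_hcp_packer_hmac_key, never hard-code it"
  type        = string
  sensitive   = true # keeps the key out of plan output and state diffs shown in the UI
}

# Organization-level run task: the object the UI steps above create.
resource "tfe_organization_run_task" "hcp_packer" {
  organization = "example-org" # assumption
  name         = "HCP-Packer"
  url          = var.hcp_packer_endpoint_url
  hmac_key     = var.hcp_packer_hmac_key
  enabled      = true
}

data "tfe_workspace" "app" {
  name         = "example-workspace" # assumption
  organization = "example-org"       # assumption
}

# Attach the task to a workspace. "mandatory" fails a run that references a
# revoked image iteration; "advisory" only warns, as described above.
resource "tfe_workspace_run_task" "hcp_packer" {
  workspace_id      = data.tfe_workspace.app.id
  task_id           = tfe_organization_run_task.hcp_packer.id
  enforcement_level = "mandatory"
}
```

When the HMAC key is rotated in HCP Packer, changing only the variable value and applying this configuration updates the run task to the new key.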
In this tutorial, you set up a Terraform Cloud run task for HCP Packer.
For more information on topics covered in this tutorial, check out the following resources:
- Complete the data source image validation run task tutorial to learn how to identify compromised and outdated images referenced by the HCP Packer data sources.
- Complete the resource image validation run task tutorial to learn how to ensure your Terraform configuration uses compliant machine images (even when you hard-code machine image IDs).
- Read more about the Terraform Cloud run task integration in the HCP Packer documentation.