Integrate HCP Packer with Red Hat Ansible Automation Platform

Authors: Glenn Chia, Pranit Raje and Simon Lynch

Overview

The objective of this validated pattern is to assist you in deploying a comprehensive immutable image building pipeline that combines the power of HashiCorp Packer for image creation with Ansible for configuration management. This integrated approach enables organizations to:

• Build consistent, immutable machine images across multiple cloud providers and on-premises environments
• Leverage powerful Ansible automation for complex configuration management and application deployment
• Implement secure authentication workflows using HashiCorp Vault for SSH key management and secrets handling
• Automate image building processes through GitHub Actions for continuous integration and deployment
• Maintain compliance and governance through centralized policy enforcement and audit trails
• Reduce configuration drift by deploying pre-configured, tested images rather than configuring infrastructure at runtime

This validated pattern addresses these objectives using an integrated architecture that seamlessly combines:

• HashiCorp Packer for cross-platform image building and template management
• Red Hat Ansible for configuration management and playbook execution (supporting both open source and enterprise deployments)
• HashiCorp Vault for centralized secrets management and dynamic SSH authentication
• GitHub Actions for automated CI/CD workflows and pipeline orchestration
• Multi-cloud deployment patterns that are adaptable to AWS, Azure, GCP, and on-premises environments

Target audience

This guide references the following roles:

• Platform team: Manages your organization's platform. This is an all-encompassing role that may include the responsibilities of managing cloud service providers, CI/CD pipelines, HashiCorp Vault administrators, HCP Packer.
  • For this specific guide, the Platform Team is also responsible for managing and configuring Vault and Red Hat Ansible Automation Platform and HCP Terraform as platform.
  • Responsible for golden image pipeline, image management pipeline typically using HashiCorp Packer.
  • Note that in some organizations, there could be different teams handling each of these systems. This requires coordination across the teams for the pattern to operate at scale in the organization.
• Application team: Consumer of configuration management in Ansible Automation Platform and quickly provisions images that conform to the organizational image standards.
• Security team: The team that is responsible for defining the software and configurations needed in the Ansible playbooks. These configurations align with organizational security standards, implement mandatory security tooling installation, and enforce security policies across all image builds. In some cases, the security team is the one who also develops and maintains these Ansible playbooks.

Benefits of using Ansible Automation Platform

When integrating with Packer, the Ansible Automation Platform (AAP) approach offers distinct advantages over using the basic Ansible provisioner alone. While the standard Ansible provisioner works well for simple configurations, AAP provides enterprise-grade capabilities critical for organizations with complex environments and governance requirements.

AAP delivers centralized credential management that extends beyond basic SSH authentication, enabling integration with identity providers and privileged access management systems across your entire automation estate. Additionally, AAP provides comprehensive audit trails, approval workflows, and role-based access controls that enhance your organization's compliance posture. For immutable infrastructure specifically, AAP ensures consistent security baselines and configurations across all images through centralized content repositories, certified collections, and validated roles that guarantee organizational standards.

Even though AAP may not interact with these instances after deployment (adhering to immutability principles), using AAP during the image building process ensures that you implement consistent security posture, compliance requirements, and organizational standards into every image before deployment.

This centralized governance approach provides significant benefits that justify the additional integration complexity, particularly for enterprises needing to maintain consistent controls and visibility across their image building pipeline. For organizations already using Ansible Automation Platform, this integration allows you to use your existing automation assets, rather than duplicating them in standalone Packer templates. These assets can include extensively tested playbooks, roles, and workflows that embody your organization's standards and security practices.

Prerequisites

To follow this guide, you need the following prerequisites:

• Platform team:
  • Privileged access to a Vault Enterprise or HCP Vault Dedicated cluster that grants permissions to create auth mounts, configure auth roles, and create policies.
  • Privileged access to Ansible Automation Platform (AAP) to configure and manage credentials and job templates.
  • Privileged access to the golden image pipeline process with the ability to configure and manage public key authentication and sshd configuration within the image.
  • Privileged access to HCP Packer for the creation of a HCP Project, Service Principal, Packer bucket and channel.
  • Ability to create CI/CD pipelines with the selected VCS and manage CI/CD secrets.
  • Least privilege access from the Packer build host to AAP, specifically:
    • If using self-registration approach: API permissions limited to host registration within a specific inventory and ability to launch predefined job templates.
    • If using workflow-invocation approach: API permissions restricted to launching specific workflows with parameters and ability to monitor job execution status.
• Application team:
  • Permissions to consume Ansible jobs/workflow templates that use pre-created credentials in Red Hat Ansible Automation Platform.
  • Access to HCP Packer resources like the Registry, Channels, and Buckets to access built images with Terraform.

Limitations

Packer's Ansible provisioner lacks direct integration with Ansible Automation Platform (AAP). The current integration requires that the host machine running Packer executes commands that:

1. Register the newly built machine in an AAP inventory
2. Trigger a workflow or job template targeting that inventory
3. Monitor job execution for completion

This indirect approach introduces additional complexity as it requires API interaction with AAP rather than leveraging a native integration. The build process must include authentication handling, inventory management, and job execution monitoring logic, creating dependencies on AAP availability and network access during the build process.

Background and best practices

Before implementing the HashiCorp Packer and Ansible integration within GitHub Actions pipelines, it is essential to understand the foundational principles and best practices that ensure security, scalability, immutability, and maintainability of the deployed infrastructure.

Multi-tenancy and RBAC strategy

Before beginning the integration of HashiCorp Vault-signed SSH credentials into Ansible with Packer, it is critical to define a clear multi-tenancy and Role-Based Access Control (RBAC) strategy. There needs to be a clear mapping between tenants in your Ansible deployment and tenants in HashiCorp Vault. This ensures operational security, scalability, and alignment with organizational structure.

Key considerations for multi-tenancy:

• Organizational alignment: Map Ansible tenants to business units, teams, or environment boundaries
• Vault namespace strategy: Use Vault namespaces or path-based separation to isolate tenant secrets and policies. Define a strategic mapping between Ansible Automation Platform Organizations, Teams, Roles, and Vault namespaces with RBAC and scalability as key considerations. We recommend creating a dedicated Vault namespace per line of business (LoB) or environment which would be logically mapped to the Organizations, Teams in Ansible Automation Platform (AAP) dedicated to that particular line of business (LoB) or environment.
• Credential isolation: Scope SSH credentials appropriately to prevent cross-tenant access
• Audit boundaries: Design logging for tenant visibility without exposing cross-organizational data

HCP Packer organization and governance

Registry structure:

• Use a single HCP Packer registry per organization for optimal functionality and ancestry tracking
• Create a dedicated HCP Packer project for platform team use within the HCP organization

Bucket management:

• Create separate buckets for each application or team to isolate image metadata
• Use consistent naming convention: <bu>-<appname>-images (business unit + application name)
• Platform Team maintains bucket creation and permission assignment

Channel lifecycle:

• Implement a minimum of three channels: development, test, and production
• Ensure consistent naming conventions across all buckets for operational clarity
• Platform Team manages channel creation and lifecycle policies

Security hardening practices

CIS Benchmark compliance:

• Implement CIS configurations through dedicated Ansible roles
• Automate compliance validation and document justified deviations

Security baseline enforcement:

• Deploy mandatory security tools (antivirus, endpoint detection, monitoring agents)
• Configure centralized logging and enforce password/privilege policies

Vulnerability management:

• Integrate automated scanning and patch management into build pipelines
• Establish remediation service level agreements and maintain software inventory for compliance

Validated architecture

The validated design implements an immutable image building pipeline where Packer orchestrates the creation of machine images while delegating configuration management tasks to Red Hat Ansible Automation Platform. This separation of concerns allows organizations to leverage specialized tools for their intended purposes:

• Packer handles image lifecycle management, including base image selection, build orchestration, and artifact publishing.
• Ansible manages configuration complexity, executing sophisticated playbooks with enterprise features like credential management, job templates, and workflow automation.
• Vault provides dynamic authentication, generating ephemeral SSH credentials for secure Packer-to-image communication.
• GitHub Actions orchestrates the entire pipeline, triggering builds, managing dependencies, and publishing artifacts.

This architecture ensures correctly configured, consistently built images, for secure deployment across your infrastructure landscape.

Image management with HCP Packer

The diagram illustrates the integration between HashiCorp Packer and HashiCorp Terraform for automated image building and configuration:

1. Code management: Store Packer code in a dedicated Version Control System (VCS) repository (Packer repository). The Packer code references the HCP Packer registry for metadata storage and tracking. Implement all changes through a pull request (PR) process for code review and approval.
2. CI/CD pipeline execution: The CI/CD pipeline triggers automatically upon PR merge to the main branch. The pipeline executes the Packer build process on the specified cloud service provider. The system automatically stores image metadata in the HCP Packer registry as a new version in the specified Packer channel.
3. Cloud deployment: After successful testing and validation as per your organization's compliance standards, promote the golden image to the HCP Packer production channel. Reference production-ready images in your Terraform templates and deploy them across infrastructure.

Image management with Ansible

The diagram illustrates the integration between HashiCorp Packer, the Ansible Provisioner, and HashiCorp Terraform for consistent, secure, and automated delivery of immutable infrastructure while maintaining full traceability from source code to production deployment.

1. Source control trigger: Developer commits changes to Packer templates or Ansible playbooks, triggering GitHub Actions workflow based on the branch (development, staging, main) or semantic version tags
2. Secure credential management: GitHub Actions runner configures credentials and environment variables for cloud provider and HCP service principal authentication for the build process.
3. Image build and configuration: Packer launches temporary cloud instances, executes Ansible playbooks for configuration management and security hardening, then creates immutable machine images
4. Metadata and registry management: The metadata associated with the built artifacts you build are automatically pushed to the HCP Packer registry with full CI/CD context, provenance tracking, and compliance information.
5. Channel promotion: The system updates HCP Packer channels based on the source branch or tag (development → development channel, main → release channel, tags → versioned channels).
6. Infrastructure deployment: Downstream systems reference HCP Packer channels to deploy validated, compliant images across multi-cloud environments with full audit trails.

Before HashiCorp Packer can run Ansible playbooks, we need to ensure that Ansible is running in the GitHub Actions runner or the CI/CD execution environment that we are using for the Packer pipeline. Then, using HashiCorp Packer with the Ansible provisioner, we can call the Ansible playbook to perform any custom actions on the image as follow,

provisioner "ansible" {
  playbook_file = "ansible/playbook.yml"
}

post-processor "manifest" {
  output     = "packer_manifest.json"
  strip_path = true
  custom_data = {
    version_fingerprint = packer.versionFingerprint
  }
}

Whereas the sample playbook could look like below,

---
- name: 'Provision Image'
  hosts: default
  become: true

  tasks:
    - name: install Apache
      package:
        name: 'httpd'
        state: present

The playbook then runs all the tasks to create the golden image and the associated metadata gets published to the HCP Packer registry.

Image management with Ansible Automation Platform

The diagram illustrates the integration between HashiCorp Packer, Ansible Automation Platform (AAP), and HashiCorp Vault for secure, automated image building and configuration:

1. Image building with Packer: HashiCorp Packer initiates the image building process with a base OS template.
2. Vault CA trust configuration: Using Packer's ansible provisioner, configure the image to trust HashiCorp Vault's SSH Certificate Authority by retrieving and installing Vault's public SSH CA key and updating SSH daemon configurations.
3. AAP registration and job template execution: After building the base image with Vault CA trust, Packer triggers another Ansible playbook. This playbook has the following tasks and the host requires permissions for these tasks accordingly.
   1. Registers the IP address as a new host within AAP
   2. Adds the host to an inventory or optionally creating a new inventory
   3. Launches a job template targeting the inventory
   4. Deregisters the host from the inventory since the system terminates the host machine after the packer run. Optionally delete the inventory if you created an inventory.

The CI/CD pipeline that orchestrates the Packer build only reports whether the AAP job succeeded or failed. Access the AAP user interface at https://<aap-dns-name>/execution/jobs/playbook/<job-id>/output for detailed execution logs and specific error messages. We recommend programmatically extracting the Job ID and constructing this URL within your workflow, which simplifies troubleshooting efforts when diagnosing issues in your image build process.

Ansible Automation Platform specific considerations

Follow the guidance below if you are integrating Ansible Automation Platform into your Packer pipelines.

Dynamic SSH credentials with HashiCorp Vault and AAP

Ansible Automation Platform can integrate with HashiCorp Vault to dynamically generate SSH credentials for secure machine access during automation tasks. This eliminates the need to store static credentials within AAP and provides enhanced security through short-lived, automatically rotated credentials.

Using the certified Ansible Controller collections, you can automate the configuration of AAP to work with Vault's SSH secret engine:

1. Vault authentication credential: Configure authentication to Vault using the ansible.controller.credential module with the "HashiCorp Vault Signed SSH" credential type, which supports multiple auth methods: Token, TLS, Kubernetes, and AppRole
2. Machine credential configuration: Set up a standard Machine credential in AAP that Vault populates dynamically with SSH keys
3. Credential input source: Link the Vault credential to the Machine credential using ansible.controller.credential_input_source, specifying parameters like authentication path and SSH role

This integration enhances security by ensuring that AAP jobs use fresh, ephemeral credentials generated at runtime rather than long-lived static credentials stored in AAP's credential system.

Packer image build process for AAP and Vault integration

The Packer build process for integrating with Ansible Automation Platform and HashiCorp Vault requires two essential steps:

1. Configure Vault CA trust: Use the Packer ansible provisioner to configure the image to trust HashiCorp Vault's Certificate Authority by retrieving Vault's SSH CA public key, placing it in the proper location, and configuring the SSH daemon to trust certificates that this CA signs.
2. AAP integration: After you configure the base image to trust Vault's CA, either register the host in an AAP inventory and trigger a job template execution, or invoke an AAP workflow that handles the registration and configuration for the newly built instance.

This two-phase approach works in conjunction with the AAP credential configuration described earlier. Once you build the temporary Packer virtual machine with Vault SSH CA trust, AAP can use its dynamic credential generation capability to securely access the host virtual machine. The configured Vault SSH credential in AAP requests short-lived, signed SSH certificates from Vault at runtime, which the preconfigured target machine trusts. This ensures that the system uses only dynamic, short-lived credentials from image creation through ongoing management.

For detailed implementation instructions, refer to our comprehensive guide on HashiCorp Vault integration with Ansible Automation Platform.

Using HashiCorp Packer with the Ansible provisioner, we can call a playbook that performs actions on AAP as follows:

provisioner "ansible" {
  playbook_file = "../ansible/aap.yml"

  extra_arguments = [
    "-e", "inventory_name=packer-aap",
    "-e", "inventory_description='Packer with AAP inventory'",
    "-e", "inventory_organization=Default",
    "-e", "host_name=al2023-aap-vault-ssh-ca",
    "-e", "host_description='Packer with AAP sample host'",
    "-e", "instance_ip=${build.Host}",
    "-e", "template_name=example-template",
  ]

  # AAP Credentials
  ansible_env_vars = [
    "ANSIBLE_REMOTE_TMP=/tmp",
    "CONTROLLER_HOST=${var.controller_host}",
    "CONTROLLER_USERNAME=${var.controller_username}",
    "CONTROLLER_PASSWORD=${var.controller_password}"
  ]
}

The playbook creates the inventory, adds a host to the inventory, and launches a job template to configure the host according to the centralized AAP playbooks. After the system executes the job template, it removes the host from the inventory and deletes the inventory. This action does not delete the job template execution logs, which the system retains for auditing purposes.

---
- name: Configure AAP
  hosts: all
  become: true
  gather_facts: true
  vars:
    ansible_python_interpreter: /usr/bin/python3
  tasks:
    - name: Create inventory
      ansible.controller.inventory:
        name: "{{ inventory_name }}"
        description: "{{ inventory_description }}"
        organization: "{{ inventory_organization }}"
        state: present
        controller_host: "{{ lookup('env', 'CONTROLLER_HOST') }}"
        controller_username: "{{ lookup('env', 'CONTROLLER_USERNAME') }}"
        controller_password: "{{ lookup('env', 'CONTROLLER_PASSWORD') }}"
        validate_certs: false
      register: inventory_result

    - name: Add host to inventory
      ansible.controller.host:
        name: "{{ host_name }}"
        description: "{{ host_description }}"
        inventory: "{{ inventory_result.id }}"
        variables:
          ansible_host: "{{ instance_ip }}"
        state: present
        controller_host: "{{ lookup('env', 'CONTROLLER_HOST') }}"
        controller_username: "{{ lookup('env', 'CONTROLLER_USERNAME') }}"
        controller_password: "{{ lookup('env', 'CONTROLLER_PASSWORD') }}"
        validate_certs: false
      register: host_result

    - name: Launch job template with the new inventory
      ansible.controller.job_launch:
        job_template: "{{ template_name }}"
        inventory: "{{ inventory_result.id }}"
        # credentials:
        #   - "{{ credential_name }}"
        controller_host: "{{ lookup('env', 'CONTROLLER_HOST') }}"
        controller_username: "{{ lookup('env', 'CONTROLLER_USERNAME') }}"
        controller_password: "{{ lookup('env', 'CONTROLLER_PASSWORD') }}"
        validate_certs: false
        wait: true
      register: job_launch_result

    - name: Display job launch information
      debug:
        var: job_launch_result

    - name: Delete host from inventory
      ansible.controller.host:
        name: "{{ host_name }}"
        inventory: "{{ inventory_result.id }}"
        state: absent
        controller_host: "{{ lookup('env', 'CONTROLLER_HOST') }}"
        controller_username: "{{ lookup('env', 'CONTROLLER_USERNAME') }}"
        controller_password: "{{ lookup('env', 'CONTROLLER_PASSWORD') }}"
        validate_certs: false
      register: host_delete_result
      # Always attempt to delete, even if the job failed, to clean up resources
      ignore_errors: true

    - name: Display host deletion status
      debug:
        var: host_delete_result

    - name: Delete inventory
      ansible.controller.inventory:
        name: "{{ inventory_result.id }}"
        organization: "{{ inventory_organization }}"
        state: absent
        controller_host: "{{ lookup('env', 'CONTROLLER_HOST') }}"
        controller_username: "{{ lookup('env', 'CONTROLLER_USERNAME') }}"
        controller_password: "{{ lookup('env', 'CONTROLLER_PASSWORD') }}"
        validate_certs: false
      register: inventory_delete_result
      ignore_errors: true

    - name: Display inventory deletion status
      debug:
        var: inventory_delete_result

People and process considerations

This integration requires the platform team to manage the Red Hat Ansible Automation Platform, HashiCorp Vault, HCP Packer and the downstream hosts these platforms are managing. Ensure cross-team collaboration with platform teams, security teams and application teams to meet integration objectives. Set clear expectations with application teams regarding potential workflow impacts, for example increased processing time and run blocks. Provide centralized documentation and training for both platform and application teams. Update Terraform modules and CI/CD pipelines to integrate with Ansible Automation Platform and HCP Packer. This streamlined approach ensures proper governance while maintaining operational efficiency across the organization's infrastructure automation pipeline.

Conclusion

The Red Hat Ansible Automation Platform and HashiCorp Packer integration establishes a foundation for modern, scalable infrastructure management. By treating infrastructure as immutable artifacts, organizations can achieve greater reliability, security, and operational efficiency. This approach not only addresses current infrastructure challenges but also positions teams to adapt to future technological requirements with confidence.

The success of this integration reinforces the value of combining specialized tools to create comprehensive solutions that exceed the capabilities of individual components, ultimately delivering superior business outcomes through improved infrastructure reliability and operational excellence.

Related resources

• Integrate HashiCorp Vault with Red Hat Ansible Automation Platform for signed SSH credentials
• HashiCorp Vault SSH signed certificates documentation
• Terraform integration with Ansible Automation Platform validated pattern
• Terraform integration with HCP Packer validated pattern