Enforce image compliance with Terraform Cloud

Using Terraform data sources in your configuration to retrieve machine images lets your configuration dynamically use more up-to-date images as you create them and stops you from using revoked images. The resource image validation Terraform Cloud run task feature helps you implement this best practice by scanning your Terraform configuration to prevent usage of revoked images, even when they are referenced by hard-coded image IDs.

The resource image validation run task feature parses your Terraform resources for machine image IDs and checks if images are tracked by HCP Packer. If the image is associated with an image iteration, the run task will fail if it is a revoked iteration. Additionally, it will warn you if the image is scheduled for revocation. The run task also detects any hard-coded image IDs, and prompts users to use the HCP Packer data sources to better track and manage machine images. This encourages your organization to track image lifecycles in HCP Packer and dynamically query image IDs from image channels with Terraform data sources.

In this tutorial, you will use the Terraform Cloud run task for HCP Packer to enforce Terraform configuration compliance. You will do this by associating the run task with a Terraform Cloud workspace. Then, you will iteratively update the workspace's configuration until the resource image validation reports that the configuration uses compliant images.

Prerequisites

This tutorial assumes that you are familiar with:

• The standard Packer and HCP Packer workflows. If you are new to Packer, complete the Get Started tutorials first. If you are new to HCP Packer, complete the Get Started HCP Packer tutorials first.
• The Terraform and Terraform Cloud plan/apply workflows. If you are new to Terraform itself, refer first to the Getting Started tutorials. If you are new to Terraform Cloud, refer to the Get Started - Terraform Cloud tutorials.

To follow along with this tutorial, you will need:

• Packer 1.7.10 installed locally
• Terraform 1.1.7 or later installed locally
• An AWS account with credentials set as local environment variables
• A HCP account with the HCP Packer Plus tier
• A Terraform Cloud account.
• Terraform Cloud workspace admin permissions to associate run tasks to a workspace.

This tutorial relies on a Terraform Cloud run task integrated with HCP Packer. If you have not yet created one, follow the Set Up Terraform Cloud Run Task for HCP Packer tutorial to do so.

Create HCP service principal and set as environment variables

In HCP Packer, go to Access control (IAM) in the left navigation menu, then select the Service principals tab.

Create a service principal named packer with the Contributor role.

Once you create the service principal, click the service principal name to view its details. From the detail page, click + Generate key to create a client ID and secret.

Copy and save the client ID and secret; you will not be able to retrieve the secret later. You will use these credentials in the next step.

Once you generate the keys for the service principal, set the client ID and secret as environment variables so that Packer can authenticate with HCP.

In your terminal, set an environment variable for the client ID.

$ export HCP_CLIENT_ID=

Then, set an environment variable for the client secret.

$ export HCP_CLIENT_SECRET=

Login to Terraform Cloud

In this tutorial, you will use the Terraform CLI to create a Terraform Cloud workspace and trigger remote plan and apply runs.

Log into your Terraform Cloud account in your terminal.

$ terraform login
Terraform will request an API token for app.terraform.io using your browser.

If login is successful, Terraform will store the token in plain text in
the following file for use by subsequent commands:
    /Users/<USER>/.terraform.d/credentials.tfrc.json

Do you want to proceed?
  Only 'yes' will be accepted to confirm.

  Enter a value:

Confirm with a yes and follow the workflow in the browser window that automatically opens. Paste the generated API key into your Terminal when prompted. For more detailed instructions on logging in, review the Authenticate the CLI with Terraform Cloud tutorial.

Clone repository

In your terminal, clone the example repository. This repository contains a Packer template that defines an Ubuntu AMI and two directories with Terraform configuration that you will use to test the run task.

$ git clone https://github.com/hashicorp/learn-hcp-packer-run-tasks

Navigate to the cloned repository.

$ cd learn-hcp-packer-run-tasks

Create image iteration in HCP Packer

Open ubuntu-focal.pkr.hcl to review the template. This template will build an Ubuntu 20.04 AMI in the us-east-2 region and push the metadata to the learn-packer-run-tasks in HCP Packer.

build {
  hcp_packer_registry {
    bucket_name = "learn-packer-run-tasks"
    ## ...
  }
  sources = [
    "source.amazon-ebs.basic-example-east"
  ]
}

Initialize your Packer template.

$ packer init .

Now, build your image.

$ packer build ubuntu-focal.pkr.hcl
amazon-ebs.basic-example-east: output will be in this color.

==> amazon-ebs.basic-example-east: Publishing build details for amazon-ebs.basic-example-east to the HCP Packer registry
==> amazon-ebs.basic-example-east: Prevalidating any provided VPC information
==> amazon-ebs.basic-example-east: Prevalidating AMI Name: packer_AWS_1646215104_v1.0.0
    amazon-ebs.basic-example-east: Found Image ID: ami-05be...
## ...
==> Wait completed after 4 minutes 41 seconds
==> Builds finished. The artifacts of successful builds are:
--> amazon-ebs.basic-example-east: AMIs were created:
us-east-2: ami-05be...
--> amazon-ebs.basic-example-east: Published metadata to HCP Packer registry packer/learn-packer-run-tasks/iterations/01FX9WDZPYN3YBFTTVJQFBGQVE

In your HCP dashboard, go to the learn-packer-run-tasks bucket to confirm Packer pushed the build metadata to HCP Packer.

Create channel and schedule revocation

On the Channels page, create a channel named production and set it to the first iteration.

Next, go to the Iterations page. Schedule a revocation date for the first iteration by clicking on ..., then Revoke iteration.

Select Revoke at a future date and enter the time for 1 minute from your current time. The time is in UTC (current time in UTC). For example, if it is currently 10:00, enter 10:01. Then, enter Assign image channel to revoked iteration for the revocation reason, then click Revoke Iteration to revoke the iteration.

You are setting a short revocation window so that your image channel uses a revoked image to test validation workflows. This is for the educational purposes of the tutorial.

Set up Terraform Cloud workspace

Go to the tf-resource-validation directory. This directory contains Terraform configuration that you will use to create your Terraform Cloud workspace to test the HCP Packer resource image validation run task.

$ cd tf-resource-validation

Open main.tf. This configuration defines an EC2 instance that references the community Ubuntu 20.04 AMI ID for us-east-2. This AMI ID is not tracked in your HCP Packer registry.

provider "aws" {
  region = var.region
}

resource "aws_instance" "app_server" {
  ami           = "ami-039af..."
  instance_type = "t2.micro"
  tags = {
    Name = "Learn-HCP-Packer"
  }
}

Update configuration

Open terraform.tf. In the cloud block, update the organization to point to your Terraform Cloud organization.

terraform {
  ## ...

  cloud {
    organization = "hashicorp-training"
    hostname     = "app.terraform.io"

    workspaces {
      name = "learn-hcp-packer-run-tasks-resource-validation"
    }
  }
}

Create Terraform Cloud workspace

Initialize your Terraform configuration. This will create a Terraform Cloud workspace named learn-hcp-packer-run-tasks-resource-validation in your Terraform Cloud organization.

$ terraform init

Initializing Terraform Cloud...

Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/aws v4.2.0...
- Installed hashicorp/aws v4.2.0 (signed by HashiCorp)

Terraform Cloud has been successfully initialized!

You may now begin working with Terraform Cloud. Try running "terraform plan" to
see any changes that are required for your infrastructure.

If you ever set or change modules or Terraform Settings, run "terraform init"
again to reinitialize your working directory.

In Terraform Cloud, open the learn-hcp-packer-run-tasks-resource-validation workspace.

Add AWS and HCP credentials to workspace variables

Go to the Variables page.

Under Workspace variables, add your AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, HCP_CLIENT_ID, and HCP_CLIENT_SECRET as environment variables. You generated the HCP client ID and secret in the prerequisites. Alternatively, you can create variable sets with these environment variables and reuse them across multiple workspaces.

Enable run tasks in workspace

Click on Settings then Run Tasks.

Under Available Run Tasks, click on HCP-Packer.

Terraform Cloud run tasks have two enforcement levels:

1. Advisory: If this run task fails, the run will proceed with a warning in the UI.
2. Mandatory: If this run task fails, the run will return an error and stop.

Select the Mandatory enforcement level, then click Create.

The Run Task page will now display the run task for HCP Packer. This run task will parse resources for hard-coded machine image IDs and check if they are tracked and unrevoked in HCP Packer. If the run task detects an machine image ID that is associated with a revoked iteration, both the run task and the Terraform Cloud run will fail.

Trigger Terraform Cloud run

In your terminal, apply your configuration. When prompted to confirm the apply, press Enter to discard the run.

$ terraform apply
Running apply in Terraform Cloud. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:
https://app.terraform.io/app/hashicorp-training/learn-hcp-packer-run-tasks-resource-validation/runs/run-REDACTED

Waiting for the plan to start...

Terraform v1.1.6
on linux_amd64
Configuring remote state backend...
Initializing Terraform configuration...

## ...

Plan: 1 to add, 0 to change, 0 to destroy.

## ...

Do you want to perform these actions in workspace "learn-hcp-packer-run-tasks-resource-validation"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:

╷
│ Error: Apply discarded.
│
│

Verify untracked image validation

In Terraform Cloud, open the latest run and expand the Tasks passed box.

The run task passed with the following message:

Data source and resource image validation: 1 resource scanned. 1 image not tracked by HCP Packer. Use Packer to build compliant images and send information to HCP Packer.

Since you have the HCP Packer Plus tier, the run task will perform both data source and resource image validation. This will check and validate whether the HCP Packer data sources and hard-coded image IDs reference revoked image iterations in HCP Packer.

The run task parsed the aws_instance resource but did not find the AMI it uses in your HCP Packer registry. Since the task cannot verify the compliance of untracked images, it passes. The run task prompts you to use HCP Packer to track and manage your images for more accurate validation.

In addition, the run task has a Details link that will take you to the HCP Packer dashboard.

Hard-code AMI to test validation

In HCP Packer, go to the learn-packer-run-tasks bucket's revoked iteration. Under Builds, click on us-east-2 to view more information about the image.

Copy the Image ID, you will update your Terraform configuration to use this AMI ID.

In tf-resource-validation/main.tf, update the aws_instance's ami attribute to the revoked iteration's image ID.

resource "aws_instance" "app_server" {
  ami           = "ami-039af..."
  instance_type = "t2.micro"
  tags = {
    Name = "Learn-HCP-Packer"
  }
}

Apply your configuration. After Terraform creates the plan, it will return an error because the run task failed.

$ terraform apply
Running apply in Terraform Cloud. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:
https://app.terraform.io/app/hashicorp-training/learn-hcp-packer-run-tasks-resource-validation/runs/run-REDACTED

## ...

╷
│ Error: Unknown or unexpected cost estimate state: unreachable
│
│
╵

Verify hard-coded AMI image validation

In Terraform Cloud, open the latest run and expand the Tasks failed box.

The run task failed with the following message:

Data source and resource image validation results: 1 resource scanned. 1 new resource using revoked images. 1 using hardcoded images in the configuration. No newer version was found for the revoked images. Use Packer to build compliant images and send information to HCP Packer. Use hcp_packer_image and hcp_packer_iteration data sources to query images from HCP Packer.

The run task parsed the aws_instance resource and found the machine image ID in a revoked iteration. This configuration uses a revoked (compromised or outdated) image. As a result, because the resource was being created, the run task failed and blocked the deployment of revoked images.

If the run task identifies a newer iteration version, it will suggest that you use it. If you are the image maintainer, you can then assign the channel to the newer iteration.

The run task also detected a hard-coded image ID in your configuration. The error message recommends updating the configuration to use HCP Packer data sources, so you do not have to manually update hard-coded image IDs.

Restore image iteration

In the HCP Packer dashboard, go to the learn-packer-run-tasks bucket and select the revoked iteration. Click Manage, then Restore iteration to restore the revoked iteration.

Confirm the action by clicking on Restore iteration.

Use HCP Packer data source

In tf-resource-validation/main.tf, add the following data sources to the top of the file so Terraform can dynamically query the image ID from HCP Packer.

provider "hcp" {}

data "hcp_packer_iteration" "ubuntu" {
  bucket_name = "learn-packer-run-tasks"
  channel     = "production"
}

data "hcp_packer_image" "ubuntu_us_east_2" {
  bucket_name    = "learn-packer-run-tasks"
  cloud_provider = "aws"
  iteration_id   = data.hcp_packer_iteration.ubuntu.ulid
  region         = "us-east-2"
}

Then, update the aws_instance's ami attribute to reference the hcp_packer_image data source.

resource "aws_instance" "app_server" {
  ami           = data.hcp_packer_image.ubuntu_us_east_2.cloud_image_id
  instance_type = "t2.micro"
  tags = {
    Name = "Learn-HCP-Packer"
  }
}

In your terminal, apply your configuration. When prompted to confirm the apply, press Enter to discard the run.

$ terraform apply
Running apply in Terraform Cloud. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:
https://app.terraform.io/app/hashicorp-training/learn-hcp-packer-run-tasks-resource-validation/runs/run-REDACTED

Waiting for the plan to start...

Terraform v1.1.6
on linux_amd64
Configuring remote state backend...
Initializing Terraform configuration...

## ...

Plan: 1 to add, 0 to change, 0 to destroy.

## ...

Do you want to perform these actions in workspace "learn-hcp-packer-run-tasks-resource-validation"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:

╷
│ Error: Apply discarded.
│
│

Verify image validation

In Terraform Cloud, open the latest run and expand the Tasks passed box.

The run task passed with the following message:

Data source and resource image validation: 1 resource scanned. All resources are compliant.

The run task parsed both the data sources and the aws_instance resource. Since the data sources and the resource reference a d.

Next steps

In this tutorial, you associated the Terraform Cloud run task for HCP Packer with a Terraform Cloud workspace, then used the run task to ensure your Terraform configuration uses compliant images and follows HCP Packer best practices.

For more information on topics covered in this tutorial, check out the following resources:

• Read more about the Terraform Cloud run task integration in the HCP Packer documentation.
• Complete the data source image validation run task tutorial to learn how to identify compromised and outdated images referenced by the HCP Packer data sources (`hcp_packer_iteration and hcp_packer_image).