Validate artifact versions referenced in Terraform configurations
This topic describes how to validate that the HCP Packer artifacts referenced in your Terraform configuration have not been revoked. Administrators can revoke artifact versions that have become outdated or that pose a security risk. Refer to Revoke and restore artifacts for additional information.
Overview
You can manually validate artifacts using the Sentinel policy-as-code framework or set up the HCP Terraform run task for HCP Packer to automatically validate artifact versions.
- Manual validation: To manually validate artifacts, define a Sentinel policy that checks for revoked artifacts.
- Automatic validation: Set up the HCP Terraform run task for HCP Packer to check your Terraform configuration references for revoked artifacts.
Hands on: Complete the following tutorials for guidance on how to set up and test the HCP Terraform run task integration:
Requirements
- Manual validation requires the following software versions:
- Terraform HCP provider 0.33.0 and later
- Terraform 1.2.0 and later
- You must use a supported resource type for the run task to validate referenced artifacts. Refer to the Supported resource types for the HCP Terraform run task reference for the list of supported types.
Manual validation
When the `hcp_packer_artifact` data source references a revoked artifact or an artifact that is scheduled to be revoked, the `revoke_at` attribute is set to the revocation timestamp.
You can define a Sentinel policy that checks the `revoke_at` attribute to validate Terraform configurations for revoked artifacts. Refer to Defining Sentinel Policies in the HCP Terraform documentation for instructions.
In the following example, a `lifecycle` precondition on the `aws_instance` resource, rather than a Sentinel policy, refuses to provision the EC2 instance when the data source returns a revoked version. The first argument to `try()` compares `revoke_at` with the current time; because `formatdate("YYYYMMDDhhmmss", ...)` yields fixed-width, digit-only strings, the `>` comparison orders the two timestamps chronologically. An artifact that is only scheduled for a future revocation therefore still passes until that time arrives. When `revoke_at` is empty, `formatdate()` returns an error and `try()` falls through to the second argument, which accepts the artifact.
```hcl
resource "aws_instance" "app_server" {
  ami           = data.hcp_packer_artifact.ubuntu_us_east_2.external_identifier
  instance_type = "t2.micro"

  tags = {
    Name = "Learn-HCP-Packer"
  }

  lifecycle {
    precondition {
      # Pass when revoke_at is in the future (scheduled, not yet revoked),
      # or when revoke_at is empty (formatdate errors, so try() falls through).
      condition = try(
        formatdate("YYYYMMDDhhmmss", data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at) > formatdate("YYYYMMDDhhmmss", timestamp()),
        data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at == ""
      )
      error_message = "Source AMI is revoked."
    }
  }
}
```
Automatic validation
The HCP Terraform run task for HCP Packer directs HCP Packer to check for references to revoked artifacts in your Terraform configuration during Terraform operations. The run task fails if it detects resources that reference revoked artifacts.
When a run task fails, HCP Packer stops the Terraform run if the run task's enforcement mode is set to Mandatory. The run proceeds with a warning if the mode is set to Advisory. Terraform also prints information about the run task operation to the console. The amount of detail depends on your HCP Packer tier.
HCP Terraform Free Edition includes one run task that you can associate with up to ten workspaces. Refer to Packer pricing for details.
Set up the HCP Terraform run task for HCP Packer
- Open the HCP Packer homepage and click Integrate with HCP Terraform.
- When prompted, copy the values in the Endpoint URL and HMAC Key fields. These values are required to create the run task in HCP Terraform. HCP Terraform uses the HMAC key to sign the requests it sends to the endpoint, so treat it as a secret and do not commit it to version control.
- Complete the instructions described in the HCP Terraform documentation for creating a run task and associating run tasks with a workspace.
Review run task output
Run the Terraform configuration associated with the workspace containing the run task. Refer to the HCP Terraform documentation for details.
After each run, you can click Details to open the HCP Packer registry home page if you need to make changes to versions or channels.
The details about the run task vary depending on your HCP Packer tier.
Standard tier run task
For Standard tier registries, the run task scans resources for artifacts retrieved by the `hcp_packer_artifact` data source.
The run task scans all the resources in the plan and only validates resources that reference HCP Packer data sources. The run task fails when any new or replaced resources reference a revoked version. HCP Packer stops the Terraform run if the run task's enforcement mode is set to Mandatory. The run proceeds with a warning if the mode is set to Advisory.
Terraform also prints the following information about the run task operation to the console:
- The number of resources scanned.
- The number of resources referencing revoked versions.
- Whether a more recent version is available in HCP Packer. Use this information to build replacement versions for revoked artifacts as necessary and to update the affected channels accordingly.
- The number of resources referencing versions that are scheduled to be revoked.
Plus tier run task
For Plus tier registries, the run task performs the following types of validation:
- Data source artifact validation: The run task scans planned resources that reference artifacts through the HCP Packer data source.
- Resource artifact validation: The run task scans planned resources that use hard-coded machine artifact IDs. Refer to Supported resource types for the HCP Terraform run task for a list of resources that the run task can validate.
The run task scans all the resources known so far in the plan. For each resource, the run task checks for an artifact associated with a version in HCP Packer. The run task fails when any new or replaced resources reference a revoked version. HCP Packer stops the Terraform run if the run task's enforcement mode is set to Mandatory. The run proceeds with a warning if the mode is set to Advisory.
HCP Terraform also displays a structured list of resources showing the status of each resource and the HCP Packer artifact it matched.
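The following script is an added example, not HashiCorp's run task or provider code. It applies the same `revoke_at` rule as the precondition in the manual validation section (unset or future passes, past fails) to the JSON that `terraform show -json tfplan` emits, and it imitates both checks described above: following `hcp_packer_artifact` data-source references as the Standard tier run task does, and matching hard-coded image IDs against a registry as the Plus tier run task does. The plan document, the registry map, the fixed clock and the `SUPPORTED_TYPES` set are all constructed for the example; HCP Packer's real lookup and list of supported resource types are not reproduced here. As the run task does, it counts every scanned resource but only lets new or replaced resources fail the run.

```python
"""Scan a Terraform JSON plan for references to revoked HCP Packer artifacts.

Added example, not HashiCorp's run task or provider code. The plan, the
registry lookup and the clock below are constructed sample data; the JSON
field layout follows `terraform show -json` (prior_state holds data sources
read during plan, configuration holds the referencing expressions).
"""
import json
from datetime import datetime, timezone

# Constructed sample plan: two Packer data sources, two instances that reference
# them, and one instance with a hard-coded AMI ID.
SAMPLE_PLAN = json.loads(r"""
{"prior_state": {"values": {"root_module": {"resources": [
   {"address": "data.hcp_packer_artifact.ubuntu_us_east_2", "mode": "data", "type": "hcp_packer_artifact",
    "values": {"external_identifier": "ami-0aaaaaaaaaaaaaaa1", "revoke_at": null}},
   {"address": "data.hcp_packer_artifact.ubuntu_legacy", "mode": "data", "type": "hcp_packer_artifact",
    "values": {"external_identifier": "ami-0bbbbbbbbbbbbbbb2", "revoke_at": "2024-05-01T00:00:00Z"}}]}}},
 "configuration": {"root_module": {"resources": [
   {"address": "aws_instance.app_server", "type": "aws_instance", "expressions": {"ami": {"references":
     ["data.hcp_packer_artifact.ubuntu_us_east_2.external_identifier", "data.hcp_packer_artifact.ubuntu_us_east_2"]}}},
   {"address": "aws_instance.legacy", "type": "aws_instance", "expressions": {"ami": {"references":
     ["data.hcp_packer_artifact.ubuntu_legacy.external_identifier", "data.hcp_packer_artifact.ubuntu_legacy"]}}},
   {"address": "aws_instance.bastion", "type": "aws_instance", "expressions": {"ami": {"constant_value": "ami-0ccccccccccccccc3"}}}]}},
 "resource_changes": [
   {"address": "aws_instance.app_server", "mode": "managed", "type": "aws_instance", "change": {"actions": ["create"], "after": {"ami": "ami-0aaaaaaaaaaaaaaa1"}}},
   {"address": "aws_instance.legacy", "mode": "managed", "type": "aws_instance", "change": {"actions": ["create"], "after": {"ami": "ami-0bbbbbbbbbbbbbbb2"}}},
   {"address": "aws_instance.bastion", "mode": "managed", "type": "aws_instance", "change": {"actions": ["no-op"], "after": {"ami": "ami-0ccccccccccccccc3"}}}]}
""")

# Constructed stand-in for the registry lookup the Plus tier run task performs:
# image ID -> revoke_at of the HCP Packer version that produced it (None = not revoked).
SAMPLE_REGISTRY = {
    "ami-0aaaaaaaaaaaaaaa1": None,
    "ami-0bbbbbbbbbbbbbbb2": "2024-05-01T00:00:00Z",
    "ami-0ccccccccccccccc3": "2024-07-01T00:00:00Z",  # scheduled, not yet revoked
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock keeps results deterministic
SUPPORTED_TYPES = {"aws_instance"}  # assumed stand-in for the run task's supported resource types
SEVERITY = ["revoked", "scheduled", "unknown", "ok"]  # worst status first


def classify(revoke_at, now=NOW):
    """Same rule as the precondition: unset -> ok, future -> scheduled, past -> revoked."""
    if not revoke_at:
        return "ok"
    ts = datetime.fromisoformat(revoke_at.replace("Z", "+00:00"))
    return "scheduled" if ts > now else "revoked"


def packer_data_sources(plan):
    """Map each hcp_packer_artifact data-source address to its revoke_at value."""
    resources = plan["prior_state"]["values"]["root_module"].get("resources", [])
    return {r["address"]: r["values"].get("revoke_at") for r in resources
            if r["mode"] == "data" and r["type"] == "hcp_packer_artifact"}


def packer_references(plan):
    """Map each resource address to the hcp_packer_artifact data sources its expressions reference."""
    refs = {}
    for r in plan["configuration"]["root_module"].get("resources", []):
        for expr in r.get("expressions", {}).values():
            for ref in (expr.get("references", []) if isinstance(expr, dict) else []):
                parts = ref.split(".")
                if parts[:2] == ["data", "hcp_packer_artifact"]:
                    refs.setdefault(r["address"], set()).add(".".join(parts[:3]))
    return refs


def scan_plan(plan, registry=SAMPLE_REGISTRY, now=NOW, plus_tier=True):
    """Return (per-resource results, summary). Only new or replaced resources block the run."""
    data_sources, references = packer_data_sources(plan), packer_references(plan)
    results = []
    for rc in plan["resource_changes"]:
        if rc["mode"] != "managed":
            continue
        addr, actions = rc["address"], rc["change"]["actions"]
        if addr in references:  # data source artifact validation (Standard and Plus)
            # "unknown": the data source was deferred to apply time and is absent from prior_state
            statuses = [classify(data_sources[ds], now) if ds in data_sources else "unknown"
                        for ds in references[addr]]
            status = min(statuses, key=SEVERITY.index)
        elif plus_tier and rc["type"] in SUPPORTED_TYPES:  # resource artifact validation (Plus)
            image_id = (rc["change"].get("after") or {}).get("ami")
            # "unknown": the hard-coded ID matches no HCP Packer version
            status = classify(registry[image_id], now) if image_id in registry else "unknown"
        else:
            continue
        results.append({"address": addr, "status": status,
                        "blocking": status == "revoked" and "create" in actions})
    summary = {"scanned": len(results),
               "revoked": sum(r["status"] == "revoked" for r in results),
               "scheduled": sum(r["status"] == "scheduled" for r in results),
               "fail": any(r["blocking"] for r in results)}
    return results, summary


if __name__ == "__main__":
    results, summary = scan_plan(SAMPLE_PLAN)
    for r in results:
        print(f"{r['address']}: {r['status']}" + (" (blocks run)" if r["blocking"] else ""))
    print(summary)
```

To run it against a real plan, export one with `terraform show -json tfplan > plan.json` and replace `SAMPLE_PLAN` with `json.load(open("plan.json"))`; the registry map then needs to be filled from your own lookup, since the script has no access to HCP Packer. Passing `plus_tier=False` skips the hard-coded ID check so the counts match what the Standard tier description above reports.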