Terraform
Set up HCP Terraform run task for HCP Packer
After you build your artifact with Packer and push its metadata to HCP Packer, you can reference the artifact in your Terraform configuration to deploy it. HCP Packer has an HCP Terraform run task integration, which validates that the artifacts in your Terraform configuration are not revoked for being insecure or outdated.
In this tutorial, you will retrieve the endpoint URL and HMAC key from HCP Packer and create a run task in HCP Terraform.
Run task features
The HCP Terraform run task for HCP Packer currently has two main features:
The data source artifact validation scans your Terraform resources for references to
hcp_packer_version
andhcp_packer_artifact
data sources. It will warn you if any referenced data source is associated with a revoked artifact version.The resource artifact validation scans your Terraform configuration for resources that use hard-coded machine image IDs and checks if the artifact is tracked by HCP Packer. If the artifact is associated with an artifact version, the run task will warn users if it is a revoked version. It will also prompt users to use the HCP Packer data sources instead of hard-coded image IDs to better track and manage artifacts.
Note
The resource artifact validation currently supports this list of resources.
The HCP Packer Standard tier only supports data source artifact validation. The HCP Packer Plus tier supports both data source and resource artifact validation.
The run task configuration instructions are the same for both Standard and Plus tiers. The HCP Packer plans will determine which validations the run task will run.
Prerequisites
To follow along with this tutorial, you will need:
- An HCP account with an HCP Packer registry
- An HCP Terraform account
Note
HCP Terraform Free Edition includes one run task integration that you can apply to up to ten workspaces. Refer to HCP Terraform pricing for details.
You will also need organization owner permissions in HCP Terraform to create a run task.
Retrieve HCP Packer information
On the HCP Packer page, click on Integrate with HCP Terraform.
This displays information for you to use to configure your HCP Terraform run task.
The Endpoint URL is a unique HCP Packer URL, specific to your HCP organization and HCP Packer registry. The HCP Terraform run task will send a payload to this URL for artifact validation.
The HMAC Key is a secret key that lets HCP Packer verify the run task request.
Warning
Do not share these values. If your HMAC key is compromised, regenerate it and update your HCP Terraform run task to use the new value.
Set up run task in HCP Terraform
In your HCP Terraform dashboard, go to Settings then click Run tasks on the left sidebar.
Click on Create run task. On the Create a Run Task page:
Verify Enabled is checked.
Set Name to
HCP-Packer
.Set Endpoint URL to the endpoint URL you retrieved in the previous step.
Set HMAC key to the HMAC key you retrieved in the previous step.
Note
Although labeled as optional in the UI, you must enter the HMAC key provided by HCP Packer. The HCP Packer integration requires an HMAC key to authenticate the requests.
Click Create run task.
The Run Tasks page will now show the HCP-Packer
run task.
Next steps
In this tutorial, you set up an HCP Terraform run task for HCP Packer.
For more information on topics covered in this tutorial, check out the following resources:
- Complete the data source artifact validation run task tutorial to learn how to identify compromised and outdated artifacts referenced by the HCP Packer data sources (
hcp_packer_version
andhcp_packer_artifact
). - Complete the resource artifact validation run task tutorial to learn how to ensure your Terraform configuration uses compliant machine image (even when you hard-code machine images).
- Read more about the HCP Terraform run task integration in the HCP Packer documentation.