Create Child Image from Registry Image

HCP Packer makes it easier to maintain image pipelines. Traditionally, you would need to coordinate with downstream teams whenever you updated an upstream image. With HCP Packer and channels, upstream teams — like security or platform teams — can update base images and use channels to point to the latest iteration. When downstream teams rebuild their images, Packer will automatically retrieve the channel's current iteration and rebuild with the new, updated base image.

In this tutorial, you will use Packer to query a specific base image's build iteration and build a new image using that base image. Then, you will update the base image's channel to point to another iteration, and rebuild the downstream image on top of the new base image.

»Prerequisites

To complete this tutorial, you must have completed the previous tutorials in this collection. In the previous tutorials, you:

• Created a service principal.
• Set your client ID and secret as environment variables.
• Configured your AWS credentials as environment variables.
• Built an image and push its metadata to HCP Packer.
• Set up a channel named production for your image bucket.

»Review example template

Open packer-application/application.pkr.hcl to review the Packer template that builds the downstream images.

This Packer template file contains:

• A hcp-packer-iteration data source, which retrieves the channel's current iteration.

  data "hcp-packer-iteration" "ubuntu" {
    bucket_name = "learn-packer-ubuntu"
    channel     = "production"
  }
  

  packer-application/application.pkr.hcl

  data "hcp-packer-iteration" "ubuntu" {
    bucket_name = "learn-packer-ubuntu"
    channel     = "production"
  }
  

  Notice that this resource references the bucket name (learn-packer-ubuntu) and channel (production) you created in the previous steps.

• Two hcp-packer-image data sources, which retrieve the specific image from the iteration.

  data "hcp-packer-image" "ubuntu-east" {
    bucket_name    = "learn-packer-ubuntu"
    iteration_id   = data.hcp-packer-iteration.ubuntu.id
    cloud_provider = "aws"
    region         = "us-east-2"
  }
  
  data "hcp-packer-image" "ubuntu-west" {
    bucket_name    = "learn-packer-ubuntu"
    iteration_id   = data.hcp-packer-iteration.ubuntu.id
    cloud_provider = "aws"
    region         = "us-west-1"
  }
  

  packer-application/application.pkr.hcl

  data "hcp-packer-image" "ubuntu-east" {
    bucket_name    = "learn-packer-ubuntu"
    iteration_id   = data.hcp-packer-iteration.ubuntu.id
    cloud_provider = "aws"
    region         = "us-east-2"
  }
  
  data "hcp-packer-image" "ubuntu-west" {
    bucket_name    = "learn-packer-ubuntu"
    iteration_id   = data.hcp-packer-iteration.ubuntu.id
    cloud_provider = "aws"
    region         = "us-west-1"
  }
  

  Remember that an iteration may contain multiple machine images from different cloud providers and regions. There are two hcp-packer-image data sources, one for each region, but they both reference the same iteration, data.hcp-packer-iteration.ubuntu.

• Two source template blocks, each one mapping to the base image in its respective region.

  source "amazon-ebs" "application-east" {
    ami_name = "packer_AWS_{{timestamp}}"
  
    region         = "us-east-2"
    source_ami     = data.hcp-packer-image.ubuntu-east.id
    instance_type  = "t2.small"
    ssh_username   = "ubuntu"
    ssh_agent_auth = false
  
    tags = {
      Name = "learn-packer-application"
    }
  }
  
  source "amazon-ebs" "application-west" {
    ami_name = "packer_AWS_{{timestamp}}"
  
    region         = "us-west-1"
    source_ami     = data.hcp-packer-image.ubuntu-west.id
    instance_type  = "t2.small"
    ssh_username   = "ubuntu"
    ssh_agent_auth = false
  
    tags = {
      Name = "learn-packer-application"
    }
  }
  

  packer-application/application.pkr.hcl

  source "amazon-ebs" "application-east" {
    ami_name = "packer_AWS_{{timestamp}}"
  
    region         = "us-east-2"
    source_ami     = data.hcp-packer-image.ubuntu-east.id
    instance_type  = "t2.small"
    ssh_username   = "ubuntu"
    ssh_agent_auth = false
  
    tags = {
      Name = "learn-packer-application"
    }
  }
  
  source "amazon-ebs" "application-west" {
    ami_name = "packer_AWS_{{timestamp}}"
  
    region         = "us-west-1"
    source_ami     = data.hcp-packer-image.ubuntu-west.id
    instance_type  = "t2.small"
    ssh_username   = "ubuntu"
    ssh_agent_auth = false
  
    tags = {
      Name = "learn-packer-application"
    }
  }
  

  These source blocks retrieve the image by querying the AMI ID directly with the source_ami attribute.

• A build block with a hcp_packer_registry block. This defines the new HCP bucket name (learn-packer-application) and builds the two images in parallel.

  build {
    hcp_packer_registry {
      bucket_name = "learn-packer-application"
      description = <<EOT
  Some nice description about the image being published to HCP Packer Registry.
      EOT
      bucket_labels = {
        "foo-version" = "3.4.0",
        "foo"         = "bar",
      }
    }
    sources = [
      "source.amazon-ebs.application-east",
      "source.amazon-ebs.application-west"
    ]
  }
  

  packer-application/application.pkr.hcl

  build {
    hcp_packer_registry {
      bucket_name = "learn-packer-application"
      description = <<EOT
  Some nice description about the image being published to HCP Packer Registry.
      EOT
      bucket_labels = {
        "foo-version" = "3.4.0",
        "foo"         = "bar",
      }
    }
    sources = [
      "source.amazon-ebs.application-east",
      "source.amazon-ebs.application-west"
    ]
  }
  

»Build the downstream image

Now that you have a template file configured for HCP Packer, build the image and push its metadata to the registry.

Change into the packer-application directory.

$ cd ../packer-application

$ cd ../packer-application

Initialize your Packer template.

$ packer init application.pkr.hcl

$ packer init application.pkr.hcl

Then, format the Packer template.

$ packer fmt application.pkr.hcl
application.pkr.hcl

$ packer fmt application.pkr.hcl
application.pkr.hcl

Finally, build your image. Packer will display color-coded output for both builds. You can tell which build source an output line is associated by the line's color or prefix.

$ packer build application.pkr.hcl
amazon-ebs.application-east: output will be in this color.
amazon-ebs.application-west: output will be in this color.
==> amazon-ebs.application-east: Publishing build details for amazon-ebs.application-east to the HCP Packer registry
==> amazon-ebs.application-west: Publishing build details for amazon-ebs.application-west to the HCP Packer registry
==> amazon-ebs.application-west: Prevalidating any provided VPC information
==> amazon-ebs.application-west: Prevalidating AMI Name: packer_AWS_1646375931
==> amazon-ebs.application-east: Prevalidating any provided VPC information
==> amazon-ebs.application-east: Prevalidating AMI Name: packer_AWS_1646375931
## ...
==> Wait completed after 3 minutes 25 seconds
==> Builds finished. The artifacts of successful builds are:
--> amazon-ebs.application-east: AMIs were created:
us-east-2: ami-0f2e27f3bff004277
--> amazon-ebs.application-east: Published metadata to HCP Packer registry packer/learn-packer-application/iterations/01FX9TE43C6NHCM72ZHCJDTKN5
--> amazon-ebs.application-west: AMIs were created:
us-west-1: ami-00febc276990cecf5
--> amazon-ebs.application-west: Published metadata to HCP Packer registry packer/learn-packer-application/iterations/01FX9TE43C6NHCM72ZHCJDTKN5

$ packer build application.pkr.hcl
amazon-ebs.application-east: output will be in this color.
amazon-ebs.application-west: output will be in this color.
==> amazon-ebs.application-east: Publishing build details for amazon-ebs.application-east to the HCP Packer registry
==> amazon-ebs.application-west: Publishing build details for amazon-ebs.application-west to the HCP Packer registry
==> amazon-ebs.application-west: Prevalidating any provided VPC information
==> amazon-ebs.application-west: Prevalidating AMI Name: packer_AWS_1646375931
==> amazon-ebs.application-east: Prevalidating any provided VPC information
==> amazon-ebs.application-east: Prevalidating AMI Name: packer_AWS_1646375931
## ...
==> Wait completed after 3 minutes 25 seconds
==> Builds finished. The artifacts of successful builds are:
--> amazon-ebs.application-east: AMIs were created:
us-east-2: ami-0f2e27f3bff004277
--> amazon-ebs.application-east: Published metadata to HCP Packer registry packer/learn-packer-application/iterations/01FX9TE43C6NHCM72ZHCJDTKN5
--> amazon-ebs.application-west: AMIs were created:
us-west-1: ami-00febc276990cecf5
--> amazon-ebs.application-west: Published metadata to HCP Packer registry packer/learn-packer-application/iterations/01FX9TE43C6NHCM72ZHCJDTKN5

Visit the AWS us-east-2 AMI Dashboard and us-west-1 AMI Dashboard to verify that Packer has built your images.

»Visit the image bucket

Visit the HCP Packer dashboard to review the image metadata that Packer uploaded to the HCP Packer registry. Select the learn-packer-application bucket.

»Update image channel

You may occasionally need to revert to using a previous version of a base image and rebuild the downstream images that depend on it.

Navigate to the learn-packer-ubuntu bucket, then click on Channels.

Edit the production channel by clicking on the ... and selecting Changed assigned iteration. Then, update the channel to the second iteration.

»Rebuild the downstream image

The base image's production channel now points to a different base image. You will rebuild the application image on top of the updated base image.

Though your template file has not changed, this build will generate new images due to the updated upstream image. Since there are no changes to commit to Git to generate a new fingerprint from the SHA, you must manually create a new fingerprint for this build. Create an environment variable named HCP_PACKER_BUILD_FINGERPRINT and set it to a unique value.

$ export HCP_PACKER_BUILD_FINGERPRINT="application-$(date +%s)"

$ export HCP_PACKER_BUILD_FINGERPRINT="application-$(date +%s)"

Now, build your image.

$ packer build application.pkr.hcl
amazon-ebs.application-east: output will be in this color.
amazon-ebs.application-west: output will be in this color.
==> amazon-ebs.application-east: Publishing build details for amazon-ebs.application-east to the HCP Packer registry
==> amazon-ebs.application-west: Publishing build details for amazon-ebs.application-west to the HCP Packer registry
==> amazon-ebs.application-west: Prevalidating any provided VPC information
==> amazon-ebs.application-west: Prevalidating AMI Name: packer_AWS_1646376404
==> amazon-ebs.application-east: Prevalidating any provided VPC information
==> amazon-ebs.application-east: Prevalidating AMI Name: packer_AWS_1646376404
## ...
==> Wait completed after 3 minutes 11 seconds
==> Builds finished. The artifacts of successful builds are:
--> amazon-ebs.application-west: AMIs were created:
us-west-1: ami-02912f40df80edac3
--> amazon-ebs.application-west: Published metadata to HCP Packer registry packer/learn-packer-application/iterations/01FX9TWH350DRRPNMF60HK96AE
--> amazon-ebs.application-east: AMIs were created:
us-east-2: ami-022f3ca3975963154
--> amazon-ebs.application-east: Published metadata to HCP Packer registry packer/learn-packer-application/iterations/01FX9TWH350DRRPNMF60HK96AE

$ packer build application.pkr.hcl
amazon-ebs.application-east: output will be in this color.
amazon-ebs.application-west: output will be in this color.
==> amazon-ebs.application-east: Publishing build details for amazon-ebs.application-east to the HCP Packer registry
==> amazon-ebs.application-west: Publishing build details for amazon-ebs.application-west to the HCP Packer registry
==> amazon-ebs.application-west: Prevalidating any provided VPC information
==> amazon-ebs.application-west: Prevalidating AMI Name: packer_AWS_1646376404
==> amazon-ebs.application-east: Prevalidating any provided VPC information
==> amazon-ebs.application-east: Prevalidating AMI Name: packer_AWS_1646376404
## ...
==> Wait completed after 3 minutes 11 seconds
==> Builds finished. The artifacts of successful builds are:
--> amazon-ebs.application-west: AMIs were created:
us-west-1: ami-02912f40df80edac3
--> amazon-ebs.application-west: Published metadata to HCP Packer registry packer/learn-packer-application/iterations/01FX9TWH350DRRPNMF60HK96AE
--> amazon-ebs.application-east: AMIs were created:
us-east-2: ami-022f3ca3975963154
--> amazon-ebs.application-east: Published metadata to HCP Packer registry packer/learn-packer-application/iterations/01FX9TWH350DRRPNMF60HK96AE

Visit the AWS us-east-2 AMI Dashboard and us-west-1 AMI Dashboard to verify that Packer has built your images.

»Next steps

In this tutorial, you used Packer to query a specific base image's build iteration and built a new image using that base image. Then, you updated the base image's channel to point to another iteration, and rebuilt the downstream image on top of the new base image.

For more information on topics covered in this tutorial, check out the following resources:

• Read more about referencing image metadata in the HCP Packer documentation.
• Visit the HCP Packer Glossary for additional descriptions of the terms covered in this tutorial.
• Visit the Build a Golden Image Pipeline With HCP Packer tutorial to build a sample application image with a golden image pipeline, then you will deploy the image to AWS using Terraform.
• Complete the Set Up Terraform Cloud Run Task for HCP Packer tutorial to learn how to set up run tasks that ensure your Terraform configuration uses compliant machine images.