Over the lifecycle of a machine image, you may need to prevent access to it if it becomes outdated. In addition to immediately revoking insecure image iterations, HCP Packer lets you schedule a future image revocation by setting a Time To Live (TTL). This strengthens your compliance posture by by preventing usage of outdated images.
Note: Scheduled revocation is an HCP Packer Plus tier feature.
In this tutorial, you will schedule a revocation. In the process, you will learn the relationship between HCP Packer image channels and revoked iterations, and how image revocation prevents downstream image consumers from referencing outdated images.
»Prerequisites
To complete this tutorial, you must have completed the HCP Packer Get Started tutorials. In the tutorials, you:
- Created a service principal.
- Set your client ID and secret as environment variables.
- Configured your AWS credentials as environment variables.
- Built an image and push its metadata to HCP Packer.
- Set up a channel named
productionfor your image bucket.
In addition, you will need:
- Terraform 1.2.0+ installed locally.
»Schedule image iteration revocation
Assume that your company policy requires that images expire after 30 days to ensure no one deploys a stale image. To enforce this policy, you can schedule a revocation date and time.
Go to the learn-packer-ubuntu's Iterations page. Schedule a revocation date for the first iteration by clicking on ... then Revoke iteration. Scheduled revocations, unlike immediate ones, can apply to iterations assigned to image channels.
Select Revoke at a future date and enter the time for 5 minutes from your current time. The time is in UTC (current time in UTC). For example, if it is currently 10:00, enter 10:05.
Enter Learning about scheduling revocation for the revocation reason, and click Revoke Iteration to revoke the iteration.
The dashboard now shows a scheduled revocation for the first iteration.
Open the first iteration by clicking on 1. HCP Packer displays the reason why this image was scheduled to be revoked.
»Verify scheduled image iteration revocation
In the tf-channel directory, generate a Terraform plan. Terraform will successfully create the plan.
The hcp_packer_iteration and hcp_packer_image Terraform data sources still retrieve information for revoked or scheduled to be revoked iterations. However, the hcp_packer_image data source's revoke_at attribute is set to the revocation timestamp.
In main.tf, update the EC2 instance to only create an instance if the image is not revoked.
The lifecycle precondition will succeed if revoke_at is scheduled to the future or is null.
In outputs.tf, add the following output to view the iteration's image ID.
Wait until the five minute revocation time you configured earlier passes. HCP Packer will automatically revoke your iteration. Check the Iterations dashboard to confirm HCP Packer revoked the first iteration.
Notice that even though the first iteration is revoked, the production channel still references it.
Because the lifecycle custom precondition depends on timestamp() which is unknown during a Terraform plan, the condition will be checked during the Terraform apply.
Apply your configuration. Since the production channel references a revoked image, the image_revocation_date output is set to to the revocation timestamp, the app_server lifecycle precondition will fail, and Terraform will not create the EC2 instance.
If your Terraform configuration references a revoked image, contact your HCP Packer administrator to re-assign the channel to a valid image iteration.
»Restore revoked iteration
If you accidentally revoke the wrong iteration, you can restore the iteration so your team can use its images again.
In the HCP Packer UI, navigate to the first iteration. Then, click Manage and Restore iteration.
Click Restore iteration to restore your iteration.
»Verify restoration
In the tf-channels directory, apply your configuration. Since the iteration is restored, Terraform successfully creates the EC2 instance.
To clean up your provisioned infrastructure, run terraform destroy and respond yes to the prompt to confirm the operation.
»Next steps
In this tutorial, you used scheduled an iteration revocation and restored a revoked iteration. In the process, you reviewed how scheduled revocations strengthen your compliance posture by setting expiration dates on iterations, preventing users from using outdated images. Though you can schedule a revocation for an iteration assigned to an image channel, when the revocation date passes, the channel will reference a revoked iteration. Any attempts to query a channel with a revoked iteration will fail.
By integrating both immediate and scheduled iteration revocation in your workflows, you can ensure your organization uses secure and compliant images.
For more information on topics covered in this tutorial, check out the following resources:
- Complete the Immediately Revoke Insecure Image Iterations tutorial to learn how to prevent users from referencing insecure images.
- Read more about revoking image iterations in the HCP Packer documentation.
- Visit the Terraform
hcpprovider for a full list of arguments and attributes for thehcp_packer_iterationandhcp_packer_imagedata resources. - Complete the Set Up Terraform Cloud Run Task for HCP Packer tutorial to learn how to ensure your Terraform configuration uses compliant machine images.
