HCP Packer provides automation, collaboration, and security for managing images across multiple clouds. It includes image security and compliance workflows with Terraform Cloud.
We announced the public beta of our HashiCorp Cloud Platform (HCP) Packer service at HashiConf in October. Since then, we’ve seen quite a few organizations adopt it. Today we are pleased to announce that HCP Packer is now generally available. HCP Packer configures and manages images across clouds automatically, improving your workflows. It also provides a standardized way of securing images across an organization.
This GA release includes new features not present in the beta, including security workflows as well as the ability to track and query images that use your own custom metadata. Terraform Cloud Business tier users will also be able to integrate HCP Packer image compliance checks into their Terraform Cloud workflows. This enables customers to check all Terraform configurations for images flagged for revocation within HCP Packer.
The HCP Packer Standard tier allows you to track 10 images and make 250 API requests for free each month.
Many organizations’ application stacks use the same operating system and system-level security tools. To keep things DRY and avoid creating the same image for this operating environment over and over, it makes sense to codify a single “golden image,” which can then be used to track and update this base image across stacks using automation.
The concept of using golden images is not new. Why does it make sense to codify images using HCP Packer instead of other tools?
Many of the organizations we talked to about build management kept track of their images across clouds in spreadsheets. Some sought to have a standardized means for updating images, but struggled to get visibility for images across clouds. Some organizations still update images manually.
Codifying base images across downstream images provides visibility into how they are used and enables teams to update them using automation. HCP Packer can codify a base image as a golden image using channels, enabling your teams to automate updates to its downstream images with a single
packer build. Not only can this golden image be used to automate base image updates across a single cloud, the same golden image can be used to automate image updates across multiple clouds and private infrastructure.
HCP Packer updates a version of Ubuntu across downstream images.
HCP Packer saves every update to your image as an iteration within an image bucket in your registry. HCP Packer will also tell you all of the artifacts associated with that particular iteration of this image across multiple clouds.
A key mantra of HashiCorp is “workflows, not technologies.” People who provision infrastructure often manage images, so we aim to make their workflows as simple as possible. By defining golden images as a data source that is consumable by Terraform, other teams can always find the right version of an image for their provisioning pipelines.
You can integrate golden images into Terraform configurations using the HCP provider for Terraform. This provider makes HCP Packer’s data available as a data source. Instead of updating hard-coded Amazon Machine Images (AMIs) or VM images within your Terraform configurations, your teams can use the channel ID that defines your golden images. Once that channel is updated, a single
terraform apply will update the golden image. In the time it takes you to brew a pot of coffee, you can update an image used within numerous application stacks across multiple clouds.
As we talked to customers about their image management practices, we found that many wanted to set processes for deprecating older images, but struggled to do this across multiple application stacks and clouds. HCP Packer now allows you to set end of life (EOL) dates for images, or revoke images immediately as necessary. If your team schedules an image to be revoked, it will no longer return queries from the HCP Packer API after that date.
Setting up EOL dates is one thing, but enforcing action on these EOL dates is something else entirely. HCP Packer integrates with Terraform Cloud using run tasks (currently in beta), which are available to Terraform Cloud Business tier users. If you try to execute a
terraform plan for a configuration that includes a revoked image, Terraform Cloud will let you know. The more visibility teams have into the images that are up-to-date, the easier it is to improve security and compliance across your organization.
We aim to make it easy to get started with HCP Packer. Your team can get started with a Standard plan and track ten images per month for free. After that, it’s just $5 per tracked image per month. Sign up for free.
If you haven’t used Packer yet, this New to Packer? HashiCorp Learn guide will walk you through the basics. If you know Packer already, there are Learn guides for building golden images as well as integrating with Terraform.
Do you want to implement HCP Packer across larger and/or multiple teams? HashiCorp is launching a Plus plan in Beta. This already includes image compliance checks, which allow Terraform Cloud to scan configurations for hard-coded AMIs that are set for revocation. Using this integration will make it easier to track and enforce compliance across all provisioning pipelines. Going forward, we plan to enhance HCP Packer Plus with more features that simplify image management at scale. If you’re interested, please contact us for more details.
HashiCorp adopts the community-created HCL Extension for Visual Studio Code and adds HCL 2.0 support.
The HashiCorp Releases API is now available. This API is your one-stop shop for finding and viewing extended metadata about HashiCorp product releases.
Several of this year’s HashiTalks speakers presented useful Terraform, Packer, and CI/CD tips and tricks. Learn from this list of highlights.