Revoke Images
If an image becomes outdated or a security risk, you can revoke it to prevent consumers from accessing its metadata and using it to build artifacts. HCP Packer supports two revocation strategies: immediate and scheduled.
- Immediate revocation lets you promptly decommission images with security vulnerabilities, strengthening your security posture.
- Scheduled revocation is a Plus tier feature that lets you set a Time To Live (TTL) on images, preventing consumers from using outdated images and strengthening your compliance posture.
The `hcp_packer_iteration` and `hcp_packer_image` Terraform data sources still retrieve information for revoked iterations. However, if the `hcp_packer_image` data source references a revoked image or an image that is scheduled to be revoked, the `revoke_at` attribute is set to the revocation timestamp. Terraform consumers can use this attribute to validate the iterations. The Terraform Cloud image validation run task also scans the configuration and flags any planned resources that reference revoked iterations.
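The validation that the paragraph above describes, as an added example that is not part of the HCP Packer documentation or the provider's own code: a Terraform configuration that resolves an image through the `hcp_packer_iteration` and `hcp_packer_image` data sources and uses a resource `precondition` to refuse to launch from an image whose `revoke_at` timestamp has already passed. The bucket, channel, cloud provider, region and instance type are placeholder values. `revoke_at` is the attribute the page names; the other argument and attribute names (`bucket_name`, `channel`, `iteration_id`, `ulid`, `cloud_provider`, `region`, `cloud_image_id`) are those of the HCP Terraform provider's data source schema, and `timecmp()` requires Terraform 1.3 or later.

```hcl
# Resolve the iteration currently assigned to the "production" channel of the
# "ubuntu-base" bucket, then the AWS image built from that iteration.
# Bucket, channel, provider and region values are placeholders for this example.
data "hcp_packer_iteration" "base" {
  bucket_name = "ubuntu-base"
  channel     = "production"
}

data "hcp_packer_image" "base" {
  bucket_name    = "ubuntu-base"
  iteration_id   = data.hcp_packer_iteration.base.ulid
  cloud_provider = "aws"
  region         = "us-east-1"
}

locals {
  # revoke_at is an RFC 3339 timestamp when the image is revoked or scheduled
  # for revocation, and unset otherwise. timecmp() errors on an unset value, so
  # try() treats "no revocation recorded" as usable. A future-dated scheduled
  # revocation still passes, matching the behaviour described above.
  image_usable = try(
    timecmp(data.hcp_packer_image.base.revoke_at, timestamp()) > 0,
    true
  )
}

resource "aws_instance" "web" {
  ami           = data.hcp_packer_image.base.cloud_image_id
  instance_type = "t3.micro"

  lifecycle {
    # Fail the plan rather than launch from an image that is revoked or whose
    # scheduled revocation date has already arrived.
    precondition {
      condition     = local.image_usable
      error_message = "Image ${data.hcp_packer_image.base.cloud_image_id} (iteration ${data.hcp_packer_iteration.base.ulid}) was revoked or is due for revocation at ${coalesce(data.hcp_packer_image.base.revoke_at, "unknown")}."
    }
  }
}
```

Because the check runs at plan time against the live registry, a revocation that lands after the image was first deployed surfaces on the next `terraform plan`, which is the point at which an operator can decide whether to rebuild or roll the channel back. Where a blocking failure is too strict, the same condition can be placed in a Terraform `check` block (Terraform 1.5 or later) so that it is reported as a warning instead.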
When the revocation takes effect, HCP Packer marks the iteration as revoked in the HCP Packer UI. Packer consumers cannot build templates referencing revoked iterations.
Inherited Revocation
HCP Packer automatically tracks how images are related to each other to trace changes and vulnerabilities from an image to all of its descendants. Refer to Ancestry for more details.
When you revoke an iteration or schedule a revocation, you can choose to automatically revoke all of that iteration’s downstream descendants in HCP Packer. This option can help prevent consumers from using outdated images. The HCP Packer UI displays information about inherited revocations on the iteration’s overview page, including a link to the revoked ancestor.
For child images already inheriting a scheduled revocation, you can still schedule an earlier revocation date directly on the child or revoke it immediately.
Hands on: Try the Revoke an Image and its Descendants tutorial.
Revocation Precedence
An iteration can have multiple parents, so a single child image can have multiple inherited revocations. You can also always revoke a child image directly. The following rules determine revocation precedence:
- Direct Revocation: Revoking the iteration directly takes precedence over all inherited revocations. Likewise, directly scheduling revocation for the iteration takes precedence over inherited scheduled revocations.
- Revocation Date: The earliest revocation date takes precedence. Directly revoking an iteration immediately takes precedence over inherited revocations scheduled for later dates. If an iteration has multiple inherited revocations, HCP Packer revokes the iteration at the earliest possible date. For example, if you schedule ancestor A for revocation at 5pm and then schedule ancestor B for revocation at 4pm the same day, HCP Packer revokes the child iteration at 4pm.
Immediately Revoke an Iteration
To immediately revoke an iteration:
1. Open the Revoke iteration page by doing one of the following:
   - Click Iterations in the left sidebar to view a list of all iterations within an image bucket. Then, click the ellipses (...) to the right of the iteration you want to revoke and select Revoke Iteration.
   - Go to the details page for the iteration you want to revoke. Then, open the Manage menu and select Revoke iteration.
2. (Optional) Enter a Reason for why this iteration is no longer usable. Users will see this message on the iteration details page when the revocation takes effect.
3. Select Revoke immediately from the When dropdown.
4. Choose whether to revoke all descendant iterations, if any.
5. If this iteration is assigned to user-created channels, select Yes, rollback channel from the Rollback channels dropdown to automatically reassign the last valid and unrevoked iteration to each channel. Otherwise, you must manually unassign the iteration from all user-created channels before proceeding.
6. Click Revoke.
The HCP Packer UI displays a Revoked message on the iteration details page. You can restore the iteration at any time.
Schedule Revoking an Iteration
Note: Scheduled revocation is only available in the HCP Packer Plus tier. Refer to Manage Registry for details about viewing and changing your registry tier.
To schedule a revocation:
1. Open the Revoke iteration page by doing one of the following:
   - Click Iterations in the left sidebar to view a list of all iterations within an image bucket. Then, click the ellipses (...) to the right of the iteration you want to revoke and select Revoke Iteration.
   - Go to the details page for the iteration you want to revoke. Then, open the Manage menu and select Revoke iteration.
2. (Optional) Enter a Reason for why this iteration is no longer usable. Users will see this message on the iteration details page when the revocation takes effect.
3. Select Revoke at a future date from the When dropdown and choose a date and time when the revocation will take effect. Consumers will be able to use this iteration’s metadata until the specified date.
4. Choose whether to schedule the revocation for all descendant iterations, if any.
5. If this iteration is assigned to user-created channels, select Yes, rollback channel from the Rollback channel dropdown to automatically reassign the last valid and unrevoked iteration to each channel when revocation occurs. If the channel has a valid iteration assigned at the time of scheduled revocation, no rollback occurs.
6. Click Revoke.
The HCP Packer UI displays a Revoke scheduled message on the iteration details page and a tag on any associated image channels. Consumers can use the iteration up until the scheduled revocation date, and you can cancel the scheduled revoke at any time before it takes effect.
Note: Once the revocation takes effect, HCP Packer marks image channels pointing to revoked iterations with a Revoked tag in the UI. We recommend notifying consumers and removing the revoked iteration from all associated image channels.
Restore Iteration
Revoked iterations remain available in HCP Packer until you manually delete them from your registry. You can restore them at any time to make their metadata available to consumers. To restore an iteration:
- Go to the iteration’s details page and click Restore iteration. The Restore iteration? box appears.
- Click Restore iteration.
The iteration metadata is immediately available to consumers, and HCP Packer no longer lists it as Revoked in the UI. However, HCP Packer does not automatically re-add the image to any previously associated image channels; you must re-add it manually.
You cannot restore an iteration that inherited a revocation from one of its ancestors. Restore the revoked ancestor to automatically restore all of its descendants.
Cancel Scheduled Revocation
You can cancel a scheduled revocation at any time up until the specified date. To cancel a scheduled revoke:
- Go to the iteration’s details page and click Cancel scheduled revoke. The Cancel scheduled revoke? box appears.
- Click Cancel scheduled revoke.
The iteration is no longer marked as Scheduled for revoke in the UI.
You cannot cancel an inherited scheduled revocation. Cancel the scheduled revocation for the ancestor to automatically cancel the revocation for all of its descendants.