Terraform Cloud Run Tasks

Run Tasks perform checks on Terraform Cloud operations to determine whether a run should proceed. The HCP Packer image validation run task validates whether your Terraform configuration references revoked images, which helps improve your security and compliance standards.

Terraform Cloud Free Edition includes one run task that you can associate with up to ten workspaces. HCP Packer image validation run task functionality differs depending on whether your registry uses the HCP Packer Standard or Plus tier.

Standard Tier Run Task

Hands On: Try the Set Up Terraform Cloud Run Task for HCP Packer and Standard tier run task image validation tutorials on HashiCorp Learn to set up and test the Terraform Cloud Run Task integration end to end.

For Standard tier registries, the run task performs data source image validation. This involves scanning resources for image artifacts retrieved by the hcp_packer_image data source.

The run task scans all the resources known so far in the plan and only validates resources that reference HCP Packer data sources. If any new or replaced resources reference revoked iterations, the run task fails. Whether this failure stops the Terraform run depends on the run task's enforcement mode. If it is Mandatory, the run will stop; if it is Advisory, the run proceeds with a warning.

Whether the run task passes or fails, its output contains the following information:

• The number of resources scanned. This will only include resources that reference HCP Packer data sources.
• The number of resources referencing revoked iterations and whether HCP Packer has a more recent iteration available. This lets you generate new iterations for revoked images if needed and update the image channels accordingly.
• The number of resources referencing iterations that are scheduled to be revoked.

Example

The following example contains 2 resources. The aws_instance.app_server1 resource references an image through the HCP Packer data source.

provider "aws" {
 region = var.region
}

data "hcp_packer_iteration" "ubuntu" {
 bucket_name = "learn-packer-ubuntu"
 channel     = "production"
}

data "hcp_packer_image" "ubuntu_us_east_2" {
 bucket_name    = "learn-packer-ubuntu"
 cloud_provider = "aws"
 iteration_id   = data.hcp_packer_iteration.ubuntu.ulid
 region         = "us-east-2"
}

// Referenced through HCP Packer data source
resource "aws_instance" "app_server1" {
 ami           = data.hcp_packer_image.ubuntu_us_east_2.cloud_image_id
 instance_type = "t2.micro"
 tags = {
   Name = "Learn-HCP-Packer"
 }

// hard-coded image reference
// Run task will not scan
resource "aws_instance" "app_server2" {
 ami           = "ami-bar"
 instance_type = "t2.micro"
 tags = {
   Name = "hard-coded image reference"
 }
}

If the referenced iteration is valid, the run task succeeds and produces the following output in the Terraform Cloud UI:

Data source image validation results: 1 resource scanned. 
All resources are compliant.

Then, the iteration attached to the production channel is scheduled to be revoked. The run task succeeds but produces the following output in the Terraform Cloud UI:

Data source image validation results: 1 resource scanned. 1 using images
scheduled to be revoked in the future. No newer version was found for the
revoked image. Use Packer to build compliant images and send information to
HCP Packer. When using channels, the channel must be assigned to a valid iteration.

On the scheduled revocation date and time, the iteration attached to the production channel is revoked. If aws_instance.app_server1 is new or being replaced, the run task fails and produces the following output in the Terraform Cloud UI:

Data source image validation results: 1 resource scanned. 1 new resource using revoked images.
No newer version was found for the revoked image. Use Packer to build compliant
images and send information to HCP Packer. When using channels, the channel
must be assigned to a valid iteration.

If aws_instance.app_server1 is not being created, the run task succeeds and produces the following output in the Terraform Cloud UI:

Data source image validation results: 1 resource scanned. 1 existing resource using revoked images.
No newer version was found for the revoked image. Use Packer to build compliant
images and send information to HCP Packer. When using channels, the channel
must be assigned to a valid iteration.

After each run, you can click Details to go to the HCP Packer registry home page if you need to make changes to iterations or image channels.

Plus Tier Run Task

Hands On: Try the Set Up Terraform Cloud Run Task for HCP Packer and Plus tier run task image validation tutorials on HashiCorp Learn to set up and test the Terraform Cloud Run Task integration end to end.

For Plus tier registries, the run task performs the following types of validation:

• Data source image validation: The run task scans planned resources that reference image artifacts through the HCP Packer data source.
• Resource image validation: The run task scans planned resources that use hard-coded machine image IDs. Refer to supported resources for a list of resources that the run task will validate.

The run task scans all the resources known so far in the plan. For each scanned resource, the run task checks whether there is an image associated with an iteration in HCP Packer. If any iterations referenced in a new or replaced resources are revoked, the run task fails. Whether this failure stops the Terraform run depends on the run task’s enforcement mode. If it is Mandatory, the run will stop; if it is Advisory, the run will proceed with a warning.

Whether the run task passes or fails, its output contains the following information:

• The number of resources scanned. This includes both resources referenced through the HCP Packer data source and hard-coded machine image IDs that affect the current plan.
• The number of resources referencing revoked iterations. For each revoked iteration, the run task reports if HCP Packer has a more recent iteration available. This lets you generate new iterations for revoked images if needed and update the image channels accordingly.
• The number of resources referencing iterations scheduled to be revoked.
• The number of resources referencing hard-coded image IDs. This helps you build a more resilient configuration by replacing hard-coded image IDs with dynamic references, like the HCP Packer data source.
• The number of resources referencing images that are not associated with an iteration in HCP Packer. This helps you identify untracked images and add them to your HCP Packer registry.

After each run, you can click Details to go to the HCP Packer registry homepage and make changes to iterations or image channels.

Example - Revoked Iterations

The following example includes 3 resources. The run task will scan aws_instance.app_server1 and aws_instance.app_server2 because aws_instance.app_server3 does not include an image reference.

provider "aws" {
 region = var.region
}

data "hcp_packer_iteration" "ubuntu" {
 bucket_name = "learn-packer-ubuntu"
 channel     = "production"
}

data "hcp_packer_image" "ubuntu_us_east_2" {
 bucket_name    = "learn-packer-ubuntu"
 cloud_provider = "aws"
 iteration_id   = data.hcp_packer_iteration.ubuntu.ulid
 region         = "us-east-2"
}

// Supported resource type referenced through HCP Packer data source
resource "aws_instance" "app_server1" {
 ami           = data.hcp_packer_image.ubuntu_us_east_2.cloud_image_id
 instance_type = "t2.micro"
 tags = {
   Name = "Learn-HCP-Packer"
 }
}

// Unsupported resource type
// Run task will scan because reference is through HCP Packer data source
resource "generic_compute_instance" "app_server2" {
 ami           = data.hcp_packer_image.ubuntu_us_east_2.cloud_image_id
}

// Resource does not use machine images
// Run task will not scan
resource "aws_s3_bucket" "app_server3" {
 bucket        = "hcp-packer-run-task-plus"
}

If the referenced images are valid, the advanced run task succeeds and produces the following output in the Terraform Cloud UI:

Data source and resource image validation results: 2 resources scanned.
All resources are compliant.

Later, the iteration attached to the production channel is revoked. If aws_instance.app_server1 and aws_instance.app_server2 are new or being replaced, the run task fails and produces the following output in the Terraform Cloud UI:

Data source and resource image validation results: 2 resources scanned.
2 new resources using revoked images. No newer version was found for the revoked images.
Use Packer to build compliant images and send information to HCP Packer.
When using channels, the channel must be assigned to a valid iteration.

Example - Hard-coded and Untracked Images

The following example includes 3 resources that all contain image references. The run task will scan only aws_instance.app_server1 and aws_instance.app_server2 because generic_compute_instance.app_server3 is an unsupported type.

provider "aws" {
 region = var.region
}

// Supported resource type with hard-coded image reference
// HCP Packer is tracking this ami (ami-foo)
resource "aws_instance" "app_server1" {
 ami           = "ami-foo"
 instance_type = "t2.micro"
 tags = {
   Name = "hard-coded image reference"
 }
}

// Supported resource type with hard-coded image reference
// HCP Packer is not tracking this ami (ami-bar)
resource "aws_instance" "app_server2" {
 ami           = "ami-bar"
 instance_type = "t2.micro"
 tags = {
   Name = "hard-coded image reference"
 }
}

// Unsupported resource type with hard-coded image reference
// Run task will not scan
resource "generic_compute_instance" "app_server3" {
 ami           = "ami-foo"
}

The advanced run task succeeds and produces the following output in the Terraform Cloud UI:

Data source and resource image validation results: 2 resources scanned.
2 images found hard-coded in the configuration. 1 image not tracked by HCP
Packer. Use Packer to build compliant images and send information to HCP
Packer. Use hcp_packer_image and hcp_packer_iteration data sources to
query images from HCP Packer.

Supported Resources

The advanced run task supports validating hard-coded machine images on the following resources.

Amazon Web Services (AWS) Provider

• aws_instance
• aws_spot_instance_request
• aws_launch_template
• aws_launch_configuration
• aws_ami_launch_permission
• aws_launch_template
• aws_emr_cluster
• aws_batch_compute_environment

Azure Provider

• azurerm_virtual_machine_scale_set
• azurerm_linux_virtual_machine
• azurerm_windows_virtual_machine
• azurerm_managed_disk

Google Cloud Platform (GCP) Provider

• google_compute_instance
• google_compute_machine_image_iam_binding
• google_compute_machine_image_iam_member
• google_compute_machine_image_iam_policy
• google_compute_image_iam_binding
• google_compute_image_iam_member
• google_compute_image_iam_policy
• google_compute_disk

Set up Run Tasks

Hands On: Try the Set Up Terraform Cloud Run Task for HCP Packer tutorial on HashiCorp Learn.

To set up the HCP Packer Image Validation Run Task in Terraform Cloud:

1. Go to the HCP Packer homepage click Integrate with Terraform Cloud. The Integrate with Terraform Cloud box appears containing the Validation Run Task Endpoint URL and the HMAC Key. These values are required to create the run task in Terraform Cloud.

   

2. Follow the instructions in the Terraform Cloud Run Tasks documentation to create a new run task and add it to workspaces.