»Terraform Cloud Run Tasks

Run Tasks perform checks on Terraform Cloud operations to determine whether a run should proceed. The HCP Packer image validation run task validates whether your Terraform configuration references revoked images, which helps improve your security and compliance standards.

Run Tasks are a paid feature available with Terraform Cloud for Business and Team & Governance tiers. HCP Packer image validation run task functionality differs depending on whether your registry uses the HCP Packer Standard or Plus tier.

»Standard Tier Run Task

Hands On: Try the Set Up Terraform Cloud Run Task for HCP Packer and Standard tier run task image validation tutorials on HashiCorp Learn to set up and test the Terraform Cloud Run Task integration end to end.

For Standard tier registries, the run task performs data source image validation. This involves scanning planned resources for image artifacts retrieved by the hcp_packer_image data source.

The run task does not scan the entire Terraform configuration for each run; it only validates resources that are related to the current plan and reference HCP Packer data sources. If any resources reference revoked iterations, the run task fails. Whether this failure stops the Terraform run depends on the run task's enforcement mode. If it is Mandatory, the run will stop; if it is Advisory, the run proceeds with a warning.

Whether the run task passes or fails, its output contains the following information:

The number of planned resources scanned. This will only include resources that reference HCP Packer data sources.
The number of planned resources referencing revoked iterations and whether HCP Packer has a more recent iteration available. This lets you generate new iterations for revoked images if needed and update the image channels accordingly.
The number of planned resources referencing iterations that are scheduled to be revoked.

»Example

The following example contains 2 resources. The aws_instance.app_server1 resource references an image through the HCP Packer data source.

provider "aws" {
 region = var.region
}

data "hcp_packer_iteration" "ubuntu" {
 bucket_name = "learn-packer-ubuntu"
 channel     = "production"
}

data "hcp_packer_image" "ubuntu_us_east_2" {
 bucket_name    = "learn-packer-ubuntu"
 cloud_provider = "aws"
 iteration_id   = data.hcp_packer_iteration.ubuntu.ulid
 region         = "us-east-2"
}

// Referenced through HCP Packer data source
resource "aws_instance" "app_server1" {
 ami           = data.hcp_packer_image.ubuntu_us_east_2.cloud_image_id
 instance_type = "t2.micro"
 tags = {
   Name = "Learn-HCP-Packer"
 }

// hard-coded image reference
// Run task will not scan
resource "aws_instance" "app_server2" {
 ami           = "ami-bar"
 instance_type = "t2.micro"
 tags = {
   Name = "hard-coded image reference"
 }
}

provider "aws" { region = var.region}
data "hcp_packer_iteration" "ubuntu" { bucket_name = "learn-packer-ubuntu" channel     = "production"}
data "hcp_packer_image" "ubuntu_us_east_2" { bucket_name    = "learn-packer-ubuntu" cloud_provider = "aws" iteration_id   = data.hcp_packer_iteration.ubuntu.ulid region         = "us-east-2"}
// Referenced through HCP Packer data sourceresource "aws_instance" "app_server1" { ami           = data.hcp_packer_image.ubuntu_us_east_2.cloud_image_id instance_type = "t2.micro" tags = {   Name = "Learn-HCP-Packer" }
// hard-coded image reference// Run task will not scanresource "aws_instance" "app_server2" { ami           = "ami-bar" instance_type = "t2.micro" tags = {   Name = "hard-coded image reference" }}

If the plan includes the aws_instance.app_server1 resource and the referenced iteration is valid, the run task succeeds and produces the following output in the Terraform Cloud UI:

Data source image validation results: 1 resource scanned.
All resources are compliant.

Data source image validation results: 1 resource scanned.All resources are compliant.

Then, the iteration attached to the production channel is scheduled to be revoked. If a plan includes the aws_instance.app_server1 resource, the run task succeeds but produces the following output in the Terraform Cloud UI:

Data source image validation results: 1 resource scanned. 1 using images
scheduled to be revoked in the future. No newer version was found for the
revoked image. Use Packer to build compliant images and send information to
HCP Packer. When using channels, the channel must be assigned to a valid iteration.

Data source image validation results: 1 resource scanned. 1 using imagesscheduled to be revoked in the future. No newer version was found for therevoked image. Use Packer to build compliant images and send information toHCP Packer. When using channels, the channel must be assigned to a valid iteration.

On the scheduled revocation date and time, the iteration attached to the production channel is revoked. If a plan includes the aws_instance.app_server1 resource, the run task fails and produces the following output in the Terraform Cloud UI:

Data source image validation results: 1 resource scanned. 1 image is revoked.
No newer version was found for the revoked image. Use Packer to build compliant
images and send information to HCP Packer. When using channels, the channel
must be assigned to a valid iteration.

Data source image validation results: 1 resource scanned. 1 image is revoked.No newer version was found for the revoked image. Use Packer to build compliantimages and send information to HCP Packer. When using channels, the channelmust be assigned to a valid iteration.

After each run, you can click Details to go to the HCP Packer registry home page if you need to make changes to iterations or image channels.

Screenshot:Details button in Terraform Cloud UI

»Plus Tier Run Task

Hands On: Try the Set Up Terraform Cloud Run Task for HCP Packer and Plus tier run task image validation tutorials on HashiCorp Learn to set up and test the Terraform Cloud Run Task integration end to end.

For Plus tier registries, the run task performs the following types of validation:

Data source image validation: The run task scans planned resources that reference image artifacts through the HCP Packer data source.
Resource image validation: The run task scans planned resources that use hard-coded machine image IDs. Refer to supported resources for a list of resources that the run task will validate.

The run task does not scan the entire Terraform configuration for each run; it only validates resources related to the current plan. For each scanned resource, the run task checks whether the image is associated with an iteration in HCP Packer. If any referenced iterations are revoked, the run task fails. Whether this failure stops the Terraform run depends on the run task’s enforcement mode. If it is Mandatory, the run will stop; if it is Advisory, the run will proceed with a warning.

Whether the run task passes or fails, its output contains the following information:

The number of resources scanned. This includes both resources referenced through the HCP Packer data source and hard-coded machine image IDs that affect the current plan.
The number of planned resources referencing revoked iterations. For each revoked iteration, the run task reports if HCP Packer has a more recent iteration available. This lets you generate new iterations for revoked images if needed and update the image channels accordingly.
The number of planned resources referencing iterations scheduled to be revoked.
The number of planned resources referencing hard-coded image IDs. This helps you build a more resilient configuration by replacing hard-coded image IDs with dynamic references, like the HCP Packer data source.
The number of planned resources referencing images that are not associated with an iteration in HCP Packer. This helps you identify untracked images and add them to your HCP Packer registry.

After each run, you can click Details to go to the HCP Packer registry homepage and make changes to iterations or image channels.

Screenshot:Details button in Terraform Cloud UI

»Example - Revoked Iterations

The following example includes 3 resources. The run task will scan aws_instance.app_server1 and aws_instance.app_server2 because aws_instance.app_server3 does not include an image reference.

provider "aws" {
 region = var.region
}

data "hcp_packer_iteration" "ubuntu" {
 bucket_name = "learn-packer-ubuntu"
 channel     = "production"
}

data "hcp_packer_image" "ubuntu_us_east_2" {
 bucket_name    = "learn-packer-ubuntu"
 cloud_provider = "aws"
 iteration_id   = data.hcp_packer_iteration.ubuntu.ulid
 region         = "us-east-2"
}

// Supported resource type referenced through HCP Packer data source
resource "aws_instance" "app_server1" {
 ami           = data.hcp_packer_image.ubuntu_us_east_2.cloud_image_id
 instance_type = "t2.micro"
 tags = {
   Name = "Learn-HCP-Packer"
 }
}

// Unsupported resource type
// Run task will scan because reference is through HCP Packer data source
resource "generic_compute_instance" "app_server2" {
 ami           = data.hcp_packer_image.ubuntu_us_east_2.cloud_image_id
}

// Resource does not use machine images
// Run task will not scan
resource "aws_s3_bucket" "app_server3" {
 bucket        = "hcp-packer-run-task-plus"
}

provider "aws" { region = var.region}
data "hcp_packer_iteration" "ubuntu" { bucket_name = "learn-packer-ubuntu" channel     = "production"}
data "hcp_packer_image" "ubuntu_us_east_2" { bucket_name    = "learn-packer-ubuntu" cloud_provider = "aws" iteration_id   = data.hcp_packer_iteration.ubuntu.ulid region         = "us-east-2"}
// Supported resource type referenced through HCP Packer data sourceresource "aws_instance" "app_server1" { ami           = data.hcp_packer_image.ubuntu_us_east_2.cloud_image_id instance_type = "t2.micro" tags = {   Name = "Learn-HCP-Packer" }}
// Unsupported resource type// Run task will scan because reference is through HCP Packer data sourceresource "generic_compute_instance" "app_server2" { ami           = data.hcp_packer_image.ubuntu_us_east_2.cloud_image_id}
// Resource does not use machine images// Run task will not scanresource "aws_s3_bucket" "app_server3" { bucket        = "hcp-packer-run-task-plus"}

If a plan includes aws_instance.app_server1 and aws_instance.app_server2 and the referenced images are valid, the advanced run task succeeds and produces the following output in the Terraform Cloud UI:

Data source and resource image validation results: 2 resources scanned.
All resources are compliant.

Data source and resource image validation results: 2 resources scanned.All resources are compliant.

Later, the iteration attached to the production channel is revoked. If a plan includes aws_instance.app_server1 and aws_instance.app_server2, the run task fails and produces the following output in the Terraform Cloud UI:

Data source and resource image validation results: 2 resources scanned.
2 using revoked images. No newer version was found for the revoked images.
Use Packer to build compliant images and send information to HCP Packer.
When using channels, the channel must be assigned to a valid iteration.

Data source and resource image validation results: 2 resources scanned.2 using revoked images. No newer version was found for the revoked images.Use Packer to build compliant images and send information to HCP Packer.When using channels, the channel must be assigned to a valid iteration.

»Example - Hard-coded and Untracked Images

The following example includes 3 resources that all contain image references. The run task will scan only aws_instance.app_server1 and aws_instance.app_server2 because generic_compute_instance.app_server3 is an unsupported type.

provider "aws" {
 region = var.region
}

// Supported resource type with hard-coded image reference
// HCP Packer is tracking this ami (ami-foo)
resource "aws_instance" "app_server1" {
 ami           = "ami-foo"
 instance_type = "t2.micro"
 tags = {
   Name = "hard-coded image reference"
 }
}

// Supported resource type with hard-coded image reference
// HCP Packer is not tracking this ami (ami-bar)
resource "aws_instance" "app_server2" {
 ami           = "ami-bar"
 instance_type = "t2.micro"
 tags = {
   Name = "hard-coded image reference"
 }
}

// Unsupported resource type with hard-coded image reference
// Run task will not scan
resource "generic_compute_instance" "app_server3" {
 ami           = "ami-foo"
}

provider "aws" { region = var.region}
// Supported resource type with hard-coded image reference// HCP Packer is tracking this ami (ami-foo)resource "aws_instance" "app_server1" { ami           = "ami-foo" instance_type = "t2.micro" tags = {   Name = "hard-coded image reference" }}
// Supported resource type with hard-coded image reference// HCP Packer is not tracking this ami (ami-bar)resource "aws_instance" "app_server2" { ami           = "ami-bar" instance_type = "t2.micro" tags = {   Name = "hard-coded image reference" }}
// Unsupported resource type with hard-coded image reference// Run task will not scanresource "generic_compute_instance" "app_server3" { ami           = "ami-foo"}

If a plan includes aws_instance.app_server1 and aws_instance.app_server2, the advanced run task succeeds and produces the following output in the Terraform Cloud UI:

Data source and resource image validation results: 2 resources scanned.
2 images found hard-coded in the configuration. 1 image not tracked by HCP
Packer. Use Packer to build compliant images and send information to HCP
Packer. Use hcp_packer_image and hcp_packer_iteration data sources to
query images from HCP Packer.

Data source and resource image validation results: 2 resources scanned.2 images found hard-coded in the configuration. 1 image not tracked by HCPPacker. Use Packer to build compliant images and send information to HCPPacker. Use hcp_packer_image and hcp_packer_iteration data sources toquery images from HCP Packer.

»Supported Resources

The advanced run task supports validating hard-coded machine images on the following resources.

Amazon Web Services (AWS) Provider

aws_instance
aws_spot_instance_request
aws_launch_template
aws_launch_configuration
aws_ami_launch_permission
aws_launch_template
aws_emr_cluster
aws_batch_compute_environment

Azure Provider

azurerm_virtual_machine_scale_set
azurerm_linux_virtual_machine
azurerm_windows_virtual_machine
azurerm_managed_disk

Google Cloud Platform (GCP) Provider

google_compute_instance
google_compute_machine_image_iam_binding
google_compute_machine_image_iam_member
google_compute_machine_image_iam_policy
google_compute_image_iam_binding
google_compute_image_iam_member
google_compute_image_iam_policy
google_compute_disk

»Set up Run Tasks

Hands On: Try the Set Up Terraform Cloud Run Task for HCP Packer tutorial on HashiCorp Learn.

To set up the HCP Packer Image Validation Run Task in Terraform Cloud:

Go to the HCP Packer homepage click Integrate with Terraform Cloud. The Integrate with Terraform Cloud box appears containing the Validation Run Task Endpoint URL and the HMAC Key. These values are required to create the run task in Terraform Cloud.
Follow the instructions in the Terraform Cloud Run Tasks documentation to create a new run task and add it to workspaces.