Welcome to the Packer Terraform Demos repository!
This repository contains 2 demos showcasing how to use HCP Packer and HCP Terraform to build and manage infrastructure. Each demo is organized into its own subdirectory for clarity and ease of use.
HCP Packer Run Task
- Data Source Artifact Validation
  - Scans for use of hcp_packer_version and hcp_packer_artifact data sources.
  - Warns if any referenced artifact version is revoked.
- Resource Artifact Validation
  - Scans for hard-coded machine image IDs in Terraform resources.
  - Checks if these images are tracked in HCP Packer.
  - Warns if the image's artifact version is revoked.
  - Promotes best practice by encouraging use of HCP Packer data sources instead of hard-coded IDs.
HCP Packer Webhook in AWS
- Implements a handler for HCP Packer webhook events for AWS AMIs, using an API Gateway and Lambda function.
- Currently handles the following HCP Packer events:
  - Completed iteration: adds tags to the AMI(s) with HCP Packer metadata
  - Revoked iteration: deprecates the AMI(s) and adds the revocation reason as a tag
  - Restored iteration: cancels the AMI deprecation and removes the tags added by the revoked handler
  - Deleted iteration: deregisters the AMI(s) and deletes the associated snapshots
- Credit to Dan Barr for building this
HCP Packer Data Sources in Terraform
- The hcp_packer_artifact and hcp_packer_version data sources allow Terraform to dynamically fetch metadata and AMI IDs from HCP Packer instead of hardcoding AMI IDs.
- Instead of pasting static AMI IDs into Terraform configs (which get stale or revoked), the data source dynamically pulls the correct, latest AMI from HCP Packer.
- The data source integrates with HCP Packer's lifecycle metadata:
  - Channel-based sourcing (e.g., get the latest "production" image)
  - Awareness of revoked or outdated versions
Continuous Validation checks for Day 2 Guarantees
- Automated daily checks of deployed infrastructure against HCP Packer registry
- Identifies infrastructure running:
  - Revoked images (security vulnerabilities, compliance issues)
  - Outdated images (newer versions available)
  - Deprecated images (end-of-life or unsupported)
- Provides detailed reporting through HCP Portal:
  - Resource inventory with image status
  - Age of deployed images
  - Version differences between environments
- Enables proactive risk management:
  - Early warning system for security vulnerabilities
  - Compliance drift detection
  - Technical debt identification
- Integrates with existing notification systems:
  - Slack/Teams notifications
  - Email alerts
  - Ticket creation in ITSM systems
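The following is an added example (not code from this repository) tying the two ideas above together: the hcp_packer_version and hcp_packer_artifact data sources feed an aws_instance its AMI from a channel, and a Terraform check block gives HCP Terraform's continuous validation something concrete to re-evaluate on its schedule. The bucket name "hashicat", the channel "production", the region and the instance type are assumptions, as is that the aws and hcp providers are already configured in the workspace; attribute names are the ones documented for the HCP provider.

```hcl
# Version currently assigned to the "production" channel of the "hashicat"
# bucket (bucket, channel and region values are assumptions for this example).
data "hcp_packer_version" "hashicat" {
  bucket_name  = "hashicat"
  channel_name = "production"
}

# Resolve that version to the AWS artifact built for the target region.
data "hcp_packer_artifact" "hashicat" {
  bucket_name         = data.hcp_packer_version.hashicat.bucket_name
  platform            = "aws"
  region              = "us-east-1"
  version_fingerprint = data.hcp_packer_version.hashicat.fingerprint
}

# The instance takes its AMI from the registry, not a hard-coded "ami-..." ID.
resource "aws_instance" "hashicat" {
  ami           = data.hcp_packer_artifact.hashicat.external_identifier
  instance_type = "t3.micro"
}

# Day 2: HCP Terraform re-evaluates check blocks on its continuous validation
# schedule without changing infrastructure. The scoped data sources re-read the
# channel on every assessment, so the assertions fail (reported as warnings,
# not errors) when the channel moves to a newer version or the version is revoked.
check "hashicat_ami_is_current" {
  data "hcp_packer_version" "current" {
    bucket_name  = "hashicat"
    channel_name = "production"
  }

  data "hcp_packer_artifact" "current" {
    bucket_name         = "hashicat"
    platform            = "aws"
    region              = "us-east-1"
    version_fingerprint = data.hcp_packer_version.current.fingerprint
  }

  assert {
    condition     = data.hcp_packer_version.current.revoke_at == null
    error_message = "The production channel version is revoked or scheduled for revocation."
  }

  assert {
    condition     = aws_instance.hashicat.ami == data.hcp_packer_artifact.current.external_identifier
    error_message = "Deployed AMI differs from the current production artifact; a new apply is needed."
  }
}
```

Because aws_instance.hashicat.ami is refreshed from the real instance while the scoped data sources are refreshed from HCP Packer, the second assertion compares what is actually running against what the channel currently points at, which is the drift the Day 2 checks are meant to surface.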
- .github/workflows/ - GitHub Actions workflows for building Packer images.
- 01-pre-reqs/aws-networking - AWS Landing Zone.
- 01-pre-reqs/aws-webhook - AWS Webhook for HCP Packer.
- 01-pre-reqs/ec2-module - HCP Terraform Module for EC2 Instance.
- 02-packer-images/hashicat - HashiCat Packer Images (Dev and Prod).
- 02-packer-images/terramino - Terramino Packer Images (Dev and Prod).
- hashicat-demo/ - Terraform deployment for HashiCat (Dev and Prod).
- terramino-demo/ - Terraform deployment for Terramino (Dev and Prod).
- AWS Credentials for your AWS Account
  - Add AWS creds to the GitHub Actions workflow for the Packer build workflow
  - Add AWS creds to the HCP Terraform workspaces deploying resources to AWS
- HCP Credentials for your HashiCorp Cloud Platform project
  - Add HCP creds to the GitHub Actions workflow for the Packer build workflow
- HCP Terraform account for deploying infrastructure using IaC
- Store module in HCP Terraform Organization for demo use
  - Create separate repository with proper module naming (ex: terraform-aws-nameofmodule)
  - Deploys VM and scaffolding
- AWS Landing Zone creating a VPC
- AWS Webhook for HCP Packer
- hashicat-demo/dev - Dev deployment
- hashicat-demo/prod - Prod deployment
- terramino-demo/dev - Dev deployment
- terramino-demo/prod - Prod deployment
- Add credentials and use GitHub Actions workflows in .github/workflows
- 02-packer-images/hashicat - HashiCat images
- 02-packer-images/terramino - Terramino images
"How do you currently manage machine images across your organization? [Pause] Common challenges:
- Tracking image usage
- Managing updates across environments
- Ensuring compliance and security
- Preventing environment drift"
"HCP Packer and Terraform solve these through:
- Centralized image management
- Automated lifecycle handling
- Continuous compliance validation
- Streamlined dev-to-prod workflows"
"Why Packer?
- Reproducibility: Version-controlled, documented builds
- Standardization: Approved, consistent base images
- Automation: Eliminate manual creation and errors
HCP Packer provides:
- Automatic versioning
- Metadata tracking
- Audit trail
- AWS integration"
"Handling security vulnerabilities:
- Automatic AMI deprecation
- Tag updates with revocation reasons
- Proper resource management
- Zero manual cleanup"
"Integration demo highlights:
- Dynamic Image Selection
- Run Task Validation
- Channel-based Deployment"
"Ongoing management features:
- Daily automated checks
- Proactive notifications
- Clear upgrade paths
- Compliance reporting"
"Value delivered:
- Risk Reduction: Automated compliance/security
- Cost Savings: Efficient lifecycle management
- Time to Market: Streamlined pipeline
- Operational Efficiency: Reduced manual work"
[HashiCat/Terramino enhancement demo] "How would this fit your processes?"
"What image management challenges should we explore?"
- Ask open questions
- Listen for pain points
- Connect to business outcomes
- Use relevant examples
- Adjust technical depth for audience