Immediately revoke insecure artifact versions
Over the lifecycle of an artifact, you may discover a vulnerability and need to prevent access to it. HCP Packer lets you revoke an artifact version immediately. This strengthens your security posture by preventing usage of a compromised artifact that has been found to have a vulnerability.
In this tutorial, you will revoke an artifact version. You will review the relationship between HCP Packer artifact channels and revoked versions, and how artifact revocation prevents downstream consumers from referencing compromised artifacts.
Prerequisites
To complete this tutorial, you must have completed the previous tutorials. In the previous tutorials, you:
- Created a service principal with Contributor access to HCP.
- Set your client ID and secret as environment variables.
- Configured your AWS credentials as environment variables.
- Built an artifact and pushed its metadata to HCP Packer.
- Set up a channel named production for your bucket.
In addition, you will need:
- Terraform 1.2.0+ installed locally.
Revoke artifact version
Assume you just discovered a new security vulnerability in the second version of your learn-packer-ubuntu artifact. To prevent users from referencing the version's artifacts, you will immediately revoke the second version.
On the learn-packer-ubuntu bucket's Versions page, revoke the second version by clicking on ..., then Revoke version.
Enter Learning about immediate revocation for the revocation reason.
Tip
A revocation reason is optional, but we recommend providing one so your team understands why you revoked the version.
If you are subscribed to the HCP Packer Plus tier, select Revoke immediately from the When? dropdown menu. If you are on the free tier, you will not see this field.
Then select Yes, rollback channel from the Rollback channels? dropdown menu.
Finally, click Revoke to revoke the version.
Navigate to the overview page for the second version, which shows the revocation reason. Copy the fingerprint of this version, as you will reference it later in this tutorial.
Now, select Back to versions. The Versions page now shows that the second version is revoked, and that the production and latest channels rolled back to the first version.
Verify artifact version revocation
When you revoke an artifact version, it becomes unavailable to artifact channels. You cannot assign a revoked version to a channel.
Change into the tf-revoked-version directory.
$ cd tf-revoked-version
The configuration in this directory defines a data source that queries the version of the learn-packer-ubuntu artifact specified by the version_fingerprint input variable. If HCP Packer returns a version that is not revoked, Terraform will create a compute instance with the artifact ID.
tf-revoked-version/main.tf
data "hcp_packer_artifact" "ubuntu_us_east_2" {
  bucket_name         = "learn-packer-ubuntu"
  platform            = "aws"
  version_fingerprint = var.version_fingerprint
  region              = "us-east-2"
}

resource "aws_instance" "app_server" {
  ami           = data.hcp_packer_artifact.ubuntu_us_east_2.external_identifier
  instance_type = "t2.micro"

  tags = {
    Name = "Learn-HCP-Packer"
  }

  lifecycle {
    # Refuse to build from an artifact whose revoke_at is already in the past.
    # try() returns the first expression that evaluates without an error:
    #   - revoke_at set:  pass only while the revocation time is still ahead
    #   - revoke_at null: formatdate() errors, so the second expression (true) wins
    # timestamp() is unknown at plan time, so this check runs during apply.
    precondition {
      condition = try(
        formatdate("YYYYMMDDhhmmss", data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at) > formatdate("YYYYMMDDhhmmss", timestamp()),
        data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at == null
      )
      error_message = "Source AMI is revoked."
    }
  }
}
The lifecycle precondition succeeds if revoke_at is null (the version was never revoked) or is a timestamp in the future (a scheduled revocation that has not yet taken effect). It fails once revoke_at is in the past.
Open tf-revoked-version/terraform.tfvars in your editor. Set version_fingerprint to the version fingerprint you retrieved in the previous step, then save the file.
tf-revoked-version/terraform.tfvars
version_fingerprint = "VERSION_FINGERPRINT"
Initialize your Terraform configuration.
$ terraform init
Initializing the backend...

Initializing provider plugins...
- Reusing previous version of hashicorp/hcp from the dependency lock file
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/hcp v0.80.0...
- Installed hashicorp/hcp v0.80.0 (signed by HashiCorp)
- Installing hashicorp/aws v4.2.0...
- Installed hashicorp/aws v4.2.0 (signed by HashiCorp)

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Because the lifecycle precondition depends on timestamp(), whose value is unknown during terraform plan, Terraform defers the check and evaluates the condition during terraform apply.
Apply your configuration. Since hcp_packer_artifact references a revoked version, the artifact_revocation_date output is set to the revocation timestamp. Note that querying by fingerprint still returns the revoked version's metadata; only channel lookups are shielded by the rollback, which is why a consumer that pins a fingerprint needs this precondition. The app_server lifecycle precondition will fail, and Terraform will not create the EC2 instance.
$ terraform apply
# ...
Changes to Outputs:
  + artifact_revocation_date = "2023-03-10T15:59:09.781Z"

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

╷
│ Error: Resource precondition failed
│
│   on main.tf line 23, in resource "aws_instance" "app_server":
│   23:       condition = try(
│   24:         formatdate("YYYYMMDDhhmmss", data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at) > formatdate("YYYYMMDDhhmmss", timestamp()),
│   25:         data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at == null
│   26:       )
│     ├────────────────
│     │ data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at is "2024-01-18T20:42:59.322Z"
│
│ Source AMI is revoked.
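Because the precondition only fires during apply, a team that wants to reject a revoked artifact earlier (for example in a CI step that runs before terraform apply) needs the same rule outside Terraform. The following script is an added example written for this page; it is not code from HCP Packer or from the tutorial's repository. It applies exactly the truth table of the precondition above (usable only when revoke_at is null or still in the future) to artifact metadata. The artifact records are constructed sample data that reuse the attribute names of the hcp_packer_artifact data source; the fingerprint values are placeholders, and the 2024 timestamp is the one shown in the apply error above.

```python
"""Pre-apply revocation gate.

Added example for this tutorial, not code from HCP Packer or the tutorial's
repository. It applies the same rule as the aws_instance precondition
(an artifact is usable only if revoke_at is null or still in the future) to
artifact metadata outside Terraform, so the check can run in CI before
`terraform apply`, where timestamp() would otherwise defer it. The artifact
records below are constructed sample data using the attribute names of the
hcp_packer_artifact data source; the fingerprints are placeholders.
"""
from datetime import datetime, timezone

# Constructed sample metadata (not real HCP Packer output).
SAMPLE_ARTIFACTS = [
    {"bucket_name": "learn-packer-ubuntu", "version_fingerprint": "FINGERPRINT_V1",
     "revoke_at": None},                           # active, never revoked
    {"bucket_name": "learn-packer-ubuntu", "version_fingerprint": "FINGERPRINT_V2",
     "revoke_at": "2024-01-18T20:42:59.322Z"},     # revoked (timestamp in the past)
    {"bucket_name": "learn-packer-ubuntu", "version_fingerprint": "FINGERPRINT_V3",
     "revoke_at": "2099-12-31T00:00:00.000Z"},     # scheduled revocation, still usable
]


def parse_utc(value):
    """Parse an RFC 3339 timestamp such as HCP returns; None stays None."""
    if value is None:
        return None
    # datetime.fromisoformat() rejects a trailing 'Z' before Python 3.11.
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        # A naive timestamp is ambiguous; refuse rather than guess a zone.
        raise ValueError(f"timestamp without UTC offset: {value!r}")
    return ts.astimezone(timezone.utc)


def precondition_passes(artifact, now=None):
    """Mirror the Terraform precondition and return (ok, reason).

    ok is True when revoke_at is null or later than `now`, and False once the
    revocation time has passed. `now` may be None (use the wall clock), an
    aware datetime, or an RFC 3339 string.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_utc(now)
    revoke_at = parse_utc(artifact.get("revoke_at"))
    if revoke_at is None:
        return True, "not revoked"
    if revoke_at > now:
        return True, f"revocation scheduled for {revoke_at.isoformat()}"
    return False, f"revoked at {revoke_at.isoformat()}"


def blocked_fingerprints(artifacts, now=None):
    """Fingerprints that must not be deployed, with the reason for each."""
    blocked = []
    for artifact in artifacts:
        ok, reason = precondition_passes(artifact, now)
        if not ok:
            blocked.append((artifact["version_fingerprint"], reason))
    return blocked


if __name__ == "__main__":
    import sys
    blocked = blocked_fingerprints(SAMPLE_ARTIFACTS)
    for fingerprint, reason in blocked:
        print(f"BLOCKED {fingerprint}: {reason}")
    # A non-zero exit fails the pipeline step, just as the precondition fails apply.
    sys.exit(1 if blocked else 0)
```

The Terraform version compares the two timestamps after formatting them as YYYYMMDDhhmmss strings; this script compares timezone-aware datetimes directly and rejects a timestamp without an offset, so a malformed value fails closed instead of being silently treated as "not revoked".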
Restore revoked version
If you accidentally revoke the wrong version, you can restore the version so your team can use it again.
In the HCP Packer UI, navigate to the second version. Then, click Manage and Restore version.
Click Restore version to restore your version.
Select Back to versions. The Versions page shows that the second version is active again. Notice that the production channel still uses the first version, and the latest channel once again uses the second version.
Verify restoration
Apply your configuration. Since the version is restored, Terraform successfully creates the EC2 instance.
$ terraform apply

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_instance.app_server: Creating...
aws_instance.app_server: Still creating... [10s elapsed]
aws_instance.app_server: Still creating... [20s elapsed]
aws_instance.app_server: Still creating... [30s elapsed]
aws_instance.app_server: Still creating... [40s elapsed]
aws_instance.app_server: Still creating... [50s elapsed]
aws_instance.app_server: Still creating... [1m0s elapsed]
aws_instance.app_server: Creation complete after 1m5s [id=xxx]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
To clean up your provisioned infrastructure, run terraform destroy and respond yes to the prompt to confirm the operation.
Next steps
In this tutorial, you revoked an HCP Packer artifact version and used automatic rollback to update the channels that used the version. Revocation prevents users from using insecure artifacts and ensures that your organization uses compliant artifacts.
For more information on topics covered in this tutorial, check out the following resources:
- Read more about revoking artifact versions in the HCP Packer documentation.
- Complete the Schedule Artifact Versions Revocation for Compliance tutorial to learn how to schedule version revocation to prevent users from referencing outdated artifacts. Scheduled revocation is an HCP Packer Plus tier feature.
- Visit the Terraform hcp provider for a full list of arguments and attributes for the hcp_packer_version and hcp_packer_artifact data resources.
- Complete the Set Up HCP Terraform Run Task for HCP Packer tutorial to learn how to set up run tasks that ensure your Terraform configuration uses compliant artifacts.