Schedule artifact version revocation for compliance
Over the lifecycle of an artifact, you may need to prevent access to it if it becomes outdated. In addition to immediately revoking insecure artifact versions, HCP Packer lets you schedule a future artifact revocation by setting a Time To Live (TTL). This strengthens your compliance posture by preventing usage of outdated artifacts.
Note
Scheduled revocation is an HCP Packer Plus tier feature.
In this tutorial, you will schedule a revocation. In the process, you will learn the relationship between HCP Packer artifact channels and revoked versions, and how artifact revocation prevents downstream artifact consumers from referencing outdated artifacts.
Prerequisites
To complete this tutorial, you must have completed the HCP Packer Get Started tutorials. In the tutorials, you:
- Created a service principal with Contributor access to HCP.
- Set your client ID and secret as environment variables.
- Configured your AWS credentials as environment variables.
- Built an artifact and pushed its metadata to HCP Packer.
- Set up a channel named production for your bucket.
In addition, you will need:
- Terraform 1.2.0+ installed locally.
Schedule artifact version revocation
Assume that your company policy requires that artifacts expire after 30 days to ensure no one deploys a stale artifact. To enforce this policy, you can schedule a revocation date and time.
Go to the learn-packer-ubuntu's Versions page. Schedule a revocation date for the first version by clicking on ... then Revoke version. Scheduled revocations, unlike immediate ones, can apply to versions assigned to artifact channels.
Select Revoke at a future date and enter a time 5 minutes from your current time. The time is in UTC. For example, if it is currently 10:00 UTC, enter 10:05.
Enter Learning about scheduling revocation for the revocation reason, and click Revoke Version to revoke the version.
Under Revoke descendants choose No, only revoke v1. Under Rollback channels, choose No, do not rollback channel.
The dashboard now shows a scheduled revocation for the first version.
Open the first version by clicking on v1. HCP Packer displays the reason why this artifact was scheduled to be revoked.
Verify scheduled artifact version revocation
In the tf-channel directory, generate a Terraform plan. Terraform will successfully create the plan.
$ terraform plan

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_instance.app_server will be created
  + resource "aws_instance" "app_server" {
      + ami = "ami-08fd..."
      # ...
    }

Plan: 1 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
The hcp_packer_version and hcp_packer_artifact Terraform data sources still retrieve information for versions that are revoked or scheduled to be revoked. However, the hcp_packer_artifact data source's revoke_at attribute is set to the revocation timestamp.
In main.tf, update the EC2 instance so that Terraform only creates an instance if the artifact is not revoked.
tf-channel/main.tf
resource "aws_instance" "app_server" {
  ami           = data.hcp_packer_artifact.ubuntu_us_east_2.external_identifier
  instance_type = "t2.micro"

  tags = {
    Name = "Learn-HCP-Packer"
  }

  lifecycle {
    precondition {
      condition = try(
        formatdate("YYYYMMDDhhmmss", data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at) > formatdate("YYYYMMDDhhmmss", timestamp()),
        data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at == null
      )
      error_message = "Source AMI is revoked."
    }
  }
}
The lifecycle precondition succeeds if revoke_at is in the future or is null.
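Because the precondition above depends on timestamp(), a revoked artifact is only caught during apply. The following added example, which is not part of the tutorial, replaces the app_server resource with a check that fails at plan time using plantimestamp(), and adds a non-blocking warning when the scheduled revocation is less than seven days away. It assumes Terraform 1.5 or later (for plantimestamp, timecmp, timeadd and check blocks) and the same data.hcp_packer_artifact.ubuntu_us_east_2 data source from tf-channel/main.tf.

```hcl
# Added example, not part of the tutorial. Assumes Terraform 1.5+ and the
# data.hcp_packer_artifact.ubuntu_us_east_2 data source from tf-channel/main.tf.
locals {
  revoke_at = data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at

  # plantimestamp() is fixed when the plan is created, so unlike timestamp()
  # it is known during plan. timecmp() returns -1, 0 or 1, so <= 0 means the
  # revocation moment has already passed. When revoke_at is null, timecmp()
  # errors and try() falls back to false (no revocation scheduled).
  artifact_revoked = try(timecmp(local.revoke_at, plantimestamp()) <= 0, false)

  # Same comparison against a point seven days (168h) after the plan time.
  revokes_within_7d = try(timecmp(local.revoke_at, timeadd(plantimestamp(), "168h")) <= 0, false)
}

resource "aws_instance" "app_server" {
  ami           = data.hcp_packer_artifact.ubuntu_us_east_2.external_identifier
  instance_type = "t2.micro"

  tags = {
    Name = "Learn-HCP-Packer"
  }

  lifecycle {
    # Evaluated during terraform plan, before any prompt to apply.
    precondition {
      condition     = !local.artifact_revoked
      error_message = "Source AMI is revoked; ask your HCP Packer administrator to reassign the channel."
    }
  }
}

# Non-blocking: a failed check block assertion is reported as a warning, so the
# plan still succeeds while the artifact is valid but close to its revocation.
check "artifact_revocation_window" {
  assert {
    condition     = !local.revokes_within_7d
    error_message = "Source AMI is revoked or scheduled for revocation within 7 days; rebuild and reassign the channel before it expires."
  }
}
```

With this configuration, terraform plan reports the precondition error for a revoked version without waiting for apply, and the check block surfaces an upcoming expiry in the plan output.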
In outputs.tf, add the following output to view the artifact's revocation time.
tf-channel/outputs.tf
output "artifact_revocation_date" {
  value = data.hcp_packer_artifact.ubuntu_us_east_2.revoke_at
}
Wait until the five-minute revocation time you configured earlier passes. HCP Packer will automatically revoke your version. Check the Versions dashboard to confirm HCP Packer revoked the first version.
Notice that even though the first version is revoked, the production channel still references it.
Because the lifecycle custom precondition depends on timestamp(), which is unknown during a Terraform plan, the condition will be checked during the Terraform apply.
Apply your configuration. Since the production channel references a revoked image, the artifact_revocation_date output is set to the revocation timestamp, the app_server lifecycle precondition will fail, and Terraform will not create the EC2 instance.
$ terraform apply
# ...
Changes to Outputs:
  + image_revocation_date = "2022-11-16T21:40:00.000Z"
  + ubuntu_iteration      = {
      # ...
    }
  + ubuntu_us_east_2      = {
      # ...
      revoke_at = "2022-11-16T21:40:00.000Z"
    }

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

╷
│ Error: Resource precondition failed
│
│   on main.tf line 23, in resource "aws_instance" "app_server":
│   23:       condition = try(
│   24:         formatdate("YYYYMMDDhhmmss", data.hcp_packer_image.ubuntu_us_east_2.revoke_at) > formatdate("YYYYMMDDhhmmss", timestamp()),
│   25:         data.hcp_packer_image.ubuntu_us_east_2.revoke_at == "")
│     ├────────────────
│     │ data.hcp_packer_image.ubuntu_us_east_2.revoke_at is "2022-11-16T21:40:00.000Z"
│
│ Source AMI is revoked.
╵
If your Terraform configuration references a revoked artifact, contact your HCP Packer administrator to re-assign the channel to a valid artifact version.
Restore revoked version
If you accidentally revoke the wrong version, you can restore the version so your team can use its artifacts again.
In the HCP Packer UI, navigate to the first version. Then, click Manage and Restore version.
Click Restore version to restore your version.
Verify restoration
In the tf-channel directory, apply your configuration. Since the version is restored, Terraform successfully creates the EC2 instance.
$ terraform apply

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_instance.app_server: Creating...
aws_instance.app_server: Still creating... [10s elapsed]
aws_instance.app_server: Still creating... [20s elapsed]
aws_instance.app_server: Still creating... [30s elapsed]
aws_instance.app_server: Still creating... [40s elapsed]
aws_instance.app_server: Still creating... [50s elapsed]
aws_instance.app_server: Still creating... [1m0s elapsed]
aws_instance.app_server: Creation complete after 1m5s [id=xxx]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
To clean up your provisioned infrastructure, run terraform destroy and respond yes to the prompt to confirm the operation.
Next steps
In this tutorial, you scheduled a version revocation and restored a revoked version. In the process, you reviewed how scheduled revocations strengthen your compliance posture by setting expiration dates on versions, preventing users from using outdated artifacts. Though you can schedule a revocation for a version assigned to an artifact channel, when the revocation date passes, the channel will reference a revoked version. Any attempts to query a channel with a revoked version will fail.
By integrating both immediate and scheduled version revocation in your workflows, you can ensure your organization uses secure and compliant artifacts.
For more information on topics covered in this tutorial, check out the following resources:
- Complete the Immediately Revoke Insecure Artifact Versions tutorial to learn how to prevent users from referencing insecure artifacts.
- Read more about revoking artifact versions in the HCP Packer documentation.
- Visit the Terraform hcp provider for a full list of arguments and attributes for the hcp_packer_version and hcp_packer_artifact data resources.
- Complete the Set Up HCP Terraform Run Task for HCP Packer tutorial to learn how to ensure your Terraform configuration uses compliant artifacts.