Skip to content

Latest commit

 

History

History
 
 

packer-image-builder

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Compute Image builder with Hashicorp Packer

This blueprint shows how to deploy infrastructure for a Compute Engine image builder based on Hashicorp's Packer tool.

High-level diagram

Running the blueprint

Prerequisite: Packer version >= v1.7.0

Infrastructure setup (Terraform part):

  1. Set Terraform configuration variables
  2. Run terraform init
  3. Run terraform apply

Building Compute Engine image (Packer part):

  1. Enter packer directory
  2. Set Packer configuration variables (see Configuring Packer below)
  3. Run packer init .
  4. Run packer build .

Using Packer's service account

The following blueprint leverages service account impersonation to execute any operations on GCP as a dedicated Packer service account. Depending on how you execute the Packer tool, you need to grant your principal rights to impersonate Packer's service account.

Set packer_account_users variable in Terraform configuration to grant roles required to impersonate Packer's service account to selected IAM principals. Blueprint: allow default Cloud Build service account to impersonate Packer SA: packer_account_users=["serviceAccount:[email protected]"].

Configuring Packer

Provided Packer build blueprint uses HCL2 configuration files and requires configuration of some input variables (i.e. service accounts emails). Values of those variables can be taken from the Terraform outputs.

For your convenience, Terraform can populate Packer's variable file. You can enable this behavior by setting create_packer_vars configuration variable to true. Terraform will use template from packer/build.pkrvars.tpl file and generate packer/build.auto.pkrvars.hcl variable file for Packer.

Read Assigning Variables chapter from Packer's documentation for more details on setting up Packer variables.

Accessing temporary VM

Packer creates a temporary Compute Engine VM instance for provisioning. As we recommend using internal IP addresses only, communication with this VM has to either:

  • originate from the network routable on Packer's VPC (i.e. peered VPC, over VPN or interconnect)
  • use Identity-Aware Proxy tunnel

By default, this blueprint assumes that IAP tunnel is needed to communicate with the temporary VM. This might be changed by setting use_iap variable to false in Terraform and Packer configurations respectively.

NOTE: using IAP tunnel with Packer requires gcloud SDK installed on the system running Packer.

Accessing resources over the Internet

The blueprint assumes that provisioning of a Compute Engine VM requires access to the resources over the Internet (i.e. to install OS packages). Since Compute VM has no public IP address for security reasons, Internet connectivity is done with Cloud NAT.

Variables

name description type required default
project_id Project id that references existing project. string
billing_account Billing account id used as default for new projects. string null
cidrs CIDR ranges for subnets. map(string) {…}
create_packer_vars Create packer variables file using template file and terraform output. bool false
packer_account_users List of members that will be allowed to impersonate Packer image builder service account in IAM format, i.e. 'user:{emailid}'. list(string) []
packer_source_cidrs List of CIDR ranges allowed to connect to the temporary VM for provisioning. list(string) ["0.0.0.0/0"]
project_create Create project instead of using an existing one. bool true
region Default region for resources. string "europe-west1"
root_node The resource name of the parent folder or organization for project creation, in 'folders/folder_id' or 'organizations/org_id' format. string null
use_iap Use IAP tunnel to connect to Compute Engine instance for provisioning. bool true

Outputs

name description sensitive
builder_sa Packer's service account email.
compute_sa Packer's temporary VM service account email.
compute_subnetwork Name of a subnetwork for Packer's temporary VM.
compute_zone Name of a compute engine zone for Packer's temporary VM.