This blueprint shows how to deploy infrastructure for a Compute Engine image builder based on Hashicorp's Packer tool.
Prerequisite: Packer version >= v1.7.0
Infrastructure setup (Terraform part):
- Set Terraform configuration variables
- Run `terraform init`
- Run `terraform apply`

Building Compute Engine image (Packer part):
- Enter the `packer` directory
- Set Packer configuration variables (see Configuring Packer below)
- Run `packer init .`
- Run `packer build .`
This blueprint uses service account impersonation to execute all operations on GCP as a dedicated Packer service account. Depending on where you run the Packer tool, you need to grant your principal the rights to impersonate Packer's service account.

Set the `packer_account_users` variable in the Terraform configuration to grant the roles required to impersonate Packer's service account to selected IAM principals. Example: to allow the default Cloud Build service account to impersonate the Packer SA, set `packer_account_users=["serviceAccount:[email protected]"]`.
The provided Packer build blueprint uses HCL2 configuration files and requires some input variables to be set (e.g. service account emails). The values of those variables can be taken from the Terraform outputs.

For your convenience, Terraform can populate Packer's variable file. Enable this behavior by setting the `create_packer_vars` configuration variable to `true`. Terraform will then use the template in the `packer/build.pkrvars.tpl` file and generate the `packer/build.auto.pkrvars.hcl` variable file for Packer.

Read the Assigning Variables chapter of Packer's documentation for more details on setting up Packer variables.
Packer creates a temporary Compute Engine VM instance for provisioning. As we recommend using internal IP addresses only, communication with this VM has to either:
- originate from a network routable to Packer's VPC (e.g. a peered VPC, or over VPN or Interconnect)
- use an Identity-Aware Proxy tunnel

By default, this blueprint assumes that an IAP tunnel is needed to communicate with the temporary VM. This can be changed by setting the `use_iap` variable to `false` in both the Terraform and the Packer configuration.

NOTE: using an IAP tunnel with Packer requires the gcloud SDK to be installed on the system running Packer.

The blueprint assumes that provisioning a Compute Engine VM requires access to resources over the Internet (e.g. to install OS packages). Since the Compute VM has no public IP address for security reasons, Internet connectivity is provided through Cloud NAT.
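The following Packer HCL2 build definition is an illustrative example added here; it is not one of the blueprint's own `packer/` files. It shows how the Terraform outputs listed below feed the `googlecompute` source, how the Packer service account is impersonated, and how the no-public-IP and IAP choices are expressed. The Packer-side variable names `project_id` and `use_iap`, the Debian source image family and the nginx provisioner are assumptions.

```hcl
# Illustrative build.pkr.hcl (added example, not the blueprint's own file).
# Variable names mirror this page's Terraform outputs; the values normally
# arrive through the generated packer/build.auto.pkrvars.hcl file.
packer {
  required_version = ">= 1.7.0"
  required_plugins {
    googlecompute = {
      source  = "github.com/hashicorp/googlecompute"
      version = ">= 1.0.0"
    }
  }
}

variable "project_id"         { type = string } # assumed name
variable "builder_sa"         { type = string } # Packer SA (impersonated)
variable "compute_sa"         { type = string } # SA attached to the temporary VM
variable "compute_subnetwork" { type = string }
variable "compute_zone"       { type = string }
variable "use_iap" {
  type    = bool
  default = true # false only if the builder host is routable to the VPC
}

source "googlecompute" "image" {
  project_id = var.project_id
  zone       = var.compute_zone
  subnetwork = var.compute_subnetwork
  # Every GCP API call runs as the dedicated Packer SA, not as the caller's
  # own identity; the caller only needs permission to impersonate that SA.
  impersonate_service_account = var.builder_sa
  # The temporary VM gets its own, separately scoped service account.
  service_account_email = var.compute_sa
  # No public IP: reach the VM on its internal address, through the IAP
  # tunnel when use_iap is true, otherwise from a routable network.
  omit_external_ip = true
  use_internal_ip  = true
  use_iap          = var.use_iap
  source_image_family = "debian-11" # assumption
  image_name          = "packer-example-${formatdate("YYYYMMDDhhmm", timestamp())}"
  ssh_username        = "packer"
}

build {
  sources = ["source.googlecompute.image"]
  # Package installs go out via Cloud NAT, as described above.
  provisioner "shell" {
    inline = ["sudo apt-get update", "sudo apt-get install -y nginx"]
  }
}
```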
| name | description | type | required | default |
|---|---|---|---|---|
| project_id | Project id that references existing project. | string | ✓ | |
| billing_account | Billing account id used as default for new projects. | string | | null |
| cidrs | CIDR ranges for subnets. | map(string) | | {…} |
| create_packer_vars | Create packer variables file using template file and terraform output. | bool | | false |
| packer_account_users | List of members that will be allowed to impersonate Packer image builder service account in IAM format, i.e. 'user:{emailid}'. | list(string) | | [] |
| packer_source_cidrs | List of CIDR ranges allowed to connect to the temporary VM for provisioning. | list(string) | | ["0.0.0.0/0"] |
| project_create | Create project instead of using an existing one. | bool | | true |
| region | Default region for resources. | string | | "europe-west1" |
| root_node | The resource name of the parent folder or organization for project creation, in 'folders/folder_id' or 'organizations/org_id' format. | string | | null |
| use_iap | Use IAP tunnel to connect to Compute Engine instance for provisioning. | bool | | true |
| name | description | sensitive |
|---|---|---|
| builder_sa | Packer's service account email. | |
| compute_sa | Packer's temporary VM service account email. | |
| compute_subnetwork | Name of a subnetwork for Packer's temporary VM. | |
| compute_zone | Name of a compute engine zone for Packer's temporary VM. | |