home / skills / hashicorp / agent-skills / push-to-registry

push-to-registry skill

/packer/hcp/skills/push-to-registry

This skill helps push Packer build metadata to the HCP Packer registry for governance and lifecycle tracking.

npx playbooks add skill hashicorp/agent-skills --skill push-to-registry

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
4.6 KB
---
name: push-to-registry
description: Push Packer build metadata to HCP Packer registry for tracking and managing image lifecycle. Use when integrating Packer builds with HCP Packer for version control and governance.
---

# Push to HCP Packer Registry

Configure Packer templates to push build metadata to HCP Packer registry.

**Reference:** [HCP Packer Registry](https://developer.hashicorp.com/hcp/docs/packer)

> **Note:** HCP Packer is free for basic use. Builds push metadata only (not actual images), adding minimal overhead (<1 minute).

## Basic Registry Configuration

```hcl
packer {
  required_version = ">= 1.7.7"
}

variable "image_name" {
  type    = string
  default = "web-server"
}

locals {
  timestamp = regex_replace(timestamp(), "[- TZ:]", "")
}

source "amazon-ebs" "ubuntu" {
  region        = "us-west-2"
  instance_type = "t3.micro"

  source_ami_filter {
    filters = {
      name = "ubuntu/images/*ubuntu-jammy-22.04-amd64-server-*"
    }
    most_recent = true
    owners      = ["099720109477"]
  }

  ssh_username = "ubuntu"
  ami_name     = "${var.image_name}-${local.timestamp}"
}

build {
  sources = ["source.amazon-ebs.ubuntu"]

  hcp_packer_registry {
    bucket_name = var.image_name
    description = "Ubuntu 22.04 base image for web servers"

    bucket_labels = {
      "os"   = "ubuntu"
      "team" = "platform"
    }

    build_labels = {
      "build-time" = local.timestamp
    }
  }

  provisioner "shell" {
    inline = [
      "sudo apt-get update",
      "sudo apt-get upgrade -y",
    ]
  }
}
```

## Authentication

Set environment variables before building:

```bash
export HCP_CLIENT_ID="your-service-principal-client-id"
export HCP_CLIENT_SECRET="your-service-principal-secret"
export HCP_ORGANIZATION_ID="your-org-id"
export HCP_PROJECT_ID="your-project-id"

packer build .
```

### Create HCP Service Principal

1. Navigate to HCP → Access Control (IAM)
2. Create Service Principal
3. Grant "Contributor" role on project
4. Generate client secret
5. Save client ID and secret

## Registry Configuration Options

### bucket_name (required)
The image identifier. Must stay consistent across builds!

```hcl
bucket_name = "web-server"  # Keep this constant
```

### bucket_labels (optional)
Metadata at bucket level. Updates with each build.

```hcl
bucket_labels = {
  "os"        = "ubuntu"
  "team"      = "platform"
  "component" = "web"
}
```

### build_labels (optional)
Metadata for each iteration. Immutable after build completes.

```hcl
build_labels = {
  "build-time" = local.timestamp
  "git-commit" = var.git_commit
}
```

## CI/CD Integration

### GitHub Actions

```yaml
name: Build and Push to HCP Packer

on:
  push:
    branches: [main]

env:
  HCP_CLIENT_ID: ${{ secrets.HCP_CLIENT_ID }}
  HCP_CLIENT_SECRET: ${{ secrets.HCP_CLIENT_SECRET }}
  HCP_ORGANIZATION_ID: ${{ secrets.HCP_ORGANIZATION_ID }}
  HCP_PROJECT_ID: ${{ secrets.HCP_PROJECT_ID }}

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-packer@main

      - name: Build and push
        run: |
          packer init .
          packer build \
            -var "git_commit=${{ github.sha }}" \
            .
```

## Querying in Terraform

```hcl
data "hcp_packer_artifact" "ubuntu" {
  bucket_name  = "web-server"
  channel_name = "production"
  platform     = "aws"
  region       = "us-west-2"
}

resource "aws_instance" "web" {
  ami           = data.hcp_packer_artifact.ubuntu.external_identifier
  instance_type = "t3.micro"

  tags = {
    PackerBucket = data.hcp_packer_artifact.ubuntu.bucket_name
  }
}
```

## Common Issues

**Authentication Failed**
- Verify HCP_CLIENT_ID and HCP_CLIENT_SECRET
- Ensure service principal has Contributor role
- Check organization and project IDs

**Bucket Name Mismatch**
- Keep `bucket_name` consistent across builds
- Don't include timestamps in bucket_name
- Creates new bucket if name changes

**Build Fails**
- Packer fails immediately if can't push metadata
- Prevents drift between artifacts and registry
- Check network connectivity to HCP API

## Best Practices

- **Consistent bucket names** - Never change for same image type
- **Meaningful labels** - Use for versions, teams, compliance
- **CI/CD automation** - Automate builds and registry pushes
- **Immutable build labels** - Put changing data (git SHA, date) in build_labels

## References

- [HCP Packer Documentation](https://developer.hashicorp.com/hcp/docs/packer)
- [hcp_packer_registry Block](https://developer.hashicorp.com/packer/docs/templates/hcl_templates/blocks/build/hcp_packer_registry)
- [HCP Terraform Provider](https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/data-sources/packer_artifact)

Overview

This skill pushes Packer build metadata to the HCP Packer registry so you can track and manage image lifecycle without storing full images. It integrates with Packer builds and CI/CD pipelines to record immutable build artifacts, labels, and bucket-level metadata for governance and discovery. The push is lightweight and quick, suitable for automated pipelines.

How this skill works

During a Packer build, the hcp_packer_registry block sends build metadata (bucket name, bucket_labels, build_labels, platform, region, channel) to HCP Packer. Authentication relies on HCP service principal environment variables (HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_ORGANIZATION_ID, HCP_PROJECT_ID). Registry entries are queryable via HCP Terraform data sources and the HCP API.

When to use it

  • You need versioned, discoverable records of Packer image builds for deployment or audit.
  • You want to integrate Packer builds into CI/CD and ensure artifacts are tracked centrally.
  • Governance requires immutable metadata and labels for compliance or team ownership.
  • You need to reference AMIs (or other platform artifacts) in Terraform using registry queries.
  • Prevent drift by failing builds that cannot push registry metadata.

Best practices

  • Use a constant bucket_name per image type; avoid including timestamps in the bucket name.
  • Put volatile data (git SHA, timestamp) in build_labels and static metadata (os, team) in bucket_labels.
  • Grant a service principal Contributor on the HCP project and store credentials in CI secrets.
  • Automate packer init and packer build in CI to keep registry and artifacts consistent.
  • Verify network access to HCP API to prevent unexpected build failures.

Example use cases

  • Push Ubuntu AMI build metadata from Packer into HCP so Terraform can look up the latest AMI for production.
  • CI pipeline that runs on push, builds images, records git commit and build-time as build_labels in the registry.
  • Centralize image metadata for multiple teams using bucket_labels to denote team and component.
  • Audit and compliance workflows that require immutable build records and labels for traceability.

FAQ

What environment variables are required for authentication?

Set HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_ORGANIZATION_ID, and HCP_PROJECT_ID before running packer build.

Will pushing to HCP store my actual images?

No — only build metadata is pushed. Actual images remain in the platform-specific artifact store (for example, AMIs in AWS).