
HashiCorp Packer

Mondoo maintains an open-source plugin for HashiCorp Packer for securing and validating machine images.

Install Packer Plugin Mondoo

Using the packer init command

Starting from version 1.7, Packer supports a new packer init command allowing automatic installation of Packer plugins. Read the Packer documentation for more information.

To install this plugin, copy and paste this block into your Packer configuration. Then run packer init.

    packer {
      required_plugins {
        mondoo = {
          version = ">= 0.3.0"
          source  = "github.com/mondoohq/mondoo"
        }
      }
    }

Manual installation

You can find pre-built binary releases of the plugin here.

Once you have downloaded the latest archive corresponding to your target OS, uncompress it to retrieve the plugin binary file corresponding to your platform. To install the plugin, please follow the Packer documentation on installing a plugin.

Build from source

If you prefer to build the plugin from source, clone the GitHub repository locally and run go build from the root directory. Upon successful compilation, a packer-plugin-mondoo plugin binary file can be found in the root directory. To install the compiled plugin, please follow the official Packer documentation on installing a plugin.

Configuration

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| annotations | Custom annotations can be applied to Packer build assets to provide additional metadata for asset tracking. | map of strings | None | No |
| asset_name | Overwrite the asset name in Mondoo Platform. | string | None | No |
| on_failure | Set on_failure = "continue" to ignore build failures that do not meet any set score_threshold. | string | None | No |
| score_threshold | Set a score threshold for Packer builds [0-100]. Any scans that fall below the score_threshold will fail unless on_failure = "continue". For more information see Policy Scoring in the Mondoo documentation. | int | None | No |
| sudo | Use sudo to elevate permissions when running Mondoo scans. | bool | None | No |
| mondoo_config_path | The path to the configuration to be used when running Mondoo scans. If left empty Mondoo will try to determine the config automatically. | string | None | No |

Example: Complete configuration

    provisioner "mondoo" {
      on_failure         = "continue"
      score_threshold    = 85
      mondoo_config_path = "/etc/mondoo-config.json"
      asset_name         = "example-secure-base-image"
      sudo {
        active = true
      }

      annotations = {
        Source_AMI    = "{{ .SourceAMI }}"
        Creation_Date = "{{ .SourceAMICreationDate }}"
      }
    }
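The provisioner above only makes sense inside a build block. The following template is an added example, not code from the Mondoo plugin documentation: it wires the plugin installation from the packer init section, an amazon-ebs source, a hardening step and the mondoo provisioner into one file. The source name "base", the AMI filter, region, instance type and asset name are assumed placeholder values to replace for your own environment.

```hcl
# Added example (not from the Mondoo docs): full Packer template that installs the
# Mondoo plugin via `packer init` and gates the build on the Mondoo score.
packer {
  required_plugins {
    amazon = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/amazon"
    }
    mondoo = {
      version = ">= 0.3.0"
      source  = "github.com/mondoohq/mondoo"
    }
  }
}

# Placeholder source: adjust region, instance type and the AMI filter for your account.
source "amazon-ebs" "base" {
  ami_name      = "secure-base-image-{{timestamp}}"
  instance_type = "t3.micro"
  region        = "us-east-1"
  ssh_username  = "ubuntu"

  source_ami_filter {
    filters = {
      name                = "ubuntu/images/*ubuntu-jammy-22.04-amd64-server-*"
      root-device-type    = "ebs"
      virtualization-type = "hvm"
    }
    most_recent = true
    owners      = ["099720109477"] # Canonical's AWS account id
  }
}

build {
  sources = ["source.amazon-ebs.base"]

  # Apply OS updates first so the Mondoo scan assesses the finished image,
  # not the stock AMI.
  provisioner "shell" {
    inline = [
      "sudo apt-get update",
      "sudo DEBIAN_FRONTEND=noninteractive apt-get -y upgrade",
    ]
  }

  # on_failure is deliberately left unset: a score below 85 fails the build,
  # so an image that does not meet the policy is never published.
  provisioner "mondoo" {
    score_threshold = 85
    asset_name      = "secure-base-image"
    sudo {
      active = true
    }
    annotations = {
      Source_AMI    = "{{ .SourceAMI }}"
      Creation_Date = "{{ .SourceAMICreationDate }}"
    }
  }
}
```

Run packer init . once to fetch both plugins, then packer validate . and packer build . from the same directory. Setting on_failure = "continue" as in the page's example is useful while tuning a policy, because the scan still reports the score without blocking image creation; once the threshold is stable, remove it so a regression cannot slip into a published AMI.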

Tutorials

For more information try Building secure AMIs with Mondoo and Packer.