
HCP Packer Enforces Provisioners So Teams Can't Skip Security Steps

hashicorp.com · @systems_wire · 3 hours ago · Systems Engineering · 2 comments

HashiCorp's new enforced provisioners let platform teams mandate hardening scripts across all downstream image builds, preventing accidental removal of security controls.

Tags: hcp packer · hashicorp · provisioners · image governance · infrastructure as code · devops

HCP Packer now enforces provisioning logic across all image builds tied to a Packer bucket—no more trusting downstream teams to remember to run the security scan.

Why centralised provisioner enforcement matters

Golden images (AMIs, VM images, container images) are the standard building block for hybrid-cloud infrastructure. The problem is the chain of custody: a platform team hardens a base image, then application teams layer their own packages, agents and configuration on top. Somewhere in that chain a team forgets to run the CIS benchmark, or a cleanup step quietly removes the endpoint agent, and nothing in the pipeline notices. HCP Packer's new enforced provisioners address this by letting you define mandatory provisioning logic once and have it applied automatically on every downstream build that registers with the governed bucket.

How enforced provisioners work

Platform and security teams upload provisioner definitions through the HCP Packer UI or API, then link them to specific image buckets. During every downstream image build, HCP Packer retrieves and executes those provisioners before the team's own custom steps run. HCP Packer also tracks the version of each enforced provisioner used per image version, giving you a clean audit trail for compliance investigations.
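The announcement does not show a template, so the following is an added illustration (not HashiCorp's own code) of what the downstream side of that workflow looks like from the application team's seat. It is a Packer HCL template for an application image that pins to the platform team's hardened base through the HCP Packer data sources and registers its own output in an HCP Packer bucket. The bucket names (`ubuntu-hardened`, `payments-api`), channel name, region, script paths and package names are all assumptions; the `hcp-packer-version` and `hcp-packer-artifact` data sources assume Packer 1.10 or newer. Note that nothing about the enforced provisioners appears in this file at all: per the announcement they are attached to the bucket in HCP Packer and injected by the service ahead of the `provisioner` blocks below, which is the point, since the application team cannot edit them out of a template they never contained.

```hcl
packer {
  required_plugins {
    amazon = {
      source  = "github.com/hashicorp/amazon"
      version = ">= 1.2.0"
    }
  }
}

variable "app_version" {
  type    = string
  default = "1.4.2" # assumed
}

# Resolve the platform team's current production base image from its bucket
# (bucket and channel names are assumptions for this example).
data "hcp-packer-version" "base" {
  bucket_name  = "ubuntu-hardened"
  channel_name = "production"
}

data "hcp-packer-artifact" "base" {
  bucket_name         = "ubuntu-hardened"
  version_fingerprint = data.hcp-packer-version.base.fingerprint
  platform            = "aws"
  region              = "us-east-1"
}

source "amazon-ebs" "app" {
  region        = "us-east-1"
  instance_type = "t3.micro"
  ami_name      = "payments-api-${var.app_version}-{{timestamp}}"
  ssh_username  = "ubuntu"

  # Build on the registry-resolved hardened AMI rather than a public image,
  # so the base itself came through a governed bucket.
  source_ami = data.hcp-packer-artifact.base.external_identifier
}

build {
  # Registering the output with an HCP Packer bucket is what ties this build
  # to whatever enforced provisioners the platform team attached to it.
  hcp_packer_registry {
    bucket_name = "payments-api"
    description = "Payments API service image on the hardened Ubuntu base"
    bucket_labels = {
      "owner" = "payments-team"
    }
    build_labels = {
      "app_version"      = var.app_version
      "base_bucket"      = "ubuntu-hardened"
      "base_fingerprint" = data.hcp-packer-version.base.fingerprint
    }
  }

  sources = ["source.amazon-ebs.app"]

  # Application-specific steps only. Per the announcement, the bucket's
  # enforced provisioners (hardening, vulnerability scan, component
  # validation) run before these and their versions are recorded on the
  # resulting image version.
  provisioner "shell" {
    inline = [
      "sudo apt-get update",
      "sudo apt-get install -y openjdk-17-jre-headless",
    ]
  }

  provisioner "file" {
    source      = "dist/payments-api-${var.app_version}.jar" # assumed path
    destination = "/tmp/payments-api.jar"
  }

  provisioner "shell" {
    script = "scripts/install-app.sh" # assumed path
  }
}
```

Two practical consequences follow from the announcement's bucket-scoped model. First, a build that omits the `hcp_packer_registry` block never touches the bucket, so it is outside enforcement; if your goal is "no unhardened image reaches production", pair this with a deploy-time check that only images present in the registry's production channel may be launched. Second, recording the base bucket and fingerprint as `build_labels` (as above) lets an incident responder walk the chain from a running application image back to the exact platform base and, via HCP Packer's per-version tracking, the exact enforced provisioner versions that ran on each layer.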

Three concrete benefits

  • Security and compliance: critical checks (OS hardening, vulnerability scans, software component validation) can't be skipped or bypassed.
  • Operational overhead drops: no more manually replicating security configs across dozens of Packer templates. Centralised management scales.
  • Visibility and auditability: you can prove exactly which controls were applied to every image version, which keeps auditors happy and incident responders informed.

Enforced provisioners are available now in HCP Packer. If you're already managing image pipelines with Packer, this is the feature that turns trust into enforcement.

Source: HCP Packer adds enforced provisioners
Domain: hashicorp.com
