Deploy Golden Images to GCP Using Packer and Cloud Build

How to leverage Packer and GitOps to build and deploy VM Golden Images to GCP

McKinsey Digital
McKinsey Digital Insights
6 min read, Oct 19, 2022

by Marco Marulli — Principal Lead II, Cloud Delivery, McKinsey & Company

This article is part of a three-part series on VM-based compute solutions in GCP. Across the series we describe how to build and deploy Golden Images and how to update a Managed Instance Group's VMs as new Golden Images become available; this first part covers building and deploying the images.

Before diving into the technical details, let’s quickly review what Golden Images are and the benefits users can expect.

What is a Golden Image?

A Golden Image is a pre-configured image template for VMs that contains:

  • An operating system with the latest security patches and updates.
  • Software and tools used by the organization already installed and configured.
  • Security hardening settings (e.g., CIS rules).

Why should Golden Images be used?

There are five key benefits that organizations will experience when using Golden Images, alongside a team dedicated to building them:

  • Security: Golden Images include the latest OS, security patches, and hardening rules. The images are regularly rebuilt to make sure that they are always secure.
  • App development speed: Application teams can focus on deploying their applications instead of spending time running OS updates, applying security patches, etc.
  • Consistency: Any VM using the Golden Image has the same software installed and configured in the same way.
  • Separation of duties: The application team will focus on deploying their application while a dedicated team is responsible for building Golden Images. That team will also run tests on them, thus guaranteeing the quality of the product.
  • Automation: The Golden Image creation and deployment processes can be automated using tools and frameworks. There is no manual software installation, which removes the configuration drift that hand-built VMs introduce.

Landing Zone structure

The organization’s Landing Zone has the following characteristics:

  • Hosts multiple applications, and each application has one GCP project per lifecycle environment.
  • Uses Shared VPC for foundational networking components.
  • Has a GCP “Golden Images Project” reserved to host Golden Images.
Sample Landing Zone structure

These are some details related to the Golden Images process in place:

  • The GIT (Golden Images Team) builds, tests, and deploys Golden Images to the Golden Images Project.
  • Application teams are responsible for their Projects’ compliance with the latest published Golden Images.
  • No cross-project notification mechanisms are currently available.
  • The application teams do not have a scheduling tool that would allow them to regularly schedule the rebuild of Managed Instance Groups’ VMs.

How do we build and deploy Golden Images on GCP?

There is more than one way to achieve this; the approach described here uses Packer and GitOps:

  • Packer is an open-source tool that enables you to create identical machine images for multiple platforms from a single source template.
  • GitOps is an operational framework that takes DevOps best practices used for application development such as version control, collaboration, compliance, and CI/CD tooling and applies them to infrastructure automation.

The graphic below outlines the process; the key steps are described afterwards.

1) Build and deploy a Packer Docker Image

The first step is to create a Docker Image for a Packer runtime environment. This image is pushed to Google Container Registry (Artifact Registry is its current replacement) and later pulled by Cloud Build, which runs Packer inside it to build a Golden Image from the Packer configuration file in the repository. Below is an example of a Dockerfile that creates a Container Image with Packer based on Alpine Linux:

Dockerfile for a Container Image with Packer
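The Dockerfile that the article refers to is not reproduced here, so the following is an added example rather than the author's own file. It assumes an Alpine base, a Packer version pinned through a build argument (1.8.3 is used only as a placeholder to bump deliberately), and that the Ansible provisioner from step 2 will run inside this same container, which is why Ansible and an SSH client are installed alongside Packer. The download is checked against HashiCorp's published SHA256SUMS file so that a tampered archive fails the image build instead of ending up in every Golden Image.

```dockerfile
# Added example: Packer runtime image on Alpine (not the article's own Dockerfile).
# Assumptions: PACKER_VERSION is a placeholder to pin deliberately; Cloud Build
# mounts the repository at /workspace and invokes the image with `packer` args.
FROM alpine:3.16

ARG PACKER_VERSION=1.8.3

# ansible + openssh-client: required by the ansible provisioner used in step 2.
# ca-certificates, curl, unzip: needed only to fetch and unpack the Packer release.
RUN apk add --no-cache ca-certificates curl unzip ansible openssh-client

# Fetch the pinned release and verify it against HashiCorp's SHA256SUMS before
# unpacking. A mismatch (or a missing entry) makes sha256sum exit non-zero and
# the image build fails, so an altered download never reaches the pipeline.
RUN set -eux; \
    cd /tmp; \
    base="https://releases.hashicorp.com/packer/${PACKER_VERSION}"; \
    curl -fsSLO "${base}/packer_${PACKER_VERSION}_linux_amd64.zip"; \
    curl -fsSLO "${base}/packer_${PACKER_VERSION}_SHA256SUMS"; \
    grep " packer_${PACKER_VERSION}_linux_amd64.zip\$" \
        "packer_${PACKER_VERSION}_SHA256SUMS" > packer.sha256; \
    sha256sum -c packer.sha256; \
    unzip "packer_${PACKER_VERSION}_linux_amd64.zip" -d /usr/local/bin; \
    rm -f /tmp/packer_* /tmp/packer.sha256; \
    packer version

# Cloud Build runs each step with the repository mounted at /workspace.
WORKDIR /workspace
ENTRYPOINT ["packer"]
```

Build and push it once per Packer version (for example `docker build --build-arg PACKER_VERSION=1.8.3 -t gcr.io/<golden-images-project>/packer:1.8.3 .` followed by `docker push`), and reference that exact tag from `cloudbuild.yaml` rather than `latest`, so a change to the build toolchain is an explicit, reviewable commit. Checking the SHA256SUMS file proves integrity of the download only; verifying the accompanying `SHA256SUMS.sig` against HashiCorp's release signing key is the stronger check if your policy requires provenance as well.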

2) Create the Packer configuration file

Below is a sample configuration for an NGINX Golden Image. Besides running a shell script that installs and configures NGINX, it has an Ansible provisioner that runs Ansible Playbooks. Ansible, in this case, applies a set of CIS rules to harden the underlying Ubuntu OS.

Sample Packer configuration file
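The configuration file itself is not reproduced on the page, so what follows is an added example, not the author's template. It assumes Packer's HCL2 format, the `googlecompute` and `ansible` plugins, an `install-nginx.sh` script and a `cis-ubuntu.yml` playbook checked into the same repository, and the variable names `project_id`, `zone` and `git_sha` (all assumed names). It builds from the Google-maintained `ubuntu-2204-lts` family so every build starts from a current base, applies pending OS updates before anything else, and stamps the resulting image with a family name and a label carrying the Git commit it was built from.

```hcl
# Added example (not the article's own Packer file). Assumed names: the three
# variables, scripts/install-nginx.sh, ansible/cis-ubuntu.yml, family
# nginx-ubuntu-2204. Build from the Golden Images Project with `packer build`.
packer {
  required_version = ">= 1.8.0"
  required_plugins {
    googlecompute = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/googlecompute"
    }
    ansible = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/ansible"
    }
  }
}

variable "project_id" {
  type        = string
  description = "Golden Images Project: where the build VM runs and the image is stored"
}

variable "zone" {
  type    = string
  default = "europe-west1-b"
}

variable "git_sha" {
  type        = string
  default     = "manual"
  description = "Commit the image was built from; recorded as an image label"
}

locals {
  # Image names must be unique, lowercase and at most 63 characters.
  timestamp = formatdate("YYYYMMDD-HHmmss", timestamp())
}

source "googlecompute" "nginx" {
  project_id              = var.project_id
  zone                    = var.zone
  source_image_family     = "ubuntu-2204-lts"   # always the newest Google-published base
  source_image_project_id = ["ubuntu-os-cloud"]
  machine_type            = "e2-medium"
  disk_size               = 20
  ssh_username            = "packer"

  image_name        = "nginx-ubuntu-2204-${local.timestamp}"
  image_family      = "nginx-ubuntu-2204"       # consumers point at the family, not the name
  image_description = "NGINX golden image, built from ${var.git_sha}"
  image_labels = {
    git_sha  = var.git_sha
    built_by = "cloud-build"
  }
}

build {
  sources = ["source.googlecompute.nginx"]

  # 1. Bring the base up to date so the image carries the latest security patches.
  provisioner "shell" {
    inline = [
      "sudo apt-get update",
      "sudo DEBIAN_FRONTEND=noninteractive apt-get -y upgrade",
    ]
  }

  # 2. Application layer: install and configure NGINX from a script in the repo.
  provisioner "shell" {
    script = "scripts/install-nginx.sh"
  }

  # 3. Hardening layer: CIS playbook for Ubuntu, run over Packer's SSH session.
  #    --scp-extra-args '-O' keeps file transfer working with OpenSSH 9+ clients.
  provisioner "ansible" {
    playbook_file   = "ansible/cis-ubuntu.yml"
    use_proxy       = false
    extra_arguments = ["--scp-extra-args", "'-O'"]
  }

  # Records the produced image name; useful for downstream steps or audits.
  post-processor "manifest" {
    output = "manifest.json"
  }
}
```

Two points worth checking before adopting this. First, the hardening step runs last, so the NGINX script cannot quietly undo a CIS control; if a control breaks NGINX, the playbook should be the place to add the exception, where it is visible. Second, Packer's temporary build VM runs in the Golden Images Project; if it must live on a Shared VPC subnet, set the plugin's `network_project_id` and `subnetwork` options and, if the VM gets no external IP (`omit_external_ip` with `use_internal_ip`), make sure Cloud Build can still reach it, which usually means a private worker pool.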

3) Trigger the Golden Image build process

Once the code is pushed to a GitHub repo, a Cloud Build trigger runs a container with the Packer environment. It uses the submitted Packer configuration file to build the Golden Image. Below is a sample Cloud Build YAML file that uses the Packer Docker Image created earlier to build the Ubuntu-based Golden Image from the Packer configuration file.

Sample cloudbuild.yaml file to build a VM from a Packer configuration file
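The page's own `cloudbuild.yaml` is not reproduced, so this is an added example. It assumes the Packer image from step 1 was pushed as `gcr.io/$PROJECT_ID/packer:<version>` in the Golden Images Project, that the template is named `nginx.pkr.hcl` and declares its plugins in `required_plugins`, and that the trigger passes the commit as `$SHORT_SHA`. Unlike the article's single-step build, it uses two steps, `packer init` and `packer build`; because only `/workspace` survives between Cloud Build steps, `PACKER_PLUGIN_PATH` is pointed inside it so the plugins downloaded by the first step are still there for the second.

```yaml
# Added example (not the article's cloudbuild.yaml). Assumed: image
# gcr.io/$PROJECT_ID/packer:<version>, template nginx.pkr.hcl, substitution
# values below. Packer authenticates through the build's service account
# (Application Default Credentials from the metadata server): no key file.
steps:
  # Download the plugins declared in required_plugins (googlecompute, ansible).
  - id: packer-init
    name: 'gcr.io/$PROJECT_ID/packer:${_PACKER_VERSION}'
    env: ['PACKER_PLUGIN_PATH=/workspace/.packer.d/plugins']
    args: ['init', 'nginx.pkr.hcl']

  # Build the Golden Image. The build VM and the image both land in $PROJECT_ID,
  # which is the Golden Images Project because the trigger lives there.
  - id: packer-build
    name: 'gcr.io/$PROJECT_ID/packer:${_PACKER_VERSION}'
    env: ['PACKER_PLUGIN_PATH=/workspace/.packer.d/plugins']
    args:
      - build
      - -var
      - project_id=$PROJECT_ID
      - -var
      - zone=${_ZONE}
      - -var
      - git_sha=$SHORT_SHA
      - nginx.pkr.hcl

substitutions:
  _PACKER_VERSION: '1.8.3'   # must match a tag pushed in step 1
  _ZONE: europe-west1-b

# OS upgrade + Ansible hardening take a while; the default 10 min is too short.
timeout: 1800s
```

The service account the build runs as needs permission to create the temporary VM and to attach a service account to it, which in practice means `roles/compute.instanceAdmin.v1` and `roles/iam.serviceAccountUser` in the Golden Images Project, and nothing in any Application Project. Keep the trigger scoped to the branch the Golden Images Team merges to, so a pull request from another team cannot publish an image into the family.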

Time for a test

The Packer configuration file (step 2) and the Cloud Build configuration (step 3) are now linked to a GitHub repo through a Cloud Build Trigger. If we push the Packer configuration code to GitHub, Cloud Build starts the Golden Image creation process, which we can follow from the Cloud Build dashboard:

Cloud Build — Build Summary

In the screenshot above, our only step was executed successfully, and a disk image was created. If we go to the GCE Image menu, we can see that the Golden Image was published to GCE successfully:

The created Golden Image is saved in GCE

How to use the Golden Images from an Application Project

Remembering our architecture and requirements from earlier for our Landing Zone, Golden Images are hosted in a dedicated project. Any Application Project that wants to use the Images needs valid permissions on that project. This is done by granting the principal that creates the VMs, typically a Service Account in the Application Project, the role roles/compute.imageUser on the Golden Images Project. That role carries the compute.images.useReadOnly permission and no permission to modify or delete the images, so an application team can consume Golden Images but never alter them.

Once permissions are set, an engineer can select the Golden Image from the console when building a new VM. The Golden Images will be displayed in the Custom Images menu as shown below:

A more interesting use case is to create VM Instance Templates that always point to the latest Image deployed in a Golden Image Family rather than to a specific Image name. Below is a snapshot that shows how to make such an Instance Template using Terraform:
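The Terraform snapshot is not reproduced on the page, so the following is an added example covering both the permission grant described above and the family-based Instance Template, written as one module so the dependency between them is explicit. It is not the author's code. Assumed names: the variables, the service account id `nginx-app`, the image family `nginx-ubuntu-2204`, and the Shared VPC subnet self-link. It grants roles/compute.imageUser on the Golden Images Project to the principal that issues the create calls and to the Application Project's Google APIs service agent, which is the identity a Managed Instance Group uses when it creates VMs, then builds a template whose boot disk references the family path.

```hcl
# Added example (not the article's Terraform). Assumed names: all variables,
# SA "nginx-app", family "nginx-ubuntu-2204". Apply in the Application Project
# with an identity that may also set IAM on the Golden Images Project.
variable "app_project" {
  type = string
}

variable "golden_images_project" {
  type = string
}

variable "image_family" {
  type    = string
  default = "nginx-ubuntu-2204"
}

variable "region" {
  type    = string
  default = "europe-west1"
}

variable "shared_vpc_subnet" {
  type        = string
  description = "projects/<host-project>/regions/<region>/subnetworks/<name>"
}

variable "vm_creator_member" {
  type        = string
  description = "Principal that runs the create calls, e.g. serviceAccount:terraform@<app-project>.iam.gserviceaccount.com"
}

data "google_project" "app" {
  project_id = var.app_project
}

# Read-only use of the images for whoever creates VMs from them. The role
# contains compute.images.useReadOnly and nothing that can change an image.
resource "google_project_iam_member" "creator_image_user" {
  project = var.golden_images_project
  role    = "roles/compute.imageUser"
  member  = var.vm_creator_member
}

# A MIG creates its VMs through the project's Google APIs service agent, so that
# identity needs the same read-only access; without it VM creation fails with an
# image permission error (Cloud Audit Logs shows which principal was refused).
resource "google_project_iam_member" "mig_agent_image_user" {
  project = var.golden_images_project
  role    = "roles/compute.imageUser"
  member  = "serviceAccount:${data.google_project.app.number}@cloudservices.gserviceaccount.com"
}

# Runtime identity attached to the VMs; it does not need image permissions.
resource "google_service_account" "app" {
  project      = var.app_project
  account_id   = "nginx-app"
  display_name = "NGINX application VMs"
}

resource "google_compute_instance_template" "nginx" {
  project      = var.app_project
  name_prefix  = "nginx-"
  machine_type = "e2-small"

  disk {
    boot        = true
    auto_delete = true
    # Family path: resolves to the newest non-deprecated image in the family.
    source_image = "projects/${var.golden_images_project}/global/images/family/${var.image_family}"
  }

  network_interface {
    subnetwork = var.shared_vpc_subnet
    # No access_config block: the VMs get no external IP.
  }

  service_account {
    email  = google_service_account.app.email
    scopes = ["cloud-platform"]
  }

  # Templates are immutable; name_prefix plus create_before_destroy lets
  # Terraform roll out a replacement without a gap in the MIG's version.
  lifecycle {
    create_before_destroy = true
  }

  depends_on = [
    google_project_iam_member.creator_image_user,
    google_project_iam_member.mig_agent_image_user,
  ]
}

resource "google_compute_region_instance_group_manager" "nginx" {
  project            = var.app_project
  name               = "nginx-mig"
  region             = var.region
  base_instance_name = "nginx"
  target_size        = 3

  version {
    instance_template = google_compute_instance_template.nginx.id
  }
}
```

Because the template stores the family path, nothing in Terraform's state changes when a new image is published, which is exactly why the next step in the process has to be triggered explicitly. If you would rather have Terraform detect a new image, read the family through a `google_compute_image` data source with `most_recent = true` and pass its `self_link` as `source_image`: the plan then shows the template being replaced, at the cost of re-running Terraform for every new Golden Image.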

A Managed Instance Group built off such an Instance Template creates its VMs from the latest deployed Image in the Golden Image Family at the time each VM is created. VMs that already exist keep the Image they were built with, so when a new Golden Image is deployed nothing changes on its own. What should happen then? How can we trigger the rebuild of the Instance Template and the Managed Instance Group? This will be the focus of our next article.

Conclusion

In this article, we showed a way to build and deploy Golden Images to a GCP project using Packer and Cloud Build. Images are deployed in a dedicated GCP project that is accessible to any application residing in the Landing Zone.

The Golden Image end-to-end process does not stop with the Golden Image deployment. In the next articles, we will cover the other key steps of the process that answer some of the questions below:

  • How do Application Projects update a single VM or group of VMs?
  • How do we enable continuous monitoring to report which VMs are, and which are not, running the latest image in a Golden Image family?
  • Can we run a vulnerability scan on the Golden Image?
