Feature/enforced provisioner

command/build.go

@@ -150,6 +150,26 @@ func (c *BuildCommand) RunContext(buildCtx context.Context, cla *BuildArgs) int
 		return ret
 	}
 
+	// Fetch and inject enforced provisioners from HCP Packer (if configured)
+	if !cla.SkipEnforcement {
+		if err := hcpRegistry.FetchEnforcedBlocks(buildCtx); err != nil {
+			return writeDiags(c.Ui, nil, hcl.Diagnostics{
+				&hcl.Diagnostic{
+					Summary:  "HCP: fetching enforced provisioners failed",
+					Severity: hcl.DiagError,
+					Detail:   err.Error(),
+				},
+			})
+		}
+
+		diags := hcpRegistry.InjectEnforcedProvisioners(builds)
+		if diags.HasErrors() {
+			return writeDiags(c.Ui, nil, diags)
+		}
+	} else {
+		c.Ui.Say("Skipping HCP Packer enforced provisioners (--skip-enforcement flag set)")
+	}
+
 	if cla.Debug {
 		c.Ui.Say("Debug mode enabled. Builds will not be parallelized.")
 	}
@@ -456,6 +476,7 @@ Options:
   -warn-on-undeclared-var       Display warnings for user variable files containing undeclared variables.
   -ignore-prerelease-plugins    Disable the loading of prerelease plugin binaries (x.y.z-dev).
   -use-sequential-evaluation    Fallback to using a sequential approach for local/datasource evaluation.
+  -skip-enforcement             Skip injection of HCP Packer enforced provisioners.
 `
 
 	return strings.TrimSpace(helpText)

command/build_test.go

@@ -1131,6 +1131,16 @@ func TestBuildCommand_ParseArgs(t *testing.T) {
 			},
 			0,
 		},
+		{fields{defaultMeta},
+			args{[]string{"-skip-enforcement", "file.json"}},
+			&BuildArgs{
+				MetaArgs:        MetaArgs{Path: "file.json"},
+				ParallelBuilds:  math.MaxInt64,
+				Color:           true,
+				SkipEnforcement: true,
+			},
+			0,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(fmt.Sprintf("%s", tt.args.args), func(t *testing.T) {

command/cli.go

@@ -101,6 +101,8 @@ func (ba *BuildArgs) AddFlagSets(flags *flag.FlagSet) {
 
 	flags.BoolVar(&ba.ReleaseOnly, "ignore-prerelease-plugins", false, "Disable the loading of prerelease plugin binaries (x.y.z-dev).")
 
+	flags.BoolVar(&ba.SkipEnforcement, "skip-enforcement", false, "Skip injection of HCP Packer enforced provisioners. Requires admin privileges.")
+
 	ba.MetaArgs.AddFlagSets(flags)
 }
 
@@ -136,6 +138,7 @@ type BuildArgs struct {
 	ParallelBuilds                      int64
 	OnError                             string
 	ReleaseOnly                         bool
+	SkipEnforcement                     bool
 }
 
 func (ia *InitArgs) AddFlagSets(flags *flag.FlagSet) {

go.mod

@@ -22,7 +22,7 @@ require (
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/go-version v1.8.0
 	github.com/hashicorp/hcl/v2 v2.24.0
-	github.com/hashicorp/hcp-sdk-go v0.167.0
+	github.com/hashicorp/hcp-sdk-go v0.172.0
 	github.com/hashicorp/packer-plugin-sdk v0.6.7
 	github.com/jehiah/go-strftime v0.0.0-20171201141054-1d33003b3869
 	github.com/klauspost/compress v1.18.5

go.sum

@@ -732,8 +732,8 @@ github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/hcl/v2 v2.24.0 h1:2QJdZ454DSsYGoaE6QheQZjtKZSUs9Nh2izTWiwQxvE=
 github.com/hashicorp/hcl/v2 v2.24.0/go.mod h1:oGoO1FIQYfn/AgyOhlg9qLC6/nOJPX3qGbkZpYAcqfM=
-github.com/hashicorp/hcp-sdk-go v0.167.0 h1:t2v+mm3gN1z4qvdJ7g9RuDdXDvIExMtjV1Fvzn2LuVc=
-github.com/hashicorp/hcp-sdk-go v0.167.0/go.mod h1:v2vbpNIrmgUTelW4Z+ur+aQuSPxeaVK3xytFdpEXvSg=
+github.com/hashicorp/hcp-sdk-go v0.172.0 h1:j4VrSN2yd8prFb8Y0gQWQbTpsV5uVPgYEUozOGfPOOc=
+github.com/hashicorp/hcp-sdk-go v0.172.0/go.mod h1:v2vbpNIrmgUTelW4Z+ur+aQuSPxeaVK3xytFdpEXvSg=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY=
 github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc=

hcl2template/enforced_provisioner.go

@@ -0,0 +1,81 @@
+// Copyright IBM Corp. 2013, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package hcl2template
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/packer/packer"
+)
+
+// GetCoreBuildProvisionerFromBlock converts a ProvisionerBlock to a CoreBuildProvisioner.
+// This is used for enforced provisioners that need to be injected into builds.
+func (cfg *PackerConfig) GetCoreBuildProvisionerFromBlock(pb *ProvisionerBlock, buildName string) (packer.CoreBuildProvisioner, hcl.Diagnostics) {
+	var diags hcl.Diagnostics
+
+	// Get the provisioner plugin
+	provisioner, err := cfg.parser.PluginConfig.Provisioners.Start(pb.PType)
+	if err != nil {
+		diags = append(diags, &hcl.Diagnostic{
+			Severity: hcl.DiagError,
+			Summary:  fmt.Sprintf("Failed to start enforced provisioner %q", pb.PType),
+			Detail:   fmt.Sprintf("The provisioner plugin could not be loaded: %s", err.Error()),
+		})
+		return packer.CoreBuildProvisioner{}, diags
+	}
+
+	// Create basic builder variables
+	builderVars := map[string]interface{}{
+		"packer_core_version":        cfg.CorePackerVersionString,
+		"packer_debug":               strconv.FormatBool(cfg.debug),
+		"packer_force":               strconv.FormatBool(cfg.force),
+		"packer_on_error":            cfg.onError,
+		"packer_sensitive_variables": cfg.sensitiveInputVariableKeys(),
+	}
+
+	// Create evaluation context
+	ectx := cfg.EvalContext(BuildContext, nil)
+
+	// Create the HCL2Provisioner wrapper
+	hclProvisioner := &HCL2Provisioner{
+		Provisioner:      provisioner,
+		provisionerBlock: pb,
+		evalContext:      ectx,
+		builderVariables: builderVars,
+	}
+
+	if pb.Override != nil {
+		if override, ok := pb.Override[buildName]; ok {
+			if typedOverride, ok := override.(map[string]interface{}); ok {
+				hclProvisioner.override = typedOverride
+			}
+		}
+	}
+
+	// Prepare the provisioner
+	err = hclProvisioner.HCL2Prepare(nil)
+	if err != nil {
+		diags = append(diags, &hcl.Diagnostic{
+			Severity: hcl.DiagError,
+			Summary:  fmt.Sprintf("Failed to prepare enforced provisioner %q", pb.PType),
+			Detail:   err.Error(),
+		})
+		return packer.CoreBuildProvisioner{}, diags
+	}
+
+	// Wrap provisioner with any special behavior (pause, timeout, retry)
+	wrappedProvisioner := packer.WrapProvisionerWithOptions(hclProvisioner, packer.ProvisionerWrapOptions{
+		PauseBefore: pb.PauseBefore,
+		Timeout:     pb.Timeout,
+		MaxRetries:  pb.MaxRetries,
+	})
+
+	return packer.CoreBuildProvisioner{
+		PType:       pb.PType,
+		PName:       pb.PName,
+		Provisioner: wrappedProvisioner,
+	}, diags
+}

hcl2template/enforced_provisioner_parser.go

@@ -0,0 +1,146 @@
+// Copyright IBM Corp. 2013, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package hcl2template
+
+import (
+	"encoding/json"
+	"log"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/hclparse"
+	"github.com/zclconf/go-cty/cty"
+)
+
+var standaloneProvisionerSchema = &hcl.BodySchema{
+	Blocks: []hcl.BlockHeaderSchema{
+		{Type: buildProvisionerLabel, LabelNames: []string{"type"}},
+	},
+}
+
+// ParseProvisionerBlocks parses raw provisioner block content into ProvisionerBlocks.
+// It accepts HCL, HCL JSON, and the legacy JSON payload used for enforced provisioners.
+func ParseProvisionerBlocks(blockContent string) ([]*ProvisionerBlock, hcl.Diagnostics) {
+	parser := &Parser{Parser: hclparse.NewParser()}
+	return parser.parseProvisionerBlocks(blockContent)
+}
+
+func (p *Parser) parseProvisionerBlocks(blockContent string) ([]*ProvisionerBlock, hcl.Diagnostics) {
+	hclParser := p.Parser
+	if hclParser == nil {
+		hclParser = hclparse.NewParser()
+	}
+
+	log.Printf("[DEBUG] parsing provisioner block content as HCL")
+
+	file, diags := hclParser.ParseHCL([]byte(blockContent), "provisioner.pkr.hcl")
+	if !diags.HasErrors() {
+		provisioners, provisionerDiags := p.parseProvisionerBlocksFromFile(file, diags)
+		if provisionerDiags.HasErrors() {
+			return nil, provisionerDiags
+		}
+		log.Printf("[DEBUG] parsed provisioner block content as HCL")
+		return provisioners, provisionerDiags
+	}
+	log.Printf("[DEBUG] failed to parse provisioner block content as HCL, trying JSON fallback")
+
+	jsonFile, jsonDiags := hclParser.ParseJSON([]byte(blockContent), "provisioner.pkr.json")
+	if jsonDiags.HasErrors() {
+		log.Printf("[DEBUG] failed to parse provisioner block content as JSON")
+		return nil, append(diags, jsonDiags...)
+	}
+
+	provisioners, provisionerDiags := p.parseProvisionerBlocksFromFile(jsonFile, jsonDiags)
+	if !provisionerDiags.HasErrors() && len(provisioners) > 0 {
+		log.Printf("[DEBUG] parsed provisioner block content as JSON")
+		return provisioners, provisionerDiags
+	}
+
+	legacyJSON, ok, err := normalizeLegacyProvisionersJSON(blockContent)
+	if err == nil && ok {
+		legacyFile, legacyDiags := hclParser.ParseJSON([]byte(legacyJSON), "provisioner_legacy.pkr.json")
+		if !legacyDiags.HasErrors() {
+			legacyProvisioners, legacyProvisionerDiags := p.parseProvisionerBlocksFromFile(legacyFile, legacyDiags)
+			if !legacyProvisionerDiags.HasErrors() && len(legacyProvisioners) > 0 {
+				log.Printf("[DEBUG] parsed provisioner block content as legacy JSON")
+				return legacyProvisioners, legacyProvisionerDiags
+			}
+		}
+	}
+
+	if provisionerDiags.HasErrors() {
+		return nil, provisionerDiags
+	}
+	log.Printf("[DEBUG] parsed provisioner block content as JSON but found no valid provisioner blocks")
+	return provisioners, provisionerDiags
+}
+
+func normalizeLegacyProvisionersJSON(blockContent string) (string, bool, error) {
+	type legacyPayload struct {
+		Provisioners []map[string]interface{} `json:"provisioners"`
+	}
+
+	var payload legacyPayload
+	if err := json.Unmarshal([]byte(blockContent), &payload); err != nil {
+		return "", false, err
+	}
+
+	if len(payload.Provisioners) == 0 {
+		return "", false, nil
+	}
+
+	normalized := make([]map[string]interface{}, 0, len(payload.Provisioners))
+	for _, provisioner := range payload.Provisioners {
+		typeName, ok := provisioner["type"].(string)
+		if !ok || typeName == "" {
+			continue
+		}
+
+		cfg := make(map[string]interface{})
+		for key, value := range provisioner {
+			if key == "type" {
+				continue
+			}
+			cfg[key] = value
+		}
+
+		normalized = append(normalized, map[string]interface{}{typeName: cfg})
+	}
+
+	if len(normalized) == 0 {
+		return "", false, nil
+	}
+
+	out := map[string]interface{}{
+		buildProvisionerLabel: normalized,
+	}
+
+	b, err := json.Marshal(out)
+	if err != nil {
+		return "", false, err
+	}
+
+	return string(b), true, nil
+}
+
+func (p *Parser) parseProvisionerBlocksFromFile(file *hcl.File, diags hcl.Diagnostics) ([]*ProvisionerBlock, hcl.Diagnostics) {
+	content, moreDiags := file.Body.Content(standaloneProvisionerSchema)
+	diags = append(diags, moreDiags...)
+	if diags.HasErrors() {
+		return nil, diags
+	}
+
+	ectx := &hcl.EvalContext{Variables: map[string]cty.Value{}}
+	provisioners := make([]*ProvisionerBlock, 0, len(content.Blocks))
+
+	for _, block := range content.Blocks {
+		provisioner, moreDiags := p.decodeProvisioner(block, ectx)
+		diags = append(diags, moreDiags...)
+		if moreDiags.HasErrors() {
+			continue
+		}
+		provisioners = append(provisioners, provisioner)
+	}
+
+	return provisioners, diags
+}