In order to build a new image, follow these steps

Base OS Selection

required

  • Publisher
  • Offer
  • SKU

You need to select which base OS you want to use from the Azure Platform, and that image needs to be available in the same region as your SIG (Shared Image Gallery)

The details required are

  • Publisher
  • Offer
  • SKU
  • Version

and you can look up the image via the portal, via this very handy site, or via the cli:

az vm image list --all --location uksouth

shows all images, or you can narrow the search down by publisher, offer and SKU

az vm image list-publishers --location uksouth
az vm image list-offers --publisher Canonical --location uksouth
az vm image list-skus --publisher Canonical --offer UbuntuServer --location uksouth

to get output in a more readable form, append -o table to your query

az vm image list --all --location uksouth -o table


Image Settings

| Azure Publisher | Azure Offer | Azure SKU | Release | Codename | Hardening Role |
|---|---|---|---|---|---|
| Canonical | 0001-com-ubuntu-minimal-bionic | minimal-18_04-lts-gen2 | 16_04 | Xenial Xerus | |
| Canonical | UbuntuServer | 16_04-lts-gen2 | 16_04 | Xenial Xerus | |
| Canonical | UbuntuServer | 18_04-lts-gen2 | 18_04 | Bionic Beaver | https://github.com/ansible-lockdown/UBUNTU18-CIS |
| Canonical | UbuntuServer | 19_04-gen2 | 10_04 | Eoan Ermine | |
| Canonical | 0001-com-ubuntu-minimal-focal | minimal-20_04-lts-gen2 | 20_04 | Focal Fossa | https://github.com/ansible-lockdown/UBUNTU20-CIS |
| Canonical | 0001-com-ubuntu-server-focal | 20_04-lts-gen2 | 20_04 | Focal Fossa | https://github.com/ansible-lockdown/UBUNTU20-CIS |
| Canonical | 0001-com-ubuntu-server-groovy | 20_10-gen2 | 20_10 | Groovy Gorilla | https://github.com/ansible-lockdown/UBUNTU20-CIS |
| Canonical | 0001-com-ubuntu-minimal-jammy | minimal-22_04-lts-gen2 | 22_04 | Jammy Jellyfish | https://github.com/ansible-lockdown/UBUNTU22-CIS |
| Canonical | 0001-com-ubuntu-server-jammy | 22_04-lts-gen2 | 22_04 | Jammy Jellyfish | https://github.com/ansible-lockdown/UBUNTU22-CIS |
| Canonical | 0001-com-ubuntu-minimal-kinetic | minimal-22_10-gen2 | 22_10 | Kinetic Kudu | https://github.com/ansible-lockdown/UBUNTU22-CIS |
| Canonical | 0001-com-ubuntu-server-kinetic | 22_10-gen2 | 22_10 | Kinetic Kudu | https://github.com/ansible-lockdown/UBUNTU22-CIS |
| RedHat | RHEL | 74-gen2 | 7_4 | RHEL7 | https://github.com/ansible-lockdown/RHEL7-CIS |
| RedHat | RHEL | 75-gen2 | 7_5 | RHEL7 | https://github.com/ansible-lockdown/RHEL7-CIS |
| RedHat | RHEL | 76-gen2 | 7_6 | RHEL7 | https://github.com/ansible-lockdown/RHEL7-CIS |
| RedHat | RHEL | 77-gen2 | 7_7 | RHEL7 | https://github.com/ansible-lockdown/RHEL7-CIS |
| RedHat | RHEL | 78-gen2 | 7_8 | RHEL7 | https://github.com/ansible-lockdown/RHEL7-CIS |
| RedHat | RHEL | 79-gen2 | 7_9 | RHEL7 | https://github.com/ansible-lockdown/RHEL7-CIS |
| RedHat | RHEL | 7lvm-gen2 | | RHEL7 | https://github.com/ansible-lockdown/RHEL7-CIS |
| RedHat | RHEL | 8-gen2 | 8_0 | RHEL8 | https://github.com/ansible-lockdown/RHEL8-CIS |
| RedHat | RHEL | 83-gen2 | 8_3 | RHEL8 | https://github.com/ansible-lockdown/RHEL8-CIS |
| RedHat | RHEL | 84-gen2 | 8_4 | RHEL8 | https://github.com/ansible-lockdown/RHEL8-CIS |
| RedHat | RHEL | 85-gen2 | 8_5 | RHEL8 | https://github.com/ansible-lockdown/RHEL8-CIS |
| RedHat | RHEL | 86-gen2 | 8_6 | RHEL8 | https://github.com/ansible-lockdown/RHEL8-CIS |
| RedHat | RHEL | 87-gen2 | 8_7 | RHEL8 | https://github.com/ansible-lockdown/RHEL8-CIS |
| RedHat | RHEL | 90-gen2 | 9_0 | RHEL9 | https://github.com/ansible-lockdown/RHEL9-CIS |
| RedHat | RHEL | 91-gen2 | 9_1 | RHEL9 | https://github.com/ansible-lockdown/RHEL9-CIS |


CIS Hardening Role

required

  • GitHub Role Link
  • https not ssh
  • public repositories only

The CIS hardening is applied using an Ansible role. For the POC the process uses publicly available roles: you pass the role's location to the process and specify any options by supplying a custom vars.yml

https://www.lockdownenterprise.com/#GH_AL_Landing provides a number of Ansible roles to apply CIS via GitHub

find the role you want and enter its URL, for example

https://github.com/ansible-lockdown/UBUNTU18-CIS

be sure to use the https URL and remove the .git from the end of the URL


Create Image Definition

Required

  • git
  • permission to clone and push to the repo

go to the secops-infrastructure repository and create a new local branch for your update

git clone git@github.com:pknw1-example-business/secops-infrastructure.git
cd secops-infrastructure
git checkout -b new_base_os

then open the image configuration file

vi 05_custom_image_configurations.tf

a typical file looks like this
locals {
  images = {
    github_runner = {
      input_publisher             = "Canonical"
      input_offer                 = "0002-com-ubuntu-minimal-bionic-daily"
      input_sku                   = "minimal-18_04-daily-lts"
      input_generation            = "1"
      input_os_size               = "minimal"
      image_label                 = "minimal"
      cis_role_url                = "https://github.com/ansible-lockdown/UBUNTU18-CIS"
      create_repo                 = true
    }
    focal = {
      input_publisher             = "Canonical"
      input_offer                 = "0001-com-ubuntu-minimal-focal"
      input_sku                   = "minimal-20_04-lts"
      input_generation            = "1"
      input_os_size               = "minimal"
      image_label                 = "min2004"
      cis_role_url                = "https://github.com/ansible-lockdown/UBUNTU20-STIG"
      create_repo                 = true
    }
    jammy = {
      input_publisher             = "Canonical"
      input_offer                 = "0001-com-ubuntu-minimal-jammy"
      input_sku                   = "minimal-22_04-lts"
      input_generation            = "1"
      input_os_size               = "minimal"
      image_label                 = "min2204"
      cis_role_url                = "https://github.com/ansible-lockdown/UBUNTU22-CIS"
      create_repo                 = true
    }
  }
}

you can now add your new definition inside the images map

    new_os = {
      input_publisher             = "Canonical"
      input_offer                 = "0001-com-ubuntu-minimal-jammy"
      input_sku                   = "minimal-22_04-lts"
      input_generation            = "1"
      input_os_size               = "minimal"
      image_label                 = "min2204"
      cis_role_url                = "https://github.com/ansible-lockdown/UBUNTU22-CIS"
    }

you can now commit your change; this automatically runs terraform plan so the changes can be reviewed before they are applied
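Before committing, it is worth linting the image map against the rules this page sets out for the CIS role link (https, not ssh, a public GitHub repository, no trailing .git) and against definitions that would collide on the gallery image name the plan output shows (publisher-offer-sku-label). This is an added example, not code from the secops-infrastructure repository; the file it parses is a constructed sample in the shape of 05_custom_image_configurations.tf, and its regex parser understands only that flat one-attribute-per-line layout, not general HCL.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the shape of 05_custom_image_configurations.tf from this page.
# "new_os" is written the way a careless copy of the "jammy" entry would look, with
# an ssh URL that still carries ".git", so the checks below have something to report.
SAMPLE_TF = """
locals {
  images = {
    jammy = {
      input_publisher  = "Canonical"
      input_offer      = "0001-com-ubuntu-minimal-jammy"
      input_sku        = "minimal-22_04-lts"
      input_generation = "1"
      input_os_size    = "minimal"
      image_label      = "min2204"
      cis_role_url     = "https://github.com/ansible-lockdown/UBUNTU22-CIS"
      create_repo      = true
    }
    new_os = {
      input_publisher  = "Canonical"
      input_offer      = "0001-com-ubuntu-minimal-jammy"
      input_sku        = "minimal-22_04-lts"
      input_generation = "1"
      input_os_size    = "minimal"
      image_label      = "min2204"
      cis_role_url     = "git@github.com:ansible-lockdown/UBUNTU22-CIS.git"
    }
  }
}
"""

REQUIRED_KEYS = ("input_publisher", "input_offer", "input_sku", "input_generation",
                 "input_os_size", "image_label", "cis_role_url")

_BLOCK_RE = re.compile(r"^\s*(\w+)\s*=\s*\{\s*$")
_ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|(true|false))\s*$')


def parse_image_definitions(tf_text):
    """Return {image_name: {attribute: value}} from the flat locals.images map.

    Deliberately regex-based: it understands only the one-attribute-per-line
    key = "string" / key = true shape this file uses, not general HCL.
    """
    images, current = {}, None
    for line in tf_text.splitlines():
        block = _BLOCK_RE.match(line)
        if block:
            if block.group(1) != "images":      # "images = {" is the map itself
                current = block.group(1)
                images[current] = {}
            continue
        if line.strip() == "}":
            current = None
            continue
        attr = _ATTR_RE.match(line)
        if attr and current is not None:
            key, text, boolean = attr.groups()
            images[current][key] = text if text is not None else boolean == "true"
    return images


def gallery_image_name(img):
    """Name the pipeline gives the Shared Image Gallery image, as seen in the
    plan output on this page: <publisher>-<offer>-<sku>-<label>."""
    return "-".join(img.get(k, "") for k in
                    ("input_publisher", "input_offer", "input_sku", "image_label"))


def check_image_definitions(images):
    """Return a list of (image_name, problem) tuples; empty means safe to commit."""
    findings = []
    by_gallery_name = defaultdict(list)
    for name, img in images.items():
        for key in REQUIRED_KEYS:
            if key not in img:
                findings.append((name, f"missing required attribute {key}"))
        url = img.get("cis_role_url", "")
        parsed = urlparse(url)
        # The page's rule: https, not ssh, a public GitHub repository, no trailing .git
        if parsed.scheme != "https" or parsed.netloc != "github.com":
            findings.append((name, "cis_role_url must be an https://github.com/... URL, not ssh"))
        if url.endswith(".git"):
            findings.append((name, "cis_role_url must not end in .git"))
        gen, sku = img.get("input_generation"), img.get("input_sku", "")
        if gen not in ("1", "2"):
            findings.append((name, 'input_generation must be "1" or "2"'))
        elif (gen == "2") != sku.endswith("-gen2"):
            findings.append((name, f"input_generation {gen} does not match sku {sku}"))
        by_gallery_name[gallery_image_name(img)].append(name)
    # Two definitions with the same publisher/offer/sku/label would build the same image
    for gallery_name, names in by_gallery_name.items():
        if len(names) > 1:
            findings.append((", ".join(names), f"would both create gallery image {gallery_name}"))
    return findings


if __name__ == "__main__":
    for who, problem in check_image_definitions(parse_image_definitions(SAMPLE_TF)):
        print(f"{who}: {problem}")
```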

plan.txt
[command]/home/runner/work/_temp/060e776a-af9f-492e-9cfc-dfd571273620/terraform-bin plan -no-color -input=false
github_repository.base_images["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004]
github_repository.base_images["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal]
github_repository.base_images["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204]
github_repository_file.roles["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal/custom/roles/requirements.yml]
github_actions_secret.PAT["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204:PAT]
github_actions_secret.PAT["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal:PAT]
github_actions_secret.AZURE_CREDENTIALS["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204:AZURE_CREDENTIALS]
github_actions_secret.AZURE_CREDENTIALS["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004:AZURE_CREDENTIALS]
github_repository_file.roles["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004/custom/roles/requirements.yml]
github_actions_secret.AZURE_CREDENTIALS["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal:AZURE_CREDENTIALS]
github_repository_file.roles["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204/custom/roles/requirements.yml]
github_actions_secret.PAT["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004:PAT]
github_repository_file.cis["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004/custom/playbooks/playbook.yml]
github_repository_file.cis["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal/custom/playbooks/playbook.yml]
github_repository_file.cis["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204/custom/playbooks/playbook.yml]
github_repository_file.readme["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204/README1ST.MD]
github_repository_file.readme["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004/README1ST.MD]
github_repository_file.readme["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal/README1ST.MD]
github_actions_secret.ARM_CLIENT_SECRET["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004:ARM_CLIENT_SECRET]
github_actions_secret.ARM_CLIENT_SECRET["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal:ARM_CLIENT_SECRET]
github_actions_secret.ARM_CLIENT_SECRET["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_CLIENT_SECRET]
module.shared_image_gallery.data.azurerm_client_config.current: Reading...
module.shared_image_gallery.azurerm_resource_group.shared_image_gallery[0]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg]
module.packer_resources.azurerm_resource_group.packer_build[0]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg]
data.azurerm_client_config.current: Reading...
module.shared_image_gallery.data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0zZmVhZTZjMi0xMGMzLTQzZmMtYWNlMS02ZDYzMTYyMGM1MmE7b2JqZWN0SWQ9OWFmMjVjOTAtNGZjOS00Y2E3LTk1YzctMTA5M2E2M2VkMTQ3O3N1YnNjcmlwdGlvbklkPTYyNWI2NmQ3LTViMTEtNDBmYi05OWFiLWJhMzAzYzEzZWE4ODt0ZW5hbnRJZD01MzhjZjZmZC1mNWQ0LTQ0NTEtOGU0YS04OGMzNGYyZjI2MTk=]
data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0zZmVhZTZjMi0xMGMzLTQzZmMtYWNlMS02ZDYzMTYyMGM1MmE7b2JqZWN0SWQ9OWFmMjVjOTAtNGZjOS00Y2E3LTk1YzctMTA5M2E2M2VkMTQ3O3N1YnNjcmlwdGlvbklkPTYyNWI2NmQ3LTViMTEtNDBmYi05OWFiLWJhMzAzYzEzZWE4ODt0ZW5hbnRJZD01MzhjZjZmZC1mNWQ0LTQ0NTEtOGU0YS04OGMzNGYyZjI2MTk=]
github_actions_secret.ARM_TENANT_ID["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004:ARM_TENANT_ID]
github_actions_secret.ARM_CLIENT_ID["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004:ARM_CLIENT_ID]
github_actions_secret.subscriptionid["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004:ARM_SUBSCRIPTION_ID]
github_repository_file.tfvars["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004/dev.tfvars]
github_repository_file.tfvars["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal/dev.tfvars]
github_repository_file.tfvars["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204/dev.tfvars]
github_actions_secret.ARM_CLIENT_ID["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_CLIENT_ID]
github_actions_secret.ARM_CLIENT_ID["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal:ARM_CLIENT_ID]
github_actions_secret.ARM_TENANT_ID["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal:ARM_TENANT_ID]
github_actions_secret.ARM_TENANT_ID["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_TENANT_ID]
github_actions_secret.subscriptionid["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal:ARM_SUBSCRIPTION_ID]
github_actions_secret.subscriptionid["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_SUBSCRIPTION_ID]
module.shared_image_gallery.data.azurerm_resource_group.shared_image_gallery: Reading...
module.shared_image_gallery.data.azurerm_resource_group.shared_image_gallery: Read complete after 0s [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg]
module.packer_resources.data.azurerm_resource_group.packer_build: Reading...
module.packer_resources.data.azurerm_resource_group.packer_build: Read complete after 0s [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg]
module.shared_image_gallery.azurerm_shared_image_gallery.shared_image_gallery: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg/providers/Microsoft.Compute/galleries/secops_base_images]
module.packer_resources.azurerm_virtual_network.packer_build[0]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg/providers/Microsoft.Network/virtualNetworks/secops_base_images-vnet]
module.packer_resources.azurerm_network_security_group.packer_build[0]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg/providers/Microsoft.Network/networkSecurityGroups/packer_nsg]
module.packer_resources.data.azurerm_virtual_network.packer_build: Reading...
module.packer_resources.azurerm_network_security_rule.packer_build_inbound[0]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg/providers/Microsoft.Network/networkSecurityGroups/packer_nsg/securityRules/sshin]
module.packer_resources.azurerm_network_security_rule.packer_build_out: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg/providers/Microsoft.Network/networkSecurityGroups/packer_nsg/securityRules/allout]
module.packer_resources.data.azurerm_virtual_network.packer_build: Read complete after 1s [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg/providers/Microsoft.Network/virtualNetworks/secops_base_images-vnet]
module.packer_resources.azurerm_subnet.packer_build[0]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg/providers/Microsoft.Network/virtualNetworks/secops_base_images-vnet/subnets/packer_build]
module.packer_resources.azurerm_subnet_network_security_group_association.packer_build[0]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg/providers/Microsoft.Network/virtualNetworks/secops_base_images-vnet/subnets/packer_build]
azurerm_shared_image.shared_image["jammy"]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg/providers/Microsoft.Compute/galleries/secops_base_images/images/Canonical-0001-com-ubuntu-minimal-jammy-minimal-22_04-lts-min2204]
azurerm_shared_image.shared_image["github_runner"]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg/providers/Microsoft.Compute/galleries/secops_base_images/images/Canonical-0002-com-ubuntu-minimal-bionic-daily-minimal-18_04-daily-lts-minimal]
azurerm_shared_image.shared_image["focal"]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg/providers/Microsoft.Compute/galleries/secops_base_images/images/Canonical-0001-com-ubuntu-minimal-focal-minimal-20_04-lts-min2004]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy
 <= read (data resources)

Terraform will perform the following actions:

  # data.github_actions_public_key.public_key["focal"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "github_actions_public_key" "public_key" {
      + id         = (known after apply)
      + key        = (known after apply)
      + key_id     = (known after apply)
      + repository = "secops-baseos-focal-minimal-20_04-lts-min2004"
    }

  # data.github_actions_public_key.public_key["github_runner"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "github_actions_public_key" "public_key" {
      + id         = (known after apply)
      + key        = (known after apply)
      + key_id     = (known after apply)
      + repository = "secops-baseos-github_runner-minimal-18_04-daily-lts-minimal"
    }

  # azurerm_shared_image.shared_image["jammy"] will be destroyed
  # (because key ["jammy"] is not in for_each map)
  - resource "azurerm_shared_image" "shared_image" {
      - accelerated_network_support_enabled = false -> null
      - architecture                        = "x64" -> null
      - confidential_vm_enabled             = false -> null
      - confidential_vm_supported           = false -> null
      - disk_types_not_allowed              = [] -> null
      - gallery_name                        = "secops_base_images" -> null
      - hyper_v_generation                  = "V1" -> null
      - id                                  = "/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg/providers/Microsoft.Compute/galleries/secops_base_images/images/Canonical-0001-com-ubuntu-minimal-jammy-minimal-22_04-lts-min2204" -> null
      - location                            = "uksouth" -> null
      - max_recommended_memory_in_gb        = 0 -> null
      - max_recommended_vcpu_count          = 0 -> null
      - min_recommended_memory_in_gb        = 0 -> null
      - min_recommended_vcpu_count          = 0 -> null
      - name                                = "Canonical-0001-com-ubuntu-minimal-jammy-minimal-22_04-lts-min2204" -> null
      - os_type                             = "Linux" -> null
      - resource_group_name                 = "secops_base_images-rg" -> null
      - specialized                         = false -> null
      - tags                                = {} -> null
      - trusted_launch_enabled              = false -> null

      - identifier {
          - offer     = "0001-com-ubuntu-minimal-jammy-minimal-22_04-lts" -> null
          - publisher = "Contino" -> null
          - sku       = "min2204" -> null
        }
    }

  # github_actions_secret.ARM_CLIENT_ID["jammy"] will be destroyed
  # (because key ["jammy"] is not in for_each map)
  - resource "github_actions_secret" "ARM_CLIENT_ID" {
      - created_at      = "2023-03-25 07:53:50 +0000 UTC" -> null
      - id              = "secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_CLIENT_ID" -> null
      - plaintext_value = (sensitive value) -> null
      - repository      = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - secret_name     = "ARM_CLIENT_ID" -> null
      - updated_at      = "2023-03-25 07:53:50 +0000 UTC" -> null
    }

  # github_actions_secret.ARM_CLIENT_SECRET["focal"] will be created
  + resource "github_actions_secret" "ARM_CLIENT_SECRET" {
      + created_at      = (known after apply)
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + repository      = "secops-baseos-focal-minimal-20_04-lts-min2004"
      + secret_name     = "ARM_CLIENT_SECRET"
      + updated_at      = (known after apply)
    }

  # github_actions_secret.ARM_CLIENT_SECRET["github_runner"] will be created
  + resource "github_actions_secret" "ARM_CLIENT_SECRET" {
      + created_at      = (known after apply)
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + repository      = "secops-baseos-github_runner-minimal-18_04-daily-lts-minimal"
      + secret_name     = "ARM_CLIENT_SECRET"
      + updated_at      = (known after apply)
    }

  # github_actions_secret.ARM_CLIENT_SECRET["jammy"] will be destroyed
  # (because key ["jammy"] is not in for_each map)
  - resource "github_actions_secret" "ARM_CLIENT_SECRET" {
      - created_at      = "2023-03-25 07:53:53 +0000 UTC" -> null
      - id              = "secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_CLIENT_SECRET" -> null
      - plaintext_value = (sensitive value) -> null
      - repository      = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - secret_name     = "ARM_CLIENT_SECRET" -> null
      - updated_at      = "2023-03-25 07:53:53 +0000 UTC" -> null
    }

  # github_actions_secret.ARM_TENANT_ID["jammy"] will be destroyed
  # (because key ["jammy"] is not in for_each map)
  - resource "github_actions_secret" "ARM_TENANT_ID" {
      - created_at      = "2023-03-25 07:53:55 +0000 UTC" -> null
      - id              = "secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_TENANT_ID" -> null
      - plaintext_value = (sensitive value) -> null
      - repository      = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - secret_name     = "ARM_TENANT_ID" -> null
      - updated_at      = "2023-03-25 07:53:55 +0000 UTC" -> null
    }

  # github_actions_secret.AZURE_CREDENTIALS["jammy"] will be destroyed
  # (because key ["jammy"] is not in for_each map)
  - resource "github_actions_secret" "AZURE_CREDENTIALS" {
      - created_at      = "2023-03-25 07:54:14 +0000 UTC" -> null
      - id              = "secops-baseos-jammy-minimal-22_04-lts-min2204:AZURE_CREDENTIALS" -> null
      - plaintext_value = (sensitive value) -> null
      - repository      = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - secret_name     = "AZURE_CREDENTIALS" -> null
      - updated_at      = "2023-03-25 07:54:14 +0000 UTC" -> null
    }

  # github_actions_secret.PAT["jammy"] will be destroyed
  # (because key ["jammy"] is not in for_each map)
  - resource "github_actions_secret" "PAT" {
      - created_at      = "2023-03-25 07:54:05 +0000 UTC" -> null
      - id              = "secops-baseos-jammy-minimal-22_04-lts-min2204:PAT" -> null
      - plaintext_value = (sensitive value) -> null
      - repository      = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - secret_name     = "PAT" -> null
      - updated_at      = "2023-03-25 07:54:05 +0000 UTC" -> null
    }

  # github_actions_secret.subscriptionid["jammy"] will be destroyed
  # (because key ["jammy"] is not in for_each map)
  - resource "github_actions_secret" "subscriptionid" {
      - created_at      = "2023-03-25 07:53:59 +0000 UTC" -> null
      - id              = "secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_SUBSCRIPTION_ID" -> null
      - plaintext_value = (sensitive value) -> null
      - repository      = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - secret_name     = "ARM_SUBSCRIPTION_ID" -> null
      - updated_at      = "2023-03-25 07:53:59 +0000 UTC" -> null
    }

  # github_repository.base_images["jammy"] will be destroyed
  # (because key ["jammy"] is not in for_each map)
  - resource "github_repository" "base_images" {
      - allow_auto_merge            = false -> null
      - allow_merge_commit          = true -> null
      - allow_rebase_merge          = true -> null
      - allow_squash_merge          = true -> null
      - allow_update_branch         = false -> null
      - archived                    = false -> null
      - default_branch              = "main" -> null
      - delete_branch_on_merge      = false -> null
      - etag                        = "W/\"93d2a9ff9930e8a9509989a3e2629d4014268e7c4aa38068d0b321c18a695b55\"" -> null
      - full_name                   = "pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - git_clone_url               = "git://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204.git" -> null
      - has_discussions             = false -> null
      - has_downloads               = false -> null
      - has_issues                  = false -> null
      - has_projects                = false -> null
      - has_wiki                    = false -> null
      - html_url                    = "https://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - http_clone_url              = "https://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204.git" -> null
      - id                          = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - is_template                 = false -> null
      - merge_commit_message        = "PR_TITLE" -> null
      - merge_commit_title          = "MERGE_MESSAGE" -> null
      - name                        = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - node_id                     = "R_kgDOJOE5NA" -> null
      - private                     = true -> null
      - repo_id                     = 618740020 -> null
      - squash_merge_commit_message = "COMMIT_MESSAGES" -> null
      - squash_merge_commit_title   = "COMMIT_OR_PR_TITLE" -> null
      - ssh_clone_url               = "git@github.com:pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204.git" -> null
      - svn_url                     = "https://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - topics                      = [] -> null
      - visibility                  = "private" -> null
      - vulnerability_alerts        = false -> null

      - template {
          - include_all_branches = false -> null
          - owner                = "pknw1-example-business" -> null
          - repository           = "secops-baseos-template" -> null
        }
    }

  # github_repository_file.cis["github_runner"] will be updated in-place
  ~ resource "github_repository_file" "cis" {
      ~ content             = <<-EOT
            ---
            - name: Run cis
              hosts: localhost
              become: true
              connection: local
          -   vars-files:
          -     - vars.yml
              roles:
                - UBUNTU18-CIS
        EOT
        id                  = "secops-baseos-github_runner-minimal-18_04-daily-lts-minimal/custom/playbooks/playbook.yml"
        # (9 unchanged attributes hidden)
    }

  # github_repository_file.cis["jammy"] will be destroyed
  # (because key ["jammy"] is not in for_each map)
  - resource "github_repository_file" "cis" {
      - branch              = "main" -> null
      - commit_author       = "Terraform User" -> null
      - commit_email        = "terraform@example.com" -> null
      - commit_message      = "Add custom/playbooks/playbook.yml" -> null
      - commit_sha          = "3589f34f056bd3b94f62205d26ec6c5ecbe021ba" -> null
      - content             = <<-EOT
            ---
            - name: Run cis
              hosts: localhost
              become: true
              connection: local
              roles:
                - UBUNTU22-CIS
        EOT -> null
      - file                = "custom/playbooks/playbook.yml" -> null
      - id                  = "secops-baseos-jammy-minimal-22_04-lts-min2204/custom/playbooks/playbook.yml" -> null
      - overwrite_on_create = true -> null
      - repository          = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - sha                 = "35a84d3d12264ae4ae8c52586c452342822e51fd" -> null
    }

  # github_repository_file.readme["jammy"] will be destroyed
  # (because key ["jammy"] is not in for_each map)
  - resource "github_repository_file" "readme" {
      - branch              = "main" -> null
      - commit_author       = "Terraform User" -> null
      - commit_email        = "terraform@example.com" -> null
      - commit_message      = "Add README1ST.MD" -> null
      - commit_sha          = "bccd6353b140f41351ac626271a8fa62653ee36e" -> null
      - content             = "# update the [ARM_CLIENT_SECRET](https://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204/settings/secrets/actions/ARM_CLIENT_SECRET) value first!" -> null
      - file                = "README1ST.MD" -> null
      - id                  = "secops-baseos-jammy-minimal-22_04-lts-min2204/README1ST.MD" -> null
      - overwrite_on_create = true -> null
      - repository          = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - sha                 = "70bc796e8db8f22b0f2d8c2a8024a5faefd0525e" -> null
    }

  # github_repository_file.roles["jammy"] will be destroyed
  # (because key ["jammy"] is not in for_each map)
  - resource "github_repository_file" "roles" {
      - branch              = "main" -> null
      - commit_author       = "Terraform User" -> null
      - commit_email        = "terraform@example.com" -> null
      - commit_message      = "Add custom/roles/requirements.yml" -> null
      - commit_sha          = "0b6261b73cd990e978fd8ef7a4a095c33c78265c" -> null
      - content             = "- src: https://github.com/ansible-lockdown/UBUNTU22-CIS" -> null
      - file                = "custom/roles/requirements.yml" -> null
      - id                  = "secops-baseos-jammy-minimal-22_04-lts-min2204/custom/roles/requirements.yml" -> null
      - overwrite_on_create = true -> null
      - repository          = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - sha                 = "c7dcb902b472a2af2bb36425d6dc16391d8798e8" -> null
    }

  # github_repository_file.tfvars["jammy"] will be destroyed
  # (because key ["jammy"] is not in for_each map)
  - resource "github_repository_file" "tfvars" {
      - branch              = "main" -> null
      - commit_author       = "Terraform User" -> null
      - commit_email        = "terraform@example.com" -> null
      - commit_message      = "Managed by Terraform" -> null
      - commit_sha          = "8c5298bf9a5c16eec9df3cb60472ebb94fe93d8e" -> null
      - content             = <<-EOT
            location="uksouth"
            subscription_id="625b66d7-5b11-40fb-99ab-ba303c13ea88"
            client_id="3feae6c2-10c3-43fc-ace1-6d631620c52a"
            tenant_id="538cf6fd-f5d4-4451-8e4a-88c34f2f2619"
            azure_source_image_publisher="Canonical"
            azure_source_image_offer="0001-com-ubuntu-minimal-jammy"
            azure_source_image_sku="minimal-22_04-lts"
            shared_image_gallery_destination_subscription_id=""
            shared_image_gallery_destination_resource_group="secops_base_images-rg"
            shared_image_gallery_destination_gallery_name="secops_base_images"
            cis_role_url= "https://github.com/ansible-lockdown/UBUNTU22-CIS"
            custom_label="min2204"
            build_resource_group_name="secops_base_images_build-rg"
            managed_image_resource_group_name="secops_base_images-rg"
        EOT -> null
      - file                = "dev.tfvars" -> null
      - id                  = "secops-baseos-jammy-minimal-22_04-lts-min2204/dev.tfvars" -> null
      - overwrite_on_create = true -> null
      - repository          = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
      - sha                 = "77e004dc1c91aaf293f5ffb329b70e18d87e50e0" -> null
    }

  # module.packer_resources.azurerm_network_security_rule.packer_build_inbound[0] will be created
  + resource "azurerm_network_security_rule" "packer_build_inbound" {
      + access                      = "Allow"
      + destination_address_prefix  = "*"
      + destination_port_range      = "22"
      + direction                   = "Inbound"
      + id                          = (known after apply)
      + name                        = "sshin"
      + network_security_group_name = "packer_nsg"
      + priority                    = 110
      + protocol                    = "Tcp"
      + resource_group_name         = "secops_base_images_build-rg"
      + source_address_prefix       = "*"
      + source_port_range           = "*"
    }

  # module.packer_resources.azurerm_network_security_rule.packer_build_out will be created
  + resource "azurerm_network_security_rule" "packer_build_out" {
      + access                      = "Allow"
      + destination_address_prefix  = "*"
      + destination_port_range      = "*"
      + direction                   = "Outbound"
      + id                          = (known after apply)
      + name                        = "allout"
      + network_security_group_name = "packer_nsg"
      + priority                    = 110
      + protocol                    = "Tcp"
      + resource_group_name         = "secops_base_images_build-rg"
      + source_address_prefix       = "*"
      + source_port_range           = "*"
    }

Plan: 4 to add, 1 to change, 12 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
::debug::Terraform exited with code 0.
::debug::stderr: 
::debug::exitcode: 0

Creating the Custom OS repository

Required

  • permission to merge to main
  • access to ARM_CLIENT_SECRET value to update the new repo

Create a pull request and, if the checks pass, merge it into main.

When you merge into main, a new repository is created for this customisation using the template repo https://github.com/pknw1-example-business/secops-baseos-template.

The setup process is mostly automated; it:

  1. creates a new image definition in the SIG

  2. creates a new repo using a name generated from your definition

  3. creates a new branch named after the OS release version

  4. creates a pre-populated dev.tfvars for your build in the new branch

  5. creates custom/roles/requirements.yml, which installs the CIS role, in the new branch

  6. creates custom/playbooks/playbook.yml, which runs the CIS role, in the new branch

  7. creates a pull request against main for the new branch

  8. creates the required GitHub secrets and populates them

You should now have a new repo with files and config specific to your build.

The final step is to set the ARM_CLIENT_SECRET value.

Custom OS Initial State

Any time the base OS version changes for your chosen Microsoft Azure base image, that version number is updated to the current version in dev.tfvars, and the updated dev.tfvars (along with any other changed files) is then committed to your repository on a new branch.

If your initial version is 20.04.123456, the first time you enter your repo there will be a branch named 20.04.123456, with a pull request automatically opened.

Every time there is an update, you will see a new branch with a PR generated.

The pull request WILL NOT merge automatically; verifying all checks and approving the update is down to the repo owner.
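As an added example (not the project's own automation), the shell functions below derive from a dev.tfvars the repository and SIG image definition names the setup steps above produce, and decide whether a newer published base-image version calls for a new version-named branch. The `azure_source_image_version` key and the `jammy` for_each key are assumptions; the name patterns follow the Terraform plan shown on this page, and the Azure version list is a constructed sample rather than a live `az` call.

```shell
#!/bin/sh
# Added example, not the project's own automation: derive the names the
# setup process produces from a dev.tfvars and detect a base-image version
# bump. The key azure_source_image_version and the for_each key "jammy"
# are assumptions; the name patterns are taken from the Terraform plan.

# Constructed sample dev.tfvars, modelled on the page's excerpt.
SAMPLE_TFVARS='location="uksouth"
azure_source_image_publisher="Canonical"
azure_source_image_offer="0001-com-ubuntu-minimal-jammy"
azure_source_image_sku="minimal-22_04-lts"
azure_source_image_version="22.04.202303090"
custom_label="min2204"'

# Constructed sample of what
#   az vm image list -p Canonical -f 0001-com-ubuntu-minimal-jammy \
#     -s minimal-22_04-lts --all --query "[].version" -o tsv
# returns; order is not guaranteed, so the newest is picked by sorting.
SAMPLE_VERSIONS='22.04.202303090
22.04.202302280
22.04.202304050'

# tfvar KEY CONTENT: print the quoted value of KEY from tfvars CONTENT
# (tolerates spaces around "=", as in the page's cis_role_url line).
tfvar() {
  printf '%s\n' "$2" |
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# image_definition_name CONTENT: <publisher>-<offer>-<sku>-<label>,
# the SIG image definition name pattern seen in the plan.
image_definition_name() {
  printf '%s-%s-%s-%s\n' \
    "$(tfvar azure_source_image_publisher "$1")" \
    "$(tfvar azure_source_image_offer "$1")" \
    "$(tfvar azure_source_image_sku "$1")" \
    "$(tfvar custom_label "$1")"
}

# repo_name KEY CONTENT: secops-baseos-<key>-<sku>-<label>, the repository
# name pattern seen in the plan (KEY is the for_each key, e.g. jammy).
repo_name() {
  printf 'secops-baseos-%s-%s-%s\n' "$1" \
    "$(tfvar azure_source_image_sku "$2")" "$(tfvar custom_label "$2")"
}

# latest_version LIST: highest dotted version in a newline-separated list.
latest_version() {
  printf '%s\n' "$1" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# pending_branch CONTENT LIST: print the branch a version bump would create
# (named after the new version), or nothing if dev.tfvars is current.
pending_branch() {
  current=$(tfvar azure_source_image_version "$1")
  latest=$(latest_version "$2")
  [ "$current" != "$latest" ] && printf '%s\n' "$latest"
  return 0
}

# bump_version CONTENT VERSION: dev.tfvars content with the version
# replaced, i.e. the file that would be committed on the new branch.
bump_version() {
  printf '%s\n' "$1" |
    sed "s/^\([[:space:]]*azure_source_image_version[[:space:]]*=[[:space:]]*\)\"[^\"]*\"/\1\"$2\"/"
}

# Stand-alone demonstration on the constructed samples.
echo "repo:   $(repo_name jammy "$SAMPLE_TFVARS")"
echo "image:  $(image_definition_name "$SAMPLE_TFVARS")"
echo "branch: $(pending_branch "$SAMPLE_TFVARS" "$SAMPLE_VERSIONS")"
```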