To build a new hardened base image, follow the steps below.
Base OS Selection
required
- Publisher
- Offer
- SKU
Select the base OS you want to use from the Azure Marketplace. The image must be available in the same region as your Shared Image Gallery (SIG), which is why every command below is restricted with --location.
The details required are
- Publisher
- Offer
- SKU
- Version
You can look these up in the Azure portal, on a third-party image lookup site, or with the Azure CLI:
az vm image list --all --location uksouth
to show all images
or you can narrow the search step by step, by publisher, then offer, then SKU
az vm image list-publishers --location uksouth
az vm image list-offers --publisher Canonical --location uksouth
az vm image list-skus --publisher Canonical --offer UbuntuServer --location uksouth
to get output in a more readable form, append -o table to your query
az vm image list --all --location uksouth -o table
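The lookup the commands above perform, as an added example that is not part of this page or the secops-infrastructure repository: a small Python helper that takes the JSON printed by `az vm image list --all --location uksouth -o json`, checks that the publisher/offer/SKU is actually offered in that region, and picks the newest version by numeric comparison rather than string order. The sample records and their version numbers are constructed for illustration.

```python
"""Resolve publisher/offer/SKU to the newest available image version.

Added example for this page, not code from the secops-infrastructure
repository. It works on the JSON that
`az vm image list --all --location uksouth -o json` prints; the records
in SAMPLE_AZ_OUTPUT are constructed and their version numbers are made up.
"""
import json
import sys

SAMPLE_AZ_OUTPUT = json.dumps([
    {"architecture": "x64", "offer": "0001-com-ubuntu-minimal-jammy",
     "publisher": "Canonical", "sku": "minimal-22_04-lts",
     "urn": "Canonical:0001-com-ubuntu-minimal-jammy:minimal-22_04-lts:22.04.202301010",
     "urnAlias": None, "version": "22.04.202301010"},
    {"architecture": "x64", "offer": "0001-com-ubuntu-minimal-jammy",
     "publisher": "Canonical", "sku": "minimal-22_04-lts",
     "urn": "Canonical:0001-com-ubuntu-minimal-jammy:minimal-22_04-lts:22.04.202303090",
     "urnAlias": None, "version": "22.04.202303090"},
    {"architecture": "x64", "offer": "0001-com-ubuntu-minimal-jammy",
     "publisher": "Canonical", "sku": "minimal-22_04-lts-gen2",
     "urn": "Canonical:0001-com-ubuntu-minimal-jammy:minimal-22_04-lts-gen2:22.04.202303090",
     "urnAlias": None, "version": "22.04.202303090"},
])


def sample_images():
    """Parsed form of the constructed sample above."""
    return json.loads(SAMPLE_AZ_OUTPUT)


def version_key(version):
    """Azure image versions are dotted numbers ('22.04.202303090'); compare
    them component by component, since a plain string sort would order
    '9.0.1' after '10.0.1'."""
    return tuple(int(part) for part in version.split("."))


def image_available(images, publisher, offer, sku):
    """True if at least one version of publisher:offer:sku is in the listing.
    Because the listing was taken with --location, False means the image is
    not offered in the region of your Shared Image Gallery."""
    return any(i["publisher"] == publisher and i["offer"] == offer
               and i["sku"] == sku for i in images)


def pick_image(images, publisher, offer, sku):
    """Return the record for the newest version of publisher:offer:sku.
    Matching is exact and case-sensitive because the SKU is copied verbatim
    into the image definition; 'minimal-22_04-lts' and
    'minimal-22_04-lts-gen2' are different SKUs."""
    matches = [i for i in images if i["publisher"] == publisher
               and i["offer"] == offer and i["sku"] == sku]
    if not matches:
        raise LookupError(f"{publisher}:{offer}:{sku} is not available in this region")
    return max(matches, key=lambda i: version_key(i["version"]))


if __name__ == "__main__":
    # Usage: az vm image list --all --location uksouth -o json > images.json
    #        python3 pick_image.py images.json
    # With no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            images = json.load(fh)
    else:
        images = sample_images()
    chosen = pick_image(images, "Canonical", "0001-com-ubuntu-minimal-jammy",
                        "minimal-22_04-lts")
    print(chosen["urn"])
```

The four values returned in the chosen record (publisher, offer, sku, version) are exactly the ones the image definition asks for; the urn is handy for a quick `az vm create` smoke test of the base image before hardening.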
CIS Hardening Role
required
- GitHub Role Link
- https not ssh
- public repositories only
CIS hardening is applied with an Ansible role. For the POC the build uses publicly available roles: you pass the role's repository URL to the process and set any role options in a custom vars.yml.
Lockdown Enterprise (https://www.lockdownenterprise.com/#GH_AL_Landing) publishes a number of Ansible roles on GitHub that apply the CIS benchmarks.
Find the role that matches your base OS and enter its URL, for example
https://github.com/ansible-lockdown/UBUNTU18-CIS
Be sure to use the https URL (not the ssh form) and remove the .git suffix from the end of the URL. Note that the role is fetched from the public repository at build time, so whatever its default branch contains when the build runs is what gets applied to the image.
Create Image Definition
Required
- git
- permission to clone and push to repo
go to the secops-infrastructure repository and create a new local branch for your update
git clone git@github.com:pknw1-example-business/secops-infrastructure.git
cd secops-infrastructure
git checkout -b new_base_os
vi 05_custom_image_configurations.tf
locals {
  images = {
    github_runner = {
      input_publisher  = "Canonical"
      input_offer      = "0002-com-ubuntu-minimal-bionic-daily"
      input_sku        = "minimal-18_04-daily-lts"
      input_generation = "1"
      input_os_size    = "minimal"
      image_label      = "minimal"
      cis_role_url     = "https://github.com/ansible-lockdown/UBUNTU18-CIS"
      create_repo      = true
    }
    focal = {
      input_publisher  = "Canonical"
      input_offer      = "0001-com-ubuntu-minimal-focal"
      input_sku        = "minimal-20_04-lts"
      input_generation = "1"
      input_os_size    = "minimal"
      image_label      = "min2004"
      cis_role_url     = "https://github.com/ansible-lockdown/UBUNTU20-STIG"
      create_repo      = true
    }
    jammy = {
      input_publisher  = "Canonical"
      input_offer      = "0001-com-ubuntu-minimal-jammy"
      input_sku        = "minimal-22_04-lts"
      input_generation = "1"
      input_os_size    = "minimal"
      image_label      = "min2204"
      cis_role_url     = "https://github.com/ansible-lockdown/UBUNTU22-CIS"
      create_repo      = true
    }
  }
}
Now add your new definition to the images map. The block below copies the jammy entry as a template; give your entry its own publisher, offer, SKU, generation and image_label before committing. The gallery image name is built from the publisher, offer, SKU and label (see the resource ids in the plan output), so an entry that reuses jammy's values would produce the same image name as the existing jammy image.
    new_os = {
      input_publisher  = "Canonical"
      input_offer      = "0001-com-ubuntu-minimal-jammy"
      input_sku        = "minimal-22_04-lts"
      input_generation = "1"
      input_os_size    = "minimal"
      image_label      = "min2204"
      cis_role_url     = "https://github.com/ansible-lockdown/UBUNTU22-CIS"
    }
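Covering both the CIS role URL rules above and the image definition just added, here is an added example (not code from this page or the secops-infrastructure repository) that checks a candidate `images` entry before it is committed. The URL checks are the rules stated on this page (https not ssh, public GitHub repository, no .git suffix). The gallery image naming rule, publisher-offer-sku-image_label, is an assumption inferred from the resource ids in the plan output further down, so confirm it against the module; the `version` value passed to `requirements_entry` is a placeholder for a tag or commit you have reviewed.

```python
"""Pre-commit checks for a new entry in the `images` map of
05_custom_image_configurations.tf.

Added example for this page, not code from the secops-infrastructure repo.
URL rules are the ones the page states. The gallery-image naming rule is an
ASSUMPTION inferred from ids in the plan output
(<publisher>-<offer>-<sku>-<image_label>); verify it against the module.
"""
from urllib.parse import urlparse

REQUIRED_KEYS = {"input_publisher", "input_offer", "input_sku",
                 "input_generation", "input_os_size", "image_label",
                 "cis_role_url"}

# Existing map, abbreviated to the entry that the page's `new_os` example copies.
EXISTING_IMAGES = {
    "jammy": {
        "input_publisher": "Canonical",
        "input_offer": "0001-com-ubuntu-minimal-jammy",
        "input_sku": "minimal-22_04-lts",
        "input_generation": "1",
        "input_os_size": "minimal",
        "image_label": "min2204",
        "cis_role_url": "https://github.com/ansible-lockdown/UBUNTU22-CIS",
        "create_repo": True,
    },
}


def check_cis_role_url(url):
    """Return the role URL in the form the build expects, or raise ValueError.

    The ssh form git@github.com:owner/repo.git has no URL scheme, so the first
    test rejects it. A trailing .git is stripped rather than rejected because
    it is the one mistake the page explicitly calls out.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"{url!r}: use the https URL, not ssh or http")
    if parsed.netloc != "github.com":
        raise ValueError(f"{url!r}: roles are fetched from public github.com repos")
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) != 2 or parsed.query or parsed.fragment:
        raise ValueError(f"{url!r}: expected https://github.com/<owner>/<repo>")
    owner, repo = parts
    if repo.endswith(".git"):
        repo = repo[:-4]
    return f"https://github.com/{owner}/{repo}"


def requirements_entry(url, version=None):
    """requirements.yml entry for the role. Without `version`, ansible-galaxy
    installs whatever the default branch holds at build time; pass a tag or
    commit you have reviewed to pin what gets applied to the image."""
    lines = [f"- src: {check_cis_role_url(url)}"]
    if version:
        lines.append(f"  version: {version}")
    return "\n".join(lines)


def gallery_image_name(entry):
    # Assumed naming rule, inferred from the plan output ids.
    return "-".join([entry["input_publisher"], entry["input_offer"],
                     entry["input_sku"], entry["image_label"]])


def validate_new_image(images, key, entry):
    """Return a list of problems; an empty list means the entry can be committed."""
    problems = []
    if key in images:
        problems.append(f"key {key!r} already exists; reusing it changes that image")
    missing = REQUIRED_KEYS - entry.keys()
    if missing:
        problems.append("missing keys: " + ", ".join(sorted(missing)))
    if entry.get("input_generation") not in ("1", "2"):  # Azure Hyper-V V1 / V2
        problems.append('input_generation must be "1" or "2"')
    try:
        check_cis_role_url(entry.get("cis_role_url", ""))
    except ValueError as exc:
        problems.append(f"cis_role_url: {exc}")
    if not missing:
        name = gallery_image_name(entry)
        for other_key, other in images.items():
            if gallery_image_name(other) == name:
                problems.append(f"gallery image {name!r} collides with {other_key!r}")
    return problems


if __name__ == "__main__":
    # The page's `new_os` example verbatim: it copies jammy's offer, SKU and
    # label, so it would produce the same gallery image name as jammy.
    new_os = {k: v for k, v in EXISTING_IMAGES["jammy"].items() if k != "create_repo"}
    for problem in validate_new_image(EXISTING_IMAGES, "new_os", new_os):
        print("-", problem)
```

Run it as part of your pre-commit checks, or hook the same functions into the pipeline before terraform plan; either way the point is to catch a bad role URL or a colliding definition before Terraform tries to create repositories and gallery images from it.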
Commit and push your branch. The pipeline runs terraform plan automatically to verify the change; read the plan before opening a pull request and confirm it only creates the resources for your new key. Pay particular attention to destroys: in the run shown below, every resource keyed jammy is scheduled for destruction because that key is no longer in the for_each map, which is what happens when an existing key is removed or renamed. Also note that the sshin rule on the packer build NSG in this plan allows TCP/22 inbound from any source address (source_address_prefix = "*"); restrict it to the addresses your build runners use where you can.

[command]/home/runner/work/_temp/060e776a-af9f-492e-9cfc-dfd571273620/terraform-bin plan -no-color -input=false
github_repository.base_images["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004]
github_repository.base_images["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal]
github_repository.base_images["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204]
github_repository_file.roles["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal/custom/roles/requirements.yml]
github_actions_secret.PAT["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204:PAT]
github_actions_secret.PAT["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal:PAT]
github_actions_secret.AZURE_CREDENTIALS["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204:AZURE_CREDENTIALS]
github_actions_secret.AZURE_CREDENTIALS["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004:AZURE_CREDENTIALS]
github_repository_file.roles["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004/custom/roles/requirements.yml]
github_actions_secret.AZURE_CREDENTIALS["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal:AZURE_CREDENTIALS]
github_repository_file.roles["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204/custom/roles/requirements.yml]
github_actions_secret.PAT["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004:PAT]
github_repository_file.cis["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004/custom/playbooks/playbook.yml]
github_repository_file.cis["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal/custom/playbooks/playbook.yml]
github_repository_file.cis["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204/custom/playbooks/playbook.yml]
github_repository_file.readme["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204/README1ST.MD]
github_repository_file.readme["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004/README1ST.MD]
github_repository_file.readme["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal/README1ST.MD]
github_actions_secret.ARM_CLIENT_SECRET["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004:ARM_CLIENT_SECRET]
github_actions_secret.ARM_CLIENT_SECRET["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal:ARM_CLIENT_SECRET]
github_actions_secret.ARM_CLIENT_SECRET["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_CLIENT_SECRET]
module.shared_image_gallery.data.azurerm_client_config.current: Reading...
module.shared_image_gallery.azurerm_resource_group.shared_image_gallery[0]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg]
module.packer_resources.azurerm_resource_group.packer_build[0]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg]
data.azurerm_client_config.current: Reading...
module.shared_image_gallery.data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0zZmVhZTZjMi0xMGMzLTQzZmMtYWNlMS02ZDYzMTYyMGM1MmE7b2JqZWN0SWQ9OWFmMjVjOTAtNGZjOS00Y2E3LTk1YzctMTA5M2E2M2VkMTQ3O3N1YnNjcmlwdGlvbklkPTYyNWI2NmQ3LTViMTEtNDBmYi05OWFiLWJhMzAzYzEzZWE4ODt0ZW5hbnRJZD01MzhjZjZmZC1mNWQ0LTQ0NTEtOGU0YS04OGMzNGYyZjI2MTk=]
data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0zZmVhZTZjMi0xMGMzLTQzZmMtYWNlMS02ZDYzMTYyMGM1MmE7b2JqZWN0SWQ9OWFmMjVjOTAtNGZjOS00Y2E3LTk1YzctMTA5M2E2M2VkMTQ3O3N1YnNjcmlwdGlvbklkPTYyNWI2NmQ3LTViMTEtNDBmYi05OWFiLWJhMzAzYzEzZWE4ODt0ZW5hbnRJZD01MzhjZjZmZC1mNWQ0LTQ0NTEtOGU0YS04OGMzNGYyZjI2MTk=]
github_actions_secret.ARM_TENANT_ID["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004:ARM_TENANT_ID]
github_actions_secret.ARM_CLIENT_ID["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004:ARM_CLIENT_ID]
github_actions_secret.subscriptionid["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004:ARM_SUBSCRIPTION_ID]
github_repository_file.tfvars["focal"]: Refreshing state... [id=secops-baseos-focal-minimal-20_04-lts-min2004/dev.tfvars]
github_repository_file.tfvars["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal/dev.tfvars]
github_repository_file.tfvars["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204/dev.tfvars]
github_actions_secret.ARM_CLIENT_ID["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_CLIENT_ID]
github_actions_secret.ARM_CLIENT_ID["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal:ARM_CLIENT_ID]
github_actions_secret.ARM_TENANT_ID["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal:ARM_TENANT_ID]
github_actions_secret.ARM_TENANT_ID["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_TENANT_ID]
github_actions_secret.subscriptionid["github_runner"]: Refreshing state... [id=secops-baseos-github_runner-minimal-18_04-daily-lts-minimal:ARM_SUBSCRIPTION_ID]
github_actions_secret.subscriptionid["jammy"]: Refreshing state... [id=secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_SUBSCRIPTION_ID]
module.shared_image_gallery.data.azurerm_resource_group.shared_image_gallery: Reading...
module.shared_image_gallery.data.azurerm_resource_group.shared_image_gallery: Read complete after 0s [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg]
module.packer_resources.data.azurerm_resource_group.packer_build: Reading...
module.packer_resources.data.azurerm_resource_group.packer_build: Read complete after 0s [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg]
module.shared_image_gallery.azurerm_shared_image_gallery.shared_image_gallery: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg/providers/Microsoft.Compute/galleries/secops_base_images]
module.packer_resources.azurerm_virtual_network.packer_build[0]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg/providers/Microsoft.Network/virtualNetworks/secops_base_images-vnet]
module.packer_resources.azurerm_network_security_group.packer_build[0]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg/providers/Microsoft.Network/networkSecurityGroups/packer_nsg]
module.packer_resources.data.azurerm_virtual_network.packer_build: Reading...
module.packer_resources.azurerm_network_security_rule.packer_build_inbound[0]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg/providers/Microsoft.Network/networkSecurityGroups/packer_nsg/securityRules/sshin]
module.packer_resources.azurerm_network_security_rule.packer_build_out: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg/providers/Microsoft.Network/networkSecurityGroups/packer_nsg/securityRules/allout]
module.packer_resources.data.azurerm_virtual_network.packer_build: Read complete after 1s [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg/providers/Microsoft.Network/virtualNetworks/secops_base_images-vnet]
module.packer_resources.azurerm_subnet.packer_build[0]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg/providers/Microsoft.Network/virtualNetworks/secops_base_images-vnet/subnets/packer_build]
module.packer_resources.azurerm_subnet_network_security_group_association.packer_build[0]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images_build-rg/providers/Microsoft.Network/virtualNetworks/secops_base_images-vnet/subnets/packer_build]
azurerm_shared_image.shared_image["jammy"]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg/providers/Microsoft.Compute/galleries/secops_base_images/images/Canonical-0001-com-ubuntu-minimal-jammy-minimal-22_04-lts-min2204]
azurerm_shared_image.shared_image["github_runner"]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg/providers/Microsoft.Compute/galleries/secops_base_images/images/Canonical-0002-com-ubuntu-minimal-bionic-daily-minimal-18_04-daily-lts-minimal]
azurerm_shared_image.shared_image["focal"]: Refreshing state... [id=/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg/providers/Microsoft.Compute/galleries/secops_base_images/images/Canonical-0001-com-ubuntu-minimal-focal-minimal-20_04-lts-min2004]
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
~ update in-place
- destroy
<= read (data resources)
Terraform will perform the following actions:
# data.github_actions_public_key.public_key["focal"] will be read during apply
# (depends on a resource or a module with changes pending)
<= data "github_actions_public_key" "public_key" {
+ id = (known after apply)
+ key = (known after apply)
+ key_id = (known after apply)
+ repository = "secops-baseos-focal-minimal-20_04-lts-min2004"
}
# data.github_actions_public_key.public_key["github_runner"] will be read during apply
# (depends on a resource or a module with changes pending)
<= data "github_actions_public_key" "public_key" {
+ id = (known after apply)
+ key = (known after apply)
+ key_id = (known after apply)
+ repository = "secops-baseos-github_runner-minimal-18_04-daily-lts-minimal"
}
# azurerm_shared_image.shared_image["jammy"] will be destroyed
# (because key ["jammy"] is not in for_each map)
- resource "azurerm_shared_image" "shared_image" {
- accelerated_network_support_enabled = false -> null
- architecture = "x64" -> null
- confidential_vm_enabled = false -> null
- confidential_vm_supported = false -> null
- disk_types_not_allowed = [] -> null
- gallery_name = "secops_base_images" -> null
- hyper_v_generation = "V1" -> null
- id = "/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg/providers/Microsoft.Compute/galleries/secops_base_images/images/Canonical-0001-com-ubuntu-minimal-jammy-minimal-22_04-lts-min2204" -> null
- location = "uksouth" -> null
- max_recommended_memory_in_gb = 0 -> null
- max_recommended_vcpu_count = 0 -> null
- min_recommended_memory_in_gb = 0 -> null
- min_recommended_vcpu_count = 0 -> null
- name = "Canonical-0001-com-ubuntu-minimal-jammy-minimal-22_04-lts-min2204" -> null
- os_type = "Linux" -> null
- resource_group_name = "secops_base_images-rg" -> null
- specialized = false -> null
- tags = {} -> null
- trusted_launch_enabled = false -> null
- identifier {
- offer = "0001-com-ubuntu-minimal-jammy-minimal-22_04-lts" -> null
- publisher = "Contino" -> null
- sku = "min2204" -> null
}
}
# github_actions_secret.ARM_CLIENT_ID["jammy"] will be destroyed
# (because key ["jammy"] is not in for_each map)
- resource "github_actions_secret" "ARM_CLIENT_ID" {
- created_at = "2023-03-25 07:53:50 +0000 UTC" -> null
- id = "secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_CLIENT_ID" -> null
- plaintext_value = (sensitive value) -> null
- repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- secret_name = "ARM_CLIENT_ID" -> null
- updated_at = "2023-03-25 07:53:50 +0000 UTC" -> null
}
# github_actions_secret.ARM_CLIENT_SECRET["focal"] will be created
+ resource "github_actions_secret" "ARM_CLIENT_SECRET" {
+ created_at = (known after apply)
+ id = (known after apply)
+ plaintext_value = (sensitive value)
+ repository = "secops-baseos-focal-minimal-20_04-lts-min2004"
+ secret_name = "ARM_CLIENT_SECRET"
+ updated_at = (known after apply)
}
# github_actions_secret.ARM_CLIENT_SECRET["github_runner"] will be created
+ resource "github_actions_secret" "ARM_CLIENT_SECRET" {
+ created_at = (known after apply)
+ id = (known after apply)
+ plaintext_value = (sensitive value)
+ repository = "secops-baseos-github_runner-minimal-18_04-daily-lts-minimal"
+ secret_name = "ARM_CLIENT_SECRET"
+ updated_at = (known after apply)
}
# github_actions_secret.ARM_CLIENT_SECRET["jammy"] will be destroyed
# (because key ["jammy"] is not in for_each map)
- resource "github_actions_secret" "ARM_CLIENT_SECRET" {
- created_at = "2023-03-25 07:53:53 +0000 UTC" -> null
- id = "secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_CLIENT_SECRET" -> null
- plaintext_value = (sensitive value) -> null
- repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- secret_name = "ARM_CLIENT_SECRET" -> null
- updated_at = "2023-03-25 07:53:53 +0000 UTC" -> null
}
# github_actions_secret.ARM_TENANT_ID["jammy"] will be destroyed
# (because key ["jammy"] is not in for_each map)
- resource "github_actions_secret" "ARM_TENANT_ID" {
- created_at = "2023-03-25 07:53:55 +0000 UTC" -> null
- id = "secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_TENANT_ID" -> null
- plaintext_value = (sensitive value) -> null
- repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- secret_name = "ARM_TENANT_ID" -> null
- updated_at = "2023-03-25 07:53:55 +0000 UTC" -> null
}
# github_actions_secret.AZURE_CREDENTIALS["jammy"] will be destroyed
# (because key ["jammy"] is not in for_each map)
- resource "github_actions_secret" "AZURE_CREDENTIALS" {
- created_at = "2023-03-25 07:54:14 +0000 UTC" -> null
- id = "secops-baseos-jammy-minimal-22_04-lts-min2204:AZURE_CREDENTIALS" -> null
- plaintext_value = (sensitive value) -> null
- repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- secret_name = "AZURE_CREDENTIALS" -> null
- updated_at = "2023-03-25 07:54:14 +0000 UTC" -> null
}
# github_actions_secret.PAT["jammy"] will be destroyed
# (because key ["jammy"] is not in for_each map)
- resource "github_actions_secret" "PAT" {
- created_at = "2023-03-25 07:54:05 +0000 UTC" -> null
- id = "secops-baseos-jammy-minimal-22_04-lts-min2204:PAT" -> null
- plaintext_value = (sensitive value) -> null
- repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- secret_name = "PAT" -> null
- updated_at = "2023-03-25 07:54:05 +0000 UTC" -> null
}
# github_actions_secret.subscriptionid["jammy"] will be destroyed
# (because key ["jammy"] is not in for_each map)
- resource "github_actions_secret" "subscriptionid" {
- created_at = "2023-03-25 07:53:59 +0000 UTC" -> null
- id = "secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_SUBSCRIPTION_ID" -> null
- plaintext_value = (sensitive value) -> null
- repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- secret_name = "ARM_SUBSCRIPTION_ID" -> null
- updated_at = "2023-03-25 07:53:59 +0000 UTC" -> null
}
# github_repository.base_images["jammy"] will be destroyed
# (because key ["jammy"] is not in for_each map)
- resource "github_repository" "base_images" {
- allow_auto_merge = false -> null
- allow_merge_commit = true -> null
- allow_rebase_merge = true -> null
- allow_squash_merge = true -> null
- allow_update_branch = false -> null
- archived = false -> null
- default_branch = "main" -> null
- delete_branch_on_merge = false -> null
- etag = "W/\"93d2a9ff9930e8a9509989a3e2629d4014268e7c4aa38068d0b321c18a695b55\"" -> null
- full_name = "pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- git_clone_url = "git://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204.git" -> null
- has_discussions = false -> null
- has_downloads = false -> null
- has_issues = false -> null
- has_projects = false -> null
- has_wiki = false -> null
- html_url = "https://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- http_clone_url = "https://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204.git" -> null
- id = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- is_template = false -> null
- merge_commit_message = "PR_TITLE" -> null
- merge_commit_title = "MERGE_MESSAGE" -> null
- name = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- node_id = "R_kgDOJOE5NA" -> null
- private = true -> null
- repo_id = 618740020 -> null
- squash_merge_commit_message = "COMMIT_MESSAGES" -> null
- squash_merge_commit_title = "COMMIT_OR_PR_TITLE" -> null
- ssh_clone_url = "git@github.com:pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204.git" -> null
- svn_url = "https://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- topics = [] -> null
- visibility = "private" -> null
- vulnerability_alerts = false -> null
- template {
- include_all_branches = false -> null
- owner = "pknw1-example-business" -> null
- repository = "secops-baseos-template" -> null
}
}
# github_repository_file.cis["github_runner"] will be updated in-place
~ resource "github_repository_file" "cis" {
~ content = <<-EOT
---
- name: Run cis
hosts: localhost
become: true
connection: local
- vars-files:
- - vars.yml
roles:
- UBUNTU18-CIS
EOT
id = "secops-baseos-github_runner-minimal-18_04-daily-lts-minimal/custom/playbooks/playbook.yml"
# (9 unchanged attributes hidden)
}
# github_repository_file.cis["jammy"] will be destroyed
# (because key ["jammy"] is not in for_each map)
- resource "github_repository_file" "cis" {
- branch = "main" -> null
- commit_author = "Terraform User" -> null
- commit_email = "terraform@example.com" -> null
- commit_message = "Add custom/playbooks/playbook.yml" -> null
- commit_sha = "3589f34f056bd3b94f62205d26ec6c5ecbe021ba" -> null
- content = <<-EOT
---
- name: Run cis
hosts: localhost
become: true
connection: local
roles:
- UBUNTU22-CIS
EOT -> null
- file = "custom/playbooks/playbook.yml" -> null
- id = "secops-baseos-jammy-minimal-22_04-lts-min2204/custom/playbooks/playbook.yml" -> null
- overwrite_on_create = true -> null
- repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- sha = "35a84d3d12264ae4ae8c52586c452342822e51fd" -> null
}
# github_repository_file.readme["jammy"] will be destroyed
# (because key ["jammy"] is not in for_each map)
- resource "github_repository_file" "readme" {
- branch = "main" -> null
- commit_author = "Terraform User" -> null
- commit_email = "terraform@example.com" -> null
- commit_message = "Add README1ST.MD" -> null
- commit_sha = "bccd6353b140f41351ac626271a8fa62653ee36e" -> null
- content = "# update the [ARM_CLIENT_SECRET](https://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204/settings/secrets/actions/ARM_CLIENT_SECRET) value first!" -> null
- file = "README1ST.MD" -> null
- id = "secops-baseos-jammy-minimal-22_04-lts-min2204/README1ST.MD" -> null
- overwrite_on_create = true -> null
- repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- sha = "70bc796e8db8f22b0f2d8c2a8024a5faefd0525e" -> null
}
# github_repository_file.roles["jammy"] will be destroyed
# (because key ["jammy"] is not in for_each map)
- resource "github_repository_file" "roles" {
- branch = "main" -> null
- commit_author = "Terraform User" -> null
- commit_email = "terraform@example.com" -> null
- commit_message = "Add custom/roles/requirements.yml" -> null
- commit_sha = "0b6261b73cd990e978fd8ef7a4a095c33c78265c" -> null
- content = "- src: https://github.com/ansible-lockdown/UBUNTU22-CIS" -> null
- file = "custom/roles/requirements.yml" -> null
- id = "secops-baseos-jammy-minimal-22_04-lts-min2204/custom/roles/requirements.yml" -> null
- overwrite_on_create = true -> null
- repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- sha = "c7dcb902b472a2af2bb36425d6dc16391d8798e8" -> null
}
# github_repository_file.tfvars["jammy"] will be destroyed
# (because key ["jammy"] is not in for_each map)
- resource "github_repository_file" "tfvars" {
- branch = "main" -> null
- commit_author = "Terraform User" -> null
- commit_email = "terraform@example.com" -> null
- commit_message = "Managed by Terraform" -> null
- commit_sha = "8c5298bf9a5c16eec9df3cb60472ebb94fe93d8e" -> null
- content = <<-EOT
location="uksouth"
subscription_id="625b66d7-5b11-40fb-99ab-ba303c13ea88"
client_id="3feae6c2-10c3-43fc-ace1-6d631620c52a"
tenant_id="538cf6fd-f5d4-4451-8e4a-88c34f2f2619"
azure_source_image_publisher="Canonical"
azure_source_image_offer="0001-com-ubuntu-minimal-jammy"
azure_source_image_sku="minimal-22_04-lts"
shared_image_gallery_destination_subscription_id=""
shared_image_gallery_destination_resource_group="secops_base_images-rg"
shared_image_gallery_destination_gallery_name="secops_base_images"
cis_role_url= "https://github.com/ansible-lockdown/UBUNTU22-CIS"
custom_label="min2204"
build_resource_group_name="secops_base_images_build-rg"
managed_image_resource_group_name="secops_base_images-rg"
EOT -> null
- file = "dev.tfvars" -> null
- id = "secops-baseos-jammy-minimal-22_04-lts-min2204/dev.tfvars" -> null
- overwrite_on_create = true -> null
- repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null
- sha = "77e004dc1c91aaf293f5ffb329b70e18d87e50e0" -> null
}
# module.packer_resources.azurerm_network_security_rule.packer_build_inbound[0] will be created
+ resource "azurerm_network_security_rule" "packer_build_inbound" {
+ access = "Allow"
+ destination_address_prefix = "*"
+ destination_port_range = "22"
+ direction = "Inbound"
+ id = (known after apply)
+ name = "sshin"
+ network_security_group_name = "packer_nsg"
+ priority = 110
+ protocol = "Tcp"
+ resource_group_name = "secops_base_images_build-rg"
+ source_address_prefix = "*"
+ source_port_range = "*"
}
# module.packer_resources.azurerm_network_security_rule.packer_build_out will be created
+ resource "azurerm_network_security_rule" "packer_build_out" {
+ access = "Allow"
+ destination_address_prefix = "*"
+ destination_port_range = "*"
+ direction = "Outbound"
+ id = (known after apply)
+ name = "allout"
+ network_security_group_name = "packer_nsg"
+ priority = 110
+ protocol = "Tcp"
+ resource_group_name = "secops_base_images_build-rg"
+ source_address_prefix = "*"
+ source_port_range = "*"
}
Plan: 4 to add, 1 to change, 12 to destroy.
─────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
::debug::Terraform exited with code 0.
null%0A - hyper_v_generation = "V1" -> null%0A - id = "/subscriptions/625b66d7-5b11-40fb-99ab-ba303c13ea88/resourceGroups/secops_base_images-rg/providers/Microsoft.Compute/galleries/secops_base_images/images/Canonical-0001-com-ubuntu-minimal-jammy-minimal-22_04-lts-min2204" -> null%0A - location = "uksouth" -> null%0A - max_recommended_memory_in_gb = 0 -> null%0A - max_recommended_vcpu_count = 0 -> null%0A - min_recommended_memory_in_gb = 0 -> null%0A - min_recommended_vcpu_count = 0 -> null%0A - name = "Canonical-0001-com-ubuntu-minimal-jammy-minimal-22_04-lts-min2204" -> null%0A - os_type = "Linux" -> null%0A - resource_group_name = "secops_base_images-rg" -> null%0A - specialized = false -> null%0A - tags = {} -> null%0A - trusted_launch_enabled = false -> null%0A%0A - identifier {%0A - offer = "0001-com-ubuntu-minimal-jammy-minimal-22_04-lts" -> null%0A - publisher = "Contino" -> null%0A - sku = "min2204" -> null%0A }%0A }%0A%0A # github_actions_secret.ARM_CLIENT_ID["jammy"] will be destroyed%0A # (because key ["jammy"] is not in for_each map)%0A - resource "github_actions_secret" "ARM_CLIENT_ID" {%0A - created_at = "2023-03-25 07:53:50 +0000 UTC" -> null%0A - id = "secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_CLIENT_ID" -> null%0A - plaintext_value = (sensitive value) -> null%0A - repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - secret_name = "ARM_CLIENT_ID" -> null%0A - updated_at = "2023-03-25 07:53:50 +0000 UTC" -> null%0A }%0A%0A # github_actions_secret.ARM_CLIENT_SECRET["focal"] will be created%0A + resource "github_actions_secret" "ARM_CLIENT_SECRET" {%0A + created_at = (known after apply)%0A + id = (known after apply)%0A + plaintext_value = (sensitive value)%0A + repository = "secops-baseos-focal-minimal-20_04-lts-min2004"%0A + secret_name = "ARM_CLIENT_SECRET"%0A + updated_at = (known after apply)%0A }%0A%0A # github_actions_secret.ARM_CLIENT_SECRET["github_runner"] will be created%0A + resource "github_actions_secret" 
"ARM_CLIENT_SECRET" {%0A + created_at = (known after apply)%0A + id = (known after apply)%0A + plaintext_value = (sensitive value)%0A + repository = "secops-baseos-github_runner-minimal-18_04-daily-lts-minimal"%0A + secret_name = "ARM_CLIENT_SECRET"%0A + updated_at = (known after apply)%0A }%0A%0A # github_actions_secret.ARM_CLIENT_SECRET["jammy"] will be destroyed%0A # (because key ["jammy"] is not in for_each map)%0A - resource "github_actions_secret" "ARM_CLIENT_SECRET" {%0A - created_at = "2023-03-25 07:53:53 +0000 UTC" -> null%0A - id = "secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_CLIENT_SECRET" -> null%0A - plaintext_value = (sensitive value) -> null%0A - repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - secret_name = "ARM_CLIENT_SECRET" -> null%0A - updated_at = "2023-03-25 07:53:53 +0000 UTC" -> null%0A }%0A%0A # github_actions_secret.ARM_TENANT_ID["jammy"] will be destroyed%0A # (because key ["jammy"] is not in for_each map)%0A - resource "github_actions_secret" "ARM_TENANT_ID" {%0A - created_at = "2023-03-25 07:53:55 +0000 UTC" -> null%0A - id = "secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_TENANT_ID" -> null%0A - plaintext_value = (sensitive value) -> null%0A - repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - secret_name = "ARM_TENANT_ID" -> null%0A - updated_at = "2023-03-25 07:53:55 +0000 UTC" -> null%0A }%0A%0A # github_actions_secret.AZURE_CREDENTIALS["jammy"] will be destroyed%0A # (because key ["jammy"] is not in for_each map)%0A - resource "github_actions_secret" "AZURE_CREDENTIALS" {%0A - created_at = "2023-03-25 07:54:14 +0000 UTC" -> null%0A - id = "secops-baseos-jammy-minimal-22_04-lts-min2204:AZURE_CREDENTIALS" -> null%0A - plaintext_value = (sensitive value) -> null%0A - repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - secret_name = "AZURE_CREDENTIALS" -> null%0A - updated_at = "2023-03-25 07:54:14 +0000 UTC" -> null%0A }%0A%0A # 
github_actions_secret.PAT["jammy"] will be destroyed%0A # (because key ["jammy"] is not in for_each map)%0A - resource "github_actions_secret" "PAT" {%0A - created_at = "2023-03-25 07:54:05 +0000 UTC" -> null%0A - id = "secops-baseos-jammy-minimal-22_04-lts-min2204:PAT" -> null%0A - plaintext_value = (sensitive value) -> null%0A - repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - secret_name = "PAT" -> null%0A - updated_at = "2023-03-25 07:54:05 +0000 UTC" -> null%0A }%0A%0A # github_actions_secret.subscriptionid["jammy"] will be destroyed%0A # (because key ["jammy"] is not in for_each map)%0A - resource "github_actions_secret" "subscriptionid" {%0A - created_at = "2023-03-25 07:53:59 +0000 UTC" -> null%0A - id = "secops-baseos-jammy-minimal-22_04-lts-min2204:ARM_SUBSCRIPTION_ID" -> null%0A - plaintext_value = (sensitive value) -> null%0A - repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - secret_name = "ARM_SUBSCRIPTION_ID" -> null%0A - updated_at = "2023-03-25 07:53:59 +0000 UTC" -> null%0A }%0A%0A # github_repository.base_images["jammy"] will be destroyed%0A # (because key ["jammy"] is not in for_each map)%0A - resource "github_repository" "base_images" {%0A - allow_auto_merge = false -> null%0A - allow_merge_commit = true -> null%0A - allow_rebase_merge = true -> null%0A - allow_squash_merge = true -> null%0A - allow_update_branch = false -> null%0A - archived = false -> null%0A - default_branch = "main" -> null%0A - delete_branch_on_merge = false -> null%0A - etag = "W/\"93d2a9ff9930e8a9509989a3e2629d4014268e7c4aa38068d0b321c18a695b55\"" -> null%0A - full_name = "pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - git_clone_url = "git://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204.git" -> null%0A - has_discussions = false -> null%0A - has_downloads = false -> null%0A - has_issues = false -> null%0A - has_projects = false -> null%0A - has_wiki = 
false -> null%0A - html_url = "https://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - http_clone_url = "https://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204.git" -> null%0A - id = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - is_template = false -> null%0A - merge_commit_message = "PR_TITLE" -> null%0A - merge_commit_title = "MERGE_MESSAGE" -> null%0A - name = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - node_id = "R_kgDOJOE5NA" -> null%0A - private = true -> null%0A - repo_id = 618740020 -> null%0A - squash_merge_commit_message = "COMMIT_MESSAGES" -> null%0A - squash_merge_commit_title = "COMMIT_OR_PR_TITLE" -> null%0A - ssh_clone_url = "git@github.com:pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204.git" -> null%0A - svn_url = "https://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - topics = [] -> null%0A - visibility = "private" -> null%0A - vulnerability_alerts = false -> null%0A%0A - template {%0A - include_all_branches = false -> null%0A - owner = "pknw1-example-business" -> null%0A - repository = "secops-baseos-template" -> null%0A }%0A }%0A%0A # github_repository_file.cis["github_runner"] will be updated in-place%0A ~ resource "github_repository_file" "cis" {%0A ~ content = <<-EOT%0A ---%0A - name: Run cis%0A hosts: localhost%0A become: true%0A connection: local%0A - vars-files:%0A - - vars.yml%0A roles:%0A - UBUNTU18-CIS%0A EOT%0A id = "secops-baseos-github_runner-minimal-18_04-daily-lts-minimal/custom/playbooks/playbook.yml"%0A # (9 unchanged attributes hidden)%0A }%0A%0A # github_repository_file.cis["jammy"] will be destroyed%0A # (because key ["jammy"] is not in for_each map)%0A - resource "github_repository_file" "cis" {%0A - branch = "main" -> null%0A - commit_author = "Terraform User" -> null%0A - commit_email = "terraform@example.com" -> null%0A - commit_message = "Add 
custom/playbooks/playbook.yml" -> null%0A - commit_sha = "3589f34f056bd3b94f62205d26ec6c5ecbe021ba" -> null%0A - content = <<-EOT%0A ---%0A - name: Run cis%0A hosts: localhost%0A become: true%0A connection: local%0A roles:%0A - UBUNTU22-CIS%0A EOT -> null%0A - file = "custom/playbooks/playbook.yml" -> null%0A - id = "secops-baseos-jammy-minimal-22_04-lts-min2204/custom/playbooks/playbook.yml" -> null%0A - overwrite_on_create = true -> null%0A - repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - sha = "35a84d3d12264ae4ae8c52586c452342822e51fd" -> null%0A }%0A%0A # github_repository_file.readme["jammy"] will be destroyed%0A # (because key ["jammy"] is not in for_each map)%0A - resource "github_repository_file" "readme" {%0A - branch = "main" -> null%0A - commit_author = "Terraform User" -> null%0A - commit_email = "terraform@example.com" -> null%0A - commit_message = "Add README1ST.MD" -> null%0A - commit_sha = "bccd6353b140f41351ac626271a8fa62653ee36e" -> null%0A - content = "# update the [ARM_CLIENT_SECRET](https://github.com/pknw1-example-business/secops-baseos-jammy-minimal-22_04-lts-min2204/settings/secrets/actions/ARM_CLIENT_SECRET) value first!" 
-> null%0A - file = "README1ST.MD" -> null%0A - id = "secops-baseos-jammy-minimal-22_04-lts-min2204/README1ST.MD" -> null%0A - overwrite_on_create = true -> null%0A - repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - sha = "70bc796e8db8f22b0f2d8c2a8024a5faefd0525e" -> null%0A }%0A%0A # github_repository_file.roles["jammy"] will be destroyed%0A # (because key ["jammy"] is not in for_each map)%0A - resource "github_repository_file" "roles" {%0A - branch = "main" -> null%0A - commit_author = "Terraform User" -> null%0A - commit_email = "terraform@example.com" -> null%0A - commit_message = "Add custom/roles/requirements.yml" -> null%0A - commit_sha = "0b6261b73cd990e978fd8ef7a4a095c33c78265c" -> null%0A - content = "- src: https://github.com/ansible-lockdown/UBUNTU22-CIS" -> null%0A - file = "custom/roles/requirements.yml" -> null%0A - id = "secops-baseos-jammy-minimal-22_04-lts-min2204/custom/roles/requirements.yml" -> null%0A - overwrite_on_create = true -> null%0A - repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - sha = "c7dcb902b472a2af2bb36425d6dc16391d8798e8" -> null%0A }%0A%0A # github_repository_file.tfvars["jammy"] will be destroyed%0A # (because key ["jammy"] is not in for_each map)%0A - resource "github_repository_file" "tfvars" {%0A - branch = "main" -> null%0A - commit_author = "Terraform User" -> null%0A - commit_email = "terraform@example.com" -> null%0A - commit_message = "Managed by Terraform" -> null%0A - commit_sha = "8c5298bf9a5c16eec9df3cb60472ebb94fe93d8e" -> null%0A - content = <<-EOT%0A location="uksouth"%0A subscription_id="625b66d7-5b11-40fb-99ab-ba303c13ea88"%0A client_id="3feae6c2-10c3-43fc-ace1-6d631620c52a"%0A tenant_id="538cf6fd-f5d4-4451-8e4a-88c34f2f2619"%0A azure_source_image_publisher="Canonical"%0A azure_source_image_offer="0001-com-ubuntu-minimal-jammy"%0A azure_source_image_sku="minimal-22_04-lts"%0A shared_image_gallery_destination_subscription_id=""%0A 
shared_image_gallery_destination_resource_group="secops_base_images-rg"%0A shared_image_gallery_destination_gallery_name="secops_base_images"%0A cis_role_url= "https://github.com/ansible-lockdown/UBUNTU22-CIS"%0A custom_label="min2204"%0A build_resource_group_name="secops_base_images_build-rg"%0A managed_image_resource_group_name="secops_base_images-rg"%0A EOT -> null%0A - file = "dev.tfvars" -> null%0A - id = "secops-baseos-jammy-minimal-22_04-lts-min2204/dev.tfvars" -> null%0A - overwrite_on_create = true -> null%0A - repository = "secops-baseos-jammy-minimal-22_04-lts-min2204" -> null%0A - sha = "77e004dc1c91aaf293f5ffb329b70e18d87e50e0" -> null%0A }%0A%0A # module.packer_resources.azurerm_network_security_rule.packer_build_inbound[0] will be created%0A + resource "azurerm_network_security_rule" "packer_build_inbound" {%0A + access = "Allow"%0A + destination_address_prefix = "*"%0A + destination_port_range = "22"%0A + direction = "Inbound"%0A + id = (known after apply)%0A + name = "sshin"%0A + network_security_group_name = "packer_nsg"%0A + priority = 110%0A + protocol = "Tcp"%0A + resource_group_name = "secops_base_images_build-rg"%0A + source_address_prefix = "*"%0A + source_port_range = "*"%0A }%0A%0A # module.packer_resources.azurerm_network_security_rule.packer_build_out will be created%0A + resource "azurerm_network_security_rule" "packer_build_out" {%0A + access = "Allow"%0A + destination_address_prefix = "*"%0A + destination_port_range = "*"%0A + direction = "Outbound"%0A + id = (known after apply)%0A + name = "allout"%0A + network_security_group_name = "packer_nsg"%0A + priority = 110%0A + protocol = "Tcp"%0A + resource_group_name = "secops_base_images_build-rg"%0A + source_address_prefix = "*"%0A + source_port_range = "*"%0A }%0A%0APlan: 4 to add, 1 to change, 12 to destroy.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ANote: You didn't use the -out option to save this plan, so Terraform can't%0Aguarantee to 
take exactly these actions if you run "terraform apply" now.%0A
::debug::stderr:
::debug::exitcode: 0
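Two things in the plan above deserve a deliberate look before anyone merges: the sshin rule is created with source_address_prefix "*", so TCP/22 on the Packer build subnet is reachable from any source for the life of the build, and 12 resources (the jammy repo, its secrets, its files and its SIG image definition) are destroyed simply because the jammy key is no longer in the for_each map. The script below is an added example, not code from the secops-infrastructure repo: it reads the machine-readable plan produced by `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` (Terraform's standard JSON plan format) and fails if either condition is present. The function names, the watchlist of resource types and the sample plan are mine; the sample is constructed to mirror the plan shown above.

```python
"""Gate a Terraform plan before it is merged to main (added example).

Reads `terraform show -json` output and flags:
  * NSG rules that will allow inbound traffic from any source after apply
  * destroys of GitHub repositories or SIG image definitions
"""
import json
import sys

ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}          # Azure spellings of "everyone"
DESTROY_WATCHLIST = {"github_repository", "azurerm_shared_image"}


def open_inbound_rules(plan: dict) -> list:
    """NSG rules that exist after apply and allow Inbound from any source."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_network_security_rule":
            continue
        after = (rc.get("change") or {}).get("after") or {}
        if not after:                       # being destroyed: nothing open afterwards
            continue
        if (after.get("direction") == "Inbound"
                and after.get("access") == "Allow"
                and after.get("source_address_prefix") in ANY_SOURCE):
            findings.append({
                "address": rc["address"],
                "name": after.get("name"),
                "protocol": after.get("protocol"),
                "port": after.get("destination_port_range"),
            })
    return findings


def watched_destroys(plan: dict) -> list:
    """Addresses of repos / image definitions the plan would delete."""
    return [
        rc["address"]
        for rc in plan.get("resource_changes", [])
        if rc.get("type") in DESTROY_WATCHLIST
        and "delete" in (rc.get("change") or {}).get("actions", [])
    ]


def review_plan(plan: dict) -> dict:
    return {"open_inbound": open_inbound_rules(plan),
            "destroys": watched_destroys(plan)}


# Constructed sample (not a real plan file) mirroring the plan printed above.
SAMPLE_PLAN = {
    "format_version": "1.1",
    "resource_changes": [
        {"address": "module.packer_resources.azurerm_network_security_rule.packer_build_inbound[0]",
         "type": "azurerm_network_security_rule",
         "change": {"actions": ["create"], "before": None, "after": {
             "name": "sshin", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
             "priority": 110, "source_address_prefix": "*", "source_port_range": "*",
             "destination_address_prefix": "*", "destination_port_range": "22"}}},
        {"address": "module.packer_resources.azurerm_network_security_rule.packer_build_out",
         "type": "azurerm_network_security_rule",
         "change": {"actions": ["create"], "before": None, "after": {
             "name": "allout", "direction": "Outbound", "access": "Allow", "protocol": "Tcp",
             "priority": 110, "source_address_prefix": "*", "source_port_range": "*",
             "destination_address_prefix": "*", "destination_port_range": "*"}}},
        {"address": 'github_repository.base_images["jammy"]',
         "type": "github_repository",
         "change": {"actions": ["delete"], "after": None}},
        {"address": 'azurerm_shared_image.shared_image["jammy"]',
         "type": "azurerm_shared_image",
         "change": {"actions": ["delete"], "after": None}},
        {"address": 'github_actions_secret.ARM_CLIENT_SECRET["focal"]',
         "type": "github_actions_secret",
         "change": {"actions": ["create"], "after": {"secret_name": "ARM_CLIENT_SECRET"}}},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # usage: python plan_gate.py plan.json
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    report = review_plan(plan)
    for f in report["open_inbound"]:
        print(f"OPEN INBOUND: {f['address']} ({f['name']}) {f['protocol']}/{f['port']} from any source")
    for addr in report["destroys"]:
        print(f"DESTROY: {addr}")
    sys.exit(1 if report["open_inbound"] or report["destroys"] else 0)
```

Run it as a required check on the pull request so the plan is saved with -out (which also removes the "can't guarantee to take exactly these actions" caveat at the end of the log) and reviewed before apply; a build that only ever connects from a known runner can narrow source_address_prefix to that address range rather than "*".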
Creating the Custom OS repository
Required
- permission to merge to main
- access to the ARM_CLIENT_SECRET value to update the new repo
Create a pull request and, if the checks pass, merge into main.

When you merge into main, a new repository is created for this customisation
using the template repo https://github.com/pknw1-example-business/secops-baseos-template
The setup process is mostly automated and
- creates a new image definition in the SIG
- creates a new repo using a name generated from your definition
- creates a pre-populated dev.tfvars for your build
- creates custom/roles/requirements.yml to install the CIS role
- creates custom/playbooks/playbook.yml to run the CIS role
- creates the required GitHub secrets and populates them (ARM_CLIENT_SECRET is NOT SET)
You should now have a new repo with files and config custom to your build.
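Before opening the pull request it is worth previewing what the merge will generate from your entry in 05_custom_image_configurations.tf and linting the cis_role_url against the rules stated earlier on this page (https not ssh, a public github.com repository, no trailing .git), since a bad URL only surfaces once the new repo's build runs. The script below is an added example, not code from the secops-infrastructure repo or the template. The naming rules are inferred from the plan output above (repo = secops-baseos-<key>-<sku>-<label>, SIG image = <publisher>-<offer>-<sku>-<label>), REPO_PREFIX and the function names are mine, and the optional vars_file argument is my addition for the vars.yml described earlier; the Ansible play key is vars_files with an underscore (the plan above shows a vars-files spelling being removed, which Ansible would reject as an invalid play attribute).

```python
"""Preview the repo, SIG image and files the merge-to-main automation creates
for one entry of the `images` map, and lint the entry first (added example)."""
from typing import Optional
from urllib.parse import urlparse

REPO_PREFIX = "secops-baseos"   # inferred from the repo names in the plan output


def lint_cis_role_url(url: str) -> list:
    """Problems with a cis_role_url per this page's rules; empty list if acceptable."""
    problems = []
    if url.startswith(("git@", "ssh://")):
        problems.append("use the https URL, not ssh")
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("scheme must be https")
    if parsed.netloc != "github.com":
        problems.append("role must be a public github.com repository")
    if parsed.path.endswith(".git"):
        problems.append("remove the trailing .git")
    if len([p for p in parsed.path.split("/") if p]) != 2:
        problems.append("expected https://github.com/<owner>/<role>")
    return problems


def role_name(url: str) -> str:
    """Directory name ansible-galaxy installs the role under, e.g. UBUNTU22-CIS."""
    return urlparse(url).path.rstrip("/").split("/")[-1].removesuffix(".git")


def derive(key: str, image: dict, vars_file: Optional[str] = None) -> dict:
    """Names and generated file contents for one `images` entry.

    vars_file is an option added here: when given, the play loads it through
    `vars_files` (underscore), the key Ansible actually accepts.
    """
    problems = lint_cis_role_url(image["cis_role_url"])
    if problems:
        raise ValueError(f"{key}: " + "; ".join(problems))
    role = role_name(image["cis_role_url"])
    play = [
        "---",
        "- name: Run cis",
        "  hosts: localhost",
        "  become: true",
        "  connection: local",
    ]
    if vars_file:
        play += ["  vars_files:", f"    - {vars_file}"]
    play += ["  roles:", f"    - {role}"]
    return {
        "repo": f"{REPO_PREFIX}-{key}-{image['input_sku']}-{image['image_label']}",
        "sig_image": "-".join([image["input_publisher"], image["input_offer"],
                               image["input_sku"], image["image_label"]]),
        "role": role,
        "custom/roles/requirements.yml": f"- src: {image['cis_role_url']}\n",
        "custom/playbooks/playbook.yml": "\n".join(play) + "\n",
    }


# The github_runner entry from 05_custom_image_configurations.tf shown earlier on this page.
GITHUB_RUNNER = {
    "input_publisher": "Canonical",
    "input_offer": "0002-com-ubuntu-minimal-bionic-daily",
    "input_sku": "minimal-18_04-daily-lts",
    "image_label": "minimal",
    "cis_role_url": "https://github.com/ansible-lockdown/UBUNTU18-CIS",
}

if __name__ == "__main__":
    out = derive("github_runner", GITHUB_RUNNER)
    print("repo:     ", out["repo"])
    print("SIG image:", out["sig_image"])
    print(out["custom/roles/requirements.yml"])
    print(out["custom/playbooks/playbook.yml"])
```

The generated requirements.yml matches what the automation writes (a bare `- src:` line); because that line has no `version:` pin, every build pulls whatever the role's default branch holds at that moment, so pinning to a tag or commit in the new repo's custom/roles/requirements.yml is the one manual step worth adding alongside setting ARM_CLIENT_SECRET.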

