Repository Setup

Initialisation takes about 5 minutes and deploys the infrastructure that supports building and deploying images.

  • Before running the Apply workflow, update backend.tf and variables.tf

  • Add and configure the repository secrets (the ARM_* values are read by the azurerm provider and backend; the TF_VAR_* values populate the Terraform variables of the same name)

    • ARM_SUBSCRIPTION_ID

    • ARM_TENANT_ID

    • ARM_CLIENT_SECRET

    • ARM_CLIENT_ID

    • TF_VAR_client_secret

    • TF_VAR_PAT

Running the Apply workflow creates the following resources:

  • destination resource group
    • shared image gallery
    • managed images from build process
  • build resource group
    • build vNet
      • packer build subnet
      • GitHub runner subnet
        • GitHub Runner VM
          • linuxExtension Installer
            • Ansible
            • Terraform
            • Packer
            • AZ CLI
            • Docker
        • GitHub Runner Storage Accounts
  • NSG with an inbound rule for TCP 22 (SSH) to the runner subnet; restrict its source address range to the hosts that actually need to reach the runner VM

The solution uses two repositories: a parent repository that manages the shared infrastructure, and a child repository, created from the base OS template, that holds an image definition.

Create both repositories from the templates and perform the initial configuration:

gh repo create ORG/PARENT --template pknw1-example-business/secops-infrastructure --private
gh repo create ORG/CHILD --template pknw1-example-business/secops-baseos-template --private

configure secrets in the parent repository from a local .env file (one KEY=value line per secret listed above; keep this file out of version control)

gh repo clone ORG/PARENT && cd PARENT
gh secret set -f ./.env
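The following is an added example, not code from the secops-infrastructure repository: a pre-flight check for the .env file before it is handed to `gh secret set -f`. It fails if any of the six secrets the Apply workflow needs is absent or empty, or if the file is not listed in the repository's .gitignore, so a credential file cannot be committed by accident. The push_secrets wrapper and the assumption that .env sits in the repository root are mine, not the project's.

```shell
#!/bin/sh
# Added example, not code from the secops-infrastructure repository.
# Validates a .env file of repository secrets before `gh secret set -f` sends it.

REQUIRED_SECRETS="ARM_SUBSCRIPTION_ID ARM_TENANT_ID ARM_CLIENT_ID ARM_CLIENT_SECRET TF_VAR_client_secret TF_VAR_PAT"

# check_env_file FILE -> 0 if every required KEY=value line is present with a
# non-empty value, 1 otherwise (the offending names go to stderr)
check_env_file() {
  file="$1"; rc=0
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  for key in $REQUIRED_SECRETS; do
    # a bare KEY= line counts as missing: an empty secret would break the workflow later
    if ! grep -Eq "^${key}=.+" "$file"; then
      echo "missing or empty: $key" >&2
      rc=1
    fi
  done
  return $rc
}

# env_is_ignored REPO_DIR FILE -> 0 if FILE's name is an exact line in
# REPO_DIR/.gitignore (glob patterns such as *.env are not evaluated here;
# use `git check-ignore` inside a real checkout for the authoritative answer)
env_is_ignored() {
  name=$(basename "$2")
  [ -f "$1/.gitignore" ] && grep -Fxq "$name" "$1/.gitignore"
}

# push_secrets REPO_DIR: assumed usage, run the checks and then hand
# REPO_DIR/.env to gh exactly as the setup step above does
push_secrets() {
  check_env_file "$1/.env" || return 1
  env_is_ignored "$1" "$1/.env" || { echo ".env is not in $1/.gitignore; refusing" >&2; return 1; }
  (cd "$1" && gh secret set -f ./.env)
}
```

Run it as `push_secrets ./PARENT` from the directory into which you cloned the parent repository; nothing is sent to GitHub unless both checks pass.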

configure personalisation in the parent repository

modify backend.tf so that it points at the storage account and container that hold the remote state; the block carries no credentials, the ARM_* secrets authenticate the backend at run time

sample backend.tf:
vi backend.tf

terraform {
  backend "azurerm" {
    subscription_id      = "625b66d7-5b11-40fb-99ab-ba303c13ea88"
    resource_group_name  = "tf_state"
    storage_account_name = "continobakerytfstate"
    container_name       = "secops"
    key                  = "secops-infrastructure.tfstate"
  }
}

modify variables.tf: set the locals for your infrastructure (location, gallery, resource group and vNet names) and set template_repo to the name of the child repository

sample variables.tf:
vi variables.tf

locals {

  location                                          = "uksouth"
  shared_image_gallery_name                         = "secops_images"
  shared_image_gallery_resource_group_name          = "secops_images-rg"
  build_resource_group_name                         = "secops_images_build-rg"
  build_vnet_name                                   = "secops_images-vnet"
  managed_image_resource_group_name                 = "secops_images-rg"
}

variable "template_repo" { default = "secops-baseos-template" }

commit and push the base configuration; the Apply workflow then deploys the infrastructure

Adding an Image Definition

  • clone the child (template) repository
  • remotely add the PARENT secrets and values to the CHILD repository
  • the workflow creates a backend.tf configured for each iteration of the build process
    • if the source image were simply updated in place, Terraform would try to replace the existing image version rather than add a new one
    • the dynamic backend configuration gives each build its own state; this is safe because only build-time resources are deployed from that state
      • create the remote versions file with the source version
      • create dev.tfvars
      • create requirements.yml with the hardening role
      • create playlist.yml to apply the role
  • build dynamic pre-populated packer manifests
    • 01_packer_manifest-local.tf
    • 02_packer_manifest_azure_arm.tf
    • 03_packer_manifest_azure_chroot.tf
  • create a shared image definition in the shared image gallery
    • modify 99_image_definition_configuration.tf to add the definition
  • update the CIS role url
  • add any custom ansible playbooks & scripts
  • update dev.tfvars and the ansible files
  • apply



Operating the OS Image Repository

  • when an update is applied to the source image, the corresponding update to the child repository's version file causes the Validate and Apply workflow to run
  • the workflow creates the packer manifests with
    • the source image
    • the build-time resources
    • a list of any user-created files in /custom
      • shell scripts and ansible roles are added to the manifest
      • the basic install runs first, followed by the custom scripts
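The following is an added example, not code from the secops-baseos-template repository; it shows in working form what one build iteration has to produce, covering both the per-iteration backend.tf from "Adding an Image Definition" and the manifest assembly from /custom described just above. It renders a backend.tf whose state key is unique to the source image version, so a new version gets a fresh state instead of replacing the previous image, and emits Packer provisioner blocks for the user files under custom/ in a deterministic order after the base install. Assumptions that are mine rather than the project's: the state storage names are copied from the sample backend.tf, the version file holds one version string per line with # comments, the state key layout is <repo>/<version>.tfstate, and custom/ contains *.sh scripts and *.yml Ansible playbooks.

```shell
#!/bin/sh
# Added example; this is not code from the secops-baseos-template repository.
# Renders the per-build backend.tf and the Packer provisioners for custom/.
# Assumed: state storage names from the sample backend.tf, a one-version-per-line
# version file with '#' comments, and *.sh / *.yml user files under custom/.

STATE_RG="tf_state"
STATE_SA="continobakerytfstate"
STATE_CONTAINER="secops"

# read_source_version FILE -> first non-empty, non-comment line
read_source_version() {
  v=$(sed -n '/^[[:space:]]*#/d; /./{p;q;}' "$1")
  [ -n "$v" ] || { echo "no version in $1" >&2; return 1; }
  printf '%s\n' "$v"
}

# state_key REPO VERSION -> "<repo>/<version>.tfstate"; the version is
# validated so a crafted value cannot point the key at another repo's state
state_key() {
  case "$2" in
    ""|[!0-9A-Za-z]*|*[!0-9A-Za-z._-]*)
      echo "invalid version: '$2'" >&2; return 1 ;;
  esac
  printf '%s/%s.tfstate\n' "$1" "$2"
}

# render_backend REPO VERSION OUTFILE -> write the per-build backend.tf;
# a fresh key means a fresh state, so the previous image version is untouched
render_backend() {
  key=$(state_key "$1" "$2") || return 1
  cat > "$3" <<EOF
terraform {
  backend "azurerm" {
    resource_group_name  = "$STATE_RG"
    storage_account_name = "$STATE_SA"
    container_name       = "$STATE_CONTAINER"
    key                  = "$key"
  }
}
EOF
}

# render_provisioners DIR -> Packer HCL provisioners on stdout: shell scripts
# first, then playbooks, each group in sorted glob order so builds are
# reproducible; symlinks are skipped so a link cannot pull in a file from
# outside the custom directory
render_provisioners() {
  for f in "$1"/*.sh; do
    [ -f "$f" ] && [ ! -L "$f" ] || continue
    printf 'provisioner "shell" {\n  script = "%s"\n}\n' "$f"
  done
  for f in "$1"/*.yml; do
    [ -f "$f" ] && [ ! -L "$f" ] || continue
    printf 'provisioner "ansible" {\n  playbook_file = "%s"\n}\n' "$f"
  done
}
```

In the workflow these provisioner blocks would be appended after the base install provisioner in the generated manifest; rendering them from the directory listing rather than a hand-maintained list is what keeps the manifest in step with whatever is committed under /custom.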