feat(init): add gha and packer

Author: dungpham91

.github/workflows/packer.yml

@@ -0,0 +1,52 @@
+name: Build Packer AMI
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - "packer/**"
+
+permissions: read-all
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Packer
+        uses: hashicorp/setup-packer@1aa358be5cf73883762b302a3a03abd66e75b232 # v3.1.0
+
+      - name: Set up AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+
+      - name: Build Packer AMI
+        run: |
+          cd packer
+          packer fmt .
+          packer init .
+          packer validate build.pkr.hcl
+          packer build build.pkr.hcl
+
+  slack-notify:
+    needs:
+      - build
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+       - name: Slack notification
+         uses: come25136/workflow-notification-for-slack@main
+         with:
+           repo_token: ${{ secrets.GITHUB_TOKEN }}
+           slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/pr-check.yml

@@ -0,0 +1,51 @@
+name: PR Check
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - '**/*.tf'
+permissions: read-all
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  terraform-check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+        with:
+          terraform_version: '1.10.4'
+
+      - name: Check Terraform format
+        run: terraform fmt -recursive .
+
+      - name: Validate Terraform code
+        run: terraform validate
+
+      - name: Install Checkov
+        run: |
+          python -m pip install --upgrade pip
+          pip install checkov
+
+      - name: Scan Terraform with Checkov
+        run: checkov -d . --quiet
+
+  slack-notify:
+    needs:
+      - terraform-check
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+       - name: Slack notification
+         uses: come25136/workflow-notification-for-slack@main
+         with:
+           repo_token: ${{ secrets.GITHUB_TOKEN }}
+           slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

.gitignore

@@ -0,0 +1,38 @@
+# Terraform
+.terraform/
+
+# Local .tfstate files
+*.tfstate
+*.tfstate.*
+
+# .tfvars files that are included with version control
+*.tfvars
+
+# .tfvars files that are not included with version control
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Crash log files
+crash.log
+
+# Exclude all .tfplan files
+*.tfplan
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# If you use the "remote" backend, exclude the .terraform directory
+# since it will be populated with remote state files
+.terraform
+
+# Ignore .hcl files for CLI command configuration
+*.hcl
+
+# Except .hcl files in packer/ directory
+!packer/**/*.hcl
+
+# CLI .terraform directories (local)
+.tf/

atlantis.yaml

@@ -0,0 +1,13 @@
+version: 3
+projects:
+  - name: dev
+    dir: env/dev
+    workspace: default
+    autoplan:
+      enabled: true
+
+  - name: qa
+    dir: env/qa
+    workspace: default
+    autoplan:
+      enabled: true

packer/build.pkr.hcl

@@ -0,0 +1,149 @@
+#------------------------------------------------------------------------------
+# Packer plugin
+#------------------------------------------------------------------------------
+packer {
+  required_plugins {
+    amazon = {
+      source  = "github.com/hashicorp/amazon"
+      version = "v1.3.4"
+    }
+  }
+}
+
+#------------------------------------------------------------------------------
+# Variables
+#------------------------------------------------------------------------------
+variable "ami_name_prefix" {
+  type    = string
+  default = "amazon-eks-node"
+}
+
+variable "aws_tag_unit" {
+  type    = string
+  default = "devops"
+}
+
+variable "aws_tag_environment" {
+  type    = string
+  default = "dev"
+}
+
+variable "aws_tag_owner" {
+  type    = string
+  default = "devopslite"
+}
+
+variable "aws_tag_project" {
+  type    = string
+  default = "devopslite"
+}
+
+variable "region" {
+  type    = string
+  default = "us-east-1"
+}
+
+variable "vpc_id" {
+  type    = string
+  default = "vpc-09eaa132bddb868ba"
+}
+
+variable "public_subnet_id" {
+  type    = string
+  default = "subnet-09eafbc8bd301fc34"
+}
+
+variable "communicator" {
+  description = "communication method used for instance"
+  default     = "ssh"
+}
+
+variable "ssh_username" {
+  description = "ssh username for packer to use for provisioning"
+  default     = "ec2-user"
+}
+
+locals {
+  timestamp = timestamp()
+  date_part = formatdate("YYYYMMDD", local.timestamp)
+  time_part = formatdate("HHmmss", local.timestamp)
+  ami_name  = "${var.ami_name_prefix}-${local.date_part}-${local.time_part}"
+}
+
+#------------------------------------------------------------------------------
+# Sources
+#------------------------------------------------------------------------------
+source "amazon-ebs" "eks_node" {
+  ami_description             = "A node AMI used in EKS with Wazuh agent, based on Amazon Linux 2023."
+  ami_name                    = local.ami_name
+  instance_type               = "t3a.small"
+  region                      = var.region
+  vpc_id                      = var.vpc_id
+  subnet_id                   = var.public_subnet_id
+  associate_public_ip_address = true
+
+  source_ami_filter {
+    filters = {
+      architecture          = "x86_64"
+      name                  = "amazon-eks-node-al2023-x86_64-standard-1.31-*"
+      "root-device-type"    = "ebs"
+      "virtualization-type" = "hvm"
+    }
+
+    most_recent = true
+    owners      = ["602401143452"]
+  }
+
+  run_tags = {
+    Name        = local.ami_name
+    Environment = var.aws_tag_environment
+    Owners      = var.aws_tag_owner
+    Project     = var.aws_tag_project
+  }
+
+  run_volume_tags = {
+    Name        = local.ami_name
+    Environment = var.aws_tag_environment
+    Owners      = var.aws_tag_owner
+    Project     = var.aws_tag_project
+  }
+
+  tags = {
+    Name        = local.ami_name
+    Environment = var.aws_tag_environment
+    Owners      = var.aws_tag_owner
+    Project     = var.aws_tag_project
+  }
+
+  snapshot_tags = {
+    Name        = local.ami_name
+    Environment = var.aws_tag_environment
+    Owners      = var.aws_tag_owner
+    Project     = var.aws_tag_project
+  }
+
+  communicator = var.communicator
+  ssh_username = var.ssh_username
+}
+
+#------------------------------------------------------------------------------
+# Build AMI
+#------------------------------------------------------------------------------
+build {
+  sources = ["source.amazon-ebs.eks_node"]
+
+  provisioner "shell" {
+    inline = [
+      "sudo dnf upgrade -y",
+      "sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH",
+      "sudo bash -c 'cat > /etc/yum.repos.d/wazuh.repo << EOF\n[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-\\$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1\nEOF'",
+      "sudo dnf install -y wazuh-agent",
+      "sudo sed -i 's/<address>MANAGER_IP<\\/address>/<address>siem.devopslite.com<\\/address>/g' /var/ossec/etc/ossec.conf",
+      "sudo systemctl daemon-reload",
+      "sudo systemctl enable wazuh-agent",
+      "echo 'Completed install wazuh-agent' > /tmp/wazuh-agent-install.log",
+      "cat /tmp/wazuh-agent-install.log",
+      "sudo sed -i \"s/^enabled=1/enabled=0/\" /etc/yum.repos.d/wazuh.repo",
+    ]
+  }
+}