docs: add docs how build gh base image (#43)

edersonbrilhante · web-flow · commit 459e1e23dc72 · 2025-06-09T17:03:25.000+03:00
diff --git a/docs/configurations/build/gh_base_image.md b/docs/configurations/build/gh_base_image.md
@@ -0,0 +1,75 @@
+# Building the GitHub Actions Base Image with Packer
+
+This guide explains how to build the Forge GitHub Actions runner base image using [Packer](https://www.packer.io/).
+
+## Prerequisites
+
+- [Packer](https://www.packer.io/downloads) installed
+- AWS CLI configured with credentials and permissions to build AMIs
+- The required VPC and subnet exist in your AWS account
+- (Optional) Splunk Observability credentials if you want to enable Splunk OTel Collector
+- (Optional) Teleport for secure SSH access
+
+## Required Variables
+
+You must provide the following variables to Packer:
+
+- `subnet_id`: The subnet where the instance will be launched
+- `vpc_id`: The VPC where the instance will be launched
+- `allowed_ssh_cidrs`: CIDR blocks allowed to SSH into the instance (for debugging)
+- `aws_region`: The AWS region to build the image in
+
+Example values:
+- `subnet_id=subnet-0123456789abcdef0`
+- `vpc_id=vpc-0123456789abcdef0`
+- `allowed_ssh_cidrs=10.0.0.0/8`
+- `aws_region=us-west-2`
+
+## (Optional) Splunk OTel Collector and Teleport
+
+If you want to include the Splunk OpenTelemetry Collector in your image, set the following environment variables **before** running Packer:
+
+```sh
+export SPLUNK_ACCESS_TOKEN=<your_splunk_access_token>
+export SPLUNK_REALM=<your_splunk_realm>
+```
+
+If you want to include Teleport or Splunk OTel Collector roles in the build, enable them in your Ansible playbook by uncommenting the roles:
+
+`forge/examples/build/ansible/build_gh_base_image.yaml`
+```yaml
+roles:
+  - role: teleport  
+  - role: splunk_otel_collector
+```
+
+## Build Command
+
+Run the following command from the directory containing your Packer template:
+
+```sh
+cd forge/examples/build/packer
+packer build \
+  -var "subnet_id=<your_subnet_id>" \
+  -var "vpc_id=<your_vpc_id>" \
+  -var "allowed_ssh_cidrs=<your_allowed_ssh_cidrs>" \
+  -var "aws_region=<your_aws_region>" \
+  .
+```
+
+**Example:**
+```sh
+cd forge/examples/build/packer
+packer build \
+  -var "subnet_id=subnet-0123456789abcdef0" \
+  -var "vpc_id=vpc-0123456789abcdef0" \
+  -var "allowed_ssh_cidrs=10.0.0.0/8" \
+  -var "aws_region=us-west-2" \
+  .
+```
+
+## Notes
+
+- Make sure your AWS user/role has permissions to create EC2 instances, AMIs, and related resources.
+- If you enable the Splunk OTel Collector, ensure your access token and realm are valid.
+- The resulting AMI can be used as the base image for Forge GitHub Actions runners.
diff --git a/docs/configurations/index.md b/docs/configurations/index.md
@@ -8,10 +8,12 @@ This guide helps you navigate ForgeMT configuration modules—from platform setu
 
 Start here if you're deploying for the first time:
 
-1. [First Tenant Deployment](./deployments/forge_tenant.md)
-2. [Tenant Usage Guide](../tenant-usage/index.md)
-3. [Secrets Reference](./secrets.md)
-4. [Module Dependency Guide](./dependency.md)
+1. [First Tenant Deployment](./deployments/new_tenant.md)
+2. [Build GitHub Actions Base Image](./build/gh_base_image.md)
+3. [EKS Deployment Example](./deployments/forge_eks.md)
+4. [Splunk Integration Example](./deployments/splunk_deployment.md)
+5. [Secrets Reference](./secrets.md)
+6. [Module Dependency Guide](./dependency.md)
 
 ---
 
@@ -68,26 +70,30 @@ Optional modules for observability, access, and compliance.
 
 | Item                     | Purpose                                       |
 |--------------------------|-----------------------------------------------|
-| `infra/secrets`          | Provisions secrets for GitHub Apps and Splunk |
 | [Secrets Reference](./secrets.md) | Documents required keys, formats, scopes |
 | [Dependency Guide](./dependency.md) | Shows setup order across modules     |
 
 ---
 
-## Deployment Scenarios
+## Deployment & Build Scenarios
 
 Ready-made configuration examples:
 
-- [First Tenant Deployment](./deployments/forge_tenant.md)
-- [Splunk Integration](./deployments/splunk_deployment.md)
+- [First Tenant Deployment](./deployments/new_tenant.md)
+- [Build GitHub Actions Base Image](./build/gh_base_image.md)
+- [EKS Deployment Example](./deployments/forge_eks.md)
+- [Splunk Integration Example](./deployments/splunk_deployment.md)
 
 View all: [Deployment Index](./deployments/index.md)
 
 ---
 
 ## Recommended Setup Order
 
-1. Deploy base `infra/` modules (VPCs, EKS, IAM, S3, etc.)
-2. Deploy `platform/forge_runners`
-3. Configure secrets and tenant GitHub Apps
-4. Enable integrations (e.g., Splunk, Teleport)
+1. Build the GitHub Actions base image ([guide](./build/gh_base_image.md))
+2. Deploy base `infra/` modules (VPCs, EKS, IAM, S3, etc.)
+3. Deploy `platform/forge_runners`
+4. Configure secrets and tenant GitHub Apps
+5. Enable integrations (e.g., Splunk, Teleport)
+
+---
diff --git a/examples/build/ansible/group_vars/all/common.yaml b/examples/build/ansible/group_vars/all/common.yaml
@@ -11,3 +11,6 @@ aws_cli_checksum: bb1fcbbdaffc006dce62827083605b9953d23a1b42b3a7375733d9a6d7c94b
 # renovate: datasource=github-tags depName=github-aws-runners/terraform-aws-github-runner registryUrl=https://github.com/
 tf_aws_github_runner_version: 6.5.5
 install_runner_shell: https://raw.githubusercontent.com/github-aws-runners/terraform-aws-github-runner/v{{ tf_aws_github_runner_version }}/modules/runners/templates/install-runner.sh
+
+teleport_comm_ca_pin: <teleport_comm_ca_pin>  # e.g. sha256:3c2f8b1d4e5f7c6a9b0c8d9e1f2a3b4c5d6e7f8g9h0i1j2k3l4m5n6o7p8q9r0
+teleport_comm_auth_server: <teleport_comm_auth_server>  # e.g. teleport.example.com:443
