It looks more and more like we are going to use a public cloud for running our tests. This would also be much more defensive against malicious tests trying to exfiltrate things from the RH internal network.

However, we do need to run our rhel-* image builds inside of RH network, as http://download.devel.redhat.com/ is not accessible publicly. That only requires little resources though, and is not performance critical. Running this on TF would be ideal.

mvadkert says that it should support nested virtualization, even though it's not very scalable (see above, it doesn't have to be).

It also supports secrets, even through the GitHub action. We can use that to give it an S3 token for image and log upload, and possibly the GitHub token for updating the image refresh PR status.

Deliverable: Demo draft PR which builds a rhel-10-2 bots image in TF and proves that secrets work. Use a dummy value, as we are going to test that on a fork, and our bots GitHub project doesn't have an S3 token anyway.