From 4e47f411096ad6e843b123213a8f8cc95d6063dc Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Fri, 21 Feb 2025 12:02:56 +0000
Subject: [PATCH] updated fqcn

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 .../benchmark_pipeline_validation.yml         | 156 ++++++++++++++++++
 .gitignore                                    |   3 +
 tasks/section_1/cis_1.1.3.x.yml               |   2 +-
 tasks/section_1/cis_1.1.4.x.yml               |   2 +-
 tasks/section_1/cis_1.1.5.x.yml               |   2 +-
 tasks/section_1/cis_1.1.6.x.yml               |   2 +-
 tasks/section_1/cis_1.1.7.x.yml               |   2 +-
 7 files changed, 164 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/benchmark_pipeline_validation.yml

diff --git a/.github/workflows/benchmark_pipeline_validation.yml b/.github/workflows/benchmark_pipeline_validation.yml
new file mode 100644
index 0000000..8d76acb
--- /dev/null
+++ b/.github/workflows/benchmark_pipeline_validation.yml
@@ -0,0 +1,156 @@
+---
+
+  name: Benchmark pipeline
+
+  on: # yamllint disable-line rule:truthy
+    pull_request_target:
+        types: [opened, reopened, synchronize]
+        branches:
+            - benchmark*
+        paths:
+            - '**.yml'
+            - '**.sh'
+            - '**.j2'
+            - '**.ps1'
+            - '**.cfg'
+
+  # Allow permissions for AWS auth
+  permissions:
+    id-token: write
+    contents: read
+    pull-requests: read
+
+  # A workflow run is made up of one or more jobs
+  # that can run sequentially or in parallel
+  jobs:
+    # This will create messages for first time contributers and direct them to the Discord server
+      welcome:
+        runs-on: self-hosted
+
+        steps:
+            - uses: actions/first-interaction@main
+              with:
+                repo-token: ${{ secrets.GITHUB_TOKEN }}
+                pr-message: |-
+                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+
+      # This workflow contains a single job that tests the playbook
+      playbook-test:
+        # The type of runner that the job will run on
+        runs-on: self-hosted
+        env:
+          ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+          # Imported as a variable by terraform
+          TF_VAR_repository: ${{ github.event.repository.name }}
+          AWS_REGION : "us-east-1"
+          ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
+        defaults:
+          run:
+            shell: bash
+            working-directory: .github/workflows/github_linux_IaC
+            # working-directory: .github/workflows
+
+        steps:
+
+          - name: Git clone the lockdown repository to test
+            uses: actions/checkout@v4
+            with:
+              ref: ${{ github.event.pull_request.head.sha }}
+
+          - name: If a variable for IAC_BRANCH is set use that branch
+            working-directory: .github/workflows
+            run: |
+              if [ ${{ vars.IAC_BRANCH }} != '' ]; then
+                 echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
+                 echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
+              else
+                 echo IAC_BRANCH=main >> $GITHUB_ENV
+              fi
+
+          # Pull in terraform code for linux servers
+          - name: Clone GitHub IaC plan
+            uses: actions/checkout@v4
+            with:
+              repository: ansible-lockdown/github_linux_IaC
+              path: .github/workflows/github_linux_IaC
+              ref: ${{ env.IAC_BRANCH }}
+
+          # Uses dedicated restricted role and policy to enable this only for this task
+          # No credentials are part of github for AWS auth
+          - name: configure aws credentials
+            uses: aws-actions/configure-aws-credentials@main
+            with:
+              role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+              role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
+              aws-region: ${{ env.AWS_REGION }}
+
+          - name: DEBUG - Show IaC files
+            if: env.ENABLE_DEBUG == 'true'
+            run: |
+              echo "OSVAR = $OSVAR"
+              echo "benchmark_type = $benchmark_type"
+              echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID"
+              echo "VPC_ID" = $AWS_VPC_SECGRP_ID"
+              pwd
+              ls
+            env:
+              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+              OSVAR: ${{ vars.OSVAR }}
+              benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+              PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }}
+
+          - name: Tofu init
+            id: init
+            run: tofu init
+            env:
+              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+          - name: Tofu validate
+            id: validate
+            run: tofu validate
+            env:
+              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+          - name: Tofu apply
+            id: apply
+            env:
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+              TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+            run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+
+## Debug Section
+          - name: DEBUG - Show Ansible hostfile
+            if: env.ENABLE_DEBUG == 'true'
+            run: cat hosts.yml
+
+    # Aws deployments taking a while to come up insert sleep or playbook fails
+
+          - name: Sleep to allow system to come up
+            run: sleep ${{ vars.BUILD_SLEEPTIME }}
+
+        # Run the Ansible playbook
+          - name: Run_Ansible_Playbook
+            env:
+              ANSIBLE_HOST_KEY_CHECKING: "false"
+              ANSIBLE_DEPRECATION_WARNINGS: "false"
+            run: |
+              /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
+
+        # Remove test system - User secrets to keep if necessary
+
+          - name: Tofu Destroy
+            if: always() && env.ENABLE_DEBUG == 'false'
+            env:
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+              TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+            run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false
diff --git a/.gitignore b/.gitignore
index f67408e..e9b0c1e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,3 +46,6 @@ benchparse/
 
 # GitHub Action/Workflow files
 .github/
+
+# ansible-lint
+.ansible
diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml
index d219b39..c376189 100644
--- a/tasks/section_1/cis_1.1.3.x.yml
+++ b/tasks/section_1/cis_1.1.3.x.yml
@@ -26,7 +26,7 @@
 - name: |
           "1.1.3.2 | PATCH | Ensure nodev option set on /var partition"
           "1.1.3.3 | PATCH | Ensure nosuid option set on /var partition"
-  ansible.builtin.mount:
+  ansible.posix.mount:
       name: /var
       src: "{{ item.device }}"
       fstype: "{{ item.fstype }}"
diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml
index d04ac02..9f15fd2 100644
--- a/tasks/section_1/cis_1.1.4.x.yml
+++ b/tasks/section_1/cis_1.1.4.x.yml
@@ -28,7 +28,7 @@
           "1.1.4.2 | PATCH | Ensure noexec option set on /var/tmp partition"
           "1.1.4.3 | PATCH | Ensure nosuid option set on /var/tmp partition"
           "1.1.4.4 | PATCH | Ensure nodev option set on /var/tmp partition"
-  ansible.builtin.mount:
+  ansible.posix.mount:
       name: /var/tmp
       src: "{{ item.device }}"
       fstype: "{{ item.fstype }}"
diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml
index af4e230..7f115d7 100644
--- a/tasks/section_1/cis_1.1.5.x.yml
+++ b/tasks/section_1/cis_1.1.5.x.yml
@@ -27,7 +27,7 @@
           "1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition"
           "1.1.5.3 | PATCH | Ensure noexec option set on /var/log partition"
           "1.1.5.4 | PATCH | Ensure nosuid option set on /var/log partition"
-  ansible.builtin.mount:
+  ansible.posix.mount:
       name: /var/log
       src: "{{ item.device }}"
       fstype: "{{ item.fstype }}"
diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml
index d20e83d..f19c997 100644
--- a/tasks/section_1/cis_1.1.6.x.yml
+++ b/tasks/section_1/cis_1.1.6.x.yml
@@ -27,7 +27,7 @@
           "1.1.6.2 | PATCH | Ensure noexec option set on /var/log/audit partition"
           "1.1.6.3 | PATCH | Ensure nodev option set on /var/log/audit partition"
           "1.1.6.4 | PATCH | Ensure nosuid option set on /var/log/audit partition"
-  ansible.builtin.mount:
+  ansible.posix.mount:
       name: /var/log/audit
       src: "{{ item.device }}"
       fstype: "{{ item.fstype }}"
diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml
index d081811..f075a31 100644
--- a/tasks/section_1/cis_1.1.7.x.yml
+++ b/tasks/section_1/cis_1.1.7.x.yml
@@ -26,7 +26,7 @@
 - name: |
     "1.1.7.2 | PATCH | Ensure nodev option set on /home partition
      1.1.7.3 | PATCH | Ensure nosuid option set on /home partition"
-  ansible.builtin.mount:
+  ansible.posix.mount:
       name: /home
       src: "{{ item.device }}"
       fstype: "{{ item.fstype }}"