From 9e9cc7c0791a7eebfe3c08aaf94f2300f88a92e9 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 5 Aug 2022 11:41:55 +0100
Subject: [PATCH] updated workflows
Signed-off-by: Mark Bolwell
---
 .github/workflows/OS.tfvars | 2 +-
 .github/workflows/github_networks.tf | 46 ++-
 .github/workflows/github_vars.tfvars | 3 +-
 .github/workflows/main.tf | 12 +-
 .github/workflows/terraform.tfstate | 8 -
 .github/workflows/terraform.tfstate.backup | 370 ---------------------
 .github/workflows/variables.tf | 5 +
 7 files changed, 57 insertions(+), 389 deletions(-)
 delete mode 100644 .github/workflows/terraform.tfstate
 delete mode 100644 .github/workflows/terraform.tfstate.backup
diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars
index a5e2fda..0bfba59 100644
--- a/.github/workflows/OS.tfvars
+++ b/.github/workflows/OS.tfvars
@@ -5,5 +5,5 @@ ami_username = "ec2-user"
 ami_user_home = "/home/ec2-user"
 instance_tags = {
 Name = "RHEL9-CIS"
- Environment = "lockdown_github_repo_workflow"
+ Environment = "github_test_pipeline"
 }
diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf
index 4db9025..e20fb05 100644
--- a/.github/workflows/github_networks.tf
+++ b/.github/workflows/github_networks.tf
@@ -1,11 +1,51 @@
 resource "aws_vpc" "Main" {
- cidr_block = var.main_vpc_cidr
- tags = var.instance_tags
+ cidr_block = var.main_vpc_cidr
+ instance_tenancy = "default"
+ tags = {
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-VPC"
+ }
 }
 resource "aws_internet_gateway" "IGW" {
 vpc_id = aws_vpc.Main.id
 tags = {
- Name = "${var.namespace}-IGW"
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-IGW"
 }
 }
+
+resource "aws_subnet" "publicsubnets" {
+ vpc_id = aws_vpc.Main.id
+ cidr_block = var.public_subnets
+ tags = {
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-pubsub"
+ }
+}
+
+resource "aws_subnet" "Main" {
+ vpc_id = aws_vpc.Main.id
+ cidr_block = var.private_subnets
+ tags = {
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-prvsub"
+ }
+}
+
+resource "aws_route_table" "PublicRT" {
+ vpc_id = aws_vpc.Main.id
+ route {
+ cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.IGW.id
+ }
+ tags = {
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-publicRT"
+ }
+}
+
+resource "aws_route_table_association" "rt_associate_public" {
+ subnet_id = aws_subnet.Main.id
+ route_table_id = aws_route_table.PublicRT.id
+}
diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars
index c3ac76b..2a7e263 100644
--- a/.github/workflows/github_vars.tfvars
+++ b/.github/workflows/github_vars.tfvars
@@ -3,7 +3,8 @@
 // Declared in variables.tf
 //
-namespace = "github_actions"
+namespace = "github_actions"
+environment = "github_test_pipeline"
 // Matching pair name found in AWS for keypairs PEM key
 ami_key_pair_name = "github_actions"
diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf
index b231d2a..5bf002e 100644
--- a/.github/workflows/main.tf
+++ b/.github/workflows/main.tf
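Review bot: The aws_route_table_association closing the hunk attaches PublicRT, whose only route sends 0.0.0.0/0 to the IGW, to `aws_subnet.Main` — the subnet built from `var.private_subnets` and tagged `-prvsub` — while `aws_subnet.publicsubnets` gets no association at all and so is left on the VPC's main route table, which has no internet route here. If a public/private split is intended, the association should read `subnet_id = aws_subnet.publicsubnets.id`; if the test instance that main.tf places in `aws_subnet.Main` is meant to be internet-reachable, the subnet, its variable and its Name tag should say public so the exposure is visible to the next reviewer rather than hidden behind a private label. Neither subnet sets `map_public_ip_on_launch`, so presumably an instance launched there only receives a public address if the instance resource requests one — worth confirming against how the generated inventory reaches the host. The interpolation-only strings such as `Environment = "${var.environment}"` can be plain references, `Environment = var.environment`.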
@@ -5,9 +5,6 @@ provider "aws" {
 // Create a security group with access to port 22 and port 80 open to serve HTTP traffic
-data "aws_vpc" "default" {
- default = true
-}
 resource "random_id" "server" {
 keepers = {
@@ -19,8 +16,8 @@ resource "random_id" "server" {
 }
 resource "aws_security_group" "github_actions" {
- name = "${var.namespace}-${random_id.server.hex}"
- vpc_id = data.aws_vpc.default.id
+ name = "${var.namespace}-${random_id.server.hex}-SG"
+ vpc_id = aws_vpc.Main.id
 ingress {
 from_port = 22
@@ -43,7 +40,8 @@ resource "aws_security_group" "github_actions" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 tags = {
- Name = "${var.namespace}-SG"
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-SG"
 }
 }
@@ -56,6 +54,7 @@ resource "aws_instance" "testing_vm" {
 instance_type = var.instance_type
 tags = var.instance_tags
 vpc_security_group_ids = [aws_security_group.github_actions.id]
+ subnet_id = aws_subnet.Main.id
 root_block_device {
 delete_on_termination = true
 }
@@ -80,3 +79,4 @@ resource "local_file" "inventory" {
 audit_git_version: devel
 EOF
 }
+
diff --git a/.github/workflows/terraform.tfstate b/.github/workflows/terraform.tfstate
deleted file mode 100644
index 6a8982d..0000000
--- a/.github/workflows/terraform.tfstate
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "version": 4,
- "terraform_version": "1.2.2",
- "serial": 15,
- "lineage": "826bcba6-7d74-b65e-f687-a6f4945dd69e",
- "outputs": {},
- "resources": []
-}
diff --git a/.github/workflows/terraform.tfstate.backup b/.github/workflows/terraform.tfstate.backup
deleted file mode 100644
index ffbb4b0..0000000
--- a/.github/workflows/terraform.tfstate.backup
+++ /dev/null
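Review bot: In the second hunk (`@@ -19,8 +16,8 @@`), `vpc_id = aws_vpc.Main.id` moves the security group into the purpose-built VPC but the rules it carries are untouched: the context lines show `from_port = 22` and a rule ending in `cidr_blocks = ["0.0.0.0/0"]`, and the terraform.tfstate.backup deleted in this same commit records ingress on 22 and 80 from 0.0.0.0/0. Because the only legitimate client of this VPC is the pipeline runner, the SSH rule could take its CIDR from a new variable the workflow fills with the runner's public address at run time (say `cidr_blocks = [var.runner_cidr]`, a constructed name), or SSH could give way to an SSM session, and port 80 removed unless the benchmark host actually serves HTTP. A `description` on the group and on each rule would also make the intent reviewable, since the old state shows them as `"Managed by Terraform"` and empty strings. The ingress blocks themselves sit between the second and third hunks, outside the diff.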
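Review bot: In the fourth hunk (`@@ -56,6 +54,7 @@`), `tags = var.instance_tags` two lines above the added `subnet_id` still sources the instance's Environment tag from the literal in OS.tfvars (`Environment = "github_test_pipeline"`), whereas every other resource touched by this commit takes it from `var.environment` in github_vars.tfvars and the new `variable "environment"` in variables.tf describes itself as "used across all tags"; the two values match today but are now two places to keep in step. `tags = merge(var.instance_tags, { Environment = var.environment })` makes the variable authoritative, or else the description in variables.tf should be narrowed to the resources that actually use it. The added `subnet_id = aws_subnet.Main.id` also places the instance in the subnet fed by `var.private_subnets`, and nothing in the hunk sets `associate_public_ip_address`; the deleted state shows `local_file.inventory` addressed the host by its public IP (`ansible_host: 3.238.53.150`), so confirm the host still receives one after this change. The aws_instance block begins and ends outside the hunk.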
@@ -1,370 +0,0 @@ -{ - "version": 4, - "terraform_version": "1.2.2", - "serial": 7, - "lineage": "826bcba6-7d74-b65e-f687-a6f4945dd69e", - "outputs": {}, - "resources": [ - { - "mode": "data", - "type": "aws_vpc", - "name": "default", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:vpc/vpc-05ef27c517862c3b1", - "cidr_block": "172.31.0.0/16", - "cidr_block_associations": [ - { - "association_id": "vpc-cidr-assoc-0a0f361027d9f91f3", - "cidr_block": "172.31.0.0/16", - "state": "associated" - } - ], - "default": true, - "dhcp_options_id": "dopt-c5dfccbe", - "enable_dns_hostnames": true, - "enable_dns_support": true, - "filter": null, - "id": "vpc-05ef27c517862c3b1", - "instance_tenancy": "default", - "ipv6_association_id": "", - "ipv6_cidr_block": "", - "main_route_table_id": "rtb-0a40eb856c7d79f1d", - "owner_id": "817651307868", - "state": null, - "tags": { - "Name": "Default VPC" - } - }, - "sensitive_attributes": [] - } - ] - }, - { - "mode": "managed", - "type": "aws_instance", - "name": "testing_vm", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "ami": "ami-0c41531b8d18cc72b", - "arn": "arn:aws:ec2:us-east-1:817651307868:instance/i-0d997714170ce8898", - "associate_public_ip_address": true, - "availability_zone": "us-east-1a", - "capacity_reservation_specification": [ - { - "capacity_reservation_preference": "open", - "capacity_reservation_target": [] - } - ], - "cpu_core_count": 1, - "cpu_threads_per_core": 2, - "credit_specification": [ - { - "cpu_credits": "unlimited" - } - ], - "disable_api_termination": false, - "ebs_block_device": [], - "ebs_optimized": false, - "enclave_options": [ - { - "enabled": false - } - ], - "ephemeral_block_device": [], - "get_password_data": false, - "hibernation": false, - "host_id": null, - "iam_instance_profile": "", - 
"id": "i-0d997714170ce8898", - "instance_initiated_shutdown_behavior": "stop", - "instance_state": "running", - "instance_type": "t3.micro", - "ipv6_address_count": 0, - "ipv6_addresses": [], - "key_name": "github_actions", - "launch_template": [], - "maintenance_options": [ - { - "auto_recovery": "default" - } - ], - "metadata_options": [ - { - "http_endpoint": "enabled", - "http_put_response_hop_limit": 1, - "http_tokens": "optional", - "instance_metadata_tags": "disabled" - } - ], - "monitoring": false, - "network_interface": [], - "outpost_arn": "", - "password_data": "", - "placement_group": "", - "placement_partition_number": null, - "primary_network_interface_id": "eni-0417127dc77918518", - "private_dns": "ip-172-31-8-170.ec2.internal", - "private_ip": "172.31.8.170", - "public_dns": "ec2-3-238-53-150.compute-1.amazonaws.com", - "public_ip": "3.238.53.150", - "root_block_device": [ - { - "delete_on_termination": true, - "device_name": "/dev/sda1", - "encrypted": false, - "iops": 100, - "kms_key_id": "", - "tags": null, - "throughput": 0, - "volume_id": "vol-0392840b878024a68", - "volume_size": 10, - "volume_type": "gp2" - } - ], - "secondary_private_ips": [], - "security_groups": [ - "github_actions-5eb7d7f8d9c46a1c" - ], - "source_dest_check": true, - "subnet_id": "subnet-0ad8888b9fd53204f", - "tags": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tags_all": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tenancy": "default", - "timeouts": null, - "user_data": null, - "user_data_base64": null, - "user_data_replace_on_change": false, - "volume_tags": null, - "vpc_security_group_ids": [ - "sg-054e3f94c98fc64f2" - ] - }, - "sensitive_attributes": [], - "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMCwidXBkYXRlIjo2MDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjEifQ==", - "dependencies": [ - 
"aws_security_group.github_actions", - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_internet_gateway", - "name": "IGW", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:internet-gateway/igw-0ef39abda6f14481d", - "id": "igw-0ef39abda6f14481d", - "owner_id": "817651307868", - "tags": { - "Name": "github_actions-IGW" - }, - "tags_all": { - "Name": "github_actions-IGW" - }, - "vpc_id": "vpc-068452c798d98b17f" - }, - "sensitive_attributes": [], - "private": "bnVsbA==", - "dependencies": [ - "aws_vpc.Main" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_security_group", - "name": "github_actions", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:security-group/sg-054e3f94c98fc64f2", - "description": "Managed by Terraform", - "egress": [ - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 0, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "-1", - "security_groups": [], - "self": false, - "to_port": 0 - } - ], - "id": "sg-054e3f94c98fc64f2", - "ingress": [ - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 22, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "tcp", - "security_groups": [], - "self": false, - "to_port": 22 - }, - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 80, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "tcp", - "security_groups": [], - "self": false, - "to_port": 80 - } - ], - "name": "github_actions-5eb7d7f8d9c46a1c", - "name_prefix": "", - "owner_id": "817651307868", - "revoke_rules_on_delete": false, - "tags": { - "Name": "github_actions-SG" - }, - "tags_all": { - "Name": "github_actions-SG" - }, - 
"timeouts": null, - "vpc_id": "vpc-05ef27c517862c3b1" - }, - "sensitive_attributes": [], - "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6OTAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0=", - "dependencies": [ - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_vpc", - "name": "Main", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:vpc/vpc-068452c798d98b17f", - "assign_generated_ipv6_cidr_block": false, - "cidr_block": "172.22.0.0/24", - "default_network_acl_id": "acl-08a831aefd0ff6f65", - "default_route_table_id": "rtb-09ae50e860e80fb1f", - "default_security_group_id": "sg-01ff3ec71f0cd3115", - "dhcp_options_id": "dopt-c5dfccbe", - "enable_classiclink": false, - "enable_classiclink_dns_support": false, - "enable_dns_hostnames": false, - "enable_dns_support": true, - "id": "vpc-068452c798d98b17f", - "instance_tenancy": "default", - "ipv4_ipam_pool_id": null, - "ipv4_netmask_length": null, - "ipv6_association_id": "", - "ipv6_cidr_block": "", - "ipv6_cidr_block_network_border_group": "", - "ipv6_ipam_pool_id": "", - "ipv6_netmask_length": 0, - "main_route_table_id": "rtb-09ae50e860e80fb1f", - "owner_id": "817651307868", - "tags": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tags_all": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - } - }, - "sensitive_attributes": [], - "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==" - } - ] - }, - { - "mode": "managed", - "type": "local_file", - "name": "inventory", - "provider": "provider[\"registry.terraform.io/hashicorp/local\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "content": " # benchmark host\n all:\n hosts:\n rhel9:\n ansible_host: 3.238.53.150\n ansible_user: ec2-user\n vars:\n setup_audit: true\n 
run_audit: true\n system_is_ec2: true\n audit_git_version: devel\n", - "content_base64": null, - "directory_permission": "0755", - "file_permission": "0644", - "filename": "./hosts.yml", - "id": "697bfe9ff397a4b5e3f46caf3c48481a3d485375", - "sensitive_content": null, - "source": null - }, - "sensitive_attributes": [], - "private": "bnVsbA==", - "dependencies": [ - "aws_instance.testing_vm", - "aws_security_group.github_actions", - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "random_id", - "name": "server", - "provider": "provider[\"registry.terraform.io/hashicorp/random\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "b64_std": "XrfX+NnEahw=", - "b64_url": "XrfX-NnEahw", - "byte_length": 8, - "dec": "6825161224108665372", - "hex": "5eb7d7f8d9c46a1c", - "id": "XrfX-NnEahw", - "keepers": { - "ami_id": "ami-0c41531b8d18cc72b" - }, - "prefix": null - }, - "sensitive_attributes": [], - "private": "bnVsbA==" - } - ] - } - ] -} diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf index 752ee88..90a1dd4 100644 --- a/.github/workflows/variables.tf +++ b/.github/workflows/variables.tf @@ -52,6 +52,11 @@ variable "namespace" { type = string } +variable "environment" { + description = "Env Name used across all tags" + type = string +} + // taken from github_vars.tfvars & variable "main_vpc_cidr" {