updated workflow files

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-07-26 16:28:29 +01:00 · 2023-07-26 16:28:29 +01:00 · 09c14e2ca8
commit 09c14e2ca8
parent bcf7399d02
7 changed files with 80 additions and 288 deletions
--- a/.github/workflows/OS.tfvars
+++ b/.github/workflows/OS.tfvars
@ -1,9 +0,0 @@
 #Ami Alma 9
 ami_id        = "ami-0845395779540e3cb"
 ami_os        = "rhel9"
 ami_username  = "ec2-user"
 ami_user_home = "/home/ec2-user"
 instance_tags = {
  Name        = "RHEL9-CIS"
  Environment = "lockdown_github_repo_workflow"
 }
--- a/.github/workflows/github_networks.tf
+++ b/.github/workflows/github_networks.tf
@ -1,53 +0,0 @@
 resource "aws_vpc" "Main" {
  cidr_block       = var.main_vpc_cidr
  instance_tenancy = "default"
  tags = {
    Environment = "${var.environment}"
    Name        = "${var.namespace}-VPC"
  }
 }
 resource "aws_internet_gateway" "IGW" {
  vpc_id = aws_vpc.Main.id
  tags = {
    Environment = "${var.environment}"
    Name        = "${var.namespace}-IGW"
  }
 }
 resource "aws_subnet" "publicsubnets" {
  vpc_id            = aws_vpc.Main.id
  cidr_block        = var.public_subnets
  availability_zone = var.availability_zone
  tags = {
    Environment = "${var.environment}"
    Name        = "${var.namespace}-pubsub"
  }
 }
 resource "aws_subnet" "Main" {
  vpc_id     = aws_vpc.Main.id
  cidr_block = var.private_subnets
  availability_zone = var.availability_zone
  tags = {
    Environment = "${var.environment}"
    Name        = "${var.namespace}-prvsub"
  }
 }
 resource "aws_route_table" "PublicRT" {
  vpc_id = aws_vpc.Main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.IGW.id
  }
  tags = {
    Environment = "${var.environment}"
    Name        = "${var.namespace}-publicRT"
  }
 }
 resource "aws_route_table_association" "rt_associate_public" {
  subnet_id      = aws_subnet.Main.id
  route_table_id = aws_route_table.PublicRT.id
 }
--- a/.github/workflows/github_vars.tfvars
+++ b/.github/workflows/github_vars.tfvars
@ -1,14 +0,0 @@
 // github_actions variables
 // Resourced in github_networks.tf
 // Declared in variables.tf
 // 
 namespace   = "github_actions"
 environment = "lockdown_github_repo_workflow"
 // Matching pair name found in AWS for keypairs PEM key
 ami_key_pair_name = "github_actions"
 private_key       = ".ssh/github_actions.pem"
 main_vpc_cidr     = "172.22.0.0/24"
 public_subnets    = "172.22.0.128/26"
 private_subnets   = "172.22.0.192/26"
--- a/.github/workflows/linux_benchmark_testing.yml
+++ b/.github/workflows/linux_benchmark_testing.yml
@ -1,3 +1,5 @@
 ---
 # This is a basic workflow to help you get started with Actions
 name: linux_benchmark_pipeline
@ -6,48 +8,61 @@ name: linux_benchmark_pipeline
 # Triggers the workflow on push or pull request
 # events but only for the devel branch
 on: # yamllint disable-line rule:truthy
-    pull_request_target:
+  pull_request_target:
-        types: [opened, reopened, synchronize]
+      types: [opened, reopened, synchronize]
-        branches:
+      branches:
-            - devel
+          - devel
-            - main
+          - main
-        paths:
+      paths:
-            - '**.yml'
+          - '**.yml'
-            - '**.sh'
+          - '**.sh'
-            - '**.j2'
+          - '**.j2'
-            - '**.ps1'
+          - '**.ps1'
-            - '**.cfg'
+          - '**.cfg'
 # A workflow run is made up of one or more jobs
 # that can run sequentially or in parallel
 jobs:
  # This will create messages for first time contributers and direct them to the Discord server
    welcome:
-        runs-on: ubuntu-latest
+      runs-on: ubuntu-latest
-        steps:
+      steps:
-            - uses: actions/first-interaction@main
+          - uses: actions/first-interaction@main
-              with:
+            with:
-                  repo-token: ${{ secrets.GITHUB_TOKEN }}
+              repo-token: ${{ secrets.GITHUB_TOKEN }}
-                  pr-message: |-
+              pr-message: |-
-                      Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+                  Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                      Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+                  Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
      # This workflow contains a single job called "build"
    build:
      # The type of runner that the job will run on
        runs-on: ubuntu-latest
        env:
-            ENABLE_DEBUG: false
+            ENABLE_DEBUG: true
            # Imported as a variable by terraform
            TF_VAR_repository: ${{ github.event.repository.name }}
        defaults:
          run:
            shell: bash
            working-directory: .github/workflows/github_linux_IaC
        # Steps represent a sequence of tasks that will be executed as part of the job
        steps:
-          # Checks-out your repository under $GITHUB_WORKSPACE, 
+          # Checks-out your repository under $GITHUB_WORKSPACE,
          # so your job can access it
-            - uses: actions/checkout@v3
+            - name: Clone ${{ github.event.repository.name }}
              uses: actions/checkout@v3
              with:
                  ref: ${{ github.event.pull_request.head.sha }}
          # Pull in terraform code for linux servers
            - name: Clone github IaC plan
              uses: actions/checkout@v3
              with:
                repository: ansible-lockdown/github_linux_IaC
                path: .github/workflows/github_linux_IaC
            - name: Add_ssh_key
              working-directory: .github/workflows
              env:
@ -58,54 +73,77 @@ jobs:
                chmod 700 .ssh
                echo $PRIVATE_KEY > .ssh/github_actions.pem
                chmod 600 .ssh/github_actions.pem
            - name: DEBUG - Show IaC files
              if: env.ENABLE_DEBUG == 'true'
              run: |
                echo "OSVAR = $OSVAR"
                echo "benchmark_type = $benchmark_type"
                pwd
                ls
              env:
                  # Imported from github variables this is used to load the relvent OS.tfvars file
                  OSVAR: ${{ vars.OSVAR }}
                  benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 ### Build out the server
            - name: Terraform_Init
-              working-directory: .github/workflows
+              id: init
              run: terraform init
              env:
                # Imported from github variables this is used to load the relvent OS.tfvars file
                OSVAR: ${{ vars.OSVAR }}
                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
            - name: Terraform_Validate
-              working-directory: .github/workflows
+              id: validate
              run: terraform validate
              env:
                # Imported from github variables this is used to load the relvent OS.tfvars file
                OSVAR: ${{ vars.OSVAR }}
                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
            - name: Terraform_Apply
-              working-directory: .github/workflows
+              id: apply
              env:
-                  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-                  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+                AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-              run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
+                OSVAR: ${{ vars.OSVAR }}
                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
              run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
      ## Debug Section
            - name: DEBUG - Show Ansible hostfile
              if: env.ENABLE_DEBUG == 'true'
              working-directory: .github/workflows
              run: cat hosts.yml
      # Aws deployments taking a while to come up insert sleep or playbook fails
            - name: Sleep for 60 seconds
              run: sleep 60s
              shell: bash
      # Run the ansible playbook
            - name: Run_Ansible_Playbook
              uses: arillso/action.playbook@master
              with:
-                  playbook: site.yml
+                playbook: site.yml
-                  inventory: .github/workflows/hosts.yml
+                inventory: .github/workflows/github_linux_IaC/hosts.yml
-                  galaxy_file: collections/requirements.yml
+                galaxy_file: collections/requirements.yml
-                  private_key: ${{ secrets.SSH_PRV_KEY }}
+                private_key: ${{ secrets.SSH_PRV_KEY }}
        #          verbose: 3
              env:
-                  ANSIBLE_HOST_KEY_CHECKING: "false"
+                ANSIBLE_HOST_KEY_CHECKING: "false"
-                  ANSIBLE_DEPRECATION_WARNINGS: "false"
+                ANSIBLE_DEPRECATION_WARNINGS: "false"
      # Remove test system - User secrets to keep if necessary
            - name: Terraform_Destroy
-              working-directory: .github/workflows
+              if: always()
              if: always() && env.ENABLE_DEBUG == 'false'
              env:
-                  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-                  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+                AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-              run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
+                OSVAR: ${{ vars.OSVAR }}
                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
              run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
--- a/.github/workflows/main.tf
+++ b/.github/workflows/main.tf
@ -1,83 +0,0 @@
 provider "aws" {
  profile = ""
  region  = var.aws_region
 }
 // Create a security group with access to port 22 and port 80 open to serve HTTP traffic
 resource "random_id" "server" {
  keepers = {
    # Generate a new id each time we switch to a new AMI id
    ami_id = "${var.ami_id}"
  }
  byte_length = 8
 }
 resource "aws_security_group" "github_actions" {
  name   = "${var.namespace}-${random_id.server.hex}-SG"
  vpc_id = aws_vpc.Main.id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Environment = "${var.environment}"
    Name        = "${var.namespace}-SG"
  }
 }
 // instance setup
 resource "aws_instance" "testing_vm" {
  ami                         = var.ami_id
  availability_zone           = var.availability_zone
  associate_public_ip_address = true
  key_name                    = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs
  instance_type               = var.instance_type
  tags                        = var.instance_tags
  vpc_security_group_ids      = [aws_security_group.github_actions.id]
  subnet_id                   = aws_subnet.Main.id
  root_block_device {
    delete_on_termination = true
  }
 }
 // generate inventory file
 resource "local_file" "inventory" {
  filename             = "./hosts.yml"
  directory_permission = "0755"
  file_permission      = "0644"
  content              = <<EOF
    # benchmark host
    all:
      hosts:
        ${var.ami_os}:
          ansible_host: ${aws_instance.testing_vm.public_ip}
          ansible_user: ${var.ami_username}
      vars:
        setup_audit: true
        run_audit: true
        system_is_ec2: true
        skip_reboot: false
        rhel9cis_rule_5_6_6: false  # skip root passwd check and keys only
    EOF
 }
--- a/.github/workflows/terraform.tfvars
+++ b/.github/workflows/terraform.tfvars
@ -1,6 +0,0 @@
 // vars should be loaded by OSname.tfvars
 availability_zone      = "us-east-1b"
 aws_region             = "us-east-1"
 ami_os                 = var.ami_os
 ami_username           = var.ami_username
 instance_tags          = var.instance_tags
--- a/.github/workflows/variables.tf
+++ b/.github/workflows/variables.tf
@ -1,81 +0,0 @@
 // Taken from the OSname.tfvars
 variable "aws_region" {
  description = "AWS region"
  default     = "us-east-1"
  type        = string
 }
 variable "availability_zone" {
  description = "List of availability zone in the region"
  default     = "us-east-1b"
  type        = string
 }
 variable "instance_type" {
  description = "EC2 Instance Type"
  default     = "t3.micro"
  type        = string
 }
 variable "instance_tags" {
  description = "Tags to set for instances"
  type        = map(string)
 }
 variable "ami_key_pair_name" {
  description = "Name of key pair in AWS thats used"
  type        = string
 }
 variable "private_key" {
  description = "path to private key for ssh"
  type        = string
 }
 variable "ami_os" {
  description = "AMI OS Type"
  type        = string
 }
 variable "ami_id" {
  description = "AMI ID reference"
  type        = string
 }
 variable "ami_username" {
  description = "Username for the ami id"
  type        = string
 }
 variable "ami_user_home" {
  description = "home dir for the username"
  type        = string
 }
 variable "namespace" {
  description = "Name used across all tags"
  type        = string
 }
 variable "environment" {
  description = "Env Name used across all tags"
  type        = string
 }
 // taken from github_vars.tfvars &
 variable "main_vpc_cidr" {
  description = "Private cidr block to be used for vpc"
  type        = string
 }
 variable "public_subnets" {
  description = "public subnet cidr block"
  type        = string
 }
 variable "private_subnets" {
  description = "private subnet cidr block"
  type        = string
 }