From 9e9cc7c0791a7eebfe3c08aaf94f2300f88a92e9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Aug 2022 11:41:55 +0100 Subject: [PATCH 1/9] updated workflows Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 2 +- .github/workflows/github_networks.tf | 46 ++- .github/workflows/github_vars.tfvars | 3 +- .github/workflows/main.tf | 12 +- .github/workflows/terraform.tfstate | 8 - .github/workflows/terraform.tfstate.backup | 370 --------------------- .github/workflows/variables.tf | 5 + 7 files changed, 57 insertions(+), 389 deletions(-) delete mode 100644 .github/workflows/terraform.tfstate delete mode 100644 .github/workflows/terraform.tfstate.backup diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index a5e2fda..0bfba59 100644 --- a/.github/workflows/OS.tfvars +++ b/.github/workflows/OS.tfvars @@ -5,5 +5,5 @@ ami_username = "ec2-user" ami_user_home = "/home/ec2-user" instance_tags = { Name = "RHEL9-CIS" - Environment = "lockdown_github_repo_workflow" + Environment = "github_test_pipeline" } diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf index 4db9025..e20fb05 100644 --- a/.github/workflows/github_networks.tf +++ b/.github/workflows/github_networks.tf 
@@ -1,11 +1,51 @@ resource "aws_vpc" "Main" { - cidr_block = var.main_vpc_cidr - tags = var.instance_tags + cidr_block = var.main_vpc_cidr + instance_tenancy = "default" + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-VPC" + } } resource "aws_internet_gateway" "IGW" { vpc_id = aws_vpc.Main.id tags = { - Name = "${var.namespace}-IGW" + Environment = "${var.environment}" + Name = "${var.namespace}-IGW" } } + +resource "aws_subnet" "publicsubnets" { + vpc_id = aws_vpc.Main.id + cidr_block = var.public_subnets + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-pubsub" + } +} + +resource "aws_subnet" "Main" { + vpc_id = aws_vpc.Main.id + cidr_block = var.private_subnets + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-prvsub" + } +} + +resource "aws_route_table" "PublicRT" { + vpc_id = aws_vpc.Main.id + route { + cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.IGW.id + } + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-publicRT" + } +} + +resource "aws_route_table_association" "rt_associate_public" { + subnet_id = aws_subnet.Main.id + route_table_id = aws_route_table.PublicRT.id +} diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index c3ac76b..2a7e263 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars @@ -3,7 +3,8 @@ // Declared in variables.tf // -namespace = "github_actions" +namespace = "github_actions" +environment = "github_test_pipeline" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index b231d2a..5bf002e 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf 
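Review bot: The association at the end of the hunk attaches PublicRT (default route `0.0.0.0/0` to the IGW) to `aws_subnet.Main`, which is sized by `var.private_subnets` and tagged `-prvsub`, while `aws_subnet.publicsubnets` (tagged `-pubsub`) is left with no route to the IGW; the tags and the routing contradict each other, and the subnet named "private" is the one that is actually internet-reachable. If one public subnet for the test instance is the intent, `subnet_id = aws_subnet.publicsubnets.id` here (and placing the instance in that subnet) makes the layout match its tags; otherwise rename the tags so anyone auditing the exposure of the SSH-open instance is not misled. The hunk also starts reading `var.public_subnets` and `var.private_subnets`, which I could not see declared in the variables.tf hunk of this patch — worth confirming they exist elsewhere in that file.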
@@ -5,9 +5,6 @@ provider "aws" { // Create a security group with access to port 22 and port 80 open to serve HTTP traffic -data "aws_vpc" "default" { - default = true -} resource "random_id" "server" { keepers = { @@ -19,8 +16,8 @@ resource "random_id" "server" { } resource "aws_security_group" "github_actions" { - name = "${var.namespace}-${random_id.server.hex}" - vpc_id = data.aws_vpc.default.id + name = "${var.namespace}-${random_id.server.hex}-SG" + vpc_id = aws_vpc.Main.id ingress { from_port = 22 @@ -43,7 +40,8 @@ resource "aws_security_group" "github_actions" { cidr_blocks = ["0.0.0.0/0"] } tags = { - Name = "${var.namespace}-SG" + Environment = "${var.environment}" + Name = "${var.namespace}-SG" } } @@ -56,6 +54,7 @@ resource "aws_instance" "testing_vm" { instance_type = var.instance_type tags = var.instance_tags vpc_security_group_ids = [aws_security_group.github_actions.id] + subnet_id = aws_subnet.Main.id root_block_device { delete_on_termination = true } @@ -80,3 +79,4 @@ resource "local_file" "inventory" { audit_git_version: devel EOF } + diff --git a/.github/workflows/terraform.tfstate b/.github/workflows/terraform.tfstate deleted file mode 100644 index 6a8982d..0000000 --- a/.github/workflows/terraform.tfstate +++ /dev/null @@ -1,8 +0,0 @@ -{ - "version": 4, - "terraform_version": "1.2.2", - "serial": 15, - "lineage": "826bcba6-7d74-b65e-f687-a6f4945dd69e", - "outputs": {}, - "resources": [] -} diff --git a/.github/workflows/terraform.tfstate.backup b/.github/workflows/terraform.tfstate.backup deleted file mode 100644 index ffbb4b0..0000000 --- a/.github/workflows/terraform.tfstate.backup +++ /dev/null 
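Review bot: The security group is re-homed into the new VPC, but its ingress rules (context further down the hunk: port 22 with `cidr_blocks = ["0.0.0.0/0"]`) are unchanged, so every test instance remains SSH-reachable from the whole internet for the lifetime of the job, using a key pair that is shared across runs. Since the only legitimate client is the GitHub runner, the rule could be narrowed at apply time, e.g. `cidr_blocks = [var.allowed_ssh_cidr]` with the runner's egress address passed from the workflow, which is a cheap mitigation that does not change the pipeline. The aws_security_group block continues outside the hunk.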
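Review bot: `subnet_id = aws_subnet.Main.id` places the instance in the subnet tagged `-prvsub`, while its tags still come from `var.instance_tags` (OS.tfvars) rather than the new `var.environment` that every other resource in this patch uses; the Environment values only agree today because both tfvars files happen to say "github_test_pipeline". `tags = merge(var.instance_tags, { Environment = var.environment })` keeps the OS-specific Name while giving Environment a single source of truth. The aws_instance block starts outside the hunk.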
@@ -1,370 +0,0 @@ -{ - "version": 4, - "terraform_version": "1.2.2", - "serial": 7, - "lineage": "826bcba6-7d74-b65e-f687-a6f4945dd69e", - "outputs": {}, - "resources": [ - { - "mode": "data", - "type": "aws_vpc", - "name": "default", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:vpc/vpc-05ef27c517862c3b1", - "cidr_block": "172.31.0.0/16", - "cidr_block_associations": [ - { - "association_id": "vpc-cidr-assoc-0a0f361027d9f91f3", - "cidr_block": "172.31.0.0/16", - "state": "associated" - } - ], - "default": true, - "dhcp_options_id": "dopt-c5dfccbe", - "enable_dns_hostnames": true, - "enable_dns_support": true, - "filter": null, - "id": "vpc-05ef27c517862c3b1", - "instance_tenancy": "default", - "ipv6_association_id": "", - "ipv6_cidr_block": "", - "main_route_table_id": "rtb-0a40eb856c7d79f1d", - "owner_id": "817651307868", - "state": null, - "tags": { - "Name": "Default VPC" - } - }, - "sensitive_attributes": [] - } - ] - }, - { - "mode": "managed", - "type": "aws_instance", - "name": "testing_vm", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "ami": "ami-0c41531b8d18cc72b", - "arn": "arn:aws:ec2:us-east-1:817651307868:instance/i-0d997714170ce8898", - "associate_public_ip_address": true, - "availability_zone": "us-east-1a", - "capacity_reservation_specification": [ - { - "capacity_reservation_preference": "open", - "capacity_reservation_target": [] - } - ], - "cpu_core_count": 1, - "cpu_threads_per_core": 2, - "credit_specification": [ - { - "cpu_credits": "unlimited" - } - ], - "disable_api_termination": false, - "ebs_block_device": [], - "ebs_optimized": false, - "enclave_options": [ - { - "enabled": false - } - ], - "ephemeral_block_device": [], - "get_password_data": false, - "hibernation": false, - "host_id": null, - "iam_instance_profile": "", - 
"id": "i-0d997714170ce8898", - "instance_initiated_shutdown_behavior": "stop", - "instance_state": "running", - "instance_type": "t3.micro", - "ipv6_address_count": 0, - "ipv6_addresses": [], - "key_name": "github_actions", - "launch_template": [], - "maintenance_options": [ - { - "auto_recovery": "default" - } - ], - "metadata_options": [ - { - "http_endpoint": "enabled", - "http_put_response_hop_limit": 1, - "http_tokens": "optional", - "instance_metadata_tags": "disabled" - } - ], - "monitoring": false, - "network_interface": [], - "outpost_arn": "", - "password_data": "", - "placement_group": "", - "placement_partition_number": null, - "primary_network_interface_id": "eni-0417127dc77918518", - "private_dns": "ip-172-31-8-170.ec2.internal", - "private_ip": "172.31.8.170", - "public_dns": "ec2-3-238-53-150.compute-1.amazonaws.com", - "public_ip": "3.238.53.150", - "root_block_device": [ - { - "delete_on_termination": true, - "device_name": "/dev/sda1", - "encrypted": false, - "iops": 100, - "kms_key_id": "", - "tags": null, - "throughput": 0, - "volume_id": "vol-0392840b878024a68", - "volume_size": 10, - "volume_type": "gp2" - } - ], - "secondary_private_ips": [], - "security_groups": [ - "github_actions-5eb7d7f8d9c46a1c" - ], - "source_dest_check": true, - "subnet_id": "subnet-0ad8888b9fd53204f", - "tags": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tags_all": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tenancy": "default", - "timeouts": null, - "user_data": null, - "user_data_base64": null, - "user_data_replace_on_change": false, - "volume_tags": null, - "vpc_security_group_ids": [ - "sg-054e3f94c98fc64f2" - ] - }, - "sensitive_attributes": [], - "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMCwidXBkYXRlIjo2MDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjEifQ==", - "dependencies": [ - 
"aws_security_group.github_actions", - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_internet_gateway", - "name": "IGW", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:internet-gateway/igw-0ef39abda6f14481d", - "id": "igw-0ef39abda6f14481d", - "owner_id": "817651307868", - "tags": { - "Name": "github_actions-IGW" - }, - "tags_all": { - "Name": "github_actions-IGW" - }, - "vpc_id": "vpc-068452c798d98b17f" - }, - "sensitive_attributes": [], - "private": "bnVsbA==", - "dependencies": [ - "aws_vpc.Main" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_security_group", - "name": "github_actions", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:security-group/sg-054e3f94c98fc64f2", - "description": "Managed by Terraform", - "egress": [ - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 0, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "-1", - "security_groups": [], - "self": false, - "to_port": 0 - } - ], - "id": "sg-054e3f94c98fc64f2", - "ingress": [ - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 22, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "tcp", - "security_groups": [], - "self": false, - "to_port": 22 - }, - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 80, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "tcp", - "security_groups": [], - "self": false, - "to_port": 80 - } - ], - "name": "github_actions-5eb7d7f8d9c46a1c", - "name_prefix": "", - "owner_id": "817651307868", - "revoke_rules_on_delete": false, - "tags": { - "Name": "github_actions-SG" - }, - "tags_all": { - "Name": "github_actions-SG" - }, - 
"timeouts": null, - "vpc_id": "vpc-05ef27c517862c3b1" - }, - "sensitive_attributes": [], - "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6OTAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0=", - "dependencies": [ - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_vpc", - "name": "Main", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:vpc/vpc-068452c798d98b17f", - "assign_generated_ipv6_cidr_block": false, - "cidr_block": "172.22.0.0/24", - "default_network_acl_id": "acl-08a831aefd0ff6f65", - "default_route_table_id": "rtb-09ae50e860e80fb1f", - "default_security_group_id": "sg-01ff3ec71f0cd3115", - "dhcp_options_id": "dopt-c5dfccbe", - "enable_classiclink": false, - "enable_classiclink_dns_support": false, - "enable_dns_hostnames": false, - "enable_dns_support": true, - "id": "vpc-068452c798d98b17f", - "instance_tenancy": "default", - "ipv4_ipam_pool_id": null, - "ipv4_netmask_length": null, - "ipv6_association_id": "", - "ipv6_cidr_block": "", - "ipv6_cidr_block_network_border_group": "", - "ipv6_ipam_pool_id": "", - "ipv6_netmask_length": 0, - "main_route_table_id": "rtb-09ae50e860e80fb1f", - "owner_id": "817651307868", - "tags": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tags_all": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - } - }, - "sensitive_attributes": [], - "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==" - } - ] - }, - { - "mode": "managed", - "type": "local_file", - "name": "inventory", - "provider": "provider[\"registry.terraform.io/hashicorp/local\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "content": " # benchmark host\n all:\n hosts:\n rhel9:\n ansible_host: 3.238.53.150\n ansible_user: ec2-user\n vars:\n setup_audit: true\n 
run_audit: true\n system_is_ec2: true\n audit_git_version: devel\n", - "content_base64": null, - "directory_permission": "0755", - "file_permission": "0644", - "filename": "./hosts.yml", - "id": "697bfe9ff397a4b5e3f46caf3c48481a3d485375", - "sensitive_content": null, - "source": null - }, - "sensitive_attributes": [], - "private": "bnVsbA==", - "dependencies": [ - "aws_instance.testing_vm", - "aws_security_group.github_actions", - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "random_id", - "name": "server", - "provider": "provider[\"registry.terraform.io/hashicorp/random\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "b64_std": "XrfX+NnEahw=", - "b64_url": "XrfX-NnEahw", - "byte_length": 8, - "dec": "6825161224108665372", - "hex": "5eb7d7f8d9c46a1c", - "id": "XrfX-NnEahw", - "keepers": { - "ami_id": "ami-0c41531b8d18cc72b" - }, - "prefix": null - }, - "sensitive_attributes": [], - "private": "bnVsbA==" - } - ] - } - ] -} diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf index 752ee88..90a1dd4 100644 --- a/.github/workflows/variables.tf +++ b/.github/workflows/variables.tf @@ -52,6 +52,11 @@ variable "namespace" { type = string } +variable "environment" { + description = "Env Name used across all tags" + type = string +} + // taken from github_vars.tfvars & variable "main_vpc_cidr" { From 419d00551a31e35c51d009c1dd8e0cb82b3d285a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Aug 2022 11:48:11 +0100 Subject: [PATCH 2/9] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index b120eee..ee9aff4 100644 --- a/Changelog.md +++ b/Changelog.md 
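Review bot: Only `environment` is declared here, yet github_networks.tf in the same patch reads `var.public_subnets` and `var.private_subnets`; if those are not declared elsewhere in variables.tf (not visible in this hunk), validation fails on an undeclared variable. Leaving `environment` without a default is the right call — it forces the pipeline to supply it via github_vars.tfvars instead of silently tagging resources with an empty string — and the description could say so: `description = "Environment name applied to the Environment tag of every resource; supplied by github_vars.tfvars"`.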
@@ -10,6 +10,8 @@ - added more to logrotate 4.3.x - sure to logrotate now a seperate package - grub path now standard to /boot/grub2/grub.cfg - 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer +- workflow update +- removed doc update ## 0.1 From 420d432531a6f75d0468e16aa035ce1765971f7d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Aug 2022 11:50:38 +0100 Subject: [PATCH 3/9] removed old file Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.old | 429 ---------------------------- 1 file changed, 429 deletions(-) delete mode 100644 templates/ansible_vars_goss.yml.old diff --git a/templates/ansible_vars_goss.yml.old b/templates/ansible_vars_goss.yml.old deleted file mode 100644 index f10c74f..0000000 --- a/templates/ansible_vars_goss.yml.old +++ /dev/null 
@@ -1,429 +0,0 @@ -## metadata for Audit benchmark -benchmark_version: '1.0.1' - -# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS -is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %} - -rhel9cis_os_distribution: {{ ansible_distribution | lower }} - -# timeout for each command to run where set - default = 10seconds/10000ms -timeout_ms: {{ audit_cmd_timeout }} - -# Taken from LE rhel8-cis -rhel9cis_section1: {{ rhel9cis_section1 }} -rhel9cis_section2: {{ rhel9cis_section2 }} -rhel9cis_section3: {{ rhel9cis_section3 }} -rhel9cis_section4: {{ rhel9cis_section4 }} -rhel9cis_section5: {{ rhel9cis_section5 }} -rhel9cis_section6: {{ rhel9cis_section6 }} - -rhel9cis_level_1: {{ rhel9cis_level_1 }} -rhel9cis_level_2: {{ rhel9cis_level_2 }} - -rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }} - - - -# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy -run_heavy_tests: true -{% if rhel9cis_legacy_boot is defined %} -rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }} -{% endif %} - - -rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} -# These variables correspond with the CIS rule IDs or paragraph numbers defined in -# the CIS benchmark documents. -# PLEASE NOTE: These work in coordination with the section # group variables and tags. -# You must enable an entire section in order for the variables below to take effect. 
-# Section 1 rules -rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }} -rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }} -rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }} -rhel9cis_rule_1_1_1_4: {{ rhel9cis_rule_1_1_1_4 }} -rhel9cis_rule_1_1_2: {{ rhel9cis_rule_1_1_2 }} -rhel9cis_rule_1_1_3: {{ rhel9cis_rule_1_1_3 }} -rhel9cis_rule_1_1_4: {{ rhel9cis_rule_1_1_4 }} -rhel9cis_rule_1_1_5: {{ rhel9cis_rule_1_1_5 }} -rhel9cis_rule_1_1_6: {{ rhel9cis_rule_1_1_6 }} -rhel9cis_rule_1_1_7: {{ rhel9cis_rule_1_1_7 }} -rhel9cis_rule_1_1_8: {{ rhel9cis_rule_1_1_8 }} -rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }} -rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }} -rhel9cis_rule_1_1_11: {{ rhel9cis_rule_1_1_11 }} -rhel9cis_rule_1_1_12: {{ rhel9cis_rule_1_1_12 }} -rhel9cis_rule_1_1_13: {{ rhel9cis_rule_1_1_13 }} -rhel9cis_rule_1_1_14: {{ rhel9cis_rule_1_1_14 }} -rhel9cis_rule_1_1_15: {{ rhel9cis_rule_1_1_15 }} -rhel9cis_rule_1_1_16: {{ rhel9cis_rule_1_1_16 }} -rhel9cis_rule_1_1_17: {{ rhel9cis_rule_1_1_17 }} -rhel9cis_rule_1_1_18: {{ rhel9cis_rule_1_1_18 }} -rhel9cis_rule_1_1_19: {{ rhel9cis_rule_1_1_19 }} -rhel9cis_rule_1_1_20: {{ rhel9cis_rule_1_1_20 }} -rhel9cis_rule_1_1_21: {{ rhel9cis_rule_1_1_21 }} -rhel9cis_rule_1_1_22: {{ rhel9cis_rule_1_1_22 }} -rhel9cis_rule_1_1_23: {{ rhel9cis_rule_1_1_23 }} -rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed -rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }} -rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }} -rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }} -rhel9cis_rule_1_2_5: {{ rhel9cis_rule_1_2_5 }} -rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }} -rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} -rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }} -rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} -rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} -rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }} -rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} -rhel9cis_rule_1_5_2: {{ 
rhel9cis_rule_1_5_2 }} -rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }} - -rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }} -rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }} -rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }} -rhel9cis_rule_1_7_1_4: {{ rhel9cis_rule_1_7_1_4 }} -rhel9cis_rule_1_7_1_5: {{ rhel9cis_rule_1_7_1_5 }} -rhel9cis_rule_1_7_1_6: {{ rhel9cis_rule_1_7_1_6 }} -rhel9cis_rule_1_7_1_7: {{ rhel9cis_rule_1_7_1_7 }} -rhel9cis_rule_1_8_1_1: {{ rhel9cis_rule_1_8_1_1 }} -rhel9cis_rule_1_8_1_2: {{ rhel9cis_rule_1_8_1_2 }} -rhel9cis_rule_1_8_1_3: {{ rhel9cis_rule_1_8_1_3 }} -rhel9cis_rule_1_8_1_4: {{ rhel9cis_rule_1_8_1_4 }} -rhel9cis_rule_1_8_1_5: {{ rhel9cis_rule_1_8_1_5 }} -rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }} -rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} -rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} -rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }} - - -# section 2 rules -rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }} -rhel9cis_rule_2_2_1_1: {{ rhel9cis_rule_2_2_1_1 }} -rhel9cis_rule_2_2_1_2: {{ rhel9cis_rule_2_2_1_2 }} -rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }} -rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }} -rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }} -rhel9cis_rule_2_2_5: {{ rhel9cis_rule_2_2_5 }} -rhel9cis_rule_2_2_6: {{ rhel9cis_rule_2_2_6 }} -rhel9cis_rule_2_2_7: {{ rhel9cis_rule_2_2_7 }} -rhel9cis_rule_2_2_8: {{ rhel9cis_rule_2_2_8 }} -rhel9cis_rule_2_2_9: {{ rhel9cis_rule_2_2_9 }} -rhel9cis_rule_2_2_10: {{ rhel9cis_rule_2_2_10 }} -rhel9cis_rule_2_2_11: {{ rhel9cis_rule_2_2_11 }} -rhel9cis_rule_2_2_12: {{ rhel9cis_rule_2_2_12 }} -rhel9cis_rule_2_2_13: {{ rhel9cis_rule_2_2_13 }} -rhel9cis_rule_2_2_14: {{ rhel9cis_rule_2_2_14 }} -rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }} -rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }} -rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }} -rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }} -rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }} -rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }} 
-rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }} - - -# Section 3 rules -rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} -rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} -rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} -rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }} -rhel9cis_rule_3_2_3: {{ rhel9cis_rule_3_2_3 }} -rhel9cis_rule_3_2_4: {{ rhel9cis_rule_3_2_4 }} -rhel9cis_rule_3_2_5: {{ rhel9cis_rule_3_2_5 }} -rhel9cis_rule_3_2_6: {{ rhel9cis_rule_3_2_6 }} -rhel9cis_rule_3_2_7: {{ rhel9cis_rule_3_2_7 }} -rhel9cis_rule_3_2_8: {{ rhel9cis_rule_3_2_8 }} -rhel9cis_rule_3_2_9: {{ rhel9cis_rule_3_2_9 }} -rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }} -rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }} -rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }} -rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }} -rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }} -rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }} -rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }} -rhel9cis_rule_3_4_2_3: {{ rhel9cis_rule_3_4_2_3 }} -rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }} -rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }} -rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }} -rhel9cis_rule_3_5: {{ rhel9cis_rule_3_5 }} -rhel9cis_rule_3_6: {{ rhel9cis_rule_3_6 }} - - -# Section 4 rules -rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }} -rhel9cis_rule_4_1_1_2: {{ rhel9cis_rule_4_1_1_2 }} -rhel9cis_rule_4_1_1_3: {{ rhel9cis_rule_4_1_1_3 }} -rhel9cis_rule_4_1_1_4: {{ rhel9cis_rule_4_1_1_4 }} -rhel9cis_rule_4_1_2_1: {{ rhel9cis_rule_4_1_2_1 }} -rhel9cis_rule_4_1_2_2: {{ rhel9cis_rule_4_1_2_2 }} -rhel9cis_rule_4_1_2_3: {{ rhel9cis_rule_4_1_2_3 }} -rhel9cis_rule_4_1_3: {{ rhel9cis_rule_4_1_3 }} -rhel9cis_rule_4_1_4: {{ rhel9cis_rule_4_1_4 }} -rhel9cis_rule_4_1_5: {{ rhel9cis_rule_4_1_5 }} -rhel9cis_rule_4_1_6: {{ rhel9cis_rule_4_1_6 }} -rhel9cis_rule_4_1_7: {{ rhel9cis_rule_4_1_7 }} -rhel9cis_rule_4_1_8: {{ rhel9cis_rule_4_1_8 }} -rhel9cis_rule_4_1_9: {{ rhel9cis_rule_4_1_9 }} -rhel9cis_rule_4_1_10: {{ 
rhel9cis_rule_4_1_10 }} -rhel9cis_rule_4_1_11: {{ rhel9cis_rule_4_1_11 }} -rhel9cis_rule_4_1_12: {{ rhel9cis_rule_4_1_12 }} -rhel9cis_rule_4_1_13: {{ rhel9cis_rule_4_1_13 }} -rhel9cis_rule_4_1_14: {{ rhel9cis_rule_4_1_14 }} -rhel9cis_rule_4_1_15: {{ rhel9cis_rule_4_1_15 }} -rhel9cis_rule_4_1_16: {{ rhel9cis_rule_4_1_16 }} -rhel9cis_rule_4_1_17: {{ rhel9cis_rule_4_1_17 }} -rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }} -rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }} -rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }} -rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }} -rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }} -rhel9cis_rule_4_2_1_6: {{ rhel9cis_rule_4_2_1_6 }} -rhel9cis_rule_4_2_2_1: {{ rhel9cis_rule_4_2_2_1 }} -rhel9cis_rule_4_2_2_2: {{ rhel9cis_rule_4_2_2_2 }} -rhel9cis_rule_4_2_2_3: {{ rhel9cis_rule_4_2_2_3 }} -rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }} -rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }} - -# Section 5 -rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }} -rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }} -rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }} -rhel9cis_rule_5_1_4: {{ rhel9cis_rule_5_1_4 }} -rhel9cis_rule_5_1_5: {{ rhel9cis_rule_5_1_5 }} -rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }} -rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }} -rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }} - -rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }} -rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }} -rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }} -rhel9cis_rule_5_2_4: {{ rhel9cis_rule_5_2_4 }} -rhel9cis_rule_5_2_5: {{ rhel9cis_rule_5_2_5 }} -rhel9cis_rule_5_2_6: {{ rhel9cis_rule_5_2_6 }} -rhel9cis_rule_5_2_7: {{ rhel9cis_rule_5_2_7 }} -rhel9cis_rule_5_2_8: {{ rhel9cis_rule_5_2_8 }} -rhel9cis_rule_5_2_9: {{ rhel9cis_rule_5_2_9 }} -rhel9cis_rule_5_2_10: {{ rhel9cis_rule_5_2_10 }} -rhel9cis_rule_5_2_11: {{ rhel9cis_rule_5_2_11 }} -rhel9cis_rule_5_2_12: {{ rhel9cis_rule_5_2_12 }} -rhel9cis_rule_5_2_13: {{ rhel9cis_rule_5_2_13 }} -rhel9cis_rule_5_2_14: {{ 
rhel9cis_rule_5_2_14 }} -rhel9cis_rule_5_2_15: {{ rhel9cis_rule_5_2_15 }} -rhel9cis_rule_5_2_16: {{ rhel9cis_rule_5_2_16 }} -rhel9cis_rule_5_2_17: {{ rhel9cis_rule_5_2_17 }} -rhel9cis_rule_5_2_18: {{ rhel9cis_rule_5_2_18 }} -rhel9cis_rule_5_2_19: {{ rhel9cis_rule_5_2_19 }} -rhel9cis_rule_5_2_20: {{ rhel9cis_rule_5_2_20 }} - -rhel9cis_rule_5_3_1: {{ rhel9cis_rule_5_3_1 }} -rhel9cis_rule_5_3_2: {{ rhel9cis_rule_5_3_2 }} -rhel9cis_rule_5_3_3: {{ rhel9cis_rule_5_3_3 }} - -rhel9cis_rule_5_4_1: {{ rhel9cis_rule_5_4_1 }} -rhel9cis_rule_5_4_2: {{ rhel9cis_rule_5_4_2 }} -rhel9cis_rule_5_4_3: {{ rhel9cis_rule_5_4_3 }} -rhel9cis_rule_5_4_4: {{ rhel9cis_rule_5_4_4 }} - -rhel9cis_rule_5_5_1_1: {{ rhel9cis_rule_5_5_1_1 }} -rhel9cis_rule_5_5_1_2: {{ rhel9cis_rule_5_5_1_2 }} -rhel9cis_rule_5_5_1_3: {{ rhel9cis_rule_5_5_1_3 }} -rhel9cis_rule_5_5_1_4: {{ rhel9cis_rule_5_5_1_4 }} -rhel9cis_rule_5_5_1_5: {{ rhel9cis_rule_5_5_1_5 }} - -rhel9cis_rule_5_5_2: {{ rhel9cis_rule_5_5_2 }} -rhel9cis_rule_5_5_3: {{ rhel9cis_rule_5_5_3 }} -rhel9cis_rule_5_5_4: {{ rhel9cis_rule_5_5_4 }} -rhel9cis_rule_5_5_5: {{ rhel9cis_rule_5_5_5 }} - -rhel9cis_rule_5_6: {{ rhel9cis_rule_5_6 }} -rhel9cis_rule_5_7: {{ rhel9cis_rule_5_7 }} - -# Section 6 -rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }} -rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }} -rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }} -rhel9cis_rule_6_1_4: {{ rhel9cis_rule_6_1_4 }} -rhel9cis_rule_6_1_5: {{ rhel9cis_rule_6_1_5 }} -rhel9cis_rule_6_1_6: {{ rhel9cis_rule_6_1_6 }} -rhel9cis_rule_6_1_7: {{ rhel9cis_rule_6_1_7 }} -rhel9cis_rule_6_1_8: {{ rhel9cis_rule_6_1_8 }} -rhel9cis_rule_6_1_9: {{ rhel9cis_rule_6_1_9 }} -rhel9cis_rule_6_1_10: {{ rhel9cis_rule_6_1_10 }} -rhel9cis_rule_6_1_11: {{ rhel9cis_rule_6_1_11 }} -rhel9cis_rule_6_1_12: {{ rhel9cis_rule_6_1_12 }} -rhel9cis_rule_6_1_13: {{ rhel9cis_rule_6_1_13 }} -rhel9cis_rule_6_1_14: {{ rhel9cis_rule_6_1_14 }} - -rhel9cis_rule_6_2_1: {{ rhel9cis_rule_6_2_1 }} -rhel9cis_rule_6_2_2: {{ 
rhel9cis_rule_6_2_2 }} -rhel9cis_rule_6_2_3: {{ rhel9cis_rule_6_2_3 }} -rhel9cis_rule_6_2_4: {{ rhel9cis_rule_6_2_4 }} -rhel9cis_rule_6_2_5: {{ rhel9cis_rule_6_2_5 }} -rhel9cis_rule_6_2_6: {{ rhel9cis_rule_6_2_6 }} -rhel9cis_rule_6_2_7: {{ rhel9cis_rule_6_2_7 }} -rhel9cis_rule_6_2_8: {{ rhel9cis_rule_6_2_8 }} -rhel9cis_rule_6_2_9: {{ rhel9cis_rule_6_2_9 }} -rhel9cis_rule_6_2_10: {{ rhel9cis_rule_6_2_10 }} -rhel9cis_rule_6_2_11: {{ rhel9cis_rule_6_2_11 }} -rhel9cis_rule_6_2_12: {{ rhel9cis_rule_6_2_12 }} -rhel9cis_rule_6_2_13: {{ rhel9cis_rule_6_2_13 }} -rhel9cis_rule_6_2_14: {{ rhel9cis_rule_6_2_14 }} -rhel9cis_rule_6_2_15: {{ rhel9cis_rule_6_2_15 }} -rhel9cis_rule_6_2_16: {{ rhel9cis_rule_6_2_16 }} -rhel9cis_rule_6_2_17: {{ rhel9cis_rule_6_2_17 }} -rhel9cis_rule_6_2_18: {{ rhel9cis_rule_6_2_18 }} -rhel9cis_rule_6_2_19: {{ rhel9cis_rule_6_2_19 }} -rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }} - - -# Service configuration booleans set true to keep service -rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} -rhel9cis_cups_server: {{ rhel9cis_cups_server }} -rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} -rhel9cis_dns_server: {{ rhel9cis_dns_server }} -rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} -rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} -rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} -rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} -rhel9cis_nginx_server: {{ rhel9cis_nginx_server }} -rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }} -rhel9cis_samba_server: {{ rhel9cis_samba_server }} -rhel9cis_squid_server: {{ rhel9cis_squid_server }} -rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} -rhel9cis_nis_server: {{ rhel9cis_nis_server }} -rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} -rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} -rhel9cis_nfs_server: {{ rhel9cis_nfs_server }} -rhel9cis_rpc_server: {{ rhel9cis_rpc_server }} -rhel9cis_rsync_server: {{ rhel9cis_rsync_server }} - - -rhel9cis_allow_autofs: {{ 
rhel9cis_allow_autofs }} - -# client services -rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} -rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} -rhel9cis_talk_required: {{ rhel9cis_talk_required }} -rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} -rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} -rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} - - - - -# AIDE -rhel9cis_config_aide: {{ rhel9cis_config_aide }} - -# aide setup via - cron, timer -rhel9_aide_scan: cron - -# AIDE cron settings -rhel9cis_aide_cron: - cron_user: {{ rhel9cis_aide_cron.cron_user }} - cron_file: '{{ rhel9cis_aide_cron.cron_file }}' - aide_job: ' {{ rhel9cis_aide_cron.aide_job }}' - aide_minute: '{{ rhel9cis_aide_cron.aide_minute }}' - aide_hour: '{{ rhel9cis_aide_cron.aide_hour }}' - aide_day: '{{ rhel9cis_aide_cron.aide_day }}' - aide_month: '{{ rhel9cis_aide_cron.aide_month }}' - aide_weekday: '{{ rhel9cis_aide_cron.aide_weekday }}' - -# 1.5.1 Bootloader password -rhel9cis_bootloader_password: {{ rhel9cis_bootloader_password_hash }} -rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} - -# 1.10 crypto -rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }} - -# Warning Banner Content (issue, issue.net, motd) -rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} -# End Banner - - -# Whether or not to run tasks related to auditing/patching the desktop environment -rhel9cis_gui: {{ rhel9cis_gui }} - -# xinetd required -rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} - -# IPv6 required -rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} - -# System network parameters (host only OR host and router) -rhel9cis_is_router: {{ rhel9cis_is_router }} - - -rhel9cis_firewall: {{ rhel9cis_firewall }} -#rhel9cis_firewall: iptables -rhel9cis_default_firewall_zone: {{ rhel9cis_default_zone }} -rhel9cis_firewall_interface: -- enp0s3 -- enp0s8 - -rhel9cis_firewall_services: {{ rhel9cis_firewall_services }} - - -### Section 4 -## auditd settings 
-rhel9cis_auditd: - space_left_action: {{ rhel9cis_auditd.space_left_action}} - action_mail_acct: {{ rhel9cis_auditd.action_mail_acct }} - admin_space_left_action: {{ rhel9cis_auditd.admin_space_left_action }} - max_log_file_action: {{ rhel9cis_auditd.max_log_file_action }} - auditd_backlog_limit: {{ rhel9cis_audit_back_log_limit }} - -## syslog -rhel9_cis_rsyslog: true - -### Section 5 -rhel9cis_sshd_limited: false -#Note the following to understand precedence and layout -rhel9cis_sshd_access: - AllowUser: - AllowGroup: - DenyUser: - DenyGroup: - -rhel9cis_ssh_aliveinterval: "300" -rhel9cis_ssh_countmax: "3" - -rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }} - -## PAM -rhel9cis_pam_password: - minlen: {{ rhel9cis_pam_password.minlen }} - minclass: {{ rhel9cis_pam_password.minclass }} -rhel9cis_pam_passwd_retry: "3" -# faillock or tally2 -rhel9cis_accountlock: faillock - -## note this is to skip tests -skip_rhel9cis_pam_passwd_auth: true -skip_rhel9cis_pam_system_auth: true - -# choose one of below -rhel9cis_pwhistory_so: "14" -rhel9cis_unix_so: false -rhel9cis_passwd_remember: "5" - -# logins.def password settings -rhel9cis_pass: - max_days: {{ rhel9cis_pass.max_days }} - min_days: {{ rhel9cis_pass.min_days }} - warn_age: {{ rhel9cis_pass.warn_age }} - -# 5.3.1/5.3.2 Custon authselect profile settings. 
Settings in place now will fail, they are place holders from the control example -rhel9cis_authselect: - custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }} - default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }} - options: {{ rhel9cis_authselect.options }} - -# 5.3.1 Enable automation to creat custom profile settings, using the setings above -rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }} - -# 5.3.2 Enable automation to select custom profile options, using the settings above -rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }} - -# 5.7 -rhel9cis_sugroup: {{ rhel9cis_sugroup| default('wheel') }} -rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} From f863e97a9201c9f26e6755c390c12e37f7d70cc9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Aug 2022 11:53:12 +0100 Subject: [PATCH 4/9] change var file order Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index f802b4c..5b2a708 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -73,7 +73,7 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false ## Debug Section - name: DEBUG - Show Ansible hostfile 
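Review bot: Swapping the `-var-file` order changes precedence: Terraform processes var-files left to right, so any variable set in both files now takes its value from OS.tfvars instead of github_vars.tfvars. Nothing in the two files shown on this page overlaps, but the ordering is load-bearing and undocumented; a comment above the step, `# later -var-file wins: OS.tfvars may override github_vars.tfvars`, records the intent. The destroy step in the next hunk makes the same swap and must stay in sync, since provider settings such as aws_region come from the same files.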
@@ -117,4 +117,4 @@ jobs:
 env:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
+ run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
From d83ee52a986921c2dca2316e4a0c4d9cb6555656 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 5 Aug 2022 12:23:32 +0100
Subject: [PATCH 5/9] added availibility zone

Signed-off-by: Mark Bolwell
---
 .github/workflows/github_networks.tf | 5 +++--
 .github/workflows/terraform.tfvars | 9 +++++----
 .github/workflows/variables.tf | 6 ++++++
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf
index e20fb05..d0dd081 100644
--- a/.github/workflows/github_networks.tf
+++ b/.github/workflows/github_networks.tf
@@ -16,8 +16,9 @@ resource "aws_internet_gateway" "IGW" {
 }
 resource "aws_subnet" "publicsubnets" {
- vpc_id = aws_vpc.Main.id
- cidr_block = var.public_subnets
+ vpc_id = aws_vpc.Main.id
+ cidr_block = var.public_subnets
+ availability_zone = var.availability_zone
 tags = {
 Environment = "${var.environment}"
 Name = "${var.namespace}-pubsub"
diff --git a/.github/workflows/terraform.tfvars b/.github/workflows/terraform.tfvars
index 6d98b8b..d894ec4 100644
--- a/.github/workflows/terraform.tfvars
+++ b/.github/workflows/terraform.tfvars
@@ -1,5 +1,6 @@
 // vars should be loaded by OSname.tfvars
-aws_region = "us-east-1"
-ami_os = var.ami_os
-ami_username = var.ami_username
-instance_tags = var.instance_tags
+availability_zone = "us-east-1b"
+aws_region = "us-east-1"
+ami_os = var.ami_os
+ami_username = var.ami_username
+instance_tags = var.instance_tags
diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf
index 90a1dd4..7e05228 100644
--- a/.github/workflows/variables.tf
+++ b/.github/workflows/variables.tf
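Review bot: The re-added lines `ami_os = var.ami_os`, `ami_username = var.ami_username` and `instance_tags = var.instance_tags` in terraform.tfvars are not valid in a variable definitions file — .tfvars files accept only literal values, and a `var.` reference is rejected at parse time with "Variables not allowed". Terraform also auto-loads a file named terraform.tfvars from its working directory, so if the apply in this workflow runs inside .github/workflows the file is read even though it is never passed with -var-file; whether it is picked up cannot be confirmed from the hunk, but either the three lines should become literals or the file should go. The new `availability_zone = "us-east-1b"` duplicates the default declared in the variables.tf hunk of this same patch; keeping one source of truth, with a comment that the zone must belong to `aws_region`, avoids the two silently diverging.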
@@ -6,6 +6,12 @@ variable "aws_region" {
 type = string
 }
+variable "availability_zone" {
+ description = "List of availability zone in the region"
+ default = "us-east-1b"
+ type = string
+}
+
 variable "instance_type" {
 description = "EC2 Instance Type"
 default = "t3.micro"
From f247239844390b6dc4ff581b91195ec17146e93c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 5 Aug 2022 12:42:48 +0100
Subject: [PATCH 6/9] added availibility zone to instance

Signed-off-by: Mark Bolwell
---
 .github/workflows/main.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf
index 5bf002e..61da17c 100644
--- a/.github/workflows/main.tf
+++ b/.github/workflows/main.tf
@@ -49,6 +49,7 @@ resource "aws_security_group" "github_actions" {
 resource "aws_instance" "testing_vm" {
 ami = var.ami_id
+ availability_zone = var.availability_zone
 associate_public_ip_address = true
 key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs
 instance_type = var.instance_type
From 2e53bdfef785b76b2c04fb40f827354251195553 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 5 Aug 2022 12:56:45 +0100
Subject: [PATCH 7/9] add avail zone to subnet

Signed-off-by: Mark Bolwell
---
 .github/workflows/github_networks.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf
index d0dd081..ba77764 100644
--- a/.github/workflows/github_networks.tf
+++ b/.github/workflows/github_networks.tf
@@ -28,6 +28,7 @@ resource "aws_subnet" "publicsubnets" {
 resource "aws_subnet" "Main" {
 vpc_id = aws_vpc.Main.id
 cidr_block = var.private_subnets
+ availability_zone = var.availability_zone
 tags = {
 Environment = "${var.environment}"
 Name = "${var.namespace}-prvsub"
From 045bbc30cb4dc2670edc6a3150028fba2af9987a Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 23 Aug 2022 11:23:10 -0400
Subject: [PATCH 8/9] updated environment tags and sleep timeout to 120s
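Review bot: The description of the new `availability_zone` variable reads "List of availability zone in the region" while its type is `string` and its default is a single zone, so the documentation contradicts the declaration; `description = "Single availability zone, which must lie within aws_region, used for the subnets and the test instance"` says what is actually declared. The default "us-east-1b" is only valid while `aws_region` keeps its us-east-1 default and nothing ties the two together, so a change to the region alone fails at apply time. Either state that constraint in the description or derive the zone at plan time from a `data "aws_availability_zones"` source instead of hard-coding it in two files.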
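Review bot: Setting `availability_zone` directly on `aws_instance.testing_vm` is redundant if the resource also places the instance with `subnet_id` (the rest of the resource body is outside the hunk), because the subnet already fixes the zone, and an explicit zone that disagrees with the subnet's is rejected at apply time. If the instance is placed by subnet, drop this attribute and let the subnet decide — both subnets are pinned to `var.availability_zone` by the github_networks.tf hunks in this series (@@ -16,8 and @@ -28,6); if it is not placed by subnet, a comment saying why the instance is pinned rather than selecting a subnet would help the next reader, since the VPC defines a public and a private subnet in that zone.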
Signed-off-by: George Nalen
---
 .github/workflows/OS.tfvars | 2 +-
 .github/workflows/github_vars.tfvars | 2 +-
 .github/workflows/linux_benchmark_testing.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars
index 0bfba59..a5e2fda 100644
--- a/.github/workflows/OS.tfvars
+++ b/.github/workflows/OS.tfvars
@@ -5,5 +5,5 @@ ami_username = "ec2-user"
 ami_user_home = "/home/ec2-user"
 instance_tags = {
 Name = "RHEL9-CIS"
- Environment = "github_test_pipeline"
+ Environment = "lockdown_github_repo_workflow"
 }
diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars
index 2a7e263..e50753d 100644
--- a/.github/workflows/github_vars.tfvars
+++ b/.github/workflows/github_vars.tfvars
@@ -4,7 +4,7 @@
 //
 namespace = "github_actions"
-environment = "github_test_pipeline"
+environment = "lockdown_github_repo_workflow"
 // Matching pair name found in AWS for keypairs PEM key
 ami_key_pair_name = "github_actions"
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml
index 5b2a708..5ad1702 100644
--- a/.github/workflows/linux_benchmark_testing.yml
+++ b/.github/workflows/linux_benchmark_testing.yml
@@ -93,7 +93,7 @@ jobs:
 - name: if RHEL7 - Sleep for 60 seconds
 #if: steps.test_os.outputs.RHEL7 >= 1
- run: sleep 60s
+ run: sleep 120s
 shell: bash
 # Run the ansible playbook
From 4853d45ca7c5ae4aef24050ddc4c49068b1d16e3 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 23 Aug 2022 11:24:42 -0400
Subject: [PATCH 9/9] updated sleep timeout from 120s to 60s

Signed-off-by: George Nalen
---
 .github/workflows/linux_benchmark_testing.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml
index 5ad1702..5b2a708 100644
--- a/.github/workflows/linux_benchmark_testing.yml
+++ b/.github/workflows/linux_benchmark_testing.yml
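Review bot: The Environment tag value now has to be edited in two places — `instance_tags.Environment` in this OS.tfvars hunk and `environment` in the github_vars.tfvars hunk that follows — and this patch series itself shows the pair being flipped twice in lockstep. A single source is less error-prone: keep `environment` as the variable and have main.tf apply `tags = merge(var.instance_tags, { Environment = var.environment })` wherever it consumes `var.instance_tags` (outside these hunks), so the Environment key can be dropped from OS.tfvars. Consistent tagging is worth the small change because tags are usually what a cleanup or cost query keys on when a pipeline leaves a test instance behind.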
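Review bot: The step name still reads "if RHEL7 - Sleep for 60 seconds" while the command now sleeps 120s, and the `#if:` guard above it is commented out, so the wait runs unconditionally for every OS; the final patch in this series (@@ -93 again) puts the value back to 60s, which makes name and command agree but keeps the underlying problem. A fixed sleep is a race against instance boot: too short and the playbook step fails on SSH, too long and every run pays the delay. A readiness wait such as `aws ec2 wait instance-status-ok --instance-ids <INSTANCE_ID_PLACEHOLDER>` (the id taken from the terraform output) or a bounded SSH retry loop would make the step deterministic, and the step name should then describe the wait rather than a duration.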
@@ -93,7 +93,7 @@ jobs:
 - name: if RHEL7 - Sleep for 60 seconds
 #if: steps.test_os.outputs.RHEL7 >= 1
- run: sleep 120s
+ run: sleep 60s
 shell: bash
 # Run the ansible playbook