Merge pull request #420 from ansible-lockdown/devel

Stig v3r10 to main

Author: uk-bolly

.ansible-lint

@@ -1,12 +1,20 @@
 parseable: true
 quiet: true
 skip_list:
-  - '204'
-  - '208'
-  - '305'
-  - '303'
-  - '403'
-  - '306'
-  - '602'
+    - 'schema'
+    - 'no-changed-when'
+    - 'var-spacing'
+    - 'experimental'
+    - 'name[play]'
+    - 'name[casing]'
+    - 'name[template]'
+    - 'fqcn[action]'
+    - '204'
+    - '305'
+    - '303'
+    - '403'
+    - '306'
+    - '602'
+    - '208'
 use_default_rules: true
 verbosity: 0

.github/workflows/OS.tfvars

@@ -5,5 +5,5 @@ ami_username  = "centos"
 ami_user_home = "/home/centos"
 instance_tags = {
   Name        = "RHEL7-STIG"
-  Environment = "lockdown_github_repo_workflow"
+  Environment       = "github_test_pipeline"
 }

.github/workflows/github_networks.tf

@@ -1,11 +1,53 @@
 resource "aws_vpc" "Main" {
-  cidr_block = var.main_vpc_cidr
-  tags = var.instance_tags
+  cidr_block       = var.main_vpc_cidr
+  instance_tenancy = "default"
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-VPC"
+  }
 }
 
 resource "aws_internet_gateway" "IGW" {
   vpc_id = aws_vpc.Main.id
   tags = {
-    Name      = "${var.namespace}-IGW"
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-IGW"
+  }
+}
+
+resource "aws_subnet" "publicsubnets" {
+  vpc_id            = aws_vpc.Main.id
+  cidr_block        = var.public_subnets
+  availability_zone = var.availability_zone
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-pubsub"
+  }
+}
+
+resource "aws_subnet" "Main" {
+  vpc_id     = aws_vpc.Main.id
+  cidr_block = var.private_subnets
+  availability_zone = var.availability_zone
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-prvsub"
+  }
+}
+
+resource "aws_route_table" "PublicRT" {
+  vpc_id = aws_vpc.Main.id
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.IGW.id
+  }
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-publicRT"
   }
 }
+
+resource "aws_route_table_association" "rt_associate_public" {
+  subnet_id      = aws_subnet.Main.id
+  route_table_id = aws_route_table.PublicRT.id
+}

.github/workflows/github_vars.tfvars

@@ -3,10 +3,12 @@
 // Declared in variables.tf
 // 
 
-namespace         = "github_actions"
+namespace   = "github_actions"
+environment = "lockdown_github_repo_workflow"
 
 // Matching pair name found in AWS for keypairs PEM key
 ami_key_pair_name = "github_actions"
+private_key       = ".ssh/github_actions.pem"
 main_vpc_cidr     = "172.22.0.0/24"
 public_subnets    = "172.22.0.128/26"
-private_subnets   = "172.22.0.192/26"
+private_subnets   = "172.22.0.192/26"

.github/workflows/linux_benchmark_testing.yml

@@ -5,116 +5,107 @@ name: linux_benchmark_pipeline
 # Controls when the action will run.
 # Triggers the workflow on push or pull request
 # events but only for the devel branch
-on:
-  pull_request_target:
-    types: [opened, reopened, synchronize]
-    branches:
-      - devel
-      - main
-    paths:
-      - '**.yml'
-      - '**.sh'
-      - '**.j2'
-      - '**.ps1'
-      - '**.cfg'
+on:  # yamllint disable-line rule:truthy
+    pull_request_target:
+        types: [opened, reopened, synchronize]
+        branches:
+            - devel
+            - main
+        paths:
+            - '**.yml'
+            - '**.sh'
+            - '**.j2'
+            - '**.ps1'
+            - '**.cfg'
 
 # A workflow run is made up of one or more jobs
 # that can run sequentially or in parallel
 jobs:
   # This will create messages for first time contributers and direct them to the Discord server
-  welcome:
-      runs-on: ubuntu-latest
-
-      steps:
-          - uses: actions/first-interaction@v1.1.0
-            with:
-                repo-token: ${{ secrets.GITHUB_TOKEN }}
-                pr-message: |-
-                  Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! 
-                  Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well.
+    welcome:
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/first-interaction@main
+              with:
+                  repo-token: ${{ secrets.GITHUB_TOKEN }}
+                  pr-message: |-
+                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+                    Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
   # This workflow contains a single job called "build"
-  build:
-    # The type of runner that the job will run on
-    runs-on: ubuntu-latest
-
-    env: 
-      ENABLE_DEBUG: false
-
-    # Steps represent a sequence of tasks that will be executed as part of the job
-    steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, 
-      # so your job can access it
-      - uses: actions/checkout@v2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Add_ssh_key
-        working-directory: .github/workflows
-        env:
-          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
-          PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
-        run: |
-          mkdir .ssh
-          chmod 700 .ssh
-          echo $PRIVATE_KEY > .ssh/github_actions.pem
-          chmod 600 .ssh/github_actions.pem
-
-### Build out the server
-      - name: Terraform_Init
-        working-directory: .github/workflows
-        run: terraform init
-
-      - name: Terraform_Validate
-        working-directory: .github/workflows
-        run: terraform validate
-
-      - name: Terraform_Apply
-        working-directory: .github/workflows
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
-
-## Debug Section
-      - name: DEBUG - Show Ansible hostfile
-        if: env.ENABLE_DEBUG == 'true'
-        working-directory: .github/workflows
-        run: cat hosts.yml
-
-# Centos 7 images take a while to come up insert sleep or playbook fails
-
-      - name: Check if test os is rhel7
-        working-directory: .github/workflows
-        id: test_os
-        run: >-
-          echo "::set-output name=RHEL7::$(
-          grep -c RHEL7 OS.tfvars
-          )"
-
-      - name: if RHEL7 - Sleep for 60 seconds
-        if: steps.test_os.outputs.RHEL7 >= 1
-        run: sleep 60s
-        shell: bash
-
-# Run the ansible playbook
-      - name: Run_Ansible_Playbook
-        uses: arillso/action.playbook@master
-        with:
-          playbook: site.yml
-          inventory: .github/workflows/hosts.yml
-          galaxy_file: collections/requirements.yml
-          private_key: ${{ secrets.SSH_PRV_KEY }}
-#          verbose: 3
-        env:
-          ANSIBLE_HOST_KEY_CHECKING: "false"
-          ANSIBLE_DEPRECATION_WARNINGS: "false"
-
-# Remove test system - User secrets to keep if necessary
+    build:
+        # The type of runner that the job will run on
+        runs-on: ubuntu-latest
 
-      - name: Terraform_Destroy
-        working-directory: .github/workflows
-        if: always() && env.ENABLE_DEBUG == 'false'
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
+            ENABLE_DEBUG: false
+
+        # Steps represent a sequence of tasks that will be executed as part of the job
+        steps:
+            # Checks-out your repository under $GITHUB_WORKSPACE,
+            # so your job can access it
+            - uses: actions/checkout@v3
+              with:
+                  ref: ${{ github.event.pull_request.head.sha }}
+
+            - name: Add_ssh_key
+              working-directory: .github/workflows
+              env:
+                  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+                  PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+              run: |
+                  mkdir .ssh
+                  chmod 700 .ssh
+                  echo $PRIVATE_KEY > .ssh/github_actions.pem
+                  chmod 600 .ssh/github_actions.pem
+
+      ### Build out the server
+            - name: Terraform_Init
+              working-directory: .github/workflows
+              run: terraform init
+
+            - name: Terraform_Validate
+              working-directory: .github/workflows
+              run: terraform validate
+
+            - name: Terraform_Apply
+              working-directory: .github/workflows
+              env:
+                  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+              run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
+
+      ## Debug Section
+            - name: DEBUG - Show Ansible hostfile
+              if: env.ENABLE_DEBUG == 'true'
+              working-directory: .github/workflows
+              run: cat hosts.yml
+
+      # Aws deployments taking a while to come up insert sleep or playbook fails
+
+            - name: Sleep for 60 seconds
+              run: sleep 60s
+              shell: bash
+
+      # Run the ansible playbook
+            - name: Run_Ansible_Playbook
+              uses: arillso/action.playbook@master
+              with:
+                  playbook: site.yml
+                  inventory: .github/workflows/hosts.yml
+                  galaxy_file: collections/requirements.yml
+                  private_key: ${{ secrets.SSH_PRV_KEY }}
+      #           verbose: 3
+              env:
+                  ANSIBLE_HOST_KEY_CHECKING: "false"
+                  ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+      # Remove test system - User secrets to keep if necessary
+
+            - name: Terraform_Destroy
+              working-directory: .github/workflows
+              if: always() && env.ENABLE_DEBUG == 'false'
+              env:
+                  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+              run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false

.github/workflows/main.tf

@@ -5,9 +5,6 @@ provider "aws" {
 
 // Create a security group with access to port 22 and port 80 open to serve HTTP traffic
 
-data "aws_vpc" "default" {
-  default = true
-}
 
 resource "random_id" "server" {
   keepers = {
@@ -19,8 +16,8 @@ resource "random_id" "server" {
 }
 
 resource "aws_security_group" "github_actions" {
-  name   = "${var.namespace}-${random_id.server.hex}"
-  vpc_id = data.aws_vpc.default.id
+  name   = "${var.namespace}-${random_id.server.hex}-SG"
+  vpc_id = aws_vpc.Main.id
 
   ingress {
     from_port   = 22
@@ -43,6 +40,7 @@ resource "aws_security_group" "github_actions" {
     cidr_blocks = ["0.0.0.0/0"]
   }
   tags = {
+    Environment = "${var.environment}"
     Name = "${var.namespace}-SG"
  }
 }
@@ -51,11 +49,13 @@ resource "aws_security_group" "github_actions" {
 
 resource "aws_instance" "testing_vm" {
   ami                         = var.ami_id
+  availability_zone           = var.availability_zone
   associate_public_ip_address = true
   key_name                    = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs
   instance_type               = var.instance_type
   tags                        = var.instance_tags
   vpc_security_group_ids      = [aws_security_group.github_actions.id]
+  subnet_id                   = aws_subnet.Main.id
   root_block_device {
         delete_on_termination = true
   }
@@ -77,7 +77,8 @@ resource "local_file" "inventory" {
         setup_audit: true
         run_audit: true
         system_is_ec2: true
-        audit_git_version: devel
+        rhel_07_010340: false
+        rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.somethingnewhere'
     EOF
 }
 

.github/workflows/terraform.tfvars

@@ -1,4 +1,5 @@
 // vars should be loaded by OSname.tfvars
+availability_zone      = "us-east-1b"
 aws_region    = "us-east-1"
 ami_os        = var.ami_os
 ami_username  = var.ami_username