From 375b6a7d96b4b765cb0a95b285a136b3b0ce84b1 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Tue, 1 Mar 2022 09:38:02 +0000 Subject: [PATCH] Collection workflows (#69) * added new workflow items Signed-off-by: Mark Bolwell * added collections requirements Signed-off-by: Mark Bolwell * added collections requirements Signed-off-by: Mark Bolwell * added pipeline info and layout Signed-off-by: Mark Bolwell * added pipeline info and layout Signed-off-by: Mark Bolwell * updates to pipelines Signed-off-by: Mark Bolwell * updates to pipelines Signed-off-by: Mark Bolwell * added tag to audit Signed-off-by: Mark Bolwell * updated tags Signed-off-by: Mark Bolwell * updated date Signed-off-by: Mark Bolwell * updated data Signed-off-by: Mark Bolwell * updated discord info Signed-off-by: Mark Bolwell * Updated readme Signed-off-by: George Nalen * Updated run_audit tags in tasks/main.yml 
Signed-off-by: George Nalen
Co-authored-by: George Nalen
---
 .github/workflows/OS.tfvars | 9 ++
 .github/workflows/communitytodevel.yml | 38 ------
 .github/workflows/develtomaster.yml | 38 ------
 .github/workflows/github_networks.tf | 11 ++
 .github/workflows/github_vars.tfvars | 12 ++
 .github/workflows/linux_benchmark_testing.yml | 120 ++++++++++++++++++
 .github/workflows/main.tf | 83 ++++++++++++
 .github/workflows/terraform.tfvars | 5 +
 .github/workflows/test.sh | 6 +
 .github/workflows/variables.tf | 65 ++++++++++
 LICENSE | 2 +-
 README.md | 47 ++++---
 collections/requirements.yml | 8 ++
 meta/main.yml | 11 +-
 tasks/main.yml | 5 +-
 15 files changed, 362 insertions(+), 98 deletions(-)
 create mode 100644 .github/workflows/OS.tfvars
 delete mode 100644 .github/workflows/communitytodevel.yml
 delete mode 100644 .github/workflows/develtomaster.yml
 create mode 100644 .github/workflows/github_networks.tf
 create mode 100644 .github/workflows/github_vars.tfvars
 create mode 100644 .github/workflows/linux_benchmark_testing.yml
 create mode 100644 .github/workflows/main.tf
 create mode 100644 .github/workflows/terraform.tfvars
 create mode 100644 .github/workflows/test.sh
 create mode 100644 .github/workflows/variables.tf
 create mode 100644 collections/requirements.yml
diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars
new file mode 100644
index 0000000..e9094cb
--- /dev/null
+++ b/.github/workflows/OS.tfvars
@@ -0,0 +1,9 @@
+#Ami ubuntu1804
+ami_id = "ami-0d9b9c46fcdf2864f"
+ami_os = "ubuntu18"
+ami_username = "ubuntu"
+ami_user_home = "/home/ubuntu"
+instance_tags = {
+ Name = "UBUNTU18-CIS"
+ Environment = "lockdown_github_repo_workflow"
+}
diff --git a/.github/workflows/communitytodevel.yml b/.github/workflows/communitytodevel.yml
deleted file mode 100644
index fa5b18d..0000000
--- a/.github/workflows/communitytodevel.yml
+++ /dev/null
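Review bot: `ami_id = "ami-0d9b9c46fcdf2864f"` pins the test image by bare id with no record of its owner or the region it is valid in, so a reviewer cannot check what image the benchmark really runs against or notice if the id is later swapped for a different one. A one-line comment above it naming the publisher/image name and region (main.tf reads the region from `var.aws_region`) would make that verifiable; a `data "aws_ami"` lookup filtered by owner would be the stronger form. Also `#Ami ubuntu1804` wants a space after `#`, and the sibling github_vars.tfvars in this commit uses `//` comments, so one style should be picked for the new tfvars files.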
@@ -1,38 +0,0 @@
-# This is a basic workflow to help you get started with Actions
-
-name: CommunityToDevel
-
-# Controls when the action will run. Triggers the workflow on push or pull request
-# events but only for the devel branch
-on:
- pull_request:
- branches: [ devel ]
-
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
-jobs:
- # This workflow contains a single job called "build"
- build:
- # The type of runner that the job will run on
- runs-on: ubuntu-latest
-
- # Steps represent a sequence of tasks that will be executed as part of the job
- steps:
- # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
-
- # Refactr pipeline for devel pull request/merge
- - name: Refactr - Run Pipeline (to devel)
- # You may pin to the exact commit or the version.
- # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
- uses: refactr/action-run-pipeline@v0.1.2
- with:
- # API token
- api_token: '${{ secrets.REFACTR_KEY }}'
- # Project ID
- project_id: 5f47f0c4a13c7b18373e5556
- # Job ID
- job_id: 5f933cbcf9c74e86b1609c00
- # Variables
- variables: '{ "gitrepo": "https://github.com/ansible-lockdown/UBUNTU18-CIS.git", "image": "ami-0608f6bd6e0eec7cc", "githubBranch": "${{ github.head_ref }}", "username": "ubuntu" }'
- # Refactr API base URL
- api_url: # optional
diff --git a/.github/workflows/develtomaster.yml b/.github/workflows/develtomaster.yml
deleted file mode 100644
index 8e37289..0000000
--- a/.github/workflows/develtomaster.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-# This is a basic workflow to help you get started with Actions
-
-name: DevelToMaster
-
-# Controls when the action will run. Triggers the workflow on push or pull request
-# events but only for the devel branch
-on:
- pull_request:
- branches: [ main ]
-
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
-jobs:
- # This workflow contains a single job called "build"
- build:
- # The type of runner that the job will run on
- runs-on: ubuntu-latest
-
- # Steps represent a sequence of tasks that will be executed as part of the job
- steps:
- # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
-
- # Refactr pipeline for devel pull request/merge
- - name: Refactr - Run Pipeline (to master)
- # You may pin to the exact commit or the version.
- # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
- uses: refactr/action-run-pipeline@v0.1.2
- with:
- # API token
- api_token: '${{ secrets.REFACTR_KEY }}'
- # Project ID
- project_id: 5f47f0c4a13c7b18373e5556
- # Job ID
- job_id: 5f90ad90f9c74e6d1e606e33
- # Variables
- variables: '{ "gitrepo": "https://github.com/ansible-lockdown/UBUNTU18-CIS.git", "image": "ami-0608f6bd6e0eec7cc", "username": "ubuntu" }'
- # Refactr API base URL
- api_url: # optional
diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf
new file mode 100644
index 0000000..d5a0db0
--- /dev/null
+++ b/.github/workflows/github_networks.tf
@@ -0,0 +1,11 @@
+resource "aws_vpc" "Main" {
+ cidr_block = var.main_vpc_cidr
+ tags = var.instance_tags
+}
+
+resource "aws_internet_gateway" "IGW" {
+ vpc_id = aws_vpc.Main.id
+ tags = {
+ Name = "${var.namespace}-IGW"
+ }
+}
diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars
new file mode 100644
index 0000000..38be3ed
--- /dev/null
+++ b/.github/workflows/github_vars.tfvars
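Review bot: Nothing in the visible hunks consumes `aws_vpc.Main` or `aws_internet_gateway.IGW`: main.tf attaches the security group to `data.aws_vpc.default.id` and `aws_instance.testing_vm` sets no `subnet_id`, so the test host appears to land in the account's default VPC while this VPC and gateway are created and destroyed unused on every run (the `public_subnets`/`private_subnets` values in github_vars.tfvars likewise have no visible consumer). If the intent is to isolate the benchmark host from anything else in the account, the instance needs a subnet inside `aws_vpc.Main` and the security group should use `vpc_id = aws_vpc.Main.id`; otherwise this file should be dropped so the workflow does not churn network resources it never uses. The tail of main.tf is outside this view, so a later reference to these resources there cannot be ruled out.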
@@ -0,0 +1,12 @@
+// github_actions variables
+// Resourced in github_networks.tf
+// Declared in variables.tf
+//
+
+namespace = "github_actions"
+
+// Matching pair name found in AWS for keypairs PEM key
+ami_key_pair_name = "github_actions"
+main_vpc_cidr = "172.22.0.0/24"
+public_subnets = "172.22.0.128/26"
+private_subnets = "172.22.0.192/26"
\ No newline at end of file
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml
new file mode 100644
index 0000000..3c4cf3f
--- /dev/null
+++ b/.github/workflows/linux_benchmark_testing.yml
@@ -0,0 +1,120 @@ +# This is a basic workflow to help you get started with Actions + +name: linux_benchmark_pipeline + +# Controls when the action will run. +# Triggers the workflow on push or pull request +# events but only for the devel branch +on: + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + +# A workflow run is made up of one or more jobs +# that can run sequentially or in parallel +jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: ubuntu-latest + + steps: + - uses: actions/first-interaction@v1.1.0 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well. + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on + runs-on: ubuntu-latest + + env: + ENABLE_DEBUG: false + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, + # so your job can access it + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + +### Build out the server + - name: Terraform_Init + working-directory: .github/workflows + run: terraform init + + - name: Terraform_Validate + working-directory: .github/workflows + run: terraform validate + + - name: Terraform_Apply + working-directory: .github/workflows + env: + 
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + working-directory: .github/workflows + run: cat hosts.yml + +# Centos 7 images take a while to come up insert sleep or playbook fails + + - name: Check if test os is rhel7 + working-directory: .github/workflows + id: test_os + run: >- + echo "::set-output name=RHEL7::$( + grep -c RHEL7 OS.tfvars + )" + + - name: if RHEL7 - Sleep for 60 seconds + if: steps.test_os.outputs.RHEL7 >= 1 + run: sleep 60s + shell: bash + +# Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} +# verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + +# Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + working-directory: .github/workflows + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf new file mode 100644 index 0000000..9ad9240 --- /dev/null +++ b/.github/workflows/main.tf 
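Review bot: The `pull_request_target` trigger together with `actions/checkout` at `ref: ${{ github.event.pull_request.head.sha }}` means a fork contributor's own `site.yml`, tasks and `.github/workflows/*.tf` files are executed in a job that has `secrets.AWS_ACCESS_KEY_ID`, `secrets.AWS_SECRET_ACCESS_KEY` and `secrets.SSH_PRV_KEY` in scope, which is exactly the combination GitHub's guidance for that event warns against; the deleted workflows only passed a branch name to an external pipeline and did not have this exposure. The `build` job should be gated on an explicit maintainer decision taken after reading the diff — for example a deployment `environment:` with required reviewers, or `if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')` with the label applied by a maintainer — and the Terraform credentials should belong to an IAM principal limited to the resources in main.tf. Two smaller points in the same hunk: `echo $PRIVATE_KEY > .ssh/github_actions.pem` should be `echo "$PRIVATE_KEY" > .ssh/github_actions.pem`, because the unquoted expansion word-splits a multi-line PEM onto a single line; and `uses: arillso/action.playbook@master` hands the private key to a mutable branch of a third-party action, so it should be pinned to a release tag or commit SHA the way `actions/checkout@v2` and `actions/first-interaction@v1.1.0` already are.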
@@ -0,0 +1,83 @@
+provider "aws" {
+ profile = ""
+ region = var.aws_region
+}
+
+// Create a security group with access to port 22 and port 80 open to serve HTTP traffic
+
+data "aws_vpc" "default" {
+ default = true
+}
+
+resource "random_id" "server" {
+ keepers = {
+ # Generate a new id each time we switch to a new AMI id
+ ami_id = "${var.ami_id}"
+ }
+
+ byte_length = 8
+}
+
+resource "aws_security_group" "github_actions" {
+ name = "${var.namespace}-${random_id.server.hex}"
+ vpc_id = data.aws_vpc.default.id
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ tags = {
+ Name = "${var.namespace}-SG"
+ }
+}
+
+// instance setup
+
+resource "aws_instance" "testing_vm" {
+ ami = var.ami_id
+ associate_public_ip_address = true
+ key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs
+ instance_type = var.instance_type
+ tags = var.instance_tags
+ vpc_security_group_ids = [aws_security_group.github_actions.id]
+ root_block_device {
+ delete_on_termination = true
+ }
+}
+
+// generate inventory file
+resource "local_file" "inventory" {
+ filename = "./hosts.yml"
+ directory_permission = "0755"
+ file_permission = "0644"
+ content = <