Adding working GitHub action workflow (#26)

* Fixed configs. Currently working locally.

* Updated workflow.

* Updated GitHub action workflow.

* Removed daily cron workflow schedule.

.github/workflows/workflow.yml

@@ -1,100 +1,35 @@
-name: 'Apply latest configuration profiles via Fleet'
-description: 'Applies the latest MDM configuration profiles to a Fleet team'
-
-inputs:
-  FLEET_API_TOKEN:
-    description: 'Fleet API Token'
-    required: true
-  FLEET_URL:
-    description: 'Fleet URL'
-    required: true
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Checkout code
-      uses: actions/checkout@v3
-      with:
-        repository: ${{ inputs.MDM_CONFIG_REPO }}
-
-    - name: Install fleetctl
-      run: npm install -g fleetctl
-      shell: bash
-
-    - name: Configure fleetctl
-      run: fleetctl config set --address ${{ inputs.FLEET_URL }} --token ${{ inputs.FLEET_API_TOKEN }}
-      shell: bash
-
-    - name: Run fleetctl apply
-      run: |
-        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-        # STEP 1: Apply config
-        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-        # Combine the contents of all the top-level config into a single YAML document
-
-        # - Include the contents of no-team.controls.yml
-        # TODO
-
-        # - Include the contents of default.settings.yml
-        # TODO
-
-        # - Include anything of `kind: config` in default.queries.yml
-        # TODO
-
-        # - Include anything of `kind: config` in default.policies.yml
-        # TODO
-
-        # Apply top-level config with `--replace` (replaces all existing top-level config)
-        # TODO
-
-        # Loop through folders in /teams and combine the contents of all team config into a single YAML document
-
-        # - Include the contents of <folder-name>.controls.yml
-        # TODO
-
-        # - Include the contents of <folder-name>.settings.yml
-        # TODO
-
-        # - Include anything of `kind: team` in <folder-name>.queries.yml
-        # TODO
-
-        # - Include anything of `kind: team` in <folder-name>.policies.yml
-        # TODO
-
-        # Apply team config with `--replace` (replaces all existing config for this team)
-        # TODO
-
-        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-        # STEP 2: Apply queries
-        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-        # Compile all queries into a single YAML document
-
-        # - Include anything of `kind: query` in default.queries.yml
-        # TODO
-        
-        # - Loop through folders in /teams and include anything of `kind: query` in <folder-name>.queries.yml for each
-        # TODO
-        
-        # Apply compiled queries YAML with `--replace` (deletes any queries in Fleet that aren't present in this config)
-        # TODO
-
-        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-        # STEP 3: Apply policies
-        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-        # Compile all policies into a single YAML document
-        # TODO
-        
-        # - Include anything of `kind: policy` in default.policies.yml
-        # TODO
-        
-        # - Loop through folders in /teams and include anything of `kind: policy` in <folder-name>.policies.yml for each
-        # TODO
-        
-        # Apply compiled policies YAML with `--replace` (deletes any policies in Fleet that aren't present in this config)
-        # TODO
-
-        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-        # All done!
-        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-      shell: bash
+name: 'Apply latest configuration to Fleet'
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch: # allows manual triggering
+
+defaults:
+  run:
+    shell: bash
+
+# Add FLEET_URL and FLEET_API_TOKEN to the repository secrets.
+# In addition, specify or add secrets for all the environment variables that are mentioned in the global/team YAML files.
+env:
+  FLEET_SSO_METADATA: ${{ secrets.FLEET_SSO_METADATA }}
+  FLEET_GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
+  FLEET_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_ENROLL_SECRET }}
+  FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET }}
+
+jobs:
+  build-docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout GitOps repository
+        uses: actions/checkout@v4
+
+      - name: Install fleetctl
+        run: npm install -g fleetctl
+
+      - name: Configure fleetctl
+        run: fleetctl config set --address ${{ secrets.FLEET_URL }} --token ${{ secrets.FLEET_API_TOKEN }}
+
+      - name: Run fleetctl gitops commands
+        run: ./workflow.sh

README.md

@@ -2,23 +2,30 @@
 
 > #### 🚧 Fleet GitOps is currently in development.
 >
-> In the mean time, you can explore this repo for a preview of Fleet's GitOps best practice, and track its progress [here](https://github.com/fleetdm/fleet/issues/13643).
+> In the meantime, you can explore this repo for a preview of Fleet's GitOps best practice, and track its progress [here](https://github.com/fleetdm/fleet/issues/13643).
 
 This folder illustrates the best practice for using Fleet with a GitOps workflow.
 
-How to setup a GitOps workflow to manage Fleet:
+How to set up a GitOps workflow to manage Fleet:
 
 1. Clone this repository.
 
 2. Make any changes to policies, queries, controls, and more defined in the files.
 
-3. Create your own GitHub repository and push your cloned and modified code to your repo.
+3. Create your own GitHub repository.
 
-4. Add Fleet's open-source [GitHub action](https://github.com/fleetdm/fleet-gitops) to your repo. Now, when anyone makes a change to any file, the action will run and update Fleet.
+4. Add `FLEET_URL` and `FLEET_API_KEY` to your GitHub repository secrets.
+
+5. Update the `env` section of your [.github/workflows/workflow.yml](https://github.com/fleetdm/fleet-gitops/blob/main/.github/workflows/workflow.yml) file for all the environment variables that are mentioned in your `default.yml` and `teams/*.yml` YAML files. For the environment variables that map to secrets, add the required secrets to your GitHub repository secrets.
+
+6. Push your cloned and modified code to your repo.
+
+7. In GitHub, enable the `Apply latest configuration to Fleet` GitHub Actions workflow, and run workflow manually. Now, when anyone pushes a new commit, the action will run and update Fleet.
 
 #### Structure:
 
 - `lib/` - folder for policies, queries, configuration profiles, scripts, and agent options. These files can be referenced in top level keys in the `default.yml` file and the files in the `teams/` folder.
 - `default.yml` - file that defines the queries, policies, controls, and agent options for all hosts. If you're using Fleet Premium, this file updates queries and policies that run on all hosts ("All teams"). Controls and agent options are defined for hosts on "No team."
-- `teams/` - folder for teams in Fleet. These files define the controls, queries, policies, and agent options for hosts assigned to the specified team.
-- `.github/workflows/workflow.yml` - TODO: Explain how to add/update secrets. That's what this file is used for
+- `teams/` - folder for teams in Fleet. These `*.yml` files define the controls, queries, policies, and agent options for hosts assigned to the specified team.
+- `.github/workflows/workflow.yml` - the GitHub Actions workflow file that applies the latest configuration to Fleet.
+- `workflow.sh` - the bash script that applies the latest configuration to Fleet by executing `fleetctl gitops`. This script is used in the GitHub Actions workflow file. It can be run standalone during development.

default.yml

@@ -6,15 +6,14 @@ controls: # Controls added to "No team"
   macos_settings:
     custom_settings:
       - path: ./lib/macos-password.mobileconfig
-#     DDM support coming soon
-#     - path: ../lib/macos-os-updates.ddm.json
+      # - path: ../lib/macos-os-updates.ddm.json (DDM coming soon)
   windows_settings:
     custom_settings:
-    - path: ./lib/windows-screenlock.xml
+      - path: ./lib/windows-screenlock.xml
   scripts:
     - path: ./lib/collect-fleetd-logs.sh
 queries:
-- path: ./lib/collect-fleetd-update-channels.queries.yml
+  - path: ./lib/collect-fleetd-update-channels.queries.yml
 policies:
 agent_options:
   path: ./lib/agent-options.yml

lib/agent-options.yml

@@ -2,8 +2,8 @@ command_line_flags:
 config:
   decorators:
     load:
-    - SELECT uuid AS host_uuid FROM system_info;
-    - SELECT hostname AS hostname FROM system_info;
+      - SELECT uuid AS host_uuid FROM system_info;
+      - SELECT hostname AS hostname FROM system_info;
   options:
     disable_distributed: false
     distributed_interval: 10

lib/collect-fleetd-update-channels.queries.yml

@@ -1,4 +1,4 @@
-- name: Collect fleetd update channels 
+- name: Collect fleetd update channels
   description: "Collects the update channels for all fleetd components: osquery, Orbit, and Fleet Desktop. To see which version number each channel is on, ask in #help-engineering."
   query: SELECT desktop_channel, orbit_channel, osqueryd_channel FROM orbit_info;
   interval: 300 # 5 minutes

lib/collect-usb-devices.queries.yml

@@ -1,4 +1,4 @@
-- name: Collect USB devices 
+- name: Collect USB devices
   description: Collects the USB devices that are currently connected to macOS and Linux hosts.
   query: SELECT model, vendor FROM usb_devices;
   interval: 300 # 5 minutes

teams/workstations-canary.yml

@@ -15,32 +15,32 @@ controls:
     grace_period_days: 2
   macos_settings:
     custom_settings:
-    # - path: ../lib/macos-os-updates.ddm.json (DDM coming soon)
-    - path: ../lib/macos-password.mobileconfig
+      # - path: ../lib/macos-os-updates.ddm.json (DDM coming soon)
+      - path: ../lib/macos-password.mobileconfig
   windows_settings:
     custom_settings:
-    - path: ../lib/windows-screenlock.xml
+      - path: ../lib/windows-screenlock.xml
   macos_setup:
-      # bootstrap_package: https://github.com/organinzation/repository/bootstrap-package.pkg (Example URL)
-      enable_end_user_authentication: true
-      macos_setup_assistant: ../lib/automatic-enrollment.dep.json
+    # bootstrap_package: https://github.com/organinzation/repository/bootstrap-package.pkg (Example URL)
+    # enable_end_user_authentication: true
+    macos_setup_assistant: ../lib/automatic-enrollment.dep.json
   scripts:
-  - path: ../lib/remove-zoom-artifacts.script.sh
-  - path: ../lib/set-timezone.script.sh
-queries: 
-- path: ../lib/collect-usb-devices.queries.yml
-- path: ../lib/collect-failed-login-attempts.queries.yml
-- name: Collect fleetd update channels 
-  description: "Collects the update channels for all fleetd components: osquery, Orbit, and Fleet Desktop. To see which version number each channel is on, ask in #help-engineering."
-  query: SELECT desktop_channel, orbit_channel, osqueryd_channel FROM orbit_info;
-  interval: 300
-  observer_can_run: true
-  automations_enabled: false
+    - path: ../lib/remove-zoom-artifacts.script.sh
+    - path: ../lib/set-timezone.script.sh
+queries:
+  - path: ../lib/collect-usb-devices.queries.yml
+  - path: ../lib/collect-failed-login-attempts.queries.yml
+  - name: Collect fleetd update channels
+    description: "Collects the update channels for all fleetd components: osquery, Orbit, and Fleet Desktop. To see which version number each channel is on, ask in #help-engineering."
+    query: SELECT desktop_channel, orbit_channel, osqueryd_channel FROM orbit_info;
+    interval: 300
+    observer_can_run: true
+    automations_enabled: false
 policies:
   - path: ../lib/macos-device-health.policies.yml
   - path: ../lib/windows-device-health.policies.yml
 agent_options:
   path: ../lib/agent-options.yml
 team_settings:
   secrets:
-  - secret: "$FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET"
+    - secret: "$FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET"

teams/workstations.yml

@@ -15,26 +15,26 @@ controls:
     grace_period_days: 2
   macos_settings:
     custom_settings:
-    # - path: ../lib/macos-os-updates.ddm.json (DDM coming soon)
-    - path: ../lib/macos-password.mobileconfig
+      # - path: ../lib/macos-os-updates.ddm.json (DDM coming soon)
+      - path: ../lib/macos-password.mobileconfig
   windows_settings:
     custom_settings:
     - path: ../lib/windows-screenlock.xml
   macos_setup:
       # bootstrap_package: https://github.com/organinzation/repository/bootstrap-package.pkg (example URL)
-      enable_end_user_authentication: true
+      # enable_end_user_authentication: true
       macos_setup_assistant: ../lib/automatic-enrollment.dep.json
   scripts:
-  - path: ../lib/remove-zoom-artifacts.script.sh
-  - path: ../lib/set-timezone.script.sh
-queries: 
-- path: ../lib/collect-usb-devices.queries.yml
-- path: ../lib/collect-failed-login-attempts.queries.yml
+    - path: ../lib/remove-zoom-artifacts.script.sh
+    - path: ../lib/set-timezone.script.sh
+queries:
+  - path: ../lib/collect-usb-devices.queries.yml
+  - path: ../lib/collect-failed-login-attempts.queries.yml
 policies:
   - path: ../lib/macos-device-health.policies.yml
   - path: ../lib/windows-device-health.policies.yml
 agent_options:
   path: ../lib/agent-options.yml
 team_settings:
   secrets:
-  - secret: "$FLEET_WORKSTATIONS_ENROLL_SECRET"
+    - secret: "$FLEET_WORKSTATIONS_ENROLL_SECRET"

workflow.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+# -e: Immediately exit if any command has a non-zero exit status.
+# -x: Print all executed commands to the terminal.
+# -u: Exit if an undefined variable is used.
+# -o pipefail: Exit if any command in a pipeline fails.
+set -exuo pipefail
+
+GLOBAL_FILE=./default.yml
+FLEETCTL="${FLEETCTL:-fleetctl}"
+
+# Validate that global file contains org_settings
+grep -Exq "^org_settings:.*" $GLOBAL_FILE
+
+if compgen -G ./teams/*.yml > /dev/null; then
+  # Validate that every team has a unique name.
+  # This is a limited check that assumes all team files contain the phrase: `name: <team_name>`
+  ! perl -nle 'print $1 if /^name:\s*(.+)$/' ./teams/*.yml | sort | uniq -d | grep . -cq
+fi
+
+# Dry run
+$FLEETCTL gitops -f $GLOBAL_FILE --dry-run
+for team_file in ./teams/*.yml; do
+  $FLEETCTL gitops -f "$team_file" --dry-run
+done
+
+# Real run
+$FLEETCTL gitops -f $GLOBAL_FILE
+for team_file in ./teams/*.yml; do
+  $FLEETCTL gitops -f "$team_file"
+done