From a6abda7dfee9b5e399a2813007209bd035b09b42 Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Mon, 12 Feb 2024 16:17:44 +0000
Subject: [PATCH 01/14] updated metafile

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 meta/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/main.yml b/meta/main.yml
index 7252738..08837c3 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -5,7 +5,7 @@ galaxy_info:
     description: "Apply the Debian 11 CIS benchmarks"
     company: "MindPoint Group"
     license: MIT
-    namespace: ansible_lockdown
+    namespace: ansible-lockdown
     role_name: debian11_cis
     min_ansible_version: 2.15.1
     platforms:

From fc80cd8b64fd17ee8dee3e7e60332e6c0237733b Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Mon, 12 Feb 2024 16:19:38 +0000
Subject: [PATCH 02/14] updated metafile

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 meta/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/main.yml b/meta/main.yml
index 08837c3..ebdb5df 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -5,7 +5,7 @@ galaxy_info:
     description: "Apply the Debian 11 CIS benchmarks"
     company: "MindPoint Group"
     license: MIT
-    namespace: ansible-lockdown
+    namespace: mindpointgroup
     role_name: debian11_cis
     min_ansible_version: 2.15.1
     platforms:

From 55af27bf63e589f93f51067ef16f056a53981b4e Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Tue, 13 Feb 2024 08:17:55 +0000
Subject: [PATCH 03/14] updated cis version ref

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index d2935bc..c4152b4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,7 +13,7 @@ skip_reboot: true
 ## Benchmark name used by auditing control role
 # The audit variable found at the base
 benchmark: DEBIAN11-CIS
-benchmark_version: v1.0.0
+benchmark_version: 1.0.0
 # Used for audit
 debian11cis_level_1: true
 debian11cis_level_2: true

From 3462fdbe037abfee1005d08d887e8e4dc8894a7d Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Tue, 13 Feb 2024 13:40:49 +0000
Subject: [PATCH 04/14] updated to latest versions

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 .../workflows/devel_pipeline_validation.yml   | 271 +++++++++---------
 .../workflows/main_pipeline_validation.yml    | 250 ++++++++--------
 2 files changed, 261 insertions(+), 260 deletions(-)

diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
index 9fbe7aa..9cf8911 100644
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -1,138 +1,139 @@
 ---
 
-    name: Devel pipeline
-
-    on: # yamllint disable-line rule:truthy
-      pull_request_target:
-          types: [opened, reopened, synchronize]
-          branches:
-              - devel
-          paths:
-              - '**.yml'
-              - '**.sh'
-              - '**.j2'
-              - '**.ps1'
-              - '**.cfg'
-
-    # A workflow run is made up of one or more jobs
-    # that can run sequentially or in parallel
-    jobs:
-      # This will create messages for first time contributers and direct them to the Discord server
-        welcome:
-          runs-on: ubuntu-latest
-
-          steps:
-              - uses: actions/first-interaction@main
-                with:
-                  repo-token: ${{ secrets.GITHUB_TOKEN }}
-                  pr-message: |-
-                      Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                      Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
-
-        # This workflow contains a single job that tests the playbook
-        playbook-test:
-          # The type of runner that the job will run on
-          runs-on: ubuntu-latest
-          env:
-            ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
-            # Imported as a variable by terraform
-            TF_VAR_repository: ${{ github.event.repository.name }}
-          defaults:
-            run:
-              shell: bash
-              working-directory: .github/workflows/github_linux_IaC
-
-          steps:
-            - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v4
+  name: Devel pipeline
+
+  on: # yamllint disable-line rule:truthy
+    pull_request_target:
+        types: [opened, reopened, synchronize]
+        branches:
+            - devel
+        paths:
+            - '**.yml'
+            - '**.sh'
+            - '**.j2'
+            - '**.ps1'
+            - '**.cfg'
+
+  # A workflow run is made up of one or more jobs
+  # that can run sequentially or in parallel
+  jobs:
+    # This will create messages for first time contributers and direct them to the Discord server
+      welcome:
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/first-interaction@main
               with:
-                ref: ${{ github.event.pull_request.head.sha }}
-
-            # Pull in terraform code for linux servers
-            - name: Clone GitHub IaC plan
-              uses: actions/checkout@v4
-              with:
-                repository: ansible-lockdown/github_linux_IaC
-                path: .github/workflows/github_linux_IaC
-
-            - name: Add_ssh_key
-              working-directory: .github/workflows
-              env:
-                  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
-                  PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
-              run: |
-                mkdir .ssh
-                chmod 700 .ssh
-                echo $PRIVATE_KEY > .ssh/github_actions.pem
-                chmod 600 .ssh/github_actions.pem
-
-            - name: DEBUG - Show IaC files
-              if: env.ENABLE_DEBUG == 'true'
-              run: |
-                echo "OSVAR = $OSVAR"
-                echo "benchmark_type = $benchmark_type"
-                pwd
-                ls
-              env:
-                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-                OSVAR: ${{ vars.OSVAR }}
-                benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-
-            - name: Terraform_Init
-              id: init
-              run: terraform init
-              env:
-                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-                OSVAR: ${{ vars.OSVAR }}
-                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-
-            - name: Terraform_Validate
-              id: validate
-              run: terraform validate
-              env:
-                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-                OSVAR: ${{ vars.OSVAR }}
-                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-
-            - name: Terraform_Apply
-              id: apply
-              env:
-                AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-                AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-                OSVAR: ${{ vars.OSVAR }}
-                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-              run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
-
-  ## Debug Section
-            - name: DEBUG - Show Ansible hostfile
-              if: env.ENABLE_DEBUG == 'true'
-              run: cat hosts.yml
-
-      # Aws deployments taking a while to come up insert sleep or playbook fails
-
-            - name: Sleep for 60 seconds
-              run: sleep ${{ vars.BUILD_SLEEPTIME }}
-
-          # Run the Ansibleplaybook
-            - name: Run_Ansible_Playbook
-              uses: arillso/action.playbook@master
-              with:
-                playbook: site.yml
-                inventory: .github/workflows/github_linux_IaC/hosts.yml
-                galaxy_file: collections/requirements.yml
-                private_key: ${{ secrets.SSH_PRV_KEY }}
-        #          verbose: 3
-              env:
-                ANSIBLE_HOST_KEY_CHECKING: "false"
-                ANSIBLE_DEPRECATION_WARNINGS: "false"
-
-          # Remove test system - User secrets to keep if necessary
-
-            - name: Terraform_Destroy
-              if: always() && env.ENABLE_DEBUG == 'false'
-              env:
-                AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-                AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-                OSVAR: ${{ vars.OSVAR }}
-                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-              run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+                repo-token: ${{ secrets.GITHUB_TOKEN }}
+                pr-message: |-
+                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+
+      # This workflow contains a single job that tests the playbook
+      playbook-test:
+        # The type of runner that the job will run on
+        runs-on: ubuntu-latest
+        env:
+          ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+          # Imported as a variable by terraform
+          TF_VAR_repository: ${{ github.event.repository.name }}
+        defaults:
+          run:
+            shell: bash
+            working-directory: .github/workflows/github_linux_IaC
+
+        steps:
+          - name: Clone ${{ github.event.repository.name }}
+            uses: actions/checkout@v4
+            with:
+              ref: ${{ github.event.pull_request.head.sha }}
+
+          # Pull in terraform code for linux servers
+          - name: Clone GitHub IaC plan
+            uses: actions/checkout@v4
+            with:
+              repository: ansible-lockdown/github_linux_IaC
+              path: .github/workflows/github_linux_IaC
+
+          - name: Add_ssh_key
+            working-directory: .github/workflows
+            env:
+                SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+                PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+            run: |
+              mkdir .ssh
+              chmod 700 .ssh
+              echo $PRIVATE_KEY > .ssh/github_actions.pem
+              chmod 600 .ssh/github_actions.pem
+
+          - name: DEBUG - Show IaC files
+            if: env.ENABLE_DEBUG == 'true'
+            run: |
+              echo "OSVAR = $OSVAR"
+              echo "benchmark_type = $benchmark_type"
+              pwd
+              ls
+            env:
+              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+              OSVAR: ${{ vars.OSVAR }}
+              benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+          - name: Terraform_Init
+            id: init
+            run: terraform init
+            env:
+              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+          - name: Terraform_Validate
+            id: validate
+            run: terraform validate
+            env:
+              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+          - name: Terraform_Apply
+            id: apply
+            env:
+              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+            run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+
+## Debug Section
+          - name: DEBUG - Show Ansible hostfile
+            if: env.ENABLE_DEBUG == 'true'
+            run: cat hosts.yml
+
+    # Aws deployments taking a while to come up insert sleep or playbook fails
+
+          - name: Sleep for 60 seconds
+            run: sleep ${{ vars.BUILD_SLEEPTIME }}
+
+        # Run the Ansible playbook
+          - name: Run_Ansible_Playbook
+            uses: arillso/action.playbook@master
+            with:
+              playbook: site.yml
+              inventory: .github/workflows/github_linux_IaC/hosts.yml
+              galaxy_file: collections/requirements.yml
+              private_key: ${{ secrets.SSH_PRV_KEY }}
+      #          verbose: 3
+            env:
+              ANSIBLE_HOST_KEY_CHECKING: "false"
+              ANSIBLE_DEPRECATION_WARNINGS: "false"
+              ANSIBLE_INJECT_FACT_VARS: "false"
+
+        # Remove test system - User secrets to keep if necessary
+
+          - name: Terraform_Destroy
+            if: always() && env.ENABLE_DEBUG == 'false'
+            env:
+              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+            run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
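Review bot: The `Terraform_Destroy` condition `if: always() && env.ENABLE_DEBUG == 'false'` at the end of the hunk skips the tear-down whenever the `ENABLE_DEBUG` repository variable is unset, because `ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}` then yields an empty string, so the AWS host created by `Terraform_Apply` is left running; `if: always() && env.ENABLE_DEBUG != 'true'` mirrors the positive checks the DEBUG steps already use. The workflow runs on `pull_request_target`, checks out `github.event.pull_request.head.sha` and then executes `arillso/action.playbook@master` against that checkout with `SSH_PRV_KEY` and the AWS keys in the step environment, so contributor-controlled playbook content runs with repository secrets; gating `playbook-test` on a protected environment with required reviewers, or moving the untrusted checkout into a separate job that holds no secrets, contains that. `actions/first-interaction@main` and `arillso/action.playbook@master` track mutable branches and should be pinned to a full commit SHA (the `actions/checkout@v4` references are at least tagged). In `Add_ssh_key`, `echo $PRIVATE_KEY > .ssh/github_actions.pem` is unquoted, so if the secret holds a multi-line PEM it is word-split and rewritten with spaces in place of newlines; `printf '%s\n' "$PRIVATE_KEY" > .ssh/github_actions.pem` keeps the key intact. Every one of these points applies unchanged to the `main_pipeline_validation.yml` hunk below.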
diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
index 67ee9d9..6fa4c58 100644
--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@@ -1,127 +1,127 @@
 ---
 
-    name: Main pipeline
-
-    on: # yamllint disable-line rule:truthy
-      pull_request_target:
-          types: [opened, reopened, synchronize]
-          branches:
-              - main
-          paths:
-              - '**.yml'
-              - '**.sh'
-              - '**.j2'
-              - '**.ps1'
-              - '**.cfg'
-
-    # A workflow run is made up of one or more jobs
-    # that can run sequentially or in parallel
-    jobs:
-
-        # This workflow contains a single job that tests the playbook
-        playbook-test:
-          # The type of runner that the job will run on
-          runs-on: ubuntu-latest
-          env:
-            ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
-            # Imported as a variable by terraform
-            TF_VAR_repository: ${{ github.event.repository.name }}
-          defaults:
-            run:
-              shell: bash
-              working-directory: .github/workflows/github_linux_IaC
-
-          steps:
-            - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v4
-              with:
-                ref: ${{ github.event.pull_request.head.sha }}
-
-            # Pull in terraform code for linux servers
-            - name: Clone GitHub IaC plan
-              uses: actions/checkout@v4
-              with:
-                repository: ansible-lockdown/github_linux_IaC
-                path: .github/workflows/github_linux_IaC
-
-            - name: Add_ssh_key
-              working-directory: .github/workflows
-              env:
-                  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
-                  PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
-              run: |
-                mkdir .ssh
-                chmod 700 .ssh
-                echo $PRIVATE_KEY > .ssh/github_actions.pem
-                chmod 600 .ssh/github_actions.pem
-
-            - name: DEBUG - Show IaC files
-              if: env.ENABLE_DEBUG == 'true'
-              run: |
-                echo "OSVAR = $OSVAR"
-                echo "benchmark_type = $benchmark_type"
-                pwd
-                ls
-              env:
-                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-                OSVAR: ${{ vars.OSVAR }}
-                benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-
-            - name: Terraform_Init
-              id: init
-              run: terraform init
-              env:
-                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-                OSVAR: ${{ vars.OSVAR }}
-                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-
-            - name: Terraform_Validate
-              id: validate
-              run: terraform validate
-              env:
-                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-                OSVAR: ${{ vars.OSVAR }}
-                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-
-            - name: Terraform_Apply
-              id: apply
-              env:
-                AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-                AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-                OSVAR: ${{ vars.OSVAR }}
-                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-              run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
-
-  ## Debug Section
-            - name: DEBUG - Show Ansible hostfile
-              if: env.ENABLE_DEBUG == 'true'
-              run: cat hosts.yml
-
-      # Aws deployments taking a while to come up insert sleep or playbook fails
-
-            - name: Sleep for 60 seconds
-              run: sleep ${{ vars.BUILD_SLEEPTIME }}
-
-          # Run the Ansibleplaybook
-            - name: Run_Ansible_Playbook
-              uses: arillso/action.playbook@master
-              with:
-                playbook: site.yml
-                inventory: .github/workflows/github_linux_IaC/hosts.yml
-                galaxy_file: collections/requirements.yml
-                private_key: ${{ secrets.SSH_PRV_KEY }}
-        #          verbose: 3
-              env:
-                ANSIBLE_HOST_KEY_CHECKING: "false"
-                ANSIBLE_DEPRECATION_WARNINGS: "false"
-
-          # Remove test system - User secrets to keep if necessary
-
-            - name: Terraform_Destroy
-              if: always() && env.ENABLE_DEBUG == 'false'
-              env:
-                AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-                AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-                OSVAR: ${{ vars.OSVAR }}
-                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-              run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+  name: Main pipeline
+
+  on: # yamllint disable-line rule:truthy
+    pull_request_target:
+        types: [opened, reopened, synchronize]
+        branches:
+            - main
+        paths:
+            - '**.yml'
+            - '**.sh'
+            - '**.j2'
+            - '**.ps1'
+            - '**.cfg'
+
+  # A workflow run is made up of one or more jobs
+  # that can run sequentially or in parallel
+  jobs:
+
+      # This workflow contains a single job that tests the playbook
+      playbook-test:
+        # The type of runner that the job will run on
+        runs-on: ubuntu-latest
+        env:
+          ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+          # Imported as a variable by terraform
+          TF_VAR_repository: ${{ github.event.repository.name }}
+        defaults:
+          run:
+            shell: bash
+            working-directory: .github/workflows/github_linux_IaC
+
+        steps:
+          - name: Clone ${{ github.event.repository.name }}
+            uses: actions/checkout@v4
+            with:
+              ref: ${{ github.event.pull_request.head.sha }}
+
+          # Pull in terraform code for linux servers
+          - name: Clone GitHub IaC plan
+            uses: actions/checkout@v4
+            with:
+              repository: ansible-lockdown/github_linux_IaC
+              path: .github/workflows/github_linux_IaC
+
+          - name: Add_ssh_key
+            working-directory: .github/workflows
+            env:
+                SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+                PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+            run: |
+              mkdir .ssh
+              chmod 700 .ssh
+              echo $PRIVATE_KEY > .ssh/github_actions.pem
+              chmod 600 .ssh/github_actions.pem
+
+          - name: DEBUG - Show IaC files
+            if: env.ENABLE_DEBUG == 'true'
+            run: |
+              echo "OSVAR = $OSVAR"
+              echo "benchmark_type = $benchmark_type"
+              pwd
+              ls
+            env:
+              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+              OSVAR: ${{ vars.OSVAR }}
+              benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+          - name: Terraform_Init
+            id: init
+            run: terraform init
+            env:
+              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+          - name: Terraform_Validate
+            id: validate
+            run: terraform validate
+            env:
+              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+          - name: Terraform_Apply
+            id: apply
+            env:
+              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+            run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+
+## Debug Section
+          - name: DEBUG - Show Ansible hostfile
+            if: env.ENABLE_DEBUG == 'true'
+            run: cat hosts.yml
+
+    # Aws deployments taking a while to come up insert sleep or playbook fails
+
+          - name: Sleep for 60 seconds
+            run: sleep ${{ vars.BUILD_SLEEPTIME }}
+
+        # Run the Ansible playbook
+          - name: Run_Ansible_Playbook
+            uses: arillso/action.playbook@master
+            with:
+              playbook: site.yml
+              inventory: .github/workflows/github_linux_IaC/hosts.yml
+              galaxy_file: collections/requirements.yml
+              private_key: ${{ secrets.SSH_PRV_KEY }}
+      #          verbose: 3
+            env:
+              ANSIBLE_HOST_KEY_CHECKING: "false"
+              ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+        # Remove test system - User secrets to keep if necessary
+
+          - name: Terraform_Destroy
+            if: always() && env.ENABLE_DEBUG == 'false'
+            env:
+              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+            run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
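Review bot: The `Run_Ansible_Playbook` env block at the end of this hunk lacks the `ANSIBLE_INJECT_FACT_VARS: "false"` entry that the devel workflow in this same commit adds, so main and devel now validate the playbook with different fact-injection settings; add `ANSIBLE_INJECT_FACT_VARS: "false"` after `ANSIBLE_DEPRECATION_WARNINGS: "false"` (or drop it from devel) so both pipelines exercise the same configuration. The remaining concerns — the `pull_request_target` trigger combined with a head-SHA checkout and secret-bearing steps, the mutable `@main`/`@master` action refs, the `ENABLE_DEBUG == 'false'` destroy condition, and the unquoted `echo $PRIVATE_KEY` — are identical to those raised on the devel hunk above.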

From e855e7a3c9a7f799de846cf64165996d93cf779b Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]"
 <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 19 Feb 2024 17:48:17 +0000
Subject: [PATCH 05/14] [pre-commit.ci] pre-commit autoupdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- [github.com/ansible-community/ansible-lint: v6.22.2 → v24.2.0](https://github.com/ansible-community/ansible-lint/compare/v6.22.2...v24.2.0)
- [github.com/adrienverge/yamllint.git: v1.33.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.35.1)
---
 .pre-commit-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f5c1824..82858b5 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -42,7 +42,7 @@ repos:
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.22.2
+  rev: v24.2.0
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -61,6 +61,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.33.0  # or higher tag
+  rev: v1.35.1  # or higher tag
   hooks:
   - id: yamllint

From 6fed4a5b4eae38e0be8c81f6c6deacfb1b7b773d Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Mon, 4 Mar 2024 17:45:59 +0000
Subject: [PATCH 06/14] added credits

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/README.md b/README.md
index e7da012..abfe19f 100644
--- a/README.md
+++ b/README.md
@@ -160,3 +160,8 @@ EOF
 apt update
 apt install grub-pc -y
 ```
+
+## Credits and Thanks
+
+Massive thanks to the fantastic community and all its members.
+This includes a huge thanks and credit to the original authors and maintainers.

From 4a6b34cff70f8a42d1b7f6746fd306c0e79214c1 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]"
 <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 22 Apr 2024 14:12:16 +0100
Subject: [PATCH 07/14] [pre-commit.ci] pre-commit autoupdate (#6)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.5.0...v4.6.0)
- [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.2](https://github.com/ansible-community/ansible-lint/compare/v24.2.0...v24.2.2)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
---
 .pre-commit-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 82858b5..976cd4a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.5.0
+  rev: v4.6.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -42,7 +42,7 @@ repos:
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.2.0
+  rev: v24.2.2
   hooks:
   - id: ansible-lint
     name: Ansible-lint

From e2b418df1ef701ebc6ef7760ea20a0dea090ad1d Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]"
 <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Thu, 13 Jun 2024 13:17:16 +0100
Subject: [PATCH 08/14] [pre-commit.ci] pre-commit autoupdate (#7)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- [github.com/Yelp/detect-secrets: v1.4.0 → v1.5.0](https://github.com/Yelp/detect-secrets/compare/v1.4.0...v1.5.0)
- [github.com/gitleaks/gitleaks: v8.18.2 → v8.18.3](https://github.com/gitleaks/gitleaks/compare/v8.18.2...v8.18.3)
- [github.com/ansible-community/ansible-lint: v24.2.2 → v24.6.0](https://github.com/ansible-community/ansible-lint/compare/v24.2.2...v24.6.0)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
---
 .pre-commit-config.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 976cd4a..d85e471 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -30,19 +30,19 @@ repos:
 
 # Scan for passwords
 - repo: https://github.com/Yelp/detect-secrets
-  rev: v1.4.0
+  rev: v1.5.0
   hooks:
   - id: detect-secrets
     args: [ '--baseline', '.config/.secrets.baseline' ]
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.2
+  rev: v8.18.3
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.2.2
+  rev: v24.6.0
   hooks:
   - id: ansible-lint
     name: Ansible-lint

From daf6d827d59aa45702c77ed29c583941669ae3a8 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]"
 <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 24 Jun 2024 17:46:56 +0000
Subject: [PATCH 09/14] [pre-commit.ci] pre-commit autoupdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- [github.com/gitleaks/gitleaks: v8.18.3 → v8.18.4](https://github.com/gitleaks/gitleaks/compare/v8.18.3...v8.18.4)
- [github.com/ansible-community/ansible-lint: v24.6.0 → v24.6.1](https://github.com/ansible-community/ansible-lint/compare/v24.6.0...v24.6.1)
---
 .pre-commit-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d85e471..3942a46 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -36,13 +36,13 @@ repos:
     args: [ '--baseline', '.config/.secrets.baseline' ]
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.3
+  rev: v8.18.4
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.6.0
+  rev: v24.6.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint

From eb90cc18e1062dd83b5d810378117567b1b119ba Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Fri, 12 Jul 2024 14:58:52 +0100
Subject: [PATCH 10/14] update audit

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 defaults/main.yml                | 38 +++++++++++++++----------
 tasks/audit_only.yml             |  2 +-
 tasks/post_remediation_audit.yml | 26 ++++++++---------
 tasks/pre_remediation_audit.yml  | 48 +++++++++++++++++---------------
 vars/audit.yml                   |  7 +++--
 5 files changed, 65 insertions(+), 56 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index c4152b4..700c969 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -31,26 +31,30 @@ debian11cis_ask_passwd_to_boot: false
 # This allows the ability to skip tasks that may cause an issue
 debian11cis_uses_root: false
 
+###
 ### Settings for associated Audit role using Goss
 ###
 
-##########################################
+###########################################
 ### Goss is required on the remote host ###
-## Refer to vars/auditd.yml for any other settings ##
+### vars/audit.yml for other settings  ###
 
 # Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
 setup_audit: false
 
 # enable audits to run - this runs the audit and get the latest content
 run_audit: false
+# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
+audit_run_heavy_tests: true
 
-# Only run Audit do not remediate
+## Only run Audit do not remediate
 audit_only: false
-# As part of audit_only
-# This will enable files to be copied back to control node
+### As part of audit_only ###
+# This will enable files to be copied back to control node in audit_only mode
 fetch_audit_files: false
-# Path to copy the files to will create dir structure
+# Path to copy the files to will create dir structure in audit_only mode
 audit_capture_files_dir: /some/location to copy to on control node
+#############################
 
 # How to retrieve audit binary
 # Options are copy or download - detailed settings at the bottom of this file
@@ -63,20 +67,24 @@ get_audit_binary_method: download
 audit_bin_copy_location: /some/accessible/path
 
 # how to get audit files onto host options
-# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
+# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
 audit_content: git
 
-# archive or copy:
-audit_conf_copy: "some path to copy from"
+# If using either archive, copy, get_url:
+## Note will work with .tar files - zip will require extra configuration
+### If using get_url this is expecting github url in tar.gz format e.g.
+### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
+audit_conf_source: "some path or url to copy from"
 
-# get_url:
-audit_files_url: "some url maybe s3?"
-
-# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
-audit_run_heavy_tests: true
+# Destination for the audit content to be placed on managed node
+# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
+audit_conf_dest: "/opt"
 
-### End Goss enablements ####
+# Where the audit logs are stored
+audit_log_dir: '/opt'
 
+### Goss Settings ##
+####### END ########
 # tweak role to run in a chroot, such as in kickstart %post script
 debian11cis_system_is_chroot: "{{ ansible_is_chroot | default(False) }}"
 
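Review bot: The example URL in the new `audit_conf_source` comment points at a branch archive (`refs/heads/benchmark-v1.0.0.tar.gz`), which is mutable, so the audit content that ends up executing on every managed node can change between runs without any change to this role; the comment should steer users to a tag archive (`refs/tags/...`) or a release asset whose checksum they can record alongside the URL. `audit_conf_dest: "/opt"` and `audit_log_dir: '/opt'` use different quote styles for the same kind of value two lines apart; pick one. The closing `### Goss Settings ##` / `####### END ########` banner sits directly on the chroot comment with no blank line, unlike the other section breaks in this file.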
diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml
index 864f5bb..ab5a573 100644
--- a/tasks/audit_only.yml
+++ b/tasks/audit_only.yml
@@ -22,7 +22,7 @@
   when:
       - audit_only
   ansible.builtin.debug:
-      msg: "The Audit results are: {{ pre_audit_summary }}."
+      msg: "{{ audit_results.split('\n') }}"
 
 - name: Audit_only | Stop Playbook Audit Only selected
   when:
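Review bot: `msg: "{{ audit_results.split('\n') }}"` relies on YAML double-quote escaping: the `\n` becomes a real newline character before Jinja sees it, so the Jinja string literal holds a raw line break and the split only works because Jinja's lexer tolerates that. `msg: "{{ audit_results.splitlines() }}"` expresses the intent without any escaping question and also copes with `\r\n`. The enclosing task starts before the hunk.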
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index 2c51bbb..d58e921 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@@ -1,11 +1,11 @@
 ---
 
 - name: Post Audit | Run post_remediation {{ benchmark }} audit
-  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
+  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
   changed_when: true
   environment:
       AUDIT_BIN: "{{ audit_bin }}"
-      AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
+      AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
       AUDIT_FILE: goss.yml
 
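Review bot: Every value interpolated into the `ansible.builtin.shell` command line, including the new `-f {{ audit_format }}`, is unquoted, so a path or format value containing whitespace or shell metacharacters is split or interpreted by the shell; the `quote` filter exists for exactly this, e.g. `-f {{ audit_format | quote }} -o {{ post_audit_outfile | quote }}`. `AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"` repeats the default that defaults/main.yml already declares, so the two can drift; referencing `audit_conf_dest` without the `default` filter keeps one source of truth. Both points apply equally to the `Pre Audit | Run pre_remediation` hunk in tasks/pre_remediation_audit.yml.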
 - name: Post Audit | ensure audit files readable by users
@@ -21,26 +21,24 @@
   when:
       - audit_format == "json"
   block:
-      - name: capture data {{ post_audit_outfile }}
-        ansible.builtin.shell: cat {{ post_audit_outfile }}
-        register: post_audit
+      - name: Post Audit | Capture audit data if json format
+        ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
+        register: post_audit_summary
         changed_when: false
 
-      - name: Capture post-audit result
+      - name: Post Audit | Set Fact for audit summary
         ansible.builtin.set_fact:
-            post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
-        vars:
-            summary: summary."summary-line"
+            post_audit_results: "{{ post_audit_summary.stdout }}"
 
 - name: Post Audit | Capture audit data if documentation format
   when:
       - audit_format == "documentation"
   block:
-      - name: Post Audit | capture data {{ post_audit_outfile }}
-        ansible.builtin.shell: tail -2 {{ post_audit_outfile }}
-        register: post_audit
+      - name: Post Audit | Capture audit data if documentation format
+        ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation"
+        register: post_audit_summary
         changed_when: false
 
-      - name: Post Audit | Capture post-audit result
+      - name: Post Audit | Set Fact for audit summary
         ansible.builtin.set_fact:
-            post_audit_summary: "{{ post_audit.stdout_lines }}"
+            post_audit_results: "{{ post_audit_summary.stdout }}"
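Review bot: The documentation-format capture now runs `tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation`, a hard-coded path with a timestamp from one Ubuntu 22.04 run, in place of `{{ post_audit_outfile }}`, so on a Debian 11 host the task fails on a missing file and `post_audit_results` is never set; the line should read `ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '` to match the pre-remediation task. In the json branch the pipeline's exit status is cut's, so when grep matches nothing the task still succeeds with an empty `post_audit_summary.stdout` and the summary silently reports nothing; `failed_when: post_audit_summary.stdout | length == 0` on that task makes the gap visible. The json capture in tasks/pre_remediation_audit.yml has the same silent-empty behaviour.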
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index e3a261e..a745826 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -5,7 +5,8 @@
       - setup_audit
   tags:
       - setup_audit
-  ansible.builtin.include_tasks: LE_audit_setup.yml
+  ansible.builtin.include_tasks:
+      file: LE_audit_setup.yml
 
 - name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists
   ansible.builtin.file:
@@ -32,23 +33,25 @@
   when:
       - audit_content == 'copy'
   ansible.builtin.copy:
-      src: "{{ audit_local_copy }}"
+      src: "{{ audit_conf_source }}"
       dest: "{{ audit_conf_dest }}"
       mode: preserve
 
 - name: Pre Audit Setup | Unarchive audit content files on server
   when:
-      - audit_content == 'archived'
+      - audit_content == 'archive'
   ansible.builtin.unarchive:
-      src: "{{ audit_conf_copy  }}"
-      dest: "{{ audit_conf_dir }}"
+      src: "{{ audit_conf_source }}"
+      dest: "{{ audit_conf_dest }}"
 
 - name: Pre Audit Setup | Get audit content from url
   when:
       - audit_content == 'get_url'
-  ansible.builtin.get_url:
-      url: "{{ audit_files_url }}"
-      dest: "{{ audit_conf_dir }}"
+  ansible.builtin.unarchive:
+      src: "{{ audit_conf_source }}"
+      dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
+      remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}"
+      extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}"
 
 - name: Pre Audit Setup | Check Goss is available
   when:
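Review bot: The get_url path now hands `audit_conf_source` straight to `ansible.builtin.unarchive` with `remote_src` derived from the string containing `http`, so the archive is fetched and unpacked with no integrity check and nothing pins what the URL resolves to — the default comment even points at a branch archive. Fetching with `ansible.builtin.get_url` and its `checksum` option, then unarchiving the local file, lets users record the expected digest of the audit content they run on every host. `extra_opts` is also given a string in one `ternary` branch and a list in the other, while unarchive expects a list. The rewrite below introduces one new optional variable (`audit_conf_source_checksum`, name constructed here) that falls back to `omit` when unset; whether the `Ensure {{ audit_conf_dir }} exists` task above already creates the unarchive `dest` directory is not visible from this hunk and should be confirmed.
```yaml
- name: Pre Audit Setup | Get audit content from url
  when:
      - audit_content == 'get_url'
  block:
      - name: Pre Audit Setup | Download audit content archive
        ansible.builtin.get_url:
            url: "{{ audit_conf_source }}"
            dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit.tar.gz"
            # Optional expected digest, e.g. "sha256:<hex>"; skipped when the variable is unset
            checksum: "{{ audit_conf_source_checksum | default(omit) }}"
            mode: '0644'

      - name: Pre Audit Setup | Unarchive downloaded audit content
        ansible.builtin.unarchive:
            src: "{{ audit_conf_dest }}/{{ benchmark }}-Audit.tar.gz"
            dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
            remote_src: true
            extra_opts: "{{ (audit_conf_source is contains('github')) | ternary(['--strip-components=1'], []) }}"
```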
@@ -77,42 +80,41 @@
       mode: '0600'
 
 - name: Pre Audit | Run pre_remediation {{ benchmark }} audit
-  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
+  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
   changed_when: true
   environment:
       AUDIT_BIN: "{{ audit_bin }}"
-      AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
+      AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
       AUDIT_FILE: goss.yml
 
 - name: Pre Audit | Capture audit data if json format
   when:
       - audit_format == "json"
   block:
-      - name: capture data {{ pre_audit_outfile }}
-        ansible.builtin.shell: cat {{ pre_audit_outfile }}
-        register: pre_audit
+      - name: Pre Audit | Capture audit data if json format
+        ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
+        register: pre_audit_summary
         changed_when: false
 
-      - name: Pre Audit | Capture pre-audit result
+      - name: Pre Audit | Set Fact for audit summary
         ansible.builtin.set_fact:
-            pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
-        vars:
-            summary: summary."summary-line"
+            pre_audit_results: "{{ pre_audit_summary.stdout }}"
 
 - name: Pre Audit | Capture audit data if documentation format
   when:
       - audit_format == "documentation"
   block:
-      - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format
-        ansible.builtin.shell: tail -2 {{ pre_audit_outfile }}
-        register: pre_audit
+      - name: Pre Audit | Capture audit data if documentation format
+        ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}"  | tac | tr '\n' ' '
+        register: pre_audit_summary
         changed_when: false
 
-      - name: Pre Audit | Capture pre-audit result | documentation format
+      - name: Pre Audit | Set Fact for audit summary
         ansible.builtin.set_fact:
-            pre_audit_summary: "{{ pre_audit.stdout_lines }}"
+            pre_audit_results: "{{ pre_audit_summary.stdout }}"
 
 - name: Audit_Only | Run Audit Only
   when:
       - audit_only
-  ansible.builtin.import_tasks: audit_only.yml
+  ansible.builtin.import_tasks:
+      file: audit_only.yml
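Review bot: The documentation-format capture here collapses the last two lines into one (`tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '`) while the post-remediation counterpart keeps the raw two-line output, and the json grep is written `'\"summary-line...'` here but `'"summary-line...'` in tasks/post_remediation_audit.yml; both results are rendered side by side in `audit_results`, so the two capture blocks should use identical commands. Registering the raw shell result as `pre_audit_summary` and then copying `.stdout` into `pre_audit_results` via a second task leaves two near-identical names for one value; registering directly into the name the summary template reads, or using `pre_audit_summary.stdout` there, removes the extra `set_fact`.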
diff --git a/vars/audit.yml b/vars/audit.yml
index e7fca7f..d438197 100644
--- a/vars/audit.yml
+++ b/vars/audit.yml
@@ -38,6 +38,7 @@ audit_format: json
 
 audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
 audit_results: |
-      The pre remediation results are: {{ pre_audit_summary }}.
-      The post remediation results are: {{ post_audit_summary }}.
-      Full breakdown can be found in {{ audit_out_dir }}
+      The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}}
+      {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %}
+
+      Full breakdown can be found in {{ audit_log_dir }}
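Review bot: `{{ pre_audit_results}}` is missing the space before the closing delimiter that every other expression in this block has; `{{ pre_audit_results }}`. Both `pre_audit_results` and `post_audit_results` are only set by the json and documentation capture blocks, so if any other `audit_format` value is accepted, rendering `audit_results` raises an undefined-variable error instead of a readable message; a `| default('not captured')` on each keeps the summary printable. The blank line inside the block scalar is preserved as a literal newline in the message, which appears intentional.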

From e8e379f6bb71b2214c34f46047029d8715e2d71a Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Fri, 12 Jul 2024 15:01:01 +0100
Subject: [PATCH 11/14] typo fix

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 tasks/prelim.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 78608b6..978cb7f 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -165,7 +165,7 @@
         changed_when: false
         register: gid_min_id
 
-      - name: "PRELIM | set_facts for interactive uid/gid"
+      - name: "PRELIM | Set facts for interactive uid/gid"
         ansible.builtin.set_fact:
             min_int_uid: "{{ uid_min_id.stdout }}"
             max_int_uid: "{{ uid_max_id.stdout }}"

From 7bef0e029ac6e93dbbbac02ae1611465c666c4c7 Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Fri, 12 Jul 2024 15:17:10 +0100
Subject: [PATCH 12/14] issue #9 thanks to @fgierlinger

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index e9dbd0d..df7a7eb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -59,7 +59,7 @@
 
       - name: Check debian11cis_grub_user password variable has been changed | check password is set
         ansible.builtin.assert:
-            that: debian11cis_password_set_grub_user.stdout.find('$y$') != -1 or debian11cis_grub_user_passwd.find('$y$') != -1 and debian11cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'
+            that: debian11cis_set_grub_user_pass and {{'true' if debian11cis_grub_user_passwd | regex_search('^\$y\$|^\$6\$') else 'false' }} and debian11cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'
             msg: "This role will not set the {{ debian11cis_grub_user }} user password is not set or debian11cis_grub_user_passwd variable has not been set correctly"
         when:
             - "'$y$' in debian11cis_password_set_grub_user.stdout"
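Review bot: The new `that:` expression embeds `{{ ... }}` inside what is already a Jinja conditional (`... and {{'true' if ... else 'false' }} and ...`); Ansible warns about templating delimiters in conditionals and recent ansible-core versions treat them as an error. Replace the middle operand with a plain test, `debian11cis_grub_user_passwd is regex('^\$y\$|^\$6\$')`, keeping the first and last operands as written. The unchanged `when` still only runs the assertion when the current GRUB password hash starts with `$y$`, so the `$6$` form the new regex admits is never checked against a `$6$` hash already present on the system — worth confirming that is intended. The enclosing block starts before the hunk.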

From a58b3ff41639a1147543e14a9a52c6f4877d0c59 Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Fri, 12 Jul 2024 15:21:17 +0100
Subject: [PATCH 13/14] updated workflow

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 .../workflows/devel_pipeline_validation.yml   | 88 +++++++++++-------
 .../workflows/main_pipeline_validation.yml    | 93 ++++++++++++-------
 .github/workflows/update_galaxy.yml           | 30 +++---
 3 files changed, 130 insertions(+), 81 deletions(-)

diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
index 9cf8911..e02fe1f 100644
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -13,13 +13,21 @@
             - '**.j2'
             - '**.ps1'
             - '**.cfg'
+    # Allow manual running of workflow
+    workflow_dispatch:
+
+  # Allow permissions for AWS auth
+  permissions:
+    id-token: write
+    contents: read
+    pull-requests: read
 
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
     # This will create messages for first time contributers and direct them to the Discord server
       welcome:
-        runs-on: ubuntu-latest
+        runs-on: self-hosted
 
         steps:
             - uses: actions/first-interaction@main
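Review bot: Both jobs in this file now run on `self-hosted`, and the playbook-test job later checks out `${{ github.event.pull_request.head.sha }}` and assumes an AWS role through the new `id-token: write` permission; if the trigger above this hunk includes `pull_request` events from forks, a contributor's branch executes on a persistent runner with a live cloud session. That is the combination GitHub's own guidance warns against for public repositories, so the runner should be ephemeral and fork PRs gated behind required approval, or the job split so untrusted code never runs in the step that holds the OIDC token. The top-level `permissions` grants only `pull-requests: read`, yet `actions/first-interaction` posts a comment on the PR, which presumably needs write access; confirm the welcome job still works, or give it a job-level `permissions` block. The workflow's `on:` trigger starts before the hunk.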
@@ -32,76 +40,94 @@
       # This workflow contains a single job that tests the playbook
       playbook-test:
         # The type of runner that the job will run on
-        runs-on: ubuntu-latest
+        runs-on: self-hosted
         env:
           ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
           # Imported as a variable by terraform
           TF_VAR_repository: ${{ github.event.repository.name }}
+          AWS_REGION: "us-east-1"
+          ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
         defaults:
           run:
             shell: bash
             working-directory: .github/workflows/github_linux_IaC
+            # working-directory: .github/workflows
 
         steps:
-          - name: Clone ${{ github.event.repository.name }}
+
+          - name: Git clone the lockdown repository to test
             uses: actions/checkout@v4
             with:
               ref: ${{ github.event.pull_request.head.sha }}
 
+          - name: If a variable for IAC_BRANCH is set use that branch
+            working-directory: .github/workflows
+            run: |
+              if [ ${{ vars.IAC_BRANCH }} != '' ]; then
+                 echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
+                 echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
+              else
+                 echo IAC_BRANCH=main >> $GITHUB_ENV
+              fi
+
+
           # Pull in terraform code for linux servers
           - name: Clone GitHub IaC plan
             uses: actions/checkout@v4
             with:
               repository: ansible-lockdown/github_linux_IaC
               path: .github/workflows/github_linux_IaC
+              ref: ${{ env.IAC_BRANCH }}
 
-          - name: Add_ssh_key
-            working-directory: .github/workflows
-            env:
-                SSH_AUTH_SOCK: /tmp/ssh_agent.sock
-                PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
-            run: |
-              mkdir .ssh
-              chmod 700 .ssh
-              echo $PRIVATE_KEY > .ssh/github_actions.pem
-              chmod 600 .ssh/github_actions.pem
+          # Uses dedicated restricted role and policy to enable this only for this task
+          # No credentials are part of github for AWS auth
+          - name: configure aws credentials
+            uses: aws-actions/configure-aws-credentials@main
+            with:
+              role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+              role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
+              aws-region: ${{ env.AWS_REGION }}
 
           - name: DEBUG - Show IaC files
             if: env.ENABLE_DEBUG == 'true'
             run: |
               echo "OSVAR = $OSVAR"
               echo "benchmark_type = $benchmark_type"
+              echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID"
+              echo "VPC_ID" = $AWS_VPC_SECGRP_ID"
               pwd
               ls
             env:
               # Imported from GitHub variables this is used to load the relevant OS.tfvars file
               OSVAR: ${{ vars.OSVAR }}
               benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+              PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }}
 
-          - name: Terraform_Init
+          - name: Tofu init
             id: init
-            run: terraform init
+            run: tofu init
             env:
               # Imported from GitHub variables this is used to load the relevant OS.tfvars file
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
-          - name: Terraform_Validate
+          - name: Tofu validate
             id: validate
-            run: terraform validate
+            run: tofu validate
             env:
               # Imported from GitHub variables this is used to load the relevant OS.tfvars file
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
-          - name: Terraform_Apply
+          - name: Tofu apply
             id: apply
             env:
-              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-            run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+              TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+            run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
 
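Review bot: `echo "VPC_ID" = $AWS_VPC_SECGRP_ID"` in the DEBUG step has an unbalanced quote, so bash should fail to parse the script whenever `ENABLE_DEBUG` is true, and both new echo lines reference `$AWS_PRIVSUBNET_ID`/`$AWS_VPC_SECGRP_ID` while the step's env defines `PRIVSUBNET_ID` and `VPC_ID`; `echo "PRIVSUBNET_ID = $PRIVSUBNET_ID"` and `echo "VPC_ID = $VPC_ID"` fix both. `if [ ${{ vars.IAC_BRANCH }} != '' ]` expands to `[ != '' ]` when the variable is unset, a test syntax error that only lands in the `else` branch by accident; `if [ -n "${{ vars.IAC_BRANCH }}" ]; then` is the intended check. `aws-actions/configure-aws-credentials@main` pins a moving branch for the very step that mints cloud credentials; pin a release tag or commit SHA. The same three issues appear in the .github/workflows/main_pipeline_validation.yml hunk.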
 ## Debug Section
           - name: DEBUG - Show Ansible hostfile
@@ -110,30 +136,24 @@
 
     # Aws deployments taking a while to come up insert sleep or playbook fails
 
-          - name: Sleep for 60 seconds
+          - name: Sleep to allow system to come up
             run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
         # Run the Ansible playbook
           - name: Run_Ansible_Playbook
-            uses: arillso/action.playbook@master
-            with:
-              playbook: site.yml
-              inventory: .github/workflows/github_linux_IaC/hosts.yml
-              galaxy_file: collections/requirements.yml
-              private_key: ${{ secrets.SSH_PRV_KEY }}
-      #          verbose: 3
             env:
               ANSIBLE_HOST_KEY_CHECKING: "false"
               ANSIBLE_DEPRECATION_WARNINGS: "false"
-              ANSIBLE_INJECT_FACT_VARS: "false"
+            run: |
+              /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
 
         # Remove test system - User secrets to keep if necessary
 
-          - name: Terraform_Destroy
+          - name: Tofu Destroy
             if: always() && env.ENABLE_DEBUG == 'false'
             env:
-              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-            run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+              TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+            run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false
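Review bot: The playbook step now runs the checked-out branch's `site.yml` with `--private-key ~/.ssh/le_runner`, a long-lived key resident on the self-hosted runner, under `ANSIBLE_HOST_KEY_CHECKING: "false"`; that is acceptable for throwaway instances, but any code in the checked-out branch can read that key, so the runner should be ephemeral or the key loaded into an agent for just this step. `ANSIBLE_INJECT_FACT_VARS: "false"` was dropped from the env without a note; if the role reads only `ansible_facts.*` that is harmless, otherwise behaviour changes. The destroy step still runs only when `ENABLE_DEBUG == 'false'`, so an unset variable leaves the instance up; `if: always() && env.ENABLE_DEBUG != 'true'` is the safer default. All three apply to the matching .github/workflows/main_pipeline_validation.yml hunk.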
diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
index 6fa4c58..4a5adc9 100644
--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@@ -14,83 +14,117 @@
             - '**.ps1'
             - '**.cfg'
 
+  # Allow permissions for AWS auth
+  permissions:
+    id-token: write
+    contents: read
+    pull-requests: read
+
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
+    # This will create messages for first time contributers and direct them to the Discord server
+      welcome:
+        runs-on: self-hosted
+
+        steps:
+            - uses: actions/first-interaction@main
+              with:
+                repo-token: ${{ secrets.GITHUB_TOKEN }}
+                pr-message: |-
+                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
       # This workflow contains a single job that tests the playbook
       playbook-test:
         # The type of runner that the job will run on
-        runs-on: ubuntu-latest
+        runs-on: self-hosted
         env:
           ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
           # Imported as a variable by terraform
           TF_VAR_repository: ${{ github.event.repository.name }}
+          AWS_REGION : "us-east-1"
+          ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
         defaults:
           run:
             shell: bash
             working-directory: .github/workflows/github_linux_IaC
+            # working-directory: .github/workflows
 
         steps:
-          - name: Clone ${{ github.event.repository.name }}
+
+          - name: Git clone the lockdown repository to test
             uses: actions/checkout@v4
             with:
               ref: ${{ github.event.pull_request.head.sha }}
 
+          - name: If a variable for IAC_BRANCH is set use that branch
+            working-directory: .github/workflows
+            run: |
+              if [ ${{ vars.IAC_BRANCH }} != '' ]; then
+                 echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
+                 echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
+              else
+                 echo IAC_BRANCH=main >> $GITHUB_ENV
+              fi
+
           # Pull in terraform code for linux servers
           - name: Clone GitHub IaC plan
             uses: actions/checkout@v4
             with:
               repository: ansible-lockdown/github_linux_IaC
               path: .github/workflows/github_linux_IaC
+              ref: ${{ env.IAC_BRANCH }}
 
-          - name: Add_ssh_key
-            working-directory: .github/workflows
-            env:
-                SSH_AUTH_SOCK: /tmp/ssh_agent.sock
-                PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
-            run: |
-              mkdir .ssh
-              chmod 700 .ssh
-              echo $PRIVATE_KEY > .ssh/github_actions.pem
-              chmod 600 .ssh/github_actions.pem
+          # Uses dedicated restricted role and policy to enable this only for this task
+          # No credentials are part of github for AWS auth
+          - name: configure aws credentials
+            uses: aws-actions/configure-aws-credentials@main
+            with:
+              role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+              role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
+              aws-region: ${{ env.AWS_REGION }}
 
           - name: DEBUG - Show IaC files
             if: env.ENABLE_DEBUG == 'true'
             run: |
               echo "OSVAR = $OSVAR"
               echo "benchmark_type = $benchmark_type"
+              echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID"
+              echo "VPC_ID" = $AWS_VPC_SECGRP_ID"
               pwd
               ls
             env:
               # Imported from GitHub variables this is used to load the relevant OS.tfvars file
               OSVAR: ${{ vars.OSVAR }}
               benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+              PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }}
 
-          - name: Terraform_Init
+          - name: Tofu init
             id: init
-            run: terraform init
+            run: tofu init
             env:
               # Imported from GitHub variables this is used to load the relevant OS.tfvars file
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
-          - name: Terraform_Validate
+          - name: Tofu validate
             id: validate
-            run: terraform validate
+            run: tofu validate
             env:
               # Imported from GitHub variables this is used to load the relevant OS.tfvars file
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
-          - name: Terraform_Apply
+          - name: Tofu apply
             id: apply
             env:
-              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-            run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+              TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+            run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
 
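Review bot: `AWS_REGION : "us-east-1"` carries a space before the colon, unlike `AWS_REGION: "us-east-1"` in the devel workflow and every other key here; it parses, but yamllint flags it and it is the only difference between the two files' env blocks. Everything else in this hunk — the broken DEBUG echo lines, the unquoted `[ ${{ vars.IAC_BRANCH }} != '' ]` test, the `@main` pin on configure-aws-credentials, and the self-hosted runner executing `pull_request.head.sha` with an OIDC token — is already raised on .github/workflows/devel_pipeline_validation.yml and applies here unchanged.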
 ## Debug Section
           - name: DEBUG - Show Ansible hostfile
@@ -99,29 +133,24 @@
 
     # Aws deployments taking a while to come up insert sleep or playbook fails
 
-          - name: Sleep for 60 seconds
+          - name: Sleep to allow system to come up
             run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
         # Run the Ansible playbook
           - name: Run_Ansible_Playbook
-            uses: arillso/action.playbook@master
-            with:
-              playbook: site.yml
-              inventory: .github/workflows/github_linux_IaC/hosts.yml
-              galaxy_file: collections/requirements.yml
-              private_key: ${{ secrets.SSH_PRV_KEY }}
-      #          verbose: 3
             env:
               ANSIBLE_HOST_KEY_CHECKING: "false"
               ANSIBLE_DEPRECATION_WARNINGS: "false"
+            run: |
+              /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
 
         # Remove test system - User secrets to keep if necessary
 
-          - name: Terraform_Destroy
+          - name: Tofu Destroy
             if: always() && env.ENABLE_DEBUG == 'false'
             env:
-              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-            run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+              TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+            run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml
index f935280..b6ee6a1 100644
--- a/.github/workflows/update_galaxy.yml
+++ b/.github/workflows/update_galaxy.yml
@@ -1,19 +1,19 @@
 ---
 
-name: update galaxy
+    name: update galaxy
 
-on:
-    push:
-        branches:
-            - main
-jobs:
-    update_role:
-        runs-on: ubuntu-latest
-        steps:
-            - name: Checkout repo
-              uses: actions/checkout@v4
+    on:
+        push:
+            branches:
+                - main
+    jobs:
+        update_role:
+            runs-on: ubuntu-latest
+            steps:
+                - name: Checkout repo
+                  uses: actions/checkout@v4
 
-            - name: Action Ansible Galaxy Release ${{ github.ref_name }}
-              uses: ansible-actions/ansible-galaxy-action@main
-              with:
-                galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
+                - name: Action Ansible Galaxy Release ${{ github.ref_name }}
+                  uses: ansible-actions/ansible-galaxy-action@main
+                  with:
+                    galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}

From e1bb96b1f2cff112ef74f65eabe18ef230e7bf56 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]"
 <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 15 Jul 2024 17:49:38 +0000
Subject: [PATCH 14/14] [pre-commit.ci] pre-commit autoupdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- [github.com/ansible-community/ansible-lint: v24.6.1 → v24.7.0](https://github.com/ansible-community/ansible-lint/compare/v24.6.1...v24.7.0)
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 3942a46..9b4a326 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -42,7 +42,7 @@ repos:
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.6.1
+  rev: v24.7.0
   hooks:
   - id: ansible-lint
     name: Ansible-lint