v1r2 release - workflow and audit updates #4
--- | |
name: Main pipeline | |
on: # yamllint disable-line rule:truthy | |
pull_request_target: | |
types: [opened, reopened, synchronize] | |
branches: | |
- main | |
paths: | |
- '**.yml' | |
- '**.sh' | |
- '**.j2' | |
- '**.ps1' | |
- '**.cfg' | |
# Allow permissions for AWS auth | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
# A workflow run is made up of one or more jobs | |
# that can run sequentially or in parallel | |
jobs: | |
# This will create messages for first time contributers and direct them to the Discord server | |
welcome: | |
runs-on: self-hosted | |
steps: | |
- uses: actions/first-interaction@main | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
pr-message: |- | |
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! | |
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. | |
# This workflow contains a single job that tests the playbook | |
playbook-test: | |
# The type of runner that the job will run on | |
runs-on: self-hosted | |
env: | |
ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} | |
# Imported as a variable by terraform | |
TF_VAR_repository: ${{ github.event.repository.name }} | |
AWS_REGION : "us-east-1" | |
ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} | |
defaults: | |
run: | |
shell: bash | |
working-directory: .github/workflows/github_linux_IaC | |
# working-directory: .github/workflows | |
steps: | |
- name: Git clone the lockdown repository to test | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: If a variable for IAC_BRANCH is set use that branch | |
working-directory: .github/workflows | |
run: | | |
if [ ${{ vars.IAC_BRANCH }} != '' ]; then | |
echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV | |
echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" | |
else | |
echo IAC_BRANCH=main >> $GITHUB_ENV | |
fi | |
# Pull in terraform code for linux servers | |
- name: Clone GitHub IaC plan | |
uses: actions/checkout@v4 | |
with: | |
repository: ansible-lockdown/github_linux_IaC | |
path: .github/workflows/github_linux_IaC | |
ref: ${{ env.IAC_BRANCH }} | |
# Uses dedicated restricted role and policy to enable this only for this task | |
# No credentials are part of github for AWS auth | |
- name: configure aws credentials | |
uses: aws-actions/configure-aws-credentials@main | |
with: | |
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} | |
role-session-name: ${{ secrets.AWS_ROLE_SESSION }} | |
aws-region: ${{ env.AWS_REGION }} | |
- name: DEBUG - Show IaC files | |
if: env.ENABLE_DEBUG == 'true' | |
run: | | |
echo "OSVAR = $OSVAR" | |
echo "benchmark_type = $benchmark_type" | |
echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" | |
echo "VPC_ID" = $AWS_VPC_SECGRP_ID" | |
pwd | |
ls | |
env: | |
# Imported from GitHub variables this is used to load the relevant OS.tfvars file | |
OSVAR: ${{ vars.OSVAR }} | |
benchmark_type: ${{ vars.BENCHMARK_TYPE }} | |
PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} | |
VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} | |
- name: Tofu init | |
id: init | |
run: tofu init | |
env: | |
# Imported from GitHub variables this is used to load the relevant OS.tfvars file | |
OSVAR: ${{ vars.OSVAR }} | |
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | |
- name: Tofu validate | |
id: validate | |
run: tofu validate | |
env: | |
# Imported from GitHub variables this is used to load the relevant OS.tfvars file | |
OSVAR: ${{ vars.OSVAR }} | |
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | |
- name: Tofu apply | |
id: apply | |
env: | |
OSVAR: ${{ vars.OSVAR }} | |
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | |
TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} | |
TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} | |
run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false | |
## Debug Section | |
- name: DEBUG - Show Ansible hostfile | |
if: env.ENABLE_DEBUG == 'true' | |
run: cat hosts.yml | |
# Aws deployments taking a while to come up insert sleep or playbook fails | |
- name: Sleep to allow system to come up | |
run: sleep ${{ vars.BUILD_SLEEPTIME }} | |
# Run the Ansible playbook | |
- name: Run_Ansible_Playbook | |
env: | |
ANSIBLE_HOST_KEY_CHECKING: "false" | |
ANSIBLE_DEPRECATION_WARNINGS: "false" | |
run: | | |
/opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml | |
# Remove test system - User secrets to keep if necessary | |
- name: Tofu Destroy | |
if: always() && env.ENABLE_DEBUG == 'false' | |
env: | |
OSVAR: ${{ vars.OSVAR }} | |
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | |
TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} | |
TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} | |
run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false |
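Review bot: The `pull_request_target` trigger runs `playbook-test` with the base repository's secrets and `id-token: write`, yet the first checkout step pins `ref: ${{ github.event.pull_request.head.sha }}` and the `Run_Ansible_Playbook` step executes `../../../site.yml` from that checkout, so unreviewed code from a fork pull request would run on the self-hosted runner with access to `AWS_ASSUME_ROLE` and `GITHUB_TOKEN`. Either switch to `pull_request` (which withholds secrets from forks) or place the job behind a protected `environment:` with required reviewers, and at minimum add `if: github.event.pull_request.head.repo.full_name == github.repository` on the job so only same-repository branches reach the privileged steps; pin `actions/first-interaction@main` and `aws-actions/configure-aws-credentials@main` to a release tag or commit SHA for the same reason. Separately, `if [ ${{ vars.IAC_BRANCH }} != '' ]; then` expands to `[ != '' ]` when the variable is unset and the step fails with a shell error, so quote it as `if [ "${{ vars.IAC_BRANCH }}" != '' ]; then`. The `Tofu Destroy` condition `always() && env.ENABLE_DEBUG == 'false'` skips teardown when `ENABLE_DEBUG` is empty rather than exactly `'false'`, leaving the test instance running; `env.ENABLE_DEBUG != 'true'` matches the intent of the two debug gates above it. The `DEBUG - Show IaC files` step also has an unbalanced quote in `echo "VPC_ID" = $AWS_VPC_SECGRP_ID"` and reads `$AWS_PRIVSUBNET_ID`/`$AWS_VPC_SECGRP_ID`, while its `env:` block exports those values as `PRIVSUBNET_ID` and `VPC_ID`.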