Merge pull request #89 from cisagov/lineage/skeleton

⚠️ CONFLICT! Lineage pull request for: skeleton

.ansible-lint

@@ -1,10 +1,9 @@
 ---
-# See https://ansible-lint.readthedocs.io/en/latest/configuring.html
-# for a list of the configuration elements that can exist in this
-# file.
+# See https://ansible-lint.readthedocs.io/configuring/ for a list of
+# the configuration elements that can exist in this file.
 enable_list:
   # Useful checks that one must opt-into.  See here for more details:
-  # https://ansible-lint.readthedocs.io/en/latest/rules.html
+  # https://ansible-lint.readthedocs.io/rules/
   - fcqn-builtins
   - no-log-password
   - no-same-owner

.github/workflows/build.yml

@@ -30,7 +30,10 @@ jobs:
       - id: setup-go
         uses: actions/setup-go@v4
         with:
-          go-version: "1.19"
+          # There is no expectation for actual Go code so we disable caching as
+          # it relies on the existence of a go.sum file.
+          cache: false
+          go-version: "1.20"
       - name: Lookup Go cache directory
         id: go-cache
         run: |

.pre-commit-config.yaml

@@ -31,35 +31,54 @@ repos:
 
   # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.33.0
+    rev: v0.34.0
     hooks:
       - id: markdownlint
         args:
           - --config=.mdl_config.yaml
   - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v3.0.0-alpha.6
+    rev: v3.0.0-alpha.9-for-vscode
     hooks:
       - id: prettier
   - repo: https://github.com/adrienverge/yamllint
-    rev: v1.30.0
+    rev: v1.32.0
     hooks:
       - id: yamllint
         args:
           - --strict
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.22.0
+    rev: 0.23.1
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v3.2.1
+    rev: v3.3.2
     hooks:
       - id: validate_manifest
 
+  # Go hooks
+  - repo: https://github.com/TekWizely/pre-commit-golang
+    rev: v1.0.0-rc.1
+    hooks:
+      # Style Checkers
+      - id: go-critic
+      # StaticCheck
+      - id: go-staticcheck-repo-mod
+      # Go Build
+      - id: go-build-repo-mod
+      # Go Mod Tidy
+      - id: go-mod-tidy-repo
+      # Go Test
+      - id: go-test-repo-mod
+      # Go Vet
+      - id: go-vet-repo-mod
+      # GoSec
+      - id: go-sec-repo-mod
+
   # Shell script hooks
   - repo: https://github.com/cisagov/pre-commit-shfmt
     rev: v0.0.2
@@ -98,7 +117,7 @@ repos:
         name: bandit (everything else)
         exclude: tests
   - repo: https://github.com/psf/black
-    rev: 23.1.0
+    rev: 23.3.0
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
@@ -112,31 +131,31 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.1.1
+    rev: v1.3.0
     hooks:
       - id: mypy
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.3.1
+    rev: v3.4.0
     hooks:
       - id: pyupgrade
 
   # Ansible hooks
   - repo: https://github.com/ansible-community/ansible-lint
-    rev: v5.4.0
+    rev: v6.17.0
     hooks:
       - id: ansible-lint
       # files: molecule/default/playbook.yml
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.1
+    rev: v1.80.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
 
   # Docker hooks
   - repo: https://github.com/IamTheFij/docker-pre-commit
-    rev: v2.1.1
+    rev: v3.0.1
     hooks:
       - id: docker-compose-check
 

setup-env

@@ -65,7 +65,7 @@ done
 eval set -- "$PARAMS"
 
 # Check to see if pyenv is installed
-if [ -z "$(command -v pyenv)" ] || [ -z "$(command -v pyenv-virtualenv)" ]; then
+if [ -z "$(command -v pyenv)" ] || { [ -z "$(command -v pyenv-virtualenv)" ] && [ ! -f "$(pyenv root)/plugins/pyenv-virtualenv/bin/pyenv-virtualenv" ]; }; then
   echo "pyenv and pyenv-virtualenv are required."
   if [[ "$OSTYPE" == "darwin"* ]]; then
     cat << 'END_OF_LINE'
@@ -186,5 +186,5 @@ else:
 END_OF_LINE
 )"
 
-# Qapla
+# Qapla'
 echo "Success!"

src/automated-security-updates.yml

@@ -2,7 +2,7 @@
 - hosts: all
   name: Configure for automated security updates
   become: yes
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   tasks:
     - name: Set up automated security updates
       ansible.builtin.include_role:

src/aws.yml

@@ -2,7 +2,7 @@
 - hosts: all
   name: AWS-specific roles
   become: yes
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   tasks:
     - name: Install Amazon SSM Agent
       ansible.builtin.include_role:

src/base.yml

@@ -2,7 +2,7 @@
 - hosts: all
   name: Setup base image
   become: yes
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   tasks:
     - name: Install and configure automated security updates
       ansible.builtin.include_role:

src/cdm.yml

@@ -2,13 +2,13 @@
 - hosts: all
   name: Configure for the CISA CDM environment
   become: yes
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   tasks:
     - name: Install CrowdStrike
       ansible.builtin.include_role:
         name: crowdstrike
       vars:
-        third_party_bucket_name: "{{ build_bucket }}"
+        crowdstrike_third_party_bucket_name: "{{ build_bucket }}"
     - name: Configure UFW for CISA CDM traffic
       community.general.ufw:
         comment: >

src/harden.yml

@@ -2,7 +2,7 @@
 - hosts: all
   name: Hardening tasks
   become: yes
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   tasks:
     - name: Harden system
       ansible.builtin.include_role:

src/openvpn.yml

@@ -2,7 +2,7 @@
 - hosts: all
   name: Install OpenVPN
   become: yes
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   tasks:
     - name: Install OpenVPN
       ansible.builtin.include_role:

src/python.yml

@@ -2,7 +2,7 @@
 - hosts: all
   name: Install pip3/python3 and remove pip2/python2
   become: yes
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   tasks:
     # If pip were to be installed first, then the OS _could_ pull
     # different Python packages than what would be installed via the

src/requirements.yml

@@ -1,37 +1,40 @@
 ---
-- name: amazon_ssm_agent
-  src: https://github.com/cisagov/ansible-role-amazon-ssm-agent
-- name: automated_security_updates
-  src: https://github.com/cisagov/ansible-role-automated-security-updates
-- name: banner
-  src: https://github.com/cisagov/ansible-role-banner
-- name: chrony_aws
-  src: https://github.com/cisagov/ansible-role-chrony-aws
-- name: clamav
-  src: https://github.com/cisagov/ansible-role-clamav
-- name: cloudwatch_agent
-  src: https://github.com/cisagov/ansible-role-cloudwatch-agent
-- name: crowdstrike
-  src: https://github.com/cisagov/ansible-role-crowdstrike
-- name: freeipa_client
-  src: https://github.com/cisagov/ansible-role-freeipa-client
-- name: harden
-  src: https://github.com/cisagov/ansible-role-hardening
-- name: htop
-  src: https://github.com/cisagov/ansible-role-htop
-- name: nvme
-  src: https://github.com/cisagov/ansible-role-nvme
-- name: openvpn
-  src: https://github.com/cisagov/ansible-role-openvpn
-- name: persist_journald
-  src: https://github.com/cisagov/ansible-role-persist-journald
-- name: pip
-  src: https://github.com/cisagov/ansible-role-pip
-- name: python
-  src: https://github.com/cisagov/ansible-role-python
-- name: remove_python2
-  src: https://github.com/cisagov/ansible-role-remove-python2
-- name: ufw
-  src: https://github.com/cisagov/ansible-role-ufw
-- name: upgrade
-  src: https://github.com/cisagov/ansible-role-upgrade
+collections:
+  - community.general
+roles:
+  - name: amazon_ssm_agent
+    src: https://github.com/cisagov/ansible-role-amazon-ssm-agent
+  - name: automated_security_updates
+    src: https://github.com/cisagov/ansible-role-automated-security-updates
+  - name: banner
+    src: https://github.com/cisagov/ansible-role-banner
+  - name: chrony_aws
+    src: https://github.com/cisagov/ansible-role-chrony-aws
+  - name: clamav
+    src: https://github.com/cisagov/ansible-role-clamav
+  - name: cloudwatch_agent
+    src: https://github.com/cisagov/ansible-role-cloudwatch-agent
+  - name: crowdstrike
+    src: https://github.com/cisagov/ansible-role-crowdstrike
+  - name: freeipa_client
+    src: https://github.com/cisagov/ansible-role-freeipa-client
+  - name: harden
+    src: https://github.com/cisagov/ansible-role-hardening
+  - name: htop
+    src: https://github.com/cisagov/ansible-role-htop
+  - name: nvme
+    src: https://github.com/cisagov/ansible-role-nvme
+  - name: openvpn
+    src: https://github.com/cisagov/ansible-role-openvpn
+  - name: persist_journald
+    src: https://github.com/cisagov/ansible-role-persist-journald
+  - name: pip
+    src: https://github.com/cisagov/ansible-role-pip
+  - name: python
+    src: https://github.com/cisagov/ansible-role-python
+  - name: remove_python2
+    src: https://github.com/cisagov/ansible-role-remove-python2
+  - name: ufw
+    src: https://github.com/cisagov/ansible-role-ufw
+  - name: upgrade
+    src: https://github.com/cisagov/ansible-role-upgrade

src/ufw.yml

@@ -24,7 +24,7 @@
       - port: ldaps
         proto: tcp
   become: yes
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   tasks:
     - name: Install UFW
       ansible.builtin.include_role:

src/upgrade.yml

@@ -2,7 +2,7 @@
 - hosts: all
   name: Upgrade base image
   become: yes
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   tasks:
     - name: Upgrade all packages
       ansible.builtin.include_role:

src/version.txt

@@ -1 +1 @@
-__version__ = "0.3.5"
+__version__ = "0.3.6"