From d8002e865bc436f6fde6f5cfc703ca8c948f57be Mon Sep 17 00:00:00 2001
From: uk-bolly
Date: Fri, 7 Jun 2024 16:52:20 +0100
Subject: [PATCH] V3 updates - workflow updates (#3)

* Add logic to IAC branch
Signed-off-by: Mark Bolwell
* Add logic to IAC branch
Signed-off-by: Mark Bolwell
* Add logic to IAC branch
Signed-off-by: Mark Bolwell
* Add logic to IAC branch
Signed-off-by: Mark Bolwell
* Tidy up of naming
Signed-off-by: Mark Bolwell
* Workflow alignment
Signed-off-by: Mark Bolwell
* Updated
Signed-off-by: Mark Bolwell
* ability to change ansible version
Signed-off-by: Mark Bolwell
* tidy up
Signed-off-by: Mark Bolwell
* ability to change ansible version
Signed-off-by: Mark Bolwell
---------
Signed-off-by: Mark Bolwell
---
 .../workflows/devel_pipeline_validation.yml | 21 ++++++++---
 .../workflows/main_pipeline_validation.yml | 37 +++++++++++++------
 2 files changed, 42 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
index 3850ccc..e02fe1f 100644
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -1,6 +1,6 @@
 ---
-name: Devel pipeline (tofu)
+name: Devel pipeline
 
 on: # yamllint disable-line rule:truthy
   pull_request_target:
@@ -45,7 +45,8 @@
   ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
   # Imported as a variable by terraform
   TF_VAR_repository: ${{ github.event.repository.name }}
-  AWS_REGION : "us-east-1"
+  AWS_REGION: "us-east-1"
+  ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
 defaults:
   run:
     shell: bash
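Review bot: `ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}` in the `@@ -45,7 +45,8 @@` hunk has no fallback, so in a repository where that variable is not defined it expands to an empty string and the playbook step later in this file resolves to `/opt/ansible__venv/bin/ansible-playbook`, which fails on a mangled path rather than with a clear message. The hard-coded value this commit removes was `2.16.6`; a default can be kept in the expression, `ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION || '2.16.6' }}`, or the playbook step can check the variable is non-empty before using it. The same line is added to main_pipeline_validation.yml in its `@@ -44,6 +44,7 @@` hunk, which also leaves `AWS_REGION : "us-east-1"` with the space before the colon that this hunk removes in the devel file.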
@@ -59,13 +60,24 @@
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
+      - name: If a variable for IAC_BRANCH is set use that branch
+        working-directory: .github/workflows
+        run: |
+          if [ ${{ vars.IAC_BRANCH }} != '' ]; then
+            echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
+            echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
+          else
+            echo IAC_BRANCH=main >> $GITHUB_ENV
+          fi
+
+
       # Pull in terraform code for linux servers
       - name: Clone GitHub IaC plan
         uses: actions/checkout@v4
         with:
           repository: ansible-lockdown/github_linux_IaC
           path: .github/workflows/github_linux_IaC
-          ref: self_hosted
+          ref: ${{ env.IAC_BRANCH }}
 
       # Uses dedicated restricted role and policy to enable this only for this task
       # No credentials are part of github for AWS auth
@@ -132,9 +144,8 @@
         env:
           ANSIBLE_HOST_KEY_CHECKING: "false"
           ANSIBLE_DEPRECATION_WARNINGS: "false"
-          ANSIBLE_VERSION: "2.16.6"
         run: |
-          /opt/ansible_"${ANSIBLE_VERSION}"_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
+          /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
 
       # Remove test system - User secrets to keep if necessary
diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
index 4febe88..4a5adc9 100644
--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@@ -44,6 +44,7 @@
   # Imported as a variable by terraform
   TF_VAR_repository: ${{ github.event.repository.name }}
   AWS_REGION : "us-east-1"
+  ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
 defaults:
   run:
     shell: bash
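Review bot: The test `if [ ${{ vars.IAC_BRANCH }} != '' ]; then` in the new IAC_BRANCH step splices the variable unquoted into the shell script, so when the variable is unset the shell sees `[ != '' ]`, which bash rejects with "unary operator expected"; the else branch is then taken only because the failed test returns non-zero, and a value containing whitespace would break the step outright. Pass the value through the step's `env` and test it as a quoted shell variable instead, `env:` / `IAC_BRANCH_OVERRIDE: ${{ vars.IAC_BRANCH }}` / `if [ -n "$IAC_BRANCH_OVERRIDE" ]; then`, so no expression text is interpolated into the script. The `working-directory: .github/workflows` on this step has no effect on what it does (it only appends to `$GITHUB_ENV`) and can be dropped. The same step is added to main_pipeline_validation.yml in its `@@ -54,6 +55,18 @@` hunk.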
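Review bot: In the `@@ -132,9 +144,8 @@` hunk the rewritten playbook command reads the version as `${{ env.ANSIBLE_VERSION }}`, but `ANSIBLE_VERSION` is already exported to the shell from the job-level `env` added at the top of this file, so the shell form the removed line used, `/opt/ansible_"${ANSIBLE_VERSION}"_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml`, still works and matches how `"${OSVAR}.tfvars"` is referenced elsewhere in these workflows. Reading the shell variable also keeps the script text fixed across runs, which makes an empty value easier to spot in the log than a silently mangled path. The same rewrite appears in main_pipeline_validation.yml in its `@@ -127,9 +141,8 @@` hunk. The step's name and any `working-directory` lie outside this hunk.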
@@ -54,6 +55,18 @@
 
       - name: Git clone the lockdown repository to test
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: If a variable for IAC_BRANCH is set use that branch
+        working-directory: .github/workflows
+        run: |
+          if [ ${{ vars.IAC_BRANCH }} != '' ]; then
+            echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
+            echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
+          else
+            echo IAC_BRANCH=main >> $GITHUB_ENV
+          fi
 
       # Pull in terraform code for linux servers
       - name: Clone GitHub IaC plan
@@ -61,33 +74,32 @@
         with:
           repository: ansible-lockdown/github_linux_IaC
           path: .github/workflows/github_linux_IaC
-          ref: self_hosted
+          ref: ${{ env.IAC_BRANCH }}
 
       # Uses dedicated restricted role and policy to enable this only for this task
       # No credentials are part of github for AWS auth
       - name: configure aws credentials
         uses: aws-actions/configure-aws-credentials@main
         with:
-          role-to-assume: arn:aws:iam::817651307868:role/Ansible_Lockdown_Environment
-          role-session-name: GitHub_to_AWS_via_FederatedOIDC
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
           aws-region: ${{ env.AWS_REGION }}
 
-      - name: Clone ${{ github.event.repository.name }}
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
       - name: DEBUG - Show IaC files
         if: env.ENABLE_DEBUG == 'true'
         run: |
           echo "OSVAR = $OSVAR"
           echo "benchmark_type = $benchmark_type"
+          echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID"
+          echo "VPC_ID" = $AWS_VPC_SECGRP_ID"
           pwd
           ls
         env:
           # Imported from GitHub variables this is used to load the relevant OS.tfvars file
           OSVAR: ${{ vars.OSVAR }}
           benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }}
+          VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }}
 
       - name: Tofu init
         id: init
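Review bot: `ref: ${{ github.event.pull_request.head.sha }}` on the first checkout makes the job run the pull request's own copy of the repository, and this job later assumes an AWS role (`configure aws credentials` in the next hunk) and executes `site.yml` from that checkout. The trigger for this file is outside the hunk; the devel workflow is triggered by `pull_request_target`, and if this one is too, the PR head runs with the repository's secrets, so a pull request from an untrusted author should not reach the later steps without an environment approval or a check on the event's author association. A comment on the step recording that assumption would help the next maintainer, e.g. `# Checks out PR head code that later runs with deployment credentials; the trigger must gate untrusted authors`.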
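Review bot: The added debug line `echo "VPC_ID" = $AWS_VPC_SECGRP_ID"` in the `@@ -61,33 +74,32 @@` hunk has an unmatched double quote, so bash reads to the end of the script looking for its partner and the DEBUG step exits with a parse error whenever `ENABLE_DEBUG` is true (the earlier echoes still run, `pwd` and `ls` do not). Both new echo lines also read `$AWS_PRIVSUBNET_ID` and `$AWS_VPC_SECGRP_ID`, while the step `env` exports them as `PRIVSUBNET_ID` and `VPC_ID`, so they would print empty even with the quote fixed; the lines should be `echo "PRIVSUBNET_ID = $PRIVSUBNET_ID"` and `echo "VPC_ID = $VPC_ID"`. Since these values come from `secrets`, the runner only masks exact matches of them in the log; if subnet and security-group IDs are not sensitive they belong in `vars` like `OSVAR`, and if they are, the debug step should not print them at all.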
@@ -110,6 +122,8 @@
         env:
           OSVAR: ${{ vars.OSVAR }}
           TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+          TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
         run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
 
       ## Debug Section
@@ -119,7 +133,7 @@
 
       # Aws deployments taking a while to come up insert sleep or playbook fails
-      - name: Sleep period of time
+      - name: Sleep to allow system to come up
         run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
       # Run the Ansible playbook
@@ -127,9 +141,8 @@
         env:
           ANSIBLE_HOST_KEY_CHECKING: "false"
           ANSIBLE_DEPRECATION_WARNINGS: "false"
-          ANSIBLE_VERSION: "2.16.6"
         run: |
-          /opt/ansible_"${ANSIBLE_VERSION}"_venv/bin/ansible-playbook -i .github/workflows/hosts.yml --private-key ~/.ssh/le_runner site.yml
+          /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
 
       # Remove test system - User secrets to keep if necessary
@@ -138,4 +151,6 @@
         env:
           OSVAR: ${{ vars.OSVAR }}
           TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+          TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
         run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false
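Review bot: The new playbook command in the `@@ -127,9 +141,8 @@` hunk switches from `-i .github/workflows/hosts.yml ... site.yml` to the relative `-i hosts.yml ... ../../../site.yml`, which only resolves if the step runs three directories below the repository root, the depth of the `.github/workflows/github_linux_IaC` checkout path used in this file. No `working-directory` is visible in this hunk and the step header is outside it, so confirm the step sets one; otherwise the inventory file is not found and the playbook step fails where the old form worked. A one-line comment above `run:` naming the expected working directory, e.g. `# Paths are relative to the github_linux_IaC checkout`, would make the dependency explicit.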