-
Notifications
You must be signed in to change notification settings - Fork 22
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from ansible-lockdown/devel
Initial release to main from devel
- Loading branch information
Showing
18 changed files
with
633 additions
and
289 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| [ | ||
| { | ||
| "Description": "Generic API Key", | ||
| "StartLine": 115, | ||
| "EndLine": 115, | ||
| "StartColumn": 18, | ||
| "EndColumn": 68, | ||
| "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", | ||
| "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", | ||
| "File": ".config/.secrets.baseline", | ||
| "SymlinkFile": "", | ||
| "Commit": "a5f558a34ac453f9581a1c37f71bd36383a9c3ed", | ||
| "Entropy": 3.8439426, | ||
| "Author": "Mark Bolwell", | ||
| "Email": "[email protected]", | ||
| "Date": "2023-08-23T09:28:17Z", | ||
| "Message": "initial\n\nSigned-off-by: Mark Bolwell \u003c[email protected]\u003e", | ||
| "Tags": [], | ||
| "RuleID": "generic-api-key", | ||
| "Fingerprint": "a5f558a34ac453f9581a1c37f71bd36383a9c3ed:.config/.secrets.baseline:generic-api-key:115" | ||
| } | ||
| ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -118,5 +118,5 @@ | |
| } | ||
| ] | ||
| }, | ||
| "generated_at": "2023-08-23T09:27:45Z" | ||
| "generated_at": "2023-08-23T10:10:15Z" | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,138 @@ | ||
| --- | ||
|
|
||
| name: Devel pipeline | ||
|
|
||
| on: # yamllint disable-line rule:truthy | ||
| pull_request_target: | ||
| types: [opened, reopened, synchronize] | ||
| branches: | ||
| - devel | ||
| paths: | ||
| - '**.yml' | ||
| - '**.sh' | ||
| - '**.j2' | ||
| - '**.ps1' | ||
| - '**.cfg' | ||
|
|
||
| # A workflow run is made up of one or more jobs | ||
| # that can run sequentially or in parallel | ||
| jobs: | ||
| # This will create messages for first time contributers and direct them to the Discord server | ||
| welcome: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/first-interaction@main | ||
| with: | ||
| repo-token: ${{ secrets.GITHUB_TOKEN }} | ||
| pr-message: |- | ||
| Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! | ||
| Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. | ||
| # This workflow contains a single job which tests the playbook | ||
| playbook-test: | ||
| # The type of runner that the job will run on | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} | ||
| # Imported as a variable by terraform | ||
| TF_VAR_repository: ${{ github.event.repository.name }} | ||
| defaults: | ||
| run: | ||
| shell: bash | ||
| working-directory: .github/workflows/github_linux_IaC | ||
|
|
||
| steps: | ||
| - name: Clone ${{ github.event.repository.name }} | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
|
|
||
| # Pull in terraform code for linux servers | ||
| - name: Clone github IaC plan | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| repository: ansible-lockdown/github_linux_IaC | ||
| path: .github/workflows/github_linux_IaC | ||
|
|
||
| - name: Add_ssh_key | ||
| working-directory: .github/workflows | ||
| env: | ||
| SSH_AUTH_SOCK: /tmp/ssh_agent.sock | ||
| PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" | ||
| run: | | ||
| mkdir .ssh | ||
| chmod 700 .ssh | ||
| echo $PRIVATE_KEY > .ssh/github_actions.pem | ||
| chmod 600 .ssh/github_actions.pem | ||
| - name: DEBUG - Show IaC files | ||
| if: env.ENABLE_DEBUG == 'true' | ||
| run: | | ||
| echo "OSVAR = $OSVAR" | ||
| echo "benchmark_type = $benchmark_type" | ||
| pwd | ||
| ls | ||
| env: | ||
| # Imported from github variables this is used to load the relvent OS.tfvars file | ||
| OSVAR: ${{ vars.OSVAR }} | ||
| benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
|
|
||
| - name: Terraform_Init | ||
| id: init | ||
| run: terraform init | ||
| env: | ||
| # Imported from github variables this is used to load the relvent OS.tfvars file | ||
| OSVAR: ${{ vars.OSVAR }} | ||
| TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
|
|
||
| - name: Terraform_Validate | ||
| id: validate | ||
| run: terraform validate | ||
| env: | ||
| # Imported from github variables this is used to load the relvent OS.tfvars file | ||
| OSVAR: ${{ vars.OSVAR }} | ||
| TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
|
|
||
| - name: Terraform_Apply | ||
| id: apply | ||
| env: | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| OSVAR: ${{ vars.OSVAR }} | ||
| TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
| run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false | ||
|
|
||
| ## Debug Section | ||
| - name: DEBUG - Show Ansible hostfile | ||
| if: env.ENABLE_DEBUG == 'true' | ||
| run: cat hosts.yml | ||
|
|
||
| # Aws deployments taking a while to come up insert sleep or playbook fails | ||
|
|
||
| - name: Sleep for 60 seconds | ||
| run: sleep 60s | ||
|
|
||
| # Run the ansible playbook | ||
| - name: Run_Ansible_Playbook | ||
| uses: arillso/action.playbook@master | ||
| with: | ||
| playbook: site.yml | ||
| inventory: .github/workflows/github_linux_IaC/hosts.yml | ||
| galaxy_file: collections/requirements.yml | ||
| private_key: ${{ secrets.SSH_PRV_KEY }} | ||
| # verbose: 3 | ||
| env: | ||
| ANSIBLE_HOST_KEY_CHECKING: "false" | ||
| ANSIBLE_DEPRECATION_WARNINGS: "false" | ||
|
|
||
| # Remove test system - User secrets to keep if necessary | ||
|
|
||
| - name: Terraform_Destroy | ||
| if: always() && env.ENABLE_DEBUG == 'false' | ||
| env: | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| OSVAR: ${{ vars.OSVAR }} | ||
| TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
| run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,127 @@ | ||
| --- | ||
|
|
||
| name: Main pipeline | ||
|
|
||
| on: # yamllint disable-line rule:truthy | ||
| pull_request_target: | ||
| types: [opened, reopened, synchronize] | ||
| branches: | ||
| - main | ||
| paths: | ||
| - '**.yml' | ||
| - '**.sh' | ||
| - '**.j2' | ||
| - '**.ps1' | ||
| - '**.cfg' | ||
|
|
||
| # A workflow run is made up of one or more jobs | ||
| # that can run sequentially or in parallel | ||
| jobs: | ||
|
|
||
| # This workflow contains a single job which tests the playbook | ||
| playbook-test: | ||
| # The type of runner that the job will run on | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} | ||
| # Imported as a variable by terraform | ||
| TF_VAR_repository: ${{ github.event.repository.name }} | ||
| defaults: | ||
| run: | ||
| shell: bash | ||
| working-directory: .github/workflows/github_linux_IaC | ||
|
|
||
| steps: | ||
| - name: Clone ${{ github.event.repository.name }} | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
|
|
||
| # Pull in terraform code for linux servers | ||
| - name: Clone github IaC plan | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| repository: ansible-lockdown/github_linux_IaC | ||
| path: .github/workflows/github_linux_IaC | ||
|
|
||
| - name: Add_ssh_key | ||
| working-directory: .github/workflows | ||
| env: | ||
| SSH_AUTH_SOCK: /tmp/ssh_agent.sock | ||
| PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" | ||
| run: | | ||
| mkdir .ssh | ||
| chmod 700 .ssh | ||
| echo $PRIVATE_KEY > .ssh/github_actions.pem | ||
| chmod 600 .ssh/github_actions.pem | ||
| - name: DEBUG - Show IaC files | ||
| if: env.ENABLE_DEBUG == 'true' | ||
| run: | | ||
| echo "OSVAR = $OSVAR" | ||
| echo "benchmark_type = $benchmark_type" | ||
| pwd | ||
| ls | ||
| env: | ||
| # Imported from github variables this is used to load the relvent OS.tfvars file | ||
| OSVAR: ${{ vars.OSVAR }} | ||
| benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
|
|
||
| - name: Terraform_Init | ||
| id: init | ||
| run: terraform init | ||
| env: | ||
| # Imported from github variables this is used to load the relvent OS.tfvars file | ||
| OSVAR: ${{ vars.OSVAR }} | ||
| TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
|
|
||
| - name: Terraform_Validate | ||
| id: validate | ||
| run: terraform validate | ||
| env: | ||
| # Imported from github variables this is used to load the relvent OS.tfvars file | ||
| OSVAR: ${{ vars.OSVAR }} | ||
| TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
|
|
||
| - name: Terraform_Apply | ||
| id: apply | ||
| env: | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| OSVAR: ${{ vars.OSVAR }} | ||
| TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
| run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false | ||
|
|
||
| ## Debug Section | ||
| - name: DEBUG - Show Ansible hostfile | ||
| if: env.ENABLE_DEBUG == 'true' | ||
| run: cat hosts.yml | ||
|
|
||
| # Aws deployments taking a while to come up insert sleep or playbook fails | ||
|
|
||
| - name: Sleep for 60 seconds | ||
| run: sleep 60s | ||
|
|
||
| # Run the ansible playbook | ||
| - name: Run_Ansible_Playbook | ||
| uses: arillso/action.playbook@master | ||
| with: | ||
| playbook: site.yml | ||
| inventory: .github/workflows/github_linux_IaC/hosts.yml | ||
| galaxy_file: collections/requirements.yml | ||
| private_key: ${{ secrets.SSH_PRV_KEY }} | ||
| # verbose: 3 | ||
| env: | ||
| ANSIBLE_HOST_KEY_CHECKING: "false" | ||
| ANSIBLE_DEPRECATION_WARNINGS: "false" | ||
|
|
||
| # Remove test system - User secrets to keep if necessary | ||
|
|
||
| - name: Terraform_Destroy | ||
| if: always() && env.ENABLE_DEBUG == 'false' | ||
| env: | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| OSVAR: ${{ vars.OSVAR }} | ||
| TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
| run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| --- | ||
|
|
||
| # This is a basic workflow to help you get started with Actions | ||
|
|
||
| name: update galaxy | ||
|
|
||
| # Controls when the action will run. | ||
| # Triggers the workflow on merge request events to the main branch | ||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| jobs: | ||
| update_role: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - uses: robertdebock/galaxy-action@master | ||
| with: | ||
| galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} | ||
| git_branch: main |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -46,3 +46,10 @@ benchparse/ | |
|
|
||
| # GitHub Action/Workflow files | ||
| .github/ | ||
|
|
||
| # key types | ||
| *.pem | ||
| *.ppk | ||
| *.key | ||
| *.rsa | ||
| *.ecdsa | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.