Merge pull request #15 from ansible-lockdown/devel

workflow linting
ansible-lockdown · Sep 20, 2023 · e974855 · e974855
2 parents f1e0418 + e71bfe2
commit e974855
Show file tree

Hide file tree

Showing 37 changed files with 6,762 additions and 1 deletion.
diff --git a/.ansible-lint b/.ansible-lint
@@ -0,0 +1,24 @@
+---
+
+parseable: true
+quiet: true
+skip_list:
+    - 'schema'
+    - 'no-changed-when'
+    - 'var-spacing'
+    - 'fqcn-builtins'
+    - 'experimental'
+    - 'name[play]'
+    - 'name[casing]'
+    - 'name[template]'
+    - 'fqcn[action]'
+    - 'key-order[task]'
+    - '204'
+    - '305'
+    - '303'
+    - '403'
+    - '306'
+    - '602'
+    - '208'
+use_default_rules: true
+verbosity: 0
diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json
@@ -0,0 +1 @@
+[]
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
@@ -0,0 +1,128 @@
+{
+  "version": "1.4.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    },
+    {
+      "path": "detect_secrets.filters.regex.should_exclude_file",
+      "pattern": [
+        ".config/.gitleaks-report.json"
+      ]
+    }
+  ],
+  "results": {
+    "tasks/parse_etc_passwd.yml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tasks/parse_etc_passwd.yml",
+        "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
+        "is_verified": false,
+        "line_number": 19
+      }
+    ]
+  },
+  "generated_at": "2023-09-18T09:16:50Z"
+}
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,6 @@
+# adding github settings to show correct language
+*.sh linguist-detectable=true
+*.yml linguist-detectable=true
+*.ps1 linguist-detectable=true
+*.j2 linguist-detectable=true
+*.md linguist-documentation
diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars
@@ -0,0 +1,9 @@
+#Ami Ubuntu 20
+ami_id        = "ami-05fe5907b25984493"
+ami_os        = "ubuntu20"
+ami_username  = "ubuntu"
+ami_user_home = "/home/ubuntu"
+instance_tags = {
+  Name        = "UBUNTU20-STIG"
+  Environment = "Ansible_Lockdown_GH_PR_Pipeline"
+}
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
@@ -0,0 +1,138 @@
+---
+
+    name: Devel pipeline
+
+    on: # yamllint disable-line rule:truthy
+      pull_request_target:
+          types: [opened, reopened, synchronize]
+          branches:
+              - devel
+          paths:
+              - '**.yml'
+              - '**.sh'
+              - '**.j2'
+              - '**.ps1'
+              - '**.cfg'
+
+    # A workflow run is made up of one or more jobs
+    # that can run sequentially or in parallel
+    jobs:
+      # This will create messages for first time contributers and direct them to the Discord server
+        welcome:
+          runs-on: ubuntu-latest
+
+          steps:
+              - uses: actions/first-interaction@main
+                with:
+                  repo-token: ${{ secrets.GITHUB_TOKEN }}
+                  pr-message: |-
+                      Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+                      Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+
+        # This workflow contains a single job which tests the playbook
+        playbook-test:
+          # The type of runner that the job will run on
+          runs-on: ubuntu-latest
+          env:
+            ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+            # Imported as a variable by terraform
+            TF_VAR_repository: ${{ github.event.repository.name }}
+          defaults:
+            run:
+              shell: bash
+              working-directory: .github/workflows/github_linux_IaC
+
+          steps:
+            - name: Clone ${{ github.event.repository.name }}
+              uses: actions/checkout@v3
+              with:
+                ref: ${{ github.event.pull_request.head.sha }}
+
+            # Pull in terraform code for linux servers
+            - name: Clone github IaC plan
+              uses: actions/checkout@v3
+              with:
+                repository: ansible-lockdown/github_linux_IaC
+                path: .github/workflows/github_linux_IaC
+
+            - name: Add_ssh_key
+              working-directory: .github/workflows
+              env:
+                  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+                  PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+              run: |
+                mkdir .ssh
+                chmod 700 .ssh
+                echo $PRIVATE_KEY > .ssh/github_actions.pem
+                chmod 600 .ssh/github_actions.pem
+
+            - name: DEBUG - Show IaC files
+              if: env.ENABLE_DEBUG == 'true'
+              run: |
+                echo "OSVAR = $OSVAR"
+                echo "benchmark_type = $benchmark_type"
+                pwd
+                ls
+              env:
+                # Imported from github variables this is used to load the relvent OS.tfvars file
+                OSVAR: ${{ vars.OSVAR }}
+                benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+            - name: Terraform_Init
+              id: init
+              run: terraform init
+              env:
+                # Imported from github variables this is used to load the relvent OS.tfvars file
+                OSVAR: ${{ vars.OSVAR }}
+                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+            - name: Terraform_Validate
+              id: validate
+              run: terraform validate
+              env:
+                # Imported from github variables this is used to load the relvent OS.tfvars file
+                OSVAR: ${{ vars.OSVAR }}
+                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+            - name: Terraform_Apply
+              id: apply
+              env:
+                AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+                OSVAR: ${{ vars.OSVAR }}
+                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+              run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+
+  ## Debug Section
+            - name: DEBUG - Show Ansible hostfile
+              if: env.ENABLE_DEBUG == 'true'
+              run: cat hosts.yml
+
+      # Aws deployments taking a while to come up insert sleep or playbook fails
+
+            - name: Sleep for 60 seconds
+              run: sleep 60s
+
+          # Run the ansible playbook
+            - name: Run_Ansible_Playbook
+              uses: arillso/action.playbook@master
+              with:
+                playbook: site.yml
+                inventory: .github/workflows/github_linux_IaC/hosts.yml
+                galaxy_file: collections/requirements.yml
+                private_key: ${{ secrets.SSH_PRV_KEY }}
+        #          verbose: 3
+              env:
+                ANSIBLE_HOST_KEY_CHECKING: "false"
+                ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+          # Remove test system - User secrets to keep if necessary
+
+            - name: Terraform_Destroy
+              if: always() && env.ENABLE_DEBUG == 'false'
+              env:
+                AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+                OSVAR: ${{ vars.OSVAR }}
+                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+              run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf
@@ -0,0 +1,53 @@
+resource "aws_vpc" "Main" {
+  cidr_block       = var.main_vpc_cidr
+  instance_tenancy = "default"
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-VPC"
+  }
+}
+
+resource "aws_internet_gateway" "IGW" {
+  vpc_id = aws_vpc.Main.id
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-IGW"
+  }
+}
+
+resource "aws_subnet" "publicsubnets" {
+  vpc_id            = aws_vpc.Main.id
+  cidr_block        = var.public_subnets
+  availability_zone = var.availability_zone
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-pubsub"
+  }
+}
+
+resource "aws_subnet" "Main" {
+  vpc_id     = aws_vpc.Main.id
+  cidr_block = var.private_subnets
+  availability_zone = var.availability_zone
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-prvsub"
+  }
+}
+
+resource "aws_route_table" "PublicRT" {
+  vpc_id = aws_vpc.Main.id
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.IGW.id
+  }
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-publicRT"
+  }
+}
+
+resource "aws_route_table_association" "rt_associate_public" {
+  subnet_id      = aws_subnet.Main.id
+  route_table_id = aws_route_table.PublicRT.id
+}
diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars
@@ -0,0 +1,14 @@
+// github_actions variables
+// Resourced in github_networks.tf
+// Declared in variables.tf
+// 
+
+namespace   = "github_actions"
+environment = "lockdown_github_repo_workflow"
+
+// Matching pair name found in AWS for keypairs PEM key
+ami_key_pair_name = "github_actions"
+private_key       = ".ssh/github_actions.pem"
+main_vpc_cidr     = "172.22.0.0/24"
+public_subnets    = "172.22.0.128/26"
+private_subnets   = "172.22.0.192/26"