diff --git a/.DS_Store b/.DS_Store
index 48e1d4a..b983735 100644
Binary files a/.DS_Store and b/.DS_Store differ
diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..9048ad1
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,23 @@
+---
+parseable: true
+quiet: true
+skip_list:
+ - 'schema'
+ - 'no-changed-when'
+ - 'fqcn-builtins'
+ - 'experimental'
+ - 'fqcn[action-core]'
+ - 'fqcn[action]'
+ - 'name[casing]'
+ - 'name[template]'
+ - 'jinja[spacing]'
+ - yaml[line-length]
+ - 'var-naming' # Older playbook no new release
+ # - '204'
+ - '305'
+ # - '303'
+ # - '403'
+ - '306'
+ # - '602'
+use_default_rules: true
+verbosity: 0
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9a24540
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,6 @@
+# adding github settings to show correct language
+*.sh linguist-detectable=true
+*.yml linguist-detectable=true
+*.ps1 linguist-detectable=true
+*.j2 linguist-detectable=true
+*.md linguist-documentation
\ No newline at end of file
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000..d3828ea
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,34 @@
+---
+name: Report Issue
+about: Create a bug issue ticket to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the Issue**
+A clear and concise description of what the bug is.
+
+**Expected Behavior**
+A clear and concise description of what you expected to happen.
+
+**Actual Behavior**
+A clear and concise description of what's happening.
+
+**Control(s) Affected**
+What controls are being affected by the issue
+
+**Environment (please complete the following information):**
+
+- branch being used: [e.g. devel]
+- Ansible Version: [e.g. 2.10]
+- Host Python Version: [e.g. Python 3.7.6]
+- Ansible Server Python Version: [e.g. Python 3.7.6]
+- Additional Details:
+
+**Additional Notes**
+Anything additional goes here
+
+**Possible Solution**
+Enter a suggested fix here
diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
new file mode 100644
index 0000000..3908075
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
@@ -0,0 +1,22 @@
+---
+name: Feature Request or Enhancement
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+## Feature Request or Enhancement
+
+- Feature []
+- Enhancement []
+
+**Summary of Request**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Suggested Code**
+Please provide any code you have in mind to fulfill the request
diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md
new file mode 100644
index 0000000..ad0629e
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -0,0 +1,18 @@
+---
+name: Question
+about: Ask away.......
+title: ''
+labels: question
+assignees: ''
+
+---
+
+**Question**
+Pose question here.
+
+**Environment (please complete the following information):**
+
+- Ansible Version: [e.g. 2.10]
+- Host Python Version: [e.g. Python 3.7.6]
+- Ansible Server Python Version: [e.g. Python 3.7.6]
+- Additional Details:
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..05dadb6
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,12 @@
+**Overall Review of Changes:**
+A general description of the changes made that are being requested for merge
+
+**Issue Fixes:**
+Please list (using linking) any open issues this PR addresses
+
+**Enhancements:**
+Please list any enhancements/features that are not open issue tickets
+
+**How has this been tested?:**
+Please give an overview of how these changes were tested. If they were not please use N/A
+
diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars
new file mode 100644
index 0000000..634512b
--- /dev/null
+++ b/.github/workflows/OS.tfvars
@@ -0,0 +1,9 @@
+#Ami Alma 9
+ami_id = "ami-0845395779540e3cb"
+ami_os = "rhel9"
+ami_username = "ec2-user"
+ami_user_home = "/home/ec2-user"
+instance_tags = {
+ Name = "RHEL9-CIS"
+ Environment = "lockdown_github_repo_workflow"
+}
diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf
new file mode 100644
index 0000000..ba77764
--- /dev/null
+++ b/.github/workflows/github_networks.tf
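Review bot: The first line of OS.tfvars says `#Ami Alma 9`, but `ami_os = "rhel9"` and the `Name = "RHEL9-CIS"` tag in the same file describe a RHEL 9 image, so the comment or the values are stale. Because a hard-coded `ami_id` is only valid in one account and region, the comment is the natural place to record what the id is; suggest `# RHEL 9 AMI, <REGION-PLACEHOLDER> -- keep in sync with ami_os and the Name tag` or correct the values if Alma is the intended OS.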
@@ -0,0 +1,53 @@
+resource "aws_vpc" "Main" {
+ cidr_block = var.main_vpc_cidr
+ instance_tenancy = "default"
+ tags = {
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-VPC"
+ }
+}
+
+resource "aws_internet_gateway" "IGW" {
+ vpc_id = aws_vpc.Main.id
+ tags = {
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-IGW"
+ }
+}
+
+resource "aws_subnet" "publicsubnets" {
+ vpc_id = aws_vpc.Main.id
+ cidr_block = var.public_subnets
+ availability_zone = var.availability_zone
+ tags = {
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-pubsub"
+ }
+}
+
+resource "aws_subnet" "Main" {
+ vpc_id = aws_vpc.Main.id
+ cidr_block = var.private_subnets
+ availability_zone = var.availability_zone
+ tags = {
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-prvsub"
+ }
+}
+
+resource "aws_route_table" "PublicRT" {
+ vpc_id = aws_vpc.Main.id
+ route {
+ cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.IGW.id
+ }
+ tags = {
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-publicRT"
+ }
+}
+
+resource "aws_route_table_association" "rt_associate_public" {
+ subnet_id = aws_subnet.Main.id
+ route_table_id = aws_route_table.PublicRT.id
+}
diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars
new file mode 100644
index 0000000..24daeca
--- /dev/null
+++ b/.github/workflows/github_vars.tfvars
@@ -0,0 +1,14 @@
+// github_actions variables
+// Resourced in github_networks.tf
+// Declared in variables.tf
+//
+
+namespace = "github_actions"
+environment = "lockdown_github_repo_workflow"
+
+// Matching pair name found in AWS for keypairs PEM key
+ami_key_pair_name = "github_actions"
+private_key = ".ssh/github_actions.pem"
+main_vpc_cidr = "172.22.0.0/24"
+public_subnets = "172.22.0.128/26"
+private_subnets = "172.22.0.192/26"
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml
new file mode 100644
index 0000000..48e7eed
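Review bot: `aws_route_table_association.rt_associate_public` attaches `PublicRT`, the route table carrying the `0.0.0.0/0` route to the IGW, to `aws_subnet.Main`, which is built from `var.private_subnets` and tagged `-prvsub`, while `aws_subnet.publicsubnets` receives no route table at all. The subnet named private is therefore the internet-facing one and the subnet named public has no outbound route, which is easy to misread later and makes it likely a future resource lands in the wrong subnet; main.tf in this same commit places the test instance in `aws_subnet.Main` with a public IP, so it currently works only because of this mismatch. Either change the association to `subnet_id = aws_subnet.publicsubnets.id` and move the instance's `subnet_id` in main.tf to match, or rename the two subnets so their names agree with the routing.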
--- /dev/null
+++ b/.github/workflows/linux_benchmark_testing.yml
@@ -0,0 +1,117 @@
+# This is a basic workflow to help you get started with Actions
+
+name: linux_benchmark_pipeline
+
+# Controls when the action will run.
+# Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+ pull_request_target:
+ types: [opened, reopened, synchronize]
+ branches:
+ - devel
+ - main
+ paths:
+ - '**.yml'
+ - '**.sh'
+ - '**.j2'
+ - '**.ps1'
+ - '**.cfg'
+
+# A workflow run is made up of one or more jobs
+# that can run sequentially or in parallel
+jobs:
+ # This will create messages for first time contributers and direct them to the Discord server
+ welcome:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/first-interaction@main
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ pr-message: |-
+ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+ Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+ # This workflow contains a single job called "build"
+ build:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ env:
+ ENABLE_DEBUG: false
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE,
+ # so your job can access it
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Add_ssh_key
+ working-directory: .github/workflows
+ env:
+ SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+ PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+ run: |
+ mkdir .ssh
+ chmod 700 .ssh
+ echo $PRIVATE_KEY > .ssh/github_actions.pem
+ chmod 600 .ssh/github_actions.pem
+
+### Build out the server
+ - name: Terraform_Init
+ working-directory: .github/workflows
+ run: terraform init
+
+ - name: Terraform_Validate
+ working-directory: .github/workflows
+ run: terraform validate
+
+ - name: Terraform_Apply
+ working-directory: .github/workflows
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
+
+## Debug Section
+ - name: DEBUG - Show Ansible hostfile
+ if: env.ENABLE_DEBUG == 'true'
+ working-directory: .github/workflows
+ run: cat hosts.yml
+
+# Aws deployments taking a while to come up insert sleep or playbook fails
+
+ - name: Sleep for 60 seconds
+ run: sleep 60s
+ shell: bash
+
+# Set up requirements for random root password CIS 5.6.6
+ - name: add urandom passwd to root account
+ shell: bash
+ run: |
+ ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i .github/workflows/hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" --private-key ${{ secrets.SSH_PRV_KEY }} -b
+
+# Run the ansible playbook
+ - name: Run_Ansible_Playbook
+ uses: arillso/action.playbook@master
+ with:
+ playbook: site.yml
+ inventory: .github/workflows/hosts.yml
+ galaxy_file: collections/requirements.yml
+ private_key: ${{ secrets.SSH_PRV_KEY }}
+# verbose: 3
+ env:
+ ANSIBLE_HOST_KEY_CHECKING: "false"
+ ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+# Remove test system - User secrets to keep if necessary
+
+ - name: Terraform_Destroy
+ working-directory: .github/workflows
+ if: always() && env.ENABLE_DEBUG == 'false'
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf
new file mode 100644
index 0000000..dad096f
--- /dev/null
+++ b/.github/workflows/main.tf
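Review bot: The `build` job is triggered by `pull_request_target` but checks out `github.event.pull_request.head.sha` and then executes what it checked out (`terraform init`/`apply` on the `.tf` files under `.github/workflows`, and `site.yml` via `arillso/action.playbook`) with `secrets.SSH_PRV_KEY` and the `AWS_*` credentials in scope, so a pull request from a fork can alter those files and have them run with this repository's secrets. If the trigger is intended, gate the job on the head repository being this one, `if: github.event.pull_request.head.repo.full_name == github.repository`, or on a maintainer-applied label, or use the `pull_request` trigger and keep credentialed deploy steps in a separate trusted workflow. In `Add_ssh_key`, the unquoted `echo $PRIVATE_KEY` word-splits a multi-line PEM and writes it back joined by spaces; `printf '%s\n' "$PRIVATE_KEY" > .ssh/github_actions.pem` preserves it. In the `add urandom passwd to root account` step, `ANSIBLE_HOST_KEY_CHECKING=False && ansible …` sets a shell variable without exporting it, so ansible never sees it, and the same command interpolates `${{ secrets.SSH_PRV_KEY }}` straight into the script as the `--private-key` argument, which expects a path; presumably the key file written by `Add_ssh_key` was meant, i.e. `ANSIBLE_HOST_KEY_CHECKING=False ansible all … --private-key .github/workflows/.ssh/github_actions.pem -b`.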
@@ -0,0 +1,84 @@
+provider "aws" {
+ profile = ""
+ region = var.aws_region
+}
+
+// Create a security group with access to port 22 and port 80 open to serve HTTP traffic
+
+
+resource "random_id" "server" {
+ keepers = {
+ # Generate a new id each time we switch to a new AMI id
+ ami_id = "${var.ami_id}"
+ }
+
+ byte_length = 8
+}
+
+resource "aws_security_group" "github_actions" {
+ name = "${var.namespace}-${random_id.server.hex}-SG"
+ vpc_id = aws_vpc.Main.id
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ tags = {
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-SG"
+ }
+}
+
+// instance setup
+
+resource "aws_instance" "testing_vm" {
+ ami = var.ami_id
+ availability_zone = var.availability_zone
+ associate_public_ip_address = true
+ key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs
+ instance_type = var.instance_type
+ tags = var.instance_tags
+ vpc_security_group_ids = [aws_security_group.github_actions.id]
+ subnet_id = aws_subnet.Main.id
+ root_block_device {
+ delete_on_termination = true
+ }
+}
+
+// generate inventory file
+resource "local_file" "inventory" {
+ filename = "./hosts.yml"
+ directory_permission = "0755"
+ file_permission = "0644"
+ content = <