Merge pull request #171 from cisagov/lineage/skeleton

⚠️ CONFLICT! Lineage pull request for: skeleton

.github/workflows/build.yml

@@ -238,6 +238,14 @@ jobs:
       - lint
       - test
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        architecture:
+          # There is no ARM-based official Kali AMI in the AWS AMI
+          # Catalog.
+          # - arm64
+          - x86_64
     steps:
       - id: harden-runner
         name: Harden the runner
@@ -315,7 +323,8 @@ jobs:
         # This runs through the AMI creation process but does not
         # actually create an AMI
         run: |
-          packer build -timestamp-ui \
+          packer build -only amazon-ebs.${{ matrix.architecture }} \
+            -timestamp-ui \
             -var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_STAGING }} \
             -var skip_create_ami=true \
             src/packer.pkr.hcl

.github/workflows/prerelease.yml

@@ -33,6 +33,14 @@ jobs:
     needs:
       - diagnostics
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        architecture:
+          # There is no ARM-based official Kali AMI in the AWS AMI
+          # Catalog.
+          # - arm64
+          - x86_64
     steps:
       - id: harden-runner
         name: Harden the runner
@@ -114,7 +122,8 @@ jobs:
           # take over an hour to create this AMI.
           AWS_MAX_ATTEMPTS: 480
         run: |
-          packer build -timestamp-ui \
+          packer build -only amazon-ebs.${{ matrix.architecture }} \
+            -timestamp-ui \
             -var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_STAGING }} \
             -var is_prerelease=${{ github.event.release.prerelease }} \
             -var release_tag=${{ github.event.release.tag_name }} \

.github/workflows/release.yml

@@ -40,6 +40,14 @@ jobs:
     needs:
       - diagnostics
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        architecture:
+          # There is no ARM-based official Kali AMI in the AWS AMI
+          # Catalog.
+          # - arm64
+          - x86_64
     steps:
       - id: harden-runner
         name: Harden the runner
@@ -130,7 +138,8 @@ jobs:
           # another.
           AWS_MAX_ATTEMPTS: 480
         run: |
-          packer build -timestamp-ui \
+          packer build -only amazon-ebs.${{ matrix.architecture }} \
+            -timestamp-ui \
             -var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_PRODUCTION }} \
             -var is_prerelease=${{ github.event.release.prerelease }} \
             -var release_tag=${{ github.event.release.tag_name }} \

.pre-commit-config.yaml

@@ -5,7 +5,7 @@ default_language_version:
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       - id: check-case-conflict
       - id: check-executables-have-shebangs
@@ -31,7 +31,7 @@ repos:
 
   # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.39.0
+    rev: v0.41.0
     hooks:
       - id: markdownlint
         args:
@@ -46,7 +46,7 @@ repos:
         # mirror does not pull tags for old major versions once a new major
         # version tag is published.
         additional_dependencies:
-          - prettier@3.2.5
+          - prettier@3.3.1
   - repo: https://github.com/adrienverge/yamllint
     rev: v1.35.1
     hooks:
@@ -56,14 +56,14 @@ repos:
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.28.0
+    rev: 0.28.4
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v3.6.2
+    rev: v3.7.1
     hooks:
       - id: validate_manifest
 
@@ -98,7 +98,7 @@ repos:
 
   # Shell script hooks
   - repo: https://github.com/scop/pre-commit-shfmt
-    rev: v3.7.0-4
+    rev: v3.8.0-1
     hooks:
       - id: shfmt
         args:
@@ -116,14 +116,14 @@ repos:
           # Redirect operators are followed by a space
           - --space-redirects
   - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.9.0.6
+    rev: v0.10.0.1
     hooks:
       - id: shellcheck
 
   # Python hooks
   # Run bandit on the "tests" tree with a configuration
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.7
+    rev: 1.7.8
     hooks:
       - id: bandit
         name: bandit (tests tree)
@@ -138,7 +138,7 @@ repos:
         name: bandit (everything else)
         exclude: tests
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 24.2.0
+    rev: 24.4.2
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
@@ -152,24 +152,42 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.8.0
+    rev: v1.10.0
     hooks:
       - id: mypy
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.15.1
+    rev: v3.15.2
     hooks:
       - id: pyupgrade
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
-    rev: v24.2.0
+    rev: v24.6.0
     hooks:
       - id: ansible-lint
-      # files: molecule/default/playbook.yml
+        additional_dependencies:
+          # On its own ansible-lint does not pull in ansible, only
+          # ansible-core.  Therefore, if an Ansible module lives in
+          # ansible instead of ansible-core, the linter will complain
+          # that the module is unknown.  In these cases it is
+          # necessary to add the ansible package itself as an
+          # additional dependency, with the same pinning as is done in
+          # requirements-test.txt of cisagov/skeleton-ansible-role.
+          # - ansible>=9,<10
+          # ansible-core 2.16.3 through 2.16.6 suffer from the bug
+          # discussed in ansible/ansible#82702, which breaks any
+          # symlinked files in vars, tasks, etc. for any Ansible role
+          # installed via ansible-galaxy.  Hence we never want to
+          # install those versions.
+          #
+          # Note that any changes made to this dependency must also be
+          # made in requirements.txt in cisagov/skeleton-packer and
+          # requirements-test.txt in cisagov/skeleton-ansible-role.
+          - ansible-core>=2.16.7
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.0
+    rev: v1.90.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

requirements.txt

@@ -13,19 +13,15 @@
 # often breaking changes across major versions.  This is the reason
 # for the upper bound.
 ansible>=8,<10
-# TODO: Remove this pin when possible.  See
-# cisagov/skeleton-packer#312 for more details.
-#
-# ansible-core 2.16.3 and later suffer from the bug discussed in
+# ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in
 # ansible/ansible#82702, which breaks any symlinked files in vars,
 # tasks, etc. for any Ansible role installed via ansible-galaxy.
+# Hence we never want to install those versions.
 #
-# See also cisagov/skeleton-ansible-role#178 and
-# cisagov/skeleton-generic#180.  Note from these PRs that any changes
-# made to this dependency must also be made in requirements-test.txt
-# in cisagov/skeleton-ansible-role and .pre-commit-config.yaml in
-# cisagov/skeleton-generic.
-ansible-core<2.16.3
+# Note that any changes made to this dependency must also be made in
+# requirements-test.txt in cisagov/skeleton-ansible-role and
+# .pre-commit-config.yaml in cisagov/skeleton-generic.
+ansible-core>=2.16.7
 boto3
 docopt
 semver

src/packer.pkr.hcl

@@ -73,9 +73,23 @@ variable "skip_create_ami" {
   type        = bool
 }
 
-data "amazon-ami" "kali_linux" {
+# There is no ARM-based official Kali AMI in the AWS AMI Catalog.
+# data "amazon-ami" "kali_arm64" {
+#   filters = {
+#     architecture        = "arm64"
+#     name                = "kali-last-snapshot-arm64-2024.2.0-*"
+#     root-device-type    = "ebs"
+#     virtualization-type = "hvm"
+#   }
+#   most_recent = true
+#   owners      = ["679593333241"]
+#   region      = var.build_region
+# }
+
+data "amazon-ami" "kali_x86_64" {
   filters = {
-    name                = "kali-last-snapshot-amd64-2023.4.0-*"
+    architecture        = "x86_64"
+    name                = "kali-last-snapshot-amd64-2024.2.0-*"
     root-device-type    = "ebs"
     virtualization-type = "hvm"
   }
@@ -86,7 +100,52 @@ data "amazon-ami" "kali_linux" {
 
 locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") }
 
-source "amazon-ebs" "kali" {
+# There is no ARM-based official Kali AMI in the AWS AMI Catalog.
+# source "amazon-ebs" "arm64" {
+#   ami_name                    = "kali-hvm-${local.timestamp}-arm64-ebs"
+#   ami_regions                 = var.ami_regions
+#   associate_public_ip_address = true
+#   encrypt_boot                = true
+#   instance_type               = "t4g.small"
+#   kms_key_id                  = var.build_region_kms
+#   launch_block_device_mappings {
+#     delete_on_termination = true
+#     device_name           = "/dev/xvda"
+#     encrypted             = true
+#     volume_size           = 30
+#     volume_type           = "gp3"
+#   }
+#   region             = var.build_region
+#   region_kms_key_ids = var.region_kms_keys
+#   skip_create_ami    = var.skip_create_ami
+#   source_ami         = data.amazon-ami.kali_arm64.id
+#   ssh_username       = "kali"
+#   subnet_filter {
+#     filters = {
+#       "tag:Name" = "AMI Build"
+#     }
+#   }
+#   tags = {
+#     Application        = "Kali"
+#     Architecture       = "arm64"
+#     Base_AMI_Name      = data.amazon-ami.kali_arm64.name
+#     GitHub_Release_URL = var.release_url
+#     OS_Version         = "Kali Linux"
+#     Pre_Release        = var.is_prerelease
+#     Release            = var.release_tag
+#     Team               = "VM Fusion - Development"
+#   }
+#   # Many Linux distributions are now disallowing the use of RSA keys,
+#   # so it makes sense to use an ED25519 key instead.
+#   temporary_key_pair_type = "ed25519"
+#   vpc_filter {
+#     filters = {
+#       "tag:Name" = "AMI Build"
+#     }
+#   }
+# }
+
+source "amazon-ebs" "x86_64" {
   ami_name                    = "kali-hvm-${local.timestamp}-x86_64-ebs"
   ami_regions                 = var.ami_regions
   associate_public_ip_address = true
@@ -103,7 +162,7 @@ source "amazon-ebs" "kali" {
   region             = var.build_region
   region_kms_key_ids = var.region_kms_keys
   skip_create_ami    = var.skip_create_ami
-  source_ami         = data.amazon-ami.kali_linux.id
+  source_ami         = data.amazon-ami.kali_x86_64.id
   ssh_username       = "kali"
   subnet_filter {
     filters = {
@@ -112,7 +171,8 @@ source "amazon-ebs" "kali" {
   }
   tags = {
     Application        = "Kali"
-    Base_AMI_Name      = data.amazon-ami.kali_linux.name
+    Architecture       = "x86_64"
+    Base_AMI_Name      = data.amazon-ami.kali_x86_64.name
     GitHub_Release_URL = var.release_url
     OS_Version         = "Kali Linux"
     Pre_Release        = var.is_prerelease
@@ -130,7 +190,11 @@ source "amazon-ebs" "kali" {
 }
 
 build {
-  sources = ["source.amazon-ebs.kali"]
+  sources = [
+    # There is no ARM-based official Kali AMI in the AWS AMI Catalog.
+    # "source.amazon-ebs.arm64",
+    "source.amazon-ebs.x86_64",
+  ]
 
   provisioner "ansible" {
     playbook_file = "src/upgrade.yml"

src/version.txt

@@ -1 +1 @@
-__version__ = "0.5.27"
+__version__ = "0.5.28"