Merge pull request #80 from cisagov/lineage/skeleton
⚠️ CONFLICT! Lineage pull request for: skeleton
jsf9k authored Aug 16, 2024
2 parents cf69a3b + 0bd9cfc commit 7330acd
Showing 10 changed files with 228 additions and 49 deletions.
10 changes: 9 additions & 1 deletion .github/workflows/build.yml
Expand Up @@ -238,6 +238,13 @@ jobs:
- lint
- test
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
architecture:
# Nessus does not support ARM64 on Debian.
# - arm64
- x86_64
steps:
- id: harden-runner
name: Harden the runner
Expand Down Expand Up @@ -315,7 +322,8 @@ jobs:
# This runs through the AMI creation process but does not
# actually create an AMI
run: |
packer build -timestamp-ui \
packer build -only amazon-ebs.${{ matrix.architecture }} \
-timestamp-ui \
-var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_STAGING }} \
-var skip_create_ami=true \
src/packer.pkr.hcl
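Review bot: The new `-only amazon-ebs.${{ matrix.architecture }}` on the `packer build` line interpolates a workflow expression straight into the shell script; today the matrix is a static literal list (`x86_64` only), so this is not injectable, but it is exactly the pattern that turns into shell injection the moment the matrix is fed from `workflow_dispatch` inputs or a reusable-workflow parameter. Route the value through the step environment instead: add `env:` / `ARCHITECTURE: ${{ matrix.architecture }}` on the step and write `packer build -only "amazon-ebs.${ARCHITECTURE}" \` in the script. The `-only` target is also an implicit contract with the source labels in `src/packer.pkr.hcl` (`amazon-ebs.x86_64`, and the commented `amazon-ebs.arm64`); a one-line comment above the matrix, `# Values must match the source labels in src/packer.pkr.hcl`, would make that coupling visible. The same two hunks appear in prerelease.yml and release.yml and deserve the same treatment. The enclosing job starts outside the hunk.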
10 changes: 9 additions & 1 deletion .github/workflows/prerelease.yml
Expand Up @@ -33,6 +33,13 @@ jobs:
needs:
- diagnostics
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
architecture:
# Nessus does not support ARM64 on Debian.
# - arm64
- x86_64
steps:
- id: harden-runner
name: Harden the runner
Expand Down Expand Up @@ -108,7 +115,8 @@ jobs:
run: packer init src
- name: Create machine image
run: |
packer build -timestamp-ui \
packer build -only amazon-ebs.${{ matrix.architecture }} \
-timestamp-ui \
-var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_STAGING }} \
-var is_prerelease=${{ github.event.release.prerelease }} \
-var release_tag=${{ github.event.release.tag_name }} \
10 changes: 9 additions & 1 deletion .github/workflows/release.yml
Expand Up @@ -40,6 +40,13 @@ jobs:
needs:
- diagnostics
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
architecture:
# Nessus does not support ARM64 on Debian.
# - arm64
- x86_64
steps:
- id: harden-runner
name: Harden the runner
Expand Down Expand Up @@ -123,7 +130,8 @@ jobs:
run: packer init src
- name: Create machine image
run: |
packer build -timestamp-ui \
packer build -only amazon-ebs.${{ matrix.architecture }} \
-timestamp-ui \
-var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_PRODUCTION }} \
-var is_prerelease=${{ github.event.release.prerelease }} \
-var release_tag=${{ github.event.release.tag_name }} \
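Review bot: `fail-fast: false` on the production release job means that, once a second architecture is re-enabled in the matrix, one leg can finish publishing an AMI built with `THIRD_PARTY_BUCKET_PRODUCTION` while the other leg fails, leaving a half-published release that nothing in this workflow rolls back. With the single `x86_64` entry this is moot today, so the setting is harmless, but the intent should be recorded so nobody uncomments `arm64` without deciding whether a partial release is acceptable. Suggest either a comment above the line, `# Deliberate: a failing architecture must not cancel the other legs mid-AMI-copy; a partial release then needs manual cleanup.`, or dropping `fail-fast: false` from this job only (keeping it in build.yml) so the production job fails as a unit. The enclosing job starts outside the hunk.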
46 changes: 32 additions & 14 deletions .pre-commit-config.yaml
Expand Up @@ -5,7 +5,7 @@ default_language_version:

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
rev: v4.6.0
hooks:
- id: check-case-conflict
- id: check-executables-have-shebangs
Expand All @@ -31,7 +31,7 @@ repos:

# Text file hooks
- repo: https://github.com/igorshubovych/markdownlint-cli
rev: v0.39.0
rev: v0.41.0
hooks:
- id: markdownlint
args:
Expand All @@ -46,7 +46,7 @@ repos:
# mirror does not pull tags for old major versions once a new major
# version tag is published.
additional_dependencies:
- prettier@3.2.5
- prettier@3.3.1
- repo: https://github.com/adrienverge/yamllint
rev: v1.35.1
hooks:
Expand All @@ -56,14 +56,14 @@ repos:

# GitHub Actions hooks
- repo: https://github.com/python-jsonschema/check-jsonschema
rev: 0.28.0
rev: 0.28.4
hooks:
- id: check-github-actions
- id: check-github-workflows

# pre-commit hooks
- repo: https://github.com/pre-commit/pre-commit
rev: v3.6.2
rev: v3.7.1
hooks:
- id: validate_manifest

Expand Down Expand Up @@ -98,7 +98,7 @@ repos:

# Shell script hooks
- repo: https://github.com/scop/pre-commit-shfmt
rev: v3.7.0-4
rev: v3.8.0-1
hooks:
- id: shfmt
args:
Expand All @@ -116,14 +116,14 @@ repos:
# Redirect operators are followed by a space
- --space-redirects
- repo: https://github.com/shellcheck-py/shellcheck-py
rev: v0.9.0.6
rev: v0.10.0.1
hooks:
- id: shellcheck

# Python hooks
# Run bandit on the "tests" tree with a configuration
- repo: https://github.com/PyCQA/bandit
rev: 1.7.7
rev: 1.7.8
hooks:
- id: bandit
name: bandit (tests tree)
Expand All @@ -138,7 +138,7 @@ repos:
name: bandit (everything else)
exclude: tests
- repo: https://github.com/psf/black-pre-commit-mirror
rev: 24.2.0
rev: 24.4.2
hooks:
- id: black
- repo: https://github.com/PyCQA/flake8
Expand All @@ -152,24 +152,42 @@ repos:
hooks:
- id: isort
- repo: https://github.com/pre-commit/mirrors-mypy
rev: v1.8.0
rev: v1.10.0
hooks:
- id: mypy
- repo: https://github.com/asottile/pyupgrade
rev: v3.15.1
rev: v3.15.2
hooks:
- id: pyupgrade

# Ansible hooks
- repo: https://github.com/ansible/ansible-lint
rev: v24.2.0
rev: v24.6.0
hooks:
- id: ansible-lint
# files: molecule/default/playbook.yml
additional_dependencies:
# On its own ansible-lint does not pull in ansible, only
# ansible-core. Therefore, if an Ansible module lives in
# ansible instead of ansible-core, the linter will complain
# that the module is unknown. In these cases it is
# necessary to add the ansible package itself as an
# additional dependency, with the same pinning as is done in
# requirements-test.txt of cisagov/skeleton-ansible-role.
# - ansible>=9,<10
# ansible-core 2.16.3 through 2.16.6 suffer from the bug
# discussed in ansible/ansible#82702, which breaks any
# symlinked files in vars, tasks, etc. for any Ansible role
# installed via ansible-galaxy. Hence we never want to
# install those versions.
#
# Note that any changes made to this dependency must also be
# made in requirements.txt in cisagov/skeleton-packer and
# requirements-test.txt in cisagov/skeleton-ansible-role.
- ansible-core>=2.16.7

# Terraform hooks
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.88.0
rev: v1.90.0
hooks:
- id: terraform_fmt
- id: terraform_validate
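Review bot: The new `- ansible-core>=2.16.7` additional dependency for ansible-lint has no upper bound, so the lint environment will resolve to whatever ansible-core is newest (2.17, 2.18, …), whereas `requirements.txt` in this same commit constrains `ansible>=8,<10`, which, if I recall the ansible/ansible-core mapping correctly, keeps the actual Packer-time Ansible on the 2.16 series; the linter can then accept or reject syntax that the build run sees differently. Consider `- ansible-core>=2.16.7,<2.17` here, or uncomment the `# - ansible>=9,<10` line so the lint env mirrors the build resolution, and extend the existing comment to say the upper bound is intentional rather than an oversight. The other lines in this section are `rev:` tag bumps; tags are mutable references, which is the accepted trade-off for pre-commit, but it is worth remembering when reading this as a supply-chain change.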
16 changes: 6 additions & 10 deletions requirements.txt
Expand Up @@ -13,19 +13,15 @@
# often breaking changes across major versions. This is the reason
# for the upper bound.
ansible>=8,<10
# TODO: Remove this pin when possible. See
# cisagov/skeleton-packer#312 for more details.
#
# ansible-core 2.16.3 and later suffer from the bug discussed in
# ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in
# ansible/ansible#82702, which breaks any symlinked files in vars,
# tasks, etc. for any Ansible role installed via ansible-galaxy.
# Hence we never want to install those versions.
#
# See also cisagov/skeleton-ansible-role#178 and
# cisagov/skeleton-generic#180. Note from these PRs that any changes
# made to this dependency must also be made in requirements-test.txt
# in cisagov/skeleton-ansible-role and .pre-commit-config.yaml in
# cisagov/skeleton-generic.
ansible-core<2.16.3
# Note that any changes made to this dependency must also be made in
# requirements-test.txt in cisagov/skeleton-ansible-role and
# .pre-commit-config.yaml in cisagov/skeleton-generic.
ansible-core>=2.16.7
boto3
docopt
semver
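Review bot: After this change `ansible>=8,<10` and `ansible-core>=2.16.7` can no longer both be satisfied by an ansible 8.x release, because (as far as I recall) the ansible 8 series pins ansible-core to 2.15.x; the effective lower bound is therefore ansible 9, and the spec documents a range the resolver cannot actually use. Tighten it to `ansible>=9,<10`, which also matches the `ansible>=9,<10` already written in the .pre-commit-config.yaml comment in this commit, and mention in the comment block above that `<10` is what keeps ansible-core on the 2.16 line. Note that `ansible-core>=2.16.7` itself has no upper bound here, so if `ansible` is ever dropped from this file the ceiling on ansible-core disappears silently.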
74 changes: 69 additions & 5 deletions src/packer.pkr.hcl
Expand Up @@ -73,8 +73,22 @@ variable "skip_create_ami" {
type = bool
}

data "amazon-ami" "debian_bookworm" {
# Nessus does not support ARM64 on Debian.
# data "amazon-ami" "debian_bookworm_arm64" {
# filters = {
# architecture = "arm64"
# name = "debian-12-arm64-*"
# root-device-type = "ebs"
# virtualization-type = "hvm"
# }
# most_recent = true
# owners = ["136693071363"]
# region = var.build_region
# }

data "amazon-ami" "debian_bookworm_x86_64" {
filters = {
architecture = "x86_64"
name = "debian-12-amd64-*"
root-device-type = "ebs"
virtualization-type = "hvm"
Expand All @@ -86,7 +100,52 @@ data "amazon-ami" "debian_bookworm" {

locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") }

source "amazon-ebs" "nessus" {
# Nessus does not support ARM64 on Debian.
# source "amazon-ebs" "arm64" {
# ami_name = "nessus-hvm-${local.timestamp}-arm64-ebs"
# ami_regions = var.ami_regions
# associate_public_ip_address = true
# encrypt_boot = true
# instance_type = "t4g.small"
# kms_key_id = var.build_region_kms
# launch_block_device_mappings {
# delete_on_termination = true
# device_name = "/dev/xvda"
# encrypted = true
# volume_size = 8
# volume_type = "gp3"
# }
# region = var.build_region
# region_kms_key_ids = var.region_kms_keys
# skip_create_ami = var.skip_create_ami
# source_ami = data.amazon-ami.debian_bookworm_arm64.id
# ssh_username = "admin"
# subnet_filter {
# filters = {
# "tag:Name" = "AMI Build"
# }
# }
# tags = {
# Application = "Nessus"
# Architecture = "arm64"
# Base_AMI_Name = data.amazon-ami.debian_bookworm_arm64.name
# GitHub_Release_URL = var.release_url
# OS_Version = "Debian Bookworm"
# Pre_Release = var.is_prerelease
# Release = var.release_tag
# Team = "VM Fusion - Development"
# }
# # Many Linux distributions are now disallowing the use of RSA keys,
# # so it makes sense to use an ED25519 key instead.
# temporary_key_pair_type = "ed25519"
# vpc_filter {
# filters = {
# "tag:Name" = "AMI Build"
# }
# }
# }

source "amazon-ebs" "x86_64" {
ami_name = "nessus-hvm-${local.timestamp}-x86_64-ebs"
ami_regions = var.ami_regions
associate_public_ip_address = true
Expand All @@ -103,7 +162,7 @@ source "amazon-ebs" "nessus" {
region = var.build_region
region_kms_key_ids = var.region_kms_keys
skip_create_ami = var.skip_create_ami
source_ami = data.amazon-ami.debian_bookworm.id
source_ami = data.amazon-ami.debian_bookworm_x86_64.id
ssh_username = "admin"
subnet_filter {
filters = {
Expand All @@ -112,7 +171,8 @@ source "amazon-ebs" "nessus" {
}
tags = {
Application = "Nessus"
Base_AMI_Name = data.amazon-ami.debian_bookworm.name
Architecture = "x86_64"
Base_AMI_Name = data.amazon-ami.debian_bookworm_x86_64.name
GitHub_Release_URL = var.release_url
OS_Version = "Debian Bookworm"
Pre_Release = var.is_prerelease
Expand All @@ -130,7 +190,11 @@ source "amazon-ebs" "nessus" {
}

build {
sources = ["source.amazon-ebs.nessus"]
sources = [
# Nessus does not support ARM64 on Debian.
# "source.amazon-ebs.arm64",
"source.amazon-ebs.x86_64",
]

provisioner "ansible" {
playbook_file = "src/upgrade.yml"
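Review bot: The commented-out `data "amazon-ami" "debian_bookworm_arm64"` and `source "amazon-ebs" "arm64"` blocks are a full copy of the live x86_64 configuration, and nothing keeps them in sync: `packer fmt`, `packer validate` and the pre-commit hooks do not see commented HCL, so any later change to the x86_64 source (volume size, KMS settings, tags, subnet/VPC filters) will not be mirrored, and re-enabling arm64 will resurrect stale settings. Either trim the commented block to a short pointer, or put a maintenance comment at its top, e.g. `# NOTE: disabled, not deleted — keep every attribute in sync with source "amazon-ebs" "x86_64" below; review both before uncommenting.`, and reference it from the matrix comment in the workflows. It is good that the AMI lookups pair `most_recent = true` with an explicit `owners` list (visible in the arm64 block; the x86_64 block's `owners` line falls outside the hunk), since a wildcard `name` filter without an owner restriction would let a look-alike public AMI be selected. The `build` block is complete in this section, but the hunk boundaries cut through the x86_64 data and source definitions.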
2 changes: 1 addition & 1 deletion src/version.txt
@@ -1 +1 @@
__version__ = "0.2.1"
__version__ = "0.2.2"