From d0204393607ec61f35189d5e217e63635f505bd8 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 14 Nov 2022 13:26:57 -0500
Subject: [PATCH 1/4] Remove Debian Buster-specific leftovers

There are some leftover configuration elements that should be removed since this configuration now uses Debian Bullseye. These are specifically for using cisagov/ansible-role-backports and installing python3-botocore from Buster Backports.
---
 src/aws.yml | 16 ----------------
 src/requirements.yml | 2 --
 2 files changed, 18 deletions(-)

diff --git a/src/aws.yml b/src/aws.yml
index 2075473..cdd214c 100644
--- a/src/aws.yml
+++ b/src/aws.yml
@@ -6,24 +6,8 @@
   roles:
     - amazon_efs_utils
     - amazon_ssm_agent
-    # This is for the python3-botocore task below
-    - backports
     - chrony_aws
     - cloudwatch_agent
     # The instance types used for almost all the instances expose EBS
     # volumes as NVMe block devices, so that's why we need nvme here.
     - nvme
-  tasks:
-    # The version of python3-botocore in Debian Buster is too old to
-    # support IMDSv2. I was able to get a more recent version
-    # published to buster-backports that does support IMDSv2, so we
-    # should use that.
-    - name: Install python3-botocore from buster-backports for Debian Buster
-      ansible.builtin.apt:
-        default_release: buster-backports
-        name:
-          - python3-botocore
-        state: latest
-      when:
-        - ansible_distribution == "Debian"
-        - ansible_distribution_release == "buster"
diff --git a/src/requirements.yml b/src/requirements.yml
index 6ed3c79..e16eb0a 100644
--- a/src/requirements.yml
+++ b/src/requirements.yml
@@ -5,8 +5,6 @@
   name: amazon_ssm_agent
 - src: https://github.com/cisagov/ansible-role-automated-security-updates
   name: automated_security_updates
-- src: https://github.com/cisagov/ansible-role-backports
-  name: backports
 - src: https://github.com/cisagov/ansible-role-banner
   name: banner
 - src: https://github.com/cisagov/ansible-role-chrony-aws
From b0a7680388f2e4dd57df3771c733548ee8dca0b0 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 24 Nov 2022 11:37:00 -0500
Subject: [PATCH 2/4] Set use_proxy to false for Ansible provisioners

This fixes our cisagov/*-packer builds, which have all been failing recently now that Ubuntu 22.04 is the default for GitHub Actions' runners. See, for example, this failing build: https://github.com/cisagov/samba-packer/actions/runs/3534584325 and this successful build: https://github.com/cisagov/samba-packer/actions/runs/3541656743 The proxy uses an RSA key, which the newer version of OpenSSL in GitHub Actions' Ubuntu 22.04 runner host now rejects as insecure. Note that this same change was already made in cisagov/cyhy-amis#441. It is also worth noting that use_proxy = false is the default setting for Ansible; Packer explicitly overrides this default.
---
 src/packer.pkr.hcl | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/packer.pkr.hcl b/src/packer.pkr.hcl
index 71d6ada..d3727ca 100644
--- a/src/packer.pkr.hcl
+++ b/src/packer.pkr.hcl
@@ -114,17 +114,20 @@ build {
 
   provisioner "ansible" {
     playbook_file = "src/upgrade.yml"
+    use_proxy = false
     use_sftp = true
   }
 
   provisioner "ansible" {
     playbook_file = "src/python.yml"
+    use_proxy = false
     use_sftp = true
   }
 
   provisioner "ansible" {
     ansible_env_vars = ["AWS_DEFAULT_REGION=${var.build_region}"]
     playbook_file = "src/playbook.yml"
+    use_proxy = false
     use_sftp = true
   }
 

From 2fa19ff7e4a437c6b38c3570d17c5ff629227b12 Mon Sep 17 00:00:00 2001
From: dav3r
Date: Wed, 16 Nov 2022 14:33:17 -0500
Subject: [PATCH 3/4] Add wildcard to .tfvars in .gitignore

This ensures that .tfvars files in subdirectories are also ignored by git.
---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 239f171..1f58245 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,4 +17,4 @@ dist
 ## Terraform ##
 .terraform
 .terraform.lock.hcl
-.tfvars
+*.tfvars
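Review bot: The reason for `use_proxy = false` exists only in the commit message; the three provisioner blocks in this hunk give a later reader no hint why Packer's default SSH proxy is switched off, so a comment above the first one would help, e.g. `# Packer's SSH proxy presents an RSA key that newer OpenSSL (Ubuntu 22.04 runners) rejects; let Ansible connect to the instance directly.` With the proxy off, Ansible opens its own SSH session to the build instance, so the SSH and host-key settings Packer injects through the environment now govern that connection directly; it is worth confirming that the explicit `ansible_env_vars` on the third provisioner does not drop a default Packer would otherwise supply (how Packer merges them cannot be told from the hunk). The enclosing `build {` block starts and ends outside the hunk.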
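Review bot: Widening `.tfvars` to `*.tfvars` only prevents git from picking up new files; any `.tfvars` that was committed before this change stays tracked and keeps receiving updates, which matters because these files commonly carry credentials and account-specific values. A one-time check with `git ls-files '*.tfvars'`, followed by `git rm --cached` on anything it lists, is needed before the ignore rule can be relied on.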
From 8be21b27a5483266e178e5e149ee7395334d4787 Mon Sep 17 00:00:00 2001
From: dav3r
Date: Mon, 28 Nov 2022 14:17:42 -0500
Subject: [PATCH 4/4] Align .gitignore with cisagov/skeleton-tf-module

Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitignore b/.gitignore
index 1f58245..ae01225 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,4 +17,6 @@ dist
 ## Terraform ##
 .terraform
 .terraform.lock.hcl
+terraform.tfstate
+terraform.tfstate.backup
 *.tfvars
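Review bot: `terraform.tfstate` and `terraform.tfstate.backup` match at any directory depth, but state written under a non-default name (the `-state=` option) or kept per-workspace under `terraform.tfstate.d/` is not covered by either pattern. Since state files can hold resource attributes and outputs in plaintext, `*.tfstate` and `*.tfstate.*` would close that gap with two lines; if matching cisagov/skeleton-tf-module exactly is the goal, the same gap exists upstream and is worth raising there.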