Devel to main release March 23

.ansible-lint

@@ -1,11 +1,21 @@
 parseable: true
 quiet: true
 skip_list:
- - '204'
- - '305'
- - '303'
- - '403'
- - '306'
- - '602'
+ - 'schema'
+ - 'no-changed-when'
+ - 'var-spacing'
+ - 'fqcn-builtins'
+ - 'experimental'
+ - 'name[play]'
+ - 'name[casing]'
+ - 'name[template]'
+ - 'fqcn[action]'
+ - '204'
+ - '305'
+ - '303'
+ - '403'
+ - '306'
+ - '602'
+ - '208'
 use_default_rules: true
 verbosity: 0

.github/workflows/github_networks.tf

@@ -1,11 +1,53 @@
 resource "aws_vpc" "Main" {
  cidr_block = var.main_vpc_cidr
- tags = var.instance_tags
+ instance_tenancy = "default"
+ tags = {
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-VPC"
+ }
 }
 
 resource "aws_internet_gateway" "IGW" {
  vpc_id = aws_vpc.Main.id
  tags = {
+ Environment = "${var.environment}"
  Name = "${var.namespace}-IGW"
  }
 }
+
+resource "aws_subnet" "publicsubnets" {
+ vpc_id = aws_vpc.Main.id
+ cidr_block = var.public_subnets
+ availability_zone = var.availability_zone
+ tags = {
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-pubsub"
+ }
+}
+
+resource "aws_subnet" "Main" {
+ vpc_id = aws_vpc.Main.id
+ availability_zone = var.availability_zone
+ cidr_block = var.private_subnets
+ tags = {
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-prvsub"
+ }
+}
+
+resource "aws_route_table" "PublicRT" {
+ vpc_id = aws_vpc.Main.id
+ route {
+ cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.IGW.id
+ }
+ tags = {
+ Environment = "${var.environment}"
+ Name = "${var.namespace}-publicRT"
+ }
+}
+
+resource "aws_route_table_association" "rt_associate_public" {
+ subnet_id = aws_subnet.Main.id
+ route_table_id = aws_route_table.PublicRT.id
+}

.github/workflows/github_vars.tfvars

@@ -4,9 +4,10 @@
 // 
 
 namespace = "github_actions"
+environment = "lockdown_github_repo_workflow"
 
 // Matching pair name found in AWS for keypairs PEM key
 ami_key_pair_name = "github_actions"
 main_vpc_cidr = "172.22.0.0/24"
 public_subnets = "172.22.0.128/26"
-private_subnets = "172.22.0.192/26"
+private_subnets = "172.22.0.192/26"

.github/workflows/linux_benchmark_testing.yml

@@ -26,12 +26,12 @@ jobs:
  runs-on: ubuntu-latest
 
  steps:
- - uses: actions/first-interaction@v1.1.0
+ - uses: actions/first-interaction@main
  with:
  repo-token: ${{ secrets.GITHUB_TOKEN }}
  pr-message: |-
  Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! 
- Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well.
+ Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
  # This workflow contains a single job called "build"
  build:
  # The type of runner that the job will run on
@@ -44,7 +44,7 @@ jobs:
  steps:
  # Checks-out your repository under $GITHUB_WORKSPACE, 
  # so your job can access it
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
  with:
  ref: ${{ github.event.pull_request.head.sha }}
 
@@ -81,18 +81,9 @@ jobs:
  working-directory: .github/workflows
  run: cat hosts.yml
 
-# Centos 7 images take a while to come up insert sleep or playbook fails
+# Aws deployments taking a while to come up insert sleep or playbook fails
 
- - name: Check if test os is rhel7
- working-directory: .github/workflows
- id: test_os
- run: >-
- echo "::set-output name=RHEL7::$(
- grep -c RHEL7 OS.tfvars
- )"
-
- - name: if RHEL7 - Sleep for 60 seconds
- if: steps.test_os.outputs.RHEL7 >= 1
+ - name: Sleep for 60 seconds
  run: sleep 60s
  shell: bash
 
@@ -117,4 +108,4 @@ jobs:
  env:
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
+ run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false

.github/workflows/main.tf

@@ -5,9 +5,6 @@ provider "aws" {
 
 // Create a security group with access to port 22 and port 80 open to serve HTTP traffic
 
-data "aws_vpc" "default" {
- default = true
-}
 
 resource "random_id" "server" {
  keepers = {
@@ -19,16 +16,16 @@ resource "random_id" "server" {
 }
 
 resource "aws_security_group" "github_actions" {
- name = "${var.namespace}-${random_id.server.hex}"
- vpc_id = data.aws_vpc.default.id
+ name = "${var.namespace}-${random_id.server.hex}-SG"
+ vpc_id = aws_vpc.Main.id
 
  ingress {
  from_port = 22
  to_port = 22
  protocol = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
  }
-
+ 
  ingress {
  from_port = 80
  to_port = 80
@@ -43,30 +40,33 @@ resource "aws_security_group" "github_actions" {
  cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
+ Environment = "${var.environment}"
  Name = "${var.namespace}-SG"
-  }
+ }
 }
 
 // instance setup
 
 resource "aws_instance" "testing_vm" {
  ami = var.ami_id
+ availability_zone = var.availability_zone
  associate_public_ip_address = true
  key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs
  instance_type = var.instance_type
  tags = var.instance_tags
  vpc_security_group_ids = [aws_security_group.github_actions.id]
+ subnet_id = aws_subnet.Main.id
  root_block_device {
- delete_on_termination = true
+  delete_on_termination = true
  }
 }
 
 // generate inventory file
 resource "local_file" "inventory" {
- filename  = "./hosts.yml"
+ filename = "./hosts.yml"
  directory_permission = "0755"
  file_permission = "0644"
- content  = <<EOF
+ content = <<EOF
  # benchmark host
  all:
  hosts:

.github/workflows/update_galaxy.yml

@@ -0,0 +1,20 @@
+---
+
+# This is a basic workflow to help you get started with Actions
+
+name: update galaxy
+
+# Controls when the action will run.
+# Triggers the workflow on merge request events to the main branch
+on:
+ push:
+ branches:
+ - main
+jobs:
+ update_role:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: hspaans/ansible-galaxy-action@master
+ with:
+ api_key: ${{ secrets.GALAXY_API_KEY }}

.github/workflows/variables.tf

@@ -6,6 +6,12 @@ variable "aws_region" {
  type = string
 }
 
+variable "availability_zone" {
+ description = "List of availability zone in the region"
+ default = "us-east-1b"
+ type = string
+}
+
 variable "instance_type" {
  description = "EC2 Instance Type"
  default = "t3.micro"
@@ -29,7 +35,7 @@ variable "ami_os" {
 
 variable "ami_id" {
  description = "AMI ID reference"
- type  = string
+ type = string
 }
 
 variable "ami_username" {
@@ -47,6 +53,11 @@ variable "namespace" {
  type = string
 }
 
+variable "environment" {
+ description = "Env Name used across all tags"
+ type = string
+}
+
 // taken from github_vars.tfvars &
 
 variable "main_vpc_cidr" {
@@ -62,4 +73,4 @@ variable "public_subnets" {
 variable "private_subnets" {
  description = "private subnet cidr block"
  type = string
-}
+}

.yamllint

@@ -2,22 +2,31 @@
 ignore: |
  tests/
  molecule/
+ .github/
  .gitlab-ci.yml
  *molecule.yml
 
 extends: default
 
 rules:
- indentation:
- # Requiring 4 space indentation
- spaces: 4
- # Requiring consistent indentation within a file, either indented or not
- indent-sequences: consistent
- truthy: disable
- braces:
- max-spaces-inside: 1
- level: error
- brackets:
- max-spaces-inside: 1
- level: error
- line-length: disable
+ indentation:
+ # Requiring 4 space indentation
+ spaces: 4
+ # Requiring consistent indentation within a file, either indented or not
+ indent-sequences: consistent
+ #truthy: disable
+ braces:
+ max-spaces-inside: 1
+ level: error
+ brackets:
+ max-spaces-inside: 1
+ level: error
+ line-length: disable
+ key-duplicates: enable
+ new-line-at-end-of-file: enable
+ new-lines:
+ type: unix
+ trailing-spaces: enable
+ truthy:
+ allowed-values: ['true', 'false']
+ check-keys: true