Merge pull request #90 from ansible-lockdown/devel

April 26 updates

Author: uk-bolly

.github/workflows/devel_pipeline_validation.yml

@@ -1,162 +1,163 @@
 ---
 
-  name: Devel pipeline
-
-  on: # yamllint disable-line rule:truthy
-    pull_request_target:
-      types: [opened, reopened, synchronize]
-      branches:
-        - devel
-        - benchmark*
-      paths:
-        - '**.yml'
-        - '**.sh'
-        - '**.j2'
-        - '**.ps1'
-        - '**.cfg'
-    # Allow manual running of workflow
-    workflow_dispatch:
-
-  # A workflow run is made up of one or more jobs
-  # that can run sequentially or in parallel
-  jobs:
-    # This will create messages for first time contributers and direct them to the Discord server
-    welcome:
-      runs-on: ubuntu-latest
-
-      permissions:
-        issues: write
-        pull-requests: write
-
-      steps:
-        - uses: actions/first-interaction@main
-          with:
-            repo_token: ${{ secrets.GITHUB_TOKEN }}
-            issue_message: |-
-                Congrats on opening your first issue and thank you for taking the time to help improve Ansible-Lockdown!
-                Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
-            pr_message: |-
-                Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
-
-    # This workflow contains a single job that tests the playbook
-    playbook-test:
-      # The type of runner that the job will run on
-      runs-on: self-hosted
-
-      # Allow permissions for AWS auth
-      permissions:
-        id-token: write
-        contents: read
-        pull-requests: read
-
-      env:
-        ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
-        # Imported as a variable by terraform
-        TF_VAR_repository: ${{ github.event.repository.name }}
-        AWS_REGION: "us-east-1"
-        ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
-      defaults:
-        run:
-          shell: bash
-          working-directory: .github/workflows/github_linux_IaC
-          # working-directory: .github/workflows
-
-      steps:
-
-        - name: Git clone the lockdown repository to test
-          uses: actions/checkout@v4
-          with:
-            ref: ${{ github.event.pull_request.head.sha }}
-
-        - name: If a variable for IAC_BRANCH is set use that branch
-          working-directory: .github/workflows
-          run: |
-            if [ ${{ vars.IAC_BRANCH }} != '' ]; then
-                echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
-                echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
-            else
-                echo IAC_BRANCH=main >> $GITHUB_ENV
-            fi
-
-        # Pull in terraform code for linux servers
-        - name: Clone GitHub IaC plan
-          uses: actions/checkout@v4
-          with:
-            repository: ansible-lockdown/github_linux_IaC
-            path: .github/workflows/github_linux_IaC
-            ref: ${{ env.IAC_BRANCH }}
-
-        # Uses dedicated restricted role and policy to enable this only for this task
-        # No credentials are part of github for AWS auth
-        - name: configure aws credentials
-          uses: aws-actions/configure-aws-credentials@main
-          with:
-            role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
-            role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
-            aws-region: ${{ env.AWS_REGION }}
-
-        - name: DEBUG - Show IaC files
-          if: env.ENABLE_DEBUG == 'true'
-          run: |
-            echo "OSVAR = $OSVAR"
-            echo "benchmark_type = $benchmark_type"
-            pwd
-          env:
-            # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-            OSVAR: ${{ vars.OSVAR }}
-            benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-
-        - name: Tofu init
-          id: init
-          run: tofu init
-          env:
-            # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-            OSVAR: ${{ vars.OSVAR }}
-            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-
-        - name: Tofu validate
-          id: validate
-          run: tofu validate
-          env:
-            # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-            OSVAR: ${{ vars.OSVAR }}
-            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-
-        - name: Tofu apply
-          id: apply
-          env:
-            OSVAR: ${{ vars.OSVAR }}
-            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-            TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
-            TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
-          run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+name: Devel pipeline
+
+on: # yamllint disable-line rule:truthy
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+    branches:
+      - devel
+      - benchmark*
+    paths:
+      - '**.yml'
+      - '**.sh'
+      - '**.j2'
+      - '**.ps1'
+      - '**.cfg'
+  # Allow manual running of workflow
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs
+# that can run sequentially or in parallel
+jobs:
+  # This will create messages for first time contributers and direct them to the Discord server
+  welcome:
+    runs-on: ubuntu-latest
+
+    permissions:
+      issues: write
+      pull-requests: write
+
+    steps:
+      - uses: actions/first-interaction@main
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          issue_message: |-
+              Congrats on opening your first issue and thank you for taking the time to help improve Ansible-Lockdown!
+              Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+          pr_message: |-
+              Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+              Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+
+  # This workflow contains a single job that tests the playbook
+  playbook-test:
+    # The type of runner that the job will run on
+    runs-on: self-hosted
+
+    # Allow permissions for AWS auth
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+
+    env:
+      ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+      # Imported as a variable by terraform
+      TF_VAR_repository: ${{ github.event.repository.name }}
+      AWS_REGION: "us-east-1"
+      ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
+    defaults:
+      run:
+        shell: bash
+        working-directory: .github/workflows/github_linux_IaC
+        # working-directory: .github/workflows
+
+    steps:
+
+      - name: Git clone the lockdown repository to test
+        uses: actions/checkout@v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: If a variable for IAC_BRANCH is set use that branch
+        working-directory: .github/workflows
+        run: |
+          if [ ${{ vars.IAC_BRANCH }} != '' ]; then
+              echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
+              echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
+          else
+              echo IAC_BRANCH=main >> $GITHUB_ENV
+          fi
+
+      # Pull in terraform code for linux servers
+      - name: Clone GitHub IaC plan
+        uses: actions/checkout@v6.0.2
+        with:
+          repository: ansible-lockdown/github_linux_IaC
+          path: .github/workflows/github_linux_IaC
+          ref: ${{ env.IAC_BRANCH }}
+
+      # Uses dedicated restricted role and policy to enable this only for this task
+      # No credentials are part of github for AWS auth
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@main
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: DEBUG - Show IaC files
+        if: env.ENABLE_DEBUG == 'true'
+        run: |
+          echo "OSVAR = $OSVAR"
+          echo "benchmark_type = $benchmark_type"
+          pwd
+        env:
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          OSVAR: ${{ vars.OSVAR }}
+          benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+      - name: Tofu init
+        id: init
+        run: tofu init
+        env:
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          OSVAR: ${{ vars.OSVAR }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+      - name: Tofu validate
+        id: validate
+        run: tofu validate
+        env:
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          OSVAR: ${{ vars.OSVAR }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+      - name: Tofu apply
+        id: apply
+        env:
+          OSVAR: ${{ vars.OSVAR }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          TF_VAR_ansible_version: ${{ vars.ANSIBLE_RUNNER_VERSION }}
+          TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+          TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+        run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
 
 ## Debug Section
-        - name: DEBUG - Show Ansible hostfile
-          if: env.ENABLE_DEBUG == 'true'
-          run: cat hosts.yml
-
-  # Aws deployments taking a while to come up insert sleep or playbook fails
-
-        - name: Sleep to allow system to come up
-          run: sleep ${{ vars.BUILD_SLEEPTIME }}
-
-      # Run the Ansible playbook
-        - name: Run_Ansible_Playbook
-          env:
-            ANSIBLE_HOST_KEY_CHECKING: "false"
-            ANSIBLE_DEPRECATION_WARNINGS: "false"
-          run: |
-            /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
-
-      # Remove test system - User secrets to keep if necessary
-
-        - name: Tofu Destroy
-          if: always() && env.ENABLE_DEBUG == 'false'
-          env:
-            OSVAR: ${{ vars.OSVAR }}
-            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-            TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
-            TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
-          run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+      - name: DEBUG - Show Ansible hostfile
+        if: env.ENABLE_DEBUG == 'true'
+        run: cat hosts.yml
+
+# Aws deployments taking a while to come up insert sleep or playbook fails
+
+      - name: Sleep to allow system to come up
+        run: sleep ${{ vars.BUILD_SLEEPTIME }}
+
+    # Run the Ansible playbook
+      - name: Run_Ansible_Playbook
+        env:
+          ANSIBLE_HOST_KEY_CHECKING: "false"
+          ANSIBLE_DEPRECATION_WARNINGS: "false"
+        run: |
+          /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
+
+    # Remove test system - User secrets to keep if necessary
+
+      - name: Tofu Destroy
+        if: always() && env.ENABLE_DEBUG == 'false'
+        env:
+          OSVAR: ${{ vars.OSVAR }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+          TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+        run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false

.github/workflows/export_badges_private.yml

@@ -2,7 +2,6 @@
 
 name: Export Private Repo Badges
 
-
 on:
   push:
     branches: