ansible-lockdown
diff --git a/‎.ansible-lint‎
Lines changed: 10 additions & 0 deletions b/‎.ansible-lint‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎.gitattributes‎
Lines changed: 6 additions & 0 deletions b/‎.gitattributes‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/benchmark_tracking_controller.yml‎
Lines changed: 38 additions & 0 deletions b/‎.github/workflows/benchmark_tracking_controller.yml‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎.github/workflows/devel_pipeline_validation.yml‎
Lines changed: 152 additions & 0 deletions b/‎.github/workflows/devel_pipeline_validation.yml‎
Lines changed: 152 additions & 0 deletions
diff --git a/‎.github/workflows/devel_pipeline_validation_gpo.yml‎
Lines changed: 152 additions & 0 deletions b/‎.github/workflows/devel_pipeline_validation_gpo.yml‎
Lines changed: 152 additions & 0 deletions
diff --git a/‎.github/workflows/export_badges_private.yml‎
Lines changed: 27 additions & 0 deletions b/‎.github/workflows/export_badges_private.yml‎
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,10 @@
+---
+
+parseable: true
+quiet: true
+skip_list:
+  - 'package-latest'
+  - 'risky-shell-pipe'
+  - yaml[line-length]
+use_default_rules: true
+verbosity: 0
@@ -0,0 +1,6 @@
+# adding github settings to show correct language
+*.sh linguist-detectable=true
+*.yml linguist-detectable=true
+*.ps1 linguist-detectable=true
+*.j2 linguist-detectable=true
+*.md linguist-documentation
@@ -0,0 +1,38 @@
+---
+
+# GitHub schedules all cron jobs in UTC.
+# This expression will run the job every day at 9 AM Eastern Time during Daylight Saving Time (mid-March to early November).
+# This expression will run the job every day at 8 AM Eastern Time during Standard Time (early November to mid-March).
+
+name: Central Benchmark Orchestrator
+
+on:
+  push:
+    branches:
+      - latest
+  schedule:
+    - cron: '0 13 * * *'  # Runs daily at 9 AM ET
+  workflow_dispatch:
+
+jobs:
+  call-benchmark-tracker:
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == 'latest')
+    name: Start Benchmark Tracker
+    uses: ansible-lockdown/github_windows_IaC/.github/workflows/benchmark_track.yml@self_hosted
+    with:
+      repo_name: ${{ github.repository }}
+    secrets:
+      TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}
+      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
+
+  call-monitor-promotions:
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    name: Monitor Promotions and Auto-Promote
+    uses: ansible-lockdown/github_windows_IaC/.github/workflows/benchmark_promote.yml@self_hosted
+    with:
+      repo_name: ${{ github.repository }}
+    secrets:
+      TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}
+      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
@@ -0,0 +1,152 @@
+---
+
+# This is a basic workflow to help you get started with Actions
+
+name: Ansible Remediate Devel Pipeline Validation
+
+# Controls when the action will run.
+# Triggers the workflow on push or pull request
+# events but only for the devel branch and any branch that contains benchmark in name.
+on:  # yamllint disable-line rule:truthy
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+    branches:
+      - devel
+      - benchmark*
+    paths:
+      - '**.yml'
+      - '**.sh'
+      - '**.j2'
+      - '**.ps1'
+      - '**.cfg'
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+# This section contains all the jobs below that are running in the workflow.
+jobs:
+  # This will create messages for the first time contributors and direct them to the Discord server
+  welcome:
+    # The type of runner that the job will run on.
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/first-interaction@main
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          pr-message: |-
+            Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+            Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+
+  build-azure-windows:
+    # Use the AWS self-hosted runner
+    runs-on: self-hosted
+    env:
+      # Imported as a variable by OpenTofu.
+      ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
+      ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
+      ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
+      WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
+      WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
+      OSVAR: ${{ vars.OSVAR }}
+      TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+      TF_VAR_repository: ${{ github.event.repository.name }}
+      ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
+      ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: .github/workflows/github_windows_IaC
+
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
+      - name: Clone ${{ github.event.repository.name }}
+        uses: actions/checkout@v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: If a variable for IAC_BRANCH is set use that branch
+        working-directory: .github/workflows
+        run: |
+          if [ ${{ vars.IAC_BRANCH }} != '' ]; then
+              echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
+              echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
+          else
+              echo IAC_BRANCH=main >> $GITHUB_ENV
+          fi
+
+      # Pull In OpenTofu Code For Windows Azure
+      - name: Clone IaC Repository
+        uses: actions/checkout@v6.0.2
+        with:
+          repository: ansible-lockdown/github_windows_IaC
+          path: .github/workflows/github_windows_IaC
+          ref: ${{ env.IAC_BRANCH }}
+
+      # Sensitive Data Stored And Passed To OpenTofu
+      # Default Working Dir Defined In Defaults Above.
+      - name: Save Sensitive Info
+        run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json
+
+      # Show the Os Var and Benchmark Type And Load
+      - name: DEBUG - Show IaC files
+        if: env.ENABLE_DEBUG == 'true'
+        run: |
+          echo "OSVAR = $OSVAR"
+          echo "benchmark_type = $benchmark_type"
+          pwd
+          ls
+        env:
+          # Imported from github variables this is used to load the relevant OS.tfvars file
+          OSVAR: ${{ vars.OSVAR }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+      # Initialize The OpenTofu Working Directory
+      - name: Tofu init
+        id: init
+        run: tofu init
+        env:
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          OSVAR: ${{ vars.OSVAR }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+      # Validate The Syntax Of OpenTofu Files
+      - name: Tofu validate
+        id: validate
+        run: tofu validate
+        env:
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          OSVAR: ${{ vars.OSVAR }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+      # Execute The Actions And Build Azure Server
+      - name: Tofo Apply
+        id: apply
+        env:
+          # Imported from github variables this is used to load the relevant OS.tfvars file
+          WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
+          WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
+          OSVAR: ${{ vars.OSVAR }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+        run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+
+      # Debug Section
+      - name: DEBUG - Show Ansible Hostfile
+        if: env.ENABLE_DEBUG == 'true'
+        run: cat hosts.yml
+
+      # Run the Ansible Playbook
+      - name: Run_Ansible_Playbook
+        env:
+          ANSIBLE_HOST_KEY_CHECKING: "false"
+          ANSIBLE_DEPRECATION_WARNINGS: "false"
+        run: |
+          /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml ../../../site.yml
+
+      # Destroy The Azure Test System
+      - name: Tofu Destroy
+        if: always() && env.ENABLE_DEBUG == 'false'
+        env:
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          OSVAR: ${{ vars.OSVAR }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+        run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve
@@ -0,0 +1,152 @@
+---
+
+# This is a basic workflow to help you get started with Actions
+
+name: GPO Devel Pipeline Validation
+
+# Controls when the action will run.
+# Triggers the workflow on push or pull request
+# events but only for the devel branch and any branch that contains benchmark in name.
+on:  # yamllint disable-line rule:truthy
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+    branches:
+      - devel
+      - benchmark*
+    paths:
+      - '**.yml'
+      - '**.sh'
+      - '**.j2'
+      - '**.ps1'
+      - '**.cfg'
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+# This section contains all the jobs below that are running in the workflow.
+jobs:
+  # This will create messages for the first time contributors and direct them to the Discord server
+  welcome:
+    # The type of runner that the job will run on.
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/first-interaction@main
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          pr-message: |-
+            Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+            Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+
+  build-azure-windows-gpo:
+    # Use the AWS self-hosted runner
+    runs-on: self-hosted
+    env:
+      # Imported as a variable by OpenTofu.
+      ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
+      ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
+      ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
+      WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
+      WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
+      GPO_OSVAR: ${{ vars.GPO_OSVAR }}
+      TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+      TF_VAR_repository: ${{ github.event.repository.name }}
+      ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
+      ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: .github/workflows/github_windows_IaC
+
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
+      - name: Clone ${{ github.event.repository.name }}
+        uses: actions/checkout@v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: If a variable for IAC_BRANCH is set use that branch
+        working-directory: .github/workflows
+        run: |
+          if [ ${{ vars.IAC_BRANCH }} != '' ]; then
+              echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
+              echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
+          else
+              echo IAC_BRANCH=main >> $GITHUB_ENV
+          fi
+
+      # Pull In OpenTofu Code For Windows Azure
+      - name: Clone IaC Repository
+        uses: actions/checkout@v6.0.2
+        with:
+          repository: ansible-lockdown/github_windows_IaC
+          path: .github/workflows/github_windows_IaC
+          ref: ${{ env.IAC_BRANCH }}
+
+      # Sensitive Data Stored And Passed To OpenTofu
+      # Default Working Dir Defined In Defaults Above.
+      - name: Save Sensitive Info
+        run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json
+
+      # Show the Os Var and Benchmark Type And Load
+      - name: DEBUG - Show IaC files
+        if: env.ENABLE_DEBUG == 'true'
+        run: |
+          echo "GPO_OSVAR = $GPO_OSVAR"
+          echo "benchmark_type = $benchmark_type"
+          pwd
+          ls
+        env:
+          # Imported from github variables this is used to load the relevant OS.tfvars file
+          GPO_OSVAR: ${{ vars.GPO_OSVAR }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+      # Initialize The OpenTofu Working Directory
+      - name: Tofu init
+        id: init
+        run: tofu init
+        env:
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          GPO_OSVAR: ${{ vars.GPO_OSVAR }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+      # Validate The Syntax Of OpenTofu Files
+      - name: Tofu validate
+        id: validate
+        run: tofu validate
+        env:
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          GPO_OSVAR: ${{ vars.GPO_OSVAR }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+      # Execute The Actions And Build Azure Server
+      - name: Tofo Apply
+        id: apply
+        env:
+          # Imported from github variables this is used to load the relevant OS.tfvars file
+          WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
+          WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
+          OSVAR: ${{ vars.OSVAR }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+        run: tofu apply -var-file "${GPO_OSVAR}.tfvars" --auto-approve -input=false
+
+      # Debug Section
+      - name: DEBUG - Show Ansible Hostfile
+        if: env.ENABLE_DEBUG == 'true'
+        run: cat hosts.yml
+
+      # Run the Ansible Playbook
+      - name: Run_Ansible_Playbook
+        env:
+          ANSIBLE_HOST_KEY_CHECKING: "false"
+          ANSIBLE_DEPRECATION_WARNINGS: "false"
+        run: |
+          /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml ../../../site.yml
+
+      # Destroy The Azure Test System
+      - name: Tofu Destroy
+        if: always() && env.ENABLE_DEBUG == 'false'
+        env:
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          GPO_OSVAR: ${{ vars.GPO_OSVAR }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+        run: tofu destroy -var-file "${GPO_OSVAR}.tfvars" --auto-approve
@@ -0,0 +1,27 @@
+---
+
+name: Export Private Repo Badges
+
+# Use different minute offsets with the same hourly pattern:
+# Repo Group Suggested Cron Expression Explanation
+# Group A 0 */6 * * * Starts at top of hour
+# Group B 10 */6 * * * Starts art 10 after
+# And So On
+
+on:
+  push:
+    branches:
+      - latest
+  schedule:
+    - cron: '0 */6 * * *'
+  workflow_dispatch:
+
+jobs:
+  export-badges:
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'schedule' && startsWith(github.repository, 'ansible-lockdown/Private-')) || (github.event_name == 'push' && github.ref_name == 'latest')
+    uses: ansible-lockdown/github_windows_IaC/.github/workflows/export_badges_private.yml@self_hosted
+    with:
+      # Full org/repo path passed for GitHub API calls (e.g., ansible-lockdown/Private-Windows-2016-CIS)
+      repo_name: ${{ github.repository }}
+    secrets:
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}