cisagov · jsf9k · Mar 5, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026
@@ -181,14 +181,17 @@ jobs:
           PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
         run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       # TODO: https://github.com/cisagov/skeleton-generic/issues/165
-      # We are temporarily using a branch of @mcdonnnj's fork of terraform-docs that
-      # groups changes from his PRs until they are approved and merged:
+      # We are temporarily using the cisagov branch of @mcdonnnj's
+      # fork of terraform-docs that groups changes from his PRs until
+      # they are approved and merged:
       # https://github.com/terraform-docs/terraform-docs/pull/745
       # https://github.com/terraform-docs/terraform-docs/pull/901
-      # This temporary fix will allow for ATX header support when terraform-docs is run
-      # during linting and output delimiter rows with cell spacing that passes
+      #
+      # This temporary fix (via the cisagov branch) allows for ATX
+      # header support when terraform-docs is run during linting and
+      # outputs delimiter rows with cell spacing that passes
       # Markdownlint's MD060/table-column-style rule.
-      - name: Clone ATX headers branch from terraform-docs fork
+      - name: Clone cisagov branch from terraform-docs fork
         run: |
           git clone \
            --branch $TERRAFORM_DOCS_REPO_BRANCH_NAME \
@@ -205,7 +208,13 @@ jobs:
           python -m pip install --upgrade pip setuptools
           pip install --upgrade --requirement requirements-test.txt
       - name: Install Ansible roles
-        run: ansible-galaxy install --force --role-file ansible/requirements.yml
+        run: >-
+          ansible-galaxy role install --force
+          --role-file ansible/requirements.yml
+      - name: Install Ansible collections
+        run: >-
+          ansible-galaxy collection install --force
+          --requirements-file ansible/requirements.yml
       # This must happen before pre-commit is run or the Packer format
       # linter will throw an error.
       - name: Install Packer plugins

@@ -1,5 +1,22 @@
 ---
 collections:
+  # Required by the following Ansible roles:
+  # - ansible-role-cdm-nessus-agent (uses amazon.aws.s3_object)
+  # - ansible-role-crowdstrike (uses amazon.aws.s3_object)
+  - amazon.aws
+  # Required by the following Ansible roles:
+  # - ansible-role-amazon-ssm-agent (uses community.general.snap)
+  # - ansible-role-automated-security-updates (uses community.general.ini_file)
+  # - ansible-role-cloudwatch-agent (uses community.general.ini_file)
+  # - ansible-role-hardening-2 (uses community.general.modprobe and
+  #   community.general.ufw)
+  # - ansible-role-persist-journald (uses community.general.ini_file)
+  # - ansible-role-systemd-resolved (uses community.general.ini_file)
+  # - ansible-role-ufw (uses community.general.ufw)
+  #
+  # Also required by the following playbooks:
+  # - ansible/cdm.yml (uses community.general.ufw)
+  # - ansible/ufw.yml (uses community.general.ufw)
   - community.general
 roles:
   - name: amazon_ssm_agent

@@ -13,8 +13,11 @@ ansible>=10,<11
 # requirements-test.txt in cisagov/skeleton-ansible-role and
 # .pre-commit-config.yaml in cisagov/skeleton-generic.
 ansible-core>=2.17.7
-# Required because we are using the amazon.aws.aws_ssm Ansible lookup
-# plugin to pull a parameter value from AWS Parameter Store.
+# Required because we are using the amazon.aws.s3_object Ansible module
+# in our Ansible code in the following roles:
+# - ansible-role-cdm-nessus-agent (uses amazon.aws.s3_object)
+# - ansible-role-crowdstrike (uses amazon.aws.s3_object)
+# https://docs.ansible.com/projects/ansible/latest/collections/amazon/aws/s3_object_module.html
 boto3
 # The bump-version script requires at least version 3 of semver.
 semver>=3