initial

Signed-off-by: Mark Bolwell <[email protected]>

Author: uk-bolly

.gitignore

@@ -0,0 +1,68 @@
+.env
+*.log
+*.retry
+.vagrant
+tests/*redhat-subscription
+tests/Dockerfile
+*.iso
+*.box
+packer_cache
+delete*
+ignore*
+.cache
+# VSCode
+.vscode
+.github/*
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+.output-mpg
+
+# DS_Store
+.DS_Store
+._*
+
+# Linux Editors
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+.elc
+auto-save-list
+tramp
+.\#*
+*.swp
+*.swo
+rh-creds.env
+travis.env
+
+# Lockdown-specific
+benchparse/
+*xccdf.xml
+*.retry
+test_inv
+
+# refactr workflow gitignore
+.github/workflow/
+
+# GitHub Issue and PR Templates
+.github/ISSUE_TEMPLATE
+.github/pull_request_template.md
+
+# terraform
+.terraform/
+.terraform.local.hcl
+.terraform*
+terraform.tfstate*
+hosts.yml
+
+*_key
+*.pub
+
+# Ignore dynamic inventory
+AWS_config/inventory.yml
+
+# ignore roles for repo
+playbooks/roles/awx_*/
+playbooks/roles/ansible_*/

AMAZON2.tfvars

@@ -0,0 +1,6 @@
+# Amazon Linux 2
+ami_id        = "ami-03e0b06f01d45a4eb"
+ami_os        = "AmazonLinux2"
+ami_username  = "ec2-user"
+ami_user_home = "/home/ec2-user"
+benchmark_os  = "Amazon2"

README.md

@@ -0,0 +1,42 @@
+# Github linux IaC
+
+terraform workflow files for use with the LE linux based pipelines
+
+## Requirements
+
+Each repo needs to have the following variables set
+repository variables required - settings/actions/variables
+
+- OSVARS = OS TYPE for benchmark
+- Benchmark_type = Type of benchmark (CIS or STIG)
+
+eg.
+
+```shell
+OSVARS RHEL9
+BENCHMARK_TYPE CIS
+```
+
+## Overview
+
+This is called by the repository workflow to pull in this content.
+This enables us to manage the workflow and IAC centrally, enabling us to quickly change anything for improvements of issues with a certain region.
+
+```mermaid
+A[Benchmark Pipeline] -->|Starts the github workflow|B[Loads linux_benchmark_testing]
+    B --> C[Imports variables set in repo]
+    C --> D[STEP - Welcome Message]
+    D --> E[Sends welcome if first PR and invite to discord]
+    C --> F[STEP - Build testing pipeline]
+    F --> G[Starts runner based on ubuntu latest]
+    G --> H[Imports Variables for usage across workflow]
+    H --> I[Git Clone in repo and source branch PR is requested from]
+    I --> J[Git Clone this content for IaC portion of pipeline]
+    J --> K[creates a local key to be used - Secret]
+    K --> L[Runs terraform steps]
+    L -->|terraform init|M[Initiates terraform]
+    M -->|terraform validate|N[Validates config]
+    N -->|terraform apply|O[Runs terraform and sets up host]
+    O -->|sleep 60 seconds|P[If Debug variable set output ansible hosts]
+    P --> Q[Runs ansible playbook] --> |terraform destroy|R[Destroys all the IaC config]
+```

RHEL7.tfvars

@@ -0,0 +1,7 @@
+#Ami  centos 7.11
+ami_id        = "ami-00e87074e52e6c9f9"
+ami_os        = "centos7"
+ami_username  = "centos"
+ami_user_home = "/home/centos"
+benchmark_os  = "RHEL7"
+

RHEL8.tfvars

@@ -0,0 +1,6 @@
+#Ami Rocky 85
+ami_id        = "ami-043ceee68871e0bb5"
+ami_os        = "rocky8"
+ami_username  = "rocky"
+ami_user_home = "/home/rocky"
+benchmark_os  = "RHEL8"

RHEL9.tfvars

@@ -0,0 +1,6 @@
+#Ami Alma 9.2
+ami_id        = "ami-06bc84fafec254e1d"
+ami_os        = "rhel9"
+ami_username  = "ec2-user"
+ami_user_home = "/home/ec2-user"
+benchmark_os  = "RHEL9"

UBUNTU18.tfvars

@@ -0,0 +1,6 @@
+#Ami ubuntu1804
+ami_id        = "ami-0d9b9c46fcdf2864f"
+ami_os        = "ubuntu18"
+ami_username  = "ubuntu"
+ami_user_home = "/home/ubuntu"
+benchmark_os  = "UBUNTU18"

UBUNTU20.tfvars

@@ -0,0 +1,6 @@
+#Ami ubuntu 2004 
+ami_id        = "ami-05fe5907b25984493"
+ami_os        = "ubuntu20"
+ami_username  = "ubuntu"
+ami_user_home = "/home/ubuntu"
+benchmark_os  = "UBUNTU20"

UBUNTU22.tfvars

@@ -0,0 +1,6 @@
+#Ami ubuntu 2204 
+ami_id        = "ami-051dcca84f1edfff1"
+ami_os        = "ubuntu22"
+ami_username  = "ubuntu"
+ami_user_home = "/home/ubuntu"
+benchmark_os  = "UBUNTU22"

github_networks.tf

@@ -0,0 +1,53 @@
+resource "aws_vpc" "Main" {
+  cidr_block       = var.main_vpc_cidr
+  instance_tenancy = "default"
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-VPC"
+  }
+}
+
+resource "aws_internet_gateway" "IGW" {
+  vpc_id = aws_vpc.Main.id
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-IGW"
+  }
+}
+
+resource "aws_subnet" "publicsubnets" {
+  vpc_id            = aws_vpc.Main.id
+  cidr_block        = var.public_subnets
+  availability_zone = var.availability_zone
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-pubsub"
+  }
+}
+
+resource "aws_subnet" "Main" {
+  vpc_id            = aws_vpc.Main.id
+  cidr_block        = var.private_subnets
+  availability_zone = var.availability_zone
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-prvsub"
+  }
+}
+
+resource "aws_route_table" "PublicRT" {
+  vpc_id = aws_vpc.Main.id
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.IGW.id
+  }
+  tags = {
+    Environment = "${var.environment}"
+    Name        = "${var.namespace}-publicRT"
+  }
+}
+
+resource "aws_route_table_association" "rt_associate_public" {
+  subnet_id      = aws_subnet.Main.id
+  route_table_id = aws_route_table.PublicRT.id
+}

github_vars.tfvars

@@ -0,0 +1,13 @@
+// github_actions variables
+// Resourced in github_networks.tf
+// Declared in variables.tf
+// 
+
+namespace = "Lockdown_enterprise_workflow"
+
+// Matching pair name found in AWS for keypairs PEM key
+ami_key_pair_name = "github_actions"
+private_key       = ".ssh/github_actions.pem"
+main_vpc_cidr     = "172.22.0.0/24"
+public_subnets    = "172.22.0.128/26"
+private_subnets   = "172.22.0.192/26"

linux_benchmark_testing.yml

@@ -0,0 +1,127 @@
+# This is a basic workflow to help you get started with Actions
+
+name: linux_benchmark_pipeline
+
+# Controls when the action will run.
+# Triggers the workflow on push or pull request
+# events but only for the devel branch
+on: # yamllint disable-line rule:truthy
+    pull_request_target:
+        types: [opened, reopened, synchronize]
+        branches:
+            - devel
+            - main
+        paths:
+            - '**.yml'
+            - '**.sh'
+            - '**.j2'
+            - '**.ps1'
+            - '**.cfg'
+
+# A workflow run is made up of one or more jobs
+# that can run sequentially or in parallel
+jobs:
+  # This will create messages for first time contributers and direct them to the Discord server
+    welcome:
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/first-interaction@main
+              with:
+                  repo-token: ${{ secrets.GITHUB_TOKEN }}
+                  pr-message: |-
+                      Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+                      Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+      # This workflow contains a single job called "build"
+    build:
+      # The type of runner that the job will run on
+        runs-on: ubuntu-latest
+        defaults:
+          run:
+            shell: bash
+            working-directory: .github/workflows/github_linux_IaC
+
+        env:
+            ENABLE_DEBUG: false
+            # Imported as a variable by terraform
+            TF_VAR_repository: ${{ github.event.repository.name }}
+            # Imported from github variables this is used to load the relvent OS.tfvars file
+            OSVAR: ${{ env.OSVAR }}
+            BENCHMARK_TYPE: ${{ env.BENCHMARK_TYPE }}
+
+        # Steps represent a sequence of tasks that will be executed as part of the job
+        steps:
+          # Checks-out your repository under $GITHUB_WORKSPACE,
+          # so your job can access it
+            - name: Clone ${{ github.event.repository.name }}
+              uses: actions/checkout@v3
+              with:
+                  ref: ${{ github.event.pull_request.head.sha }}
+
+          # Pull in terraform code for linux servers
+            - name: Clone github IaC plan
+              uses: actions/checkout@v3
+              with:
+                respository: ansible-lockdown/github_linux_IaC
+                path: github_linux_IaC
+
+            - name: Add_ssh_key
+              working-directory: .github/workflows
+              env:
+                  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+                  PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+              run: |
+                mkdir .ssh
+                chmod 700 .ssh
+                echo $PRIVATE_KEY > .ssh/github_actions.pem
+                chmod 600 .ssh/github_actions.pem
+
+### Build out the server
+
+            - name: Terraform_Init
+              id: init
+              run: terraform init
+
+            - name: Terraform_Validate
+              id: validate
+              run: terraform validate
+
+            - name: Terraform_Apply
+              id: apply
+              env:
+                  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+              run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+
+      ## Debug Section
+            - name: DEBUG - Show Ansible hostfile
+              if: env.ENABLE_DEBUG == 'true'
+              run: cat hosts.yml
+
+      # Aws deployments taking a while to come up insert sleep or playbook fails
+
+            - name: Sleep for 60 seconds
+              run: sleep 60s
+              shell: bash
+
+      # Run the ansible playbook
+            - name: Run_Ansible_Playbook
+              uses: arillso/action.playbook@master
+              with:
+                  playbook: site.yml
+                  inventory: .github/workflows/github_IaC/hosts.yml
+                  galaxy_file: collections/requirements.yml
+                  private_key: ${{ secrets.SSH_PRV_KEY }}
+        #          verbose: 3
+              env:
+                  ANSIBLE_HOST_KEY_CHECKING: "false"
+                  ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+      # Remove test system - User secrets to keep if necessary
+
+            - name: Terraform_Destroy
+              if: always() && env.ENABLE_DEBUG == 'false'
+              env:
+                  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+              run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false