ansible-lockdown · mfortin · Feb 2, 2024 · Feb 12, 2024 · Feb 12, 2024 · Feb 12, 2024
diff --git a/.ansible-lint b/.ansible-lint
@@ -4,12 +4,11 @@ skip_list:
     - 'schema'
     - 'no-changed-when'
     - 'var-spacing'
-    - 'fqcn-builtins'
     - 'experimental'
     - 'name[play]'
     - 'name[casing]'
     - 'name[template]'
-    - 'fqcn[action]'
+    - 'key-order[task]'
     - '204'
     - '305'
     - '303'

diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars
diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf
diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml
@@ -33,21 +33,34 @@ jobs:
                       Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
                       Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
     # This workflow contains a single job called "build"
-    build:
+    playbook-test:
         # The type of runner that the job will run on
         runs-on: ubuntu-latest
-
         env:
-            ENABLE_DEBUG: false
-
-    # Steps represent a sequence of tasks that will be executed as part of the job
+            ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG || 'false' }}
+            OSVAR: AMAZON2
+            BENCHMARK_TYPE: CIS
+            # Imported as a variable by terraform
+            TF_VAR_repository: ${{ github.event.repository.name }}
+        defaults:
+            run:
+                shell: bash
+                working-directory: .github/workflows/github_linux_IaC
+
+        # Steps represent a sequence of tasks that will be executed as part of the job
         steps:
-            # Checks-out your repository under $GITHUB_WORKSPACE,
-            # so your job can access it
-            - uses: actions/checkout@v3
+            - name: Clone ${{ github.event.repository.name }}
+              uses: actions/checkout@v3
               with:
                   ref: ${{ github.event.pull_request.head.sha }}
 
+            # Pull in terraform code for linux servers
+            - name: Clone github IaC plan
+              uses: actions/checkout@v3
+              with:
+                  repository: ansible-lockdown/github_linux_IaC
+                  path: .github/workflows/github_linux_IaC
+
             - name: Add_ssh_key
               working-directory: .github/workflows
               env:
@@ -59,53 +72,73 @@ jobs:
                   echo $PRIVATE_KEY > .ssh/github_actions.pem
                   chmod 600 .ssh/github_actions.pem
 
-            ### Build out the server
+            - name: DEBUG - Show IaC files
+              if: env.ENABLE_DEBUG == 'true'
+              run: |
+                  echo "OSVAR = $OSVAR"
+                  echo "benchmark_type = $benchmark_type"
+                  pwd
+                  ls
+              env:
+                  # Imported from github variables this is used to load the relvent OS.tfvars file
+                  OSVAR: ${{ env.OSVAR }}
+                  benchmark_type: ${{ env.BENCHMARK_TYPE }}
+
             - name: Terraform_Init
-              working-directory: .github/workflows
+              id: init
               run: terraform init
+              env:
+                  # Imported from github variables this is used to load the relvent OS.tfvars file
+                  OSVAR: ${{ env.OSVAR }}
+                  TF_VAR_benchmark_type: ${{ env.BENCHMARK_TYPE }}
 
             - name: Terraform_Validate
-              working-directory: .github/workflows
+              id: validate
               run: terraform validate
+              env:
+                  # Imported from github variables this is used to load the relvent OS.tfvars file
+                  OSVAR: ${{ env.OSVAR }}
+                  TF_VAR_benchmark_type: ${{ env.BENCHMARK_TYPE }}
 
             - name: Terraform_Apply
-              working-directory: .github/workflows
+              id: apply
               env:
                   AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
                   AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-              run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
+                  OSVAR: ${{ env.OSVAR }}
+                  TF_VAR_benchmark_type: ${{ env.BENCHMARK_TYPE }}
+              run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
 
-            ## Debug Section
+  ## Debug Section
             - name: DEBUG - Show Ansible hostfile
               if: env.ENABLE_DEBUG == 'true'
-              working-directory: .github/workflows
               run: cat hosts.yml
 
-            # Aws deployments taking a while to come up insert sleep or playbook fails
+      # Aws deployments taking a while to come up insert sleep or playbook fails
 
             - name: Sleep for 60 seconds
               run: sleep 60s
-              shell: bash
 
-            # Run the ansible playbook
+          # Run the ansible playbook
             - name: Run_Ansible_Playbook
-              uses: arillso/action.playbook@master
+              uses: ansible-lockdown/action.playbook@main
               with:
                   playbook: site.yml
-                  inventory: .github/workflows/hosts.yml
+                  inventory: .github/workflows/github_linux_IaC/hosts.yml
                   galaxy_file: collections/requirements.yml
                   private_key: ${{ secrets.SSH_PRV_KEY }}
         #          verbose: 3
               env:
                   ANSIBLE_HOST_KEY_CHECKING: "false"
                   ANSIBLE_DEPRECATION_WARNINGS: "false"
 
-            # Remove test system - User secrets to keep if necessary
+          # Remove test system - User secrets to keep if necessary
 
             - name: Terraform_Destroy
-              working-directory: .github/workflows
               if: always() && env.ENABLE_DEBUG == 'false'
               env:
                   AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
                   AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-              run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
+                  OSVAR: ${{ env.OSVAR }}
+                  TF_VAR_benchmark_type: ${{ env.BENCHMARK_TYPE }}
+              run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf
diff --git a/.github/workflows/terraform.tfvars b/.github/workflows/terraform.tfvars
diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf