diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 8f5c8c5a..229920c6 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -8,3 +8,17 @@ # These folks own any files in the .github directory at the root of # the repository and any of its subdirectories. /.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj + +# These folks own all linting configuration files. +/.ansible-lint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.bandit.yml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.flake8 @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.isort.cfg @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.mdl_config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.pre-commit-config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.prettierignore @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.yamllint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/requirements.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/requirements-dev.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/requirements-test.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/setup-env @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 410ce71d..3975f277 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -2,16 +2,31 @@ name: build on: - push: + merge_group: + types: + - checks_requested pull_request: + push: repository_dispatch: - types: [apb] + types: + - apb + +# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace, +# nounset, errexit, and pipefail. The `-x` will print all commands as they are +# run. Please see the GitHub Actions documentation for more information: +# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs +defaults: + run: + shell: bash -Eueo pipefail -x {0} env: CURL_CACHE_DIR: ~/.cache/curl PIP_CACHE_DIR: ~/.cache/pip PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit RUN_TMATE: ${{ secrets.RUN_TMATE }} + TERRAFORM_DOCS_REPO_BRANCH_NAME: improvement/support_atx_closed_markdown_headers + TERRAFORM_DOCS_REPO_DEPTH: 1 + TERRAFORM_DOCS_REPO_URL: https://github.com/mcdonnnj/terraform-docs.git jobs: diagnostics: @@ -27,7 +42,7 @@ jobs: egress-policy: audit - id: github-status name: Check GitHub status - uses: crazy-max/ghaction-github-status@v3 + uses: crazy-max/ghaction-github-status@v4 - id: dump-context name: Dump context uses: crazy-max/ghaction-dump-context@v2 
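Review bot: The `-x` in the new `defaults.run.shell: bash -Eueo pipefail -x {0}` makes every `run` step in every job echo its fully expanded command line into the job log, and the same hunk puts `RUN_TMATE: ${{ secrets.RUN_TMATE }}` into the job-wide env. GitHub masks the literal values of registered secrets, but anything derived from one (a decoded, concatenated or reformatted value) is printed in clear, so a workflow-wide trace is a standing log-exposure risk rather than a debugging aid. Consider keeping the default at `shell: bash -Eueo pipefail {0}` and adding `set -x` inside the individual step that is being debugged. The second hunk on this line (`ghaction-github-status` v3 → v4) is a version bump only.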
@@ -45,20 +60,20 @@ jobs: uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 - id: setup-python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: - python-version: "3.11" + python-version: ${{ steps.setup-env.outputs.python-version }} # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: # There is no expectation for actual Go code so we disable caching as # it relies on the existence of a go.sum file. cache: false - go-version: "1.20" - - name: Lookup Go cache directory - id: go-cache + go-version: ${{ steps.setup-env.outputs.go-version }} + - id: go-cache + name: Lookup Go cache directory run: | echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT - uses: actions/cache@v3 @@ -69,6 +84,10 @@ jobs: packer${{ steps.setup-env.outputs.packer-version }}-\ tf${{ steps.setup-env.outputs.terraform-version }}-" with: + key: "${{ env.BASE_CACHE_KEY }}\ + ${{ hashFiles('**/requirements-test.txt') }}-\ + ${{ hashFiles('**/requirements.txt') }}-\ + ${{ hashFiles('**/.pre-commit-config.yaml') }}" # Note that the .terraform directory IS NOT included in the # cache because if we were caching, then we would need to use # the `-upgrade=true` option. This option blindly pulls down the @@ -80,10 +99,6 @@ jobs: ${{ env.PRE_COMMIT_CACHE_DIR }} ${{ env.CURL_CACHE_DIR }} ${{ steps.go-cache.outputs.dir }} - key: "${{ env.BASE_CACHE_KEY }}\ - ${{ hashFiles('**/requirements-test.txt') }}-\ - ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('**/.pre-commit-config.yaml') }}" restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache 
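Review bot: `actions/setup-python@v5` and `actions/setup-go@v5` are pinned to floating major tags, so the action code that runs in this job can change with no diff in this repository; the same applies to `hashicorp/setup-terraform@v3` in the next hunk and to the third-party `step-security/harden-runner@v2` and `crazy-max/*` actions added in sync-labels.yml. Pinning to a full commit SHA with the tag in a trailing comment (`uses: actions/setup-go@<commit-sha>  # v5`) makes the workflow's supply chain immutable, is what OpenSSF Scorecard's pinned-dependencies check expects, and Dependabot keeps both the SHA and the comment current. Separately, the `go-cache` step's `echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT` leaves `$GITHUB_OUTPUT` unquoted, which shellcheck reports as SC2086; `>> "$GITHUB_OUTPUT"` is the safe form.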
@@ -101,7 +116,7 @@ jobs: ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" sudo mv /usr/local/bin/packer /usr/local/bin/packer-default sudo ln -s /opt/packer/packer /usr/local/bin/packer - - uses: hashicorp/setup-terraform@v2 + - uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} - name: Install go-critic 
@@ -109,26 +124,38 @@ jobs: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install goimports + env: + PACKAGE_URL: golang.org/x/tools/cmd/goimports + PACKAGE_VERSION: ${{ steps.setup-env.outputs.goimports-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install gosec env: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install shfmt - env: - PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt - PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install staticcheck env: PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install Terraform-docs - env: - PACKAGE_URL: github.com/terraform-docs/terraform-docs - PACKAGE_VERSION: ${{ steps.setup-env.outputs.terraform-docs-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + # TODO: https://github.com/cisagov/skeleton-generic/issues/165 + # We are temporarily using @mcdonnnj's forked branch of terraform-docs + # until his PR: https://github.com/terraform-docs/terraform-docs/pull/745 + # is approved. This temporary fix will allow for ATX header support when + # terraform-docs is run during linting. + - name: Clone ATX headers branch from terraform-docs fork + run: | + git clone \ + --branch $TERRAFORM_DOCS_REPO_BRANCH_NAME \ + --depth $TERRAFORM_DOCS_REPO_DEPTH \ + --single-branch \ + $TERRAFORM_DOCS_REPO_URL /tmp/terraform-docs + - name: Build and install terraform-docs binary + run: | + go build \ + -C /tmp/terraform-docs \ + -o $(go env GOPATH)/bin/terraform-docs - name: Install dependencies run: | python -m pip install --upgrade pip setuptools wheel 
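Review bot: The `Clone ATX headers branch from terraform-docs fork` step checks out a mutable branch (`$TERRAFORM_DOCS_REPO_BRANCH_NAME`) of a personal fork and the following step builds and installs whatever it contains into `$(go env GOPATH)/bin`, so anyone who can push to that branch can change the binary that later runs inside this job, whereas the removed `go install ...@${PACKAGE_VERSION}` at least pinned a released version. Until the upstream PR named in the TODO lands, pin the fork to a commit: add a `TERRAFORM_DOCS_REPO_COMMIT` entry to `env` (the SHA itself is a placeholder to fill in) and, after the clone, fail the step if it does not match, e.g. `test "$(git -C /tmp/terraform-docs rev-parse HEAD)" = "$TERRAFORM_DOCS_REPO_COMMIT"`. Quoting the expansions (`"$TERRAFORM_DOCS_REPO_URL"`, `"$(go env GOPATH)/bin/terraform-docs"`) also keeps shellcheck quiet under the new default shell.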
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 44e8e198..5a20438e 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -11,7 +11,26 @@ permissions: contents: read jobs: + diagnostics: + name: Run diagnostics + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v3 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 labeler: + needs: + - diagnostics permissions: # actions/checkout needs this to fetch code contents: read @@ -19,6 +38,11 @@ jobs: issues: write runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - uses: actions/checkout@v4 - name: Sync repository labels if: success() diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1e5ffbd7..ae40f365 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,7 +5,7 @@ default_language_version: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.4.0 + rev: v4.5.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs 
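Review bot: The `diagnostics` job copied into sync-labels.yml uses `crazy-max/ghaction-github-status@v3`, while the build.yml hunk in this same commit bumps that action to `@v4`; the two workflows should agree, so this should read `uses: crazy-max/ghaction-github-status@v4`. In both new `harden-runner` steps (this hunk and the `labeler` job in the next one) `egress-policy: audit` only records outbound connections; since the labeler job appears to need only the GitHub API, `egress-policy: block` with an `allowed-endpoints` list would actually enforce the restriction once the audit logs confirm the endpoints. The `.pre-commit-config.yaml` hunk on this line is a version bump only.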
@@ -31,17 +31,24 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.36.0 + rev: v0.39.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.0.3 + # This is the last version of v3 available from the mirror. We should hold + # here until v4, which is currently in alpha, is more stable. + rev: v3.1.0 hooks: - id: prettier + # This is the latest version of v3 available from NPM. The pre-commit + # mirror does not pull tags for old major versions once a new major + # version tag is published. + additional_dependencies: + - prettier@3.2.5 - repo: https://github.com/adrienverge/yamllint - rev: v1.32.0 + rev: v1.35.1 hooks: - id: yamllint args: @@ -49,14 +56,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.26.3 + rev: 0.28.0 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.4.0 + rev: v3.6.2 hooks: - id: validate_manifest @@ -78,7 +85,11 @@ repos: - id: go-vet-repo-mod # GoSec - id: go-sec-repo-mod - + # goimports + - id: go-imports-repo + args: + # Write changes to files + - -w # Nix hooks - repo: https://github.com/nix-community/nixpkgs-fmt rev: v1.3.0 
@@ -86,28 +97,32 @@ repos: - id: nixpkgs-fmt # Shell script hooks - - repo: https://github.com/cisagov/pre-commit-shfmt - rev: v0.0.2 + - repo: https://github.com/scop/pre-commit-shfmt + rev: v3.7.0-4 hooks: - id: shfmt args: + # List files that will be formatted + - --list + # Write result to file instead of stdout + - --write # Indent by two spaces - - -i - - '2' + - --indent + - "2" # Binary operators may start a line - - -bn + - --binary-next-line # Switch cases are indented - - -ci + - --case-indent # Redirect operators are followed by a space - - -sr - - repo: https://github.com/detailyang/pre-commit-shell - rev: 1.0.5 + - --space-redirects + - repo: https://github.com/shellcheck-py/shellcheck-py + rev: v0.9.0.6 hooks: - - id: shell-lint + - id: shellcheck # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.5 + rev: 1.7.7 hooks: - id: bandit additional_dependencies: @@ -115,41 +130,41 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 23.9.1 + rev: 24.2.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 6.1.0 + rev: 7.0.0 hooks: - id: flake8 additional_dependencies: - flake8-docstrings - repo: https://github.com/PyCQA/isort - rev: 5.12.0 + rev: 5.13.2 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.5.1 + rev: v1.8.0 hooks: - id: mypy additional_dependencies: - types-requests - types-PyYAML - repo: https://github.com/asottile/pyupgrade - rev: v3.10.1 + rev: v3.15.1 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v6.19.0 + rev: v24.2.0 hooks: - id: ansible-lint # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.83.2 + rev: v1.88.0 hooks: - id: terraform_fmt - id: terraform_validate diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 856023a9..20851fd3 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
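Review bot: The two hook sources introduced here, `scop/pre-commit-shfmt` at `rev: v3.7.0-4` and `shellcheck-py/shellcheck-py` at `rev: v0.9.0.6`, are pinned by git tag, which the upstream maintainer can move; `rev:` also accepts a full commit SHA (`rev: <commit-sha>  # v3.7.0-4`), which makes the hook code immutable while still documenting the version. This follows the file's existing convention of tag pins maintained by `pre-commit autoupdate`, so treat it as a repo-wide decision rather than a blocker for this change. Note also that if either hook downloads a prebuilt tool at install time, a SHA pin covers only the hook wrapper, not the binary it fetches — worth confirming before relying on the pin.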
@@ -46,9 +46,13 @@ There are a few ways to do this, but we prefer to use create and manage a Python virtual environment specific to this project. -If you already have `pyenv` and `pyenv-virtualenv` configured you can -take advantage of the `setup-env` tool in this repo to automate the -entire environment configuration process. +We recommend using the `setup-env` script located in this repository, +as it automates the entire environment configuration process. The +dependencies required to run this script are +[GNU `getopt`](https://github.com/util-linux/util-linux/blob/master/misc-utils/getopt.1.adoc), +[`pyenv`](https://github.com/pyenv/pyenv), and [`pyenv-virtualenv`](https://github.com/pyenv/pyenv-virtualenv). +If these tools are already configured on your system, you can simply run the +following command: ```console ./setup-env @@ -57,13 +61,18 @@ entire environment configuration process. Otherwise, follow the steps below to manually configure your environment. -#### Installing and using `pyenv` and `pyenv-virtualenv` #### +#### Installing and using GNU `getopt`, `pyenv`, and `pyenv-virtualenv` #### -On the Mac, we recommend installing [brew](https://brew.sh/). Then -installation is as simple as `brew install pyenv pyenv-virtualenv` and +On macOS, we recommend installing [brew](https://brew.sh/). Then +installation is as simple as `brew install gnu-getopt pyenv pyenv-virtualenv` and adding this to your profile: ```bash +# GNU getopt must be explicitly added to the path since it is +# keg-only (https://docs.brew.sh/FAQ#what-does-keg-only-mean) +export PATH="$(brew --prefix)/opt/gnu-getopt/bin:$PATH" + +# Setup pyenv export PYENV_ROOT="$HOME/.pyenv" export PATH="$PYENV_ROOT/bin:$PATH" eval "$(pyenv init --path)" 
@@ -71,13 +80,15 @@ eval "$(pyenv init -)" eval "$(pyenv virtualenv-init -)" ``` -For Linux, Windows Subsystem for Linux (WSL), or on the Mac (if you +For Linux, Windows Subsystem for Linux (WSL), or macOS (if you don't want to use `brew`) you can use [pyenv/pyenv-installer](https://github.com/pyenv/pyenv-installer) to install the necessary tools. Before running this ensure that you have installed the prerequisites for your platform according to the [`pyenv` wiki page](https://github.com/pyenv/pyenv/wiki/common-build-problems). +GNU `getopt` is included in most Linux distributions as part of the +[`util-linux`](https://github.com/util-linux/util-linux) package. On WSL you should treat your platform as whatever Linux distribution you've chosen to install. diff --git a/ansible/playbook.yml b/ansible/playbook.yml index f22b4970..19e73b55 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Setup the inventory and wait for a bastion to become available +- name: Setup the inventory and wait for a bastion to become available + hosts: localhost gather_facts: yes check_mode: no tasks: @@ -24,15 +24,15 @@ search_regex: OpenSSH when: bastion_host is not defined -- hosts: all - name: Configure groups now that cloud-init has run +- name: Configure groups now that cloud-init has run + hosts: all become: yes become_method: ansible.builtin.sudo roles: - groups -- hosts: mongo - name: Configure MongoDB +- name: Configure MongoDB + hosts: mongo become: yes become_method: ansible.builtin.sudo roles: @@ -40,8 +40,8 @@ - mongo_logrotate - cyhy_feeds -- hosts: bod_docker - name: Configure Docker hosts for BOD 18-01 scanning and reporting +- name: Configure Docker hosts for BOD 18-01 scanning and reporting + hosts: bod_docker become: yes become_method: ansible.builtin.sudo roles: 
@@ -51,42 +51,42 @@ - code_gov_update - client_cert_update -- hosts: cyhy_commander - name: Configure cyhy-commander hosts +- name: Configure cyhy-commander hosts + hosts: cyhy_commander become: yes become_method: ansible.builtin.sudo roles: - cyhy_commander - role: swap vars: - swapfile_size: 2GiB + swap_swapfile_size: 2GiB - cyhy_logrotate -- hosts: nmap - name: Configure nmap scanning hosts +- name: Configure nmap scanning hosts + hosts: nmap become: yes become_method: ansible.builtin.sudo roles: - role: swap vars: - swapfile_size: 4GiB + swap_swapfile_size: 4GiB -- hosts: cyhy_runner - name: Configure cyhy-runner hosts +- name: Configure cyhy-runner hosts + hosts: cyhy_runner become: yes become_method: ansible.builtin.sudo roles: - cyhy_logrotate -- hosts: nessus - name: Configure Nessus hosts +- name: Configure Nessus hosts + hosts: nessus become: yes become_method: ansible.builtin.sudo roles: - nessus -- hosts: cyhy_reporter - name: Configure cyhy-reports hosts +- name: Configure cyhy-reports hosts + hosts: cyhy_reporter become: yes become_method: ansible.builtin.sudo roles: @@ -94,29 +94,29 @@ - cyhy_logrotate - cyhy_mailer -- hosts: cyhy_bastion - name: Configure cyhy bastion hosts +- name: Configure cyhy bastion hosts + hosts: cyhy_bastion become: yes become_method: ansible.builtin.sudo roles: - cyhy_ops -- hosts: cyhy_dashboard - name: Install and configure cyhy-dashboard +- name: Install and configure cyhy-dashboard + hosts: cyhy_dashboard become: yes become_method: ansible.builtin.sudo roles: - cyhy_dashboard -- hosts: cyhy_archive - name: Configure cyhy-archive hosts +- name: Configure cyhy-archive hosts + hosts: cyhy_archive become: yes become_method: ansible.builtin.sudo roles: - cyhy_archive -- hosts: mgmt_bastion - name: Configure management bastion hosts +- name: Configure management bastion hosts + hosts: mgmt_bastion become: yes become_method: ansible.builtin.sudo roles: 
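Review bot: `swap_swapfile_size` replaces `swapfile_size` in the `vars:` handed to the `swap` role in the `cyhy_commander` and `nmap` plays, but nothing in this diff shows the `swap` role itself being updated to read the new name. If that role is external (Galaxy or a requirements file), the override silently does nothing unless the installed version already expects `swap_swapfile_size`, and those hosts would receive the role's default swap size; please confirm the role's `defaults/main.yml` or bump its pinned version in the same change.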
diff --git a/ansible/roles/client_cert_update/templates/aws_config.j2 b/ansible/roles/client_cert_update/templates/aws_config.j2 index 47c3ff6c..a979e55d 100644 --- a/ansible/roles/client_cert_update/templates/aws_config.j2 +++ b/ansible/roles/client_cert_update/templates/aws_config.j2 @@ -1,4 +1,4 @@ [default] credential_source = Ec2InstanceMetadata -region = {{ ses_aws_region }} -role_arn = {{ ses_send_email_role }} +region = {{ client_cert_update_ses_aws_region }} +role_arn = {{ client_cert_update_ses_send_email_role }} diff --git a/ansible/roles/client_cert_update/templates/scan_read_creds.yml.j2 b/ansible/roles/client_cert_update/templates/scan_read_creds.yml.j2 index e60e60b0..910f34a9 100644 --- a/ansible/roles/client_cert_update/templates/scan_read_creds.yml.j2 +++ b/ansible/roles/client_cert_update/templates/scan_read_creds.yml.j2 @@ -1,5 +1,5 @@ --- database: - name: {{ scan_reader_db }} - uri: mongodb://{{ scan_reader_user }}:{{ scan_reader_pw }}@database1.cyhy:27017/{{ scan_reader_db }} + name: {{ client_cert_update_scan_reader_db }} + uri: mongodb://{{ client_cert_update_scan_reader_user }}:{{ client_cert_update_scan_reader_pw }}@database1.cyhy:27017/{{ client_cert_update_scan_reader_db }} version: "1" diff --git a/ansible/roles/client_cert_update/tests/test.yml b/ansible/roles/client_cert_update/tests/test.yml index caf4fb61..dc81373e 100644 --- a/ansible/roles/client_cert_update/tests/test.yml +++ b/ansible/roles/client_cert_update/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - client_cert_update diff --git a/ansible/roles/client_cert_update/vars/main.yml b/ansible/roles/client_cert_update/vars/main.yml index 5b811cdf..51b859c9 100644 --- a/ansible/roles/client_cert_update/vars/main.yml +++ b/ansible/roles/client_cert_update/vars/main.yml 
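Review bot: The rewritten `uri:` line in scan_read_creds.yml.j2 interpolates `client_cert_update_scan_reader_pw` straight into a MongoDB connection string; a password containing `@`, `:`, `/`, `?` or `%` yields a URI that either fails to parse or authenticates with the wrong credentials, so the value should be percent-encoded, e.g. `{{ client_cert_update_scan_reader_pw | urlencode }}` (and the username likewise). The same pattern is rewritten in the `database-uri` lines of cyhy_commander/tasks/main.yml, commander.conf.j2, cyhy.conf.j2 and cyhy_dashboard/templates/cyhy.conf.j2 later in this diff. The `name: {{ client_cert_update_scan_reader_db }}` line is an unquoted YAML scalar, so a database name that happens to look like a number or boolean would be retyped by the consumer's parser; `name: "{{ client_cert_update_scan_reader_db }}"` avoids that.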
@@ -1,7 +1,7 @@ --- # scan-reader mongo username -scan_reader_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/user') }}" +client_cert_update_scan_reader_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/user') }}" # scan-reader mongo password -scan_reader_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/password') }}" +client_cert_update_scan_reader_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/password') }}" # scan-reader mongo database -scan_reader_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/database') }}" +client_cert_update_scan_reader_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/database') }}" diff --git a/ansible/roles/code_gov_update/templates/aws_config.j2 b/ansible/roles/code_gov_update/templates/aws_config.j2 index 47c3ff6c..63f9b394 100644 --- a/ansible/roles/code_gov_update/templates/aws_config.j2 +++ b/ansible/roles/code_gov_update/templates/aws_config.j2 @@ -1,4 +1,4 @@ [default] credential_source = Ec2InstanceMetadata -region = {{ ses_aws_region }} -role_arn = {{ ses_send_email_role }} +region = {{ code_gov_update_ses_aws_region }} +role_arn = {{ code_gov_update_ses_send_email_role }} diff --git a/ansible/roles/code_gov_update/templates/scraper.json.j2 b/ansible/roles/code_gov_update/templates/scraper.json.j2 index 1c71d41d..cd5fa83c 100644 --- a/ansible/roles/code_gov_update/templates/scraper.json.j2 +++ b/ansible/roles/code_gov_update/templates/scraper.json.j2 @@ -9,7 +9,7 @@ ], "public_only": true, "repos": [], - "token": "{{ github_pat }}", + "token": "{{ code_gov_update_github_pat }}", "url": "https://github.com" } ], diff --git a/ansible/roles/code_gov_update/tests/test.yml b/ansible/roles/code_gov_update/tests/test.yml index 4b5f2452..a803cd3b 100644 --- a/ansible/roles/code_gov_update/tests/test.yml +++ b/ansible/roles/code_gov_update/tests/test.yml 
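Review bot: The renamed `"token": "{{ code_gov_update_github_pat }}"` line in scraper.json.j2 places a secret into JSON without escaping; a value containing `"` or `\` would break the document, and `"token": {{ code_gov_update_github_pat | to_json }},` is the robust form since it emits a correctly quoted JSON string whatever the value contains. The `vars/main.yml` renames on this line are straightforward; note only that `vars/` entries sit above inventory in precedence, so these SSM lookups cannot be overridden per host, which is presumably intended.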
@@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - code_gov_update diff --git a/ansible/roles/code_gov_update/vars/main.yml b/ansible/roles/code_gov_update/vars/main.yml index 4f5f7d85..040cf83c 100644 --- a/ansible/roles/code_gov_update/vars/main.yml +++ b/ansible/roles/code_gov_update/vars/main.yml @@ -1,3 +1,3 @@ --- # The GitHub Personal Access Token -github_pat: "{{ lookup('aws_ssm', '/github/pat/code.gov') }}" +code_gov_update_github_pat: "{{ lookup('aws_ssm', '/github/pat/code.gov') }}" diff --git a/ansible/roles/cyhy_archive/tests/test.yml b/ansible/roles/cyhy_archive/tests/test.yml index a15b2dd4..ff4442ad 100644 --- a/ansible/roles/cyhy_archive/tests/test.yml +++ b/ansible/roles/cyhy_archive/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - cyhy_archive diff --git a/ansible/roles/cyhy_commander/defaults/main.yml b/ansible/roles/cyhy_commander/defaults/main.yml index 1c93a6ae..cbf1184e 100644 --- a/ansible/roles/cyhy_commander/defaults/main.yml +++ b/ansible/roles/cyhy_commander/defaults/main.yml @@ -2,12 +2,12 @@ # The maximum number of jobs to assign to each nessus host (vulnscanner). # This value is used in the "production" section of the cyhy-commander # configuration file this role generates. -jobs_per_nessus_host: 16 +cyhy_commander_jobs_per_nessus_host: 16 # The maximum number of jobs to assign to each nmap host (portscanner). # This value is used in the "production" section of the cyhy-commander # configuration file this role generates. -jobs_per_nmap_host: 8 +cyhy_commander_jobs_per_nmap_host: 8 # The maximum number of hosts that are scheduled to have scanning restarted # whose next scan stage should be updated per cyhy-commander cycle. The checks 
@@ -17,4 +17,4 @@ jobs_per_nmap_host: 8 # transitioned to NETSCAN1. # This value is used in the "production" section of the cyhy-commander # configuration file this role generates. -next_scan_limit: 8192 +cyhy_commander_next_scan_limit: 8192 diff --git a/ansible/roles/cyhy_commander/tasks/main.yml b/ansible/roles/cyhy_commander/tasks/main.yml index bd0b7948..08dc61ff 100644 --- a/ansible/roles/cyhy_commander/tasks/main.yml +++ b/ansible/roles/cyhy_commander/tasks/main.yml @@ -4,7 +4,7 @@ # - name: Copy ssh private key for cyhy user ansible.builtin.copy: - content: "{{ ssh_private_key }}" + content: "{{ cyhy_commander_ssh_private_key }}" dest: /var/cyhy/.ssh/id_ed25519 group: cyhy mode: 0600 @@ -93,8 +93,8 @@ ansible.builtin.blockinfile: block: | [production] - database-uri = mongodb://{{ commander_user }}:{{ commander_pw }}@database1.cyhy:27017/{{ commander_db }} - database-name = {{ commander_db }} + database-uri = mongodb://{{ cyhy_commander_commander_user }}:{{ cyhy_commander_commander_pw }}@database1.cyhy:27017/{{ cyhy_commander_commander_db }} + database-name = {{ cyhy_commander_commander_db }} marker: '; {mark} ANSIBLE MANAGED BLOCK commander' path: /etc/cyhy/cyhy.conf when: cyhy_commander_cyhy_conf_result.stat.exists @@ -110,6 +110,7 @@ - name: Load data to places collection as the cyhy user ansible.builtin.command: # noqa no-changed-when cmd: /tmp/cyhy-places/scripts/load_places.sh + become: yes become_user: cyhy # diff --git a/ansible/roles/cyhy_commander/templates/commander.conf.j2 b/ansible/roles/cyhy_commander/templates/commander.conf.j2 index 344ff7e4..84013514 100644 --- a/ansible/roles/cyhy_commander/templates/commander.conf.j2 +++ b/ansible/roles/cyhy_commander/templates/commander.conf.j2 
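Review bot: `Copy ssh private key for cyhy user` passes `cyhy_commander_ssh_private_key` as `content:`, and `ansible.builtin.copy` shows that content in `--diff`/verbose output and in the task result unless the task sets `no_log: true`; the hunk does not show such a line, so if it is absent below, add `no_log: true` to this task and to the `blockinfile` task that writes `cyhy_commander_commander_pw` into `/etc/cyhy/cyhy.conf`. The newly added `become: yes` (repeated in the cyhy_dashboard and cyhy_feeds hunks later in this diff) uses the YAML 1.1 truthy spelling; `become: true` is what the yamllint `truthy` rule and the newer ansible-lint pinned by this commit expect, assuming the repo's `.yamllint` keeps the default allowed values. Likewise `mode: 0600` on the copy task is an unquoted octal that ansible-lint reports as `risky-octal`; write `mode: "0600"`.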
@@ -1,6 +1,6 @@ [DEFAULT] default-section = production -database-uri = mongodb://{{ commander_user }}:{{ commander_pw }}@database1.cyhy:27017/{{ commander_db }} +database-uri = mongodb://{{ cyhy_commander_commander_user }}:{{ cyhy_commander_commander_pw }}@database1.cyhy:27017/{{ cyhy_commander_commander_db }} jobs-per-nmap-host = 8 jobs-per-nessus-host = 16 poll-interval = 30 @@ -15,11 +15,11 @@ nessus-hosts = vulnscan1 [production] database-name = cyhy -jobs-per-nmap-host = {{ jobs_per_nmap_host }} -jobs-per-nessus-host = {{ jobs_per_nessus_host }} -next-scan-limit = {{ next_scan_limit }} -nmap-hosts = {{ nmap_hosts }} -nessus-hosts = {{ nessus_hosts }} +jobs-per-nmap-host = {{ cyhy_commander_jobs_per_nmap_host }} +jobs-per-nessus-host = {{ cyhy_commander_jobs_per_nessus_host }} +next-scan-limit = {{ cyhy_commander_next_scan_limit }} +nmap-hosts = {{ cyhy_commander_nmap_hosts }} +nessus-hosts = {{ cyhy_commander_nessus_hosts }} [purge] # use to collect remaining jobs without creating new ones @@ -34,8 +34,8 @@ database-name = cyhy jobs-per-nmap-host = 0 jobs-per-nessus-host = 0 shutdown-when-idle = false -nmap-hosts = {{ nmap_hosts }} -nessus-hosts = {{ nessus_hosts }} +nmap-hosts = {{ cyhy_commander_nmap_hosts }} +nessus-hosts = {{ cyhy_commander_nessus_hosts }} [purge-trash] # purge jobs from scanners diff --git a/ansible/roles/cyhy_commander/templates/cyhy.conf.j2 b/ansible/roles/cyhy_commander/templates/cyhy.conf.j2 index c9c90711..48786b0e 100644 --- a/ansible/roles/cyhy_commander/templates/cyhy.conf.j2 +++ b/ansible/roles/cyhy_commander/templates/cyhy.conf.j2 
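Review bot: commander.conf.j2 now references `cyhy_commander_nmap_hosts` and `cyhy_commander_nessus_hosts`, but neither name is defined in the `cyhy_commander` defaults or vars hunks in this diff (those only rename the `jobs_per_*`/`next_scan_limit` values and the SSM lookups). If the old `nmap_hosts`/`nessus_hosts` came from inventory or group_vars produced outside this repository, that source needs the matching rename or the template fails with an undefined-variable error at deploy time; at minimum an `ansible.builtin.assert` that both variables are defined, with a comment in `defaults/main.yml` naming where the real values come from, would make the contract explicit.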
@@ -5,6 +5,6 @@ report-key = ; BEGIN ANSIBLE MANAGED BLOCK commander [production] -database-uri = mongodb://{{ commander_user }}:{{ commander_pw }}@database1.cyhy:27017/{{ commander_db }} -database-name = {{ commander_db }} +database-uri = mongodb://{{ cyhy_commander_commander_user }}:{{ cyhy_commander_commander_pw }}@database1.cyhy:27017/{{ cyhy_commander_commander_db }} +database-name = {{ cyhy_commander_commander_db }} ; END ANSIBLE MANAGED BLOCK commander diff --git a/ansible/roles/cyhy_commander/tests/test.yml b/ansible/roles/cyhy_commander/tests/test.yml index 04996448..59291828 100644 --- a/ansible/roles/cyhy_commander/tests/test.yml +++ b/ansible/roles/cyhy_commander/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - cyhy_commander diff --git a/ansible/roles/cyhy_commander/vars/main.yml b/ansible/roles/cyhy_commander/vars/main.yml index 88b8b6dd..6aa0c70c 100644 --- a/ansible/roles/cyhy_commander/vars/main.yml +++ b/ansible/roles/cyhy_commander/vars/main.yml @@ -1,10 +1,10 @@ --- # The CyHy SSH private key -ssh_private_key: "{{ lookup('aws_ssm', '/cyhy/ssh/private_key') }}" +cyhy_commander_ssh_private_key: "{{ lookup('aws_ssm', '/cyhy/ssh/private_key') }}" # commander mongo username -commander_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/user') }}" +cyhy_commander_commander_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/user') }}" # commander mongo password -commander_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/password') }}" +cyhy_commander_commander_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/password') }}" # commander mongo database -commander_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/database') }}" +cyhy_commander_commander_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/database') }}" 
diff --git a/ansible/roles/cyhy_dashboard/tasks/main.yml b/ansible/roles/cyhy_dashboard/tasks/main.yml index 0b2d756c..4b0692ae 100644 --- a/ansible/roles/cyhy_dashboard/tasks/main.yml +++ b/ansible/roles/cyhy_dashboard/tasks/main.yml @@ -19,6 +19,7 @@ ansible.builtin.shell: cmd: head -c 24 /dev/urandom > /var/cyhy/web/secret_key creates: /var/cyhy/web/secret_key + become: yes become_method: ansible.builtin.sudo become_user: cyhy diff --git a/ansible/roles/cyhy_dashboard/templates/cyhy.conf.j2 b/ansible/roles/cyhy_dashboard/templates/cyhy.conf.j2 index 74bccb99..00a87923 100644 --- a/ansible/roles/cyhy_dashboard/templates/cyhy.conf.j2 +++ b/ansible/roles/cyhy_dashboard/templates/cyhy.conf.j2 @@ -4,5 +4,5 @@ database-uri = mongodb://database1.cyhy:27017/ report-key = [production] -database-uri = mongodb://{{ commander_user }}:{{ commander_pw }}@database1.cyhy:27017/{{ commander_db }} -database-name = {{ commander_db }} +database-uri = mongodb://{{ cyhy_dashboard_commander_user }}:{{ cyhy_dashboard_commander_pw }}@database1.cyhy:27017/{{ cyhy_dashboard_commander_db }} +database-name = {{ cyhy_dashboard_commander_db }} diff --git a/ansible/roles/cyhy_dashboard/tests/test.yml b/ansible/roles/cyhy_dashboard/tests/test.yml index 670e34b0..9377dcc4 100644 --- a/ansible/roles/cyhy_dashboard/tests/test.yml +++ b/ansible/roles/cyhy_dashboard/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - cyhy_dashboard diff --git a/ansible/roles/cyhy_dashboard/vars/main.yml b/ansible/roles/cyhy_dashboard/vars/main.yml index 5441d0ac..99a5b101 100644 --- a/ansible/roles/cyhy_dashboard/vars/main.yml +++ b/ansible/roles/cyhy_dashboard/vars/main.yml 
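Review bot: The `head -c 24 /dev/urandom > /var/cyhy/web/secret_key` step, to which this hunk adds `become: yes`, creates the key file with whatever umask the sudo shell inherits (commonly 0644, readable by every local user), and nothing in the hunk sets a mode; unless an `ansible.builtin.file` task follows to tighten it, prefix the command with `umask 077 && ` or add a file task with `owner: cyhy` and `mode: "0600"`. Also, `become: true` rather than `become: yes` is the spelling the yamllint/ansible-lint truthy rules accept.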
@@ -1,7 +1,7 @@ --- # commander mongo username -commander_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/user') }}" +cyhy_dashboard_commander_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/user') }}" # commander mongo password -commander_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/password') }}" +cyhy_dashboard_commander_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/password') }}" # commander mongo database -commander_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/database') }}" +cyhy_dashboard_commander_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/database') }}" diff --git a/ansible/roles/cyhy_feeds/tasks/main.yml b/ansible/roles/cyhy_feeds/tasks/main.yml index c72d407c..2e382943 100644 --- a/ansible/roles/cyhy_feeds/tasks/main.yml +++ b/ansible/roles/cyhy_feeds/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Create cyhy-feeds config ansible.builtin.copy: - content: "{{ config }}" + content: "{{ cyhy_feeds_config }}" dest: "/var/cyhy/scripts/cyhy-feeds/cyhy-data-extract.cfg" group: cyhy mode: 0444 
@@ -31,20 +31,20 @@ src: mongodb_credentials.yml.j2 loop: # reporter - - database: "{{ reporter_db }}" + - database: "{{ cyhy_feeds_reporter_db }}" filename: cyhy.yml - username: "{{ reporter_user }}" - password: "{{ reporter_pw }}" + username: "{{ cyhy_feeds_reporter_user }}" + password: "{{ cyhy_feeds_reporter_pw }}" # scan-reader - - database: "{{ scan_reader_db }}" + - database: "{{ cyhy_feeds_scan_reader_db }}" filename: scan_reader.yml - username: "{{ scan_reader_user }}" - password: "{{ scan_reader_pw }}" + username: "{{ cyhy_feeds_scan_reader_user }}" + password: "{{ cyhy_feeds_scan_reader_pw }}" # assessment-reader - - database: "{{ assessment_read_db }}" + - database: "{{ cyhy_feeds_assessment_read_db }}" filename: assessment_reader.yml - username: "{{ assessment_read_user }}" - password: "{{ assessment_read_pw }}" + username: "{{ cyhy_feeds_assessment_read_user }}" + password: "{{ cyhy_feeds_assessment_read_pw }}" loop_control: label: "{{ item.filename }}" @@ -61,13 +61,14 @@ ansible.builtin.shell: cmd: set -o pipefail && echo {{ item | quote }} | gpg2 --trustdb-name /var/cyhy/.gnupg/trustdb.gpg --import --batch executable: /bin/bash + become: yes become_user: cyhy changed_when: "'imported: 1' in cyhy_feeds_import_gpg_key.stderr" loop: - - "{{ ncps_ae_public_gpg_key }}" - - "{{ nsd_public_gpg_key }}" - - "{{ private_gpg_key }}" - - "{{ public_gpg_key }}" + - "{{ cyhy_feeds_ncps_ae_public_gpg_key }}" + - "{{ cyhy_feeds_nsd_public_gpg_key }}" + - "{{ cyhy_feeds_private_gpg_key }}" + - "{{ cyhy_feeds_public_gpg_key }}" loop_control: label: "" register: cyhy_feeds_import_gpg_key 
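Review bot: The GPG import task (its `- name:` line is above the hunk) passes `cyhy_feeds_private_gpg_key` on the command line via `echo {{ item | quote }}`, and `loop_control.label: ""` hides only the loop label; the full `cmd`, private key included, still lands in the registered `cyhy_feeds_import_gpg_key` result and in `-vvv` output unless the task also sets `no_log: true`, which the hunk does not show. Since `changed_when` only inspects `stderr`, `no_log: true` is safe to add; alternatively hand the key to gpg2 through the module's `stdin:` option instead of an `echo` pipeline, which also removes the need for `set -o pipefail`. The same applies to the ownertrust task in the next hunk, and the added `become: yes` lines should read `become: true` per the truthy lint rules.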
@@ -77,8 +78,9 @@ # before quoting. A quoted newline causes a failure when gpg2 attempts to # import the owner trust. ansible.builtin.shell: - cmd: set -o pipefail && echo {{ gpg_trust | trim | quote }} | gpg2 --import-ownertrust --batch + cmd: set -o pipefail && echo {{ cyhy_feeds_gpg_trust | trim | quote }} | gpg2 --import-ownertrust --batch executable: /bin/bash + become: yes become_user: cyhy changed_when: "'inserting ownertrust' in cyhy_feeds_import_gpg_ownertrust.stderr" register: cyhy_feeds_import_gpg_ownertrust diff --git a/ansible/roles/cyhy_feeds/templates/aws_config.j2 b/ansible/roles/cyhy_feeds/templates/aws_config.j2 index bb4494f0..1dfbfdb2 100644 --- a/ansible/roles/cyhy_feeds/templates/aws_config.j2 +++ b/ansible/roles/cyhy_feeds/templates/aws_config.j2 @@ -1,7 +1,7 @@ [default] -region = {{ aws_region }} +region = {{ cyhy_feeds_aws_region }} [profile elasticsearch] credential_source = Ec2InstanceMetadata -region = {{ dmarc_import_aws_region }} -role_arn = {{ dmarc_import_es_role }} +region = {{ cyhy_feeds_dmarc_import_aws_region }} +role_arn = {{ cyhy_feeds_dmarc_import_es_role }} diff --git a/ansible/roles/cyhy_feeds/tests/test.yml b/ansible/roles/cyhy_feeds/tests/test.yml index 400fbd9f..83b83347 100644 --- a/ansible/roles/cyhy_feeds/tests/test.yml +++ b/ansible/roles/cyhy_feeds/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - cyhy_feeds diff --git a/ansible/roles/cyhy_feeds/vars/main.yml b/ansible/roles/cyhy_feeds/vars/main.yml index c8836b40..c6ad60b7 100644 --- a/ansible/roles/cyhy_feeds/vars/main.yml +++ b/ansible/roles/cyhy_feeds/vars/main.yml 
@@ -1,36 +1,36 @@ --- # cyhy-feeds config -config: "{{ lookup('aws_ssm', '/cyhy/feeds/config') }}" +cyhy_feeds_config: "{{ lookup('aws_ssm', '/cyhy/feeds/config') }}" # cyhy-feeds public GPG key -public_gpg_key: "{{ lookup('aws_ssm', '/cyhy/feeds/gpg/public') }}" +cyhy_feeds_public_gpg_key: "{{ lookup('aws_ssm', '/cyhy/feeds/gpg/public') }}" # cyhy-feeds private GPG key -private_gpg_key: "{{ lookup('aws_ssm', '/cyhy/feeds/gpg/private') }}" +cyhy_feeds_private_gpg_key: "{{ lookup('aws_ssm', '/cyhy/feeds/gpg/private') }}" # NSD public GPG key -nsd_public_gpg_key: "{{ lookup('aws_ssm', '/cyhy/feeds/gpg/nsd_public') }}" +cyhy_feeds_nsd_public_gpg_key: "{{ lookup('aws_ssm', '/cyhy/feeds/gpg/nsd_public') }}" # NCPS Analytics Environment public GPG key -ncps_ae_public_gpg_key: "{{ lookup('aws_ssm', '/cyhy/feeds/gpg/ncps_ae_public') }}" +cyhy_feeds_ncps_ae_public_gpg_key: "{{ lookup('aws_ssm', '/cyhy/feeds/gpg/ncps_ae_public') }}" # cyhy-feeds GPG trust -gpg_trust: "{{ lookup('aws_ssm', '/cyhy/feeds/gpg/trust') }}" +cyhy_feeds_gpg_trust: "{{ lookup('aws_ssm', '/cyhy/feeds/gpg/trust') }}" # reporter mongo username -reporter_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/user') }}" +cyhy_feeds_reporter_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/user') }}" # reporter mongo password -reporter_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/password') }}" +cyhy_feeds_reporter_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/password') }}" # reporter mongo database -reporter_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/database') }}" +cyhy_feeds_reporter_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/database') }}" # scan-reader mongo username -scan_reader_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/user') }}" +cyhy_feeds_scan_reader_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/user') }}" # scan-reader mongo password -scan_reader_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/password') }}" 
+cyhy_feeds_scan_reader_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/password') }}" # scan-reader mongo database -scan_reader_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/database') }}" +cyhy_feeds_scan_reader_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/database') }}" # assessment-read mongo username -assessment_read_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/assessment-read/user') }}" +cyhy_feeds_assessment_read_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/assessment-read/user') }}" # assessment-read mongo password -assessment_read_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/assessment-read/password') }}" +cyhy_feeds_assessment_read_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/assessment-read/password') }}" # assessment-read mongo database -assessment_read_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/assessment-read/database') }}" +cyhy_feeds_assessment_read_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/assessment-read/database') }}" diff --git a/ansible/roles/cyhy_mailer/tasks/main.yml b/ansible/roles/cyhy_mailer/tasks/main.yml index d56d7058..81197609 100644 --- a/ansible/roles/cyhy_mailer/tasks/main.yml +++ b/ansible/roles/cyhy_mailer/tasks/main.yml @@ -33,7 +33,7 @@ - name: Create the CSA region-to-email mapping YAML file ansible.builtin.file: - content: "{{ csa_email_yaml }}" + content: "{{ cyhy_mailer_csa_email_yaml }}" dest: /var/cyhy/cyhy-mailer/secrets/csa_emails.yml group: cyhy mode: 0444 @@ -51,7 +51,7 @@ mode: 0664 owner: cyhy path: /var/cyhy/cyhy-mailer/docker-compose.override.yml - src: /var/cyhy/cyhy-mailer/{{ docker_compose_override_file_for_mailer }} + src: /var/cyhy/cyhy-mailer/{{ cyhy_mailer_docker_compose_override_file_for_mailer }} state: link # diff --git a/ansible/roles/cyhy_mailer/templates/aws_config.j2 b/ansible/roles/cyhy_mailer/templates/aws_config.j2 index 47c3ff6c..f4ddcfe6 100644 --- a/ansible/roles/cyhy_mailer/templates/aws_config.j2 +++ b/ansible/roles/cyhy_mailer/templates/aws_config.j2 
@@ -1,4 +1,4 @@ [default] credential_source = Ec2InstanceMetadata -region = {{ ses_aws_region }} -role_arn = {{ ses_send_email_role }} +region = {{ cyhy_mailer_ses_aws_region }} +role_arn = {{ cyhy_mailer_ses_send_email_role }} diff --git a/ansible/roles/cyhy_mailer/templates/database_creds.yml.j2 b/ansible/roles/cyhy_mailer/templates/database_creds.yml.j2 index d01dbb19..93ee2e90 100644 --- a/ansible/roles/cyhy_mailer/templates/database_creds.yml.j2 +++ b/ansible/roles/cyhy_mailer/templates/database_creds.yml.j2 @@ -1,5 +1,5 @@ --- database: - name: {{ reporter_db }} - uri: mongodb://{{ reporter_user }}:{{ reporter_pw }}@database1.cyhy:27017/{{ reporter_db }} + name: {{ cyhy_mailer_reporter_db }} + uri: mongodb://{{ cyhy_mailer_reporter_user }}:{{ cyhy_mailer_reporter_pw }}@database1.cyhy:27017/{{ cyhy_mailer_reporter_db }} version: "1" diff --git a/ansible/roles/cyhy_mailer/tests/test.yml b/ansible/roles/cyhy_mailer/tests/test.yml index a812a8f0..ae3632c6 100644 --- a/ansible/roles/cyhy_mailer/tests/test.yml +++ b/ansible/roles/cyhy_mailer/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - cyhy_mailer diff --git a/ansible/roles/cyhy_mailer/vars/main.yml b/ansible/roles/cyhy_mailer/vars/main.yml index a2572741..3288004e 100644 --- a/ansible/roles/cyhy_mailer/vars/main.yml +++ b/ansible/roles/cyhy_mailer/vars/main.yml 
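Review bot: In the database_creds.yml.j2 hunk the rename keeps the reporter password interpolated raw into the MongoDB URI and the whole value left as a plain YAML scalar, so a password containing `@`, `:` or `#` either breaks URI parsing or turns the line into a YAML parse error; the same raw interpolation appears in the cyhy_reporter `cyhy.conf.j2` hunk further down. Quoting the scalar and percent-encoding the credential parts, e.g. `uri: "mongodb://{{ cyhy_mailer_reporter_user | urlencode }}:{{ cyhy_mailer_reporter_pw | urlencode }}@database1.cyhy:27017/{{ cyhy_mailer_reporter_db }}"`, would make the rendered file robust; note that Jinja's `urlencode` leaves `/` unescaped, so a password containing one would still need separate handling. The `name:` line should likewise be quoted so a database name that looks like a number or boolean keeps its string type.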
@@ -1,9 +1,9 @@ --- # CSA region-to-email YAML mapping -csa_email_yaml: "{{ lookup('aws_ssm', '/cyhy/csa_email_yaml') }}" +cyhy_mailer_csa_email_yaml: "{{ lookup('aws_ssm', '/cyhy/csa_email_yaml') }}" # reporter mongo database -reporter_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/database') }}" +cyhy_mailer_reporter_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/database') }}" # reporter mongo password -reporter_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/password') }}" +cyhy_mailer_reporter_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/password') }}" # reporter mongo username -reporter_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/user') }}" +cyhy_mailer_reporter_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/user') }}" diff --git a/ansible/roles/cyhy_ops/tasks/main.yml b/ansible/roles/cyhy_ops/tasks/main.yml index b1733441..a07a1ada 100644 --- a/ansible/roles/cyhy_ops/tasks/main.yml +++ b/ansible/roles/cyhy_ops/tasks/main.yml @@ -26,4 +26,4 @@ mode: 0600 owner: cyhy_ops path: /home/cyhy_ops/.ssh/authorized_keys - loop: "{{ ops_users }}" + loop: "{{ cyhy_ops_users }}" diff --git a/ansible/roles/cyhy_ops/tests/test.yml b/ansible/roles/cyhy_ops/tests/test.yml index cb9f909c..2b81b74e 100644 --- a/ansible/roles/cyhy_ops/tests/test.yml +++ b/ansible/roles/cyhy_ops/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - cyhy_ops diff --git a/ansible/roles/cyhy_ops/vars/main.yml b/ansible/roles/cyhy_ops/vars/main.yml index a9fa7a33..e8f89790 100644 --- a/ansible/roles/cyhy_ops/vars/main.yml +++ b/ansible/roles/cyhy_ops/vars/main.yml @@ -1,3 +1,3 @@ --- # A list of the CyHy OPS users -ops_users: "{{ lookup('aws_ssm', '/cyhy/ops/users').split(',') }}" +cyhy_ops_users: "{{ lookup('aws_ssm', '/cyhy/ops/users').split(',') }}" 
diff --git a/ansible/roles/cyhy_reporter/tasks/main.yml b/ansible/roles/cyhy_reporter/tasks/main.yml index 10321ff4..b5ef73ff 100644 --- a/ansible/roles/cyhy_reporter/tasks/main.yml +++ b/ansible/roles/cyhy_reporter/tasks/main.yml @@ -58,4 +58,4 @@ groups: - cyhy name: "{{ item }}" - loop: "{{ dev_users }}" + loop: "{{ cyhy_reporter_dev_users }}" diff --git a/ansible/roles/cyhy_reporter/templates/cyhy.conf.j2 b/ansible/roles/cyhy_reporter/templates/cyhy.conf.j2 index 7d081f35..9cdfc27c 100644 --- a/ansible/roles/cyhy_reporter/templates/cyhy.conf.j2 +++ b/ansible/roles/cyhy_reporter/templates/cyhy.conf.j2 @@ -1,12 +1,12 @@ [DEFAULT] default-section = cyhy database-uri = mongodb://database1.cyhy:27017/ -report-key = {{ master_report_key }} +report-key = {{ cyhy_reporter_master_report_key }} [cyhy] -database-uri = mongodb://{{ commander_user }}:{{ commander_pw }}@database1.cyhy:27017/{{ commander_db }} -database-name = {{ commander_db }} +database-uri = mongodb://{{ cyhy_reporter_commander_user }}:{{ cyhy_reporter_commander_pw }}@database1.cyhy:27017/{{ cyhy_reporter_commander_db }} +database-name = {{ cyhy_reporter_commander_db }} [scan] -database-uri = mongodb://{{ scan_reader_user }}:{{ scan_reader_pw }}@database1.cyhy:27017/{{ scan_reader_db }} -database-name = {{ scan_reader_db }} +database-uri = mongodb://{{ cyhy_reporter_scan_reader_user }}:{{ cyhy_reporter_scan_reader_pw }}@database1.cyhy:27017/{{ cyhy_reporter_scan_reader_db }} +database-name = {{ cyhy_reporter_scan_reader_db }} diff --git a/ansible/roles/cyhy_reporter/tests/test.yml b/ansible/roles/cyhy_reporter/tests/test.yml index feac29cb..9ae9fa91 100644 --- a/ansible/roles/cyhy_reporter/tests/test.yml +++ b/ansible/roles/cyhy_reporter/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - cyhy_reporter 
diff --git a/ansible/roles/cyhy_reporter/vars/main.yml b/ansible/roles/cyhy_reporter/vars/main.yml index b37bbc5f..8df721e6 100644 --- a/ansible/roles/cyhy_reporter/vars/main.yml +++ b/ansible/roles/cyhy_reporter/vars/main.yml @@ -1,20 +1,20 @@ --- # The master key for all reports -master_report_key: "{{ lookup('aws_ssm', '/cyhy/master_report_key') }}" +cyhy_reporter_master_report_key: "{{ lookup('aws_ssm', '/cyhy/master_report_key') }}" # commander mongo username -commander_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/user') }}" +cyhy_reporter_commander_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/user') }}" # commander mongo password -commander_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/password') }}" +cyhy_reporter_commander_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/password') }}" # commander mongo database -commander_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/database') }}" +cyhy_reporter_commander_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/commander/database') }}" # scan-reader mongo username -scan_reader_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/user') }}" +cyhy_reporter_scan_reader_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/user') }}" # scan-reader mongo password -scan_reader_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/password') }}" +cyhy_reporter_scan_reader_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/password') }}" # scan-reader mongo database -scan_reader_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/database') }}" +cyhy_reporter_scan_reader_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/database') }}" # The development users -dev_users: "{{ lookup('aws_ssm', '/cyhy/dev/users').split(',') }}" +cyhy_reporter_dev_users: "{{ lookup('aws_ssm', '/cyhy/dev/users').split(',') }}" diff --git a/ansible/roles/groups/tasks/main.yml b/ansible/roles/groups/tasks/main.yml index 490c6d17..84cfbdce 100644 
--- a/ansible/roles/groups/tasks/main.yml +++ b/ansible/roles/groups/tasks/main.yml @@ -29,7 +29,7 @@ append: yes groups: cyhy name: "{{ item }}" - loop: "{{ dev_users }}" + loop: "{{ groups_dev_users }}" when: getent_group.cyhy is defined - name: Add dev users to the docker group @@ -37,5 +37,5 @@ append: yes groups: docker name: "{{ item }}" - loop: "{{ dev_users }}" + loop: "{{ groups_dev_users }}" when: getent_group.docker is defined diff --git a/ansible/roles/groups/tests/test.yml b/ansible/roles/groups/tests/test.yml index edb98a7c..3cbbf531 100644 --- a/ansible/roles/groups/tests/test.yml +++ b/ansible/roles/groups/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - groups diff --git a/ansible/roles/groups/vars/main.yml b/ansible/roles/groups/vars/main.yml index f246981e..e0b54c96 100644 --- a/ansible/roles/groups/vars/main.yml +++ b/ansible/roles/groups/vars/main.yml @@ -1,3 +1,3 @@ --- # The development users -dev_users: "{{ lookup('aws_ssm', '/cyhy/dev/users').split(',') }}" +groups_dev_users: "{{ lookup('aws_ssm', '/cyhy/dev/users').split(',') }}" diff --git a/ansible/roles/mgmt_ops/tasks/main.yml b/ansible/roles/mgmt_ops/tasks/main.yml index 5cc2c037..8877d88b 100644 --- a/ansible/roles/mgmt_ops/tasks/main.yml +++ b/ansible/roles/mgmt_ops/tasks/main.yml @@ -26,4 +26,4 @@ mode: 0600 owner: mgmt_ops path: /home/mgmt_ops/.ssh/authorized_keys - loop: "{{ ops_users }}" + loop: "{{ mgmt_ops_users }}" diff --git a/ansible/roles/mgmt_ops/tests/test.yml b/ansible/roles/mgmt_ops/tests/test.yml index 143b15d7..c5ccfd36 100644 --- a/ansible/roles/mgmt_ops/tests/test.yml +++ b/ansible/roles/mgmt_ops/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - mgmt_ops diff --git a/ansible/roles/mgmt_ops/vars/main.yml b/ansible/roles/mgmt_ops/vars/main.yml index 65eb2699..ca81d6d1 100644 
--- a/ansible/roles/mgmt_ops/vars/main.yml +++ b/ansible/roles/mgmt_ops/vars/main.yml @@ -1,3 +1,3 @@ --- # A list of the management OPS users -ops_users: "{{ lookup('aws_ssm', '/mgmt/ops/users').split(',') }}" +mgmt_ops_users: "{{ lookup('aws_ssm', '/mgmt/ops/users').split(',') }}" diff --git a/ansible/roles/mongo/defaults/main.yml b/ansible/roles/mongo/defaults/main.yml index 384230a0..eaa18661 100644 --- a/ansible/roles/mongo/defaults/main.yml +++ b/ansible/roles/mongo/defaults/main.yml @@ -1,2 +1,2 @@ --- -mongodb_data_root: /var/lib/mongodb +mongo_mongodb_data_root: /var/lib/mongodb diff --git a/ansible/roles/mongo/tasks/main.yml b/ansible/roles/mongo/tasks/main.yml index 163fb4d5..b515620b 100644 --- a/ansible/roles/mongo/tasks/main.yml +++ b/ansible/roles/mongo/tasks/main.yml 
@@ -20,37 +20,37 @@ - name: Create admin user in admin db (first user, no authentication) community.mongodb.mongodb_user: - database: "{{ admin_db }}" - name: "{{ admin_user }}" - password: "{{ admin_pw }}" - roles: "{{ admin_roles }}" + database: "{{ mongo_admin_db }}" + name: "{{ mongo_admin_user }}" + password: "{{ mongo_admin_pw }}" + roles: "{{ mongo_admin_roles }}" state: present when: mongo_check_for_mongo_users.rc == 0 - name: Update admin user in admin db (authenticate as admin) community.mongodb.mongodb_user: - database: "{{ admin_db }}" - login_database: "{{ admin_db }}" - login_password: "{{ admin_old_pw }}" - login_user: "{{ admin_user }}" - name: "{{ admin_user }}" - password: "{{ admin_pw }}" - roles: "{{ admin_roles }}" + database: "{{ mongo_admin_db }}" + login_database: "{{ mongo_admin_db }}" + login_password: "{{ mongo_admin_old_pw }}" + login_user: "{{ mongo_admin_user }}" + name: "{{ mongo_admin_user }}" + password: "{{ mongo_admin_pw }}" + roles: "{{ mongo_admin_roles }}" state: present when: mongo_check_for_mongo_users.rc != 0 - name: Update other users (authenticate as admin) community.mongodb.mongodb_user: database: "{{ lookup('aws_ssm', '/cyhy/mongo/users/' + item + '/database') }}" - login_database: "{{ admin_db }}" - login_password: "{{ admin_pw }}" - login_user: "{{ admin_user }}" + login_database: "{{ mongo_admin_db }}" + login_password: "{{ mongo_admin_pw }}" + login_user: "{{ mongo_admin_user }}" name: "{{ lookup('aws_ssm', '/cyhy/mongo/users/' + item + '/user') }}" password: "{{ lookup('aws_ssm', '/cyhy/mongo/users/' + item + '/password') }}" roles: "{{ lookup('aws_ssm', '/cyhy/mongo/users/' + item + '/roles').split(',') }}" state: present # Loop over all the users *except* for admin - loop: "{{ non_admin_users }}" + loop: "{{ mongo_non_admin_users }}" # ansible-lint throws a no-log-password on this task likely because # it is a module that needs password information and we are using a # loop. 
I would rather default to disabling logging than possibly diff --git a/ansible/roles/mongo/templates/mongod.conf b/ansible/roles/mongo/templates/mongod.conf index 847f0182..c37a8175 100644 --- a/ansible/roles/mongo/templates/mongod.conf +++ b/ansible/roles/mongo/templates/mongod.conf @@ -4,7 +4,7 @@ # https://docs.mongodb.com/manual/reference/configuration-options/ storage: - dbPath: "{{ mongodb_data_root }}" + dbPath: "{{ mongo_mongodb_data_root }}" engine: wiredTiger systemLog: @@ -26,7 +26,7 @@ net: mode: disabled security: - keyFile: "{{ mongodb_data_root }}/keyFile" + keyFile: "{{ mongo_mongodb_data_root }}/keyFile" # authorization # keyFile implies security.authorization # clusterAuthMode: diff --git a/ansible/roles/mongo/tests/test.yml b/ansible/roles/mongo/tests/test.yml index 660215d5..60b7e52b 100644 --- a/ansible/roles/mongo/tests/test.yml +++ b/ansible/roles/mongo/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - mongo diff --git a/ansible/roles/mongo/vars/main.yml b/ansible/roles/mongo/vars/main.yml index bad82a93..99e07a09 100644 --- a/ansible/roles/mongo/vars/main.yml +++ b/ansible/roles/mongo/vars/main.yml 
@@ -1,14 +1,14 @@ --- # admin mongo username -admin_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/admin/user') }}" +mongo_admin_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/admin/user') }}" # Old admin mongo password -admin_old_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/admin/old_password') }}" +mongo_admin_old_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/admin/old_password') }}" # admin mongo password -admin_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/admin/password') }}" +mongo_admin_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/admin/password') }}" # admin mongo database -admin_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/admin/database') }}" +mongo_admin_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/admin/database') }}" # admin mongo roles -admin_roles: "{{ lookup('aws_ssm', '/cyhy/mongo/users/admin/roles').split(',') }}" +mongo_admin_roles: "{{ lookup('aws_ssm', '/cyhy/mongo/users/admin/roles').split(',') }}" # Non-admin MongoDB users -non_admin_users: "{{ lookup('aws_ssm', '/cyhy/mongo/users', shortnames=false, recursive=true, bypath=true) | dict2items | map(attribute='key') | map('regex_replace', '^/cyhy/mongo/users/([^/]*).*', '\\1') | unique | reject('equalto', 'admin') | list }}" +mongo_non_admin_users: "{{ lookup('aws_ssm', '/cyhy/mongo/users', shortnames=false, recursive=true, bypath=true) | dict2items | map(attribute='key') | map('regex_replace', '^/cyhy/mongo/users/([^/]*).*', '\\1') | unique | reject('equalto', 'admin') | list }}" diff --git a/ansible/roles/nessus/tasks/main.yml b/ansible/roles/nessus/tasks/main.yml index 4f58550d..12629bc7 100644 --- a/ansible/roles/nessus/tasks/main.yml +++ b/ansible/roles/nessus/tasks/main.yml 
@@ -60,16 +60,16 @@ ansible.builtin.apt: name: python3-pexpect state: present - when: username not in nessus_users.stdout + when: nessus_username not in nessus_users.stdout - name: Create scanner user if necessary ansible.builtin.expect: - command: "/opt/nessus/sbin/nessuscli adduser {{ username }}" + command: "/opt/nessus/sbin/nessuscli adduser {{ nessus_username }}" responses: administrator: y BLANK: "" - password: "{{ password }}" - when: username not in nessus_users.stdout + password: "{{ nessus_password }}" + when: nessus_username not in nessus_users.stdout - name: Update plugins # This task is only run as part of a block that checks if a license key diff --git a/ansible/roles/nessus/templates/cyhy-base-nessus8-policy.xml.j2 b/ansible/roles/nessus/templates/cyhy-base-nessus8-policy.xml.j2 index d8e95456..de6a6099 100644 --- a/ansible/roles/nessus/templates/cyhy-base-nessus8-policy.xml.j2 +++ b/ansible/roles/nessus/templates/cyhy-base-nessus8-policy.xml.j2 @@ -4,7 +4,7 @@ This scan policy is based off of the "External Network Scan" distributed by the Tenable Policy Distribution Service. See the CyHy version control system for history, changes and the latest version of this policy. private -{{ username }} +{{ nessus_username }} @@ -494,7 +494,7 @@ entry From address : nobody@example.edu -CyHyTesting@{{ smtp_hostname }} +CyHyTesting@{{ nessus_smtp_hostname }} 11038 @@ -503,7 +503,7 @@ entry Third party domain : example.edu -{{ smtp_hostname }} +{{ nessus_smtp_hostname }} 11149 diff --git a/ansible/roles/nessus/templates/nessus_api.yml.j2 b/ansible/roles/nessus/templates/nessus_api.yml.j2 index 32a09ba9..4c2a9c8b 100644 --- a/ansible/roles/nessus/templates/nessus_api.yml.j2 +++ b/ansible/roles/nessus/templates/nessus_api.yml.j2 @@ -1,7 +1,7 @@ --- credentials: - password: {{ password }} - username: {{ username }} + password: {{ nessus_password }} + username: {{ nessus_username }} policy: name: cyhy-base source: /tmp/cyhy-base-nessus8-policy.xml 
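Review bot: In the nessus_api.yml.j2 hunk the renamed `password: {{ nessus_password }}` and `username: {{ nessus_username }}` are still rendered as unquoted YAML scalars, so a secret beginning with `*`, `&`, `[`, `{` or `#`, or containing `: ` or ` #`, either fails to parse or is silently mis-typed when the consumer loads the file. Rendering them as JSON-quoted strings, `password: {{ nessus_password | to_json }}` and `username: {{ nessus_username | to_json }}`, produces valid double-quoted YAML for any value, since JSON strings are a subset of YAML.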
diff --git a/ansible/roles/nessus/tests/test.yml b/ansible/roles/nessus/tests/test.yml index 93540085..942762fd 100644 --- a/ansible/roles/nessus/tests/test.yml +++ b/ansible/roles/nessus/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - nessus diff --git a/ansible/roles/nessus/vars/main.yml b/ansible/roles/nessus/vars/main.yml index 01bf4015..2bdff8f5 100644 --- a/ansible/roles/nessus/vars/main.yml +++ b/ansible/roles/nessus/vars/main.yml @@ -1,5 +1,5 @@ --- # The Nessus username -username: "{{ lookup('aws_ssm', '/cyhy/nessus/username') }}" +nessus_username: "{{ lookup('aws_ssm', '/cyhy/nessus/username') }}" # The Nessus password -password: "{{ lookup('aws_ssm', '/cyhy/nessus/password') }}" +nessus_password: "{{ lookup('aws_ssm', '/cyhy/nessus/password') }}" diff --git a/ansible/roles/orchestrator/tasks/main.yml b/ansible/roles/orchestrator/tasks/main.yml index 2b93f613..3bc50a16 100644 --- a/ansible/roles/orchestrator/tasks/main.yml +++ b/ansible/roles/orchestrator/tasks/main.yml 
@@ -19,20 +19,20 @@ src: mongodb_credentials.yml.j2 loop: # reporter - - database: "{{ reporter_db }}" + - database: "{{ orchestrator_reporter_db }}" filename: cyhy_read_creds.yml - username: "{{ reporter_user }}" - password: "{{ reporter_pw }}" + username: "{{ orchestrator_reporter_user }}" + password: "{{ orchestrator_reporter_pw }}" # scan-reader - - database: "{{ scan_reader_db }}" + - database: "{{ orchestrator_scan_reader_db }}" filename: scan_read_creds.yml - username: "{{ scan_reader_user }}" - password: "{{ scan_reader_pw }}" + username: "{{ orchestrator_scan_reader_user }}" + password: "{{ orchestrator_scan_reader_pw }}" # scan-writer - - database: "{{ scan_writer_db }}" + - database: "{{ orchestrator_scan_writer_db }}" filename: scan_write_creds.yml - username: "{{ scan_writer_user }}" - password: "{{ scan_writer_pw }}" + username: "{{ orchestrator_scan_writer_user }}" + password: "{{ orchestrator_scan_writer_pw }}" loop_control: label: "{{ item.filename }}" diff --git a/ansible/roles/orchestrator/templates/aws_config.j2 b/ansible/roles/orchestrator/templates/aws_config.j2 index 02466bf9..7a490fc2 100644 --- a/ansible/roles/orchestrator/templates/aws_config.j2 +++ b/ansible/roles/orchestrator/templates/aws_config.j2 @@ -1,7 +1,7 @@ [profile lambda] -region = {{ aws_region }} +region = {{ orchestrator_aws_region }} [profile elasticsearch] credential_source = Ec2InstanceMetadata -region = {{ dmarc_import_aws_region }} -role_arn = {{ dmarc_import_es_role }} +region = {{ orchestrator_dmarc_import_aws_region }} +role_arn = {{ orchestrator_dmarc_import_es_role }} diff --git a/ansible/roles/orchestrator/tests/test.yml b/ansible/roles/orchestrator/tests/test.yml index 866591a6..4f24875a 100644 --- a/ansible/roles/orchestrator/tests/test.yml +++ b/ansible/roles/orchestrator/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - orchestrator 
diff --git a/ansible/roles/orchestrator/vars/main.yml b/ansible/roles/orchestrator/vars/main.yml index 1da1f051..496b931f 100644 --- a/ansible/roles/orchestrator/vars/main.yml +++ b/ansible/roles/orchestrator/vars/main.yml 
@@ -1,21 +1,21 @@ --- # reporter mongo username -reporter_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/user') }}" +orchestrator_reporter_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/user') }}" # reporter mongo password -reporter_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/password') }}" +orchestrator_reporter_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/password') }}" # reporter mongo database -reporter_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/database') }}" +orchestrator_reporter_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/reporter/database') }}" # scan-reader mongo username -scan_reader_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/user') }}" +orchestrator_scan_reader_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/user') }}" # scan-reader mongo password -scan_reader_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/password') }}" +orchestrator_scan_reader_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/password') }}" # scan-reader mongo database -scan_reader_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/database') }}" +orchestrator_scan_reader_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-reader/database') }}" # scan-writer mongo username -scan_writer_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-writer/user') }}" +orchestrator_scan_writer_user: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-writer/user') }}" # scan-writer mongo password -scan_writer_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-writer/password') }}" +orchestrator_scan_writer_pw: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-writer/password') }}" # scan-writer mongo database -scan_writer_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-writer/database') }}" +orchestrator_scan_writer_db: "{{ lookup('aws_ssm', '/cyhy/mongo/users/scan-writer/database') }}" diff --git a/ansible/roles/swap/defaults/main.yml b/ansible/roles/swap/defaults/main.yml index 1c8d3731..493bcd58 100644 
--- a/ansible/roles/swap/defaults/main.yml +++ b/ansible/roles/swap/defaults/main.yml @@ -1,3 +1,3 @@ --- -swapfile_location: /swapfile -swapfile_size: 2GiB +swap_swapfile_location: /swapfile +swap_swapfile_size: 2GiB diff --git a/ansible/roles/swap/tasks/main.yml b/ansible/roles/swap/tasks/main.yml index 1787877e..f890a3d6 100644 --- a/ansible/roles/swap/tasks/main.yml +++ b/ansible/roles/swap/tasks/main.yml @@ -7,25 +7,25 @@ - name: Allocate swapfile ansible.builtin.command: - cmd: "fallocate --length {{ swapfile_size }} {{ swapfile_location }}" - creates: "{{ swapfile_location }}" + cmd: "fallocate --length {{ swap_swapfile_size }} {{ swap_swapfile_location }}" + creates: "{{ swap_swapfile_location }}" register: swap_allocate_swapfile - name: Set swapfile permissions ansible.builtin.file: mode: 0600 - path: "{{ swapfile_location }}" + path: "{{ swap_swapfile_location }}" - name: Create swapfile ansible.builtin.command: # noqa no-handler - cmd: mkswap {{ swapfile_location }} + cmd: mkswap {{ swap_swapfile_location }} changed_when: swap_create_swapfile.rc == 0 register: swap_create_swapfile when: swap_allocate_swapfile is changed - name: Enable swapfile ansible.builtin.command: # noqa no-handler - cmd: swapon {{ swapfile_location }} + cmd: swapon {{ swap_swapfile_location }} changed_when: swap_enable_swapfile.rc == 0 register: swap_enable_swapfile when: swap_create_swapfile is changed @@ -35,5 +35,5 @@ fstype: swap name: none opts: sw - src: "{{ swapfile_location }}" + src: "{{ swap_swapfile_location }}" state: present diff --git a/ansible/roles/swap/tests/test.yml b/ansible/roles/swap/tests/test.yml index 7e1de880..54da1e0d 100644 --- a/ansible/roles/swap/tests/test.yml +++ b/ansible/roles/swap/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - swap 
diff --git a/ansible/roles/vdp_scanner/tests/test.yml b/ansible/roles/vdp_scanner/tests/test.yml index 4240c646..2304fe8e 100644 --- a/ansible/roles/vdp_scanner/tests/test.yml +++ b/ansible/roles/vdp_scanner/tests/test.yml @@ -1,6 +1,6 @@ --- -- hosts: localhost - name: Test the role +- name: Test the role + hosts: localhost remote_user: root roles: - vdp_scanner diff --git a/packer/ansible/aws.yml b/packer/ansible/aws.yml index d2c68dee..f1f63905 100644 --- a/packer/ansible/aws.yml +++ b/packer/ansible/aws.yml @@ -1,6 +1,6 @@ --- -- hosts: all - name: AWS-specific roles +- name: AWS-specific roles + hosts: all become: yes become_method: ansible.builtin.sudo roles: diff --git a/packer/ansible/base.yml b/packer/ansible/base.yml index 27736a82..1bb01787 100644 --- a/packer/ansible/base.yml +++ b/packer/ansible/base.yml @@ -1,6 +1,6 @@ --- -- hosts: all - name: Setup base image +- name: Setup base image + hosts: all become: yes become_method: ansible.builtin.sudo roles: diff --git a/packer/ansible/bod.yml b/packer/ansible/bod.yml index a94ed140..7eb83980 100644 --- a/packer/ansible/bod.yml +++ b/packer/ansible/bod.yml @@ -1,6 +1,6 @@ --- -- hosts: bod - name: Configure host for BOD 18-01 scanning and reporting +- name: Configure host for BOD 18-01 scanning and reporting + hosts: bod become: yes become_method: ansible.builtin.sudo roles: diff --git a/packer/ansible/bookworm.yml b/packer/ansible/bookworm.yml index 86c8e30b..625688e4 100644 --- a/packer/ansible/bookworm.yml +++ b/packer/ansible/bookworm.yml @@ -1,6 +1,6 @@ --- -- hosts: bastion,docker,nessus,nmap - name: Perform additional tasks to support Debian Bookworm +- name: Perform additional tasks to support Debian Bookworm + hosts: bastion,docker,nessus,nmap become: yes become_method: ansible.builtin.sudo tasks: diff --git a/packer/ansible/client_cert.yml b/packer/ansible/client_cert.yml index a50d0b34..2ba75eab 100644 --- a/packer/ansible/client_cert.yml +++ b/packer/ansible/client_cert.yml 
@@ -1,6 +1,6 @@ --- -- hosts: client_cert - name: Configure host for client cert auth updating +- name: Configure host for client cert auth updating + hosts: client_cert become: yes become_method: ansible.builtin.sudo roles: diff --git a/packer/ansible/code_gov.yml b/packer/ansible/code_gov.yml index 0b5c7452..fff2dc22 100644 --- a/packer/ansible/code_gov.yml +++ b/packer/ansible/code_gov.yml @@ -1,6 +1,6 @@ --- -- hosts: code_gov - name: Configure host for code.gov updating +- name: Configure host for code.gov updating + hosts: code_gov become: yes become_method: ansible.builtin.sudo roles: diff --git a/packer/ansible/create_credentials_directory.yml b/packer/ansible/create_credentials_directory.yml index 3b3ab0e6..b8d093da 100644 --- a/packer/ansible/create_credentials_directory.yml +++ b/packer/ansible/create_credentials_directory.yml @@ -1,6 +1,6 @@ --- -- hosts: cyhy_commander,cyhy_dashboard,cyhy_reporter,nessus - name: Create the directory used for cyhy-commander, cyhy-core, and Nessus credentials +- name: Create the directory used for cyhy-commander, cyhy-core, and Nessus credentials + hosts: cyhy_commander,cyhy_dashboard,cyhy_reporter,nessus become: yes become_method: ansible.builtin.sudo tasks: diff --git a/packer/ansible/create_cyhy_user.yml b/packer/ansible/create_cyhy_user.yml index 547b7699..c24bd271 100644 --- a/packer/ansible/create_cyhy_user.yml +++ b/packer/ansible/create_cyhy_user.yml @@ -1,8 +1,8 @@ --- # The bastion is the only instance that does not need a cyhy user for # operational functionality. -- hosts: all:!bastion - name: Create the cyhy user and set up SSH access +- name: Create the cyhy user and set up SSH access + hosts: all:!bastion become: yes become_method: ansible.builtin.sudo tasks: diff --git a/packer/ansible/cyhy_archive.yml b/packer/ansible/cyhy_archive.yml index 5f1aea84..69ebcf41 100644 --- a/packer/ansible/cyhy_archive.yml +++ b/packer/ansible/cyhy_archive.yml 
@@ -1,6 +1,6 @@
 ---
-- hosts: cyhy_archive
- name: Install cyhy-archive helper script
+- name: Install cyhy-archive helper script
+ hosts: cyhy_archive
 become: yes
 become_method: ansible.builtin.sudo
 roles:
diff --git a/packer/ansible/cyhy_commander.yml b/packer/ansible/cyhy_commander.yml
index 3ed58604..0b6197ab 100644
--- a/packer/ansible/cyhy_commander.yml
+++ b/packer/ansible/cyhy_commander.yml
@@ -1,6 +1,6 @@
 ---
-- hosts: cyhy_commander
- name: Install and configure cyhy-commander
+- name: Install and configure cyhy-commander
+ hosts: cyhy_commander
 become: yes
 become_method: ansible.builtin.sudo
 roles:
diff --git a/packer/ansible/cyhy_dashboard.yml b/packer/ansible/cyhy_dashboard.yml
index affa03c2..e35065cf 100644
--- a/packer/ansible/cyhy_dashboard.yml
+++ b/packer/ansible/cyhy_dashboard.yml
@@ -1,6 +1,6 @@
 ---
-- hosts: cyhy_dashboard
- name: Install and configure the CyHy dashboard
+- name: Install and configure the CyHy dashboard
+ hosts: cyhy_dashboard
 become: yes
 become_method: ansible.builtin.sudo
 roles:
diff --git a/packer/ansible/cyhy_feeds.yml b/packer/ansible/cyhy_feeds.yml
index 6f04d695..f06db130 100644
--- a/packer/ansible/cyhy_feeds.yml
+++ b/packer/ansible/cyhy_feeds.yml
@@ -1,6 +1,6 @@
 ---
-- hosts: cyhy_feeds
- name: Install cyhy-feeds
+- name: Install cyhy-feeds
+ hosts: cyhy_feeds
 become: yes
 become_method: ansible.builtin.sudo
 roles:
diff --git a/packer/ansible/cyhy_reporter.yml b/packer/ansible/cyhy_reporter.yml
index 3aa09035..058ad60c 100644
--- a/packer/ansible/cyhy_reporter.yml
+++ b/packer/ansible/cyhy_reporter.yml
@@ -1,6 +1,6 @@
 ---
-- hosts: cyhy_reporter
- name: Install and configure cyhy-reports
+- name: Install and configure cyhy-reports
+ hosts: cyhy_reporter
 become: yes
 become_method: ansible.builtin.sudo
 roles:
diff --git a/packer/ansible/mongo.yml b/packer/ansible/mongo.yml
index 3e61e8b0..e3f0f9c2 100644
--- a/packer/ansible/mongo.yml
+++ b/packer/ansible/mongo.yml
@@ -1,6 +1,6 @@
 ---
-- hosts: mongo
- name: Install and configure MongoDB and xfsprogs
+- name: Install and configure MongoDB and xfsprogs
+ hosts: mongo
 become: yes
 become_method: ansible.builtin.sudo
 roles:
diff --git a/packer/ansible/nessus.yml b/packer/ansible/nessus.yml
index fe9da7c9..de476924 100644
--- a/packer/ansible/nessus.yml
+++ b/packer/ansible/nessus.yml
@@ -1,6 +1,6 @@
 ---
-- hosts: nessus
- name: Install and configure Nessus
+- name: Install and configure Nessus
+ hosts: nessus
 become: yes
 become_method: ansible.builtin.sudo
 roles:
diff --git a/packer/ansible/nmap.yml b/packer/ansible/nmap.yml
index 6e40095c..7cc070d3 100644
--- a/packer/ansible/nmap.yml
+++ b/packer/ansible/nmap.yml
@@ -1,6 +1,6 @@
 ---
-- hosts: nmap
- name: Install nmap
+- name: Install nmap
+ hosts: nmap
 become: yes
 become_method: ansible.builtin.sudo
 roles:
diff --git a/packer/ansible/python.yml b/packer/ansible/python.yml
index 01795b09..a57dd097 100644
--- a/packer/ansible/python.yml
+++ b/packer/ansible/python.yml
@@ -1,6 +1,6 @@
 ---
-- hosts: all
- name: Install Python and Pip
+- name: Install Python and Pip
+ hosts: all
 become: yes
 become_method: ansible.builtin.sudo
 roles:
@@ -20,8 +20,8 @@
 #
 # Amazon Linux 2 is antiquated and requires Python 2 to function, and
 # the remove_python2 Ansible role is a no-op on that platform.
-- hosts: bastion,docker,nessus,nmap
- name: Remove Python 2
+- name: Remove Python 2
+ hosts: bastion,docker,nessus,nmap
 become: yes
 become_method: ansible.builtin.sudo
 roles:
diff --git a/packer/ansible/upgrade.yml b/packer/ansible/upgrade.yml
index 028470c1..e74b8734 100644
--- a/packer/ansible/upgrade.yml
+++ b/packer/ansible/upgrade.yml
@@ -1,6 +1,6 @@
 ---
-- hosts: all
- name: Set up backports, apt over HTTPS, and upgrade base image
+- name: Set up backports, apt over HTTPS, and upgrade base image
+ hosts: all
 become: yes
 become_method: ansible.builtin.sudo
 roles:
diff --git a/packer/ansible/vdp_scan.yml b/packer/ansible/vdp_scan.yml
index 48b2a7a9..37e17022 100644
--- a/packer/ansible/vdp_scan.yml
+++ b/packer/ansible/vdp_scan.yml
@@ -1,6 +1,6 @@
 ---
-- hosts: vdp_scan
- name: Configure host for BOD 20-01 VDP scanning
+- name: Configure host for BOD 20-01 VDP scanning
+ hosts: vdp_scan
 become: yes
 become_method: ansible.builtin.sudo
 roles:
diff --git a/setup-env b/setup-env
index 77926bf8..3a22d439 100755
--- a/setup-env
+++ b/setup-env
@@ -9,60 +9,76 @@ USAGE=$( Configure a development environment for this repository. It does the following: + - Allows the user to specify the Python version to use for the virtual environment. + - Allows the user to specify a name for the virtual environment. - Verifies pyenv and pyenv-virtualenv are installed. - - Creates a Python virtual environment. + - Creates the Python virtual environment. - Configures the activation of the virtual enviroment for the repo directory. - Installs the requirements needed for development. - Installs git pre-commit hooks. - - Configures git upstream remote "lineage" repositories. + - Configures git remotes for upstream "lineage" repositories. Usage: - setup-env [options] [virt_env_name] + setup-env [--venv-name venv_name] [--python-version python_version] setup-env (-h | --help) Options: - -f --force Delete virtual enviroment if it already exists. - -h --help Show this message. - -i --install-hooks Install hook environments for all environments in the - pre-commit config file. + -f | --force Delete virtual enviroment if it already exists. + -h | --help Show this message. + -i | --install-hooks Install hook environments for all environments in the + pre-commit config file. + -l | --list-versions List available Python versions and select one interactively. + -v | --venv-name Specify the name of the virtual environment. + -p | --python-version Specify the Python version for the virtual environment. 
END_OF_LINE ) +# Display pyenv's installed Python versions +python_versions() { + pyenv versions --bare --skip-aliases --skip-envs +} + # Flag to force deletion and creation of virtual environment FORCE=0 -# Positional parameters -PARAMS="" +# Initialize the other flags +INSTALL_HOOKS=0 +LIST_VERSIONS=0 +PYTHON_VERSION="" +VENV_NAME="" -# Parse command line arguments -while (("$#")); do - case "$1" in - -f | --force) - FORCE=1 - shift - ;; - -h | --help) - echo "${USAGE}" - exit 0 - ;; - -i | --install-hooks) - INSTALL_HOOKS=1 - shift - ;; - -*) # unsupported flags - echo "Error: Unsupported flag $1" >&2 - exit 1 - ;; - *) # preserve positional arguments - PARAMS="$PARAMS $1" - shift - ;; - esac -done +# Define long options +LONGOPTS="force,help,install-hooks,list-versions,python-version:,venv-name:" + +# Define short options for getopt +SHORTOPTS="fhilp:v:" + +# Check for GNU getopt by matching a specific pattern ("getopt from util-linux") +# in its version output. This approach presumes the output format remains stable. +# Be aware that format changes could invalidate this check. +if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then + cat << 'END_OF_LINE' + + Please note, this script requires GNU getopt due to its enhanced + functionality and compatibility with certain script features that + are not supported by the POSIX getopt found in some systems, particularly + those with a non-GNU version of getopt. This distinction is crucial + as a system might have a non-GNU version of getopt installed by default, + which could lead to unexpected behavior. -# set positional arguments in their proper place -eval set -- "$PARAMS" + On macOS, we recommend installing brew (https://brew.sh/). 
Then installation + is as simple as `brew install gnu-getopt` and adding this to your + profile: + + export PATH="$(brew --prefix)/opt/gnu-getopt/bin:$PATH" + + GNU getopt must be explicitly added to the PATH since it + is keg-only (https://docs.brew.sh/FAQ#what-does-keg-only-mean). + +END_OF_LINE + exit 1 +fi # Check to see if pyenv is installed if [ -z "$(command -v pyenv)" ] || { [ -z "$(command -v pyenv-virtualenv)" ] && [ ! -f "$(pyenv root)/plugins/pyenv-virtualenv/bin/pyenv-virtualenv" ]; }; then @@ -70,7 +86,7 @@ if [ -z "$(command -v pyenv)" ] || { [ -z "$(command -v pyenv-virtualenv)" ] && if [[ "$OSTYPE" == "darwin"* ]]; then cat << 'END_OF_LINE' - On the Mac, we recommend installing brew, https://brew.sh/. Then installation + On macOS, we recommend installing brew, https://brew.sh/. Then installation is as simple as `brew install pyenv pyenv-virtualenv` and adding this to your profile: @@ -81,7 +97,7 @@ END_OF_LINE fi cat << 'END_OF_LINE' - For Linux, Windows Subsystem for Linux (WSL), or on the Mac (if you don't want + For Linux, Windows Subsystem for Linux (WSL), or macOS (if you don't want to use "brew") you can use https://github.com/pyenv/pyenv-installer to install the necessary tools. Before running this ensure that you have installed the prerequisites for your platform according to the pyenv wiki page, 
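Review bot: The synopsis `setup-env [--venv-name venv_name] [--python-version python_version]` names only two of the six switches documented in the Options table directly beneath it, so `-f`, `-i` and `-l` look unsupported to a reader who stops at the Usage line; either the removed form `setup-env [options]` or a synopsis that lists every flag keeps the two in step. The Options table also places `-v | --venv-name` ahead of `-p | --python-version`, the one entry out of alphabetical order, which is worth swapping while the text is being touched.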
@@ -100,16 +116,88 @@ END_OF_LINE
 exit 1
 fi
-set +o nounset
+# Use GNU getopt to parse options
+if ! PARSED=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS --name "$0" -- "$@"); then
+ echo "Error parsing options"
+ exit 1
+fi
+eval set -- "$PARSED"
+
+while true; do
+ case "$1" in
+ -f | --force)
+ FORCE=1
+ shift
+ ;;
+ -h | --help)
+ echo "$USAGE"
+ exit 0
+ ;;
+ -i | --install-hooks)
+ INSTALL_HOOKS=1
+ shift
+ ;;
+ -l | --list-versions)
+ LIST_VERSIONS=1
+ shift
+ ;;
+ -p | --python-version)
+ PYTHON_VERSION="$2"
+ shift 2
+ # Check the Python versions being passed in.
+ if [ -n "${PYTHON_VERSION+x}" ]; then
+ if python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then
+ echo Using Python version "$PYTHON_VERSION"
+ else
+ echo Error: Python version "$PYTHON_VERSION" is not installed.
+ echo Installed Python versions are:
+ python_versions
+ exit 1
+ fi
+ fi
+ ;;
+ -v | --venv-name)
+ VENV_NAME="$2"
+ shift 2
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *)
+ # Unreachable due to GNU getopt handling all options
+ echo "Programming error"
+ exit 64
+ ;;
+ esac
+done
+
 # Determine the virtual environment name
-if [ "$1" ]; then
+if [ -n "$VENV_NAME" ]; then
 # Use the user-provided environment name
- env_name=$1
+ env_name="$VENV_NAME"
 else
 # Set the environment name to the last part of the working directory.
 env_name=${PWD##*/}
 fi
-set -o nounset
+
+# List Python versions and select one interactively.
+if [ $LIST_VERSIONS -ne 0 ]; then
+ echo Available Python versions:
+ python_versions
+ # Read the user's desired Python version.
+ # -r: treat backslashes as literal, -p: display prompt before input.
+ read -r -p "Enter the desired Python version: " PYTHON_VERSION
+ # Check the Python versions being passed in.
+ if [ -n "${PYTHON_VERSION+x}" ]; then
+ if python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then
+ echo Using Python version "$PYTHON_VERSION"
+ else
+ echo Error: Python version "$PYTHON_VERSION" is not installed.
+ exit 1 + fi + fi +fi # Remove any lingering local configuration. if [ $FORCE -ne 0 ]; then @@ -118,7 +206,7 @@ if [ $FORCE -ne 0 ]; then elif [[ -f .python-version ]]; then cat << 'END_OF_LINE' An existing .python-version file was found. Either remove this file yourself - or re-run with --force option to have it deleted along with the associated + or re-run with the --force option to have it deleted along with the associated virtual environment. rm .python-version @@ -128,10 +216,18 @@ END_OF_LINE fi # Create a new virtual environment for this project -if ! pyenv virtualenv "${env_name}"; then +# +# If $PYTHON_VERSION is undefined then the current pyenv Python version will be used. +# +# We can't quote ${PYTHON_VERSION:=} below since if the variable is +# undefined then we want nothing to appear; this is the reason for the +# "shellcheck disable" line below. +# +# shellcheck disable=SC2086 +if ! pyenv virtualenv ${PYTHON_VERSION:=} "${env_name}"; then cat << END_OF_LINE An existing virtual environment named $env_name was found. Either delete this - environment yourself or re-run with --force option to have it deleted. + environment yourself or re-run with the --force option to have it deleted. pyenv virtualenv-delete ${env_name} diff --git a/terraform/bod_docker_ec2.tf b/terraform/bod_docker_ec2.tf index 4f174455..611eb302 100644 --- a/terraform/bod_docker_ec2.tf +++ b/terraform/bod_docker_ec2.tf 
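Review bot: `if [ -n "${PYTHON_VERSION+x}" ]; then` in the `-p | --python-version` case, and again in the `--list-versions` block, is always true: `${VAR+x}` expands to `x` whenever the variable is set, and `PYTHON_VERSION` is assigned on the line just above it (and initialized to an empty string earlier in the script), so an empty `-p ''` or an empty interactive answer goes into the grep check and fails instead of falling back to the current pyenv version that the comment in the following hunk promises; the intended guard is `if [ -n "$PYTHON_VERSION" ]; then`. The check `grep -E "^${PYTHON_VERSION}$" > /dev/null` also treats the user's value as a regular expression, so an input such as `3.*` is accepted as installed and then reaches the unquoted `pyenv virtualenv ${PYTHON_VERSION:=}` in the next hunk, where the shell may glob-expand it; `grep -Fxq -- "$PYTHON_VERSION"` gives an exact, quiet match and makes the `> /dev/null` redundant. Because the validation block is duplicated verbatim at both sites, a small function next to `python_versions` (say `validate_python_version`) would keep the two copies from drifting. Note too that when both `-p` and `-l` are given, the interactive answer silently replaces the value already validated for `-p`.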
@@ -163,18 +163,22 @@ module "bod_docker_ansible_provisioner" {
 ]
 dry_run = false
 envs = [
- "aws_region=${var.aws_region}",
 "bastion_host=${aws_instance.bod_bastion.public_ip}",
- "dmarc_import_aws_region=${var.dmarc_import_aws_region}",
- "dmarc_import_es_role=${var.dmarc_import_es_role_arn}",
+ "client_cert_update_ses_aws_region=${var.ses_aws_region}",
+ "client_cert_update_ses_send_email_role=${var.ses_role_arn}",
+ "code_gov_update_ses_aws_region=${var.ses_aws_region}",
+ "code_gov_update_ses_send_email_role=${var.ses_role_arn}",
 # This file will be used to add/override any settings in
 # docker-compose.yml (for cyhy-mailer).
- "docker_compose_override_file_for_mailer=${var.docker_mailer_override_filename}",
+ "cyhy_mailer_docker_compose_override_file_for_mailer=${var.docker_mailer_override_filename}",
+ "cyhy_mailer_ses_aws_region=${var.ses_aws_region}",
+ "cyhy_mailer_ses_send_email_role=${var.ses_role_arn}",
 "host=${aws_instance.bod_docker.private_ip}",
 "host_groups=docker,bod_docker",
+ "orchestrator_aws_region=${var.aws_region}",
+ "orchestrator_dmarc_import_aws_region=${var.dmarc_import_aws_region}",
+ "orchestrator_dmarc_import_es_role=${var.dmarc_import_es_role_arn}",
 "production_workspace=${local.production_workspace}",
- "ses_aws_region=${var.ses_aws_region}",
- "ses_send_email_role=${var.ses_role_arn}",
 ]
 playbook = "../ansible/playbook.yml"
 }
diff --git a/terraform/cyhy_mongo_ec2.tf b/terraform/cyhy_mongo_ec2.tf
index efe50b8c..8c4696b0 100644
--- a/terraform/cyhy_mongo_ec2.tf
+++ b/terraform/cyhy_mongo_ec2.tf
@@ -183,19 +183,19 @@ module "cyhy_mongo_ansible_provisioner" {
 dry_run = false
 envs = [
 "ANSIBLE_SSH_RETRIES=5",
- "aws_region=${var.aws_region}",
 "bastion_host=${aws_instance.cyhy_bastion.public_ip}",
 "cyhy_archive_s3_bucket_name=${aws_s3_bucket.cyhy_archive.bucket}",
 "cyhy_archive_s3_bucket_region=${var.aws_region}",
- "dmarc_import_aws_region=${var.dmarc_import_aws_region}",
- "dmarc_import_es_role=${var.dmarc_import_es_role_arn}",
+ "cyhy_commander_jobs_per_nessus_host=${var.commander_config.jobs_per_nessus_host}",
+ "cyhy_commander_jobs_per_nmap_host=${var.commander_config.jobs_per_nmap_host}",
+ "cyhy_commander_nessus_hosts=${join(",", formatlist("vulnscan%d", range(1, var.nessus_instance_count + 1)))}",
+ "cyhy_commander_next_scan_limit=${var.commander_config.next_scan_limit}",
+ "cyhy_commander_nmap_hosts=${join(",", formatlist("portscan%d", range(1, var.nmap_instance_count + 1)))}",
+ "cyhy_feeds_aws_region=${var.aws_region}",
+ "cyhy_feeds_dmarc_import_aws_region=${var.dmarc_import_aws_region}",
+ "cyhy_feeds_dmarc_import_es_role=${var.dmarc_import_es_role_arn}",
 "host=${aws_instance.cyhy_mongo[count.index].private_ip}",
 "host_groups=mongo,cyhy_commander,cyhy_archive",
- "jobs_per_nessus_host=${var.commander_config.jobs_per_nessus_host}",
- "jobs_per_nmap_host=${var.commander_config.jobs_per_nmap_host}",
- "nessus_hosts=${join(",", formatlist("vulnscan%d", range(1, var.nessus_instance_count + 1)))}",
- "next_scan_limit=${var.commander_config.next_scan_limit}",
- "nmap_hosts=${join(",", formatlist("portscan%d", range(1, var.nmap_instance_count + 1)))}",
 "production_workspace=${local.production_workspace}",
 ]
 playbook = "../ansible/playbook.yml"
diff --git a/terraform/cyhy_nessus_ec2.tf b/terraform/cyhy_nessus_ec2.tf
index 8a70916d..12485a89 100644
--- a/terraform/cyhy_nessus_ec2.tf
+++ b/terraform/cyhy_nessus_ec2.tf
@@ -173,7 +173,7 @@ module "cyhy_nessus_ansible_provisioner" {
 "host=${length(aws_instance.cyhy_nessus[*].private_ip) > 0 ? element(aws_instance.cyhy_nessus[*].private_ip, count.index) : ""}",
 "host_groups=cyhy_runner,nessus",
 "nessus_activation_code=${var.nessus_activation_codes[count.index]}",
- "smtp_hostname=${aws_route53_record.cyhy_nessus_pub_A[count.index].name}",
+ "nessus_smtp_hostname=${aws_route53_record.cyhy_nessus_pub_A[count.index].name}",
 ]
 playbook = "../ansible/playbook.yml"
 }
diff --git a/terraform/cyhy_reporter_ec2.tf b/terraform/cyhy_reporter_ec2.tf
index 42b343c6..7e12a25f 100644
--- a/terraform/cyhy_reporter_ec2.tf
+++ b/terraform/cyhy_reporter_ec2.tf
@@ -125,12 +125,12 @@ module "cyhy_reporter_ansible_provisioner" {
 dry_run = false
 envs = [
 "bastion_host=${aws_instance.cyhy_bastion.public_ip}",
- "docker_compose_override_file_for_mailer=${var.reporter_mailer_override_filename}",
+ "cyhy_mailer_docker_compose_override_file_for_mailer=${var.reporter_mailer_override_filename}",
+ "cyhy_mailer_ses_aws_region=${var.ses_aws_region}",
+ "cyhy_mailer_ses_send_email_role=${var.ses_role_arn}",
 "host=${aws_instance.cyhy_reporter.private_ip}",
 "host_groups=docker,cyhy_reporter",
 "production_workspace=${local.production_workspace}",
- "ses_aws_region=${var.ses_aws_region}",
- "ses_send_email_role=${var.ses_role_arn}",
 ]
 playbook = "../ansible/playbook.yml"
 }