Merge pull request #33 from cisagov/lineage/skeleton

⚠️ CONFLICT! Lineage pull request for: skeleton

.github/CODEOWNERS

@@ -3,11 +3,11 @@
 # These owners will be the default owners for everything in the
 # repo. Unless a later match takes precedence, these owners will be
 # requested for review when someone opens a pull request.
-* @dav3r @felddy @jsf9k @m1j09830 @mcdonnnj
+* @dav3r @felddy @jasonodoom @jsf9k @m1j09830 @mcdonnnj
 
 # These folks own any files in the .github directory at the root of
 # the repository and any of its subdirectories.
-/.github/ @dav3r @felddy @jsf9k @mcdonnnj
+/.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
 
 # Let jsf9k own the sometimes-touchy AWS and Python playbooks, as well
 # as the packer.pkr.hcl file.

.github/dependabot.yml

@@ -19,6 +19,8 @@ updates:
       - dependency-name: actions/setup-python
       - dependency-name: hashicorp/setup-terraform
       - dependency-name: mxschmitt/action-tmate
+      # Managed by cisagov/skeleton-packer
+      - dependency-name: aws-actions/configure-aws-credentials
 
   - package-ecosystem: "pip"
     directory: "/"
@@ -29,12 +31,14 @@ updates:
     directory: "/terraform-build-user"
     schedule:
       interval: "weekly"
-    # ignore:
-    #   - dependency-name: "hashicorp/aws"
+    # Managed by cisagov/skeleton-packer
+    ignore:
+      - dependency-name: "hashicorp/aws"
 
   - package-ecosystem: "terraform"
     directory: "/terraform-post-packer"
     schedule:
       interval: "weekly"
-    # ignore:
-    #   - dependency-name: "hashicorp/aws"
+    # Managed by cisagov/skeleton-packer
+    ignore:
+      - dependency-name: "hashicorp/aws"

.github/workflows/build.yml

@@ -24,11 +24,11 @@ jobs:
       - id: setup-python
         uses: actions/setup-python@v4
         with:
-          python-version: "3.10"
+          python-version: "3.11"
       # We need the Go version and Go cache location for the actions/cache step,
       # so the Go installation must happen before that.
       - id: setup-go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: "1.19"
       - name: Lookup Go cache directory
@@ -90,7 +90,7 @@ jobs:
         run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
+          python -m pip install --upgrade pip setuptools wheel
           pip install --upgrade --requirement requirements-test.txt
       - name: Install Ansible roles
         run: ansible-galaxy install --force --role-file src/requirements.yml

.pre-commit-config.yaml

@@ -37,26 +37,26 @@ repos:
         args:
           - --config=.mdl_config.yaml
   - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v3.0.0-alpha.4
+    rev: v3.0.0-alpha.6
     hooks:
       - id: prettier
   - repo: https://github.com/adrienverge/yamllint
-    rev: v1.29.0
+    rev: v1.30.0
     hooks:
       - id: yamllint
         args:
           - --strict
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.21.0
+    rev: 0.22.0
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v3.0.2
+    rev: v3.2.1
     hooks:
       - id: validate_manifest
 
@@ -83,7 +83,7 @@ repos:
   # Python hooks
   # Run bandit on the "tests" tree with a configuration
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.4
+    rev: 1.7.5
     hooks:
       - id: bandit
         name: bandit (tests tree)
@@ -98,7 +98,7 @@ repos:
         name: bandit (everything else)
         exclude: tests
   - repo: https://github.com/psf/black
-    rev: 22.12.0
+    rev: 23.1.0
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
@@ -112,7 +112,7 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v0.991
+    rev: v1.1.1
     hooks:
       - id: mypy
   - repo: https://github.com/asottile/pyupgrade
@@ -129,7 +129,7 @@ repos:
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.0
+    rev: v1.77.1
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

src/aws.yml

@@ -3,16 +3,26 @@
   name: AWS-specific roles
   become: yes
   become_method: sudo
-  roles:
-    - role: amazon_efs_utils
+  tasks:
+    - name: Install Amazon EFS utilities
+      ansible.builtin.include_role:
+        name: amazon_efs_utils
       vars:
         # Note that we use the same GID for the efs_users group on all
         # instances.  This helps us avoid UID/GID collisions with
         # files written to the EFS share.
         efs_users_gid: 2048
-    - amazon_ssm_agent
-    - chrony_aws
-    - cloudwatch_agent
+    - name: Install Amazon SSM Agent
+      ansible.builtin.include_role:
+        name: amazon_ssm_agent
+    - name: Install chrony and configure it for use within AWS
+      ansible.builtin.include_role:
+        name: chrony_aws
+    - name: Install and configure Amazon CloudWatch Agent
+      ansible.builtin.include_role:
+        name: cloudwatch_agent
     # The instance types used for almost all the instances expose EBS
     # volumes as NVMe block devices, so that's why we need nvme here.
-    - nvme
+    - name: Install prerequisites for working with NVMe block devices
+      ansible.builtin.include_role:
+        name: nvme

src/base.yml

@@ -3,9 +3,19 @@
   name: Setup base image
   become: yes
   become_method: sudo
-  roles:
-    - automated_security_updates
-    - banner
-    - clamav
-    - htop
-    - persist_journald
+  tasks:
+    - name: Install and configure automated security updates
+      ansible.builtin.include_role:
+        name: automated_security_updates
+    - name: Install and configure login banner
+      ansible.builtin.include_role:
+        name: banner
+    - name: Install and configure ClamAV
+      ansible.builtin.include_role:
+        name: clamav
+    - name: Install and configure htop
+      ansible.builtin.include_role:
+        name: htop
+    - name: Configure JournalD to preserve logs across reboots
+      ansible.builtin.include_role:
+        name: persist_journald

src/egress_assess.yml

@@ -3,8 +3,10 @@
   name: Install Auto-Egress-Assess tool
   become: yes
   become_method: sudo
-  roles:
-    - role: assessment_tool
+  tasks:
+    - name: Install tarrell13/Auto-Egress-Assess
+      ansible.builtin.include_role:
+        name: assessment_tool
       vars:
         archive_src: https://github.com/tarrell13/Auto-Egress-Assess/tarball/main
         install_dir: /tools/Auto-Egress-Assess

src/python.yml

@@ -3,7 +3,17 @@
   name: Install pip3/python3 and remove pip2/python2
   become: yes
   become_method: sudo
-  roles:
-    - pip
-    - python
-    - remove_python2
+  tasks:
+    # If pip were to be installed first, then the OS _could_ pull
+    # different Python packages than what would be installed via the
+    # cisagov/ansible-role-python role; hence, the ordering below is
+    # more controlled.
+    - name: Install Python 3
+      ansible.builtin.include_role:
+        name: python
+    - name: Install pip3
+      ansible.builtin.include_role:
+        name: pip
+    - name: Uninstall Python 2
+      ansible.builtin.include_role:
+        name: remove_python2

src/requirements.yml

@@ -1,35 +1,35 @@
 ---
-- src: https://github.com/cisagov/ansible-role-amazon-efs-utils
-  name: amazon_efs_utils
-- src: https://github.com/cisagov/ansible-role-amazon-ssm-agent
-  name: amazon_ssm_agent
-- src: https://github.com/cisagov/ansible-role-assessment-tool
-  name: assessment_tool
-- src: https://github.com/cisagov/ansible-role-automated-security-updates
-  name: automated_security_updates
-- src: https://github.com/cisagov/ansible-role-banner
-  name: banner
-- src: https://github.com/cisagov/ansible-role-chrony-aws
-  name: chrony_aws
-- src: https://github.com/cisagov/ansible-role-clamav
-  name: clamav
-- src: https://github.com/cisagov/ansible-role-cloudwatch-agent
-  name: cloudwatch_agent
-- src: https://github.com/cisagov/ansible-role-htop
-  name: htop
-- src: https://github.com/cisagov/ansible-role-nvme
-  name: nvme
-- src: https://github.com/cisagov/ansible-role-persist-journald
-  name: persist_journald
-- src: https://github.com/cisagov/ansible-role-pip
-  name: pip
-- src: https://github.com/cisagov/ansible-role-python
-  name: python
-- src: https://github.com/cisagov/ansible-role-remove-python2
-  name: remove_python2
-- src: https://github.com/cisagov/ansible-role-upgrade
-  name: upgrade
-- src: https://github.com/cisagov/ansible-role-vnc-server
-  name: vnc
-- src: https://github.com/cisagov/ansible-role-xfce-cool
-  name: xfce_cool
+- name: amazon_efs_utils
+  src: https://github.com/cisagov/ansible-role-amazon-efs-utils
+- name: amazon_ssm_agent
+  src: https://github.com/cisagov/ansible-role-amazon-ssm-agent
+- name: assessment_tool
+  src: https://github.com/cisagov/ansible-role-assessment-tool
+- name: automated_security_updates
+  src: https://github.com/cisagov/ansible-role-automated-security-updates
+- name: banner
+  src: https://github.com/cisagov/ansible-role-banner
+- name: chrony_aws
+  src: https://github.com/cisagov/ansible-role-chrony-aws
+- name: clamav
+  src: https://github.com/cisagov/ansible-role-clamav
+- name: cloudwatch_agent
+  src: https://github.com/cisagov/ansible-role-cloudwatch-agent
+- name: htop
+  src: https://github.com/cisagov/ansible-role-htop
+- name: nvme
+  src: https://github.com/cisagov/ansible-role-nvme
+- name: persist_journald
+  src: https://github.com/cisagov/ansible-role-persist-journald
+- name: pip
+  src: https://github.com/cisagov/ansible-role-pip
+- name: python
+  src: https://github.com/cisagov/ansible-role-python
+- name: remove_python2
+  src: https://github.com/cisagov/ansible-role-remove-python2
+- name: upgrade
+  src: https://github.com/cisagov/ansible-role-upgrade
+- name: vnc
+  src: https://github.com/cisagov/ansible-role-vnc-server
+- name: xfce_cool
+  src: https://github.com/cisagov/ansible-role-xfce-cool

src/upgrade.yml

@@ -3,5 +3,7 @@
   name: Upgrade base image
   become: yes
   become_method: sudo
-  roles:
-    - upgrade
+  tasks:
+    - name: Upgrade all packages
+      ansible.builtin.include_role:
+        name: upgrade

src/version.txt

@@ -1 +1 @@
-__version__ = "1.0.2"
+__version__ = "1.0.3"

src/vnc.yml

@@ -3,8 +3,10 @@
   name: Install VNC and configure VNC user
   become: yes
   become_method: sudo
-  roles:
-    - role: vnc
+  tasks:
+    - name: Install VNC
+      ansible.builtin.include_role:
+        name: vnc
       vars:
         # The user information and ssh keys for the VNC user
         password: "{{ lookup('aws_ssm', '/vnc/password') }}"
@@ -19,7 +21,6 @@
         # users on all instances.  This helps us avoid UID/GID
         # collisions with files written to the EFS share.
         user_uid: 2048
-  tasks:
     - name: Add VNC user to wheel group
       block:
         - name: Ensure wheel group exists

src/xfce.yml

@@ -3,8 +3,10 @@
   name: Install Xfce
   become: yes
   become_method: sudo
-  roles:
-    - role: xfce_cool
+  tasks:
+    - name: Install Xfce for the COOL
+      ansible.builtin.include_role:
+        name: xfce_cool
       vars:
         # The users for whom a symlink to the COOL file share should
         # be created