diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 3662ab0..bd2d742 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -3,11 +3,11 @@ # These owners will be the default owners for everything in the # repo. Unless a later match takes precedence, these owners will be # requested for review when someone opens a pull request. -* @dav3r @felddy @jsf9k @m1j09830 @mcdonnnj +* @dav3r @felddy @jasonodoom @jsf9k @m1j09830 @mcdonnnj # These folks own any files in the .github directory at the root of # the repository and any of its subdirectories. -/.github/ @dav3r @felddy @jsf9k @mcdonnnj +/.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj # Let jsf9k own the sometimes-touchy AWS and Python playbooks, as well # as the packer.pkr.hcl file.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 85bdce0..896e5cf 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -19,6 +19,8 @@ updates: - dependency-name: actions/setup-python - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate + # Managed by cisagov/skeleton-packer + - dependency-name: aws-actions/configure-aws-credentials - package-ecosystem: "pip" directory: "/"
@@ -29,12 +31,14 @@ updates: directory: "/terraform-build-user" schedule: interval: "weekly" - # ignore: - # - dependency-name: "hashicorp/aws" + # Managed by cisagov/skeleton-packer + ignore: + - dependency-name: "hashicorp/aws" - package-ecosystem: "terraform" directory: "/terraform-post-packer" schedule: interval: "weekly" - # ignore: - # - dependency-name: "hashicorp/aws" + # Managed by cisagov/skeleton-packer + ignore: + - dependency-name: "hashicorp/aws"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5823aa0..446c128 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
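Review bot: The new `ignore` entry for `aws-actions/configure-aws-credentials` in the stanza that already ignores `actions/setup-python`, and the two `hashicorp/aws` entries uncommented in the terraform stanzas of the second hunk, give only `dependency-name`, so Dependabot stops proposing every update for those dependencies — as far as I recall an unqualified ignore also suppresses Dependabot security updates, not only version bumps, which matters most for the credentials action. If the intent is that cisagov/skeleton-packer delivers those bumps, the comment could say so, e.g. `# Managed by cisagov/skeleton-packer: updates for this dependency arrive via the skeleton, not Dependabot`; otherwise narrow the entry with `update-types` so security updates still get through. The `updates` list these stanzas belong to starts above the hunk.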
@@ -24,11 +24,11 @@ jobs: - id: setup-python uses: actions/setup-python@v4 with: - python-version: "3.10" + python-version: "3.11" # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: go-version: "1.19" - name: Lookup Go cache directory
@@ -90,7 +90,7 @@ jobs: run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install dependencies run: | - python -m pip install --upgrade pip + python -m pip install --upgrade pip setuptools wheel pip install --upgrade --requirement requirements-test.txt - name: Install Ansible roles run: ansible-galaxy install --force --role-file src/requirements.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index b4e2017..0092977 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -37,11 +37,11 @@ repos: args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.0.0-alpha.4 + rev: v3.0.0-alpha.6 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.29.0 + rev: v1.30.0 hooks: - id: yamllint args:
@@ -49,14 +49,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.21.0 + rev: 0.22.0 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.0.2 + rev: v3.2.1 hooks: - id: validate_manifest
@@ -83,7 +83,7 @@ repos: # Python hooks # Run bandit on the "tests" tree with a configuration - repo: https://github.com/PyCQA/bandit - rev: 1.7.4 + rev: 1.7.5 hooks: - id: bandit name: bandit (tests tree)
@@ -98,7 +98,7 @@ repos: name: bandit (everything else) exclude: tests - repo: https://github.com/psf/black - rev: 22.12.0 + rev: 23.1.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8
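Review bot: The bump to `actions/setup-go@v4` on the `setup-go` step interacts with the hand-rolled cache described in the comment just above it: unless I misremember, v4 turns on its own Go module and build cache by default, so after this change the workflow will most likely populate two caches for the same directories via the later actions/cache step that "Lookup Go cache directory" feeds. Either add `cache: false` under the step's `with:` to keep the existing actions/cache step authoritative, or drop that step and let setup-go own caching; the comment `# We need the Go version and Go cache location for the actions/cache step` should be revised to match whichever is chosen. Both bumped actions are still referenced by floating major tags (`@v4`); pinning them to a full commit SHA would make the workflow's supply chain auditable. The actions/cache step itself lies below the hunk.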
@@ -112,7 +112,7 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v0.991 + rev: v1.1.1 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade
@@ -129,7 +129,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.77.0 + rev: v1.77.1 hooks: - id: terraform_fmt - id: terraform_validate
diff --git a/src/aws.yml b/src/aws.yml
index f6dbb9b..c91189d 100644
--- a/src/aws.yml
+++ b/src/aws.yml
@@ -3,16 +3,26 @@ name: AWS-specific roles become: yes become_method: sudo - roles: - - role: amazon_efs_utils + tasks: + - name: Install Amazon EFS utilities + ansible.builtin.include_role: + name: amazon_efs_utils vars: # Note that we use the same GID for the efs_users group on all # instances. This helps us avoid UID/GID collisions with # files written to the EFS share. efs_users_gid: 2048 - - amazon_ssm_agent - - chrony_aws - - cloudwatch_agent + - name: Install Amazon SSM Agent + ansible.builtin.include_role: + name: amazon_ssm_agent + - name: Install chrony and configure it for use within AWS + ansible.builtin.include_role: + name: chrony_aws + - name: Install and configure Amazon CloudWatch Agent + ansible.builtin.include_role: + name: cloudwatch_agent # The instance types used for almost all the instances expose EBS # volumes as NVMe block devices, so that's why we need nvme here. - - nvme + - name: Install prerequisites for working with NVMe block devices + ansible.builtin.include_role: + name: nvme
diff --git a/src/base.yml b/src/base.yml
index ca57017..e6d5386 100644
--- a/src/base.yml
+++ b/src/base.yml
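Review bot: Replacing the `roles:` list with `ansible.builtin.include_role` tasks in src/aws.yml changes how the roles are loaded, not just how they are named: `include_role` is resolved dynamically at run time, so tags placed on the include task are not inherited by the role's own tasks unless passed through `apply:`, and the role tasks are no longer visible to static inspection such as `--list-tasks`, whereas the old `roles:` section was imported statically. If the goal is only to give each role a descriptive task name while keeping the previous behaviour, `ansible.builtin.import_role` is the closer equivalent; if the dynamic behaviour is intended, a short comment above `tasks:` saying so would spare the next reader the question. The same pattern appears in the src/base.yml, src/egress_assess.yml, src/python.yml, src/upgrade.yml, src/vnc.yml and src/xfce.yml hunks. The play's header lines sit above the hunk.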
@@ -3,9 +3,19 @@ name: Setup base image become: yes become_method: sudo - roles: - - automated_security_updates - - banner - - clamav - - htop - - persist_journald + tasks: + - name: Install and configure automated security updates + ansible.builtin.include_role: + name: automated_security_updates + - name: Install and configure login banner + ansible.builtin.include_role: + name: banner + - name: Install and configure ClamAV + ansible.builtin.include_role: + name: clamav + - name: Install and configure htop + ansible.builtin.include_role: + name: htop + - name: Configure JournalD to preserve logs across reboots + ansible.builtin.include_role: + name: persist_journald
diff --git a/src/egress_assess.yml b/src/egress_assess.yml
index f5b3e5b..3b2b45c 100644
--- a/src/egress_assess.yml
+++ b/src/egress_assess.yml
@@ -3,8 +3,10 @@ name: Install Auto-Egress-Assess tool become: yes become_method: sudo - roles: - - role: assessment_tool + tasks: + - name: Install tarrell13/Auto-Egress-Assess + ansible.builtin.include_role: + name: assessment_tool vars: archive_src: https://github.com/tarrell13/Auto-Egress-Assess/tarball/main install_dir: /tools/Auto-Egress-Assess
diff --git a/src/python.yml b/src/python.yml
index f9eab0c..a1980ae 100644
--- a/src/python.yml
+++ b/src/python.yml
@@ -3,7 +3,17 @@ name: Install pip3/python3 and remove pip2/python2 become: yes become_method: sudo - roles: - - pip - - python - - remove_python2 + tasks: + # If pip were to be installed first, then the OS _could_ pull + # different Python packages than what would be installed via the + # cisagov/ansible-role-python role; hence, the ordering below is + # more controlled. + - name: Install Python 3 + ansible.builtin.include_role: + name: python + - name: Install pip3 + ansible.builtin.include_role: + name: pip + - name: Uninstall Python 2 + ansible.builtin.include_role: + name: remove_python2
diff --git a/src/requirements.yml b/src/requirements.yml
index f9870af..853b9de 100644
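Review bot: The rewritten "Install tarrell13/Auto-Egress-Assess" task in the src/egress_assess.yml hunk still hands the role `archive_src: https://github.com/tarrell13/Auto-Egress-Assess/tarball/main`, an unpinned tarball of a third-party repository's default branch with no checksum, so what lands in the image depends on whatever that branch holds at build time and cannot be verified afterwards. Pointing `archive_src` at a tag or commit tarball, e.g. `archive_src: https://github.com/tarrell13/Auto-Egress-Assess/tarball/<PINNED-TAG-OR-COMMIT>` (placeholder), and recording a checksum if the assessment_tool role supports one, would make the build reproducible and reviewable. The task's remaining vars continue below the hunk.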
--- a/src/requirements.yml +++ b/src/requirements.yml 
@@ -1,35 +1,35 @@ --- -- src: https://github.com/cisagov/ansible-role-amazon-efs-utils - name: amazon_efs_utils -- src: https://github.com/cisagov/ansible-role-amazon-ssm-agent - name: amazon_ssm_agent -- src: https://github.com/cisagov/ansible-role-assessment-tool - name: assessment_tool -- src: https://github.com/cisagov/ansible-role-automated-security-updates - name: automated_security_updates -- src: https://github.com/cisagov/ansible-role-banner - name: banner -- src: https://github.com/cisagov/ansible-role-chrony-aws - name: chrony_aws -- src: https://github.com/cisagov/ansible-role-clamav - name: clamav -- src: https://github.com/cisagov/ansible-role-cloudwatch-agent - name: cloudwatch_agent -- src: https://github.com/cisagov/ansible-role-htop - name: htop -- src: https://github.com/cisagov/ansible-role-nvme - name: nvme -- src: https://github.com/cisagov/ansible-role-persist-journald - name: persist_journald -- src: https://github.com/cisagov/ansible-role-pip - name: pip -- src: https://github.com/cisagov/ansible-role-python - name: python -- src: https://github.com/cisagov/ansible-role-remove-python2 - name: remove_python2 -- src: https://github.com/cisagov/ansible-role-upgrade - name: upgrade -- src: https://github.com/cisagov/ansible-role-vnc-server - name: vnc -- src: https://github.com/cisagov/ansible-role-xfce-cool - name: xfce_cool +- name: amazon_efs_utils + src: https://github.com/cisagov/ansible-role-amazon-efs-utils +- name: amazon_ssm_agent + src: https://github.com/cisagov/ansible-role-amazon-ssm-agent +- name: assessment_tool + src: https://github.com/cisagov/ansible-role-assessment-tool +- name: automated_security_updates + src: https://github.com/cisagov/ansible-role-automated-security-updates +- name: banner + src: https://github.com/cisagov/ansible-role-banner +- name: chrony_aws + src: https://github.com/cisagov/ansible-role-chrony-aws +- name: clamav + src: https://github.com/cisagov/ansible-role-clamav +- name: cloudwatch_agent + src: 
https://github.com/cisagov/ansible-role-cloudwatch-agent +- name: htop + src: https://github.com/cisagov/ansible-role-htop +- name: nvme + src: https://github.com/cisagov/ansible-role-nvme +- name: persist_journald + src: https://github.com/cisagov/ansible-role-persist-journald +- name: pip + src: https://github.com/cisagov/ansible-role-pip +- name: python + src: https://github.com/cisagov/ansible-role-python +- name: remove_python2 + src: https://github.com/cisagov/ansible-role-remove-python2 +- name: upgrade + src: https://github.com/cisagov/ansible-role-upgrade +- name: vnc + src: https://github.com/cisagov/ansible-role-vnc-server +- name: xfce_cool + src: https://github.com/cisagov/ansible-role-xfce-cool
diff --git a/src/upgrade.yml b/src/upgrade.yml
index e172d4d..744c01e 100644
--- a/src/upgrade.yml
+++ b/src/upgrade.yml
@@ -3,5 +3,7 @@ name: Upgrade base image become: yes become_method: sudo - roles: - - upgrade + tasks: + - name: Upgrade all packages + ansible.builtin.include_role: + name: upgrade
diff --git a/src/version.txt b/src/version.txt
index 7863915..976498a 100644
--- a/src/version.txt
+++ b/src/version.txt
@@ -1 +1 @@ -__version__ = "1.0.2" +__version__ = "1.0.3"
diff --git a/src/vnc.yml b/src/vnc.yml
index b4d925b..304be64 100644
--- a/src/vnc.yml
+++ b/src/vnc.yml
@@ -3,8 +3,10 @@ name: Install VNC and configure VNC user become: yes become_method: sudo - roles: - - role: vnc + tasks: + - name: Install VNC + ansible.builtin.include_role: + name: vnc vars: # The user information and ssh keys for the VNC user password: "{{ lookup('aws_ssm', '/vnc/password') }}"
@@ -19,7 +21,6 @@ # users on all instances. This helps us avoid UID/GID # collisions with files written to the EFS share. user_uid: 2048 - tasks: - name: Add VNC user to wheel group block: - name: Ensure wheel group exists
diff --git a/src/xfce.yml b/src/xfce.yml
index 82e44b0..c00a240 100644
--- a/src/xfce.yml
+++ b/src/xfce.yml
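Review bot: Every rewritten entry in the src/requirements.yml hunk carries `name` and `src` but no `version`, so `ansible-galaxy install --force --role-file src/requirements.yml` (as run in build.yml) resolves each of the seventeen roles to its repository's default branch at build time; any change pushed to those branches flows straight into the next image without review here, and two builds of the same commit can differ. Since the commit already touches every line of the file, it is a good moment to add `version: <TAG-OR-COMMIT>` (placeholder) under each entry, keeping the `name`/`src` ordering just introduced so the pin reads naturally alongside them. The hunk covers the whole file.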
@@ -3,8 +3,10 @@ name: Install Xfce become: yes become_method: sudo - roles: - - role: xfce_cool + tasks: + - name: Install Xfce for the COOL + ansible.builtin.include_role: + name: xfce_cool vars: # The users for whom a symlink to the COOL file share should # be created