diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml
index 57ab5402..f604e211 100644
--- a/.github/workflows/linux_benchmark_testing.yml
+++ b/.github/workflows/linux_benchmark_testing.yml
@@ -6,106 +6,106 @@ name: linux_benchmark_pipeline # Triggers the workflow on push or pull request # events but only for the devel branch on: - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' # A workflow run is made up of one or more jobs # that can run sequentially or in parallel jobs: # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + welcome: + runs-on: ubuntu-latest + + steps: + - uses: actions/first-interaction@main + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
# This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - env: - ENABLE_DEBUG: false - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - -### Build out the server - - name: Terraform_Init - working-directory: .github/workflows - run: terraform init - - - name: Terraform_Validate - working-directory: .github/workflows - run: terraform validate - - - name: Terraform_Apply - working-directory: .github/workflows - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false - -## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: cat hosts.yml - -# Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep 60s - shell: bash - -# Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} -# verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - -# Remove test system - User secrets to keep if necessary + build: + # The type of runner that the job will run on + runs-on: ubuntu-latest - 
- name: Terraform_Destroy - working-directory: .github/workflows - if: always() && env.ENABLE_DEBUG == 'false' env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false + ENABLE_DEBUG: false + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, + # so your job can access it + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + ### Build out the server + - name: Terraform_Init + working-directory: .github/workflows + run: terraform init + + - name: Terraform_Validate + working-directory: .github/workflows + run: terraform validate + + - name: Terraform_Apply + working-directory: .github/workflows + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + + ## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + working-directory: .github/workflows + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep for 60 seconds + run: sleep 60s + shell: bash + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} + # verbose: 3 + env: + 
ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + working-directory: .github/workflows + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 5b30b648..951a53cb 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -7,15 +7,15 @@ name: update galaxy # Controls when the action will run. # Triggers the workflow on merge request events to the main branch on: - push: - branches: - - main + push: + branches: + - main jobs: update_role: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: robertdebock/galaxy-action@master - with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} - git_branch: main + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: robertdebock/galaxy-action@master + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} + git_branch: main diff --git a/.yamllint b/.yamllint index ec469292..5dc8a985 100644 --- a/.yamllint +++ b/.yamllint 
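Review bot: Running `terraform apply` and the Ansible playbook from a fork's checkout under `pull_request_target` hands the repository's AWS keys and `SSH_PRV_KEY` to untrusted PR content: the `build` job checks out `${{ github.event.pull_request.head.sha }}` and then runs Terraform and `arillso/action.playbook` from that tree with `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `SSH_PRV_KEY` in scope, so any fork PR touching a `.yml`/`.sh` path can execute attacker-controlled `.tf`/playbook code with those secrets. Gate the job on a trusted source before the checkout, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository` on `build` (or a maintainer label check / a protected `environment` with required reviewers), and add a top-level `permissions: {contents: read}` so the `GITHUB_TOKEN` this trigger grants is not write-capable. `actions/first-interaction@main` and `arillso/action.playbook@master` are unpinned mutable branch refs that receive `GITHUB_TOKEN` and the SSH private key respectively; pin both to a commit SHA. Separately, `echo $PRIVATE_KEY > .ssh/github_actions.pem` is unquoted, which collapses a multi-line PEM onto one line — use `printf '%s\n' "$PRIVATE_KEY" > .ssh/github_actions.pem` if that file is consumed (the playbook step also receives the key via `private_key:`, so the file may be unused). The hunk only re-indents these lines, so the exposure predates this change.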
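Review bot: `robertdebock/galaxy-action@master` is an unpinned mutable branch ref that receives `GALAXY_API_KEY` on every push to `main`, so a compromised or force-pushed upstream branch can exfiltrate the publishing credential. Pin it to a commit SHA (`uses: robertdebock/galaxy-action@<sha>  # vX.Y`) and add `permissions: {contents: read}` at the top of the workflow so the job's `GITHUB_TOKEN` is read-only. The hunk only re-indents the file, so this predates the change.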
@@ -1,33 +1,25 @@ --- +# Based on ansible-lint config extends: default -ignore: | - tests/ - molecule/ - .github/ - .gitlab-ci.yml - *molecule.yml - rules: - indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error - empty-lines: - max: 1 - line-length: disable - key-duplicates: enable - new-line-at-end-of-file: enable - new-lines: - type: unix - trailing-spaces: enable - truthy: - allowed-values: ['true', 'false'] - check-keys: false + braces: {max-spaces-inside: 1, level: error} + brackets: {max-spaces-inside: 1, level: error} + colons: {max-spaces-after: -1, level: error} + commas: {max-spaces-after: -1, level: error} + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: {max: 3, level: error} + hyphens: {level: error} + indentation: + # Requiring 4 space indentation + spaces: 4 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: {type: unix} + trailing-spaces: disable + truthy: disable diff --git a/Changelog.md b/Changelog.md index 1f1679df..c7d7c264 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,10 @@ # Changes to rhel8CIS +## 1.5.6 + +- updates to yamllint to increase galaxy score - doesnt honour local files or exclusions +- removed blank lines from all + ## 1.5.5 - improved conditional for 1.1.2.1 diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 4c3d0995..dcc89356 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml 
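Review bot: The new ruleset replaces the previous `truthy: {allowed-values: ['true', 'false']}` with `truthy: disable` and also disables `trailing-spaces` and `new-line-at-end-of-file`, which loosens the repo-side lint beyond what the Galaxy baseline needs — the changelog says the importer "doesnt honour local files or exclusions", so weakening the local config gains nothing in score. Keep the stricter settings where they do not conflict with the galaxy baseline, e.g. `truthy: {allowed-values: ['true', 'false'], check-keys: false}` (so the `on:` key in the workflow files stays accepted) and `trailing-spaces: enable`. For a CIS hardening role that writes file modes, also consider `octal-values: {forbid-implicit-octal: true, forbid-explicit-octal: true}` so an unquoted `mode: 0644` is caught before YAML turns it into the integer 420. Dropping the `ignore:` block means `molecule/`, `tests/` and `.github/` are now linted with the 4-space `indentation` rule, which is consistent with this commit re-indenting those files but should be checked against any file it does not touch.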
@@ -5,26 +5,25 @@ gather_facts: true vars: - role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" - ansible_user: root - system_is_container: true - rhel8cis_selinux_disable: true - rhel8cis_rule_5_3_4: false - rhel8cis_rule_1_1_10: false - rhel8cis_rsyslog_ansiblemanaged: false - rhel8cis_rule_3_4_1_3: false - rhel8cis_rule_3_4_1_4: false - rhel8cis_rule_4_1_1_1: false - rhel8cis_rule_4_1_1_2: false - rhel8cis_rule_4_1_1_3: false - rhel8cis_rule_4_1_1_4: false - rhel8cis_rule_4_2_1_2: false - rhel8cis_rule_4_2_1_4: false - rhel8cis_rule_5_1_1: false + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + ansible_user: root + system_is_container: true + rhel8cis_selinux_disable: true + rhel8cis_rule_5_3_4: false + rhel8cis_rule_1_1_10: false + rhel8cis_rsyslog_ansiblemanaged: false + rhel8cis_rule_3_4_1_3: false + rhel8cis_rule_3_4_1_4: false + rhel8cis_rule_4_1_1_1: false + rhel8cis_rule_4_1_1_2: false + rhel8cis_rule_4_1_1_3: false + rhel8cis_rule_4_1_1_4: false + rhel8cis_rule_4_2_1_2: false + rhel8cis_rule_4_2_1_4: false + rhel8cis_rule_5_1_1: false pre_tasks: tasks: - - name: "Include tasks" - ansible.builtin.include_role: - name: "{{ role_name }}" - + - name: "Include tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 086feb9a..0b9047b9 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
@@ -3,32 +3,31 @@ # https://molecule.readthedocs.io/en/latest/ driver: - name: docker + name: docker platforms: - - name: ubi8 - image: registry.access.redhat.com/ubi8/ubi-init - pre_build_image: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:ro - privileged: true - command: "/usr/sbin/init" - capabilities: - - SYS_ADMIN + - name: ubi8 + image: registry.access.redhat.com/ubi8/ubi-init + pre_build_image: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + command: "/usr/sbin/init" + capabilities: + - SYS_ADMIN provisioner: - name: ansible - config_options: - defaults: - interpreter_python: auto_silent - callbacks_enabled: profile_tasks, timer + name: ansible + config_options: + defaults: + interpreter_python: auto_silent + callbacks_enabled: profile_tasks, timer lint: | - set -e - yamllint . - ansible-lint - flake8 + set -e + yamllint . + ansible-lint + flake8 verifier: - name: ansible - + name: ansible diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 5c57ab4c..936d5a87 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -4,10 +4,10 @@ gather_facts: false vars: - role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" tasks: - - name: "Include verify tasks" - ansible.builtin.include_role: - name: "{{ role_name }}" - tasks_from: verify + - name: "Include verify tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" + tasks_from: verify diff --git a/molecule/localhost/converge.yml b/molecule/localhost/converge.yml index 9a78fb97..b6c339c0 100644 --- a/molecule/localhost/converge.yml +++ b/molecule/localhost/converge.yml 
@@ -6,13 +6,12 @@ gather_facts: true vars: - ansible_user: "{{ lookup('env', 'USER') }}" - role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" - rhel8cis_rule_5_3_4: false + ansible_user: "{{ lookup('env', 'USER') }}" + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + rhel8cis_rule_5_3_4: false pre_tasks: tasks: - - name: "Include tasks" - ansible.builtin.include_role: - name: "{{ role_name }}" - + - name: "Include tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" diff --git a/molecule/localhost/molecule.yml b/molecule/localhost/molecule.yml index 94547051..6b499446 100644 --- a/molecule/localhost/molecule.yml +++ b/molecule/localhost/molecule.yml @@ -3,28 +3,27 @@ # https://molecule.readthedocs.io/en/latest/ driver: - name: delegated - options: - managed: false - ansible_connection_options: - ansible_connection: local + name: delegated + options: + managed: false + ansible_connection_options: + ansible_connection: local platforms: - - name: localhost + - name: localhost provisioner: - name: ansible - config_options: - defaults: - interpreter_python: auto_silent - stdout_callback: yaml - callbacks_enabled: profile_tasks, timer + name: ansible + config_options: + defaults: + interpreter_python: auto_silent + stdout_callback: yaml + callbacks_enabled: profile_tasks, timer lint: | - set -e - yamllint . - ansible-lint - flake8 + set -e + yamllint . + ansible-lint + flake8 verifier: - name: ansible - + name: ansible diff --git a/molecule/localhost/verify.yml b/molecule/localhost/verify.yml index 58afa467..31cc8590 100644 --- a/molecule/localhost/verify.yml +++ b/molecule/localhost/verify.yml 
@@ -5,10 +5,10 @@ become: true vars: - role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" tasks: - - name: "Include verify tasks" - ansible.builtin.include_role: - name: "{{ role_name }}" - tasks_from: verify + - name: "Include verify tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" + tasks_from: verify diff --git a/molecule/wsl/converge.yml b/molecule/wsl/converge.yml index 0f5f3e62..51286009 100644 --- a/molecule/wsl/converge.yml +++ b/molecule/wsl/converge.yml @@ -6,22 +6,21 @@ gather_facts: true vars: - ansible_user: "{{ lookup('env', 'USER') }}" - system_is_container: true - rhel8cis_selinux_disable: true - role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" - rhel8cis_rule_5_3_4: false - rhel8cis_rule_1_1_10: false - rhel8cis_rsyslog_ansiblemanaged: false - rhel8cis_rule_3_4_1_3: false - rhel8cis_rule_3_4_1_4: false - rhel8cis_rule_4_2_1_2: false - rhel8cis_rule_4_2_1_4: false - rhel8cis_rule_5_1_1: false + ansible_user: "{{ lookup('env', 'USER') }}" + system_is_container: true + rhel8cis_selinux_disable: true + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + rhel8cis_rule_5_3_4: false + rhel8cis_rule_1_1_10: false + rhel8cis_rsyslog_ansiblemanaged: false + rhel8cis_rule_3_4_1_3: false + rhel8cis_rule_3_4_1_4: false + rhel8cis_rule_4_2_1_2: false + rhel8cis_rule_4_2_1_4: false + rhel8cis_rule_5_1_1: false pre_tasks: tasks: - - name: "Include tasks" - ansible.builtin.include_role: - name: "{{ role_name }}" - + - name: "Include tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" diff --git a/molecule/wsl/molecule.yml b/molecule/wsl/molecule.yml index 9360997d..20cb713c 100644 --- a/molecule/wsl/molecule.yml +++ b/molecule/wsl/molecule.yml 
@@ -3,27 +3,26 @@ # https://molecule.readthedocs.io/en/latest/ driver: - name: delegated - options: - managed: false - ansible_connection_options: - ansible_connection: local + name: delegated + options: + managed: false + ansible_connection_options: + ansible_connection: local platforms: - - name: localhost + - name: localhost provisioner: - name: ansible - config_options: - defaults: - interpreter_python: auto_silent - callbacks_enabled: profile_tasks, timer + name: ansible + config_options: + defaults: + interpreter_python: auto_silent + callbacks_enabled: profile_tasks, timer lint: | - set -e - yamllint . - ansible-lint - flake8 + set -e + yamllint . + ansible-lint + flake8 verifier: - name: ansible - + name: ansible diff --git a/molecule/wsl/verify.yml b/molecule/wsl/verify.yml index 5c57ab4c..936d5a87 100644 --- a/molecule/wsl/verify.yml +++ b/molecule/wsl/verify.yml @@ -4,10 +4,10 @@ gather_facts: false vars: - role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" tasks: - - name: "Include verify tasks" - ansible.builtin.include_role: - name: "{{ role_name }}" - tasks_from: verify + - name: "Include verify tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" + tasks_from: verify