November24 updates to main #14
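---
name: Main pipeline

# SECURITY (review): this workflow runs on `pull_request_target`, which
# executes in the context of the base branch with access to repository
# secrets and, through `id-token: write`, to the AWS role assumed below.
# The first step nevertheless checks out the PR head commit, and the Ansible
# step later runs that commit's site.yml on a self-hosted runner. Without a
# gate, anyone who can open a pull request could run their own playbook
# with AWS access and with the runner's SSH key. The job-level `if:` below
# only admits PRs from branches in this repository or from
# OWNER/MEMBER/COLLABORATOR authors; a deployment environment with required
# reviewers would be a stronger gate if one is configured for this repo.
on: # yamllint disable-line rule:truthy
  pull_request_target:
    types: [opened, reopened, synchronize]
    branches:
      - main
    paths:
      - '**.yml'
      - '**.sh'
      - '**.j2'
      - '**.ps1'
      - '**.cfg'

# id-token: write is required for the OIDC exchange in "Configure AWS
# Credentials"; no static AWS credentials are stored in GitHub.
permissions:
  id-token: write
  contents: read
  pull-requests: read

jobs:
  # Single job: provision a test host with OpenTofu, run the playbook
  # against it, then tear the host down again.
  playbook-test:
    # Gate PR-controlled code (see the note above `on:`). head.repo is null
    # when a fork has been deleted; the comparison is then simply false.
    if: >-
      github.event.pull_request.head.repo.full_name == github.repository ||
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)
    # NOTE(review): PR code executes on this runner; it should be ephemeral
    # (fresh VM/container per job) so a malicious PR cannot persist on it.
    runs-on: self-hosted
    env:
      ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
      # Imported as a variable by terraform/tofu
      TF_VAR_repository: ${{ github.event.repository.name }}
      AWS_REGION: "us-east-1"
      ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
    defaults:
      run:
        shell: bash
        # Created by the "Clone GitHub IaC plan" step below.
        working-directory: .github/workflows/github_linux_IaC
    steps:
      - name: Git Clone the Lockdown Repository to test
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the GITHUB_TOKEN in .git/config of a checkout whose
          # contents are controlled by the pull request.
          persist-credentials: false
      - name: If a variable for IAC_BRANCH is set use that branch
        working-directory: .github/workflows
        env:
          IAC_BRANCH_OVERRIDE: ${{ vars.IAC_BRANCH }}
        run: |
          # The value is passed through the environment rather than expanded
          # with ${{ }} inside the script, so the shell never parses it. This
          # also fixes the `[ != '' ]` test(1) syntax error that the old
          # script produced whenever the variable was unset.
          if [ -n "${IAC_BRANCH_OVERRIDE}" ]; then
            echo "IAC_BRANCH=${IAC_BRANCH_OVERRIDE}" >> "$GITHUB_ENV"
            echo "Pipeline using the following IAC branch ${IAC_BRANCH_OVERRIDE}"
          else
            echo "IAC_BRANCH=main" >> "$GITHUB_ENV"
          fi
      # Pull in the OpenTofu/Terraform code for the Linux test servers
      - name: Clone GitHub IaC plan
        uses: actions/checkout@v4
        with:
          repository: ansible-lockdown/github_linux_IaC
          path: .github/workflows/github_linux_IaC
          ref: ${{ env.IAC_BRANCH }}
          persist-credentials: false
      # Uses a dedicated restricted role and policy (OIDC) enabled only for
      # this task; no AWS credentials are part of GitHub.
      # NOTE(review): pinned to the v4 major tag instead of the mutable
      # `main` branch; pinning to a full commit SHA is stronger still.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
          role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
          aws-region: ${{ env.AWS_REGION }}
      - name: DEBUG - Show IaC files
        if: env.ENABLE_DEBUG == 'true'
        env:
          # Imported from GitHub variables; selects the OS.tfvars file to load
          OSVAR: ${{ vars.OSVAR }}
          benchmark_type: ${{ vars.BENCHMARK_TYPE }}
          PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }}
          VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }}
        run: |
          echo "OSVAR = $OSVAR"
          echo "benchmark_type = $benchmark_type"
          # Report presence only: these values come from secrets and should
          # not be echoed into the job log. (The old script also read the
          # wrong variable names and had an unbalanced quote on the VPC line.)
          echo "PRIVSUBNET_ID set: $([ -n "$PRIVSUBNET_ID" ] && echo yes || echo no)"
          echo "VPC_ID set: $([ -n "$VPC_ID" ] && echo yes || echo no)"
          pwd
          ls
      - name: Tofu Init
        id: init
        env:
          # Imported from GitHub variables; selects the OS.tfvars file to load
          OSVAR: ${{ vars.OSVAR }}
          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
        run: tofu init
      - name: Tofu Validate
        id: validate
        env:
          OSVAR: ${{ vars.OSVAR }}
          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
        run: tofu validate
      # -input=false together with --auto-approve keeps the run
      # non-interactive: a missing variable fails the step instead of
      # waiting for a prompt.
      - name: Tofu Apply
        id: apply
        env:
          OSVAR: ${{ vars.OSVAR }}
          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
          TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
          TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
        run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
      ## Debug Section
      - name: DEBUG - Show Ansible hostfile
        if: env.ENABLE_DEBUG == 'true'
        run: cat hosts.yml
      # AWS instances take a while to come up; without the pause the playbook
      # fails to connect.
      - name: Sleep - Allow system to come up
        env:
          BUILD_SLEEPTIME: ${{ vars.BUILD_SLEEPTIME }}
        run: sleep "${BUILD_SLEEPTIME}"
      # Run the Ansible playbook from the PR head checkout (../../../site.yml
      # relative to the IaC directory) against the freshly built host.
      - name: Run Ansible Playbook
        env:
          # The host was created moments ago and its key is not known, so
          # host-key verification is disabled. That accepts a MITM on first
          # contact; NOTE(review): tolerable only if the host really is
          # ephemeral and on a private subnet (TF_VAR_privsubnet_id suggests
          # so) -- confirm.
          ANSIBLE_HOST_KEY_CHECKING: "false"
          ANSIBLE_DEPRECATION_WARNINGS: "false"
        run: |
          # ~/.ssh/le_runner is a long-lived key on the self-hosted runner;
          # the playbook under test can read it, hence the job-level gate.
          "/opt/ansible_${ANSIBLE_VERSION}_venv/bin/ansible-playbook" -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
      # Remove the test system. Runs even when earlier steps failed so that
      # instances are not leaked; skipped only when debugging is explicitly
      # enabled. (The old `== 'false'` test never destroyed anything when
      # ENABLE_DEBUG was unset, because the env value was then empty.)
      - name: Tofu Destroy
        if: always() && env.ENABLE_DEBUG != 'true'
        env:
          OSVAR: ${{ vars.OSVAR }}
          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
          TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
          TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
        run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false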