diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 0c2099a..00d2f82 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -3,7 +3,7 @@
 # These owners will be the default owners for everything in the
 # repo. Unless a later match takes precedence, these owners will be
 # requested for review when someone opens a pull request.
-* @dav3r @jsf9k @mcdonnnj
+* @dav3r @jasonodoom @jsf9k @mcdonnnj
 # Let jsf9k own the sometimes-touchy AWS and Python playbooks, as well
 # as the packer.pkr.hcl file.
@@ -13,4 +13,4 @@
 # These folks own any files in the .github directory at the root of
 # the repository and any of its subdirectories.
-/.github/ @dav3r @felddy @jsf9k @mcdonnnj
+/.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 7145f3e..896e5cf 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -19,6 +19,8 @@ updates:
 - dependency-name: actions/setup-python
 - dependency-name: hashicorp/setup-terraform
 - dependency-name: mxschmitt/action-tmate
+ # Managed by cisagov/skeleton-packer
+ - dependency-name: aws-actions/configure-aws-credentials
 - package-ecosystem: "pip"
 directory: "/"
@@ -29,6 +31,7 @@ updates:
 directory: "/terraform-build-user"
 schedule:
 interval: "weekly"
+ # Managed by cisagov/skeleton-packer
 ignore:
 - dependency-name: "hashicorp/aws"
@@ -36,5 +39,6 @@ updates:
 directory: "/terraform-post-packer"
 schedule:
 interval: "weekly"
+ # Managed by cisagov/skeleton-packer
 ignore:
 - dependency-name: "hashicorp/aws"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index da84f64..dbb6c24 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
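Review bot: The new `- dependency-name: aws-actions/configure-aws-credentials` ignore entry turns off Dependabot for the action that obtains the build's AWS credentials, and as far as I recall an unconditional `ignore` in dependabot.yml also suppresses Dependabot's security-update PRs, not only routine version bumps. That is acceptable only if the cisagov/skeleton-packer sync is the one path by which an advisory for this action reaches the repository, so the comment should say so rather than only name the owner, e.g. `# Managed by cisagov/skeleton-packer: all updates to this action, including security fixes, arrive via skeleton sync`. The same wording would suit the two `hashicorp/aws` ignore comments added further down, which carry the same implication.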
@@ -24,11 +24,11 @@ jobs:
 - id: setup-python
 uses: actions/setup-python@v4
 with:
- python-version: "3.10"
+ python-version: "3.11"
 # We need the Go version and Go cache location for the actions/cache step,
 # so the Go installation must happen before that.
 - id: setup-go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@v4
 with:
 go-version: "1.19"
 - name: Lookup Go cache directory
@@ -90,7 +90,7 @@ jobs:
 run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
 - name: Install dependencies
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade pip setuptools wheel
 pip install --upgrade --requirement requirements-test.txt
 - name: Install Ansible roles
 run: ansible-galaxy install --force --role-file src/requirements.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index b4e2017..0092977 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -37,11 +37,11 @@ repos:
 args:
 - --config=.mdl_config.yaml
 - repo: https://github.com/pre-commit/mirrors-prettier
- rev: v3.0.0-alpha.4
+ rev: v3.0.0-alpha.6
 hooks:
 - id: prettier
 - repo: https://github.com/adrienverge/yamllint
- rev: v1.29.0
+ rev: v1.30.0
 hooks:
 - id: yamllint
 args:
@@ -49,14 +49,14 @@ repos:
 # GitHub Actions hooks
 - repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.21.0
+ rev: 0.22.0
 hooks:
 - id: check-github-actions
 - id: check-github-workflows
 # pre-commit hooks
 - repo: https://github.com/pre-commit/pre-commit
- rev: v3.0.2
+ rev: v3.2.1
 hooks:
 - id: validate_manifest
@@ -83,7 +83,7 @@ repos:
 # Python hooks
 # Run bandit on the "tests" tree with a configuration
 - repo: https://github.com/PyCQA/bandit
- rev: 1.7.4
+ rev: 1.7.5
 hooks:
 - id: bandit
 name: bandit (tests tree)
@@ -98,7 +98,7 @@ repos:
 name: bandit (everything else)
 exclude: tests
 - repo: https://github.com/psf/black
- rev: 22.12.0
+ rev: 23.1.0
 hooks:
 - id: black
 - repo: https://github.com/PyCQA/flake8
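Review bot: `uses: actions/setup-go@v4` on the new side (like the unchanged `actions/setup-python@v4` above it) references a floating major tag, so the job runs whatever commit that tag points to at run time rather than the code that was reviewed. Pinning to the action's full commit SHA with the version kept in a trailing comment — `uses: actions/setup-go@<full-commit-sha> # v4` — makes the reference immutable, and since setup-go is not in the Dependabot ignore list touched earlier in this diff, Dependabot will still propose bumps against a SHA pin. The job these steps belong to begins above the hunk.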
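Review bot: `python -m pip install --upgrade pip setuptools wheel` now pulls the latest setuptools and wheel from PyPI on every run with no version or hash pin, so the toolchain that builds the image drifts between runs outside anything Dependabot tracks. If they are not already listed in requirements-test.txt (that file is not in the diff), pinning them there and letting the following `pip install --upgrade --requirement requirements-test.txt` line install them keeps the environment reproducible and reviewable; the bare `pip` self-upgrade is the only part that reasonably has to stay unpinned. The step's enclosing job starts above the hunk.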
@@ -112,7 +112,7 @@ repos:
 hooks:
 - id: isort
 - repo: https://github.com/pre-commit/mirrors-mypy
- rev: v0.991
+ rev: v1.1.1
 hooks:
 - id: mypy
 - repo: https://github.com/asottile/pyupgrade
@@ -129,7 +129,7 @@ repos:
 # Terraform hooks
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.77.0
+ rev: v1.77.1
 hooks:
 - id: terraform_fmt
 - id: terraform_validate
diff --git a/src/aws.yml b/src/aws.yml
index 94bc526..5e8d4d7 100644
--- a/src/aws.yml
+++ b/src/aws.yml
@@ -3,10 +3,18 @@
 name: AWS-specific roles
 become: yes
 become_method: sudo
- roles:
- - amazon_ssm_agent
- - chrony_aws
- - cloudwatch_agent
+ tasks:
+ - name: Install Amazon SSM Agent
+ ansible.builtin.include_role:
+ name: amazon_ssm_agent
+ - name: Install chrony and configure it for use within AWS
+ ansible.builtin.include_role:
+ name: chrony_aws
+ - name: Install and configure Amazon CloudWatch Agent
+ ansible.builtin.include_role:
+ name: cloudwatch_agent
 # The instance types used for almost all the instances expose EBS
 # volumes as NVMe block devices, so that's why we need nvme here.
- - nvme
+ - name: Install prerequisites for working with NVMe block devices
+ ansible.builtin.include_role:
+ name: nvme
diff --git a/src/base.yml b/src/base.yml
index ca57017..e6d5386 100644
--- a/src/base.yml
+++ b/src/base.yml
@@ -3,9 +3,19 @@
 name: Setup base image
 become: yes
 become_method: sudo
- roles:
- - automated_security_updates
- - banner
- - clamav
- - htop
- - persist_journald
+ tasks:
+ - name: Install and configure automated security updates
+ ansible.builtin.include_role:
+ name: automated_security_updates
+ - name: Install and configure login banner
+ ansible.builtin.include_role:
+ name: banner
+ - name: Install and configure ClamAV
+ ansible.builtin.include_role:
+ name: clamav
+ - name: Install and configure htop
+ ansible.builtin.include_role:
+ name: htop
+ - name: Configure JournalD to preserve logs across reboots
+ ansible.builtin.include_role:
+ name: persist_journald
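Review bot: Replacing the `roles:` list with `ansible.builtin.include_role` tasks makes every role a dynamic include, so a role missing from the `ansible-galaxy install` or a typo in its `name:` is no longer caught by `ansible-playbook --syntax-check` or `--list-tasks` and only fails part-way through the image build. `ansible.builtin.import_role` keeps the parse-time resolution the old `roles:` form had while still allowing the descriptive per-task names, e.g. `- name: Install Amazon SSM Agent` / `  ansible.builtin.import_role:` / `    name: amazon_ssm_agent`. Nothing in the hunk (no `when:`, loop or variable role name) needs the dynamic form, and the same applies to base.yml, nessus.yml, python.yml and upgrade.yml converted in this diff; if the dynamic include is deliberate, a one-line comment above `tasks:` saying why would pre-empt the question. The play's `hosts:` line is above the hunk.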
diff --git a/src/nessus.yml b/src/nessus.yml
index 17aef92..ef697d3 100644
--- a/src/nessus.yml
+++ b/src/nessus.yml
@@ -3,8 +3,12 @@
 name: Install Nessus and configure system for more ephemeral ports
 become: yes
 become_method: sudo
- roles:
- - role: more_ephemeral_ports
- - role: nessus
+ tasks:
+ - name: Configure number of ephemeral ports
+ ansible.builtin.include_role:
+ name: more_ephemeral_ports
+ - name: Install Nessus
+ ansible.builtin.include_role:
+ name: nessus
 vars:
 package_bucket: "{{ build_bucket }}"
diff --git a/src/python.yml b/src/python.yml
index f9eab0c..a1980ae 100644
--- a/src/python.yml
+++ b/src/python.yml
@@ -3,7 +3,17 @@
 name: Install pip3/python3 and remove pip2/python2
 become: yes
 become_method: sudo
- roles:
- - pip
- - python
- - remove_python2
+ tasks:
+ # If pip were to be installed first, then the OS _could_ pull
+ different Python packages than what would be installed via the
+ cisagov/ansible-role-python role; hence, the ordering below is
+ more controlled.
+ - name: Install Python 3
+ ansible.builtin.include_role:
+ name: python
+ - name: Install pip3
+ ansible.builtin.include_role:
+ name: pip
+ - name: Uninstall Python 2
+ ansible.builtin.include_role:
+ name: remove_python2
diff --git a/src/requirements.yml b/src/requirements.yml
index ca7a0b1..a2e0df3 100644
--- a/src/requirements.yml
+++ b/src/requirements.yml
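Review bot: The unchanged `vars:` / `package_bucket: "{{ build_bucket }}"` lines now have to sit at task level, as a sibling of `ansible.builtin.include_role:` rather than indented under it: `include_role` has no `vars` argument and rejects unknown keys, whereas task-level `vars` are passed into the included role just as the old `- role: nessus` / `vars:` form did. The collapsed rendering here drops the indentation, so this is worth confirming against the file before merging. The play's `hosts:` line is above the hunk.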
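Review bot: As rendered here the continuation lines of the new ordering comment in python.yml — `+ different Python packages than what would be installed via the`, `+ cisagov/ansible-role-python role; hence, the ordering below is`, `+ more controlled.` — carry no leading `#`; if that is what the file contains rather than an artefact of this rendering, they are bare scalars under `tasks:` and the playbook will not parse. Each continuation should begin with `# ` exactly like the first comment line. The comment itself is a useful record of why `python` now runs before `pip`.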
@@ -1,31 +1,31 @@
 ---
-- src: https://github.com/cisagov/ansible-role-amazon-ssm-agent
- name: amazon_ssm_agent
-- src: https://github.com/cisagov/ansible-role-automated-security-updates
- name: automated_security_updates
-- src: https://github.com/cisagov/ansible-role-banner
- name: banner
-- src: https://github.com/cisagov/ansible-role-chrony-aws
- name: chrony_aws
-- src: https://github.com/cisagov/ansible-role-clamav
- name: clamav
-- src: https://github.com/cisagov/ansible-role-cloudwatch-agent
- name: cloudwatch_agent
-- src: https://github.com/cisagov/ansible-role-htop
- name: htop
-- src: https://github.com/cisagov/ansible-role-more-ephemeral-ports
- name: more_ephemeral_ports
-- src: https://github.com/cisagov/ansible-role-nessus
- name: nessus
-- src: https://github.com/cisagov/ansible-role-nvme
- name: nvme
-- src: https://github.com/cisagov/ansible-role-persist-journald
- name: persist_journald
-- src: https://github.com/cisagov/ansible-role-pip
- name: pip
-- src: https://github.com/cisagov/ansible-role-python
- name: python
-- src: https://github.com/cisagov/ansible-role-remove-python2
- name: remove_python2
-- src: https://github.com/cisagov/ansible-role-upgrade
- name: upgrade
+- name: amazon_ssm_agent
+ src: https://github.com/cisagov/ansible-role-amazon-ssm-agent
+- name: automated_security_updates
+ src: https://github.com/cisagov/ansible-role-automated-security-updates
+- name: banner
+ src: https://github.com/cisagov/ansible-role-banner
+- name: chrony_aws
+ src: https://github.com/cisagov/ansible-role-chrony-aws
+- name: clamav
+ src: https://github.com/cisagov/ansible-role-clamav
+- name: cloudwatch_agent
+ src: https://github.com/cisagov/ansible-role-cloudwatch-agent
+- name: htop
+ src: https://github.com/cisagov/ansible-role-htop
+- name: more_ephemeral_ports
+ src: https://github.com/cisagov/ansible-role-more-ephemeral-ports
+- name: nessus
+ src: https://github.com/cisagov/ansible-role-nessus
+- name: nvme
+ src: 
https://github.com/cisagov/ansible-role-nvme
+- name: persist_journald
+ src: https://github.com/cisagov/ansible-role-persist-journald
+- name: pip
+ src: https://github.com/cisagov/ansible-role-pip
+- name: python
+ src: https://github.com/cisagov/ansible-role-python
+- name: remove_python2
+ src: https://github.com/cisagov/ansible-role-remove-python2
+- name: upgrade
+ src: https://github.com/cisagov/ansible-role-upgrade
diff --git a/src/upgrade.yml b/src/upgrade.yml
index e172d4d..744c01e 100644
--- a/src/upgrade.yml
+++ b/src/upgrade.yml
@@ -3,5 +3,7 @@
 name: Upgrade base image
 become: yes
 become_method: sudo
- roles:
- - upgrade
+ tasks:
+ - name: Upgrade all packages
+ ansible.builtin.include_role:
+ name: upgrade
diff --git a/src/version.txt b/src/version.txt
index 0a8da88..f1380ee 100644
--- a/src/version.txt
+++ b/src/version.txt
@@ -1 +1 @@
-__version__ = "0.1.6"
+__version__ = "0.1.7"
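Review bot: Every rewritten entry in requirements.yml still gives only `name:` and `src:` with no `version:`, so the `ansible-galaxy install --force --role-file src/requirements.yml` step in build.yml checks out whatever the default branch of each cisagov role repository holds at build time, and any push to (or compromise of) one of those repositories lands in the next image without review. Since this hunk already touches every entry, it is the natural place to add a pin per role, e.g. `- name: amazon_ssm_agent` / `  src: https://github.com/cisagov/ansible-role-amazon-ssm-agent` / `  version: <tag-or-commit>`, and to bump those pins deliberately (the skeleton sync could carry them). The key reordering itself changes nothing functionally.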