⚠️ CONFLICT! Lineage pull request for: skeleton

.github/CODEOWNERS

@@ -3,7 +3,7 @@
 # These owners will be the default owners for everything in the
 # repo. Unless a later match takes precedence, these owners will be
 # requested for review when someone opens a pull request.
-* @dav3r @jsf9k @mcdonnnj
+* @dav3r @jasonodoom @jsf9k @mcdonnnj
 
 # Let jsf9k own the sometimes-touchy AWS and Python playbooks, as well
 # as the packer.pkr.hcl file.
@@ -13,4 +13,4 @@
 
 # These folks own any files in the .github directory at the root of
 # the repository and any of its subdirectories.
-/.github/ @dav3r @felddy @jsf9k @mcdonnnj
+/.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj

.github/dependabot.yml

@@ -19,6 +19,8 @@ updates:
       - dependency-name: actions/setup-python
       - dependency-name: hashicorp/setup-terraform
       - dependency-name: mxschmitt/action-tmate
+      # Managed by cisagov/skeleton-packer
+      - dependency-name: aws-actions/configure-aws-credentials
 
   - package-ecosystem: "pip"
     directory: "/"
@@ -29,12 +31,14 @@ updates:
     directory: "/terraform-build-user"
     schedule:
       interval: "weekly"
+    # Managed by cisagov/skeleton-packer
     ignore:
       - dependency-name: "hashicorp/aws"
 
   - package-ecosystem: "terraform"
     directory: "/terraform-post-packer"
     schedule:
       interval: "weekly"
+    # Managed by cisagov/skeleton-packer
     ignore:
       - dependency-name: "hashicorp/aws"

.github/workflows/build.yml

@@ -24,11 +24,11 @@ jobs:
       - id: setup-python
         uses: actions/setup-python@v4
         with:
-          python-version: "3.10"
+          python-version: "3.11"
       # We need the Go version and Go cache location for the actions/cache step,
       # so the Go installation must happen before that.
       - id: setup-go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: "1.19"
       - name: Lookup Go cache directory
@@ -90,7 +90,7 @@ jobs:
         run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
+          python -m pip install --upgrade pip setuptools wheel
           pip install --upgrade --requirement requirements-test.txt
       - name: Install Ansible roles
         run: ansible-galaxy install --force --role-file src/requirements.yml

.pre-commit-config.yaml

@@ -37,26 +37,26 @@ repos:
         args:
           - --config=.mdl_config.yaml
   - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v3.0.0-alpha.4
+    rev: v3.0.0-alpha.6
     hooks:
       - id: prettier
   - repo: https://github.com/adrienverge/yamllint
-    rev: v1.29.0
+    rev: v1.30.0
     hooks:
       - id: yamllint
         args:
           - --strict
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.21.0
+    rev: 0.22.0
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v3.0.2
+    rev: v3.2.1
     hooks:
       - id: validate_manifest
 
@@ -83,7 +83,7 @@ repos:
   # Python hooks
   # Run bandit on the "tests" tree with a configuration
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.4
+    rev: 1.7.5
     hooks:
       - id: bandit
         name: bandit (tests tree)
@@ -98,7 +98,7 @@ repos:
         name: bandit (everything else)
         exclude: tests
   - repo: https://github.com/psf/black
-    rev: 22.12.0
+    rev: 23.1.0
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
@@ -112,7 +112,7 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v0.991
+    rev: v1.1.1
     hooks:
       - id: mypy
   - repo: https://github.com/asottile/pyupgrade
@@ -129,7 +129,7 @@ repos:
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.0
+    rev: v1.77.1
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

src/aws.yml

@@ -3,10 +3,18 @@
   name: AWS-specific roles
   become: yes
   become_method: sudo
-  roles:
-    - amazon_ssm_agent
-    - chrony_aws
-    - cloudwatch_agent
+  tasks:
+    - name: Install Amazon SSM Agent
+      ansible.builtin.include_role:
+        name: amazon_ssm_agent
+    - name: Install chrony and configure it for use within AWS
+      ansible.builtin.include_role:
+        name: chrony_aws
+    - name: Install and configure Amazon CloudWatch Agent
+      ansible.builtin.include_role:
+        name: cloudwatch_agent
     # The instance types used for almost all the instances expose EBS
     # volumes as NVMe block devices, so that's why we need nvme here.
-    - nvme
+    - name: Install prerequisites for working with NVMe block devices
+      ansible.builtin.include_role:
+        name: nvme

src/base.yml

@@ -3,9 +3,19 @@
   name: Setup base image
   become: yes
   become_method: sudo
-  roles:
-    - automated_security_updates
-    - banner
-    - clamav
-    - htop
-    - persist_journald
+  tasks:
+    - name: Install and configure automated security updates
+      ansible.builtin.include_role:
+        name: automated_security_updates
+    - name: Install and configure login banner
+      ansible.builtin.include_role:
+        name: banner
+    - name: Install and configure ClamAV
+      ansible.builtin.include_role:
+        name: clamav
+    - name: Install and configure htop
+      ansible.builtin.include_role:
+        name: htop
+    - name: Configure JournalD to preserve logs across reboots
+      ansible.builtin.include_role:
+        name: persist_journald

src/nessus.yml

@@ -3,8 +3,12 @@
   name: Install Nessus and configure system for more ephemeral ports
   become: yes
   become_method: sudo
-  roles:
-    - role: more_ephemeral_ports
-    - role: nessus
+  tasks:
+    - name: Configure number of ephemeral ports
+      ansible.builtin.include_role:
+        name: more_ephemeral_ports
+    - name: Install Nessus
+      ansible.builtin.include_role:
+        name: nessus
       vars:
         package_bucket: "{{ build_bucket }}"

src/python.yml

@@ -3,7 +3,17 @@
   name: Install pip3/python3 and remove pip2/python2
   become: yes
   become_method: sudo
-  roles:
-    - pip
-    - python
-    - remove_python2
+  tasks:
+    # If pip were to be installed first, then the OS _could_ pull
+    # different Python packages than what would be installed via the
+    # cisagov/ansible-role-python role; hence, the ordering below is
+    # more controlled.
+    - name: Install Python 3
+      ansible.builtin.include_role:
+        name: python
+    - name: Install pip3
+      ansible.builtin.include_role:
+        name: pip
+    - name: Uninstall Python 2
+      ansible.builtin.include_role:
+        name: remove_python2

src/requirements.yml

@@ -1,31 +1,31 @@
 ---
-- src: https://github.com/cisagov/ansible-role-amazon-ssm-agent
-  name: amazon_ssm_agent
-- src: https://github.com/cisagov/ansible-role-automated-security-updates
-  name: automated_security_updates
-- src: https://github.com/cisagov/ansible-role-banner
-  name: banner
-- src: https://github.com/cisagov/ansible-role-chrony-aws
-  name: chrony_aws
-- src: https://github.com/cisagov/ansible-role-clamav
-  name: clamav
-- src: https://github.com/cisagov/ansible-role-cloudwatch-agent
-  name: cloudwatch_agent
-- src: https://github.com/cisagov/ansible-role-htop
-  name: htop
-- src: https://github.com/cisagov/ansible-role-more-ephemeral-ports
-  name: more_ephemeral_ports
-- src: https://github.com/cisagov/ansible-role-nessus
-  name: nessus
-- src: https://github.com/cisagov/ansible-role-nvme
-  name: nvme
-- src: https://github.com/cisagov/ansible-role-persist-journald
-  name: persist_journald
-- src: https://github.com/cisagov/ansible-role-pip
-  name: pip
-- src: https://github.com/cisagov/ansible-role-python
-  name: python
-- src: https://github.com/cisagov/ansible-role-remove-python2
-  name: remove_python2
-- src: https://github.com/cisagov/ansible-role-upgrade
-  name: upgrade
+- name: amazon_ssm_agent
+  src: https://github.com/cisagov/ansible-role-amazon-ssm-agent
+- name: automated_security_updates
+  src: https://github.com/cisagov/ansible-role-automated-security-updates
+- name: banner
+  src: https://github.com/cisagov/ansible-role-banner
+- name: chrony_aws
+  src: https://github.com/cisagov/ansible-role-chrony-aws
+- name: clamav
+  src: https://github.com/cisagov/ansible-role-clamav
+- name: cloudwatch_agent
+  src: https://github.com/cisagov/ansible-role-cloudwatch-agent
+- name: htop
+  src: https://github.com/cisagov/ansible-role-htop
+- name: more_ephemeral_ports
+  src: https://github.com/cisagov/ansible-role-more-ephemeral-ports
+- name: nessus
+  src: https://github.com/cisagov/ansible-role-nessus
+- name: nvme
+  src: https://github.com/cisagov/ansible-role-nvme
+- name: persist_journald
+  src: https://github.com/cisagov/ansible-role-persist-journald
+- name: pip
+  src: https://github.com/cisagov/ansible-role-pip
+- name: python
+  src: https://github.com/cisagov/ansible-role-python
+- name: remove_python2
+  src: https://github.com/cisagov/ansible-role-remove-python2
+- name: upgrade
+  src: https://github.com/cisagov/ansible-role-upgrade

src/upgrade.yml

@@ -3,5 +3,7 @@
   name: Upgrade base image
   become: yes
   become_method: sudo
-  roles:
-    - upgrade
+  tasks:
+    - name: Upgrade all packages
+      ansible.builtin.include_role:
+        name: upgrade

src/version.txt

@@ -1 +1 @@
-__version__ = "0.1.6"
+__version__ = "0.1.7"