--- name: Main pipeline on: # yamllint disable-line rule:truthy pull_request_target: types: [opened, reopened, synchronize] branches: - main - latest paths: - '**.yml' - '**.sh' - '**.j2' - '**.ps1' - '**.cfg' # Allow permissions for AWS auth permissions: id-token: write contents: read pull-requests: read # A workflow run is made up of one or more jobs # that can run sequentially or in parallel jobs: # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: self-hosted env: ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} # Imported as a variable by terraform TF_VAR_repository: ${{ github.event.repository.name }} AWS_REGION : "us-east-1" ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} defaults: run: shell: bash working-directory: .github/workflows/github_linux_IaC # working-directory: .github/workflows steps: - name: Git clone the lockdown repository to test uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - name: If a variable for IAC_BRANCH is set use that branch working-directory: .github/workflows run: | if [ ${{ vars.IAC_BRANCH }} != '' ]; then echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" else echo IAC_BRANCH=main >> $GITHUB_ENV fi # Pull in terraform code for linux servers - name: Clone GitHub IaC plan uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC ref: ${{ env.IAC_BRANCH }} # Uses dedicated restricted role and policy to enable this only for this task # No credentials are part of github for AWS auth - name: configure aws credentials uses: aws-actions/configure-aws-credentials@main with: role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} role-session-name: ${{ secrets.AWS_ROLE_SESSION }} aws-region: ${{ env.AWS_REGION }} - name: DEBUG - Show IaC files if: env.ENABLE_DEBUG == 'true' run: | echo "OSVAR = $OSVAR" echo "benchmark_type = $benchmark_type" echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" echo "VPC_ID" = $AWS_VPC_SECGRP_ID" pwd ls env: # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} - name: Tofu init id: init run: tofu init env: # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - name: Tofu validate id: validate run: tofu validate env: # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - name: Tofu apply id: apply env: OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false ## Debug Section - name: DEBUG - Show Ansible hostfile if: env.ENABLE_DEBUG == 'true' run: cat hosts.yml # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep to allow system to come up run: sleep ${{ vars.BUILD_SLEEPTIME }} # Run the Ansible playbook - name: Run_Ansible_Playbook env: ANSIBLE_HOST_KEY_CHECKING: "false" ANSIBLE_DEPRECATION_WARNINGS: "false" run: | /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml # Remove test system - User secrets to keep if necessary - name: Tofu Destroy if: always() && env.ENABLE_DEBUG == 'false' env: OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false