From 91ecfc1ca007896c48c91cec7a844083b9108c96 Mon Sep 17 00:00:00 2001
From: sean cavanaugh
Date: Fri, 9 Aug 2024 14:24:35 -0400
Subject: [PATCH 01/14] Update setup.yml to use correct Cloud Report fix for https://github.com/ansible/product-demos/issues/108 don't merge yet... can re-add ability to host in different regions, but this is a much better report
---
 cloud/setup.yml | 51 ++++++++++++++++++++++++++++---------------------
 1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/cloud/setup.yml b/cloud/setup.yml
index 7c9c08be8..45c337e46 100644
--- a/cloud/setup.yml
+++ b/cloud/setup.yml
@@ -15,6 +15,13 @@ controller_projects:
 scm_url: https://github.com/ansible-content-lab/aws.infrastructure_config_demos.git
 default_environment: Cloud Services Execution Environment
 
+ - name: Ansible Cloud AWS Demos
+ organization: Default
+ scm_type: git
+ wait: true
+ scm_url: https://github.com/ansible-cloud/aws_demos.git
+ default_environment: Cloud Services Execution Environment
+
 controller_credentials:
 - name: AWS
 credential_type: Amazon Web Services
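Review bot: The new `Ansible Cloud AWS Demos` project sets `scm_url` to a public GitHub repository with no `scm_branch`, so every project sync pulls whatever that repository's default branch currently holds, and the `Cloud / AWS / VPC Report` template changed in the next hunk then runs `playbooks/cloud_report.yml` from it with the `AWS` credential. Pinning the checkout, e.g. `scm_branch: <tag-or-commit>` (placeholder), keeps the playbook that receives cloud credentials reproducible and turns an upstream change into a reviewed update rather than a silent one. The existing `Ansible Cloud Content Lab - AWS` project above has the same shape, so if tracking upstream HEAD is the demo's deliberate convention, a one-line comment saying so on the project entry would settle it.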
@@ -279,29 +286,29 @@ controller_templates:
 organization: Default
 credentials:
 - AWS
- project: Ansible Cloud Content Lab - AWS
- playbook: playbooks/create_reports.yml
+ project: Ansible Cloud AWS Demos
+ playbook: playbooks/cloud_report.yml
 inventory: Demo Inventory
- notification_templates_started: Telemetry
- notification_templates_success: Telemetry
- notification_templates_error: Telemetry
- extra_vars:
- aws_report: vpc
- reports_aws_bucket_name: reports-pd-{{ _deployment_id }}
- survey_enabled: true
- survey:
- name: ''
- description: ''
- spec:
- - question_name: AWS Region
- type: multiplechoice
- variable: create_vm_aws_region
- required: true
- choices:
- - us-east-1
- - us-east-2
- - us-west-1
- - us-west-2
+ # notification_templates_started: Telemetry
+ # notification_templates_success: Telemetry
+ # notification_templates_error: Telemetry
+ # extra_vars:
+ # aws_report: vpc
+ # reports_aws_bucket_name: reports-pd-{{ _deployment_id }}
+ # survey_enabled: true
+ # survey:
+ # name: ''
+ # description: ''
+ # spec:
+ # - question_name: AWS Region
+ # type: multiplechoice
+ # variable: create_vm_aws_region
+ # required: true
+ # choices:
+ # - us-east-1
+ # - us-east-2
+ # - us-west-1
+ # - us-west-2
 
 - name: Cloud / AWS / Tags Report
 job_type: run
From 7455e7fa703a0e493eca2734cb7db2293b558042 Mon Sep 17 00:00:00 2001
From: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
Date: Mon, 12 Aug 2024 15:11:51 -0400
Subject: [PATCH 02/14] Removed release process from contributor guidelines (#167)
---
 CHANGELOG.md | 12 --------
 CONTRIBUTING.md | 81 ++-----------------------------------------------
 2 files changed, 3 insertions(+), 90 deletions(-)
 delete mode 100644 CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
deleted file mode 100644
index d0f5fca9a..000000000
--- a/CHANGELOG.md
+++ /dev/null
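Review bot: The three `notification_templates_*: Telemetry` lines are commented out together with the survey and `extra_vars`, although the commit message only motivates dropping the region selection, and the other templates in this file (visible in the later `cloud/setup.yml` hunks of this series) still report to Telemetry; unless the report job is meant to be excluded from telemetry, restore `notification_templates_started: Telemetry`, `notification_templates_success: Telemetry` and `notification_templates_error: Telemetry`. The twenty commented-out lines are dead configuration whose history git already keeps; deleting them, or leaving a single `# region survey and report extra_vars removed until cloud_report.yml supports multiple regions` comment, reads better. Since `reports_aws_bucket_name: reports-pd-{{ _deployment_id }}` is no longer passed, it is also worth confirming that `playbooks/cloud_report.yml` supplies its own region and bucket defaults.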
@@ -1,12 +0,0 @@ -# Changelog - -All notable changes to this project will be documented in this file. - -The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), -and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). - -## [v-0.0.1](https://github.com/ansible/product-demos/-/tree/v-0.0.1) - 2024-01-12 - -### Added - -- Initial release ([1af584b4ea6d77812bfcb2f6474fee6ee1b13666](https://github.com/ansible/product-demos/-/commit/1af584b4ea6d77812bfcb2f6474fee6ee1b13666)) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d787d2935..7f3bc6f09 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -18,6 +18,7 @@ This document aims to outline the requirements for the various forms of contribu - PRs should be rebased against the `main` branch to avoid conflicts. - PRs should not impact more than a single directory/demo section. - PRs should not rely on external infrastructure or configuration unless the dependency is automated or specified in the `user_message` of `setup.yml`. +- PR titles should describe the work done in the PR. Titles should not be generic ("Added new demo") and should not refer to an issue number ("Fix for issue #123"). ## Adding a New Demo 1) Create a new branch based on main. (eg. `git checkout -b `) 
@@ -31,7 +32,7 @@ This document aims to outline the requirements for the various forms of contribu 1) You can copy paste an existing one and edit it. 2) Ensure you edit the name, playbook path, survey etc. 5) Add any needed roles/collections to the [requirements.yml](/collections/requirements.yml) -6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.aap-product-demos.prod&utm_source=webapp&utm_medium=share-link), specify your branch name within the project configuration. +6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?search=product&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod), specifying your branch name within the project configuration. > NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account. @@ -43,13 +44,10 @@ This document aims to outline the requirements for the various forms of contribu --- user_message: '' - controller_components: - - job_templates - controller_templates: ... ``` - - `controller_components` can be any of the roles defined [here](https://github.com/redhat-cop/controller_configuration/tree/devel/roles) + - Configuration variables can be from any of the roles defined in the [infra.controller_configuration collection](https://github.com/redhat-cop/controller_configuration/tree/devel/roles) - Add variables for each component listed 3) Include a README.md in the subdirectory 
@@ -72,76 +70,3 @@ Copy the token value and execute the following command: ```bash export ANSIBLE_GALAXY_SERVER_AH_TOKEN= ``` - -## Release Process - -We follow a structured release process for this project. Here are the steps involved: - -1. **Create a Release Branch:** - - Start by creating a new release branch from the `main` branch. - - ```bash - git checkout -b release/v- - ``` - -2. **Update Changelog:** - - Open the `CHANGELOG.md` file to manually add your change to the appropriate section. - - Our changelog follows the [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) format and includes the following categories of changes: - - - `Added` for new features. - - `Changed` for changes in existing functionality. - - `Deprecated` for features that will be removed in upcoming releases. - - `Fixed` for bug fixes. - - `Removed` for deprecated features that were removed. - - `Security` for security-related changes. - - - Add a new entry under the relevant category. Include a brief summary of the change and the merge request commit tag. - - ```markdown - ## [Unreleased] - - ### Added - - - New feature or enhancement ([Merge Request Commit](https://github.com/ansible/product-demos/-/commit/)) - ``` - - - Replace `` with the actual commit hash from the merge request. - -3. **Commit Changes:** - - Commit the changes made to the `CHANGELOG.md` file. - - ```bash - git add CHANGELOG.md - git commit -m "Update CHANGELOG for release " - ``` - -4. **Create a Pull Request:** - - Open a pull request from the release branch to the `main` branch. - -5. **Review and Merge:** - - Review the pull request and merge it into the `main` branch. - -6. **Tag the Release:** - - Once the pull request is merged, tag the release with the version number. - - ```bash - git tag -a v- -m "Release " - git push origin v- - ``` - -7. 
**Publish the Release:** - - After the successful completion of the pull request and merging into the `main` branch, an automatic GitHub Action will be triggered to publish the release. - - The GitHub Action will perform the following steps: - - Parse the `CHANGELOG.md` file. - - Generate a release note based on the changes. - - Attach relevant files (such as `LICENSE`, `CHANGELOG.md`, and the generated `CHANGELOG.txt`) to the GitHub Release. - - No manual intervention is required for this step; the GitHub Action will handle the release process automatically. - -8. **Cleanup:** - - Delete the release branch. - - ```bash - git branch -d release/v- - ``` From 70d7c466049d54459aa0d5a2199e5c6225b3a048 Mon Sep 17 00:00:00 2001 From: Todd Ruch Date: Mon, 12 Aug 2024 15:18:11 -0400 Subject: [PATCH 03/14] Resolves NETWORK / DISA STIG job logging error (#164) --- .../compliance/roles/iosxeSTIG/tasks/main.yml | 32 ++++++++++--------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml index 896cb1e34..a3aabd8ca 100644 --- a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml +++ b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml 
@@ -137,14 +137,14 @@
 - (cmd_result.stdout|join('\n')).find('ip dns server') != -1
 - iosxeSTIG_stigrule_215823_Manage
 # R-215823 CISC-ND-000470
-- name : stigrule_215823_disable_identd
- ignore_errors: "{{ ignore_all_errors }}"
- notify: "save configuration"
- ios_config:
- defaults: yes
- lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}"
- when:
- - iosxeSTIG_stigrule_215823_Manage
+# - name : stigrule_215823_disable_identd
+# ignore_errors: "{{ ignore_all_errors }}"
+# notify: "save configuration"
+# ios_config:
+# defaults: yes
+# lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}"
+# when:
+# - iosxeSTIG_stigrule_215823_Manage
 # R-215823 CISC-ND-000470
 - name : stigrule_215823_disable_finger
 ignore_errors: "{{ ignore_all_errors }}"
@@ -378,9 +378,9 @@
 - name : stigrule_215837_host
 ignore_errors: "{{ ignore_all_errors }}"
 notify: "save configuration"
- ios_logging:
- dest: host
- name: "{{ iosxeSTIG_stigrule_215837_host_Name }}"
+ ios_config:
+ lines:
+ - "logging {{ iosxeSTIG_stigrule_215837_host_Name }}"
 when: iosxeSTIG_stigrule_215837_Manage
 # R-215837 CISC-ND-001000
 # Please configure name IP address to a valid one.
@@ -397,16 +397,18 @@
 - name : stigrule_215838_ntp_server_1
 ignore_errors: "{{ ignore_all_errors }}"
 notify: "save configuration"
- ios_ntp:
- server: "{{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}"
+ cisco.ios.ios_config:
+ lines:
+ - "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}"
 when: iosxeSTIG_stigrule_215838_Manage
 # R-215838 CISC-ND-001030
 # Replace ntp servers' IP address before enabling.
 - name : stigrule_215838_ntp_server_2
 ignore_errors: "{{ ignore_all_errors }}"
 notify: "save configuration"
- ios_ntp:
- server: "{{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}"
+ cisco.ios.ios_config:
+ lines:
+ - "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}"
 when: iosxeSTIG_stigrule_215838_Manage
 # R-215840 CISC-ND-001050
 # service timestamps log datetime localtime is set in 215817.
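Review bot: The `stigrule_215823_disable_identd` task is commented out with no indication of why, so the `# R-215823 CISC-ND-000470` header now sits directly above dead YAML, and the role's existing per-rule switch `iosxeSTIG_stigrule_215823_Manage` (still referenced in the task's `when:`) looks like the intended way to turn a control off. Add a comment above the block stating the reason, e.g. `# disabled (#164): <reason the identd lines cannot be applied>`, or keep the task and default `iosxeSTIG_stigrule_215823_Manage` to false in the role defaults instead. If this role's XCCDF callback keys on `stigrule_<id>` task names like the rhel8STIG `stig_xml.py` later in this series, a commented-out task also disappears from the compliance report rather than being recorded as not managed; confirm which behaviour is wanted.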
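Review bot: `ios_config` with `lines: - "logging {{ iosxeSTIG_stigrule_215837_host_Name }}"` is only idempotent if the running configuration stores that command verbatim; on images that render it as `logging host <address>` the line never matches, the task reports changed on every run, and a callback that maps changed to `fail` (as the rhel8STIG `stig_xml.py` in this series does) would keep reporting the control as failing after it has been applied. Verify on a device that the line is stored as written, or phrase the `lines` entry the way the device renders it; the `ntp server` lines in the following hunk carry the same risk, though that command is normally stored as written. The callback for this role is not in the hunk, so the report impact is inferred.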
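Review bot: The two NTP tasks now call `cisco.ios.ios_config:` while the `stigrule_215837_host` task in the previous hunk calls plain `ios_config:`; mixing the short name and the FQCN in one role makes module resolution for the two tasks depend on collection redirects in the execution environment. Use the FQCN in both places, i.e. change the previous hunk's line to `cisco.ios.ios_config:`.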
From 40515ac65b8366cd2dc69ac42f27080a256ed7d8 Mon Sep 17 00:00:00 2001
From: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
Date: Fri, 16 Aug 2024 14:07:59 -0400
Subject: [PATCH 04/14] Create common prerequisites configuration (#169)
---
 cloud/create_vpc.yml | 9 ++
 cloud/setup.yml | 249 ------------------------------------
 common/README.md | 3 +
 common/setup.yml | 283 +++++++++++++++++++++++++++++++++++++++++++
 setup_demo.yml | 68 +++--------
 5 files changed, 315 insertions(+), 297 deletions(-)
 create mode 100644 common/README.md
 create mode 100644 common/setup.yml
diff --git a/cloud/create_vpc.yml b/cloud/create_vpc.yml
index 4afd4e704..5fd25e8ff 100644
--- a/cloud/create_vpc.yml
+++ b/cloud/create_vpc.yml
@@ -122,3 +122,12 @@
 Name: "{{ aws_rt_name }}"
 owner: "{{ aws_owner_tag }}"
 purpose: "{{ aws_purpose_tag }}"
+
+ - name: Set VPC stats
+ ansible.builtin.set_stats:
+ data:
+ __aws_region: '{{ create_vm_aws_region }}'
+ __aws_vpc_id: '{{ aws_vpc.vpc.id }}'
+ __aws_vpc_cidr: '{{ aws_vpc_cidr_block }}'
+ __aws_subnet_id: '{{ aws_subnet.subnet.id }}'
+ __aws_subnet_cidr: '{{ aws_subnet_cidr }}'
diff --git a/cloud/setup.yml b/cloud/setup.yml
index 7c9c08be8..e04653f50 100644
--- a/cloud/setup.yml
+++ b/cloud/setup.yml
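Review bot: The `__aws_*` keys published through `ansible.builtin.set_stats` are undocumented: `set_stats` data becomes job artifacts that the controller forwards as extra vars to later nodes of a workflow, so a reader needs to know these values are meant for downstream consumption and that the double-underscore prefix marks them as internal. A comment above the task such as `# Export VPC/subnet identifiers as job artifacts for downstream workflow nodes` would capture that. `aws_vpc` and `aws_subnet` are presumably registered earlier in this play, outside the hunk; confirm the `.vpc.id` / `.subnet.id` attribute paths against those registrations.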
@@ -3,82 +3,6 @@ _deployment_id: "{{ lookup('file', playbook_dir + '/.deployment_id') }}" user_message: -controller_execution_environments: - - name: Cloud Services Execution Environment - image: quay.io/scottharwell/cloud-ee:latest - -controller_projects: - - name: Ansible Cloud Content Lab - AWS - organization: Default - scm_type: git - wait: true - scm_url: https://github.com/ansible-content-lab/aws.infrastructure_config_demos.git - default_environment: Cloud Services Execution Environment - -controller_credentials: - - name: AWS - credential_type: Amazon Web Services - organization: Default - update_secrets: false - state: exists - inputs: - username: REPLACEME - password: REPLACEME - -# - name: Azure -# credential_type: Microsoft Azure Resource Manager -# organization: Default -# update_secrets: false -# inputs: -# subscription: REPLACEME - -controller_inventory_sources: - - name: AWS Inventory - organization: Default - source: ec2 - inventory: Demo Inventory - credential: AWS - overwrite: true - source_vars: - hostnames: - - tag:Name - compose: - ansible_host: public_ip_address - ansible_user: 'ec2-user' - groups: - cloud_aws: true - os_linux: tags.blueprint.startswith('rhel') - keyed_groups: - - key: platform - prefix: os - - key: tags.blueprint - prefix: blueprint - - key: tags.owner - prefix: owner - -# - name: Azure Inventory -# organization: Default -# source: azure_rm -# inventory: Demo Inventory -# credential: Azure -# execution_environment: Ansible Engine 2.9 execution environment -# overwrite: true -# source_vars: -# hostnames: -# - tags.Name -# - default -# keyed_groups: -# - key: os_profile.system -# prefix: os -# conditional_groups: -# cloud_azure: true - -controller_groups: - - name: cloud_aws - inventory: Demo Inventory - variables: - ansible_user: ec2-user - controller_templates: - name: Cloud / AWS / Create Peer Infrastructure job_type: run 
@@ -140,140 +64,6 @@ controller_templates: extra_vars: aws_region: us-east-1 - - name: Cloud / AWS / Create VPC - job_type: run - organization: Default - credentials: - - AWS - project: Ansible official demo project - playbook: cloud/create_vpc.yml - inventory: Demo Inventory - notification_templates_started: Telemetry - notification_templates_success: Telemetry - notification_templates_error: Telemetry - survey_enabled: true - survey: - name: '' - description: '' - spec: - - question_name: AWS Region - type: multiplechoice - variable: create_vm_aws_region - required: true - choices: - - us-east-1 - - us-east-2 - - us-west-1 - - us-west-2 - - question_name: Owner - type: text - variable: aws_owner_tag - required: true - - - name: Cloud / AWS / Create VM - job_type: run - organization: Default - credentials: - - AWS - - Demo Credential - project: Ansible Cloud Content Lab - AWS - playbook: playbooks/create_vm.yml - inventory: Demo Inventory - notification_templates_started: Telemetry - notification_templates_success: Telemetry - notification_templates_error: Telemetry - survey_enabled: true - allow_simultaneous: true - survey: - name: '' - description: '' - spec: - - question_name: AWS Region - type: multiplechoice - variable: create_vm_aws_region - required: true - choices: - - us-east-1 - - us-east-2 - - us-west-1 - - us-west-2 - - question_name: Name - type: text - variable: create_vm_vm_name - required: true - - question_name: Owner - type: text - variable: create_vm_vm_owner - required: true - - question_name: Deployment - type: text - variable: create_vm_vm_deployment - required: true - - question_name: Environment - type: multiplechoice - variable: create_vm_vm_environment - required: true - choices: - - Dev - - QA - - Prod - - question_name: Blueprint - type: multiplechoice - variable: vm_blueprint - required: true - choices: - - windows_core - - windows_full - - rhel9 - - rhel8 - - rhel7 - - al2023 - - question_name: Subnet - type: text - variable: 
create_vm_aws_vpc_subnet_name - required: true - default: aws-test-subnet - - question_name: Security Group - type: text - variable: create_vm_aws_securitygroup_name - required: true - default: aws-test-sg - - question_name: SSH Keypair - type: text - variable: create_vm_aws_keypair_name - required: true - default: aws-test-key - - question_name: AWS Instance Type (defaults to blueprint value) - type: text - variable: create_vm_aws_instance_size - required: false - - question_name: AWS Image Filter (defaults to blueprint value) - type: text - variable: create_vm_aws_image_filter - required: false - - - name: Cloud / AWS / Delete VM - job_type: run - organization: Default - credentials: - - AWS - - Demo Credential - project: Ansible Cloud Content Lab - AWS - playbook: playbooks/delete_inventory_vm.yml - inventory: Demo Inventory - notification_templates_started: Telemetry - notification_templates_success: Telemetry - notification_templates_error: Telemetry - survey_enabled: true - survey: - name: '' - description: '' - spec: - - question_name: Name or Pattern - type: text - variable: _hosts - required: true - - name: Cloud / AWS / VPC Report job_type: run organization: Default 
@@ -332,45 +122,6 @@ controller_templates: - us-west-1 - us-west-2 - - name: Cloud / AWS / Create Keypair - job_type: run - organization: Default - credentials: - - AWS - project: Ansible official demo project - playbook: cloud/aws_key.yml - inventory: Demo Inventory - notification_templates_started: Telemetry - notification_templates_success: Telemetry - notification_templates_error: Telemetry - survey_enabled: true - survey: - name: '' - description: '' - spec: - - question_name: AWS Region - type: multiplechoice - variable: create_vm_aws_region - required: true - choices: - - us-east-1 - - us-east-2 - - us-west-1 - - us-west-2 - - question_name: Keypair Name - type: text - variable: aws_key_name - required: true - default: aws-test-key - - question_name: Keypair Public Key - type: textarea - variable: aws_public_key - required: true - - question_name: Owner - type: text - variable: aws_keypair_owner - required: true - - name: Cloud / AWS / Snapshot EC2 job_type: run organization: Default diff --git a/common/README.md b/common/README.md new file mode 100644 index 000000000..f023e319d --- /dev/null +++ b/common/README.md @@ -0,0 +1,3 @@ +# Common Prerequisites + +Demos from some categories (cloud, linux, windows, etc.) have become dependent on controller resources defined in other demo categories. The setup.yml file in this directory is used to configure these common prerequisites so that they are available before setup for a demo category is called. diff --git a/common/setup.yml b/common/setup.yml new file mode 100644 index 000000000..ca88c9530 --- /dev/null +++ b/common/setup.yml 
@@ -0,0 +1,283 @@
+---
+controller_execution_environments:
+ - name: product-demos
+ image: quay.io/acme_corp/product-demos-ee:latest
+ - name: Cloud Services Execution Environment
+ image: quay.io/scottharwell/cloud-ee:latest
+
+controller_organizations:
+ - name: Default
+ default_environment: product-demos
+
+controller_projects:
+ - name: Ansible Cloud Content Lab - AWS
+ organization: Default
+ scm_type: git
+ wait: true
+ scm_url: https://github.com/ansible-content-lab/aws.infrastructure_config_demos.git
+ default_environment: Cloud Services Execution Environment
+
+controller_credentials:
+ - name: AWS
+ credential_type: Amazon Web Services
+ organization: Default
+ update_secrets: false
+ state: exists
+ inputs:
+ username: REPLACEME
+ password: REPLACEME
+
+controller_inventory_sources:
+ - name: AWS Inventory
+ organization: Default
+ source: ec2
+ inventory: Demo Inventory
+ credential: AWS
+ overwrite: true
+ source_vars:
+ hostnames:
+ - tag:Name
+ compose:
+ ansible_host: public_ip_address
+ ansible_user: 'ec2-user'
+ groups:
+ cloud_aws: true
+ os_linux: tags.blueprint.startswith('rhel')
+ os_windows: tags.blueprint.startswith('win')
+ keyed_groups:
+ - key: platform
+ prefix: os
+ - key: tags.blueprint
+ prefix: blueprint
+ - key: tags.owner
+ prefix: owner
+ - key: tags.purpose
+ prefix: purpose
+ - key: tags.deployment
+ prefix: deployment
+
+controller_groups:
+ - name: cloud_aws
+ inventory: Demo Inventory
+ variables:
+ ansible_user: ec2-user
+ - name: os_windows
+ inventory: Demo Inventory
+ variables:
+ ansible_connection: winrm
+ ansible_winrm_transport: credssp
+
+controller_templates:
+ - name: SUBMIT FEEDBACK
+ job_type: run
+ inventory: Demo Inventory
+ project: Ansible official demo project
+ playbook: feedback.yml
+ execution_environment: Default execution environment
+ notification_templates_started: Telemetry
+ notification_templates_success: Telemetry
+ notification_templates_error: Telemetry
+ survey_enabled: true
+ survey:
+ name: ''
+ description: ''
+ spec:
+ - question_name: Name/Email/Contact
+ type: text
+ variable: email
+ required: true
+ - question_name: Issue or Feedback
+ type: textarea
+ variable: feedback
+ required: true
+
+ - name: Cloud / AWS / Create VPC
+ job_type: run
+ organization: Default
+ credentials:
+ - AWS
+ project: Ansible official demo project
+ playbook: cloud/create_vpc.yml
+ inventory: Demo Inventory
+ notification_templates_started: Telemetry
+ notification_templates_success: Telemetry
+ notification_templates_error: Telemetry
+ survey_enabled: true
+ survey:
+ name: ''
+ description: ''
+ spec:
+ - question_name: AWS Region
+ type: multiplechoice
+ variable: create_vm_aws_region
+ required: true
+ choices:
+ - us-east-1
+ - us-east-2
+ - us-west-1
+ - us-west-2
+ - question_name: Owner
+ type: text
+ variable: aws_owner_tag
+ required: true
+
+ - name: Cloud / AWS / Create Keypair
+ job_type: run
+ organization: Default
+ credentials:
+ - AWS
+ project: Ansible official demo project
+ playbook: cloud/aws_key.yml
+ inventory: Demo Inventory
+ notification_templates_started: Telemetry
+ notification_templates_success: Telemetry
+ notification_templates_error: Telemetry
+ survey_enabled: true
+ survey:
+ name: ''
+ description: ''
+ spec:
+ - question_name: AWS Region
+ type: multiplechoice
+ variable: create_vm_aws_region
+ required: true
+ choices:
+ - us-east-1
+ - us-east-2
+ - us-west-1
+ - us-west-2
+ - question_name: Keypair Name
+ type: text
+ variable: aws_key_name
+ required: true
+ default: aws-test-key
+ - question_name: Keypair Public Key
+ type: textarea
+ variable: aws_public_key
+ required: true
+ - question_name: Owner
+ type: text
+ variable: aws_keypair_owner
+ required: true
+
+ - name: Cloud / AWS / Create VM
+ job_type: run
+ organization: Default
+ credentials:
+ - AWS
+ - Demo Credential
+ project: Ansible Cloud Content Lab - AWS
+ playbook: playbooks/create_vm.yml
+ inventory: Demo Inventory
+ notification_templates_started: Telemetry
+ notification_templates_success: Telemetry
+ notification_templates_error: Telemetry
+ survey_enabled: true
+ allow_simultaneous: true
+ survey:
+ name: ''
+ description: ''
+ spec:
+ - question_name: AWS Region
+ type: multiplechoice
+ variable: create_vm_aws_region
+ required: true
+ choices:
+ - us-east-1
+ - us-east-2
+ - us-west-1
+ - us-west-2
+ - question_name: Name
+ type: text
+ variable: create_vm_vm_name
+ required: true
+ - question_name: Owner
+ type: text
+ variable: create_vm_vm_owner
+ required: true
+ - question_name: Deployment
+ type: text
+ variable: create_vm_vm_deployment
+ required: true
+ - question_name: Purpose
+ type: text
+ variable: create_vm_vm_purpose
+ required: true
+ default: demo
+ - question_name: Environment
+ type: multiplechoice
+ variable: create_vm_vm_environment
+ required: true
+ choices:
+ - Dev
+ - QA
+ - Prod
+ - question_name: Blueprint
+ type: multiplechoice
+ variable: vm_blueprint
+ required: true
+ choices:
+ - windows_core
+ - windows_full
+ - rhel9
+ - rhel8
+ - rhel7
+ - al2023
+ - question_name: Subnet
+ type: text
+ variable: create_vm_aws_vpc_subnet_name
+ required: true
+ default: aws-test-subnet
+ - question_name: Security Group
+ type: text
+ variable: create_vm_aws_securitygroup_name
+ required: true
+ default: aws-test-sg
+ - question_name: SSH Keypair
+ type: text
+ variable: create_vm_aws_keypair_name
+ required: true
+ default: aws-test-key
+ - question_name: AWS Instance Type (defaults to blueprint value)
+ type: text
+ variable: create_vm_aws_instance_size
+ required: false
+ - question_name: AWS Image Filter (defaults to blueprint value)
+ type: text
+ variable: create_vm_aws_image_filter
+ required: false
+
+ - name: Cloud / AWS / Delete VM
+ job_type: run
+ organization: Default
+ credentials:
+ - AWS
+ - Demo Credential
+ project: Ansible Cloud Content Lab - AWS
+ playbook: playbooks/delete_inventory_vm.yml
+ inventory: Demo Inventory
+ notification_templates_started: Telemetry
+ notification_templates_success: Telemetry
+ notification_templates_error: Telemetry
+ survey_enabled: true
+ survey:
+ name: ''
+ description: ''
+ spec:
+ - question_name: Name or Pattern
+ type: text
+ variable: _hosts
+ required: true
+
+controller_notifications:
+ - name: Telemetry
+ organization: Default
+ notification_type: webhook
+ notification_configuration:
+ url: https://script.google.com/macros/s/AKfycbzxUObvCJ6ZbzfJyicw4RvxlGE3AZdrK4AR5-TsedCYd7O-rtTOVjvsRvqyb3rx6B0g8g/exec
+ http_method: POST
+ headers: {}
+
+controller_settings:
+ - name: SESSION_COOKIE_AGE
+ value: 180000
diff --git a/setup_demo.yml b/setup_demo.yml
index 38baa4543..b9fd37d6c 100644
--- a/setup_demo.yml
+++ b/setup_demo.yml
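Review bot: The new `os_windows` group sets `ansible_winrm_transport: credssp` without saying why; CredSSP hands the managed host a delegable copy of the user's credential, so it is only appropriate where a second hop genuinely needs it, and it should not be paired with relaxed WinRM certificate validation. Add a comment on the group, e.g. `# credssp: required for second-hop access in the Windows demos; keep ansible_winrm_server_cert_validation at its default`, if that is the reason, or prefer `ntlm`/`kerberos` otherwise. The `AWS` credential entry is inherited from `cloud/setup.yml` rather than new, but note that with `state: exists` a missing credential is presumably created with the literal `REPLACEME` inputs, so the placeholder deserves the same comment it had there, if any.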
@@ -1,63 +1,33 @@ --- -- name: Setup demo +- name: Setup common prerequisites hosts: localhost gather_facts: false - tasks: - - name: Default Components - ansible.builtin.include_role: - name: infra.controller_configuration.dispatch - vars: # noqa var-naming[no-role-prefix] - controller_execution_environments: - - name: product-demos - image: quay.io/acme_corp/product-demos-ee:latest - controller_organizations: - - name: Default - default_environment: product-demos - controller_notifications: - - name: Telemetry - organization: Default - notification_type: webhook - notification_configuration: - url: https://script.google.com/macros/s/AKfycbzxUObvCJ6ZbzfJyicw4RvxlGE3AZdrK4AR5-TsedCYd7O-rtTOVjvsRvqyb3rx6B0g8g/exec - http_method: POST - headers: {} - controller_templates: - - name: "SUBMIT FEEDBACK" - job_type: run - inventory: "Demo Inventory" - project: "Ansible official demo project" - playbook: "feedback.yml" - execution_environment: Default execution environment - notification_templates_started: Telemetry - notification_templates_success: Telemetry - notification_templates_error: Telemetry - survey_enabled: true - survey: - name: '' - description: '' - spec: - - question_name: Name/Email/Contact - type: text - variable: email - required: true - - question_name: Issue or Feedback - type: textarea - variable: feedback - required: true - controller_settings: - - name: "SESSION_COOKIE_AGE" - value: 180000 + # vars_files should be scoped to a play so variables defined in the + # files should not be available in subsequent plays, so certain + # resources won't be retried + vars_files: + - common/setup.yml + + tasks: - name: Create reusable deployment ID ansible.builtin.set_fact: _deployment_id: '{{ lookup("ansible.builtin.password", "{{ playbook_dir }}/.deployment_id", chars=["ascii_lowercase", "digits"], length=5) }}' - - name: "Include configuration for {{ demo }}" + - name: Create common demo resources + ansible.builtin.include_role: + name: 
infra.controller_configuration.dispatch + +- name: Setup demo + hosts: localhost + gather_facts: false + tasks: + - name: Include configuration for {{ demo }} ansible.builtin.include_vars: "{{ demo }}/setup.yml" - name: Demo Components ansible.builtin.include_role: - name: "infra.controller_configuration.dispatch" + name: infra.controller_configuration.dispatch - name: Log Demo ansible.builtin.uri: @@ -70,3 +40,5 @@ ansible.builtin.debug: msg: "{{ user_message }}" when: user_message is defined + +... From 552acdcb6cc9a421f0303eed1a817f9b873755d7 Mon Sep 17 00:00:00 2001 
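Review bot: The comment above `vars_files` describes an expectation ("should be scoped", "should not be available") rather than the rule it relies on, and "certain resources won't be retried" does not say which resources or why that matters; since `vars_files` are play-scoped in Ansible, state it directly: `# vars_files are play-scoped: the common controller_* definitions are not visible to the "Setup demo" play below, so dispatch does not re-apply them there`. It is also worth adding that `set_fact` results are host-scoped, so `_deployment_id` created in this play does carry over to the "Setup demo" play; that is fine but belongs in the same comment so the split into two plays reads as intentional. The second hunk of this file only appends the `...` document end marker.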
From: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
Date: Tue, 20 Aug 2024 13:30:48 -0400
Subject: [PATCH 05/14] Updated versions of compliance-related roles (#170)
---
 .gitignore | 4 +-
 .pre-commit-config.yaml | 4 +
 .../rhel8STIG/callback_plugins/stig_xml.py | 67 +-
 .../roles/rhel8STIG/defaults/main.yml | 9 +-
 ...l => U_RHEL_8_STIG_V1R13_Manual-xccdf.xml} | 1027 +--
 .../compliance/roles/rhel8STIG/tasks/main.yml | 50 +-
 .../rhel9STIG/callback_plugins/stig_xml.py | 86 +
 .../roles/rhel9STIG/defaults/main.yml | 1011 +++
 .../files/U_RHEL_9_STIG_V1R2_Manual-xccdf.xml | 7020 +++++++++++++++++
 .../roles/rhel9STIG/handlers/main.yml | 30 +
 .../compliance/roles/rhel9STIG/tasks/main.yml | 3055 +++++++
 linux/compliance-enforce.yml | 2 +-
 linux/setup.yml | 5 +-
 roles/requirements.yml | 80 +-
 14 files changed, 11852 insertions(+), 598 deletions(-)
 rename collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/{U_RHEL_8_STIG_V1R9_Manual-xccdf.xml => U_RHEL_8_STIG_V1R13_Manual-xccdf.xml} (84%)
 create mode 100644 collections/ansible_collections/demo/compliance/roles/rhel9STIG/callback_plugins/stig_xml.py
 create mode 100644 collections/ansible_collections/demo/compliance/roles/rhel9STIG/defaults/main.yml
 create mode 100644 collections/ansible_collections/demo/compliance/roles/rhel9STIG/files/U_RHEL_9_STIG_V1R2_Manual-xccdf.xml
 create mode 100644 collections/ansible_collections/demo/compliance/roles/rhel9STIG/handlers/main.yml
 create mode 100644 collections/ansible_collections/demo/compliance/roles/rhel9STIG/tasks/main.yml
diff --git a/.gitignore b/.gitignore
index fc9639e33..da93076ac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,6 @@ choose_demo_example_aws.yml
 .ansible.cfg
 *.gz
 *artifact*.json
-**/roles/*
-!**/roles/requirements.yml
+roles/*
+!roles/requirements.yml
 .deployment_id
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 196f849ee..7a17953b6 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -4,7 +4,10 @@ repos: rev: v4.4.0 hooks: - id: end-of-file-fixer + exclude: rhel[89]STIG/.*$ + - id: trailing-whitespace + exclude: rhel[89]STIG/.*$ - id: check-yaml exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$ @@ -26,4 +29,5 @@ repos: rev: 23.11.0 hooks: - id: black + exclude: rhel[89]STIG/.*$ ... diff --git a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py index 5474b8316..cfff078b2 100644 --- a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py +++ b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py @@ -1,5 +1,4 @@ -from __future__ import absolute_import, division, print_function - +from __future__ import (absolute_import, division, print_function) __metaclass__ = type from ansible.plugins.callback import CallbackBase 
@@ -12,82 +11,76 @@ import xml.etree.ElementTree as ET
 import xml.dom.minidom
-
 class CallbackModule(CallbackBase):
 CALLBACK_VERSION = 2.0
- CALLBACK_TYPE = "xml"
- CALLBACK_NAME = "stig_xml"
+ CALLBACK_TYPE = 'xml'
+ CALLBACK_NAME = 'stig_xml'
 CALLBACK_NEEDS_WHITELIST = True
 def _get_STIG_path(self):
- cwd = os.path.abspath(".")
+ cwd = os.path.abspath('.')
 for dirpath, dirs, files in os.walk(cwd):
- if os.path.sep + "files" in dirpath and ".xml" in files[0]:
+ if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
 return os.path.join(cwd, dirpath, files[0])
 def __init__(self):
 super(CallbackModule, self).__init__()
 self.rules = {}
- self.stig_path = os.environ.get("STIG_PATH")
- self.XML_path = os.environ.get("XML_PATH")
+ self.stig_path = os.environ.get('STIG_PATH')
+ self.XML_path = os.environ.get('XML_PATH')
 if self.stig_path is None:
 self.stig_path = self._get_STIG_path()
- self._display.display("Using STIG_PATH: {}".format(self.stig_path))
+ self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
 if self.XML_path is None:
 self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
- self._display.display("Using XML_PATH: {}".format(self.XML_path))
+ self._display.display('Using XML_PATH: {}'.format(self.XML_path))
 print("Writing: {}".format(self.XML_path))
 STIG_name = os.path.basename(self.stig_path)
- ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
- self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
- self.tr.set(
- "id",
- "xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
- )
+ ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
+ self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
+ self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
 endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
- self.tr.set("end-time", endtime)
- tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
+ self.tr.set('end-time', endtime)
+ tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
 tg.text = platform.node()
 def _get_rev(self, nid):
- with open(self.stig_path, "r") as f:
- r = "SV-{}r(?P\d+)_rule".format(nid)
+ with open(self.stig_path, 'r') as f:
+ r = 'SV-{}r(?P\d+)_rule'.format(nid)
 m = re.search(r, f.read())
 if m:
- rev = m.group("rev")
+ rev = m.group('rev')
 else:
- rev = "0"
+ rev = '0'
 return rev
 def v2_runner_on_ok(self, result):
 name = result._task.get_name()
- m = re.search("stigrule_(?P\d+)", name)
+ m = re.search('stigrule_(?P\d+)', name)
 if m:
- nid = m.group("id")
+ nid = m.group('id')
 else:
 return
 rev = self._get_rev(nid)
 key = "{}r{}".format(nid, rev)
- if self.rules.get(key, "Unknown") != False:
+ if self.rules.get(key, 'Unknown') != False:
 self.rules[key] = result.is_changed()
 def v2_playbook_on_stats(self, stats):
 for rule, changed in self.rules.items():
- state = "fail" if changed else "pass"
- rr = ET.SubElement(
- self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
- )
- rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
- rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
+ state = 'fail' if changed else 'pass'
+ rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
+ rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
+ rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
 rs.text = state
 passing = len(self.rules) - sum(self.rules.values())
- sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
- sc.set("maximum", str(len(self.rules)))
- sc.set("system", "urn:xccdf:scoring:flat-unweighted")
+ sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
+ sc.set('maximum', str(len(self.rules)))
+ sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
 sc.text = str(passing)
- with open(self.XML_path, "wb") as f:
+ with open(self.XML_path, 'wb') as f:
 out = ET.tostring(self.tr)
- pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
+ pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
 f.write(pretty)
diff --git a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml
index f11ea0983..994d04ba5 100644
--- a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml
+++ b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml
@@ -142,9 +142,6 @@ rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true'
 rhel8STIG_stigrule_230348_Manage: True
 rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State: installed
 rhel8STIG_stigrule_230348__etc_tmux_conf_Line: 'set -g lock-command vlock'
-# R-230349 RHEL-08-020041
-rhel8STIG_stigrule_230349_Manage: True
-rhel8STIG_stigrule_230349__etc_bashrc_Line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
 # R-230352 RHEL-08-020060
 rhel8STIG_stigrule_230352_Manage: True
 rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
@@ -232,9 +229,6 @@ rhel8STIG_stigrule_230394__etc_audit_auditd_conf_Line: 'name_format = hostname'
 # R-230395 RHEL-08-030063
 rhel8STIG_stigrule_230395_Manage: True
 rhel8STIG_stigrule_230395__etc_audit_auditd_conf_Line: 'log_format = ENRICHED'
-# R-230396 RHEL-08-030070
-rhel8STIG_stigrule_230396_Manage: True
-rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line: 'log_group = root'
 # R-230398 RHEL-08-030090
 # A duplicate of 230396
 # duplicate of 230396
@@ -569,3 +563,6 @@ rhel8STIG_stigrule_244553_net_ipv4_conf_all_accept_redirects_Value: 0
 # R-244554 RHEL-08-040286
 rhel8STIG_stigrule_244554_Manage: True
 rhel8STIG_stigrule_244554__etc_sysctl_d_99_sysctl_conf_Line: 'net.core.bpf_jit_harden = 2'
+# R-256974 RHEL-08-010358
+rhel8STIG_stigrule_256974_Manage: True
+rhel8STIG_stigrule_256974_mailx_State: installed
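Review bot: `_get_STIG_path` on the new side still indexes `files[0]` unguarded, so any directory whose path contains `/files` but holds no files raises IndexError before the `.xml` test runs, and when no directory matches the method falls off the end and returns None, which `os.path.basename(self.stig_path)` in `__init__` turns into a TypeError instead of a message naming STIG_PATH; `if files and os.path.sep + 'files' in dirpath and files[0].endswith('.xml'):` plus an explicit error on the None case would make auto-discovery fail with a usable diagnostic. In `v2_runner_on_ok`, `if self.rules.get(key, 'Unknown') != False:` compares against a boolean with `!=`; `is not False` states the intent and avoids the `0 == False` ambiguity. The revision pattern renders here as `'SV-{}r(?P\d+)_rule'` while the code reads `m.group('rev')`; if the file really contains `(?P<rev>\d+)` this is only an artifact of how the page was extracted, otherwise the group lookup fails at runtime, so worth confirming in the repository. This hunk only changes quoting, and the diffstat shows the same plugin copied into `rhel9STIG/callback_plugins/stig_xml.py`, so any fix belongs in both copies. The class continues outside the hunk only if the file has content after `f.write(pretty)`, which this part of the diff does not show.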
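Review bot: In the second defaults hunk (`@@ -232,9 +229,6 @@`) the surviving context comments `# A duplicate of 230396` and `# duplicate of 230396` under R-230398 now point at a rule whose defaults this hunk deletes, so a reader searching for `rhel8STIG_stigrule_230396_*` finds nothing; reword the first to describe what 230398 manages on its own, e.g. `# R-230398 RHEL-08-030090 (230396, previously noted as its duplicate, was removed)`, and drop the repeated line. Removing the 230349 and 230396 defaults in the first two hunks is only safe if the matching tasks are dropped from `tasks/main.yml` in the same commit — that file is in the diffstat but its hunk is not in this part of the diff — otherwise the auditd `log_group` and tmux tasks would reference undefined variables at run time. The new `rhel8STIG_stigrule_256974_Manage: True` follows the file's existing `True` convention, although yamllint's truthy rule prefers lowercase `true` for any new file.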
diff --git a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml
similarity index 84%
rename from collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml
rename to collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml
index 31c877d32..78a900c30 100644
--- a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml
+++ b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml
@@ -1,4 +1,4 @@ -acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 9 Benchmark Date: 26 Jan 20233.4.0.342221.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. +acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 13 Benchmark Date: 24 Jan 20243.4.1.229161.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>