diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f76d180e..857f3280 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -238,6 +238,14 @@ jobs: - lint - test runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + architecture: + # There is no ARM-based official Kali AMI in the AWS AMI + # Catalog. + # - arm64 + - x86_64 steps: - id: harden-runner name: Harden the runner @@ -315,7 +323,8 @@ jobs: # This runs through the AMI creation process but does not # actually create an AMI run: | - packer build -timestamp-ui \ + packer build -only amazon-ebs.${{ matrix.architecture }} \ + -timestamp-ui \ -var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_STAGING }} \ -var skip_create_ami=true \ src/packer.pkr.hcl diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 3eadd2ec..205d6fd7 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -33,6 +33,14 @@ jobs: needs: - diagnostics runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + architecture: + # There is no ARM-based official Kali AMI in the AWS AMI + # Catalog. + # - arm64 + - x86_64 steps: - id: harden-runner name: Harden the runner @@ -114,7 +122,8 @@ jobs: # take over an hour to create this AMI. AWS_MAX_ATTEMPTS: 480 run: | - packer build -timestamp-ui \ + packer build -only amazon-ebs.${{ matrix.architecture }} \ + -timestamp-ui \ -var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_STAGING }} \ -var is_prerelease=${{ github.event.release.prerelease }} \ -var release_tag=${{ github.event.release.tag_name }} \ diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4410a981..13846c7d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
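Review bot: Turning this job into a matrix job changes the check name GitHub reports for it, from the bare job name to `<job> (x86_64)`, so any branch-protection rule that lists the old name as a required status check stops matching until it is updated; the job id sits outside the hunk, so confirm whether it is a required check. The same `strategy:` block is added in prerelease.yml and release.yml, but those jobs run on release events where a required-check name is less likely to be involved. A one-line comment above `strategy:` such as `# Note: the matrix suffixes the job's check name with the architecture.` would spare the next person the surprise.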
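Review bot: `-only amazon-ebs.${{ matrix.architecture }}` is expanded by GitHub straight into the shell script before it runs; the value is a static literal from the matrix, so this is safe as written, but the usual hardening convention for `run:` steps is to pass expressions through `env:` and read them as shell variables, e.g. `ARCHITECTURE: ${{ matrix.architecture }}` under `env:` and `packer build -only "amazon-ebs.$ARCHITECTURE" \` in the script. Separately, it is worth confirming what Packer does when `-only` matches no source, which can happen if the matrix value and the `source "amazon-ebs"` label in src/packer.pkr.hcl drift apart; if Packer only warns and exits zero, this step would go green while building nothing. The identical `run:` change appears in prerelease.yml and release.yml.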
@@ -40,6 +40,14 @@ jobs: needs: - diagnostics runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + architecture: + # There is no ARM-based official Kali AMI in the AWS AMI + # Catalog. + # - arm64 + - x86_64 steps: - id: harden-runner name: Harden the runner @@ -130,7 +138,8 @@ jobs: # another. AWS_MAX_ATTEMPTS: 480 run: | - packer build -timestamp-ui \ + packer build -only amazon-ebs.${{ matrix.architecture }} \ + -timestamp-ui \ -var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_PRODUCTION }} \ -var is_prerelease=${{ github.event.release.prerelease }} \ -var release_tag=${{ github.event.release.tag_name }} \ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 59e59895..5a5000f4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,7 +5,7 @@ default_language_version: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v4.6.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -31,7 +31,7 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.39.0 + rev: v0.41.0 hooks: - id: markdownlint args: @@ -46,7 +46,7 @@ repos: # mirror does not pull tags for old major versions once a new major # version tag is published. additional_dependencies: - - prettier@3.2.5 + - prettier@3.3.1 - repo: https://github.com/adrienverge/yamllint rev: v1.35.1 hooks: @@ -56,14 +56,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.28.0 + rev: 0.28.4 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.6.2 + rev: v3.7.1 hooks: - id: validate_manifest @@ -98,7 +98,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.7.0-4 + rev: v3.8.0-1 hooks: - id: shfmt args: 
@@ -116,14 +116,14 @@ repos: # Redirect operators are followed by a space - --space-redirects - repo: https://github.com/shellcheck-py/shellcheck-py - rev: v0.9.0.6 + rev: v0.10.0.1 hooks: - id: shellcheck # Python hooks # Run bandit on the "tests" tree with a configuration - repo: https://github.com/PyCQA/bandit - rev: 1.7.7 + rev: 1.7.8 hooks: - id: bandit name: bandit (tests tree) @@ -138,7 +138,7 @@ repos: name: bandit (everything else) exclude: tests - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.2.0 + rev: 24.4.2 hooks: - id: black - repo: https://github.com/PyCQA/flake8 
@@ -152,24 +152,42 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.8.0 + rev: v1.10.0 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.15.1 + rev: v3.15.2 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v24.2.0 + rev: v24.6.0 hooks: - id: ansible-lint - # files: molecule/default/playbook.yml + additional_dependencies: + # On its own ansible-lint does not pull in ansible, only + # ansible-core. Therefore, if an Ansible module lives in + # ansible instead of ansible-core, the linter will complain + # that the module is unknown. In these cases it is + # necessary to add the ansible package itself as an + # additional dependency, with the same pinning as is done in + # requirements-test.txt of cisagov/skeleton-ansible-role. + # - ansible>=9,<10 + # ansible-core 2.16.3 through 2.16.6 suffer from the bug + # discussed in ansible/ansible#82702, which breaks any + # symlinked files in vars, tasks, etc. for any Ansible role + # installed via ansible-galaxy. Hence we never want to + # install those versions. + # + # Note that any changes made to this dependency must also be + # made in requirements.txt in cisagov/skeleton-packer and + # requirements-test.txt in cisagov/skeleton-ansible-role. + - ansible-core>=2.16.7 # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.88.0 + rev: v1.90.0 hooks: - id: terraform_fmt - id: terraform_validate diff --git a/requirements.txt b/requirements.txt index ec3e967b..bdf26b2a 100644 --- a/requirements.txt +++ b/requirements.txt 
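Review bot: `ansible-core>=2.16.7` has no upper bound, so each time pre-commit rebuilds the ansible-lint hook environment it pulls whatever ansible-core release is newest, and the linter's view of modules and syntax can silently differ between machines and over time. The accompanying comment says this pin must match requirements.txt, where the `ansible>=8,<10` metapackage bound still caps ansible-core (ansible 9.x tracks ansible-core 2.16, as far as I know); here nothing caps it. Consider mirroring that ceiling explicitly, e.g. `- ansible-core>=2.16.7,<2.17`, and keeping the two files in step as the comment already asks. The `repos:` list this entry belongs to continues outside the hunk.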
@@ -13,19 +13,15 @@ # often breaking changes across major versions. This is the reason # for the upper bound. ansible>=8,<10 -# TODO: Remove this pin when possible. See -# cisagov/skeleton-packer#312 for more details. -# -# ansible-core 2.16.3 and later suffer from the bug discussed in +# ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in # ansible/ansible#82702, which breaks any symlinked files in vars, # tasks, etc. for any Ansible role installed via ansible-galaxy. +# Hence we never want to install those versions. # -# See also cisagov/skeleton-ansible-role#178 and -# cisagov/skeleton-generic#180. Note from these PRs that any changes -# made to this dependency must also be made in requirements-test.txt -# in cisagov/skeleton-ansible-role and .pre-commit-config.yaml in -# cisagov/skeleton-generic. -ansible-core<2.16.3 +# Note that any changes made to this dependency must also be made in +# requirements-test.txt in cisagov/skeleton-ansible-role and +# .pre-commit-config.yaml in cisagov/skeleton-generic. +ansible-core>=2.16.7 boto3 docopt semver diff --git a/src/packer.pkr.hcl b/src/packer.pkr.hcl index e5774d8e..1eea087e 100644 --- a/src/packer.pkr.hcl +++ b/src/packer.pkr.hcl @@ -73,9 +73,23 @@ variable "skip_create_ami" { type = bool } -data "amazon-ami" "kali_linux" { +# There is no ARM-based official Kali AMI in the AWS AMI Catalog. +# data "amazon-ami" "kali_arm64" { +# filters = { +# architecture = "arm64" +# name = "kali-last-snapshot-arm64-2024.2.0-*" +# root-device-type = "ebs" +# virtualization-type = "hvm" +# } +# most_recent = true +# owners = ["679593333241"] +# region = var.build_region +# } + +data "amazon-ami" "kali_x86_64" { filters = { - name = "kali-last-snapshot-amd64-2023.4.0-*" + architecture = "x86_64" + name = "kali-last-snapshot-amd64-2024.2.0-*" root-device-type = "ebs" virtualization-type = "hvm" } 
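Review bot: `ansible-core>=2.16.7` next to the unchanged `ansible>=8,<10` makes the `>=8` lower bound misleading: as far as I know the ansible 8.x metapackage depends on ansible-core ~=2.15, which cannot satisfy the new pin, so pip can only ever resolve ansible 9.x here. Tightening to `ansible>=9,<10` states the real constraint and matches the `# - ansible>=9,<10` line this same commit adds to .pre-commit-config.yaml. A sentence in the comment block saying whether ansible 10 (which tracks ansible-core 2.17) is deliberately excluded would also help, since the `<10` cap is now the bound doing the work.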
@@ -86,7 +100,52 @@ data "amazon-ami" "kali_linux" { locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") } -source "amazon-ebs" "kali" { +# There is no ARM-based official Kali AMI in the AWS AMI Catalog. +# source "amazon-ebs" "arm64" { +# ami_name = "kali-hvm-${local.timestamp}-arm64-ebs" +# ami_regions = var.ami_regions +# associate_public_ip_address = true +# encrypt_boot = true +# instance_type = "t4g.small" +# kms_key_id = var.build_region_kms +# launch_block_device_mappings { +# delete_on_termination = true +# device_name = "/dev/xvda" +# encrypted = true +# volume_size = 30 +# volume_type = "gp3" +# } +# region = var.build_region +# region_kms_key_ids = var.region_kms_keys +# skip_create_ami = var.skip_create_ami +# source_ami = data.amazon-ami.kali_arm64.id +# ssh_username = "kali" +# subnet_filter { +# filters = { +# "tag:Name" = "AMI Build" +# } +# } +# tags = { +# Application = "Kali" +# Architecture = "arm64" +# Base_AMI_Name = data.amazon-ami.kali_arm64.name +# GitHub_Release_URL = var.release_url +# OS_Version = "Kali Linux" +# Pre_Release = var.is_prerelease +# Release = var.release_tag +# Team = "VM Fusion - Development" +# } +# # Many Linux distributions are now disallowing the use of RSA keys, +# # so it makes sense to use an ED25519 key instead. +# temporary_key_pair_type = "ed25519" +# vpc_filter { +# filters = { +# "tag:Name" = "AMI Build" +# } +# } +# } + +source "amazon-ebs" "x86_64" { ami_name = "kali-hvm-${local.timestamp}-x86_64-ebs" ami_regions = var.ami_regions associate_public_ip_address = true @@ -103,7 +162,7 @@ source "amazon-ebs" "kali" { region = var.build_region region_kms_key_ids = var.region_kms_keys skip_create_ami = var.skip_create_ami - source_ami = data.amazon-ami.kali_linux.id + source_ami = data.amazon-ami.kali_x86_64.id ssh_username = "kali" subnet_filter { filters = { 
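Review bot: The commented-out `source "amazon-ebs" "arm64"` block is a near-verbatim copy of the live x86_64 source it precedes, and the same pattern repeats in terraform-post-packer/main.tf and outputs.tf; a commented copy is not updated when the live block changes, so whenever it is uncommented it will carry the settings current in this commit, including security-relevant ones such as `encrypt_boot`, `kms_key_id` and `temporary_key_pair_type`. If the intent is to keep a template, a short comment listing only the arm64-specific values (`instance_type = "t4g.small"`, the `arm64` names, the `kali_arm64` data source) and pointing at a tracking issue would age better than the full duplicate. The x86_64 source this hunk renames continues outside the hunk.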
@@ -112,7 +171,8 @@ source "amazon-ebs" "kali" { } tags = { Application = "Kali" - Base_AMI_Name = data.amazon-ami.kali_linux.name + Architecture = "x86_64" + Base_AMI_Name = data.amazon-ami.kali_x86_64.name GitHub_Release_URL = var.release_url OS_Version = "Kali Linux" Pre_Release = var.is_prerelease @@ -130,7 +190,11 @@ source "amazon-ebs" "kali" { } build { - sources = ["source.amazon-ebs.kali"] + sources = [ + # There is no ARM-based official Kali AMI in the AWS AMI Catalog. + # "source.amazon-ebs.arm64", + "source.amazon-ebs.x86_64", + ] provisioner "ansible" { playbook_file = "src/upgrade.yml" diff --git a/src/version.txt b/src/version.txt index f83e9cbd..b2a26e1e 100644 --- a/src/version.txt +++ b/src/version.txt @@ -1 +1 @@ -__version__ = "0.5.27" +__version__ = "0.5.28" diff --git a/terraform-post-packer/main.tf b/terraform-post-packer/main.tf index 9d0463b7..c75d8c6e 100644 --- a/terraform-post-packer/main.tf +++ b/terraform-post-packer/main.tf 
@@ -24,18 +24,64 @@ locals { account_name_regex = format("^env[[:digit:]]+ \\(%s\\)$", local.images_account_type) } -# The IDs of all cisagov/kali-packer AMIs -data "aws_ami_ids" "historical_amis" { +# There is no ARM-based official Kali AMI in the AWS AMI Catalog. +# The IDs of all ARM64 cisagov/kali-packer AMIs +# data "aws_ami_ids" "historical_amis_arm64" { +# owners = [data.aws_caller_identity.images.account_id] +# +# filter { +# name = "architecture" +# values = ["arm64"] +# } +# +# filter { +# name = "name" +# values = ["kali-hvm-*-arm64-ebs"] +# } +# +# filter { +# name = "root-device-type" +# values = ["ebs"] +# } +# +# filter { +# name = "virtualization-type" +# values = ["hvm"] +# } +# } + +# There is no ARM-based official Kali AMI in the AWS AMI Catalog. +# Assign launch permissions to the ARM64 AMIs +# module "ami_launch_permission_arm64" { +# # Really we only want the var.recent_ami_count most recent AMIs, but +# # we have to cover the case where there are fewer than that many +# # AMIs in existence. Hence the min()/length() tomfoolery. +# for_each = toset(slice(data.aws_ami_ids.historical_amis_arm64.ids, 0, min(var.recent_ami_count, length(data.aws_ami_ids.historical_amis_arm64.ids)))) +# +# source = "github.com/cisagov/ami-launch-permission-tf-module" +# +# providers = { +# aws = aws +# aws.master = aws.master +# } +# +# account_name_regex = local.account_name_regex +# ami_id = each.value +# extraorg_account_ids = var.extraorg_account_ids +# } + +# The IDs of all x86-64 cisagov/kali-packer AMIs +data "aws_ami_ids" "historical_amis_x86_64" { + owners = [data.aws_caller_identity.images.account_id] + filter { - name = "name" - values = [ - "kali-hvm-*-x86_64-ebs", - ] + name = "architecture" + values = ["x86_64"] } filter { - name = "virtualization-type" - values = ["hvm"] + name = "name" + values = ["kali-hvm-*-x86_64-ebs"] } filter { 
@@ -43,15 +89,29 @@ data "aws_ami_ids" "historical_amis" { values = ["ebs"] } - owners = [data.aws_caller_identity.images.account_id] + filter { + name = "virtualization-type" + values = ["hvm"] + } } -# Assign launch permissions to the AMI -module "ami_launch_permission" { +# This moved block allows us to rename the resources at +# aws_ami_ids.historical_amis to aws_ami_ids.historical_amis_x86_64 +# instead of destroying and recreating them with a new name. +# +# TODO: Consider removing this moved block when it is no longer +# needed. See cisagov/skeleton-packer#369 for more details. +moved { + from = aws_ami_ids.historical_amis + to = aws_ami_ids.historical_amis_x86_64 +} + +# Assign launch permissions to the x86-64 AMIs +module "ami_launch_permission_x86_64" { # Really we only want the var.recent_ami_count most recent AMIs, but # we have to cover the case where there are fewer than that many # AMIs in existence. Hence the min()/length() tomfoolery. - for_each = toset(slice(data.aws_ami_ids.historical_amis.ids, 0, min(var.recent_ami_count, length(data.aws_ami_ids.historical_amis.ids)))) + for_each = toset(slice(data.aws_ami_ids.historical_amis_x86_64.ids, 0, min(var.recent_ami_count, length(data.aws_ami_ids.historical_amis_x86_64.ids)))) source = "github.com/cisagov/ami-launch-permission-tf-module" @@ -64,3 +124,14 @@ module "ami_launch_permission" { ami_id = each.value extraorg_account_ids = var.extraorg_account_ids } + +# This moved block allows us to rename the resources at +# module.ami_launch_permission to module.ami_launch_permission_x86_64 +# instead of destroying and recreating them with a new name. +# +# TODO: Consider removing this moved block when it is no longer +# needed. See cisagov/skeleton-packer#369 for more details. +moved { + from = module.ami_launch_permission + to = module.ami_launch_permission_x86_64 +} diff --git a/terraform-post-packer/outputs.tf b/terraform-post-packer/outputs.tf index ef5a669d..19723e33 100644 
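Review bot: The first `moved` block names the data source as `aws_ami_ids.historical_amis` and `aws_ami_ids.historical_amis_x86_64`, which Terraform reads as managed resources of type `aws_ami_ids` (a data source address carries a `data.` prefix), so the block refers to nothing that exists in state or configuration and I would expect `terraform validate` to reject it or at best ignore it. A data source is re-read on every plan and has no persisted state to migrate, so the rename needs no `moved` block at all; I would delete that block with its comment and keep only the `module.ami_launch_permission` → `module.ami_launch_permission_x86_64` move in the last hunk, which is the one that prevents the launch permissions from being destroyed and recreated. The `module "ami_launch_permission_x86_64"` block begins in this hunk and continues outside it.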
--- a/terraform-post-packer/outputs.tf +++ b/terraform-post-packer/outputs.tf @@ -1,4 +1,10 @@ -output "launch_permissions" { - value = module.ami_launch_permission - description = "The cisagov/ami-launch-permission-tf-module for each AMI to which launch permission is being granted." +# There is no ARM-based official Kali AMI in the AWS AMI Catalog. +# output "launch_permissions_arm64" { +# value = module.ami_launch_permission_arm64 +# description = "The cisagov/ami-launch-permission-tf-module for each ARM64 AMI to which launch permission is being granted." +# } + +output "launch_permissions_x86_64" { + value = module.ami_launch_permission_x86_64 + description = "The cisagov/ami-launch-permission-tf-module for each x86_64 AMI to which launch permission is being granted." } diff --git a/terraform-post-packer/variables.tf b/terraform-post-packer/variables.tf index 22b2a336..1b28b610 100644 --- a/terraform-post-packer/variables.tf +++ b/terraform-post-packer/variables.tf @@ -12,6 +12,6 @@ variable "extraorg_account_ids" { variable "recent_ami_count" { default = 12 - description = "The number of most-recent AMIs for which to grant launch permission (e.g. \"3\"). If this variable is set to three, for example, then accounts will be granted permission to launch the three most recent AMIs (or all most recent AMIs, if there are only one or two of them in existence)." + description = "The number of most-recent AMIs (per architecture) for which to grant launch permission (e.g. \"3\"). If this variable is set to three, for example, then accounts will be granted permission to launch the three most recent AMIs (or all most recent AMIs, if there are only one or two of them in existence)." type = number }