base repository: cisagov/skeleton-packer
base: 5b8ae24b3cfc1c8927912b65c41f366742e5e796
head repository: cisagov/skeleton-packer
compare: 384ad15e226af258f28bd96722b73caf4f586a2e
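--- a/.ansible-lint
+++ b/.ansible-lint
@@ -0,0 +1,22 @@
+---
+# See https://ansible-lint.readthedocs.io/en/latest/configuring.html
+# for a list of the configuration elements that can exist in this
+# file.
+enable_list:
+# Useful checks that one must opt-into. See here for more details:
+# https://ansible-lint.readthedocs.io/en/latest/rules.html
+- fcqn-builtins
+- no-log-password
+- no-same-owner
+exclude_paths:
+# This exclusion is implicit, unless exclude_paths is defined
+- .cache
+# Seems wise to ignore this too
+- .github
+# ansible-lint doesn't like the role name in this playbook, but it's
+# what molecule requires
+- molecule/default/converge.yml
+# These two are Molecule configuration files, not Ansible playbooks
+- molecule/default/molecule-no-systemd.yml
+- molecule/default/molecule-with-systemd.yml
+use_default_rules: true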
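Review bot: The first entry under `enable_list` is spelled `fcqn-builtins`, but the opt-in rule ansible-lint documents for requiring fully qualified collection names on builtin modules is `fqcn-builtins`; if this is a transposition typo, the check this line is meant to turn on is never enabled, and depending on the ansible-lint version an unknown rule id may be accepted without any warning. Suggest `- fqcn-builtins` and a run of ansible-lint with a playbook that uses a short module name to confirm the rule actually fires. The other two entries, `no-log-password` and `no-same-owner`, match the documented ids. This file is what the ansible-lint bump to v5.2.1 in .pre-commit-config.yaml relies on, so the bump is only as effective as this list.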
10 changes: 10 additions & 0 deletions .github/dependabot.yml
@@ -11,3 +11,13 @@ updates:
directory: "/"
schedule:
interval: "weekly"

- package-ecosystem: "terraform"
directory: "/terraform-build-user"
schedule:
interval: "weekly"

- package-ecosystem: "terraform"
directory: "/terraform-post-packer"
schedule:
interval: "weekly"
57 changes: 36 additions & 21 deletions .github/workflows/build.yml
@@ -20,22 +20,23 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: cisagov/setup-env-github-action@develop
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v2
- id: setup-python
uses: actions/setup-python@v2
with:
python-version: 3.9
# GO_VERSION and GOCACHE are used by the cache task, so the Go
# installation must happen before that.
# We need the Go version and Go cache location for the actions/cache step,
# so the Go installation must happen before that.
- uses: actions/setup-go@v2
with:
go-version: '1.16'
- name: Store installed Go version
id: go-version
run: |
echo "GO_VERSION="\
"$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')" \
>> $GITHUB_ENV
echo "::set-output name=version::"\
"$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')"
- name: Lookup Go cache directory
id: go-cache
run: |
@@ -44,9 +45,9 @@ jobs:
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-\
go${{ env.GO_VERSION }}-\
packer${{ env.PACKER_VERSION }}-\
tf${{ env.TERRAFORM_VERSION }}-"
go${{ steps.go-version.outputs.version }}-\
packer${{ steps.setup-env.outputs.packer-version }}-\
tf${{ steps.setup-env.outputs.terraform-version }}-"
with:
# Note that the .terraform directory IS NOT included in the
# cache because if we were caching, then we would need to use
@@ -68,6 +69,8 @@ jobs:
- name: Setup curl cache
run: mkdir -p ${{ env.CURL_CACHE_DIR }}
- name: Install Packer
env:
PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
run: |
PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip"
curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
@@ -80,17 +83,23 @@ jobs:
sudo ln -s /opt/packer/packer /usr/local/bin/packer
- uses: hashicorp/setup-terraform@v1
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- name: Install shfmt
run: go install mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}
env:
PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt
PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install Terraform-docs
run: |
go install \
github.com/terraform-docs/terraform-docs@${TERRAFORM_DOCS_VERSION}
env:
PACKAGE_URL: github.com/terraform-docs/terraform-docs
PACKAGE_VERSION: ${{ steps.setup-env.outputs.terraform-docs-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install --upgrade --requirement requirements-test.txt
- name: Install Ansible roles
run: ansible-galaxy install --force --role-file src/requirements.yml
- name: Set up pre-commit hook environments
run: pre-commit install-hooks
- name: Run pre-commit on all files
@@ -101,7 +110,8 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: cisagov/setup-env-github-action@develop
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v2
- id: setup-python
uses: actions/setup-python@v2
@@ -111,7 +121,7 @@ jobs:
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-\
packer${{ env.PACKER_VERSION }}-"
packer${{ steps.setup-env.outputs.packer-version }}-"
with:
path: |
${{ env.PIP_CACHE_DIR }}
@@ -124,6 +134,8 @@ jobs:
- name: Setup curl cache
run: mkdir -p ${{ env.CURL_CACHE_DIR }}
- name: Install Packer
env:
PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
run: |
PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip"
curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
@@ -151,7 +163,8 @@ jobs:
needs: [lint, test]
runs-on: ubuntu-latest
steps:
- uses: cisagov/setup-env-github-action@develop
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v2
- id: setup-python
uses: actions/setup-python@v2
@@ -161,8 +174,8 @@ jobs:
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-\
packer${{ env.PACKER_VERSION }}-\
tf-${{ env.TERRAFORM_VERSION }}-"
packer${{ steps.setup-env.outputs.packer-version }}-\
tf-${{ steps.setup-env.outputs.terraform-version }}-"
with:
path: |
${{ env.PIP_CACHE_DIR }}
@@ -174,6 +187,8 @@ jobs:
- name: Setup curl cache
run: mkdir -p ${{ env.CURL_CACHE_DIR }}
- name: Install Packer
env:
PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
run: |
PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip"
curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
@@ -186,7 +201,7 @@ jobs:
sudo ln -s /opt/packer/packer /usr/local/bin/packer
- uses: hashicorp/setup-terraform@v1
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
@@ -221,7 +236,7 @@ jobs:
# This runs through the AMI creation process but does not
# actually create an AMI
run: |
packer build --timestamp-ui -var skip_create_ami=true \
packer build -timestamp-ui -var skip_create_ami=true \
src/packer.json
- name: Remove /usr/bin/python3 symlink to the installed Python
run: |
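Review bot: Every tool version this workflow now installs (Packer, Terraform, shfmt, terraform-docs) and every `BASE_CACHE_KEY` built from them is read from `steps.setup-env`, and that step's action is referenced at the mutable branch ref `cisagov/setup-env-github-action@develop` in the first hunk of the lint job, so the tool set CI runs with can change with no commit to this repository and the cache keys will roll with it. Pinning that action to a tag or commit SHA, e.g. `uses: cisagov/setup-env-github-action@<tag-or-sha>`, would make the installed versions reproducible from this repo's history; the same applies to the matching hunks in prerelease.yml and release.yml. Separately, the Install Packer step still fetches the zip with curl and installs it with no checksum comparison, so the step-scoped `PACKER_VERSION` env added here would be a natural place to also carry the expected checksum and verify the download before it is unzipped; the rest of that step is outside the hunk, so this is inferred from the visible curl line.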
13 changes: 8 additions & 5 deletions .github/workflows/prerelease.yml
@@ -17,7 +17,8 @@ jobs:
prerelease:
runs-on: ubuntu-latest
steps:
- uses: cisagov/setup-env-github-action@develop
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v2
- id: setup-python
uses: actions/setup-python@v2
@@ -27,8 +28,8 @@ jobs:
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-\
packer${{ env.PACKER_VERSION }}-\
tf-${{ env.TERRAFORM_VERSION }}-"
packer${{ steps.setup-env.outputs.packer-version }}-\
tf-${{ steps.setup-env.outputs.terraform-version }}-"
with:
path: |
${{ env.PIP_CACHE_DIR }}
@@ -40,6 +41,8 @@ jobs:
- name: Setup curl cache
run: mkdir -p ${{ env.CURL_CACHE_DIR }}
- name: Install Packer
env:
PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
run: |
PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip"
curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
@@ -52,7 +55,7 @@ jobs:
sudo ln -s /opt/packer/packer /usr/local/bin/packer
- uses: hashicorp/setup-terraform@v1
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
@@ -84,7 +87,7 @@ jobs:
GITHUB_IS_PRERELEASE: ${{ github.event.release.prerelease }}
GITHUB_RELEASE_TAG: ${{ github.event.release.tag_name }}
GITHUB_RELEASE_URL: ${{ github.event.release.html_url }}
run: packer build --timestamp-ui src/packer.json
run: packer build -timestamp-ui src/packer.json
- name: Remove /usr/bin/python3 symlink to the installed python
run: |
sudo mv /usr/bin/python3-default /usr/bin/python3
13 changes: 8 additions & 5 deletions .github/workflows/release.yml
@@ -24,7 +24,8 @@ jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: cisagov/setup-env-github-action@develop
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v2
- id: setup-python
uses: actions/setup-python@v2
@@ -34,8 +35,8 @@ jobs:
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-\
packer${{ env.PACKER_VERSION }}-\
tf-${{ env.TERRAFORM_VERSION }}-"
packer${{ steps.setup-env.outputs.packer-version }}-\
tf-${{ steps.setup-env.outputs.terraform-version }}-"
with:
path: |
${{ env.PIP_CACHE_DIR }}
@@ -47,6 +48,8 @@ jobs:
- name: Setup curl cache
run: mkdir -p ${{ env.CURL_CACHE_DIR }}
- name: Install Packer
env:
PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
run: |
PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip"
curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
@@ -59,7 +62,7 @@ jobs:
sudo ln -s /opt/packer/packer /usr/local/bin/packer
- uses: hashicorp/setup-terraform@v1
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
@@ -99,7 +102,7 @@ jobs:
GITHUB_IS_PRERELEASE: ${{ github.event.release.prerelease }}
GITHUB_RELEASE_TAG: ${{ github.event.release.tag_name }}
GITHUB_RELEASE_URL: ${{ github.event.release.html_url }}
run: packer build --timestamp-ui src/packer.json
run: packer build -timestamp-ui src/packer.json
- name: Remove /usr/bin/python3 symlink to the installed python
run: |
sudo mv /usr/bin/python3-default /usr/bin/python3
20 changes: 9 additions & 11 deletions .pre-commit-config.yaml
@@ -31,25 +31,25 @@ repos:

# Text file hooks
- repo: https://github.com/igorshubovych/markdownlint-cli
rev: v0.28.1
rev: v0.29.0
hooks:
- id: markdownlint
args:
- --config=.mdl_config.yaml
- repo: https://github.com/pre-commit/mirrors-prettier
rev: v2.3.2
rev: v2.4.1
hooks:
- id: prettier
- repo: https://github.com/adrienverge/yamllint
rev: v1.26.2
rev: v1.26.3
hooks:
- id: yamllint
args:
- --strict

# pre-commit hooks
- repo: https://github.com/pre-commit/pre-commit
rev: v2.14.0
rev: v2.15.0
hooks:
- id: validate_manifest

@@ -90,7 +90,7 @@ repos:
name: bandit (everything else)
exclude: tests
- repo: https://github.com/psf/black
rev: 21.7b0
rev: 21.9b0
hooks:
- id: black
- repo: https://gitlab.com/pycqa/flake8
@@ -104,26 +104,24 @@ repos:
hooks:
- id: isort
- repo: https://github.com/pre-commit/mirrors-mypy
rev: v0.910
rev: v0.910-1
hooks:
- id: mypy
- repo: https://github.com/asottile/pyupgrade
rev: v2.23.3
rev: v2.29.0
hooks:
- id: pyupgrade

# Ansible hooks
- repo: https://github.com/ansible-community/ansible-lint
# This is intentionally being held back because of issues in v5 per
# https://github.com/cisagov/skeleton-ansible-role/issues/69
rev: v4.3.7
rev: v5.2.1
hooks:
- id: ansible-lint
# files: molecule/default/playbook.yml

# Terraform hooks
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.50.0
rev: v1.52.0
hooks:
- id: terraform_fmt
- id: terraform_validate
5 changes: 3 additions & 2 deletions terraform-post-packer/main.tf
@@ -56,6 +56,7 @@ module "ami_launch_permission" {
aws.master = aws.master
}

account_name_regex = local.account_name_regex
ami_id = data.aws_ami.example.id
account_name_regex = local.account_name_regex
ami_id = data.aws_ami.example.id
extraorg_account_ids = var.extraorg_account_ids
}
2 changes: 1 addition & 1 deletion terraform-post-packer/outputs.tf
@@ -1,4 +1,4 @@
output "accounts" {
value = module.ami_launch_permission.accounts
description = "A map whose keys are the account names allowed to launch the AMI and whose values are the account IDs and the AMI ID."
description = "A map whose keys are the IDs of the AWS accounts allowed to launch the AMI, and whose values are the aws_ami_launch_permission resources for the corresponding launch permissions."
}
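--- a/terraform-post-packer/variables.tf
+++ b/terraform-post-packer/variables.tf
@@ -0,0 +1,11 @@
+# ------------------------------------------------------------------------------
+# OPTIONAL PARAMETERS
+#
+# These parameters have reasonable defaults.
+# ------------------------------------------------------------------------------
+
+variable "extraorg_account_ids" {
+type = list(string)
+description = "A list of AWS account IDs corresponding to \"extra\" accounts with which you want to share this AMI (e.g. [\"123456789012\"]). Normally this variable is used to share an AMI with accounts that are not a member of the same AWS Organization as the account that owns the AMI."
+default = []
+}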
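Review bot: `extraorg_account_ids` is typed only as `list(string)` and then passed straight into the `ami_launch_permission` module in main.tf, so a mistyped or truncated entry is caught only at apply time, or not at all if it happens to be another valid account ID. Since this list widens who may launch the AMI beyond the owning organization, a `validation` block constraining each element to a 12-digit account ID would reject bad input at plan time; this assumes the configuration's required Terraform version supports `validation` and `alltrue`, which is not visible here.
```hcl
variable "extraorg_account_ids" {
  # … unchanged: type, description, default …

  validation {
    condition     = alltrue([for id in var.extraorg_account_ids : can(regex("^[0-9]{12}$", id))])
    error_message = "Each element of extraorg_account_ids must be a 12-digit AWS account ID."
  }
}
```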