Add Compliance Workflow (#219)

Co-authored-by: Matt Fernandez <matferna@matferna-mac.lab.cheeseburgia.com> Co-authored-by: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
2025-05-01 15:46:06 -06:00
parent 3400e73675
commit 7cfb27600f
10 changed files with 221 additions and 13 deletions
--- a/cloud/README.md
+++ b/cloud/README.md
@@ -19,12 +19,11 @@ This category of demos shows examples of multi-cloud provisioning and management

 ### Jobs

- [**Cloud / Create Infra**](create_infra.yml) - Creates a VPC with required routing and firewall rules for provisioning VMs
- [**Cloud / Create Keypair**](aws_key.yml) - Creates a keypair for connecting to EC2 instances
- [**Cloud / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider
- [**Cloud / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted.
- [**Cloud / Snapshot EC2**](snapshot_ec2.yml) - Snapshot a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be snapshot.
- [**Cloud / Restore EC2 from Snapshot**](snapshot_ec2.yml) - Restore a VM that has been created in a cloud provider.  By default, volumes will be restored from their latest snapshot. VM must be imported into dynamic inventory to be patched.
+- [**Cloud / AWS / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider
+- [**Cloud / AWS / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted.
+- [**Cloud / AWS / Snapshot EC2**](snapshot_ec2.yml) - Snapshot a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be snapshot.
+- [**Cloud / AWS / Restore EC2 from Snapshot**](snapshot_ec2.yml) - Restore a VM that has been created in a cloud provider.  By default, volumes will be restored from their latest snapshot. VM must be imported into dynamic inventory to be patched.
+- [**Cloud / Resize EC2**](resize_ec2.yml) - Re-size an EC2 instance.

 ### Inventory

@@ -59,11 +58,13 @@ After running the setup job template, there are a few steps required to make the

 ## Suggested Usage

-**Cloud / Create Keypair** - The Create Keypair job creates an EC2 keypair which can be used when creating EC2 instances to enable SSH access.
+**Deploy Cloud Stack in AWS** - This workflow builds out many helpful and convient resources in AWS. Given an AWS region, key, and some organizational paremetres for tagging it builds a default VPC, keypair, five VMs (three RHEL and two Windows), and even provides a report for cloud stats. It is the typical starting point for using Ansible Product-Demos in AWS.

 **Cloud / Create VM** - The Create VM job builds a VM in the given provider based on the included `demo.cloud` collection. VM [blueprints](blueprints/) define variables for each provider that override the defaults in the collection. When creating VMs it is recommended to follow naming conventions that can be used as host patterns. (eg. VM names: `win1`, `win2`, `win3`.  Host Pattern: `win*` )

 **Cloud / AWS / Patch EC2 Workflow** - Create a VPC and one or more linux VM(s) in AWS using the `Cloud / Create VPC` and `Cloud / Create VM` templates. Run the workflow and observe the instance snapshots followed by patching operation. Optionally, use the survey to force a patch failure in order to demonstrate the restore path. At this time, the workflow does not support patching Windows instances.

+**Cloud / AWS / Resize EC2** - Given an EC2 instance, change its size. This takes an AWS region, target host pattern, and a target instance size as parameters. As a final step, this job refreshes the AWS inventory so the re-created instance is accessible from AAP.
+
 ## Known Issues
 Azure does not work without a custom execution environment that includes the Azure dependencies.
--- a/cloud/resize_ec2.yml
+++ b/cloud/resize_ec2.yml
@@ -0,0 +1,10 @@
+---
+- name: Resize ec2 instances
+  hosts: "{{ _hosts | default(omit) }}"
+  gather_facts: false
+
+  tasks:
+    - name: Include snapshot role
+      ansible.builtin.include_role:
+        name: "demo.cloud.aws"
+        tasks_from: resize_ec2
--- a/collections/ansible_collections/demo/cloud/roles/aws/tasks/resize_ec2.yml
+++ b/collections/ansible_collections/demo/cloud/roles/aws/tasks/resize_ec2.yml
@@ -0,0 +1,45 @@
+---
+# parameters
+# instance_type: new instance type, e.g. t3.large
+- name: AWS | RESIZE VM
+  delegate_to: localhost
+  vars:
+    controller_dependency_check: false  # noqa: var-naming[no-role-prefix]
+    controller_inventory_sources:
+      - name: AWS Inventory
+        inventory: Demo Inventory
+        organization: Default
+        wait: true
+  block:
+    - name: AWS | RESIZE EC2 | assert required vars
+      ansible.builtin.assert:
+        that:
+          - instance_id is defined
+          - aws_region is defined
+        fail_msg: "instance_id, aws_region is required for resize operations"
+
+    - name: AWS | RESIZE EC2 | shutdown instance
+      amazon.aws.ec2_instance:
+        instance_ids: "{{ instance_id }}"
+        region: "{{ aws_region }}"
+        state: stopped
+        wait: true
+
+    - name: AWS | RESIZE EC2 | update instance type
+      amazon.aws.ec2_instance:
+        region: "{{ aws_region }}"
+        instance_ids: "{{ instance_id }}"
+        instance_type: "{{ instance_type }}"
+        wait: true
+
+    - name: AWS | RESIZE EC2 | start instance
+      amazon.aws.ec2_instance:
+        instance_ids: "{{ instance_id }}"
+        region: "{{ aws_region }}"
+        state: started
+        wait: true
+
+    - name: Synchronize inventory
+      run_once: true
+      ansible.builtin.include_role:
+        name: infra.controller_configuration.inventory_source_update
--- a/collections/ansible_collections/demo/patching/roles/report_linux/tasks/main.yml
+++ b/collections/ansible_collections/demo/patching/roles/report_linux/tasks/main.yml
@@ -31,3 +31,7 @@
 - name: Display link to inventory report
  ansible.builtin.debug:
    msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/linux.html"
+
+- name: Display link with a new path
+  ansible.builtin.debug:
+    msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/linux.html"
--- a/common/setup.yml
+++ b/common/setup.yml
@@ -60,7 +60,8 @@ controller_inventory_sources:
          prefix: purpose
        - key: tags.deployment
          prefix: deployment
-
+        - key: tags.Compliance
+          separator: ''
 controller_groups:
  - name: cloud_aws
    inventory: Demo Inventory
@@ -276,6 +277,44 @@ controller_templates:
          variable: _hosts
          required: true

+  - name: Cloud / AWS / Resize EC2
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+      - Controller Credential
+    project: Ansible Product Demos
+    playbook: cloud/resize_ec2.yml
+    inventory: Demo Inventory
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: AWS Region
+          type: multiplechoice
+          variable: aws_region
+          required: true
+          default: us-east-1
+          choices:
+            - us-east-1
+            - us-east-2
+            - us-west-1
+            - us-west-2
+        - question_name: Specify target hosts
+          type: text
+          variable: _hosts
+          required: true
+
+        - question_name: Specify target instance type
+          type: text
+          variable: instance_type
+          default: t3a.medium
+          required: true
+
 controller_notifications:
  - name: Telemetry
    organization: Default
--- a/linux/compliance.yml
+++ b/linux/compliance.yml
--- a/linux/multi_profile_compliance.yml
+++ b/linux/multi_profile_compliance.yml
@@ -13,4 +13,3 @@
    - name: Run Compliance Profile
      ansible.builtin.include_role:
        name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}"
-...
--- a/linux/multi_profile_compliance_report.yml
+++ b/linux/multi_profile_compliance_report.yml
@@ -9,9 +9,17 @@
      - openscap-utils
      - scap-security-guide
    compliance_profile: ospp
+    # install httpd and use it to host compliance report
    use_httpd: true

  tasks:
+    - name: Assert memory meets minimum requirements
+      ansible.builtin.assert:
+        that:
+          - ansible_memfree_mb >= 1000
+          - ansible_memtotal_mb >= 2000
+        fail_msg: "OpenSCAP is a memory intensive operation, the specified enepoint does not meet minimum requirements. See https://access.redhat.com/articles/6999111 for details."
+
    - name: Get our facts straight
      ansible.builtin.set_fact:
        _profile: '{{ compliance_profile | replace("pci_dss", "pci-dss") }}'
@@ -80,11 +88,28 @@
        group: root
        mode: 0644

+    - name: Debug output for report
+      ansible.builtin.debug:
+        msg: "http://{{ ansible_host }}/oscap-reports/{{ _profile }}/report-{{ ansible_date_time.iso8601 }}.html"
+      when: use_httpd | bool
+
+    - name: Tag instance as {{ compliance_profile | upper }}_OUT_OF_COMPLIANCE  # noqa name[template]
+      delegate_to: localhost
+      amazon.aws.ec2_tag:
+        region: "{{ placement.region }}"
+        resource: "{{ instance_id }}"
+        state: present
+        tags:
+          Compliance: "{{ compliance_profile | upper }}_OUT_OF_COMPLIANCE"
+      when:
+        - _oscap.rc == 2
+        - instance_id is defined
+      become: false
+
  handlers:
    - name: Restart httpd
      ansible.builtin.service:
        name: httpd
        state: restarted
        enabled: true
-
 ...
--- a/linux/remediate_out_of_compliance.yml
+++ b/linux/remediate_out_of_compliance.yml
@@ -0,0 +1,13 @@
+---
+- name: Apply compliance profile as part of workflow.
+  hosts: "{{ compliance_profile | default('stig') | upper }}_OUT_OF_COMPLIANCE"
+  become: true
+  tasks:
+    - name: Check os type
+      ansible.builtin.assert:
+        that: "ansible_os_family == 'RedHat'"
+
+    - name: Run Compliance Profile
+      ansible.builtin.include_role:
+        name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}"
+...
--- a/linux/setup.yml
+++ b/linux/setup.yml
@@ -334,11 +334,33 @@ controller_templates:
            - full
          required: true

+  - name: "LINUX / Compliance Enforce"
+    job_type: run
+    inventory: "Demo Inventory"
+    project: "Ansible Product Demos"
+    playbook: "linux/remediate_out_of_compliance.yml"
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    credentials:
+      - "Demo Credential"
+    extra_vars:
+      sudo_remove_nopasswd: false
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: Server Name or Pattern
+          type: text
+          variable: _hosts
+          required: true
+
  - name: "LINUX / DISA STIG"
    job_type: run
    inventory: "Demo Inventory"
    project: "Ansible Product Demos"
-    playbook: "linux/compliance.yml"
+    playbook: "linux/disa_stig.yml"
    notification_templates_started: Telemetry
    notification_templates_success: Telemetry
    notification_templates_error: Telemetry
@@ -360,12 +382,13 @@ controller_templates:
    job_type: run
    inventory: "Demo Inventory"
    project: "Ansible Product Demos"
-    playbook: "linux/compliance-enforce.yml"
+    playbook: "linux/multi_profile_compliance.yml"
    notification_templates_started: Telemetry
    notification_templates_success: Telemetry
    notification_templates_error: Telemetry
    credentials:
      - "Demo Credential"
+      - "AWS"
    extra_vars:
      # used by CIS profile role
      sudo_require_authentication: false
@@ -406,12 +429,13 @@ controller_templates:
    job_type: run
    inventory: "Demo Inventory"
    project: "Ansible Product Demos"
-    playbook: "linux/compliance-report.yml"
+    playbook: "linux/multi_profile_compliance_report.yml"
    notification_templates_started: Telemetry
    notification_templates_success: Telemetry
    notification_templates_error: Telemetry
    credentials:
      - "Demo Credential"
+      - "AWS"
    survey_enabled: true
    survey:
      name: ''
@@ -492,4 +516,52 @@ controller_templates:
          variable: application
          required: true

+controller_workflows:
+  - name: "Linux / Compliance Workflow"
+    description: A workflow to generate a SCAP report and run enforce on findings
+    organization: Default
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: Server Name or Pattern
+          type: text
+          default: aws_rhel*
+          variable: _hosts
+          required: true
+        - question_name: Compliance Profile
+          type: multiplechoice
+          variable: compliance_profile
+          required: true
+          choices:
+            - cis
+            - cjis
+            - cui
+            - hipaa
+            - ospp
+            - pci_dss
+            - stig
+        - question_name: Use httpd on the target host(s) to access reports locally?
+          type: multiplechoice
+          variable: use_httpd
+          required: true
+          choices:
+            - "true"
+            - "false"
+          default: "true"
+    simplified_workflow_nodes:
+      - identifier: Compliance Report
+        unified_job_template: "LINUX / Multi-profile Compliance Report"
+        success_nodes:
+          - Update Inventory
+      - identifier: Update Inventory
+        unified_job_template: AWS Inventory
+        success_nodes:
+          - Compliance Enforce
+      - identifier: Compliance Enforce
+        unified_job_template: "LINUX / Compliance Enforce"
 ...