diff --git a/cloud/README.md b/cloud/README.md index 93aeb38..3f65bc0 100644 --- a/cloud/README.md +++ b/cloud/README.md @@ -19,12 +19,11 @@ This category of demos shows examples of multi-cloud provisioning and management ### Jobs -- [**Cloud / Create Infra**](create_infra.yml) - Creates a VPC with required routing and firewall rules for provisioning VMs -- [**Cloud / Create Keypair**](aws_key.yml) - Creates a keypair for connecting to EC2 instances -- [**Cloud / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider -- [**Cloud / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted. -- [**Cloud / Snapshot EC2**](snapshot_ec2.yml) - Snapshot a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be snapshot. -- [**Cloud / Restore EC2 from Snapshot**](snapshot_ec2.yml) - Restore a VM that has been created in a cloud provider. By default, volumes will be restored from their latest snapshot. VM must be imported into dynamic inventory to be patched. +- [**Cloud / AWS / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider +- [**Cloud / AWS / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted. +- [**Cloud / AWS / Snapshot EC2**](snapshot_ec2.yml) - Snapshot a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be snapshot. +- [**Cloud / AWS / Restore EC2 from Snapshot**](snapshot_ec2.yml) - Restore a VM that has been created in a cloud provider. By default, volumes will be restored from their latest snapshot. VM must be imported into dynamic inventory to be patched. +- [**Cloud / Resize EC2**](resize_ec2.yml) - Re-size an EC2 instance. ### Inventory 
@@ -59,11 +58,13 @@ After running the setup job template, there are a few steps required to make the ## Suggested Usage -**Cloud / Create Keypair** - The Create Keypair job creates an EC2 keypair which can be used when creating EC2 instances to enable SSH access. +**Deploy Cloud Stack in AWS** - This workflow builds out many helpful and convient resources in AWS. Given an AWS region, key, and some organizational paremetres for tagging it builds a default VPC, keypair, five VMs (three RHEL and two Windows), and even provides a report for cloud stats. It is the typical starting point for using Ansible Product-Demos in AWS. **Cloud / Create VM** - The Create VM job builds a VM in the given provider based on the included `demo.cloud` collection. VM [blueprints](blueprints/) define variables for each provider that override the defaults in the collection. When creating VMs it is recommended to follow naming conventions that can be used as host patterns. (eg. VM names: `win1`, `win2`, `win3`. Host Pattern: `win*` ) **Cloud / AWS / Patch EC2 Workflow** - Create a VPC and one or more linux VM(s) in AWS using the `Cloud / Create VPC` and `Cloud / Create VM` templates. Run the workflow and observe the instance snapshots followed by patching operation. Optionally, use the survey to force a patch failure in order to demonstrate the restore path. At this time, the workflow does not support patching Windows instances. +**Cloud / AWS / Resize EC2** - Given an EC2 instance, change its size. This takes an AWS region, target host pattern, and a target instance size as parameters. As a final step, this job refreshes the AWS inventory so the re-created instance is accessible from AAP. + ## Known Issues Azure does not work without a custom execution environment that includes the Azure dependencies. diff --git a/cloud/resize_ec2.yml b/cloud/resize_ec2.yml new file mode 100644 index 0000000..ccf1e4c --- /dev/null +++ b/cloud/resize_ec2.yml 
@@ -0,0 +1,10 @@ +--- +- name: Resize ec2 instances + hosts: "{{ _hosts | default(omit) }}" + gather_facts: false + + tasks: + - name: Include snapshot role + ansible.builtin.include_role: + name: "demo.cloud.aws" + tasks_from: resize_ec2 diff --git a/collections/ansible_collections/demo/cloud/roles/aws/tasks/resize_ec2.yml b/collections/ansible_collections/demo/cloud/roles/aws/tasks/resize_ec2.yml new file mode 100644 index 0000000..2f596b7 --- /dev/null +++ b/collections/ansible_collections/demo/cloud/roles/aws/tasks/resize_ec2.yml @@ -0,0 +1,45 @@ +--- +# parameters +# instance_type: new instance type, e.g. t3.large +- name: AWS | RESIZE VM + delegate_to: localhost + vars: + controller_dependency_check: false # noqa: var-naming[no-role-prefix] + controller_inventory_sources: + - name: AWS Inventory + inventory: Demo Inventory + organization: Default + wait: true + block: + - name: AWS | RESIZE EC2 | assert required vars + ansible.builtin.assert: + that: + - instance_id is defined + - aws_region is defined + fail_msg: "instance_id, aws_region is required for resize operations" + + - name: AWS | RESIZE EC2 | shutdown instance + amazon.aws.ec2_instance: + instance_ids: "{{ instance_id }}" + region: "{{ aws_region }}" + state: stopped + wait: true + + - name: AWS | RESIZE EC2 | update instance type + amazon.aws.ec2_instance: + region: "{{ aws_region }}" + instance_ids: "{{ instance_id }}" + instance_type: "{{ instance_type }}" + wait: true + + - name: AWS | RESIZE EC2 | start instance + amazon.aws.ec2_instance: + instance_ids: "{{ instance_id }}" + region: "{{ aws_region }}" + state: started + wait: true + + - name: Synchronize inventory + run_once: true + ansible.builtin.include_role: + name: infra.controller_configuration.inventory_source_update diff --git a/collections/ansible_collections/demo/patching/roles/report_linux/tasks/main.yml b/collections/ansible_collections/demo/patching/roles/report_linux/tasks/main.yml index 1bf8b5b..d46d0ec 100644 
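Review bot: The single task in cloud/resize_ec2.yml is named `Include snapshot role` although it includes `tasks_from: resize_ec2`, so the job output will read as a snapshot step; rename it, e.g. `- name: Include resize role`. The playbook declares none of its inputs, so a short header comment stating that `_hosts` is the survey-supplied host pattern and that `instance_id` is expected to come from the AWS dynamic inventory (the README's "VM must be imported into dynamic inventory" caveat) would help whoever launches it standalone.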
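Review bot: The `AWS | RESIZE EC2 | assert required vars` task checks `instance_id` and `aws_region` but not `instance_type`, even though the header comment lists `instance_type` as the parameter and the `update instance type` task templates `{{ instance_type }}` unconditionally; when it is undefined the failure only surfaces after `shutdown instance` has already stopped the VM, leaving it down. Add `- instance_type is defined` to the `that:` list and name it in `fail_msg` so every input is validated before any state change. The corresponding job template survey in common/setup.yml takes `instance_type` as free `text`, so a mistyped type name fails the modify step in the same stopped state; restricting that question to a `multiplechoice` list of supported types would avoid it. The block's `delegate_to: localhost` means each targeted host still runs its own stop/modify/start sequence, which is worth stating in the header comment.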
--- a/collections/ansible_collections/demo/patching/roles/report_linux/tasks/main.yml +++ b/collections/ansible_collections/demo/patching/roles/report_linux/tasks/main.yml @@ -31,3 +31,7 @@ - name: Display link to inventory report ansible.builtin.debug: msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/linux.html" + +- name: Display link with a new path + ansible.builtin.debug: + msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/linux.html" diff --git a/common/setup.yml b/common/setup.yml index 1854a12..3b7bf10 100644 --- a/common/setup.yml +++ b/common/setup.yml @@ -60,7 +60,8 @@ controller_inventory_sources: prefix: purpose - key: tags.deployment prefix: deployment - + - key: tags.Compliance + separator: '' controller_groups: - name: cloud_aws inventory: Demo Inventory @@ -276,6 +277,44 @@ controller_templates: variable: _hosts required: true + - name: Cloud / AWS / Resize EC2 + job_type: run + organization: Default + credentials: + - AWS + - Controller Credential + project: Ansible Product Demos + playbook: cloud/resize_ec2.yml + inventory: Demo Inventory + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: AWS Region + type: multiplechoice + variable: aws_region + required: true + default: us-east-1 + choices: + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 + - question_name: Specify target hosts + type: text + variable: _hosts + required: true + + - question_name: Specify target instance type + type: text + variable: instance_type + default: t3a.medium + required: true + controller_notifications: - name: Telemetry organization: Default diff --git a/linux/compliance.yml b/linux/disa_stig.yml similarity index 100% rename from linux/compliance.yml rename to linux/disa_stig.yml 
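Review bot: The added `Display link with a new path` task prints exactly the same `msg` as the preceding `Display link to inventory report` task, `http://{{ hostvars[report_server]['ansible_host'] }}/reports/linux.html`, so nothing about the path is new and the link is simply shown twice. Either change the `msg` to the path the task name refers to or drop the task. If a second location genuinely exists, a comment such as `# report is also served at <SECOND_PATH>` above the task would make the intent clear.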
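Review bot: The new `- key: tags.Compliance` keyed group in the `@@ -60,7 +60,8 @@` hunk of common/setup.yml sets `separator: ''` and omits `prefix`, unlike the neighbouring entries that all use `prefix:`, and the file does not say why. The effect appears to be that the group name equals the raw tag value, which is what `linux/remediate_out_of_compliance.yml` relies on with `hosts: "{{ compliance_profile | default('stig') | upper }}_OUT_OF_COMPLIANCE"`. A comment above the entry, e.g. `# no prefix/separator on purpose: group name must equal the Compliance tag value (e.g. STIG_OUT_OF_COMPLIANCE) targeted by linux/remediate_out_of_compliance.yml`, would stop a later cleanup from aligning it with the other entries and silently breaking the remediation workflow.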
diff --git a/linux/compliance-enforce.yml b/linux/multi_profile_compliance.yml similarity index 99% rename from linux/compliance-enforce.yml rename to linux/multi_profile_compliance.yml index 36b87c4..2488b8f 100644 --- a/linux/compliance-enforce.yml +++ b/linux/multi_profile_compliance.yml @@ -13,4 +13,3 @@ - name: Run Compliance Profile ansible.builtin.include_role: name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}" -... diff --git a/linux/compliance-report.yml b/linux/multi_profile_compliance_report.yml similarity index 69% rename from linux/compliance-report.yml rename to linux/multi_profile_compliance_report.yml index a1f2274..7b82aa5 100644 --- a/linux/compliance-report.yml +++ b/linux/multi_profile_compliance_report.yml @@ -9,9 +9,17 @@ - openscap-utils - scap-security-guide compliance_profile: ospp + # install httpd and use it to host compliance report use_httpd: true tasks: + - name: Assert memory meets minimum requirements + ansible.builtin.assert: + that: + - ansible_memfree_mb >= 1000 + - ansible_memtotal_mb >= 2000 + fail_msg: "OpenSCAP is a memory intensive operation, the specified enepoint does not meet minimum requirements. See https://access.redhat.com/articles/6999111 for details." + - name: Get our facts straight ansible.builtin.set_fact: _profile: '{{ compliance_profile | replace("pci_dss", "pci-dss") }}' 
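Review bot: The new `Assert memory meets minimum requirements` task tests `ansible_memfree_mb >= 1000`, but that fact excludes reclaimable page cache, so a host with plenty of memory that has simply been running for a while can fail the check; `ansible_memory_mb.nocache.free` is the fact that reflects memory actually available to OpenSCAP, i.e. `- ansible_memory_mb.nocache.free >= 1000`. The `fail_msg` also misspells "endpoint" as `enepoint`. The enclosing play and its remaining tasks continue outside this hunk.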
@@ -80,11 +88,28 @@ group: root mode: 0644 + - name: Debug output for report + ansible.builtin.debug: + msg: "http://{{ ansible_host }}/oscap-reports/{{ _profile }}/report-{{ ansible_date_time.iso8601 }}.html" + when: use_httpd | bool + + - name: Tag instance as {{ compliance_profile | upper }}_OUT_OF_COMPLIANCE # noqa name[template] + delegate_to: localhost + amazon.aws.ec2_tag: + region: "{{ placement.region }}" + resource: "{{ instance_id }}" + state: present + tags: + Compliance: "{{ compliance_profile | upper }}_OUT_OF_COMPLIANCE" + when: + - _oscap.rc == 2 + - instance_id is defined + become: false + handlers: - name: Restart httpd ansible.builtin.service: name: httpd state: restarted enabled: true - ... diff --git a/linux/remediate_out_of_compliance.yml b/linux/remediate_out_of_compliance.yml new file mode 100644 index 0000000..c7e052a --- /dev/null +++ b/linux/remediate_out_of_compliance.yml @@ -0,0 +1,13 @@ +--- +- name: Apply compliance profile as part of workflow. + hosts: "{{ compliance_profile | default('stig') | upper }}_OUT_OF_COMPLIANCE" + become: true + tasks: + - name: Check os type + ansible.builtin.assert: + that: "ansible_os_family == 'RedHat'" + + - name: Run Compliance Profile + ansible.builtin.include_role: + name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}" +... diff --git a/linux/setup.yml b/linux/setup.yml index 1624f57..9fad710 100644 --- a/linux/setup.yml +++ b/linux/setup.yml 
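Review bot: The `Tag instance as ..._OUT_OF_COMPLIANCE` task only ever adds the tag (`state: present` when `_oscap.rc == 2`); nothing removes it when a later scan passes, so a host that has been remediated stays in the `<PROFILE>_OUT_OF_COMPLIANCE` inventory group and is targeted by `linux/remediate_out_of_compliance.yml` on every subsequent workflow run. Add a sibling task with `state: absent` guarded by the passing return code so the tag tracks the current scan result; `_oscap` is registered outside this hunk, and I am assuming it carries oscap's exit codes, where 0 means fully compliant. `placement.region` is also used without the `is defined` guard that `instance_id` gets; if both come from the aws_ec2 inventory that is fine, but a non-AWS host with a stray `instance_id` var would fail on the region template.
```yaml
    # … unchanged: Tag instance as ..._OUT_OF_COMPLIANCE task …
    - name: Remove {{ compliance_profile | upper }}_OUT_OF_COMPLIANCE tag after a clean scan # noqa name[template]
      delegate_to: localhost
      amazon.aws.ec2_tag:
        region: "{{ placement.region }}"
        resource: "{{ instance_id }}"
        state: absent
        tags:
          Compliance: "{{ compliance_profile | upper }}_OUT_OF_COMPLIANCE"
      when:
        - _oscap.rc == 0
        - instance_id is defined
      become: false
```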
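Review bot: `hosts:` in linux/remediate_out_of_compliance.yml falls back to `stig` via `compliance_profile | default('stig')`, but the `Run Compliance Profile` include uses `{{ compliance_profile }}` without the default, so a launch without that variable selects the `STIG_OUT_OF_COMPLIANCE` group and then fails on an undefined variable; use `name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile | default('stig') }}"`, or drop the default in `hosts:` and make the variable mandatory. The play also targets the entire tag-derived group rather than the `_hosts` pattern that the `LINUX / Compliance Enforce` template's survey collects, so any host still carrying the tag from an earlier run is remediated as well; intersecting the patterns, `hosts: "{{ compliance_profile | default('stig') | upper }}_OUT_OF_COMPLIANCE:&{{ _hosts | default('all') }}"`, limits the run to the hosts that were just scanned.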
@@ -334,11 +334,33 @@ controller_templates: - full required: true + - name: "LINUX / Compliance Enforce" + job_type: run + inventory: "Demo Inventory" + project: "Ansible Product Demos" + playbook: "linux/remediate_out_of_compliance.yml" + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + credentials: + - "Demo Credential" + extra_vars: + sudo_remove_nopasswd: false + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: Server Name or Pattern + type: text + variable: _hosts + required: true + - name: "LINUX / DISA STIG" job_type: run inventory: "Demo Inventory" project: "Ansible Product Demos" - playbook: "linux/compliance.yml" + playbook: "linux/disa_stig.yml" notification_templates_started: Telemetry notification_templates_success: Telemetry notification_templates_error: Telemetry @@ -360,12 +382,13 @@ controller_templates: job_type: run inventory: "Demo Inventory" project: "Ansible Product Demos" - playbook: "linux/compliance-enforce.yml" + playbook: "linux/multi_profile_compliance.yml" notification_templates_started: Telemetry notification_templates_success: Telemetry notification_templates_error: Telemetry credentials: - "Demo Credential" + - "AWS" extra_vars: # used by CIS profile role sudo_require_authentication: false @@ -406,12 +429,13 @@ controller_templates: job_type: run inventory: "Demo Inventory" project: "Ansible Product Demos" - playbook: "linux/compliance-report.yml" + playbook: "linux/multi_profile_compliance_report.yml" notification_templates_started: Telemetry notification_templates_success: Telemetry notification_templates_error: Telemetry credentials: - "Demo Credential" + - "AWS" survey_enabled: true survey: name: '' 
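Review bot: The new `LINUX / Compliance Enforce` template has no survey question for `compliance_profile`, yet `linux/remediate_out_of_compliance.yml` derives both the target group and the role name from it, so launching the template outside the workflow silently remediates against the STIG profile (the playbook's default) with no way to choose another. Add a `multiplechoice` question for `compliance_profile` with the same choices the `Linux / Compliance Workflow` survey offers (cis, cjis, cui, hipaa, ospp, pci_dss, stig). The `Server Name or Pattern` question sets `_hosts`, which that playbook does not read, so its answer currently has no effect; either wire it into the play's host pattern or document it as workflow-only with a comment next to the question.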
@@ -492,4 +516,52 @@ controller_templates: variable: application required: true +controller_workflows: + - name: "Linux / Compliance Workflow" + description: A workflow to generate a SCAP report and run enforce on findings + organization: Default + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: Server Name or Pattern + type: text + default: aws_rhel* + variable: _hosts + required: true + - question_name: Compliance Profile + type: multiplechoice + variable: compliance_profile + required: true + choices: + - cis + - cjis + - cui + - hipaa + - ospp + - pci_dss + - stig + - question_name: Use httpd on the target host(s) to access reports locally? + type: multiplechoice + variable: use_httpd + required: true + choices: + - "true" + - "false" + default: "true" + simplified_workflow_nodes: + - identifier: Compliance Report + unified_job_template: "LINUX / Multi-profile Compliance Report" + success_nodes: + - Update Inventory + - identifier: Update Inventory + unified_job_template: AWS Inventory + success_nodes: + - Compliance Enforce + - identifier: Compliance Enforce + unified_job_template: "LINUX / Compliance Enforce" ...
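Review bot: The `simplified_workflow_nodes` order — `Compliance Report`, then `Update Inventory`, then `Compliance Enforce` — carries an implicit dependency the file never states: the report job sets the `Compliance` EC2 tag, the inventory sync turns that tag into the `<PROFILE>_OUT_OF_COMPLIANCE` group, and the enforce playbook targets that group. A comment above the node list, e.g. `# Update Inventory must run between report and enforce: enforce targets the <PROFILE>_OUT_OF_COMPLIANCE group built from the Compliance tag that the report job sets`, would keep a later edit from collapsing the chain. Only `success_nodes` are wired, so a report job that fails (for example on its memory assert) ends the workflow with no remediation, which is presumably intended but worth a sentence in `description`.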