fix for pre-commit action

Co-authored-by: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>

.github/workflows/pre-commit.yml

@@ -12,6 +12,8 @@ jobs:
     name: pre-commit
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
-    - uses: actions/setup-python@v3
+    - uses: actions/setup-python@v5
-    - uses: pre-commit/action@v3.0.0
+    - uses: pre-commit/action@v3.0.1
+
+...

.gitignore

@@ -7,6 +7,6 @@ choose_demo_example_aws.yml
 .ansible.cfg
 *.gz
 *artifact*.json
-**/roles/*
+roles/*
-!**/roles/requirements.yml
+!roles/requirements.yml
 .deployment_id

.pre-commit-config.yaml

@@ -4,7 +4,10 @@ repos:
     rev: v4.4.0
     hooks:
       - id: end-of-file-fixer
+        exclude: rhel[89]STIG/.*$
+
       - id: trailing-whitespace
+        exclude: rhel[89]STIG/.*$
 
       - id: check-yaml
         exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$
@@ -26,4 +29,5 @@ repos:
     rev: 23.11.0
     hooks:
       - id: black
+        exclude: rhel[89]STIG/.*$
 ...

CHANGELOG.md

@@ -1,12 +0,0 @@
-# Changelog
-
-All notable changes to this project will be documented in this file.
-
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-
-## [v-0.0.1](https://github.com/ansible/product-demos/-/tree/v-0.0.1) - 2024-01-12
-
-### Added
-
-- Initial release  ([1af584b4ea6d77812bfcb2f6474fee6ee1b13666](https://github.com/ansible/product-demos/-/commit/1af584b4ea6d77812bfcb2f6474fee6ee1b13666))

CONTRIBUTING.md

@@ -18,6 +18,7 @@ This document aims to outline the requirements for the various forms of contribu
 - PRs should be rebased against the `main` branch to avoid conflicts.
 - PRs should not impact more than a single directory/demo section.
 - PRs should not rely on external infrastructure or configuration unless the dependency is automated or specified in the `user_message` of `setup.yml`.
+- PR titles should describe the work done in the PR.  Titles should not be generic ("Added new demo") and should not refer to an issue number ("Fix for issue #123").
 
 ## Adding a New Demo
 1) Create a new branch based on main. (eg. `git checkout -b <branch name>`)
@@ -31,7 +32,7 @@ This document aims to outline the requirements for the various forms of contribu
    1) You can copy paste an existing one and edit it.
    2) Ensure you edit the name, playbook path, survey etc.
 5) Add any needed roles/collections to the [requirements.yml](/collections/requirements.yml)
-6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.aap-product-demos.prod&utm_source=webapp&utm_medium=share-link), specify your branch name within the project configuration.
+6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?search=product&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod), specifying your branch name within the project configuration.
 
 > NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account.
 
@@ -43,13 +44,10 @@ This document aims to outline the requirements for the various forms of contribu
     ---
     user_message: ''
 
-    controller_components:
-    - job_templates
-
     controller_templates:
     ...
     ```
-   - `controller_components` can be any of the roles defined [here](https://github.com/redhat-cop/controller_configuration/tree/devel/roles)
+   - Configuration variables can be from any of the roles defined in the [infra.controller_configuration collection](https://github.com/redhat-cop/controller_configuration/tree/devel/roles)
    - Add variables for each component listed
 3) Include a README.md in the subdirectory
 
@@ -72,76 +70,3 @@ Copy the token value and execute the following command:
 ```bash
 export ANSIBLE_GALAXY_SERVER_AH_TOKEN=<token>
 ```
-
-## Release Process
-
-We follow a structured release process for this project. Here are the steps involved:
-
-1. **Create a Release Branch:**
-   - Start by creating a new release branch from the `main` branch.
-
-   ```bash
-   git checkout -b release/v-<version>
-   ```
-
-2. **Update Changelog:**
-   - Open the `CHANGELOG.md` file to manually add your change to the appropriate section.
-   - Our changelog follows the [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) format and includes the following categories of changes:
-
-     - `Added` for new features.
-     - `Changed` for changes in existing functionality.
-     - `Deprecated` for features that will be removed in upcoming releases.
-     - `Fixed` for bug fixes.
-     - `Removed` for deprecated features that were removed.
-     - `Security` for security-related changes.
-
-   - Add a new entry under the relevant category. Include a brief summary of the change and the merge request commit tag.
-
-     ```markdown
-     ## [Unreleased]
-
-     ### Added
-
-     - New feature or enhancement ([Merge Request Commit](https://github.com/ansible/product-demos/-/commit/<commit-hash>))
-     ```
-
-   - Replace `<commit-hash>` with the actual commit hash from the merge request.
-
-3. **Commit Changes:**
-   - Commit the changes made to the `CHANGELOG.md` file.
-
-   ```bash
-   git add CHANGELOG.md
-   git commit -m "Update CHANGELOG for release <version>"
-   ```
-
-4. **Create a Pull Request:**
-   - Open a pull request from the release branch to the `main` branch.
-
-5. **Review and Merge:**
-   - Review the pull request and merge it into the `main` branch.
-
-6. **Tag the Release:**
-   - Once the pull request is merged, tag the release with the version number.
-
-   ```bash
-   git tag -a v-<version> -m "Release <version>"
-   git push origin v-<version>
-   ```
-
-7. **Publish the Release:**
-   - After the successful completion of the pull request and merging into the `main` branch, an automatic GitHub Action will be triggered to publish the release.
-
-     The GitHub Action will perform the following steps:
-     - Parse the `CHANGELOG.md` file.
-     - Generate a release note based on the changes.
-     - Attach relevant files (such as `LICENSE`, `CHANGELOG.md`, and the generated `CHANGELOG.txt`) to the GitHub Release.
-
-     No manual intervention is required for this step; the GitHub Action will handle the release process automatically.
-
-8. **Cleanup:**
-   - Delete the release branch.
-
-   ```bash
-   git branch -d release/v-<version>
-   ```

GOALS.md

@@ -0,0 +1,29 @@
+# GOALS
+
+## Why does the Ansible Product Demos (APD) project exist?
+
+The Ansible Product Demos (APD) project is a field-driven repository of common, reusable AAP config-as-code content meant to be used for demos and proof-of-concept scenarios.
+
+## Who is the audience for APD?
+
+The main audience for APD are people in a technical pre-sales role who want to demo AAP capabilities to customers.
+
+Pre-sales personas include:
+- Account Solution Architects - Run simple demos for customers
+- Automation Specialists - Run more complex demos, or use APD as example content for hackathons, PoCs, etc.
+
+A long-term goal is to ensure all APD content is solid enough to allow a customer to install the demos in their environment and use the workflows and job templates with confidence.
+
+Customer personas include:
+- Customers evaluating AAP who want pre-built content to explore
+
+## What are the project goals?
+
+### Primary Goals
+- Build a curated set of demos that are widely impactful and reusable
+- Keep existent content well-maintained and up-to-date
+- Support a target environment of demo.redhat.com for Red Hat technical sellers and partners
+
+### Secondary Goals
+- target environment of a customer environment where installation and configuration may be slightly different than demo.redhat.com
+- Create additional impactful demos that can be reused across multiple customer accounts

README.md

@@ -19,7 +19,7 @@ If you would like to contribute to this project please refer to [contribution gu
 
 ## Using this project
 
-This project is tested for compatibility with the [demo.redhat.com Product Demos Sandbox]([red.ht/aap-product-demos](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.aap-product-demos.prod&utm_source=webapp&utm_medium=share-link)) lab environment. To use with other Ansible Controller installations, review the [prerequisite documentation](https://github.com/RedHatGov/ansible-tower-samples).
+This project is tested for compatibility with the [demo.redhat.com Product Demos Sandbox](https://demo.redhat.com/catalog?search=product+demos&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod) lab environment. To use with other Ansible Controller installations, review the [prerequisite documentation](https://github.com/RedHatGov/ansible-tower-samples).
 
 > NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account.
 

cloud/README.md

@@ -10,7 +10,7 @@
     - [Configure Credentials](#configure-credentials)
     - [Add Workshop Credential Password](#add-workshop-credential-password)
     - [Remove Inventory Variables](#remove-inventory-variables)
-    - [Getting your Puiblic Key for Create Keypair Job](#getting-your-puiblic-key-for-create-keypair-job)
+    - [Getting your Public Key for Create Keypair Job](#getting-your-public-key-for-create-keypair-job)
   - [Suggested Usage](#suggested-usage)
   - [Known Issues](#known-issues)
 
@@ -49,11 +49,11 @@ After running the setup job template, there are a few steps required to make the
 
 1) Remove Workshop Inventory variables on the Details page of the inventory. Required until [RFE](https://github.com/ansible/workshops/issues/1597]) is complete
 
-### Getting your Puiblic Key for Create Keypair Job
+### Getting your Public Key for Create Keypair Job
 
 1) Connect to the command line of your Controller server. This is easiest to do by opening the VS Code Web Editor from the landing page where you found the Controller login details.
 2) Open a Terminal Window in the VS Code Web Editor.
-3) SSH to one of your linux nodes (eg. `ssh node1`). This should log you into the node as `ec2-user`
+3) SSH to one of your linux nodes (eg. `ssh aws_rhel9`). This should log you into the node as `ec2-user`
 4) `cat .ssh/authorized_keys` and copy the key listed including the  `ssh-rsa` prefix
 
 

cloud/create_vpc.yml

@@ -122,3 +122,12 @@
           Name: "{{ aws_rt_name }}"
           owner: "{{ aws_owner_tag }}"
           purpose: "{{ aws_purpose_tag }}"
+
+    - name: Set VPC stats
+      ansible.builtin.set_stats:
+        data:
+          __aws_region: '{{ create_vm_aws_region }}'
+          __aws_vpc_id: '{{ aws_vpc.vpc.id }}'
+          __aws_vpc_cidr: '{{ aws_vpc_cidr_block }}'
+          __aws_subnet_id: '{{ aws_subnet.subnet.id }}'
+          __aws_subnet_cidr: '{{ aws_subnet_cidr }}'

cloud/setup.yml

@@ -3,122 +3,6 @@ _deployment_id: "{{ lookup('file', playbook_dir + '/.deployment_id') }}"
 
 user_message:
 
-controller_execution_environments:
-  - name: Cloud Services Execution Environment
-    image: quay.io/scottharwell/cloud-ee:latest
-
-controller_projects:
-  - name: Ansible Cloud Content Lab - AWS
-    organization: Default
-    scm_type: git
-    wait: true
-    scm_url: https://github.com/ansible-content-lab/aws.infrastructure_config_demos.git
-    default_environment: Cloud Services Execution Environment
-  - name: Shadowman Lab - Azure
-    organization: Default
-    scm_type: git
-    wait: true
-    scm_url: https://github.com/shadowman-lab/Ansible-Azure.git
-    default_environment: Cloud Services Execution Environment
-
-controller_credentials:
-  - name: AWS
-    credential_type: Amazon Web Services
-    organization: Default
-    update_secrets: false
-    state: exists
-    inputs:
-      username: REPLACEME
-      password: REPLACEME
-
-  - name: AZURE
-    credential_type: Microsoft Azure Resource Manager
-    organization: Default
-    update_secrets: false
-    state: exists
-    inputs:
-      client: REPLACEME
-      password: REPLACEME
-      tenant: REPLACEME
-      subscription: REPLACEME
-
-#  - name: Azure
-#    credential_type: Microsoft Azure Resource Manager
-#    organization: Default
-#    update_secrets: false
-#    inputs:
-#      subscription: REPLACEME
-
-controller_inventory_sources:
-  - name: AWS Inventory
-    organization: Default
-    source: ec2
-    inventory: Demo Inventory
-    credential: AWS
-    overwrite: true
-    source_vars:
-      hostnames:
-        - tag:Name
-      compose:
-        ansible_host: public_ip_address
-        ansible_user: 'ec2-user'
-      groups:
-        cloud_aws: true
-        os_linux: tags.blueprint.startswith('rhel')
-      keyed_groups:
-        - key: platform
-          prefix: os
-        - key: tags.blueprint
-          prefix: blueprint
-        - key: tags.owner
-          prefix: owner
-
-  - name: Azure Inventory
-    organization: Default
-    source: azure_rm
-    inventory: Demo Inventory
-    credential: AZURE
-    overwrite: true
-    #source_vars:
-    #  hostnames:
-    #    - tag:Name
-    #  compose:
-    #    ansible_host: public_ip_address
-    #    ansible_user: 'ec2-user'
-    #  groups:
-    #    cloud_aws: true
-    #    os_linux: tags.blueprint.startswith('rhel')
-    #  keyed_groups:
-    #    - key: platform
-    #     prefix: os
-    #    - key: tags.blueprint
-    #      prefix: blueprint
-    #    - key: tags.owner
-    #      prefix: owner
-
-#  - name: Azure Inventory
-#    organization: Default
-#    source: azure_rm
-#   inventory: Demo Inventory
-#    credential: Azure
-#    execution_environment: Ansible Engine 2.9 execution environment
-#    overwrite: true
-#    source_vars:
-#      hostnames:
-#        - tags.Name
-#        - default
-#      keyed_groups:
-#        - key: os_profile.system
-#          prefix: os
-#      conditional_groups:
-#        cloud_azure: true
-
-controller_groups:
-  - name: cloud_aws
-    inventory: Demo Inventory
-    variables:
-      ansible_user: ec2-user
-
 controller_templates:
   - name: Cloud / AWS / Create Peer Infrastructure
     job_type: run
@@ -180,140 +64,6 @@ controller_templates:
     extra_vars:
       aws_region: us-east-1
 
-  - name: Cloud / AWS / Create VPC
-    job_type: run
-    organization: Default
-    credentials:
-      - AWS
-    project: Ansible official demo project
-    playbook: cloud/create_vpc.yml
-    inventory: Demo Inventory
-    notification_templates_started: Telemetry
-    notification_templates_success: Telemetry
-    notification_templates_error: Telemetry
-    survey_enabled: true
-    survey:
-      name: ''
-      description: ''
-      spec:
-        - question_name: AWS Region
-          type: multiplechoice
-          variable: create_vm_aws_region
-          required: true
-          choices:
-            - us-east-1
-            - us-east-2
-            - us-west-1
-            - us-west-2
-        - question_name: Owner
-          type: text
-          variable: aws_owner_tag
-          required: true
-
-  - name: Cloud / AWS / Create VM
-    job_type: run
-    organization: Default
-    credentials:
-      - AWS
-      - Demo Credential
-    project: Ansible Cloud Content Lab - AWS
-    playbook: playbooks/create_vm.yml
-    inventory: Demo Inventory
-    notification_templates_started: Telemetry
-    notification_templates_success: Telemetry
-    notification_templates_error: Telemetry
-    survey_enabled: true
-    allow_simultaneous: true
-    survey:
-      name: ''
-      description: ''
-      spec:
-        - question_name: AWS Region
-          type: multiplechoice
-          variable: create_vm_aws_region
-          required: true
-          choices:
-            - us-east-1
-            - us-east-2
-            - us-west-1
-            - us-west-2
-        - question_name: Name
-          type: text
-          variable: create_vm_vm_name
-          required: true
-        - question_name: Owner
-          type: text
-          variable: create_vm_vm_owner
-          required: true
-        - question_name: Deployment
-          type: text
-          variable: create_vm_vm_deployment
-          required: true
-        - question_name: Environment
-          type: multiplechoice
-          variable: create_vm_vm_environment
-          required: true
-          choices:
-            - Dev
-            - QA
-            - Prod
-        - question_name: Blueprint
-          type: multiplechoice
-          variable: vm_blueprint
-          required: true
-          choices:
-            - windows_core
-            - windows_full
-            - rhel9
-            - rhel8
-            - rhel7
-            - al2023
-        - question_name: Subnet
-          type: text
-          variable: create_vm_aws_vpc_subnet_name
-          required: true
-          default: aws-test-subnet
-        - question_name: Security Group
-          type: text
-          variable: create_vm_aws_securitygroup_name
-          required: true
-          default: aws-test-sg
-        - question_name: SSH Keypair
-          type: text
-          variable: create_vm_aws_keypair_name
-          required: true
-          default: aws-test-key
-        - question_name: AWS Instance Type (defaults to blueprint value)
-          type: text
-          variable: create_vm_aws_instance_size
-          required: false
-        - question_name: AWS Image Filter (defaults to blueprint value)
-          type: text
-          variable: create_vm_aws_image_filter
-          required: false
-
-  - name: Cloud / AWS / Delete VM
-    job_type: run
-    organization: Default
-    credentials:
-      - AWS
-      - Demo Credential
-    project: Ansible Cloud Content Lab - AWS
-    playbook: playbooks/delete_inventory_vm.yml
-    inventory: Demo Inventory
-    notification_templates_started: Telemetry
-    notification_templates_success: Telemetry
-    notification_templates_error: Telemetry
-    survey_enabled: true
-    survey:
-      name: ''
-      description: ''
-      spec:
-        - question_name: Name or Pattern
-          type: text
-          variable: _hosts
-          required: true
-
   - name: Cloud / AWS / VPC Report
     job_type: run
     organization: Default
@@ -372,45 +122,6 @@ controller_templates:
             - us-west-1
             - us-west-2
 
-  - name: Cloud / AWS / Create Keypair
-    job_type: run
-    organization: Default
-    credentials:
-      - AWS
-    project: Ansible official demo project
-    playbook: cloud/aws_key.yml
-    inventory: Demo Inventory
-    notification_templates_started: Telemetry
-    notification_templates_success: Telemetry
-    notification_templates_error: Telemetry
-    survey_enabled: true
-    survey:
-      name: ''
-      description: ''
-      spec:
-        - question_name: AWS Region
-          type: multiplechoice
-          variable: create_vm_aws_region
-          required: true
-          choices:
-            - us-east-1
-            - us-east-2
-            - us-west-1
-            - us-west-2
-        - question_name: Keypair Name
-          type: text
-          variable: aws_key_name
-          required: true
-          default: aws-test-key
-        - question_name: Keypair Public Key
-          type: textarea
-          variable: aws_public_key
-          required: true
-        - question_name: Owner
-          type: text
-          variable: aws_keypair_owner
-          required: true
-
   - name: Cloud / AWS / Snapshot EC2
     job_type: run
     organization: Default
@@ -496,40 +207,6 @@ controller_templates:
           variable: _hosts
           required: true
 
-  - name: "Cloud / Azure / Create Instance"
-    job_type: run
-    inventory: "Demo Inventory"
-    project: "Shadowman Lab - Azure"
-    playbook: "azure_create_instance.yml"
-    credentials:
-      - AWS
-    notification_templates_started: Telemetry
-    notification_templates_success: Telemetry
-    notification_templates_error: Telemetry
-
-  - name: "Cloud / Azure / Create Storage Account"
-    job_type: run
-    inventory: "Demo Inventory"
-    project: "Shadowman Lab - Azure"
-    playbook: "azure_create_instance.yml"
-    credentials:
-      - AWS
-    notification_templates_started: Telemetry
-    notification_templates_success: Telemetry
-    notification_templates_error: Telemetry
-    survey_enabled: true
-    extra_vars:
-      storage_account_names: demorh
-    survey:
-      name: ''
-      description: ''
-      spec:
-        - question_name: Resource Group Name
-          type: text
-          variable: resource_group_name
-          required: false
-
-
 controller_workflows:
   - name: Deploy Cloud Stack in AWS
     description: A workflow to deploy a cloud stack
@@ -598,6 +275,7 @@ controller_workflows:
           - Deploy RHEL8 Blueprint
           - Deploy RHEL9 Blueprint
           - Deploy Windows Core Blueprint
+          - Deploy Report Server
       - identifier: Deploy Windows GUI Blueprint
         unified_job_template: Cloud / AWS / Create VM
         extra_data:
@@ -634,6 +312,15 @@ controller_workflows:
           - Update Inventory
         failure_nodes:
           - Ticket - Instance Failed
+      - identifier: Deploy Report Server
+        unified_job_template: Cloud / AWS / Create VM
+        extra_data:
+          create_vm_vm_name: reports
+          vm_blueprint: rhel9
+        success_nodes:
+          - Update Inventory
+        failure_nodes:
+          - Ticket - Instance Failed
       - identifier: Ticket - VPC Failed
         unified_job_template: 'SUBMIT FEEDBACK'
         extra_data:

collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml

@@ -137,14 +137,14 @@
     - (cmd_result.stdout|join('\n')).find('ip dns server') != -1
     - iosxeSTIG_stigrule_215823_Manage
 # R-215823 CISC-ND-000470
-- name : stigrule_215823_disable_identd
+# - name : stigrule_215823_disable_identd
-  ignore_errors: "{{ ignore_all_errors }}"
+#   ignore_errors: "{{ ignore_all_errors }}"
-  notify: "save configuration"
+#   notify: "save configuration"
-  ios_config:
+#   ios_config:
-    defaults: yes
+#     defaults: yes
-    lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}"
+#     lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}"
-  when:
+#   when:
-    - iosxeSTIG_stigrule_215823_Manage
+#     - iosxeSTIG_stigrule_215823_Manage
 # R-215823 CISC-ND-000470
 - name : stigrule_215823_disable_finger
   ignore_errors: "{{ ignore_all_errors }}"
@@ -378,9 +378,9 @@
 - name : stigrule_215837_host
   ignore_errors: "{{ ignore_all_errors }}"
   notify: "save configuration"
-  ios_logging:
+  ios_config:
-    dest: host
+    lines:
-    name: "{{ iosxeSTIG_stigrule_215837_host_Name }}"
+      - "logging {{ iosxeSTIG_stigrule_215837_host_Name }}"
   when: iosxeSTIG_stigrule_215837_Manage
 # R-215837 CISC-ND-001000
 # Please configure name IP address to a valid one.
@@ -397,16 +397,18 @@
 - name : stigrule_215838_ntp_server_1
   ignore_errors: "{{ ignore_all_errors }}"
   notify: "save configuration"
-  ios_ntp:
+  cisco.ios.ios_config:
-    server: "{{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}"
+    lines:
+      - "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}"
   when: iosxeSTIG_stigrule_215838_Manage
 # R-215838 CISC-ND-001030
 # Replace ntp servers' IP address before enabling.
 - name : stigrule_215838_ntp_server_2
   ignore_errors: "{{ ignore_all_errors }}"
   notify: "save configuration"
-  ios_ntp:
+  cisco.ios.ios_config:
-    server: "{{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}"
+    lines:
+      - "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}"
   when: iosxeSTIG_stigrule_215838_Manage
 # R-215840 CISC-ND-001050
 # service timestamps log datetime localtime is set in 215817.

collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py

@@ -1,5 +1,4 @@
-from __future__ import absolute_import, division, print_function
+from __future__ import (absolute_import, division, print_function)
-
 __metaclass__ = type
 
 from ansible.plugins.callback import CallbackBase
@@ -12,82 +11,76 @@ import os
 import xml.etree.ElementTree as ET
 import xml.dom.minidom
 
-
 class CallbackModule(CallbackBase):
     CALLBACK_VERSION = 2.0
-    CALLBACK_TYPE = "xml"
+    CALLBACK_TYPE = 'xml'
-    CALLBACK_NAME = "stig_xml"
+    CALLBACK_NAME = 'stig_xml'
 
     CALLBACK_NEEDS_WHITELIST = True
 
     def _get_STIG_path(self):
-        cwd = os.path.abspath(".")
+        cwd = os.path.abspath('.')
         for dirpath, dirs, files in os.walk(cwd):
-            if os.path.sep + "files" in dirpath and ".xml" in files[0]:
+            if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
                 return os.path.join(cwd, dirpath, files[0])
 
     def __init__(self):
         super(CallbackModule, self).__init__()
         self.rules = {}
-        self.stig_path = os.environ.get("STIG_PATH")
+        self.stig_path = os.environ.get('STIG_PATH')
-        self.XML_path = os.environ.get("XML_PATH")
+        self.XML_path = os.environ.get('XML_PATH')
         if self.stig_path is None:
             self.stig_path = self._get_STIG_path()
-        self._display.display("Using STIG_PATH: {}".format(self.stig_path))
+        self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
         if self.XML_path is None:
             self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
-        self._display.display("Using XML_PATH: {}".format(self.XML_path))
+        self._display.display('Using XML_PATH: {}'.format(self.XML_path))
 
         print("Writing: {}".format(self.XML_path))
         STIG_name = os.path.basename(self.stig_path)
-        ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
+        ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
-        self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
+        self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
-        self.tr.set(
+        self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
-            "id",
-            "xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
-        )
         endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
-        self.tr.set("end-time", endtime)
+        self.tr.set('end-time', endtime)
-        tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
+        tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
         tg.text = platform.node()
 
     def _get_rev(self, nid):
-        with open(self.stig_path, "r") as f:
+        with open(self.stig_path, 'r') as f:
-            r = "SV-{}r(?P<rev>\d+)_rule".format(nid)
+            r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
             m = re.search(r, f.read())
         if m:
-            rev = m.group("rev")
+            rev = m.group('rev')
         else:
-            rev = "0"
+            rev = '0'
         return rev
 
     def v2_runner_on_ok(self, result):
         name = result._task.get_name()
-        m = re.search("stigrule_(?P<id>\d+)", name)
+        m = re.search('stigrule_(?P<id>\d+)', name)
         if m:
-            nid = m.group("id")
+            nid = m.group('id')
         else:
             return
         rev = self._get_rev(nid)
         key = "{}r{}".format(nid, rev)
-        if self.rules.get(key, "Unknown") != False:
+        if self.rules.get(key, 'Unknown') != False:
             self.rules[key] = result.is_changed()
 
     def v2_playbook_on_stats(self, stats):
         for rule, changed in self.rules.items():
-            state = "fail" if changed else "pass"
+            state = 'fail' if changed else 'pass'
-            rr = ET.SubElement(
+            rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
-                self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
+            rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
-            )
+            rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
-            rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
-            rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
             rs.text = state
         passing = len(self.rules) - sum(self.rules.values())
-        sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
+        sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
-        sc.set("maximum", str(len(self.rules)))
+        sc.set('maximum', str(len(self.rules)))
-        sc.set("system", "urn:xccdf:scoring:flat-unweighted")
+        sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
         sc.text = str(passing)
-        with open(self.XML_path, "wb") as f:
+        with open(self.XML_path, 'wb') as f:
             out = ET.tostring(self.tr)
-            pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
+            pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
             f.write(pretty)

collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml

@@ -142,9 +142,6 @@ rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true'
 rhel8STIG_stigrule_230348_Manage: True
 rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State: installed
 rhel8STIG_stigrule_230348__etc_tmux_conf_Line: 'set -g lock-command vlock'
-# R-230349 RHEL-08-020041
-rhel8STIG_stigrule_230349_Manage: True
-rhel8STIG_stigrule_230349__etc_bashrc_Line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
 # R-230352 RHEL-08-020060
 rhel8STIG_stigrule_230352_Manage: True
 rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
@@ -232,9 +229,6 @@ rhel8STIG_stigrule_230394__etc_audit_auditd_conf_Line: 'name_format = hostname'
 # R-230395 RHEL-08-030063
 rhel8STIG_stigrule_230395_Manage: True
 rhel8STIG_stigrule_230395__etc_audit_auditd_conf_Line: 'log_format = ENRICHED'
-# R-230396 RHEL-08-030070
-rhel8STIG_stigrule_230396_Manage: True
-rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line: 'log_group = root'
 # R-230398 RHEL-08-030090
 # A duplicate of 230396
 # duplicate of 230396
@@ -569,3 +563,6 @@ rhel8STIG_stigrule_244553_net_ipv4_conf_all_accept_redirects_Value: 0
 # R-244554 RHEL-08-040286
 rhel8STIG_stigrule_244554_Manage: True
 rhel8STIG_stigrule_244554__etc_sysctl_d_99_sysctl_conf_Line: 'net.core.bpf_jit_harden = 2'
+# R-256974 RHEL-08-010358
+rhel8STIG_stigrule_256974_Manage: True
+rhel8STIG_stigrule_256974_mailx_State: installed

collections/ansible_collections/demo/compliance/roles/rhel8STIG/tasks/main.yml

@@ -4,7 +4,7 @@
 - name: stigrule_230225_banner
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)banner\s+'
+    regexp: '(?i)^\s*banner\s+'
     line: "{{ rhel8STIG_stigrule_230225_banner_Line }}"
   notify: ssh_restart
   when:
@@ -82,7 +82,7 @@
 - name: stigrule_230244_ClientAliveCountMax
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)ClientAliveCountMax\s+'
+    regexp: '(?i)^\s*ClientAliveCountMax\s+'
     line: "{{ rhel8STIG_stigrule_230244_ClientAliveCountMax_Line }}"
   notify: ssh_restart
   when:
@@ -249,7 +249,7 @@
 - name: stigrule_230288_StrictModes
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)StrictModes\s+'
+    regexp: '(?i)^\s*StrictModes\s+'
     line: "{{ rhel8STIG_stigrule_230288_StrictModes_Line }}"
   notify: ssh_restart
   when:
@@ -259,7 +259,7 @@
 - name: stigrule_230290_IgnoreUserKnownHosts
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)IgnoreUserKnownHosts\s+'
+    regexp: '(?i)^\s*IgnoreUserKnownHosts\s+'
     line: "{{ rhel8STIG_stigrule_230290_IgnoreUserKnownHosts_Line }}"
   notify: ssh_restart
   when:
@@ -269,7 +269,7 @@
 - name: stigrule_230291_KerberosAuthentication
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)KerberosAuthentication\s+'
+    regexp: '(?i)^\s*KerberosAuthentication\s+'
     line: "{{ rhel8STIG_stigrule_230291_KerberosAuthentication_Line }}"
   notify: ssh_restart
   when:
@@ -279,7 +279,7 @@
 - name: stigrule_230296_PermitRootLogin
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)PermitRootLogin\s+'
+    regexp: '(?i)^\s*PermitRootLogin\s+'
     line: "{{ rhel8STIG_stigrule_230296_PermitRootLogin_Line }}"
   notify: ssh_restart
   when:
@@ -395,7 +395,7 @@
 - name: stigrule_230330_PermitUserEnvironment
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)PermitUserEnvironment\s+'
+    regexp: '(?i)^\s*PermitUserEnvironment\s+'
     line: "{{ rhel8STIG_stigrule_230330_PermitUserEnvironment_Line }}"
   notify: ssh_restart
   when:
@@ -436,14 +436,6 @@
     create: yes
   when:
     - rhel8STIG_stigrule_230348_Manage
-# R-230349 RHEL-08-020041
-- name: stigrule_230349__etc_bashrc
-  lineinfile:
-    path: /etc/bashrc
-    line: "{{ rhel8STIG_stigrule_230349__etc_bashrc_Line }}"
-    create: yes
-  when:
-    - rhel8STIG_stigrule_230349_Manage
 # R-230352 RHEL-08-020060
 - name: stigrule_230352__etc_dconf_db_local_d_00_screensaver
   ini_file:
@@ -602,7 +594,7 @@
 - name: stigrule_230382_PrintLastLog
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)PrintLastLog\s+'
+    regexp: '(?i)^\s*PrintLastLog\s+'
     line: "{{ rhel8STIG_stigrule_230382_PrintLastLog_Line }}"
   notify: ssh_restart
   when:
@@ -726,16 +718,6 @@
   notify: auditd_restart
   when:
     - rhel8STIG_stigrule_230395_Manage
-# R-230396 RHEL-08-030070
-- name: stigrule_230396__etc_audit_auditd_conf
-  lineinfile:
-    path: /etc/audit/auditd.conf
-    regexp: '^log_group = '
-    line: "{{ rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line }}"
-    create: yes
-  notify: auditd_restart
-  when:
-    - rhel8STIG_stigrule_230396_Manage
 # R-230402 RHEL-08-030121
 - name : stigrule_230402__etc_audit_rules_d_audit_rules_e2
   lineinfile:
@@ -1348,7 +1330,7 @@
 - name: stigrule_230527_RekeyLimit
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)RekeyLimit\s+'
+    regexp: '(?i)^\s*RekeyLimit\s+'
     line: "{{ rhel8STIG_stigrule_230527_RekeyLimit_Line }}"
   notify: ssh_restart
   when:
@@ -1569,7 +1551,7 @@
 - name: stigrule_230555_X11Forwarding
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)X11Forwarding\s+'
+    regexp: '(?i)^\s*X11Forwarding\s+'
     line: "{{ rhel8STIG_stigrule_230555_X11Forwarding_Line }}"
   notify: ssh_restart
   when:
@@ -1579,7 +1561,7 @@
 - name: stigrule_230556_X11UseLocalhost
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)X11UseLocalhost\s+'
+    regexp: '(?i)^\s*X11UseLocalhost\s+'
     line: "{{ rhel8STIG_stigrule_230556_X11UseLocalhost_Line }}"
   notify: ssh_restart
   when:
@@ -1635,7 +1617,7 @@
 - name: stigrule_244525_ClientAliveInterval
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)ClientAliveInterval\s+'
+    regexp: '(?i)^\s*ClientAliveInterval\s+'
     line: "{{ rhel8STIG_stigrule_244525_ClientAliveInterval_Line }}"
   notify: ssh_restart
   when:
@@ -1651,7 +1633,7 @@
 - name: stigrule_244528_GSSAPIAuthentication
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)GSSAPIAuthentication\s+'
+    regexp: '(?i)^\s*GSSAPIAuthentication\s+'
     line: "{{ rhel8STIG_stigrule_244528_GSSAPIAuthentication_Line }}"
   notify: ssh_restart
   when:
@@ -1798,3 +1780,9 @@
     create: yes
   when:
     - rhel8STIG_stigrule_244554_Manage
+# R-256974 RHEL-08-010358
+- name: stigrule_256974_mailx
+  yum:
+    name: mailx
+    state: "{{ rhel8STIG_stigrule_256974_mailx_State }}"
+  when: rhel8STIG_stigrule_256974_Manage

collections/ansible_collections/demo/compliance/roles/rhel9STIG/callback_plugins/stig_xml.py

@@ -0,0 +1,86 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible.plugins.callback import CallbackBase
+from time import gmtime, strftime
+import platform
+import tempfile
+import re
+import sys
+import os
+import xml.etree.ElementTree as ET
+import xml.dom.minidom
+
+class CallbackModule(CallbackBase):
+    CALLBACK_VERSION = 2.0
+    CALLBACK_TYPE = 'xml'
+    CALLBACK_NAME = 'stig_xml'
+
+    CALLBACK_NEEDS_WHITELIST = True
+
+    def _get_STIG_path(self):
+        cwd = os.path.abspath('.')
+        for dirpath, dirs, files in os.walk(cwd):
+            if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
+                return os.path.join(cwd, dirpath, files[0])
+
+    def __init__(self):
+        super(CallbackModule, self).__init__()
+        self.rules = {}
+        self.stig_path = os.environ.get('STIG_PATH')
+        self.XML_path = os.environ.get('XML_PATH')
+        if self.stig_path is None:
+            self.stig_path = self._get_STIG_path()
+        self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
+        if self.XML_path is None:
+            self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
+        self._display.display('Using XML_PATH: {}'.format(self.XML_path))
+
+        print("Writing: {}".format(self.XML_path))
+        STIG_name = os.path.basename(self.stig_path)
+        ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
+        self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
+        self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
+        endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
+        self.tr.set('end-time', endtime)
+        tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
+        tg.text = platform.node()
+
+    def _get_rev(self, nid):
+        with open(self.stig_path, 'r') as f:
+            r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
+            m = re.search(r, f.read())
+        if m:
+            rev = m.group('rev')
+        else:
+            rev = '0'
+        return rev
+
+    def v2_runner_on_ok(self, result):
+        name = result._task.get_name()
+        m = re.search('stigrule_(?P<id>\d+)', name)
+        if m:
+            nid = m.group('id')
+        else:
+            return
+        rev = self._get_rev(nid)
+        key = "{}r{}".format(nid, rev)
+        if self.rules.get(key, 'Unknown') != False:
+            self.rules[key] = result.is_changed()
+
+    def v2_playbook_on_stats(self, stats):
+        for rule, changed in self.rules.items():
+            state = 'fail' if changed else 'pass'
+            rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
+            rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
+            rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
+            rs.text = state
+        passing = len(self.rules) - sum(self.rules.values())
+        sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
+        sc.set('maximum', str(len(self.rules)))
+        sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
+        sc.text = str(passing)
+        with open(self.XML_path, 'wb') as f:
+            out = ET.tostring(self.tr)
+            pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
+            f.write(pretty)

collections/ansible_collections/demo/compliance/roles/rhel9STIG/handlers/main.yml

@@ -0,0 +1,30 @@
+- name: dconf_update
+  command: dconf update
+- name: auditd_restart
+  command: /usr/sbin/service auditd restart
+- name: ssh_restart
+  service:
+    name: sshd
+    state: restarted
+- name: rsyslog_restart
+  service:
+    name: rsyslog
+    state: restarted
+- name: sysctl_load_settings
+  command: sysctl --system
+- name: daemon_reload
+  systemd:
+    daemon_reload: true
+- name: networkmanager_reload
+  service:
+    name: NetworkManager
+    state: reloaded
+- name: logind_restart
+  service:
+    name: systemd-logind
+    state: restarted
+- name: with_faillock_enable
+  command: authselect enable-feature with-faillock
+- name: do_reboot
+  reboot:
+    pre_reboot_delay: 60

collections/ansible_collections/demo/openshift/roles/eda_controller/.yamllint

@@ -0,0 +1,13 @@
+---
+extends: default
+
+rules:
+  comments:
+    require-starting-space: false
+    min-spaces-from-content: 1
+  comments-indentation: disable
+  indentation:
+    indent-sequences: consistent
+  line-length:
+    max: 120
+    allow-non-breakable-inline-mappings: true

collections/ansible_collections/demo/openshift/roles/eda_controller/defaults/main.yml

@@ -0,0 +1,16 @@
+---
+# --------------------------------------------------------
+# Ansible Automation Platform Controller URL
+# --------------------------------------------------------
+# eda_controller_aap_controller_url: [Required]
+
+# --------------------------------------------------------
+# Workload: eda_controller
+# --------------------------------------------------------
+eda_controller_project: "aap"
+eda_controller_project_app_name: "eda-controller"
+
+# eda_controller_admin_password: "{{ common_password }}"
+
+eda_controller_cluster_rolebinding_name: eda_default
+eda_controller_cluster_rolebinding_role: cluster-admin

collections/ansible_collections/demo/openshift/roles/eda_controller/meta/main.yml

@@ -0,0 +1,14 @@
+---
+galaxy_info:
+  role_name: eda_controller
+  author: Mitesh Sharma (mitsharm@redhat.com)
+  description: |
+    Installs EDA on OpenShift
+  license: GPLv3
+  min_ansible_version: "2.9"
+  platforms: []
+  galaxy_tags:
+    - eda
+    - openshift
+    - aap
+dependencies: []

collections/ansible_collections/demo/openshift/roles/eda_controller/readme.adoc

@@ -0,0 +1,6 @@
+== eda_controller
+
+This role installs EDA on OpenShift, mostly copied from https://github.com/redhat-cop/agnosticd/.
+
+== Dependencies
+Role: automation_controller_platform

collections/ansible_collections/demo/openshift/roles/eda_controller/tasks/main.yml

@@ -0,0 +1,54 @@
+---
+- name: Setup environment vars
+  block:
+    - name: Create secret and Install EDA
+      kubernetes.core.k8s:
+        state: present
+        definition: "{{ lookup('template', __definition) }}"
+      loop:
+        - eda_admin_secret.j2
+        - eda_controller.j2
+      loop_control:
+        loop_var: __definition
+
+    - name: Retrieve created route
+      kubernetes.core.k8s_info:
+        api_version: "route.openshift.io/v1"
+        kind: Route
+        name: "{{ eda_controller_project_app_name }}"
+        namespace: "{{ eda_controller_project }}"
+      register: r_eda_route
+      until: r_eda_route.resources[0].spec.host is defined
+      retries: 30
+      delay: 45
+
+    - name: Get eda-controller route hostname
+      ansible.builtin.set_fact:
+        eda_controller_hostname: "{{ r_eda_route.resources[0].spec.host }}"
+
+    - name: Wait for eda_controller to be running
+      ansible.builtin.uri:
+        url: https://{{ eda_controller_hostname }}/api/eda/v1/users/me/awx-tokens/
+        user: "admin"
+        password: "{{ lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD') }}"
+        method: GET
+        force_basic_auth: true
+        validate_certs: false
+        body_format: json
+        status_code: 200
+      register: r_result
+      until: not r_result.failed
+      retries: 60
+      delay: 45
+
+    - name: Create Rolebinding for Rulebook Activations
+      kubernetes.core.k8s:
+        state: present
+        definition: "{{ lookup('template', 'cluster_rolebinding.j2') }}"
+
+    - name: Display EDA Controller URL
+      ansible.builtin.debug:
+        msg:
+          - "EDA Controller URL: https://{{ eda_controller_hostname }}"
+          - "EDA Controller Admin Login: admin"
+          - "EDA Controller Admin Password: <same as the Controller Admin password>"

collections/ansible_collections/demo/openshift/roles/eda_controller/templates/cluster_rolebinding.j2

@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ eda_controller_cluster_rolebinding_name }}
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: {{ eda_controller_project }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ eda_controller_cluster_rolebinding_role }}

collections/ansible_collections/demo/openshift/roles/eda_controller/templates/eda_admin_secret.j2

@@ -0,0 +1,15 @@
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: {{ eda_controller_project_app_name }}-admin-password
+  namespace: {{ eda_controller_project }}
+  labels:
+    app.kubernetes.io/component: eda
+    app.kubernetes.io/managed-by: eda-operator
+    app.kubernetes.io/name: {{ eda_controller_project_app_name }}
+    app.kubernetes.io/operator-version: '2.4'
+    app.kubernetes.io/part-of: {{ eda_controller_project_app_name }}
+data:
+  password: "{{ lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD') | b64encode }}"
+type: Opaque

collections/ansible_collections/demo/openshift/roles/eda_controller/templates/eda_controller.j2

@@ -0,0 +1,26 @@
+---
+apiVersion: eda.ansible.com/v1alpha1
+kind: EDA
+metadata:
+  name: {{ eda_controller_project_app_name }}
+  namespace: {{ eda_controller_project }}
+spec:
+  route_tls_termination_mechanism: Edge
+  ingress_type: Route
+  loadbalancer_port: 80
+  no_log: true
+  image_pull_policy: IfNotPresent
+  ui:
+    replicas: 1
+  set_self_labels: true
+  api:
+    gunicorn_workers: 2
+    replicas: 1
+  redis:
+    replicas: 1
+  admin_user: admin
+  loadbalancer_protocol: http
+  worker:
+    replicas: 3
+  automation_server_url: '{{ lookup('ansible.builtin.env', 'CONTROLLER_HOST') }}'
+  admin_password_secret: {{ eda_controller_project_app_name }}-admin-password

collections/requirements.yml

@@ -1,6 +1,6 @@
 ---
 # This file is mainly used by product-demos CI,
-# See cloin/ee-builds/product-demos-ee/requirements.yml 
+# See cloin/ee-builds/product-demos-ee/requirements.yml
 # for configuring collections and collection versions.
 collections:
   - name: ansible.controller

common/README.md

@@ -0,0 +1,3 @@
+# Common Prerequisites
+
+Demos from some categories (cloud, linux, windows, etc.) have become dependent on controller resources defined in other demo categories.  The setup.yml file in this directory is used to configure these common prerequisites so that they are available before setup for a demo category is called.

common/setup.yml

@@ -0,0 +1,283 @@
+---
+controller_execution_environments:
+  - name: product-demos
+    image: quay.io/acme_corp/product-demos-ee:latest
+  - name: Cloud Services Execution Environment
+    image: quay.io/scottharwell/cloud-ee:latest
+
+controller_organizations:
+  - name: Default
+    default_environment: product-demos
+
+controller_projects:
+  - name: Ansible Cloud Content Lab - AWS
+    organization: Default
+    scm_type: git
+    wait: true
+    scm_url: https://github.com/ansible-content-lab/aws.infrastructure_config_demos.git
+    default_environment: Cloud Services Execution Environment
+
+controller_credentials:
+  - name: AWS
+    credential_type: Amazon Web Services
+    organization: Default
+    update_secrets: false
+    state: exists
+    inputs:
+      username: REPLACEME
+      password: REPLACEME
+
+controller_inventory_sources:
+  - name: AWS Inventory
+    organization: Default
+    source: ec2
+    inventory: Demo Inventory
+    credential: AWS
+    overwrite: true
+    source_vars:
+      hostnames:
+        - tag:Name
+      compose:
+        ansible_host: public_ip_address
+        ansible_user: 'ec2-user'
+      groups:
+        cloud_aws: true
+        os_linux: tags.blueprint.startswith('rhel')
+        os_windows: tags.blueprint.startswith('win')
+      keyed_groups:
+        - key: platform
+          prefix: os
+        - key: tags.blueprint
+          prefix: blueprint
+        - key: tags.owner
+          prefix: owner
+        - key: tags.purpose
+          prefix: purpose
+        - key: tags.deployment
+          prefix: deployment
+
+controller_groups:
+  - name: cloud_aws
+    inventory: Demo Inventory
+    variables:
+      ansible_user: ec2-user
+  - name: os_windows
+    inventory: Demo Inventory
+    variables:
+      ansible_connection: winrm
+      ansible_winrm_transport: credssp
+
+controller_templates:
+  - name: SUBMIT FEEDBACK
+    job_type: run
+    inventory: Demo Inventory
+    project: Ansible official demo project
+    playbook: feedback.yml
+    execution_environment: Default execution environment
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: Name/Email/Contact
+          type: text
+          variable: email
+          required: true
+        - question_name: Issue or Feedback
+          type: textarea
+          variable: feedback
+          required: true
+
+  - name: Cloud / AWS / Create VPC
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+    project: Ansible official demo project
+    playbook: cloud/create_vpc.yml
+    inventory: Demo Inventory
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: AWS Region
+          type: multiplechoice
+          variable: create_vm_aws_region
+          required: true
+          choices:
+            - us-east-1
+            - us-east-2
+            - us-west-1
+            - us-west-2
+        - question_name: Owner
+          type: text
+          variable: aws_owner_tag
+          required: true
+
+  - name: Cloud / AWS / Create Keypair
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+    project: Ansible official demo project
+    playbook: cloud/aws_key.yml
+    inventory: Demo Inventory
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: AWS Region
+          type: multiplechoice
+          variable: create_vm_aws_region
+          required: true
+          choices:
+            - us-east-1
+            - us-east-2
+            - us-west-1
+            - us-west-2
+        - question_name: Keypair Name
+          type: text
+          variable: aws_key_name
+          required: true
+          default: aws-test-key
+        - question_name: Keypair Public Key
+          type: textarea
+          variable: aws_public_key
+          required: true
+        - question_name: Owner
+          type: text
+          variable: aws_keypair_owner
+          required: true
+
+  - name: Cloud / AWS / Create VM
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+      - Demo Credential
+    project: Ansible Cloud Content Lab - AWS
+    playbook: playbooks/create_vm.yml
+    inventory: Demo Inventory
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    survey_enabled: true
+    allow_simultaneous: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: AWS Region
+          type: multiplechoice
+          variable: create_vm_aws_region
+          required: true
+          choices:
+            - us-east-1
+            - us-east-2
+            - us-west-1
+            - us-west-2
+        - question_name: Name
+          type: text
+          variable: create_vm_vm_name
+          required: true
+        - question_name: Owner
+          type: text
+          variable: create_vm_vm_owner
+          required: true
+        - question_name: Deployment
+          type: text
+          variable: create_vm_vm_deployment
+          required: true
+        - question_name: Purpose
+          type: text
+          variable: create_vm_vm_purpose
+          required: true
+          default: demo
+        - question_name: Environment
+          type: multiplechoice
+          variable: create_vm_vm_environment
+          required: true
+          choices:
+            - Dev
+            - QA
+            - Prod
+        - question_name: Blueprint
+          type: multiplechoice
+          variable: vm_blueprint
+          required: true
+          choices:
+            - windows_core
+            - windows_full
+            - rhel9
+            - rhel8
+            - rhel7
+            - al2023
+        - question_name: Subnet
+          type: text
+          variable: create_vm_aws_vpc_subnet_name
+          required: true
+          default: aws-test-subnet
+        - question_name: Security Group
+          type: text
+          variable: create_vm_aws_securitygroup_name
+          required: true
+          default: aws-test-sg
+        - question_name: SSH Keypair
+          type: text
+          variable: create_vm_aws_keypair_name
+          required: true
+          default: aws-test-key
+        - question_name: AWS Instance Type (defaults to blueprint value)
+          type: text
+          variable: create_vm_aws_instance_size
+          required: false
+        - question_name: AWS Image Filter (defaults to blueprint value)
+          type: text
+          variable: create_vm_aws_image_filter
+          required: false
+
+  - name: Cloud / AWS / Delete VM
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+      - Demo Credential
+    project: Ansible Cloud Content Lab - AWS
+    playbook: playbooks/delete_inventory_vm.yml
+    inventory: Demo Inventory
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: Name or Pattern
+          type: text
+          variable: _hosts
+          required: true
+
+controller_notifications:
+  - name: Telemetry
+    organization: Default
+    notification_type: webhook
+    notification_configuration:
+      url: https://script.google.com/macros/s/AKfycbzxUObvCJ6ZbzfJyicw4RvxlGE3AZdrK4AR5-TsedCYd7O-rtTOVjvsRvqyb3rx6B0g8g/exec
+      http_method: POST
+      headers: {}
+
+controller_settings:
+  - name: SESSION_COOKIE_AGE
+    value: 180000

linux/README.md

@@ -60,7 +60,7 @@ Edit the `Linux / System Roles` job to include the list of roles that you wish t
 
 **Linux / Temporary Sudo** - Use this job to show how to grant sudo access with automated cleanup to a server. The user must exist on the system. Using the student user is a good example (ie. student1)
 
-**Linux / Patching** - Use this job to apply updates or audit for missing updates and produce an html report of systems with missing updates. See the end of the job for the URL to view the report. In other environments this report could be uploaded to a wiki, email, other system. This demo also shows installing a webserver on a linux server. The report is places on the system defined by the `report_server` variable. By default, `report_server` is configured as `node1`. This may be overridden with `extra_vars` on the Job Template.
+**Linux / Patching** - Use this job to apply updates or audit for missing updates and produce an html report of systems with missing updates. See the end of the job for the URL to view the report. In other environments this report could be uploaded to a wiki, email, other system. This demo also shows installing a webserver on a linux server. The report is places on the system defined by the `report_server` variable. By default, `report_server` is configured as `reports`. This may be overridden with `extra_vars` on the Job Template.
 
 **Linux / Run Shell Script** - Use this job to demonstrate running shell commands or an existing shell script across a group of systems as root. This can be preferred over using Ad-Hoc commands due to the ability to control usage with RBAC. This is helpful in showing the scalable of execution of an existing shell script. It is always recommended to convert shell scripts to playbooks over time. Example usage would be getting the public key used in the environment with the command `cat .ssh/authorized_keys`.
 

linux/compliance-enforce.yml

@@ -12,5 +12,5 @@
 
     - name: Run Compliance Profile
       ansible.builtin.include_role:
-        name: "redhatofficial.rhel{{ ansible_distribution_major_version }}_{{ compliance_profile }}"
+        name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}"
 ...

linux/patching.yml

@@ -3,7 +3,7 @@
   hosts: "{{ _hosts | default(omit) }}"
   become: true
   vars:
-    report_server: node1
+    report_server: reports
 
   tasks:
     # Install yum-utils if it's not there

linux/setup.yml

@@ -377,6 +377,9 @@ controller_templates:
       # used by the CJIS profile role
       service_firewalld_enabled: false
       firewalld_sshd_port_enabled: false
+      # used by the PCI-DSS profile role
+      firewalld_loopback_traffic_restricted: false
+      firewalld_loopback_traffic_trusted: false
     survey_enabled: true
     survey:
       name: ''
@@ -396,7 +399,7 @@ controller_templates:
             - cui
             - hipaa
             - ospp
-            - pci_dss
+            - pci-dss
             - stig
 
   - name: "LINUX / Multi-profile Compliance Report"

network/report.yml

@@ -35,7 +35,7 @@
   hosts: "{{ report_server }}"
   become: true
   vars:
-    report_server: node1
+    report_server: reports
     web_path: /var/www/html/reports/
 
   tasks:

openshift/eda/install.yml

@@ -0,0 +1,8 @@
+---
+- name: Deploy EDA Controller attached to the same AAP
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Include role
+      ansible.builtin.include_role:
+        name: demo.openshift.eda_controller

openshift/inventory.kubevirt.yml

@@ -5,19 +5,19 @@ connections:
   - namespaces:
       - openshift-cnv
 compose:
-  ansible_user: "'cloud-user' if 'rhel' in annotations['vm.kubevirt.io/os']"
+  ansible_user: "'cloud-user' if 'rhel' in vmi_annotations['vm.kubevirt.io/os']"
-  annotations: "annotations | ansible.utils.replace_keys(target=[
+  vmi_annotations: "vmi_annotations | ansible.utils.replace_keys(target=[
                 {'before':'vm.kubevirt.io/os', 'after':'os'},
                 {'before':'vm.kubevirt.io/flavor', 'after':'flavor'},
                 {'before':'vm.kubevirt.io/workload', 'after':'workload'},
                 {'before':'kubevirt.io/vm-generation', 'after':'vm-generation'},
                 {'before':'kubevirt.io/latest-observed-api-version', 'after':'latest-observed-api-version'},
                 {'before':'kubevirt.io/storage-observed-api-version', 'after':'storage-observed-api-version' }] )"
-  labels: "labels | ansible.utils.replace_keys(target=[
+  labels: "vmi_labels | ansible.utils.replace_keys(target=[
                 {'before':'kubevirt.io/nodeName', 'after':'nodeName'},
                 {'before':'kubevirt.io/size', 'after':'size'},
                 {'before':'kubevirt.io/domain', 'after':'domain' }] )"
 keyed_groups:
-  - key: annotations.os
+  - key: vmi_annotations.os
     prefix: "cnv"
     separator: "_"

openshift/setup.yml

@@ -7,29 +7,6 @@ controller_components:
   - job_templates
   - workflow_job_templates
 
-controller_credential_types:
-  # Ideally, we would not need to use this and could just re-use the OCP credential for the inventory plugin
-  - name: OCPV inventory credential
-    kind: cloud
-    inputs:
-      fields:
-        - id: host
-          type: string
-          label: OpenShift or Kubernetes API Endpoint
-          secret: false
-        - id: bearer_token
-          type: string
-          label: API authentication bearer token
-          secret: true
-        - id: verify_ssl
-          type: boolean
-          label: Verify SSL
-    injectors:
-      env:
-        K8S_AUTH_HOST: "{% raw %}{  { host  }}{% endraw %}"
-        K8S_AUTH_API_KEY: "{% raw %}{  { bearer_token  }}{% endraw %}"
-        K8S_AUTH_VERIFY_SSL: "{% raw %}{  { verify_ssl  }}{% endraw %}"
-
 controller_credentials:
   - name: OpenShift Credential
     organization: Default
@@ -40,26 +17,30 @@ controller_credentials:
       bearer_token: CHANGEME
       verify_ssl: false
 
-  - name: OCP-V Inventory Credential
-    organization: Default
-    credential_type: OCPV inventory credential
-    state: exists
-    inputs:
-      host: CHANGEME
-      bearer_token: CHANGEME
-      verify_ssl: false
-
 controller_inventory_sources:
   - name: OpenShift CNV Inventory
     inventory: Demo Inventory
     source: scm
     source_project: Ansible official demo project
     source_path: openshift/inventory.kubevirt.yml
-    credential: OCP-V Inventory Credential
+    credential: OpenShift Credential
-    update_on_launch: true
+    update_on_launch: false
 
 controller_templates:
-  - name: OpenShift / CNV / Install
+  - name: OpenShift / EDA / Install Controller
+    job_type: run
+    inventory: "Demo Inventory"
+    project: "Ansible official demo project"
+    playbook: "openshift/eda/install.yml"
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    survey_enabled: true
+    credentials:
+      - "OpenShift Credential"
+      - "Controller Credential"
+
+  - name: OpenShift / CNV / Install Operator
     job_type: run
     inventory: "Demo Inventory"
     project: "Ansible official demo project"
@@ -125,7 +106,7 @@ controller_templates:
     notification_templates_error: Telemetry
     survey_enabled: true
     extra_vars:
-      state: absent
+      instance_state: absent
     survey:
       name: ''
       description: ''

roles/requirements.yml

@@ -1,46 +1,46 @@
 ---
 roles:
   # RHEL 7 compliance roles from ComplianceAsCode
-  - name: redhatofficial.rhel7_cis
+  - name: redhatofficial.rhel7-cis
-    version: 0.1.69
+    version: 0.1.72
-  - name: redhatofficial.rhel7_cjis
+  - name: redhatofficial.rhel7-cjis
-    version: 0.1.69
+    version: 0.1.72
-  - name: redhatofficial.rhel7_cui
+  - name: redhatofficial.rhel7-cui
-    version: 0.1.67
+    version: 0.1.72
-  - name: redhatofficial.rhel7_hipaa
+  - name: redhatofficial.rhel7-hipaa
-    version: 0.1.69
+    version: 0.1.72
-  - name: redhatofficial.rhel7_ospp
+  - name: redhatofficial.rhel7-ospp
-    version: 0.1.69
+    version: 0.1.72
-  - name: redhatofficial.rhel7_pci_dss
+  - name: redhatofficial.rhel7-pci-dss
-    version: 0.1.69
+    version: 0.1.72
-  - name: redhatofficial.rhel7_stig
+  - name: redhatofficial.rhel7-stig
-    version: 0.1.69
+    version: 0.1.72
   # RHEL 8 compliance roles from ComplianceAsCode
-  - name: redhatofficial.rhel8_cis
+  - name: redhatofficial.rhel8-cis
-    version: 0.1.69
+    version: 0.1.72
-  - name: redhatofficial.rhel8_cjis
+  - name: redhatofficial.rhel8-cjis
-    version: 0.1.69
+    version: 0.1.72
-  - name: redhatofficial.rhel8_cui
+  - name: redhatofficial.rhel8-cui
-    version: 0.1.69
+    version: 0.1.72
-  - name: redhatofficial.rhel8_hipaa
+  - name: redhatofficial.rhel8-hipaa
-    version: 0.1.69
+    version: 0.1.72
-  - name: redhatofficial.rhel8_ospp
+  - name: redhatofficial.rhel8-ospp
-    version: 0.1.69
+    version: 0.1.72
-  - name: redhatofficial.rhel8_pci_dss
+  - name: redhatofficial.rhel8-pci-dss
-    version: 0.1.69
+    version: 0.1.72
-  - name: redhatofficial.rhel8_stig
+  - name: redhatofficial.rhel8-stig
-    version: 0.1.69
+    version: 0.1.72
   # RHEL 9 compliance roles from ComplianceAsCode
-  - name: redhatofficial.rhel9_cis
+  - name: redhatofficial.rhel9-cis
-    version: 0.1.68
+    version: 0.1.72
-  - name: redhatofficial.rhel9_cui
+  - name: redhatofficial.rhel9-cui
-    version: 0.1.64
+    version: 0.1.72
-  - name: redhatofficial.rhel9_hipaa
+  - name: redhatofficial.rhel9-hipaa
-    version: 0.1.68
+    version: 0.1.72
-  - name: redhatofficial.rhel9_ospp
+  - name: redhatofficial.rhel9-ospp
-    version: 0.1.68
+    version: 0.1.72
-  - name: redhatofficial.rhel9_pci_dss
+  - name: redhatofficial.rhel9-pci-dss
-    version: 0.1.68
+    version: 0.1.72
-  - name: redhatofficial.rhel9_stig
+  - name: redhatofficial.rhel9-stig
-    version: 0.1.64
+    version: 0.1.72
 ...

setup_demo.yml

@@ -1,63 +1,33 @@
 ---
-- name: Setup demo
+- name: Setup common prerequisites
   hosts: localhost
   gather_facts: false
-  tasks:
-    - name: Default Components
-      ansible.builtin.include_role:
-        name: infra.controller_configuration.dispatch
-      vars:  # noqa var-naming[no-role-prefix]
-        controller_execution_environments:
-          - name: product-demos
-            image: quay.io/acme_corp/product-demos-ee:latest
-        controller_organizations:
-          - name: Default
-            default_environment: product-demos
-        controller_notifications:
-          - name: Telemetry
-            organization: Default
-            notification_type: webhook
-            notification_configuration:
-              url: https://script.google.com/macros/s/AKfycbzxUObvCJ6ZbzfJyicw4RvxlGE3AZdrK4AR5-TsedCYd7O-rtTOVjvsRvqyb3rx6B0g8g/exec
-              http_method: POST
-              headers: {}
-        controller_templates:
-          - name: "SUBMIT FEEDBACK"
-            job_type: run
-            inventory: "Demo Inventory"
-            project: "Ansible official demo project"
-            playbook: "feedback.yml"
-            execution_environment: Default execution environment
-            notification_templates_started: Telemetry
-            notification_templates_success: Telemetry
-            notification_templates_error: Telemetry
-            survey_enabled: true
-            survey:
-              name: ''
-              description: ''
-              spec:
-                - question_name: Name/Email/Contact
-                  type: text
-                  variable: email
-                  required: true
-                - question_name: Issue or Feedback
-                  type: textarea
-                  variable: feedback
-                  required: true
-        controller_settings:
-          - name: "SESSION_COOKIE_AGE"
-            value: 180000
 
+  # vars_files should be scoped to a play so variables defined in the
+  # files should not be available in subsequent plays, so certain
+  # resources won't be retried
+  vars_files:
+    - common/setup.yml
+
+  tasks:
     - name: Create reusable deployment ID
       ansible.builtin.set_fact:
         _deployment_id: '{{ lookup("ansible.builtin.password", "{{ playbook_dir }}/.deployment_id", chars=["ascii_lowercase", "digits"], length=5) }}'
 
-    - name: "Include configuration for {{ demo }}"
+    - name: Create common demo resources
+      ansible.builtin.include_role:
+        name: infra.controller_configuration.dispatch
+
+- name: Setup demo
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Include configuration for {{ demo }}
       ansible.builtin.include_vars: "{{ demo }}/setup.yml"
 
     - name: Demo Components
       ansible.builtin.include_role:
-        name: "infra.controller_configuration.dispatch"
+        name: infra.controller_configuration.dispatch
 
     - name: Log Demo
       ansible.builtin.uri:
@@ -70,3 +40,5 @@
       ansible.builtin.debug:
         msg: "{{ user_message }}"
       when: user_message is defined
+
+...

windows/patching.yml

@@ -2,7 +2,7 @@
 - name: Windows updates
   hosts: "{{ _hosts | default('os_windows') }}"
   vars:
-    report_server: win1
+    report_server: aws_win1
 
   tasks:
     - name: Patch windows server