ptoal/product-demos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ptoal:wtome/windows-bsod
Branches Tags
ptoal:main ptoal:fix_ci ptoal:cnv_fixes2 ptoal:jce/cloud-cleanup ptoal:jce/firewalld-fix ptoal:fix_aws_groups ptoal:windows_change_pass ptoal:jce/multi-arch-ee ptoal:abandon-galaxy ptoal:wtome-devspaces ptoal:jce/devcontainer ptoal:jce/ansible-cfg ptoal:jce/disa-update ptoal:jce/apd-org ptoal:jce/session-timeout ptoal:jce/az-fix ptoal:collection ptoal:wtome/2.5 ptoal:usr_app ptoal:wtome/windows-bsod ptoal:jce/goals ptoal:small_fixes ptoal:azure-finops ptoal:csv-inventory ptoal:gitlab_ver ptoal:creds-exist ptoal:rhpd_test ptoal:rhc ptoal:master
ptoal:test ptoal:TEST
..
compare: ptoal:azure-finops
Branches Tags
ptoal:main ptoal:fix_ci ptoal:cnv_fixes2 ptoal:jce/cloud-cleanup ptoal:jce/firewalld-fix ptoal:fix_aws_groups ptoal:windows_change_pass ptoal:jce/multi-arch-ee ptoal:abandon-galaxy ptoal:wtome-devspaces ptoal:jce/devcontainer ptoal:jce/ansible-cfg ptoal:jce/disa-update ptoal:jce/apd-org ptoal:jce/session-timeout ptoal:jce/az-fix ptoal:collection ptoal:wtome/2.5 ptoal:usr_app ptoal:wtome/windows-bsod ptoal:jce/goals ptoal:small_fixes ptoal:azure-finops ptoal:csv-inventory ptoal:gitlab_ver ptoal:creds-exist ptoal:rhpd_test ptoal:rhc ptoal:master
ptoal:test ptoal:TEST

3 Commits
wtome/wind ... azure-fino

Author SHA1 Message Date
willtome
b9de62447f add create storage account 2024-06-20 14:08:11 -04:00
willtome
fc5bd80353 update project source 2024-06-20 13:49:17 -04:00
willtome
6c8507d21b add azure inventory 2024-06-20 13:45:05 -04:00
42 changed files with 1139 additions and 12556 deletions
Expand all files Collapse all files

8
.github/workflows/pre-commit.yml vendored
View File

@@ -12,8 +12,6 @@ jobs:
name: pre-commit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: pre-commit/action@v3.0.1
...
- uses: actions/checkout@v3
- uses: actions/setup-python@v3
- uses: pre-commit/action@v3.0.0

4
.gitignore vendored
View File

@@ -7,6 +7,6 @@ choose_demo_example_aws.yml
.ansible.cfg
*.gz
*artifact*.json
roles/*
!roles/requirements.yml
**/roles/*
!**/roles/requirements.yml
.deployment_id

4
.pre-commit-config.yaml
View File

@@ -4,10 +4,7 @@ repos:
rev: v4.4.0
hooks:
- id: end-of-file-fixer
exclude: rhel[89]STIG/.*$
- id: trailing-whitespace
exclude: rhel[89]STIG/.*$
- id: check-yaml
exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$
@@ -29,5 +26,4 @@ repos:
rev: 23.11.0
hooks:
- id: black
exclude: rhel[89]STIG/.*$
...

12
CHANGELOG.md Normal file
View File

@@ -0,0 +1,12 @@
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [v-0.0.1](https://github.com/ansible/product-demos/-/tree/v-0.0.1) - 2024-01-12
### Added
- Initial release ([1af584b4ea6d77812bfcb2f6474fee6ee1b13666](https://github.com/ansible/product-demos/-/commit/1af584b4ea6d77812bfcb2f6474fee6ee1b13666))

81
CONTRIBUTING.md
View File

@@ -18,7 +18,6 @@ This document aims to outline the requirements for the various forms of contribu
- PRs should be rebased against the `main` branch to avoid conflicts.
- PRs should not impact more than a single directory/demo section.
- PRs should not rely on external infrastructure or configuration unless the dependency is automated or specified in the `user_message` of `setup.yml`.
- PR titles should describe the work done in the PR. Titles should not be generic ("Added new demo") and should not refer to an issue number ("Fix for issue #123").
## Adding a New Demo
1) Create a new branch based on main. (eg. `git checkout -b <branch name>`)
@@ -32,7 +31,7 @@ This document aims to outline the requirements for the various forms of contribu
1) You can copy paste an existing one and edit it.
2) Ensure you edit the name, playbook path, survey etc.
5) Add any needed roles/collections to the [requirements.yml](/collections/requirements.yml)
6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?search=product&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod), specifying your branch name within the project configuration.
6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.aap-product-demos.prod&utm_source=webapp&utm_medium=share-link), specify your branch name within the project configuration.
> NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account.
@@ -44,10 +43,13 @@ This document aims to outline the requirements for the various forms of contribu
---
user_message: ''
controller_components:
- job_templates
controller_templates:
...
```
- Configuration variables can be from any of the roles defined in the [infra.controller_configuration collection](https://github.com/redhat-cop/controller_configuration/tree/devel/roles)
- `controller_components` can be any of the roles defined [here](https://github.com/redhat-cop/controller_configuration/tree/devel/roles)
- Add variables for each component listed
3) Include a README.md in the subdirectory
@@ -70,3 +72,76 @@ Copy the token value and execute the following command:
```bash
export ANSIBLE_GALAXY_SERVER_AH_TOKEN=<token>
```
## Release Process
We follow a structured release process for this project. Here are the steps involved:
1. **Create a Release Branch:**
- Start by creating a new release branch from the `main` branch.
```bash
git checkout -b release/v-<version>
```
2. **Update Changelog:**
- Open the `CHANGELOG.md` file to manually add your change to the appropriate section.
- Our changelog follows the [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) format and includes the following categories of changes:
- `Added` for new features.
- `Changed` for changes in existing functionality.
- `Deprecated` for features that will be removed in upcoming releases.
- `Fixed` for bug fixes.
- `Removed` for deprecated features that were removed.
- `Security` for security-related changes.
- Add a new entry under the relevant category. Include a brief summary of the change and the merge request commit tag.
```markdown
## [Unreleased]
### Added
- New feature or enhancement ([Merge Request Commit](https://github.com/ansible/product-demos/-/commit/<commit-hash>))
```
- Replace `<commit-hash>` with the actual commit hash from the merge request.
3. **Commit Changes:**
- Commit the changes made to the `CHANGELOG.md` file.
```bash
git add CHANGELOG.md
git commit -m "Update CHANGELOG for release <version>"
```
4. **Create a Pull Request:**
- Open a pull request from the release branch to the `main` branch.
5. **Review and Merge:**
- Review the pull request and merge it into the `main` branch.
6. **Tag the Release:**
- Once the pull request is merged, tag the release with the version number.
```bash
git tag -a v-<version> -m "Release <version>"
git push origin v-<version>
```
7. **Publish the Release:**
- After the successful completion of the pull request and merging into the `main` branch, an automatic GitHub Action will be triggered to publish the release.
The GitHub Action will perform the following steps:
- Parse the `CHANGELOG.md` file.
- Generate a release note based on the changes.
- Attach relevant files (such as `LICENSE`, `CHANGELOG.md`, and the generated `CHANGELOG.txt`) to the GitHub Release.
No manual intervention is required for this step; the GitHub Action will handle the release process automatically.
8. **Cleanup:**
- Delete the release branch.
```bash
git branch -d release/v-<version>
```

2
README.md
View File

@@ -19,7 +19,7 @@ If you would like to contribute to this project please refer to [contribution gu
## Using this project
This project is tested for compatibility with the [demo.redhat.com Product Demos Sandbox](https://demo.redhat.com/catalog?search=product+demos&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod) lab environment. To use with other Ansible Controller installations, review the [prerequisite documentation](https://github.com/RedHatGov/ansible-tower-samples).
This project is tested for compatibility with the [demo.redhat.com Product Demos Sandbox]([red.ht/aap-product-demos](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.aap-product-demos.prod&utm_source=webapp&utm_medium=share-link)) lab environment. To use with other Ansible Controller installations, review the [prerequisite documentation](https://github.com/RedHatGov/ansible-tower-samples).
> NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account.

6
cloud/README.md
View File

@@ -10,7 +10,7 @@
- [Configure Credentials](#configure-credentials)
- [Add Workshop Credential Password](#add-workshop-credential-password)
- [Remove Inventory Variables](#remove-inventory-variables)
- [Getting your Public Key for Create Keypair Job](#getting-your-public-key-for-create-keypair-job)
- [Getting your Puiblic Key for Create Keypair Job](#getting-your-puiblic-key-for-create-keypair-job)
- [Suggested Usage](#suggested-usage)
- [Known Issues](#known-issues)
@@ -49,11 +49,11 @@ After running the setup job template, there are a few steps required to make the
1) Remove Workshop Inventory variables on the Details page of the inventory. Required until [RFE](https://github.com/ansible/workshops/issues/1597]) is complete
### Getting your Public Key for Create Keypair Job
### Getting your Puiblic Key for Create Keypair Job
1) Connect to the command line of your Controller server. This is easiest to do by opening the VS Code Web Editor from the landing page where you found the Controller login details.
2) Open a Terminal Window in the VS Code Web Editor.
3) SSH to one of your linux nodes (eg. `ssh aws_rhel9`). This should log you into the node as `ec2-user`
3) SSH to one of your linux nodes (eg. `ssh node1`). This should log you into the node as `ec2-user`
4) `cat .ssh/authorized_keys` and copy the key listed including the `ssh-rsa` prefix

9
cloud/create_vpc.yml
View File

@@ -122,12 +122,3 @@
Name: "{{ aws_rt_name }}"
owner: "{{ aws_owner_tag }}"
purpose: "{{ aws_purpose_tag }}"
- name: Set VPC stats
ansible.builtin.set_stats:
data:
__aws_region: '{{ create_vm_aws_region }}'
__aws_vpc_id: '{{ aws_vpc.vpc.id }}'
__aws_vpc_cidr: '{{ aws_vpc_cidr_block }}'
__aws_subnet_id: '{{ aws_subnet.subnet.id }}'
__aws_subnet_cidr: '{{ aws_subnet_cidr }}'

333
cloud/setup.yml
View File

@@ -3,6 +3,122 @@ _deployment_id: "{{ lookup('file', playbook_dir + '/.deployment_id') }}"
user_message:
controller_execution_environments:
- name: Cloud Services Execution Environment
image: quay.io/scottharwell/cloud-ee:latest
controller_projects:
- name: Ansible Cloud Content Lab - AWS
organization: Default
scm_type: git
wait: true
scm_url: https://github.com/ansible-content-lab/aws.infrastructure_config_demos.git
default_environment: Cloud Services Execution Environment
- name: Shadowman Lab - Azure
organization: Default
scm_type: git
wait: true
scm_url: https://github.com/shadowman-lab/Ansible-Azure.git
default_environment: Cloud Services Execution Environment
controller_credentials:
- name: AWS
credential_type: Amazon Web Services
organization: Default
update_secrets: false
state: exists
inputs:
username: REPLACEME
password: REPLACEME
- name: AZURE
credential_type: Microsoft Azure Resource Manager
organization: Default
update_secrets: false
state: exists
inputs:
client: REPLACEME
password: REPLACEME
tenant: REPLACEME
subscription: REPLACEME
# - name: Azure
# credential_type: Microsoft Azure Resource Manager
# organization: Default
# update_secrets: false
# inputs:
# subscription: REPLACEME
controller_inventory_sources:
- name: AWS Inventory
organization: Default
source: ec2
inventory: Demo Inventory
credential: AWS
overwrite: true
source_vars:
hostnames:
- tag:Name
compose:
ansible_host: public_ip_address
ansible_user: 'ec2-user'
groups:
cloud_aws: true
os_linux: tags.blueprint.startswith('rhel')
keyed_groups:
- key: platform
prefix: os
- key: tags.blueprint
prefix: blueprint
- key: tags.owner
prefix: owner
- name: Azure Inventory
organization: Default
source: azure_rm
inventory: Demo Inventory
credential: AZURE
overwrite: true
#source_vars:
# hostnames:
# - tag:Name
# compose:
# ansible_host: public_ip_address
# ansible_user: 'ec2-user'
# groups:
# cloud_aws: true
# os_linux: tags.blueprint.startswith('rhel')
# keyed_groups:
# - key: platform
# prefix: os
# - key: tags.blueprint
# prefix: blueprint
# - key: tags.owner
# prefix: owner
# - name: Azure Inventory
# organization: Default
# source: azure_rm
# inventory: Demo Inventory
# credential: Azure
# execution_environment: Ansible Engine 2.9 execution environment
# overwrite: true
# source_vars:
# hostnames:
# - tags.Name
# - default
# keyed_groups:
# - key: os_profile.system
# prefix: os
# conditional_groups:
# cloud_azure: true
controller_groups:
- name: cloud_aws
inventory: Demo Inventory
variables:
ansible_user: ec2-user
controller_templates:
- name: Cloud / AWS / Create Peer Infrastructure
job_type: run
@@ -64,6 +180,140 @@ controller_templates:
extra_vars:
aws_region: us-east-1
- name: Cloud / AWS / Create VPC
job_type: run
organization: Default
credentials:
- AWS
project: Ansible official demo project
playbook: cloud/create_vpc.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Owner
type: text
variable: aws_owner_tag
required: true
- name: Cloud / AWS / Create VM
job_type: run
organization: Default
credentials:
- AWS
- Demo Credential
project: Ansible Cloud Content Lab - AWS
playbook: playbooks/create_vm.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
allow_simultaneous: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Name
type: text
variable: create_vm_vm_name
required: true
- question_name: Owner
type: text
variable: create_vm_vm_owner
required: true
- question_name: Deployment
type: text
variable: create_vm_vm_deployment
required: true
- question_name: Environment
type: multiplechoice
variable: create_vm_vm_environment
required: true
choices:
- Dev
- QA
- Prod
- question_name: Blueprint
type: multiplechoice
variable: vm_blueprint
required: true
choices:
- windows_core
- windows_full
- rhel9
- rhel8
- rhel7
- al2023
- question_name: Subnet
type: text
variable: create_vm_aws_vpc_subnet_name
required: true
default: aws-test-subnet
- question_name: Security Group
type: text
variable: create_vm_aws_securitygroup_name
required: true
default: aws-test-sg
- question_name: SSH Keypair
type: text
variable: create_vm_aws_keypair_name
required: true
default: aws-test-key
- question_name: AWS Instance Type (defaults to blueprint value)
type: text
variable: create_vm_aws_instance_size
required: false
- question_name: AWS Image Filter (defaults to blueprint value)
type: text
variable: create_vm_aws_image_filter
required: false
- name: Cloud / AWS / Delete VM
job_type: run
organization: Default
credentials:
- AWS
- Demo Credential
project: Ansible Cloud Content Lab - AWS
playbook: playbooks/delete_inventory_vm.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Name or Pattern
type: text
variable: _hosts
required: true
- name: Cloud / AWS / VPC Report
job_type: run
organization: Default
@@ -122,6 +372,45 @@ controller_templates:
- us-west-1
- us-west-2
- name: Cloud / AWS / Create Keypair
job_type: run
organization: Default
credentials:
- AWS
project: Ansible official demo project
playbook: cloud/aws_key.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Keypair Name
type: text
variable: aws_key_name
required: true
default: aws-test-key
- question_name: Keypair Public Key
type: textarea
variable: aws_public_key
required: true
- question_name: Owner
type: text
variable: aws_keypair_owner
required: true
- name: Cloud / AWS / Snapshot EC2
job_type: run
organization: Default
@@ -207,6 +496,40 @@ controller_templates:
variable: _hosts
required: true
- name: "Cloud / Azure / Create Instance"
job_type: run
inventory: "Demo Inventory"
project: "Shadowman Lab - Azure"
playbook: "azure_create_instance.yml"
credentials:
- AWS
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
- name: "Cloud / Azure / Create Storage Account"
job_type: run
inventory: "Demo Inventory"
project: "Shadowman Lab - Azure"
playbook: "azure_create_instance.yml"
credentials:
- AWS
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
extra_vars:
storage_account_names: demorh
survey:
name: ''
description: ''
spec:
- question_name: Resource Group Name
type: text
variable: resource_group_name
required: false
controller_workflows:
- name: Deploy Cloud Stack in AWS
description: A workflow to deploy a cloud stack
@@ -275,7 +598,6 @@ controller_workflows:
- Deploy RHEL8 Blueprint
- Deploy RHEL9 Blueprint
- Deploy Windows Core Blueprint
- Deploy Report Server
- identifier: Deploy Windows GUI Blueprint
unified_job_template: Cloud / AWS / Create VM
extra_data:
@@ -312,15 +634,6 @@ controller_workflows:
- Update Inventory
failure_nodes:
- Ticket - Instance Failed
- identifier: Deploy Report Server
unified_job_template: Cloud / AWS / Create VM
extra_data:
create_vm_vm_name: reports
vm_blueprint: rhel9
success_nodes:
- Update Inventory
failure_nodes:
- Ticket - Instance Failed
- identifier: Ticket - VPC Failed
unified_job_template: 'SUBMIT FEEDBACK'
extra_data:

32
collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml
View File

@@ -137,14 +137,14 @@
- (cmd_result.stdout|join('\n')).find('ip dns server') != -1
- iosxeSTIG_stigrule_215823_Manage
# R-215823 CISC-ND-000470
# - name : stigrule_215823_disable_identd
# ignore_errors: "{{ ignore_all_errors }}"
# notify: "save configuration"
# ios_config:
# defaults: yes
# lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}"
# when:
# - iosxeSTIG_stigrule_215823_Manage
- name : stigrule_215823_disable_identd
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
ios_config:
defaults: yes
lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}"
when:
- iosxeSTIG_stigrule_215823_Manage
# R-215823 CISC-ND-000470
- name : stigrule_215823_disable_finger
ignore_errors: "{{ ignore_all_errors }}"
@@ -378,9 +378,9 @@
- name : stigrule_215837_host
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
ios_config:
lines:
- "logging {{ iosxeSTIG_stigrule_215837_host_Name }}"
ios_logging:
dest: host
name: "{{ iosxeSTIG_stigrule_215837_host_Name }}"
when: iosxeSTIG_stigrule_215837_Manage
# R-215837 CISC-ND-001000
# Please configure name IP address to a valid one.
@@ -397,18 +397,16 @@
- name : stigrule_215838_ntp_server_1
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
cisco.ios.ios_config:
lines:
- "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}"
ios_ntp:
server: "{{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}"
when: iosxeSTIG_stigrule_215838_Manage
# R-215838 CISC-ND-001030
# Replace ntp servers' IP address before enabling.
- name : stigrule_215838_ntp_server_2
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
cisco.ios.ios_config:
lines:
- "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}"
ios_ntp:
server: "{{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}"
when: iosxeSTIG_stigrule_215838_Manage
# R-215840 CISC-ND-001050
# service timestamps log datetime localtime is set in 215817.

67
collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py
View File

@@ -1,4 +1,5 @@
from __future__ import (absolute_import, division, print_function)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
from ansible.plugins.callback import CallbackBase
@@ -11,76 +12,82 @@ import os
import xml.etree.ElementTree as ET
import xml.dom.minidom
class CallbackModule(CallbackBase):
CALLBACK_VERSION = 2.0
CALLBACK_TYPE = 'xml'
CALLBACK_NAME = 'stig_xml'
CALLBACK_TYPE = "xml"
CALLBACK_NAME = "stig_xml"
CALLBACK_NEEDS_WHITELIST = True
def _get_STIG_path(self):
cwd = os.path.abspath('.')
cwd = os.path.abspath(".")
for dirpath, dirs, files in os.walk(cwd):
if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
if os.path.sep + "files" in dirpath and ".xml" in files[0]:
return os.path.join(cwd, dirpath, files[0])
def __init__(self):
super(CallbackModule, self).__init__()
self.rules = {}
self.stig_path = os.environ.get('STIG_PATH')
self.XML_path = os.environ.get('XML_PATH')
self.stig_path = os.environ.get("STIG_PATH")
self.XML_path = os.environ.get("XML_PATH")
if self.stig_path is None:
self.stig_path = self._get_STIG_path()
self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
self._display.display("Using STIG_PATH: {}".format(self.stig_path))
if self.XML_path is None:
self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
self._display.display('Using XML_PATH: {}'.format(self.XML_path))
self._display.display("Using XML_PATH: {}".format(self.XML_path))
print("Writing: {}".format(self.XML_path))
STIG_name = os.path.basename(self.stig_path)
ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
self.tr.set(
"id",
"xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
)
endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
self.tr.set('end-time', endtime)
tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
self.tr.set("end-time", endtime)
tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
tg.text = platform.node()
def _get_rev(self, nid):
with open(self.stig_path, 'r') as f:
r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
with open(self.stig_path, "r") as f:
r = "SV-{}r(?P<rev>\d+)_rule".format(nid)
m = re.search(r, f.read())
if m:
rev = m.group('rev')
rev = m.group("rev")
else:
rev = '0'
rev = "0"
return rev
def v2_runner_on_ok(self, result):
name = result._task.get_name()
m = re.search('stigrule_(?P<id>\d+)', name)
m = re.search("stigrule_(?P<id>\d+)", name)
if m:
nid = m.group('id')
nid = m.group("id")
else:
return
rev = self._get_rev(nid)
key = "{}r{}".format(nid, rev)
if self.rules.get(key, 'Unknown') != False:
if self.rules.get(key, "Unknown") != False:
self.rules[key] = result.is_changed()
def v2_playbook_on_stats(self, stats):
for rule, changed in self.rules.items():
state = 'fail' if changed else 'pass'
rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
state = "fail" if changed else "pass"
rr = ET.SubElement(
self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
)
rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
rs.text = state
passing = len(self.rules) - sum(self.rules.values())
sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
sc.set('maximum', str(len(self.rules)))
sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
sc.set("maximum", str(len(self.rules)))
sc.set("system", "urn:xccdf:scoring:flat-unweighted")
sc.text = str(passing)
with open(self.XML_path, 'wb') as f:
with open(self.XML_path, "wb") as f:
out = ET.tostring(self.tr)
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
f.write(pretty)

9
collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml
View File

@@ -142,6 +142,9 @@ rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true'
rhel8STIG_stigrule_230348_Manage: True
rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State: installed
rhel8STIG_stigrule_230348__etc_tmux_conf_Line: 'set -g lock-command vlock'
# R-230349 RHEL-08-020041
rhel8STIG_stigrule_230349_Manage: True
rhel8STIG_stigrule_230349__etc_bashrc_Line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
# R-230352 RHEL-08-020060
rhel8STIG_stigrule_230352_Manage: True
rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
@@ -229,6 +232,9 @@ rhel8STIG_stigrule_230394__etc_audit_auditd_conf_Line: 'name_format = hostname'
# R-230395 RHEL-08-030063
rhel8STIG_stigrule_230395_Manage: True
rhel8STIG_stigrule_230395__etc_audit_auditd_conf_Line: 'log_format = ENRICHED'
# R-230396 RHEL-08-030070
rhel8STIG_stigrule_230396_Manage: True
rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line: 'log_group = root'
# R-230398 RHEL-08-030090
# A duplicate of 230396
# duplicate of 230396
@@ -563,6 +569,3 @@ rhel8STIG_stigrule_244553_net_ipv4_conf_all_accept_redirects_Value: 0
# R-244554 RHEL-08-040286
rhel8STIG_stigrule_244554_Manage: True
rhel8STIG_stigrule_244554__etc_sysctl_d_99_sysctl_conf_Line: 'net.core.bpf_jit_harden = 2'
# R-256974 RHEL-08-010358
rhel8STIG_stigrule_256974_Manage: True
rhel8STIG_stigrule_256974_mailx_State: installed

1047
collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml → collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml
View File

File diff suppressed because one or more lines are too long

50
collections/ansible_collections/demo/compliance/roles/rhel8STIG/tasks/main.yml
View File

@@ -4,7 +4,7 @@
- name: stigrule_230225_banner
lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^\s*banner\s+'
regexp: '^\s*(?i)banner\s+'
line: "{{ rhel8STIG_stigrule_230225_banner_Line }}"
notify: ssh_restart
when:
@@ -82,7 +82,7 @@
- name: stigrule_230244_ClientAliveCountMax
lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^\s*ClientAliveCountMax\s+'
regexp: '^\s*(?i)ClientAliveCountMax\s+'
line: "{{ rhel8STIG_stigrule_230244_ClientAliveCountMax_Line }}"
notify: ssh_restart
when:
@@ -249,7 +249,7 @@
- name: stigrule_230288_StrictModes
lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^\s*StrictModes\s+'
regexp: '^\s*(?i)StrictModes\s+'
line: "{{ rhel8STIG_stigrule_230288_StrictModes_Line }}"
notify: ssh_restart
when:
@@ -259,7 +259,7 @@
- name: stigrule_230290_IgnoreUserKnownHosts
lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^\s*IgnoreUserKnownHosts\s+'
regexp: '^\s*(?i)IgnoreUserKnownHosts\s+'
line: "{{ rhel8STIG_stigrule_230290_IgnoreUserKnownHosts_Line }}"
notify: ssh_restart
when:
@@ -269,7 +269,7 @@
- name: stigrule_230291_KerberosAuthentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^\s*KerberosAuthentication\s+'
regexp: '^\s*(?i)KerberosAuthentication\s+'
line: "{{ rhel8STIG_stigrule_230291_KerberosAuthentication_Line }}"
notify: ssh_restart
when:
@@ -279,7 +279,7 @@
- name: stigrule_230296_PermitRootLogin
lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^\s*PermitRootLogin\s+'
regexp: '^\s*(?i)PermitRootLogin\s+'
line: "{{ rhel8STIG_stigrule_230296_PermitRootLogin_Line }}"
notify: ssh_restart
when:
@@ -395,7 +395,7 @@
- name: stigrule_230330_PermitUserEnvironment
lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^\s*PermitUserEnvironment\s+'
regexp: '^\s*(?i)PermitUserEnvironment\s+'
line: "{{ rhel8STIG_stigrule_230330_PermitUserEnvironment_Line }}"
notify: ssh_restart
when:
@@ -436,6 +436,14 @@
create: yes
when:
- rhel8STIG_stigrule_230348_Manage
# R-230349 RHEL-08-020041
- name: stigrule_230349__etc_bashrc
lineinfile:
path: /etc/bashrc
line: "{{ rhel8STIG_stigrule_230349__etc_bashrc_Line }}"
create: yes
when:
- rhel8STIG_stigrule_230349_Manage
# R-230352 RHEL-08-020060
- name: stigrule_230352__etc_dconf_db_local_d_00_screensaver
ini_file:
@@ -594,7 +602,7 @@
- name: stigrule_230382_PrintLastLog
lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^\s*PrintLastLog\s+'
regexp: '^\s*(?i)PrintLastLog\s+'
line: "{{ rhel8STIG_stigrule_230382_PrintLastLog_Line }}"
notify: ssh_restart
when:
@@ -718,6 +726,16 @@
notify: auditd_restart
when:
- rhel8STIG_stigrule_230395_Manage
# R-230396 RHEL-08-030070
- name: stigrule_230396__etc_audit_auditd_conf
lineinfile:
path: /etc/audit/auditd.conf
regexp: '^log_group = '
line: "{{ rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line }}"
create: yes
notify: auditd_restart
when:
- rhel8STIG_stigrule_230396_Manage
# R-230402 RHEL-08-030121
- name : stigrule_230402__etc_audit_rules_d_audit_rules_e2
lineinfile:
@@ -1330,7 +1348,7 @@
- name: stigrule_230527_RekeyLimit
lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^\s*RekeyLimit\s+'
regexp: '^\s*(?i)RekeyLimit\s+'
line: "{{ rhel8STIG_stigrule_230527_RekeyLimit_Line }}"
notify: ssh_restart
when:
@@ -1551,7 +1569,7 @@
- name: stigrule_230555_X11Forwarding
lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^\s*X11Forwarding\s+'
regexp: '^\s*(?i)X11Forwarding\s+'
line: "{{ rhel8STIG_stigrule_230555_X11Forwarding_Line }}"
notify: ssh_restart
when:
@@ -1561,7 +1579,7 @@
- name: stigrule_230556_X11UseLocalhost
lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^\s*X11UseLocalhost\s+'
regexp: '^\s*(?i)X11UseLocalhost\s+'
line: "{{ rhel8STIG_stigrule_230556_X11UseLocalhost_Line }}"
notify: ssh_restart
when:
@@ -1617,7 +1635,7 @@
- name: stigrule_244525_ClientAliveInterval
lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^\s*ClientAliveInterval\s+'
regexp: '^\s*(?i)ClientAliveInterval\s+'
line: "{{ rhel8STIG_stigrule_244525_ClientAliveInterval_Line }}"
notify: ssh_restart
when:
@@ -1633,7 +1651,7 @@
- name: stigrule_244528_GSSAPIAuthentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^\s*GSSAPIAuthentication\s+'
regexp: '^\s*(?i)GSSAPIAuthentication\s+'
line: "{{ rhel8STIG_stigrule_244528_GSSAPIAuthentication_Line }}"
notify: ssh_restart
when:
@@ -1780,9 +1798,3 @@
create: yes
when:
- rhel8STIG_stigrule_244554_Manage
# R-256974 RHEL-08-010358
- name: stigrule_256974_mailx
yum:
name: mailx
state: "{{ rhel8STIG_stigrule_256974_mailx_State }}"
when: rhel8STIG_stigrule_256974_Manage

86
collections/ansible_collections/demo/compliance/roles/rhel9STIG/callback_plugins/stig_xml.py
View File

@@ -1,86 +0,0 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
from ansible.plugins.callback import CallbackBase
from time import gmtime, strftime
import platform
import tempfile
import re
import sys
import os
import xml.etree.ElementTree as ET
import xml.dom.minidom
class CallbackModule(CallbackBase):
CALLBACK_VERSION = 2.0
CALLBACK_TYPE = 'xml'
CALLBACK_NAME = 'stig_xml'
CALLBACK_NEEDS_WHITELIST = True
def _get_STIG_path(self):
cwd = os.path.abspath('.')
for dirpath, dirs, files in os.walk(cwd):
if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
return os.path.join(cwd, dirpath, files[0])
def __init__(self):
super(CallbackModule, self).__init__()
self.rules = {}
self.stig_path = os.environ.get('STIG_PATH')
self.XML_path = os.environ.get('XML_PATH')
if self.stig_path is None:
self.stig_path = self._get_STIG_path()
self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
if self.XML_path is None:
self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
self._display.display('Using XML_PATH: {}'.format(self.XML_path))
print("Writing: {}".format(self.XML_path))
STIG_name = os.path.basename(self.stig_path)
ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
self.tr.set('end-time', endtime)
tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
tg.text = platform.node()
def _get_rev(self, nid):
with open(self.stig_path, 'r') as f:
r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
m = re.search(r, f.read())
if m:
rev = m.group('rev')
else:
rev = '0'
return rev
def v2_runner_on_ok(self, result):
name = result._task.get_name()
m = re.search('stigrule_(?P<id>\d+)', name)
if m:
nid = m.group('id')
else:
return
rev = self._get_rev(nid)
key = "{}r{}".format(nid, rev)
if self.rules.get(key, 'Unknown') != False:
self.rules[key] = result.is_changed()
def v2_playbook_on_stats(self, stats):
for rule, changed in self.rules.items():
state = 'fail' if changed else 'pass'
rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
rs.text = state
passing = len(self.rules) - sum(self.rules.values())
sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
sc.set('maximum', str(len(self.rules)))
sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
sc.text = str(passing)
with open(self.XML_path, 'wb') as f:
out = ET.tostring(self.tr)
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
f.write(pretty)

1011
collections/ansible_collections/demo/compliance/roles/rhel9STIG/defaults/main.yml
View File

File diff suppressed because it is too large Load Diff

7020
collections/ansible_collections/demo/compliance/roles/rhel9STIG/files/U_RHEL_9_STIG_V1R2_Manual-xccdf.xml
View File

File diff suppressed because one or more lines are too long

30
collections/ansible_collections/demo/compliance/roles/rhel9STIG/handlers/main.yml
View File

@@ -1,30 +0,0 @@
- name: dconf_update
command: dconf update
- name: auditd_restart
command: /usr/sbin/service auditd restart
- name: ssh_restart
service:
name: sshd
state: restarted
- name: rsyslog_restart
service:
name: rsyslog
state: restarted
- name: sysctl_load_settings
command: sysctl --system
- name: daemon_reload
systemd:
daemon_reload: true
- name: networkmanager_reload
service:
name: NetworkManager
state: reloaded
- name: logind_restart
service:
name: systemd-logind
state: restarted
- name: with_faillock_enable
command: authselect enable-feature with-faillock
- name: do_reboot
reboot:
pre_reboot_delay: 60

3055
collections/ansible_collections/demo/compliance/roles/rhel9STIG/tasks/main.yml
View File

File diff suppressed because it is too large Load Diff

13
collections/ansible_collections/demo/openshift/roles/eda_controller/.yamllint
View File

@@ -1,13 +0,0 @@
---
extends: default
rules:
comments:
require-starting-space: false
min-spaces-from-content: 1
comments-indentation: disable
indentation:
indent-sequences: consistent
line-length:
max: 120
allow-non-breakable-inline-mappings: true

16
collections/ansible_collections/demo/openshift/roles/eda_controller/defaults/main.yml
View File

@@ -1,16 +0,0 @@
---
# --------------------------------------------------------
# Ansible Automation Platform Controller URL
# --------------------------------------------------------
# eda_controller_aap_controller_url: [Required]
# --------------------------------------------------------
# Workload: eda_controller
# --------------------------------------------------------
eda_controller_project: "aap"
eda_controller_project_app_name: "eda-controller"
# eda_controller_admin_password: "{{ common_password }}"
eda_controller_cluster_rolebinding_name: eda_default
eda_controller_cluster_rolebinding_role: cluster-admin

14
collections/ansible_collections/demo/openshift/roles/eda_controller/meta/main.yml
View File

@@ -1,14 +0,0 @@
---
galaxy_info:
role_name: eda_controller
author: Mitesh Sharma (mitsharm@redhat.com)
description: |
Installs EDA on OpenShift
license: GPLv3
min_ansible_version: "2.9"
platforms: []
galaxy_tags:
- eda
- openshift
- aap
dependencies: []

6
collections/ansible_collections/demo/openshift/roles/eda_controller/readme.adoc
View File

@@ -1,6 +0,0 @@
== eda_controller
This role installs EDA on OpenShift, mostly copied from https://github.com/redhat-cop/agnosticd/.
== Dependencies
Role: automation_controller_platform

54
collections/ansible_collections/demo/openshift/roles/eda_controller/tasks/main.yml
View File

@@ -1,54 +0,0 @@
---
- name: Setup environment vars
block:
- name: Create secret and Install EDA
kubernetes.core.k8s:
state: present
definition: "{{ lookup('template', __definition) }}"
loop:
- eda_admin_secret.j2
- eda_controller.j2
loop_control:
loop_var: __definition
- name: Retrieve created route
kubernetes.core.k8s_info:
api_version: "route.openshift.io/v1"
kind: Route
name: "{{ eda_controller_project_app_name }}"
namespace: "{{ eda_controller_project }}"
register: r_eda_route
until: r_eda_route.resources[0].spec.host is defined
retries: 30
delay: 45
- name: Get eda-controller route hostname
ansible.builtin.set_fact:
eda_controller_hostname: "{{ r_eda_route.resources[0].spec.host }}"
- name: Wait for eda_controller to be running
ansible.builtin.uri:
url: https://{{ eda_controller_hostname }}/api/eda/v1/users/me/awx-tokens/
user: "admin"
password: "{{ lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD') }}"
method: GET
force_basic_auth: true
validate_certs: false
body_format: json
status_code: 200
register: r_result
until: not r_result.failed
retries: 60
delay: 45
- name: Create Rolebinding for Rulebook Activations
kubernetes.core.k8s:
state: present
definition: "{{ lookup('template', 'cluster_rolebinding.j2') }}"
- name: Display EDA Controller URL
ansible.builtin.debug:
msg:
- "EDA Controller URL: https://{{ eda_controller_hostname }}"
- "EDA Controller Admin Login: admin"
- "EDA Controller Admin Password: <same as the Controller Admin password>"

13
collections/ansible_collections/demo/openshift/roles/eda_controller/templates/cluster_rolebinding.j2
View File

@@ -1,13 +0,0 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ eda_controller_cluster_rolebinding_name }}
subjects:
- kind: ServiceAccount
name: default
namespace: {{ eda_controller_project }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ eda_controller_cluster_rolebinding_role }}

15
collections/ansible_collections/demo/openshift/roles/eda_controller/templates/eda_admin_secret.j2
View File

@@ -1,15 +0,0 @@
---
kind: Secret
apiVersion: v1
metadata:
name: {{ eda_controller_project_app_name }}-admin-password
namespace: {{ eda_controller_project }}
labels:
app.kubernetes.io/component: eda
app.kubernetes.io/managed-by: eda-operator
app.kubernetes.io/name: {{ eda_controller_project_app_name }}
app.kubernetes.io/operator-version: '2.4'
app.kubernetes.io/part-of: {{ eda_controller_project_app_name }}
data:
password: "{{ lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD') | b64encode }}"
type: Opaque

26
collections/ansible_collections/demo/openshift/roles/eda_controller/templates/eda_controller.j2
View File

@@ -1,26 +0,0 @@
---
apiVersion: eda.ansible.com/v1alpha1
kind: EDA
metadata:
name: {{ eda_controller_project_app_name }}
namespace: {{ eda_controller_project }}
spec:
route_tls_termination_mechanism: Edge
ingress_type: Route
loadbalancer_port: 80
no_log: true
image_pull_policy: IfNotPresent
ui:
replicas: 1
set_self_labels: true
api:
gunicorn_workers: 2
replicas: 1
redis:
replicas: 1
admin_user: admin
loadbalancer_protocol: http
worker:
replicas: 3
automation_server_url: '{{ lookup('ansible.builtin.env', 'CONTROLLER_HOST') }}'
admin_password_secret: {{ eda_controller_project_app_name }}-admin-password

2
collections/requirements.yml
View File

@@ -1,6 +1,6 @@
---
# This file is mainly used by product-demos CI,
# See cloin/ee-builds/product-demos-ee/requirements.yml
# See cloin/ee-builds/product-demos-ee/requirements.yml
# for configuring collections and collection versions.
collections:
- name: ansible.controller

3
common/README.md
View File

@@ -1,3 +0,0 @@
# Common Prerequisites
Demos from some categories (cloud, linux, windows, etc.) have become dependent on controller resources defined in other demo categories. The setup.yml file in this directory is used to configure these common prerequisites so that they are available before setup for a demo category is called.

283
common/setup.yml
View File

@@ -1,283 +0,0 @@
---
controller_execution_environments:
- name: product-demos
image: quay.io/acme_corp/product-demos-ee:latest
- name: Cloud Services Execution Environment
image: quay.io/scottharwell/cloud-ee:latest
controller_organizations:
- name: Default
default_environment: product-demos
controller_projects:
- name: Ansible Cloud Content Lab - AWS
organization: Default
scm_type: git
wait: true
scm_url: https://github.com/ansible-content-lab/aws.infrastructure_config_demos.git
default_environment: Cloud Services Execution Environment
controller_credentials:
- name: AWS
credential_type: Amazon Web Services
organization: Default
update_secrets: false
state: exists
inputs:
username: REPLACEME
password: REPLACEME
controller_inventory_sources:
- name: AWS Inventory
organization: Default
source: ec2
inventory: Demo Inventory
credential: AWS
overwrite: true
source_vars:
hostnames:
- tag:Name
compose:
ansible_host: public_ip_address
ansible_user: 'ec2-user'
groups:
cloud_aws: true
os_linux: tags.blueprint.startswith('rhel')
os_windows: tags.blueprint.startswith('win')
keyed_groups:
- key: platform
prefix: os
- key: tags.blueprint
prefix: blueprint
- key: tags.owner
prefix: owner
- key: tags.purpose
prefix: purpose
- key: tags.deployment
prefix: deployment
controller_groups:
- name: cloud_aws
inventory: Demo Inventory
variables:
ansible_user: ec2-user
- name: os_windows
inventory: Demo Inventory
variables:
ansible_connection: winrm
ansible_winrm_transport: credssp
controller_templates:
- name: SUBMIT FEEDBACK
job_type: run
inventory: Demo Inventory
project: Ansible official demo project
playbook: feedback.yml
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Name/Email/Contact
type: text
variable: email
required: true
- question_name: Issue or Feedback
type: textarea
variable: feedback
required: true
- name: Cloud / AWS / Create VPC
job_type: run
organization: Default
credentials:
- AWS
project: Ansible official demo project
playbook: cloud/create_vpc.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Owner
type: text
variable: aws_owner_tag
required: true
- name: Cloud / AWS / Create Keypair
job_type: run
organization: Default
credentials:
- AWS
project: Ansible official demo project
playbook: cloud/aws_key.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Keypair Name
type: text
variable: aws_key_name
required: true
default: aws-test-key
- question_name: Keypair Public Key
type: textarea
variable: aws_public_key
required: true
- question_name: Owner
type: text
variable: aws_keypair_owner
required: true
- name: Cloud / AWS / Create VM
job_type: run
organization: Default
credentials:
- AWS
- Demo Credential
project: Ansible Cloud Content Lab - AWS
playbook: playbooks/create_vm.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
allow_simultaneous: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Name
type: text
variable: create_vm_vm_name
required: true
- question_name: Owner
type: text
variable: create_vm_vm_owner
required: true
- question_name: Deployment
type: text
variable: create_vm_vm_deployment
required: true
- question_name: Purpose
type: text
variable: create_vm_vm_purpose
required: true
default: demo
- question_name: Environment
type: multiplechoice
variable: create_vm_vm_environment
required: true
choices:
- Dev
- QA
- Prod
- question_name: Blueprint
type: multiplechoice
variable: vm_blueprint
required: true
choices:
- windows_core
- windows_full
- rhel9
- rhel8
- rhel7
- al2023
- question_name: Subnet
type: text
variable: create_vm_aws_vpc_subnet_name
required: true
default: aws-test-subnet
- question_name: Security Group
type: text
variable: create_vm_aws_securitygroup_name
required: true
default: aws-test-sg
- question_name: SSH Keypair
type: text
variable: create_vm_aws_keypair_name
required: true
default: aws-test-key
- question_name: AWS Instance Type (defaults to blueprint value)
type: text
variable: create_vm_aws_instance_size
required: false
- question_name: AWS Image Filter (defaults to blueprint value)
type: text
variable: create_vm_aws_image_filter
required: false
- name: Cloud / AWS / Delete VM
job_type: run
organization: Default
credentials:
- AWS
- Demo Credential
project: Ansible Cloud Content Lab - AWS
playbook: playbooks/delete_inventory_vm.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Name or Pattern
type: text
variable: _hosts
required: true
controller_notifications:
- name: Telemetry
organization: Default
notification_type: webhook
notification_configuration:
url: https://script.google.com/macros/s/AKfycbzxUObvCJ6ZbzfJyicw4RvxlGE3AZdrK4AR5-TsedCYd7O-rtTOVjvsRvqyb3rx6B0g8g/exec
http_method: POST
headers: {}
controller_settings:
- name: SESSION_COOKIE_AGE
value: 180000

2
linux/README.md
View File

@@ -60,7 +60,7 @@ Edit the `Linux / System Roles` job to include the list of roles that you wish t
**Linux / Temporary Sudo** - Use this job to show how to grant sudo access with automated cleanup to a server. The user must exist on the system. Using the student user is a good example (ie. student1)
**Linux / Patching** - Use this job to apply updates or audit for missing updates and produce an html report of systems with missing updates. See the end of the job for the URL to view the report. In other environments this report could be uploaded to a wiki, email, other system. This demo also shows installing a webserver on a linux server. The report is places on the system defined by the `report_server` variable. By default, `report_server` is configured as `reports`. This may be overridden with `extra_vars` on the Job Template.
**Linux / Patching** - Use this job to apply updates or audit for missing updates and produce an html report of systems with missing updates. See the end of the job for the URL to view the report. In other environments this report could be uploaded to a wiki, email, other system. This demo also shows installing a webserver on a linux server. The report is places on the system defined by the `report_server` variable. By default, `report_server` is configured as `node1`. This may be overridden with `extra_vars` on the Job Template.
**Linux / Run Shell Script** - Use this job to demonstrate running shell commands or an existing shell script across a group of systems as root. This can be preferred over using Ad-Hoc commands due to the ability to control usage with RBAC. This is helpful in showing the scalable of execution of an existing shell script. It is always recommended to convert shell scripts to playbooks over time. Example usage would be getting the public key used in the environment with the command `cat .ssh/authorized_keys`.

2
linux/compliance-enforce.yml
View File

@@ -12,5 +12,5 @@
- name: Run Compliance Profile
ansible.builtin.include_role:
name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}"
name: "redhatofficial.rhel{{ ansible_distribution_major_version }}_{{ compliance_profile }}"
...

2
linux/patching.yml
View File

@@ -3,7 +3,7 @@
hosts: "{{ _hosts | default(omit) }}"
become: true
vars:
report_server: reports
report_server: node1
tasks:
# Install yum-utils if it's not there

5
linux/setup.yml
View File

@@ -377,9 +377,6 @@ controller_templates:
# used by the CJIS profile role
service_firewalld_enabled: false
firewalld_sshd_port_enabled: false
# used by the PCI-DSS profile role
firewalld_loopback_traffic_restricted: false
firewalld_loopback_traffic_trusted: false
survey_enabled: true
survey:
name: ''
@@ -399,7 +396,7 @@ controller_templates:
- cui
- hipaa
- ospp
- pci-dss
- pci_dss
- stig
- name: "LINUX / Multi-profile Compliance Report"

2
network/report.yml
View File

@@ -35,7 +35,7 @@
hosts: "{{ report_server }}"
become: true
vars:
report_server: reports
report_server: node1
web_path: /var/www/html/reports/
tasks:

8
openshift/eda/install.yml
View File

@@ -1,8 +0,0 @@
---
- name: Deploy EDA Controller attached to the same AAP
hosts: localhost
gather_facts: false
tasks:
- name: Include role
ansible.builtin.include_role:
name: demo.openshift.eda_controller

8
openshift/inventory.kubevirt.yml
View File

@@ -5,19 +5,19 @@ connections:
- namespaces:
- openshift-cnv
compose:
ansible_user: "'cloud-user' if 'rhel' in vmi_annotations['vm.kubevirt.io/os']"
vmi_annotations: "vmi_annotations | ansible.utils.replace_keys(target=[
ansible_user: "'cloud-user' if 'rhel' in annotations['vm.kubevirt.io/os']"
annotations: "annotations | ansible.utils.replace_keys(target=[
{'before':'vm.kubevirt.io/os', 'after':'os'},
{'before':'vm.kubevirt.io/flavor', 'after':'flavor'},
{'before':'vm.kubevirt.io/workload', 'after':'workload'},
{'before':'kubevirt.io/vm-generation', 'after':'vm-generation'},
{'before':'kubevirt.io/latest-observed-api-version', 'after':'latest-observed-api-version'},
{'before':'kubevirt.io/storage-observed-api-version', 'after':'storage-observed-api-version' }] )"
labels: "vmi_labels | ansible.utils.replace_keys(target=[
labels: "labels | ansible.utils.replace_keys(target=[
{'before':'kubevirt.io/nodeName', 'after':'nodeName'},
{'before':'kubevirt.io/size', 'after':'size'},
{'before':'kubevirt.io/domain', 'after':'domain' }] )"
keyed_groups:
- key: vmi_annotations.os
- key: annotations.os
prefix: "cnv"
separator: "_"

53
openshift/setup.yml
View File

@@ -7,6 +7,29 @@ controller_components:
- job_templates
- workflow_job_templates
controller_credential_types:
# Ideally, we would not need to use this and could just re-use the OCP credential for the inventory plugin
- name: OCPV inventory credential
kind: cloud
inputs:
fields:
- id: host
type: string
label: OpenShift or Kubernetes API Endpoint
secret: false
- id: bearer_token
type: string
label: API authentication bearer token
secret: true
- id: verify_ssl
type: boolean
label: Verify SSL
injectors:
env:
K8S_AUTH_HOST: "{% raw %}{ { host }}{% endraw %}"
K8S_AUTH_API_KEY: "{% raw %}{ { bearer_token }}{% endraw %}"
K8S_AUTH_VERIFY_SSL: "{% raw %}{ { verify_ssl }}{% endraw %}"
controller_credentials:
- name: OpenShift Credential
organization: Default
@@ -17,30 +40,26 @@ controller_credentials:
bearer_token: CHANGEME
verify_ssl: false
- name: OCP-V Inventory Credential
organization: Default
credential_type: OCPV inventory credential
state: exists
inputs:
host: CHANGEME
bearer_token: CHANGEME
verify_ssl: false
controller_inventory_sources:
- name: OpenShift CNV Inventory
inventory: Demo Inventory
source: scm
source_project: Ansible official demo project
source_path: openshift/inventory.kubevirt.yml
credential: OpenShift Credential
update_on_launch: false
credential: OCP-V Inventory Credential
update_on_launch: true
controller_templates:
- name: OpenShift / EDA / Install Controller
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
playbook: "openshift/eda/install.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
credentials:
- "OpenShift Credential"
- "Controller Credential"
- name: OpenShift / CNV / Install Operator
- name: OpenShift / CNV / Install
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
@@ -106,7 +125,7 @@ controller_templates:
notification_templates_error: Telemetry
survey_enabled: true
extra_vars:
instance_state: absent
state: absent
survey:
name: ''
description: ''

80
roles/requirements.yml
View File

@@ -1,46 +1,46 @@
---
roles:
# RHEL 7 compliance roles from ComplianceAsCode
- name: redhatofficial.rhel7-cis
version: 0.1.72
- name: redhatofficial.rhel7-cjis
version: 0.1.72
- name: redhatofficial.rhel7-cui
version: 0.1.72
- name: redhatofficial.rhel7-hipaa
version: 0.1.72
- name: redhatofficial.rhel7-ospp
version: 0.1.72
- name: redhatofficial.rhel7-pci-dss
version: 0.1.72
- name: redhatofficial.rhel7-stig
version: 0.1.72
- name: redhatofficial.rhel7_cis
version: 0.1.69
- name: redhatofficial.rhel7_cjis
version: 0.1.69
- name: redhatofficial.rhel7_cui
version: 0.1.67
- name: redhatofficial.rhel7_hipaa
version: 0.1.69
- name: redhatofficial.rhel7_ospp
version: 0.1.69
- name: redhatofficial.rhel7_pci_dss
version: 0.1.69
- name: redhatofficial.rhel7_stig
version: 0.1.69
# RHEL 8 compliance roles from ComplianceAsCode
- name: redhatofficial.rhel8-cis
version: 0.1.72
- name: redhatofficial.rhel8-cjis
version: 0.1.72
- name: redhatofficial.rhel8-cui
version: 0.1.72
- name: redhatofficial.rhel8-hipaa
version: 0.1.72
- name: redhatofficial.rhel8-ospp
version: 0.1.72
- name: redhatofficial.rhel8-pci-dss
version: 0.1.72
- name: redhatofficial.rhel8-stig
version: 0.1.72
- name: redhatofficial.rhel8_cis
version: 0.1.69
- name: redhatofficial.rhel8_cjis
version: 0.1.69
- name: redhatofficial.rhel8_cui
version: 0.1.69
- name: redhatofficial.rhel8_hipaa
version: 0.1.69
- name: redhatofficial.rhel8_ospp
version: 0.1.69
- name: redhatofficial.rhel8_pci_dss
version: 0.1.69
- name: redhatofficial.rhel8_stig
version: 0.1.69
# RHEL 9 compliance roles from ComplianceAsCode
- name: redhatofficial.rhel9-cis
version: 0.1.72
- name: redhatofficial.rhel9-cui
version: 0.1.72
- name: redhatofficial.rhel9-hipaa
version: 0.1.72
- name: redhatofficial.rhel9-ospp
version: 0.1.72
- name: redhatofficial.rhel9-pci-dss
version: 0.1.72
- name: redhatofficial.rhel9-stig
version: 0.1.72
- name: redhatofficial.rhel9_cis
version: 0.1.68
- name: redhatofficial.rhel9_cui
version: 0.1.64
- name: redhatofficial.rhel9_hipaa
version: 0.1.68
- name: redhatofficial.rhel9_ospp
version: 0.1.68
- name: redhatofficial.rhel9_pci_dss
version: 0.1.68
- name: redhatofficial.rhel9_stig
version: 0.1.64
...

74
setup_demo.yml
View File

@@ -1,33 +1,63 @@
---
- name: Setup common prerequisites
hosts: localhost
gather_facts: false
# vars_files should be scoped to a play so variables defined in the
# files should not be available in subsequent plays, so certain
# resources won't be retried
vars_files:
- common/setup.yml
tasks:
- name: Create reusable deployment ID
ansible.builtin.set_fact:
_deployment_id: '{{ lookup("ansible.builtin.password", "{{ playbook_dir }}/.deployment_id", chars=["ascii_lowercase", "digits"], length=5) }}'
- name: Create common demo resources
ansible.builtin.include_role:
name: infra.controller_configuration.dispatch
- name: Setup demo
hosts: localhost
gather_facts: false
tasks:
- name: Include configuration for {{ demo }}
- name: Default Components
ansible.builtin.include_role:
name: infra.controller_configuration.dispatch
vars: # noqa var-naming[no-role-prefix]
controller_execution_environments:
- name: product-demos
image: quay.io/acme_corp/product-demos-ee:latest
controller_organizations:
- name: Default
default_environment: product-demos
controller_notifications:
- name: Telemetry
organization: Default
notification_type: webhook
notification_configuration:
url: https://script.google.com/macros/s/AKfycbzxUObvCJ6ZbzfJyicw4RvxlGE3AZdrK4AR5-TsedCYd7O-rtTOVjvsRvqyb3rx6B0g8g/exec
http_method: POST
headers: {}
controller_templates:
- name: "SUBMIT FEEDBACK"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
playbook: "feedback.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Name/Email/Contact
type: text
variable: email
required: true
- question_name: Issue or Feedback
type: textarea
variable: feedback
required: true
controller_settings:
- name: "SESSION_COOKIE_AGE"
value: 180000
- name: Create reusable deployment ID
ansible.builtin.set_fact:
_deployment_id: '{{ lookup("ansible.builtin.password", "{{ playbook_dir }}/.deployment_id", chars=["ascii_lowercase", "digits"], length=5) }}'
- name: "Include configuration for {{ demo }}"
ansible.builtin.include_vars: "{{ demo }}/setup.yml"
- name: Demo Components
ansible.builtin.include_role:
name: infra.controller_configuration.dispatch
name: "infra.controller_configuration.dispatch"
- name: Log Demo
ansible.builtin.uri:
@@ -40,5 +70,3 @@
ansible.builtin.debug:
msg: "{{ user_message }}"
when: user_message is defined
...

2
windows/patching.yml
View File

@@ -2,7 +2,7 @@
- name: Windows updates
hosts: "{{ _hosts | default('os_windows') }}"
vars:
report_server: aws_win1
report_server: win1
tasks:
- name: Patch windows server

146
windows/setup.yml
View File

@@ -7,20 +7,6 @@ controller_projects:
organization: Default
scm_type: git
scm_url: 'https://github.com/ansible/awx-facts-playbooks.git'
- name: ansible-windows-0-day-bsod-recovery-fix
organization: Default
scm_type: git
scm_url: https://github.com/oatakan/ansible-windows-0-day-bsod-recovery.git
scm_branch: main
- name: aap-openshift-inventory-source
organization: Default
scm_type: git
scm_url: https://github.com/oatakan/ansible-openshift-virtualization-inventory-source.git
scm_branch: main
controller_execution_environments:
- name: ansible-base-ee-dev
image: quay.io/oatakan/ansible-base-ee-dev:latest
controller_templates:
- name: "WINDOWS / Install IIS"
@@ -320,135 +306,3 @@ controller_templates:
type: text
variable: HOSTS
required: false
- name: WINDOWS / BSOD / Provision Infrastructure
description: Provisions the required infrastructure
organization: Default
project: ansible-windows-0-day-bsod-recovery-fix
playbook: provision_infra_multi.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
extra_vars:
provider: kubevirt
scenario: winpe
infra_template_name: windows-2022-standard
execution_environment: ansible-base-ee-dev
ask_credential_on_launch: true
ask_variables_on_launch: true
- name: WINDOWS / BSOD / Remove Infrastructure
description: Removes the provisioned systems
organization: Default
project: ansible-windows-0-day-bsod-recovery-fix
playbook: remove_infra_multi.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
extra_vars:
provider: kubevirt
scenario: winpe
execution_environment: ansible-base-ee-dev
ask_credential_on_launch: true
ask_inventory_on_launch: true
ask_limit_on_launch: true
ask_variables_on_launch: true
- name: WINDOWS / BSOD / Generate WinPE
description: Generates WinPE image on the provisioned Windows system
organization: Default
project: ansible-windows-0-day-bsod-recovery-fix
playbook: generate_winpe.yml
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
extra_vars:
create_winpe_destination_file_location: iso_upload
create_winpe_enable_autostart: true
create_winpe_enable_powershell_modules: false
create_winpe_enable_script_debug: false
create_winpe_load_drivers: false
execution_environment: ansible-base-ee-dev
ask_credential_on_launch: true
ask_inventory_on_launch: true
ask_limit_on_launch: true
ask_variables_on_launch: true
- name: WINDOWS / BSOD / Upload WinPE ISO
description: Uploads the generated WinPE ISO to VMware/OpenShift Virtualization
organization: Default
project: ansible-windows-0-day-bsod-recovery-fix
playbook: upload_winpe_iso.yml
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
extra_vars:
provider: vmware
execution_environment: ansible-base-ee-dev
ask_credential_on_launch: true
ask_inventory_on_launch: true
ask_limit_on_launch: true
ask_variables_on_launch: true
controller_workflows:
- name: WINDOWS / BSOD / Generate WinPE Image Scenario
description: >
This workflow provisions a Windows system, generates a WinPE image,
uploads it to OpenShift Virtualization, and then removes the provisioned VM.
It demonstrates the process of creating and deploying a WinPE image
in an OpenShift Virtualization Environment.
organization: Default
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
extra_vars:
infra_template_name: windows-2022-standard
simplified_workflow_nodes:
- identifier: Provision Infrastructure
unified_job_template: WINDOWS / BSOD / Provision Infrastructure
credentials:
- OpenShift Credential
- Demo Credential
extra_data:
provider: kubevirt
scenario: winpe
infra_template_name: windows-2022-standard
success_nodes:
- Generate WinPE
- identifier: Generate WinPE
unified_job_template: WINDOWS / BSOD / Generate WinPE
inventory: Demo Inventory
credentials:
- OpenShift Credential
- Demo Credential
limit: label_app_name_winpe
extra_data:
create_winpe_destination_file_location: iso_upload
create_winpe_enable_autostart: true
create_winpe_enable_powershell_modules: false
create_winpe_enable_script_debug: false
create_winpe_load_drivers: true
success_nodes:
- Upload WinPE ISO
- identifier: Upload WinPE ISO
unified_job_template: WINDOWS / BSOD / Upload WinPE ISO
inventory: Demo Inventory
credentials:
- OpenShift Credential
- Demo Credential
limit: label_app_name_winpe
extra_data:
provider: kubevirt
success_nodes:
- Remove Infrastructure
- identifier: Remove Infrastructure
unified_job_template: WINDOWS / BSOD / Remove Infrastructure
inventory: Demo Inventory
credentials:
- OpenShift Credential
- Demo Credential
limit: label_app_name_winpe
extra_data:
provider: kubevirt