From 53eff6e15c84691f13c19ad3c37ed05f555bf5ad Mon Sep 17 00:00:00 2001
From: arnol377
Date: Tue, 10 Sep 2024 14:56:44 -0400
Subject: [PATCH] I think evertyhign works ;)
---
 .gitignore | 2 ++
 .secrets/.terraform.lock.hcl | 24 ++++++++++++++++++
 .terraform.lock.hcl | 32 ++++++++++++------------
 ansible_parameters.tf | 27 ++++++---------------
 docker.tf | 22 +++++++++++++----
 github-runner.tf | 47 ++++++++++++++++++++++++++++++++++++
 main.tf | 14 +++-------
 windows.tf | 44 ++++++++++++++++++++++++++------
 8 files changed, 152 insertions(+), 60 deletions(-)
 create mode 100644 .secrets/.terraform.lock.hcl
 create mode 100644 github-runner.tf
diff --git a/.gitignore b/.gitignore
index d3e557e..801e4a2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,3 +36,5 @@ override.tf.json
 .terraformrc
 terraform.rc
 ghe-runner
+**/terraform.tfstate
+**/terraform.tfvars
diff --git a/.secrets/.terraform.lock.hcl b/.secrets/.terraform.lock.hcl
new file mode 100644
index 0000000..c154c76
--- /dev/null
+++ b/.secrets/.terraform.lock.hcl
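Review bot: `**/terraform.tfstate` does not match the `terraform.tfstate.backup` file Terraform writes beside the state, and neither new pattern untracks a state or tfvars file that is already committed, so the two lines only stop future adds. Consider `**/terraform.tfstate*` and `*.tfvars` (which also catches `*.auto.tfvars`) and check `git ls-files` for already-tracked copies, in particular under the `.secrets/` directory whose lock file this commit adds, which suggests a separate Terraform configuration lives there. Lines earlier in `.gitignore` may already cover some of this; only the hunk's three context lines are visible here.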
@@ -0,0 +1,24 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "5.65.0"
+ hashes = [
+ "h1:LTqvpg2APqTRPmQIkOAFwn7Q8rXTXazDXIBaYSfLIm4=",
+ "zh:036f8557c8c9b58656e1ec08ed5702e44bd338fda17dc4b2add40b234102e29a",
+ "zh:0ba0708ece98735540070899a916b7a90c5c887be31ffd693ee1359e40245978",
+ "zh:12d82a82ae0e3bc580f2be961078e89d129e12df7dd82a6ec610a2b945bba1a4",
+ "zh:1ed0ee17df8807aef64976e2a4276d2a3e1d54efeae2a86f596d12eccb94dc83",
+ "zh:36b7c61a83d24f612156b4648027ba8bd5727f0ed57183cbad0e6c93b7503aa2",
+ "zh:496d06a089b1bc8d60995e8dddfe1d87c605a208f377a60b17987e89381dafda",
+ "zh:4e9aba435994589befe4279927c71a461a52e6cd96b8f0437295c18c50f6baff",
+ "zh:71134031288a312db1804d4798b10f106a843c36aafd7b8fe8f4859156d7df93",
+ "zh:748d0dbdfbe8df4b516a09b23b3981c19cef9a255c1ca0187e84ab424e6bd845",
+ "zh:783541ff77f4e7c74c817e0e2989ebdb45dd6e2c9853a8cccbcf5f1976736a76",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:af3f080975d5ed79917b8238cc0ae3150da688bc89e12dcc3ee85134b29857d0",
+ "zh:ec542372c3ffbfc3df6966f77357f8af7319d4bd956ff8e9fde0bbd124352e34",
+ "zh:f3dc7b2b5b55173207c2fd35ed6bb8cc66b06af777e221060ca2f0c0afdecbb5",
+ "zh:f9631ecc21d6e5cf82ef6ef8d14c39e1dfb2a52cc8f0abb684311885ffdb79a1",
+ ]
+}
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index d76d788..29a091e 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -2,25 +2,25 @@
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/aws" {
- version = "5.65.0"
+ version = "5.66.0"
 constraints = ">= 4.20.1"
 hashes = [
- "h1:LTqvpg2APqTRPmQIkOAFwn7Q8rXTXazDXIBaYSfLIm4=",
- "zh:036f8557c8c9b58656e1ec08ed5702e44bd338fda17dc4b2add40b234102e29a",
- "zh:0ba0708ece98735540070899a916b7a90c5c887be31ffd693ee1359e40245978",
- "zh:12d82a82ae0e3bc580f2be961078e89d129e12df7dd82a6ec610a2b945bba1a4",
- "zh:1ed0ee17df8807aef64976e2a4276d2a3e1d54efeae2a86f596d12eccb94dc83",
- "zh:36b7c61a83d24f612156b4648027ba8bd5727f0ed57183cbad0e6c93b7503aa2",
- "zh:496d06a089b1bc8d60995e8dddfe1d87c605a208f377a60b17987e89381dafda",
- "zh:4e9aba435994589befe4279927c71a461a52e6cd96b8f0437295c18c50f6baff",
- "zh:71134031288a312db1804d4798b10f106a843c36aafd7b8fe8f4859156d7df93",
- "zh:748d0dbdfbe8df4b516a09b23b3981c19cef9a255c1ca0187e84ab424e6bd845",
- "zh:783541ff77f4e7c74c817e0e2989ebdb45dd6e2c9853a8cccbcf5f1976736a76",
+ "h1:RHs4rOiKrKJqr8UhVW7yqfoMVwaofQ+9ChP41rAzc1A=",
+ "zh:071c908eb18627f4becdaf0a9fe95d7a61f69be365080aba2ef5e24f6314392b",
+ "zh:3dea2a474c6ad4be5b508de4e90064ec485e3fbcebb264cb6c4dec660e3ea8b5",
+ "zh:56c0b81e3bbf4e9ccb2efb984f8758e2bc563ce179ff3aecc1145df268b046d1",
+ "zh:5f34b75a9ef69cad8c79115ecc0697427d7f673143b81a28c3cf8d5decfd7f93",
+ "zh:65632bc2c408775ee44cb32a72e7c48376001a9a7b3adbc2c9b4d088a7d58650",
+ "zh:6d0550459941dfb39582fadd20bfad8816255a827bfaafb932d51d66030fcdd5",
+ "zh:7f1811ef179e507fdcc9776eb8dc3d650339f8b84dd084642cf7314c5ca26745",
+ "zh:8a793d816d7ef57e71758fe95bf830cfca70d121df70778b65cc11065ad004fd",
+ "zh:8c7cda08adba01b5ae8cc4e5fbf16761451f0fab01327e5f44fc47b7248ba653",
+ "zh:96d855f1771342771855c0fb2d47ff6a731e8f2fa5d242b18037c751fd63e6c3",
 "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
- "zh:af3f080975d5ed79917b8238cc0ae3150da688bc89e12dcc3ee85134b29857d0",
- "zh:ec542372c3ffbfc3df6966f77357f8af7319d4bd956ff8e9fde0bbd124352e34",
- "zh:f3dc7b2b5b55173207c2fd35ed6bb8cc66b06af777e221060ca2f0c0afdecbb5",
- "zh:f9631ecc21d6e5cf82ef6ef8d14c39e1dfb2a52cc8f0abb684311885ffdb79a1",
+ "zh:b2a62669b72c2471820410b58d764102b11c24e326831ddcfae85c7d20795acf",
+ "zh:b4a6b251ac24c8f5522581f8d55238d249d0008d36f64475beefc3791f229e1d",
+ "zh:ca519fa7ee1cac30439c7e2d311a0ecea6a5dae2d175fe8440f30133688b6272",
+ "zh:fbcd54e7d65806b0038fc8a0fbdc717e1284298ff66e22aac39dcc5a22cc99e5",
 ]
 }
diff --git a/ansible_parameters.tf b/ansible_parameters.tf
index 53d790c..8e89b5e 100644
--- a/ansible_parameters.tf
+++ b/ansible_parameters.tf
@@ -8,36 +8,25 @@ locals {
 packer = {
 aap = {
 ami = {
- pipeline_workflow_url = ""
+ pipeline_workflow_url = "https://automationcontroller.compute.csp1.census.gov/api/v2/workflow_job_templates/7208/launch"
 }
 }
 atx = {
 host = {
- ansible_pswd = ""
- ansible_user = ""
- action = ""
- ipv4 = ""
- name = ""
- osver = ""
+ ansible_user = "winamipipelineapi"
+ action = "add_host"
+ osver = "win2022"
 }
 api = {
- usr_name = ""
- usr_pswd = ""
+ usr_name = "winamipipelineapi"
 }
- inventory = ""
+ inventory = "WIN-AMI-PIPELINE"
 }
 }
- ansible_secrets = {
- packer_atx_host_ansible_pswd = local.packer.atx.host.ansible_pswd
- packer_atx_api_usr_pswd = local.packer.atx.api.usr_pswd
- }
-
 ansible_parameters = {
 packer_aap_ami_pipeline_workflow_url = local.packer.aap.ami.pipeline_workflow_url
 packer_atx_api_usr_name = local.packer.atx.api.usr_name
- packer_atx_host_name = local.packer.atx.host.name
- packer_atx_host_ipv4 = local.packer.atx.host.ipv4
 packer_atx_host_osver = local.packer.atx.host.osver
 packer_atx_inventory = local.packer.atx.inventory
 packer_atx_host_action = local.packer.atx.host.action
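Review bot: With `ansible_secrets` and the `ansible_pswd`/`usr_pswd` entries gone, nothing sensitive may remain in `ansible_parameters`, because the second hunk of this file writes every entry of that map to an `aws_ssm_parameter` of `type = "StringList"`, which SSM stores without KMS encryption; the commit does not show where the two passwords now come from, so confirm they are provisioned separately as `SecureString` (or from Secrets Manager) and are not re-added to this map later. The values that replaced the empty placeholders (`ansible_user`, `action`, `osver`, `inventory`, the AAP workflow URL) are now hard-coded in `locals`, which ties the configuration to one environment; `variable` blocks with these as defaults would keep the file reusable and let `sensitive = true` mark the secret inputs explicitly. The `locals` block that holds `ansible_parameters` closes outside the hunk.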
@@ -48,8 +37,8 @@ locals {
 # Managed Parameters: Parameters not listed in var.nonmanaged_parameters are fully managed by Terraform.
 resource "aws_ssm_parameter" "managed_parameters" {
- for_each = tomap({ for k, v in local.ssm_parameters : k => v if !contains(var.nonmanaged_parameters, k) })
- name = "/image-pipeline/${var.project_name}/${each.key}"
+ for_each = tomap(local.ansible_parameters)
+ name = "/image-pipeline/windows-image-pipeline-demo/${each.key}"
 type = "StringList"
 value = each.value
 }
diff --git a/docker.tf b/docker.tf
index 4dd95a6..81b7df6 100644
--- a/docker.tf
+++ b/docker.tf
@@ -5,7 +5,7 @@ locals {
 ubuntu_images = [
 "22.04_edge", "23.10", "24.10", "22.04_stable"
 ]
- image_config = [
+ image_config = concat([
 for image in local.ubuntu_images : {
 enabled = true
 dest_path = null
@@ -15,7 +15,19 @@ locals {
 source_tag = image
 tag = image
 }
- ]
+ ],
+ [
+ {
+ enabled = true
+ dest_path = null
+ name = "python"
+ source_image = "ubuntu/python"
+ source_registry = "public.ecr.aws"
+ source_tag = "3.12-24.04_stable"
+ tag = "3.12-24.04_stable"
+ }
+
+ ])
 }
 module "ecr-clone" {
@@ -61,9 +73,9 @@ module "docker" {
 name = aws_s3_bucket.assets_bucket.bucket
 key = "image-pipeline-goss-testing.zip"
 }
- docker_test_enabled = true
- state = local.state_config
- vpc_config = local.vpc_config
+ docker_build = true
+ state = local.state_config
+ vpc_config = local.vpc_config
 image = {
 # source image metadata
 source_image = "ubuntu"
diff --git a/github-runner.tf b/github-runner.tf
new file mode 100644
index 0000000..7e15ded
--- /dev/null
+++ b/github-runner.tf
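Review bot: The new `for_each = tomap(local.ansible_parameters)` drops the `if !contains(var.nonmanaged_parameters, k)` filter, so any key listed in `var.nonmanaged_parameters` becomes fully managed and its current SSM value is overwritten on the next apply, while the comment two lines above the resource still describes the old filter. If the filter is meant to go, update the comment to `# Managed Parameters: every entry of local.ansible_parameters is fully managed by Terraform.` and retire the now-unused variable; otherwise keep `for_each = { for k, v in local.ansible_parameters : k => v if !contains(var.nonmanaged_parameters, k) }`. The `name` also replaces `${var.project_name}` with the literal `windows-image-pipeline-demo`, which duplicates the `project_name` given to `module "windows"` in windows.tf, so the two can drift apart silently; keeping the variable is preferable.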
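Review bot: The new `ubuntu/python` entry clones `public.ecr.aws/ubuntu/python:3.12-24.04_stable` by tag alone, and a `_stable` tag is re-pointed whenever upstream rebuilds, so two runs of the pipeline can copy different images with no record of which one was tested; if the `ecr-clone` module accepts a digest, pin the image by its `sha256:` digest, otherwise capture the digest at clone time in the build output so a produced image can be traced to its base. The same applies to the `ubuntu_images` tags above, but those are not new in this commit. The stray blank line before `])` can also go.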
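Review bot: `docker_test_enabled = true` is removed rather than renamed, while the `goss_bucket` block just above (`key = "image-pipeline-goss-testing.zip"`) stays, so if the module still has a `docker_test_enabled` input it now silently takes the module default and the goss tests may no longer run against the built image. If the module dropped that input in favour of `docker_build`, the commit message should say so; otherwise keep `docker_test_enabled = true` next to `docker_build = true`. The `module "docker"` block starts and ends outside the hunk.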
@@ -0,0 +1,47 @@
+module "github-runner" {
+ source = "HappyPathway/image-pipeline/aws"
+ project_name = "github-runner"
+ builder_image = "aws/codebuild/standard:7.0"
+ create_new_role = true
+ ssh_user = "ec2-user"
+ terraform_version = "1.8.5"
+ build_environment_variables = [
+ for proxy_var in keys(local.proxy_env_vars) :
+ {
+ name = proxy_var,
+ value = lookup(local.proxy_env_vars, proxy_var),
+ type = "PLAINTEXT"
+ }
+ ]
+ packer_source_type = "S3"
+ packer_config = "docker-ubuntu-base-python-install.pkr.hcl"
+ packer_bucket = {
+ name = aws_s3_bucket.assets_bucket.bucket
+ key = "docker-image-pipeline.zip"
+ }
+ ansible_source_type = "S3"
+ ansible_bucket = {
+ name = aws_s3_bucket.assets_bucket.bucket
+ key = "image-pipeline-ansible-playbooks.zip"
+ }
+ playbook = "github-runner.yaml"
+ goss_profile = "github-runner"
+ goss_source_type = "S3"
+ goss_bucket = {
+ name = aws_s3_bucket.assets_bucket.bucket
+ key = "image-pipeline-goss-testing.zip"
+ }
+ docker_build = true
+ state = local.state_config
+ vpc_config = local.vpc_config
+ image = {
+ # source image metadata
+ source_image = "ubuntu"
+ source_tag = "24.04"
+ source_docker_repo = "docker-image-pipeline"
+ # destination image metadata
+ dest_image = "github-runner"
+ dest_tag = "latest"
+ dest_docker_repo = "docker-image-pipeline"
+ }
+}
diff --git a/main.tf b/main.tf
index 3652db5..cdb6ed1 100644
--- a/main.tf
+++ b/main.tf
@@ -21,7 +21,9 @@ data "aws_iam_policy_document" "assets_bucket_policy_document" {
 identifiers = [
 module.amazon_linux.iam_arn,
 module.rhel.iam_arn,
- module.docker.iam_arn
+ module.docker.iam_arn,
+ module.windows.iam_arn,
+ module.github-runner.iam_arn
 ]
 }
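Review bot: `source = "HappyPathway/image-pipeline/aws"` carries no `version` constraint, so every `terraform init` resolves the newest registry release and a future module change (or a compromised publisher) reaches the new IAM role, the CodeBuild project and the produced image without a review step; add `version = "<pinned-module-version>"` (placeholder) and note that the existing `module "windows"` has the same gap. `dest_tag = "latest"` makes the runner image a moving target for whoever pulls it, so tagging with a build id alongside `latest` keeps deployments reproducible. `terraform_version`, `builder_image` and the proxy loop duplicate windows.tf almost verbatim; a shared local for those values would keep the pipelines in step.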
@@ -78,16 +80,6 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "state_bucket_encr
 }
 }
-data "aws_iam_policy_document" "s3_access" {
- statement {
- effect = "Allow"
- actions = ["s3:*"]
- resources = [
- aws_s3_bucket.state_bucket.arn,
- aws_s3_bucket.assets_bucket.arn
- ]
- }
-}
 resource "aws_security_group" "allow_amznlinux_cdn" {
 name = "allow_amznlinux_cdn"
diff --git a/windows.tf b/windows.tf
index 209af90..5dc1401 100644
--- a/windows.tf
+++ b/windows.tf
@@ -4,18 +4,24 @@ resource "random_password" "winrm" {
 special = true
 }
+locals {
+ winrm_credentials = {
+ username = "Administrator"
+ password = random_password.winrm.result
+ }
+}
+
+
+
 module "windows" {
 source = "HappyPathway/image-pipeline/aws"
 project_name = "windows-image-pipeline-demo"
 builder_image = "aws/codebuild/standard:7.0"
 create_new_role = true
- playbook = "windows-baseline.yaml"
+ playbook = "aap_register.yaml"
 terraform_version = "1.8.5"
- winrm_credentials = {
- username = "Administrator"
- password = random_password.winrm.result
- }
- userdata = "userdata/winrm.ps1"
+ winrm_credentials = local.winrm_credentials
+ userdata = "userdata/winrm.ps1"
 build_environment_variables = [
 for proxy_var in keys(local.proxy_env_vars) : {
 name = proxy_var
@@ -23,9 +29,21 @@ module "windows" {
 type = "PLAINTEXT"
 }
 ]
- packer_repo = data.aws_codecommit_repository.windows
- ansible_repo = data.aws_codecommit_repository.ansible
- goss_repo = data.aws_codecommit_repository.goss
+ packer_source_type = "S3"
+ packer_bucket = {
+ name = aws_s3_bucket.assets_bucket.bucket
+ key = "windows-image-pipeline.zip"
+ }
+ ansible_source_type = "S3"
+ ansible_bucket = {
+ name = aws_s3_bucket.assets_bucket.bucket
+ key = "image-pipeline-ansible-playbooks.zip"
+ }
+ goss_source_type = "S3"
+ goss_bucket = {
+ name = aws_s3_bucket.assets_bucket.bucket
+ key = "image-pipeline-goss-testing.zip"
+ }
 goss_profile = "windows-base-test"
 state = local.state_config
 vpc_config = local.vpc_config
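Review bot: The new `locals` block is followed by three added blank lines before `module "windows" {`, which `terraform fmt` will not collapse; one blank line is the convention in this file. Since `local.winrm_credentials` is now the single place the WinRM account is defined, a short comment on it would help, e.g. `# WinRM account Packer uses to reach the build instance; consumed by module "windows" and exported via output "winrm_credentials".` The `playbook` swap to `aap_register.yaml` is unexplained by the commit message, so a one-line note on why the baseline playbook is no longer run would save the next reader a git blame.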
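Review bot: The three new `*_bucket` inputs identify the Packer, Ansible and goss content by bucket and key only, so the build consumes whatever object currently sits at `windows-image-pipeline.zip` and the two other keys, and with the CodeCommit `data` sources gone there is no longer a commit id tying a built image to the sources that produced it. If the module accepts an object version id or checksum, pin it here; otherwise enable versioning on `assets_bucket` and have the build log the version ids it fetched so an image stays traceable to its inputs. The `module "windows"` block continues outside the hunk.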
@@ -35,3 +53,11 @@ module "windows" {
 }
 }
+output "winrm_credentials" {
+ sensitive = true
+ value = {
+ username = "Administrator"
+ password = random_password.winrm.result
+ }
+}
+
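Review bot: `sensitive = true` only redacts the value in plan and apply output; the `winrm_credentials` output, Administrator password included, is still written in clear text to the state file and is readable by anyone who can read that state, so the state bucket's access policy and the `state_bucket_encr…` SSE resource in main.tf are the real boundary — document that next to the output, or drop the output if nothing consumes it. The map also repeats the literal `"Administrator"` and `random_password.winrm.result` instead of the `local.winrm_credentials` this same commit introduces in windows.tf; `value = local.winrm_credentials` keeps the two from drifting. The trailing added `+` line leaves a blank line at end of file.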