-
Notifications
You must be signed in to change notification settings - Fork 34
151 lines (134 loc) · 5.57 KB
/
devel_pipeline_validation_gpo.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
---
# This is a basic workflow to help you get started with Actions
name: GPO Devel Pipeline Validation
# Controls when the action will run.
# Triggers the workflow on push or pull request
# events but only for the devel branch
on: # yamllint disable-line rule:truthy
pull_request_target:
types: [opened, reopened, synchronize]
branches:
- devel
paths:
- '**.yml'
- '**.sh'
- '**.j2'
- '**.ps1'
- '**.cfg'
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
# This section contains all the jobs below that are running in the workflow.
jobs:
# This will create messages for the first time contributors and direct them to the Discord server
welcome:
# The type of runner that the job will run on.
runs-on: ubuntu-latest
steps:
- uses: actions/first-interaction@main
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
build-azure-windows-gpo:
# Use the AWS self-hosted runner
runs-on: self-hosted
env:
# Imported as a variable by OpenTofu.
ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
GPO_OSVAR: ${{ vars.GPO_OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
TF_VAR_repository: ${{ github.event.repository.name }}
ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
defaults:
run:
shell: bash
working-directory: .github/workflows/github_windows_IaC
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: If a variable for IAC_BRANCH is set use that branch
working-directory: .github/workflows
run: |
if [ ${{ vars.IAC_BRANCH }} != '' ]; then
echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
else
echo IAC_BRANCH=main >> $GITHUB_ENV
fi
# Pull In OpenTofu Code For Windows Azure
- name: Clone IaC Repository
uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_windows_IaC
path: .github/workflows/github_windows_IaC
ref: ${{ env.IAC_BRANCH }}
# Sensitive Data Stored And Passed To OpenTofu
# Default Working Dir Defined In Defaults Above.
- name: Save Sensitive Info
run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json
# Show the Os Var and Benchmark Type And Load
- name: DEBUG - Show IaC files
if: env.ENABLE_DEBUG == 'true'
run: |
echo "GPO_OSVAR = $GPO_OSVAR"
echo "benchmark_type = $benchmark_type"
pwd
ls
env:
# Imported from github variables this is used to load the relevant OS.tfvars file
GPO_OSVAR: ${{ vars.GPO_OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
# Initialize The OpenTofu Working Directory
- name: Tofu init
id: init
run: tofu init
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
GPO_OSVAR: ${{ vars.GPO_OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
# Validate The Syntax Of OpenTofu Files
- name: Tofu validate
id: validate
run: tofu validate
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
GPO_OSVAR: ${{ vars.GPO_OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
# Execute The Actions And Build Azure Server
- name: Tofo Apply
id: apply
env:
# Imported from github variables this is used to load the relevant OS.tfvars file
WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: tofu apply -var-file "${GPO_OSVAR}.tfvars" --auto-approve -input=false
# Debug Section
- name: DEBUG - Show Ansible Hostfile
if: env.ENABLE_DEBUG == 'true'
run: cat hosts.yml
# Run the Ansible Playbook
- name: Run_Ansible_Playbook
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
run: |
/opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml ../../../site.yml
# Destroy The Azure Test System
- name: Tofu Destroy
if: always() && env.ENABLE_DEBUG == 'false'
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
GPO_OSVAR: ${{ vars.GPO_OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: tofu destroy -var-file "${GPO_OSVAR}.tfvars" --auto-approve