ansible-lockdown
diff --git a/‎.ansible-lint
+1 b/‎.ansible-lint
+1
diff --git a/‎.config/.gitleaks-report.json
-1 b/‎.config/.gitleaks-report.json
-1
diff --git a/‎.config/.secrets.baseline
-119 b/‎.config/.secrets.baseline
-119
diff --git a/‎.github/workflows/devel_pipeline_validation.yml
+54-34 b/‎.github/workflows/devel_pipeline_validation.yml
+54-34
@@ -11,6 +11,7 @@ skip_list:
     - 'name[casing]'
     - 'name[template]'
     - 'key-order[task]'
+    - 'yaml[line-length]'
     - '204'
     - '305'
     - '303'
 
@@ -13,13 +13,21 @@
             - '**.j2'
             - '**.ps1'
             - '**.cfg'
+    # Allow manual running of workflow
+    workflow_dispatch:
+
+  # Allow permissions for AWS auth
+  permissions:
+    id-token: write
+    contents: read
+    pull-requests: read
 
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
     # This will create messages for first time contributers and direct them to the Discord server
       welcome:
-        runs-on: ubuntu-latest
+        runs-on: self-hosted
 
         steps:
             - uses: actions/first-interaction@main
@@ -32,76 +40,94 @@
       # This workflow contains a single job that tests the playbook
       playbook-test:
         # The type of runner that the job will run on
-        runs-on: ubuntu-latest
+        runs-on: self-hosted
         env:
           ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
           # Imported as a variable by terraform
           TF_VAR_repository: ${{ github.event.repository.name }}
+          AWS_REGION: "us-east-1"
+          ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
         defaults:
           run:
             shell: bash
             working-directory: .github/workflows/github_linux_IaC
+            # working-directory: .github/workflows
 
         steps:
-          - name: Clone ${{ github.event.repository.name }}
+
+          - name: Git clone the lockdown repository to test
             uses: actions/checkout@v4
             with:
               ref: ${{ github.event.pull_request.head.sha }}
 
+          - name: If a variable for IAC_BRANCH is set use that branch
+            working-directory: .github/workflows
+            run: |
+              if [ ${{ vars.IAC_BRANCH }} != '' ]; then
+                 echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
+                 echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
+              else
+                 echo IAC_BRANCH=main >> $GITHUB_ENV
+              fi
+
+
           # Pull in terraform code for linux servers
           - name: Clone GitHub IaC plan
             uses: actions/checkout@v4
             with:
               repository: ansible-lockdown/github_linux_IaC
               path: .github/workflows/github_linux_IaC
+              ref: ${{ env.IAC_BRANCH }}
 
-          - name: Add_ssh_key
-            working-directory: .github/workflows
-            env:
-                SSH_AUTH_SOCK: /tmp/ssh_agent.sock
-                PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
-            run: |
-              mkdir .ssh
-              chmod 700 .ssh
-              echo $PRIVATE_KEY > .ssh/github_actions.pem
-              chmod 600 .ssh/github_actions.pem
+          # Uses dedicated restricted role and policy to enable this only for this task
+          # No credentials are part of github for AWS auth
+          - name: configure aws credentials
+            uses: aws-actions/configure-aws-credentials@main
+            with:
+              role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+              role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
+              aws-region: ${{ env.AWS_REGION }}
 
           - name: DEBUG - Show IaC files
             if: env.ENABLE_DEBUG == 'true'
             run: |
               echo "OSVAR = $OSVAR"
               echo "benchmark_type = $benchmark_type"
+              echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID"
+              echo "VPC_ID" = $AWS_VPC_SECGRP_ID"
               pwd
               ls
             env:
               # Imported from GitHub variables this is used to load the relevant OS.tfvars file
               OSVAR: ${{ vars.OSVAR }}
               benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+              PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }}
 
-          - name: Terraform_Init
+          - name: Tofu init
             id: init
-            run: terraform init
+            run: tofu init
             env:
               # Imported from GitHub variables this is used to load the relevant OS.tfvars file
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
-          - name: Terraform_Validate
+          - name: Tofu validate
             id: validate
-            run: terraform validate
+            run: tofu validate
             env:
               # Imported from GitHub variables this is used to load the relevant OS.tfvars file
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
-          - name: Terraform_Apply
+          - name: Tofu apply
             id: apply
             env:
-              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-            run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+              TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+            run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
 
 ## Debug Section
           - name: DEBUG - Show Ansible hostfile
@@ -110,30 +136,24 @@
 
     # Aws deployments taking a while to come up insert sleep or playbook fails
 
-          - name: Sleep for 60 seconds
+          - name: Sleep to allow system to come up
             run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
         # Run the Ansible playbook
           - name: Run_Ansible_Playbook
-            uses: arillso/action.playbook@master
-            with:
-              playbook: site.yml
-              inventory: .github/workflows/github_linux_IaC/hosts.yml
-              galaxy_file: collections/requirements.yml
-              private_key: ${{ secrets.SSH_PRV_KEY }}
-      #          verbose: 3
             env:
               ANSIBLE_HOST_KEY_CHECKING: "false"
               ANSIBLE_DEPRECATION_WARNINGS: "false"
-              ANSIBLE_INJECT_FACT_VARS: "false"
+            run: |
+              /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
 
         # Remove test system - User secrets to keep if necessary
 
-          - name: Terraform_Destroy
+          - name: Tofu Destroy
             if: always() && env.ENABLE_DEBUG == 'false'
             env:
-              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-            run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+              TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+            run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false