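---
# Test Kitchen configuration: builds a RHEL 8 EC2 instance, prepares it with a
# pre_converge shell hook, then runs the DISA Ansible hardening playbook.
# Values in <%= ... %> are ERB, rendered from the environment before YAML parsing.
platforms:
  - name: rhel-8
    driver:
      name: ec2
      # Network placement comes from the pipeline environment; if either variable
      # is unset the key renders empty and parses as null rather than failing early.
      subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %>
      security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %>
      metadata_options:
        # IMDSv2 only: session tokens required, hop limit 1 keeps the metadata
        # service unreachable from containers/forwarded traffic on the instance.
        http_tokens: required
        http_put_response_hop_limit: 1
        instance_metadata_tags: enabled
      instance_type: t2.small
      # The instance gets a public address and is reached over it; inbound
      # exposure is governed entirely by the security group supplied above.
      associate_public_ip: true
      interface: public
      skip_cost_warning: true
      privileged: true
      # Ensures a shutdown from inside the guest terminates (not stops) the instance.
      instance_initiated_shutdown_behavior: terminate

provisioner:
  name: ansible_playbook
  hosts: all
  require_chef_for_busser: false
  require_ruby_for_busser: false
  # Ansible is pip-installed into /usr/local/bin by the pre_converge hook below.
  ansible_binary_path: /usr/local/bin
  # require_pip3: true
  ansible_verbose: true
  roles_path: spec/ansible/disa/roles
  # NOTE(review): disables TLS certificate verification for Galaxy downloads.
  # Only needed behind an intercepting proxy; otherwise a role fetched this way
  # has no transport integrity guarantee — confirm it is still required.
  galaxy_ignore_certs: true
  #requirements_path: spec/ansible/disa/roles/requirements.yml
  ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>

suites:
  - name: disa-hardened
    provisioner:
      playbook: spec/ansible/disa/site.yml
    driver:
      tags:
        Name: Hardened-<%= ENV['USER'] %>
        CreatedBy: test-kitchen

# Runs on the instance over SSH before the playbook; prepares tooling and keeps
# the ec2-user account usable once the hardening playbook applies password-aging
# and sudoers controls.
lifecycle:
  pre_converge:
    - remote: |
        # echo "+++ Refreshing DNF package cache +++"
        # sudo dnf -y clean all
        echo ""
        echo "+++ Updating DNF Packages +++"
        # NOTE(review): --nogpgcheck turns off RPM signature verification for
        # this update and the install below, so packages are installed without
        # an integrity check. Confirm whether the AMI's repos really lack
        # imported keys; if they do not, drop the flag.
        sudo dnf -y update --nogpgcheck --nobest
        echo ""
        # bash's builtin echo does not expand \n without -e, so these banners
        # print a literal "\n\n"; cosmetic only.
        echo "+++ Installing needed packages for workflow and utility +++\n\n"
        sudo dnf -y install --nogpgcheck bc bind-utils redhat-lsb-core vim git wget gcc openssl-devel libffi-devel bzip2-devel
        echo ""
        echo "+++ Installing Python 3.9 and Ansible +++\n\n"
        export PATH=/usr/local/bin:$PATH
        sudo dnf -y install python3.9
        sudo dnf -y install python3-pip
        sudo update-alternatives --set python3 /usr/bin/python3.9
        # NOTE(review): unpinned install from PyPI as root; pinning versions
        # (or a hash-checked requirements file) would make this run reproducible.
        sudo python3 -m pip install ansible jmespath
        echo ""
        echo "+++ Updating the ec2-user to keep sudo working after hardening phase +++\n\n"
        # Sets the last-password-change date to today (days since epoch) so the
        # password-aging rules applied by the playbook do not expire ec2-user.
        sudo chage -d $(( $( date +%s ) / 86400 )) ec2-user
        echo ""
        echo "+++ updating ec2-user sudo config for hardening phase +++\n\n"
        # NOTE(review): edits /etc/sudoers in place with sed and no visudo -c
        # check; a malformed result would lock out sudo for the whole run.
        sudo chmod 600 /etc/sudoers && sudo sed -i'' "/ec2-user/d" /etc/sudoers && sudo chmod 400 /etc/sudoers

#https://github.com/neillturner/kitchen-ansible/issues/295
transport:
  name: ssh
  max_ssh_sessions: 2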