⚠️ CONFLICT! Lineage pull request for: skeleton

.github/workflows/build.yml

@@ -306,9 +306,7 @@ jobs:
           sudo apt-get install apparmor-utils
           sudo aa-disable /usr/sbin/unix_chkpwd
         if: ${{ startsWith(matrix.platform, 'fedora') }}
-      - env:
-          THIRD_PARTY_BUCKET: ${{ secrets.THIRD_PARTY_BUCKET }}
-        name: Run molecule tests
+      - name: Run molecule tests
         run: >-
           molecule test
           --platform-name ${{ matrix.platform }}-${{ matrix.architecture }}

molecule/default/converge.yml

@@ -3,7 +3,10 @@
   hosts: all
   tasks:
     - name: Include ansible-role-nessus
-      ansible.builtin.include_role:
+      # We do prepend the name of the role to the role variables, but
+      # Molecule does its own role discovery with inconsistent naming.
+      # This is the reason for the noqa below.
+      ansible.builtin.include_role: # noqa var-naming[no-role-prefix]
         name: ansible-role-nessus
       vars:
-        nessus_package_bucket: "{{ lookup('env', 'THIRD_PARTY_BUCKET') }}"
+        nessus_package_bucket: "{{ lookup('aws_ssm', '/third_party_bucket_name') }}"

molecule/latest/converge.yml

@@ -9,5 +9,5 @@
       ansible.builtin.include_role: # noqa var-naming[no-role-prefix]
         name: ansible-role-nessus
       vars:
-        nessus_package_bucket: "{{ lookup('env', 'THIRD_PARTY_BUCKET') }}"
+        nessus_package_bucket: "{{ lookup('aws_ssm', '/third_party_bucket_name') }}"
         nessus_version: "10.8.3"

terraform/bucket_roles.tf

@@ -12,3 +12,12 @@ module "bucket_access" {
   s3_bucket   = var.nessus_bucket
   s3_objects  = [var.nessus_package_pattern]
 }
+
+# Attach third-party S3 bucket read-only policy to the role used by the test
+# user
+resource "aws_iam_role_policy_attachment" "thirdpartybucketread" {
+  provider = aws.images_provisionaccount
+
+  policy_arn = module.bucket_access.policy.arn
+  role       = module.user.role.name
+}

terraform/user.tf

@@ -1,24 +1,13 @@
-# Create the test user.  We do not require SSM Parameter Store access
-# for this role, so we can simply use cisagov/ci-iam-user-tf-module
-# instead of cisagov/molecule-iam-user-tf-module.
+# Create the test user
 module "user" {
-  source = "github.com/cisagov/ci-iam-user-tf-module"
+  source = "github.com/cisagov/molecule-iam-user-tf-module"
 
   providers = {
-    aws    = aws.users
-    aws.ci = aws.images_provisionaccount
+    aws                         = aws.users
+    aws.images-provisionaccount = aws.images_provisionaccount
+    aws.images-ssm              = aws.images_ssm
   }
 
-  role_description = "A role that can be assumed to allow for CI testing of ansible-role-nessus via Molecule."
-  role_name        = "Test-ansible-role-nessus"
-  user_name        = "test-ansible-role-nessus"
-}
-
-# Attach third-party S3 bucket read-only policy to the role used by the test
-# user
-resource "aws_iam_role_policy_attachment" "thirdpartybucketread" {
-  provider = aws.images_provisionaccount
-
-  policy_arn = module.bucket_access.policy.arn
-  role       = module.user.role.name
+  entity         = "ansible-role-nessus"
+  ssm_parameters = ["/third_party_bucket_name"]
 }