cisagov
diff --git a/‎.github/workflows/build.yml
Lines changed: 7 additions & 3 deletions b/‎.github/workflows/build.yml
Lines changed: 7 additions & 3 deletions
diff --git a/‎.github/workflows/prerelease.yml
Lines changed: 8 additions & 2 deletions b/‎.github/workflows/prerelease.yml
Lines changed: 8 additions & 2 deletions
diff --git a/‎.github/workflows/release.yml
Lines changed: 8 additions & 2 deletions b/‎.github/workflows/release.yml
Lines changed: 8 additions & 2 deletions
diff --git a/‎.gitignore
Lines changed: 1 addition & 0 deletions b/‎.gitignore
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md
Lines changed: 144 additions & 30 deletions b/‎README.md
Lines changed: 144 additions & 30 deletions
diff --git a/‎ami_arm64.pkr.hcl
Lines changed: 8 additions & 0 deletions b/‎ami_arm64.pkr.hcl
Lines changed: 8 additions & 0 deletions
diff --git a/‎ami_x86_64.pkr.hcl
Lines changed: 8 additions & 0 deletions b/‎ami_x86_64.pkr.hcl
Lines changed: 8 additions & 0 deletions
diff --git a/‎bump-version
Lines changed: 1 addition & 1 deletion b/‎bump-version
Lines changed: 1 addition & 1 deletion
diff --git a/‎requirements.txt
Lines changed: 1 addition & 0 deletions b/‎requirements.txt
Lines changed: 1 addition & 0 deletions
@@ -227,6 +227,7 @@ jobs:
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
   build:
+    environment: dev-a
     # The AMI build process is an expensive test (in terms of time) so
     # let's not run it unless the other jobs succeed.
     needs:
@@ -291,7 +292,7 @@ jobs:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
-          role-to-assume: ${{ secrets.BUILD_ROLE_TO_ASSUME_STAGING }}
+          role-to-assume: ${{ secrets.BUILD_ROLE_TO_ASSUME }}
           role-duration-seconds: 3600
       # When called by Packer, Ansible will find /usr/bin/python3 and
       # use it; therefore, we must ensure that /usr/bin/python3 points
@@ -307,13 +308,16 @@ jobs:
       - name: Install Packer plugins
         run: packer init .
       - name: Create machine image
-        # This runs through the AMI creation process but does not
-        # actually create an AMI
         run: |
           packer build -only amazon-ebs.${{ matrix.architecture }} \
             -timestamp-ui \
+<<<<<<< HEAD
             -var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_STAGING }} \
             -var skip_create_ami=true \
+=======
+            -var github_ref_name=${{ github.ref_name }} \
+            -var github_sha=${{ github.sha }} \
+>>>>>>> b702664447def7d112564cadeda1ebe32e064c2d
             .
       - name: Remove /usr/bin/python3 symlink to the installed Python
         run: |
 
@@ -37,6 +37,7 @@ jobs:
         name: Dump context
         uses: crazy-max/ghaction-dump-context@v2
   prerelease:
+    environment: staging-a
     needs:
       - diagnostics
     permissions:
@@ -90,15 +91,15 @@ jobs:
           python -m pip install --upgrade pip
           pip install --upgrade \
                       --requirement requirements.txt
-      - name: Install ansible roles
+      - name: Install Ansible roles
         run: ansible-galaxy install --force --role-file ansible/requirements.yml
       - name: Assume AWS build role
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
-          role-to-assume: ${{ secrets.BUILD_ROLE_TO_ASSUME_STAGING }}
+          role-to-assume: ${{ secrets.BUILD_ROLE_TO_ASSUME }}
           role-duration-seconds: 3600
       # When called by Packer, Ansible will find /usr/bin/python3 and
       # use it; therefore, we must ensure that /usr/bin/python3 points
@@ -123,7 +124,12 @@ jobs:
         run: |
           packer build -only amazon-ebs.${{ matrix.architecture }} \
             -timestamp-ui \
+<<<<<<< HEAD
             -var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_STAGING }} \
+=======
+            -var github_ref_name=${{ github.ref_name }} \
+            -var github_sha=${{ github.sha }} \
+>>>>>>> b702664447def7d112564cadeda1ebe32e064c2d
             -var is_prerelease=${{ github.event.release.prerelease }} \
             -var release_tag=${{ github.event.release.tag_name }} \
             -var release_url=${{ github.event.release.html_url }} \
 
@@ -44,6 +44,7 @@ jobs:
         name: Dump context
         uses: crazy-max/ghaction-dump-context@v2
   release:
+    environment: production
     needs:
       - diagnostics
     permissions:
@@ -97,7 +98,7 @@ jobs:
           python -m pip install --upgrade pip
           pip install --upgrade \
                       --requirement requirements.txt
-      - name: Install ansible roles
+      - name: Install Ansible roles
         run: ansible-galaxy install --force --role-file ansible/requirements.yml
       # Do not copy the AMI to other regions until we have figured out a
       # workable mechanism for creating and managing AMI KMS keys in other
@@ -113,7 +114,7 @@ jobs:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
-          role-to-assume: ${{ secrets.BUILD_ROLE_TO_ASSUME_PRODUCTION }}
+          role-to-assume: ${{ secrets.BUILD_ROLE_TO_ASSUME }}
           role-duration-seconds: 3600
       # When called by Packer, Ansible will find /usr/bin/python3 and
       # use it; therefore, we must ensure that /usr/bin/python3 points
@@ -138,7 +139,12 @@ jobs:
         run: |
           packer build -only amazon-ebs.${{ matrix.architecture }} \
             -timestamp-ui \
+<<<<<<< HEAD
             -var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_PRODUCTION }} \
+=======
+            -var github_ref_name=${{ github.ref_name }} \
+            -var github_sha=${{ github.sha }} \
+>>>>>>> b702664447def7d112564cadeda1ebe32e064c2d
             -var is_prerelease=${{ github.event.release.prerelease }} \
             -var release_tag=${{ github.event.release.tag_name }} \
             -var release_url=${{ github.event.release.html_url }} \
 
@@ -19,4 +19,5 @@ dist
 .terraform.lock.hcl
 terraform.tfstate
 terraform.tfstate.backup
+*.tfconfig
 *.tfvars
@@ -28,15 +28,63 @@ next steps.  Note that you will need to know where your team stores their
 remote profile data in order to use
 [`aws-profile-sync`](https://github.com/cisagov/aws-profile-sync).
 
-To create the build user, follow these instructions:
+### Creating a build user ###
 
-```console
-cd terraform-build-user
-terraform init --upgrade=true
-terraform apply
-```
+You will need to create a build user for each environment that you use.  The
+following steps show how to create a build user for an environment named "dev".
+You will need to repeat this process for any additional environments.
+
+1. Change into the `terraform-build-user` directory:
+
+   ```console
+   cd terraform-build-user
+   ```
+
+1. Create a backend configuration file named `dev.tfconfig` containing the
+name of the bucket where "dev" environment Terraform state is stored - this file
+is required to initialize the Terraform backend in each environment:
+
+    ```hcl
+    bucket = "my-dev-terraform-state-bucket"
+    ```
+
+1. Initialize the Terraform backend for the "dev" environment using your backend
+   configuration file:
+
+    ```console
+    terraform init -backend-config=dev.tfconfig
+    ```
 
-Once the user is created you will need to update the
+    > [!NOTE]
+    > When performing this step for additional environments (i.e. not your first
+    > environment), use the `-reconfigure` flag:
+    >
+    > ```console
+    > terraform init -backend-config=other-env.tfconfig -reconfigure
+    > ```
+
+1. Create a Terraform variables file named `dev.tfvars` containing all
+required variables (currently only `terraform_state_bucket`):
+
+    ```hcl
+    terraform_state_bucket = "my-dev-terraform-state-bucket"
+    ```
+
+1. Create a Terraform workspace for the "dev" environment:
+
+    ```console
+   terraform workspace new dev
+   ```
+
+1. Initialize and upgrade the Terraform workspace, then apply the configuration
+   to create the build user in the "dev" environment:
+
+    ```console
+    terraform init -upgrade=true
+    terraform apply -var-file=dev.tfvars
+    ```
+
+Once the build user is created you will need to update the
 [repository's secrets](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets)
 with the new encrypted environment variables. This should be done using the
 [`terraform-to-secrets`](https://github.com/cisagov/development-guide/tree/develop/project_setup#terraform-iam-credentials-to-github-secrets-)
@@ -55,7 +103,7 @@ IMPORTANT: The account where your images will be built must have a VPC and
 a public subnet both tagged with the name "AMI Build", otherwise `packer`
 will not be able to build images.
 
-## Building the Image ##
+## Building the image ##
 
 ### Using GitHub Actions ###
 
@@ -66,21 +114,23 @@ will not be able to build images.
 GitHub Actions can build this project in three different modes depending on
 how the build was triggered from GitHub.
 
-1. **Non-release test**: After a normal commit or pull request GitHub Actions
-   will build the project, and run tests and validation on the
-   Packer template. It will **not** build an image.
-1. **Pre-release deploy**: Publish a GitHub release
-   with the "This is a pre-release" checkbox checked. An image will be built
-   and deployed using the [`prerelease`](.github/workflows/prerelease.yml)
-   workflow. This should be configured to deploy the image to a single region
-   using a non-production account (e.g. "staging").
-1. **Production release deploy**: Publish a GitHub release with
-   the "This is a pre-release" checkbox unchecked. An image will be built
-   and deployed using the [`release`](.github/workflows/release.yml)
-   workflow. This should be configured to deploy the image to multiple regions
-   using a production account.
-
-### Using Your Local Environment ###
+1. **Development release**: After a normal commit and also on a pull request,
+   GitHub Actions will run tests and validation on the Packer template, and then
+   build the project.  An image will be built and deployed using the
+   [`build`](.github/workflows/build.yml) workflow.  This should be configured
+   to deploy the image to a single region using a development account.
+1. **Pre-release**: Publish a GitHub release with the "This is a pre-release"
+   checkbox checked.  An image will be built and deployed using the
+   [`prerelease`](.github/workflows/prerelease.yml) workflow.  This should be
+   configured to deploy the image to a single region using a non-production
+   account (e.g. "staging").
+1. **Production release**: Publish a GitHub release with the "This is a
+   pre-release" checkbox unchecked.  An image will be built and deployed using
+   the [`release`](.github/workflows/release.yml) workflow.  This should be
+   configured to deploy the image to multiple regions using a production
+   account.
+
+### Using your local environment ###
 
 Packer will use your
 [standard AWS environment](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html)
@@ -139,21 +189,73 @@ region_kms_keys = {
 AWS_PROFILE=cool-images-ec2amicreate-openvpn-packer packer build --timestamp-ui -var-file release.pkrvars.hcl .
 ```
 
-### Giving Other AWS Accounts Permission to Launch the Image ###
+### Giving other AWS accounts permission to launch the image ###
 
 After the AMI has been successfully created, you may want to allow other
+<<<<<<< HEAD
 accounts in your AWS organization permission to launch it.  For this project,
 we want to allow the "Shared Services" account to launch the
 most-recently-created AMI.  To do that, follow these instructions, noting that
 "ENVIRONMENT_TYPE" below should be replaced with where the AMI was created
 (e.g "production", "staging", etc.):
+=======
+accounts in your AWS organization permission to launch it.  The following steps
+show how to do this for an environment named "dev". You will need to repeat this
+process for any additional environments.
+>>>>>>> b702664447def7d112564cadeda1ebe32e064c2d
 
-```console
-cd terraform-post-packer
-terraform workspace select ENVIRONMENT_TYPE
-terraform init --upgrade=true
-terraform apply
-```
+> [!NOTE]
+> Refer to the `ami_share_account_name_regex` variable if you want to customize
+> which accounts in your AWS organization to share your AMI with.
+
+1. Change into the `terraform-post-packer` directory:
+
+   ```console
+   cd terraform-post-packer
+   ```
+
+1. Create a backend configuration file named `dev.tfconfig` containing the
+name of the bucket where "dev" environment Terraform state is stored - this file
+is required to initialize the Terraform backend in each environment:
+
+    ```hcl
+    bucket = "my-dev-terraform-state-bucket"
+    ```
+
+1. Initialize the Terraform backend for the "dev" environment using your backend
+   configuration file:
+
+    ```console
+    terraform init -backend-config=dev.tfconfig
+    ```
+
+    > [!NOTE]
+    > When performing this step for additional environments (i.e. not your first
+    > environment), use the `-reconfigure` flag:
+    >
+    > ```console
+    > terraform init -backend-config=other-env.tfconfig -reconfigure
+    > ```
+
+1. If not already created, create a Terraform workspace for the "dev" environment:
+
+    ```console
+   terraform workspace new dev
+   ```
+
+   Otherwise, switch to the existing "dev" workspace:
+
+    ```console
+   terraform workspace select dev
+   ```
+
+1. Initialize and upgrade the Terraform workspace, then apply the configuration
+   to share the AMI with accounts in the "dev" environment:
+
+    ```console
+    terraform init -upgrade=true
+    terraform apply
+    ```
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements ##
@@ -185,6 +287,8 @@ No modules.
 | build\_bucket | The S3 bucket containing the CDM tool installers. | `string` | `""` | no |
 | build\_region | The region in which to retrieve the base AMI from and build the new AMI. | `string` | `"us-east-1"` | no |
 | build\_region\_kms | The ID or ARN of the KMS key to use for AMI encryption. | `string` | `"alias/cool-amis"` | no |
+| github\_ref\_name | The GitHub short ref name to use for the tags applied to the created AMI. | `string` | `""` | no |
+| github\_sha | The GitHub commit SHA to use for the tags applied to the created AMI. | `string` | `""` | no |
 | is\_prerelease | The pre-release status to use for the tags applied to the created AMI. | `bool` | `false` | no |
 | region\_kms\_keys | A map of regions to copy the created AMI to and the KMS keys to use for encryption in that region. The keys for this map must match the values provided to the aws\_regions variable. Example: {"us-east-1": "alias/example-kms"} | `map(string)` | `{}` | no |
 | release\_tag | The GitHub release tag to use for the tags applied to the created AMI. | `string` | `""` | no |
@@ -196,6 +300,16 @@ No modules.
 No outputs.
 <!-- END_TF_DOCS -->
 
+<<<<<<< HEAD
+=======
+## New repositories from a skeleton ##
+
+Please see our [Project Setup guide](https://github.com/cisagov/development-guide/tree/develop/project_setup)
+for step-by-step instructions on how to start a new repository from
+a skeleton. This will save you time and effort when configuring a
+new repository!
+
+>>>>>>> b702664447def7d112564cadeda1ebe32e064c2d
 ## Contributing ##
 
 We welcome contributions!  Please see [`CONTRIBUTING.md`](CONTRIBUTING.md) for
 
@@ -25,9 +25,17 @@ source "amazon-ebs" "arm64" {
   tags = {
     Application        = "OpenVPN"
     Architecture       = "arm64"
+<<<<<<< HEAD
     Base_AMI_Name      = data.amazon-ami.ubuntu_noble_arm64.name
     GitHub_Release_URL = var.release_url
     OS_Version         = "Ubuntu Noble Numbat"
+=======
+    Base_AMI_Name      = data.amazon-ami.debian_bookworm_arm64.name
+    GitHub_Ref_Name    = var.github_ref_name
+    GitHub_Release_URL = var.release_url
+    GitHub_SHA         = var.github_sha
+    OS_Version         = "Debian Bookworm"
+>>>>>>> b702664447def7d112564cadeda1ebe32e064c2d
     Pre_Release        = var.is_prerelease
     Release            = var.release_tag
     Team               = "VM Fusion - Development"
 
@@ -25,9 +25,17 @@ source "amazon-ebs" "x86_64" {
   tags = {
     Application        = "OpenVPN"
     Architecture       = "x86_64"
+<<<<<<< HEAD
     Base_AMI_Name      = data.amazon-ami.ubuntu_noble_x86_64.name
     GitHub_Release_URL = var.release_url
     OS_Version         = "Ubuntu Noble Numbat"
+=======
+    Base_AMI_Name      = data.amazon-ami.debian_bookworm_x86_64.name
+    GitHub_Ref_Name    = var.github_ref_name
+    GitHub_Release_URL = var.release_url
+    GitHub_SHA         = var.github_sha
+    OS_Version         = "Debian Bookworm"
+>>>>>>> b702664447def7d112564cadeda1ebe32e064c2d
     Pre_Release        = var.is_prerelease
     Release            = var.release_tag
     Team               = "VM Fusion - Development"
 
@@ -125,7 +125,7 @@ if [ -n "$label" ] && [ "$with_prerelease" = false ] && [[ ! " ${commands_with_l
   invalid_option "Setting the label is only allowed for the following commands: ${commands_with_label[*]}"
 fi
 
-if [ "$with_prerelease" = true ] && [[ ! " ${commands_with_prerelease[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then
+if [ "$with_prerelease" = true ] && [ -n "$bump_part" ] && [[ ! " ${commands_with_prerelease[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then
   invalid_option "Changing the prerelease is only allowed in conjunction with the following commands: ${commands_with_prerelease[*]}"
 fi
 
 
@@ -41,6 +41,7 @@ ansible>=10,<11
 ansible-core>=2.17
 boto3
 docopt
+# The bump-version script requires at least version 3 of semver.
 semver>=3
 setuptools
 wheel