ci: call cleanup role at the end of build image

.github/workflows/aws_ansible.yml

@@ -114,7 +114,7 @@ jobs:
           for i in {1..1}
           do
             echo "Iteration: $i"
-            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u $SSH_USER --private-key="$HOME/packer.pem" -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} -e '{ "check_app_test_reboot": false, "check_cosmian_vm_test_reboot": false, "reboot_allowed": false }' --tags playbook-base-image,playbook-${{ inputs.product }},check-${{ inputs.product }}
+            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u $SSH_USER --private-key="$HOME/packer.pem" -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} -e '{ "check_app_test_reboot": false, "check_cosmian_vm_test_reboot": false, "reboot_allowed": false }' --tags playbook-base-image,playbook-${{ inputs.product }},check-${{ inputs.product }} --skip-tags role-cleanup
           done
 
       - name: Stop and delete AWS instance

.github/workflows/gcp_ansible.yml

@@ -146,7 +146,7 @@ jobs:
           for i in {1..1}
           do
             echo "Iteration: $i"
-            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }}
+            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} --skip-tags role-cleanup
           done
 
       - name: Stop and delete GCP instance

.github/workflows/nightly_clean.yml

@@ -18,5 +18,5 @@ jobs:
     secrets: inherit
 
   aws:
-    uses: ./.github/workflows/aws_main.yml
+    uses: ./.github/workflows/aws_clean.yml
     secrets: inherit

CHANGELOG.md

@@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ### Bug Fixes
 
-- Upgrade base image to 0.1.5: clean all authorized_keys ([#139](https://github.com/Cosmian/cosmian_vm/pull/139))
+- Upgrade base image to 0.1.5: clean all authorized_keys and users ([#140](https://github.com/Cosmian/cosmian_vm/pull/140))
 
 ## [1.2.2] - 2024-06-13
 

ansible/README.md

@@ -6,7 +6,9 @@
 
 ## [0.1.5] - 2024-06-15
 
-- RHEL/Ubuntu: clean all authorized_keys ([#139](https://github.com/Cosmian/cosmian_vm/pull/139))
+- Clean RHEL/Ubuntu after builds: ([#140](https://github.com/Cosmian/cosmian_vm/pull/140))
+  - clean all authorized_keys
+  - clean users
 
 ## [0.1.4] - 2024-06-12
 

ansible/roles/cleanup/tasks/main.yml

@@ -37,3 +37,20 @@
 - name: Display authorized_keys authorized_keys
   ansible.builtin.debug:
     var: authorized_keys
+
+- name: Gather all existing users
+  ansible.builtin.getent:
+    database: passwd
+  register: users_list
+
+- name: Define essential users
+  ansible.builtin.set_fact:
+    essential_users:
+      - root
+
+- name: Remove non-essential users
+  ansible.builtin.user:
+    name: "{{ item }}"
+    state: absent
+    remove: true
+  with_items: "{{ users_list.entries | map(attribute='name') | difference(essential_users) }}"