OSS Review

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,123 @@
+name: Bug report
+description: Report a problem with the DreadGOAD CLI, Ansible roles, Terraform modules, or another part of the tooling.
+title: "[bug]: "
+labels: ["bug", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a bug report.
+
+        Before you continue, please confirm:
+
+        - The issue is in the **DreadGOAD tooling** (CLI, Ansible, Terraform/Terragrunt, Packer, Warpgate, variant generator). Weak passwords and other intentional vulnerabilities inside the deployed labs are by design — please do not file those as bugs.
+        - If you believe you have found a **security vulnerability in the tooling itself**, do not open a public issue. Use [private vulnerability reporting](https://github.com/dreadnode/DreadGOAD/security/advisories/new) instead. See [SECURITY.md](https://github.com/dreadnode/DreadGOAD/blob/main/SECURITY.md).
+
+  - type: checkboxes
+    id: preflight
+    attributes:
+      label: Pre-flight checks
+      options:
+        - label: I have searched existing issues and this is not a duplicate.
+          required: true
+        - label: I have run `dreadgoad doctor` (or the equivalent) and read its output.
+          required: false
+        - label: This is a bug in the DreadGOAD tooling, not an intentional lab vulnerability.
+          required: true
+
+  - type: input
+    id: version
+    attributes:
+      label: DreadGOAD version
+      description: "Output of `dreadgoad --version`, or the commit SHA of `main` you are on."
+      placeholder: "e.g. 1.2.3 (commit: abc1234, built: 2026-04-07)  -or-  main @ abc1234"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: provider
+    attributes:
+      label: Provider
+      description: Which infrastructure provider were you using?
+      options:
+        - VirtualBox
+        - VMware
+        - Proxmox
+        - AWS
+        - Azure
+        - Ludus
+        - Not provider-specific
+        - Other (please describe in the bug report)
+    validations:
+      required: true
+
+  - type: dropdown
+    id: lab
+    attributes:
+      label: Lab
+      description: Which lab were you deploying when you hit the issue?
+      options:
+        - GOAD
+        - GOAD-Light
+        - GOAD-Mini
+        - MINILAB
+        - SCCM
+        - NHA
+        - DRACARYS
+        - A generated variant
+        - Not lab-specific
+        - Other (please describe in the bug report)
+    validations:
+      required: true
+
+  - type: input
+    id: os
+    attributes:
+      label: Operator OS
+      description: The OS where you are running the DreadGOAD CLI / Ansible (not the lab VMs).
+      placeholder: "e.g. macOS 14.5 (arm64), Ubuntu 22.04, Windows 11 + WSL2"
+    validations:
+      required: true
+
+  - type: textarea
+    id: description
+    attributes:
+      label: What happened?
+      description: A clear description of the bug, including what you expected to happen and what actually happened.
+    validations:
+      required: true
+
+  - type: textarea
+    id: repro
+    attributes:
+      label: Steps to reproduce
+      description: |
+        The exact commands you ran. Please include the full command line, any relevant config snippets (`dreadgoad.yaml`, `globalsettings.ini`), and the working directory.
+      placeholder: |
+        1. `git clone https://github.com/dreadnode/DreadGOAD.git`
+        2. `cd cli && go build -o dreadgoad .`
+        3. `./dreadgoad provision --lab GOAD-Light --provider virtualbox`
+        4. ...
+      render: shell
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant logs
+      description: |
+        Paste the relevant CLI output, Ansible log lines, or Terraform error.
+
+        Tip: rerun with `--debug` for more detail. Logs are also written to `~/.ansible/logs/goad/`.
+      render: shell
+    validations:
+      required: false
+
+  - type: textarea
+    id: extra
+    attributes:
+      label: Anything else?
+      description: Screenshots, related issues, recent changes you made, ideas about the cause, etc.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,11 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability in the DreadGOAD tooling
+    url: https://github.com/dreadnode/DreadGOAD/security/advisories/new
+    about: "Report security issues in the CLI, Ansible collection, Terraform / Terragrunt modules, or other tooling privately. Do NOT use a public issue. Note: weak passwords and other intentional vulnerabilities inside the deployed labs are by design and should not be reported."
+  - name: Upstream GOAD documentation
+    url: https://orange-cyberdefense.github.io/GOAD/
+    about: "Background on the original GOAD project that DreadGOAD is forked from."
+  - name: DreadGOAD documentation
+    url: https://github.com/dreadnode/DreadGOAD/tree/main/docs
+    about: "Provider guides, lab descriptions, validation guide, and the full vulnerability catalog."

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,70 @@
+name: Feature request
+description: Suggest a new feature, improvement, or change to DreadGOAD.
+title: "[feature]: "
+labels: ["enhancement", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for suggesting an improvement to DreadGOAD.
+
+        Before you continue, please check the [existing issues](https://github.com/dreadnode/DreadGOAD/issues?q=is%3Aissue) to see whether something similar has already been proposed.
+
+  - type: checkboxes
+    id: preflight
+    attributes:
+      label: Pre-flight checks
+      options:
+        - label: I have searched existing issues and discussions for a similar request.
+          required: true
+
+  - type: dropdown
+    id: area
+    attributes:
+      label: Area
+      description: Which part of the project does this affect?
+      options:
+        - CLI (`dreadgoad`)
+        - Ansible collection / roles
+        - Terraform / Terragrunt modules
+        - Packer / Warpgate templates
+        - A specific lab (GOAD, GOAD-Light, MINILAB, SCCM, NHA, DRACARYS, ...)
+        - A specific extension (ELK, Exchange, Wazuh, Guacamole, ...)
+        - Variant generator
+        - Documentation
+        - CI / release tooling
+        - Other
+    validations:
+      required: true
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem does this solve?
+      description: Describe the use case and the pain point you are running into. "I'm always frustrated when..."
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: How would you like this to work? Be as concrete as you can — example commands, config snippets, or UI sketches all help.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Other approaches you considered and why you rejected them.
+    validations:
+      required: false
+
+  - type: textarea
+    id: extra
+    attributes:
+      label: Additional context
+      description: Links, references, related issues, or anything else useful.
+    validations:
+      required: false

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,77 @@
+<!--
+Thanks for contributing to DreadGOAD!
+
+Please fill in the sections below. Delete sections that don't apply, but try
+not to leave the template completely empty — context helps reviewers a lot.
+
+If this PR addresses a security vulnerability in the DreadGOAD tooling
+(NOT an intentional lab vulnerability), please coordinate via private
+vulnerability reporting first — see SECURITY.md.
+-->
+
+## Summary
+
+<!-- One or two sentences: what does this PR do, and why? -->
+
+## Type of change
+
+<!-- Check all that apply. -->
+
+- [ ] Bug fix (non-breaking change that fixes an issue)
+- [ ] New feature (non-breaking change that adds functionality)
+- [ ] Breaking change (fix or feature that would change existing behavior)
+- [ ] New lab, lab variant, or extension
+- [ ] New / updated provider support
+- [ ] Refactor / internal cleanup (no functional change)
+- [ ] Documentation
+- [ ] CI / build / release tooling
+- [ ] Dependency update
+
+## Area
+
+<!-- Check all that apply. -->
+
+- [ ] CLI (`cli/`)
+- [ ] Ansible collection (`ansible/`)
+- [ ] Terraform / Terragrunt (`infra/`, `modules/`)
+- [ ] Packer / Warpgate (`packer/`, `warpgate-templates/`)
+- [ ] Lab definitions (`ad/`)
+- [ ] Extensions (`extensions/`)
+- [ ] Variant generator / tools (`tools/`)
+- [ ] Documentation (`docs/`, `README.md`, etc.)
+- [ ] CI workflows (`.github/`)
+
+## Related issues
+
+<!-- Link any issues this PR closes or relates to, e.g. "Closes #123" -->
+
+## How was this tested?
+
+<!--
+Tell reviewers what you actually ran. The more concrete the better.
+Examples:
+  - `cd cli && go test ./...`
+  - `dreadgoad doctor`
+  - `dreadgoad provision --lab GOAD-Light --provider virtualbox`, then
+    `dreadgoad health-check` and `dreadgoad validate --quick`
+  - Re-ran the AWS warpgate AMI build end-to-end on us-east-1
+  - Linted Ansible with `ansible-lint ansible/`
+-->
+
+- Provider(s) tested:
+- Lab(s) tested:
+- Operator OS:
+
+## Screenshots / logs (optional)
+
+<!-- For UX changes, output changes, or anything visually interesting. -->
+
+## Checklist
+
+- [ ] I have read [CONTRIBUTING.md](../CONTRIBUTING.md).
+- [ ] My changes follow the existing code style of the area I touched.
+- [ ] I have added or updated tests where it makes sense (Go tests under `cli/`, Ansible syntax checks, etc.).
+- [ ] I have updated documentation (README, `docs/`, role README, command help text) where relevant.
+- [ ] I have checked that I am not committing real secrets, personal credentials, or internal hostnames. (Intentional lab credentials inside `ad/`, `ansible/`, and `extensions/` are expected and fine.)
+- [ ] If this PR changes user-facing CLI behavior, I have updated the relevant `--help` text and any docs that reference it.
+- [ ] If this PR introduces a breaking change, I have called it out in the **Summary** above.

ansible/galaxy.yml

@@ -19,7 +19,7 @@ tags:
 dependencies:
   amazon.aws: ">=9.0.0"
   ansible.windows: ">=2.5.0"
-  community.general: "*"
+  community.general: ">=9.0.0,<11.0.0"
   community.windows: ">=2.3.0"
   chocolatey.chocolatey: ">=1.5.3"
 repository: https://github.com/dreadnode/ansible-collection-goad

ansible/requirements.yml

@@ -3,6 +3,7 @@ collections:
   - name: ansible.windows
     version: ">=2.5.0"
   - name: community.general
+    version: ">=9.0.0,<11.0.0"
   - name: community.windows
     version: ">=2.3.0"
   - name: chocolatey.chocolatey
@@ -14,3 +15,4 @@ collections:
 
 roles:
   - name: geerlingguy.mysql
+    version: ">=4.0.0,<5.0.0"

cli/cmd/ami.go

@@ -127,8 +127,14 @@ func runAMIBuild(cmd *cobra.Command, args []string) error {
 
 	verbose := viper.GetBool("debug")
 
+	// Region precedence for `ami build`: --region flag > cfg.Region (from
+	// dreadgoad.yaml or DREADGOAD_REGION) > the template's own embedded region.
+	// The empty fallback (instead of a hardcoded default) is what allows the
+	// template's embedded region to win when neither --region nor cfg.Region
+	// is set; if either is set, it overrides the template even though the
+	// user didn't ask for this specific build.
 	bf := buildFlags{
-		region:          getFlagString(cmd, "region", cfg.Region, "us-west-1"),
+		region:          getFlagString(cmd, "region", cfg.Region, ""),
 		instanceType:    getFlagStringOpt(cmd, "instance-type"),
 		profile:         getFlagStringOpt(cmd, "profile"),
 		instanceProfile: getFlagStringOpt(cmd, "instance-profile"),
@@ -297,7 +303,17 @@ func getFlagBool(cmd *cobra.Command, name string) bool {
 }
 
 func newAWSClients(cmd *cobra.Command, cfg *config.Config) (*ami.AWSClients, error) {
-	region := getFlagString(cmd, "region", cfg.Region, "us-west-1")
+	// For ami list-resources / purge there is no warpgate template fallback,
+	// so a region is required. Local --region flag wins over cfg.Region;
+	// otherwise we error out via ResolveRegion rather than silently picking one.
+	region := getFlagStringOpt(cmd, "region")
+	if region == "" {
+		var err error
+		region, err = cfg.ResolveRegion()
+		if err != nil {
+			return nil, err
+		}
+	}
 	profile := getFlagStringOpt(cmd, "profile")
 	return ami.NewAWSClients(context.Background(), ami.ClientConfig{
 		Region:  region,

cli/cmd/config_cmd.go

@@ -25,7 +25,7 @@ var configShowCmd = &cobra.Command{
 			return err
 		}
 		fmt.Printf("Environment:    %s\n", cfg.Env)
-		fmt.Printf("Region:         %s\n", valueOrDefault(cfg.Region, "(from inventory)"))
+		fmt.Printf("Region:         %s\n", valueOrDefault(cfg.Region, "(unset — required for AWS commands)"))
 		fmt.Printf("Debug:          %v\n", cfg.Debug)
 		fmt.Printf("Max Retries:    %d\n", cfg.MaxRetries)
 		fmt.Printf("Retry Delay:    %ds\n", cfg.RetryDelay)
@@ -84,7 +84,7 @@ var configInitCmd = &cobra.Command{
 
 		content := `# DreadGOAD CLI Configuration
 env: staging
-# region: us-west-2  # Override AWS region (default: from inventory)
+# region: us-east-1  # AWS region (required for AWS commands; can also be set via DREADGOAD_REGION or --region)
 debug: false
 max_retries: 3
 retry_delay: 30

cli/cmd/env_cmd.go

@@ -51,7 +51,7 @@ func init() {
 	envCmd.AddCommand(envCreateCmd)
 	envCmd.AddCommand(envListCmd)
 
-	envCreateCmd.Flags().String("region", "us-east-1", "AWS region for the environment")
+	envCreateCmd.Flags().String("region", "", "AWS region for the environment (required; or set via dreadgoad.yaml / DREADGOAD_REGION / --region)")
 	envCreateCmd.Flags().String("vpc-cidr", "", "VPC CIDR block (default: auto-assigned)")
 	envCreateCmd.Flags().String("reference", "staging", "Reference environment to copy infrastructure from")
 	envCreateCmd.Flags().Bool("variant", false, "Generate randomized variant config")
@@ -70,17 +70,26 @@ func runEnvCreate(cmd *cobra.Command, args []string) error {
 	}
 
 	region, _ := cmd.Flags().GetString("region")
+	if region == "" {
+		region, err = cfg.ResolveRegion()
+		if err != nil {
+			return fmt.Errorf("env create requires a region: pass --region, set 'region' in dreadgoad.yaml, or export DREADGOAD_REGION")
+		}
+	}
 	vpcCIDR, _ := cmd.Flags().GetString("vpc-cidr")
 	reference, _ := cmd.Flags().GetString("reference")
 	useVariant, _ := cmd.Flags().GetBool("variant")
 	force, _ := cmd.Flags().GetBool("force")
 
-	deployment := cfg.Infra.Deployment
-	infraBase := filepath.Join(cfg.ProjectRoot, "infra", deployment)
-
 	if vpcCIDR == "" {
 		vpcCIDR = cfg.VpcCIDR(envName)
 	}
+
+	return scaffoldEnv(cfg, envName, region, vpcCIDR, reference, useVariant, force)
+}
+
+func scaffoldEnv(cfg *config.Config, envName, region, vpcCIDR, reference string, useVariant, force bool) error {
+	infraBase := filepath.Join(cfg.ProjectRoot, "infra", cfg.Infra.Deployment)
 	envDir := filepath.Join(infraBase, envName)
 	regionDir := filepath.Join(envDir, region)