Refactor Ansible facts from dot to array notation (#237)
alessfg authored Jan 29, 2023
1 parent 016fbe9 commit 3e4f941
Showing 17 changed files with 67 additions and 66 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,7 @@ FEATURES:

* Validate that various role variables have been set to one of the allowed values.
* Refactor how this role checks if your distribution is supported NGINX App Protect. The role will no longer fail if the target distribution is not supported, instead, you will get a warning. This should help with the occasional lag between new releases of distributions and/or NGINX App Protect and this role being updated to support those releases. In addition, the role will also now check if your distribution's architecture is supported.
* Refactor Ansible facts from dot to array notation to keep in with the standards set by the other roles in the Ansible NGINX core collection.
* Add support for Debian bullseye for NGINX App Protect WAF.
* Add support for Oracle Linux 7.x & 8.x for NGINX App Protect WAF.
* Add support for RHEL 8.7.
2 changes: 1 addition & 1 deletion molecule/common/cleanup.yml
Expand Up @@ -26,7 +26,7 @@
- name: (RHEL) Unregister system from RHEL subscription manager
community.general.redhat_subscription:
state: absent
when: ansible_distribution == "RedHat"
when: ansible_facts['distribution'] == "RedHat"
rescue:
- name: It's ok we're at startup
ansible.builtin.meta: noop
2 changes: 1 addition & 1 deletion molecule/default/converge.yml
Expand Up @@ -16,7 +16,7 @@
username: "{{ lookup('env', 'RHEL_USERNAME') }}"
password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
when:
- ansible_distribution == "RedHat"
- ansible_facts['distribution'] == "RedHat"
- rhel_subscription | bool
tasks:
- name: Install NGINX App Protect WAF
2 changes: 1 addition & 1 deletion molecule/dos/converge.yml
Expand Up @@ -16,7 +16,7 @@
username: "{{ lookup('env', 'RHEL_USERNAME') }}"
password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
when:
- ansible_distribution == "RedHat"
- ansible_facts['distribution'] == "RedHat"
- rhel_subscription| bool
tasks:
- name: Install NGINX App Protect DoS
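Review bot: The second condition of the `when` list, `rhel_subscription| bool`, is missing the space before the pipe that `molecule/default/converge.yml` in this same commit writes as `rhel_subscription | bool`. Jinja accepts both, but it is the kind of spacing that the `jinja[spacing]` lint rule other tasks in this diff already have to suppress with `# noqa`, so normalise it to `- rhel_subscription | bool` while the file is being touched.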
4 changes: 2 additions & 2 deletions molecule/specific-version/converge.yml
Expand Up @@ -13,12 +13,12 @@
tasks:
- name: Set NGINX App Protect WAF signature version fact
ansible.builtin.set_fact:
nginx_app_protect_waf_signatures_version: "{{ app_protect_signature_version_matrix[ansible_os_family | lower] }}{{ (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
nginx_app_protect_waf_signatures_version: "{{ app_protect_signature_version_matrix[ansible_facts['os_family'] | lower] }}{{ (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
when: specify_app_protect_signatures_version | bool

- name: Set NGINX App Protect WAF threat campaigns version fact
ansible.builtin.set_fact:
nginx_app_protect_waf_threat_campaigns_version: "{{ app_protect_threat_campaigns_version_matrix[ansible_os_family | lower] }}{{ (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
nginx_app_protect_waf_threat_campaigns_version: "{{ app_protect_threat_campaigns_version_matrix[ansible_facts['os_family'] | lower] }}{{ (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
when: specify_app_protect_threat_campaigns_version | bool

- name: Install NGINX App Protect WAF
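Review bot: Both new `set_fact` lines still read the legacy injected variable `ansible_distribution_release` inside the `ternary`, so the refactor is only half applied here and both tasks fail with an undefined variable as soon as `inject_facts_as_vars` is disabled; the verify playbook in this same commit already uses the array form for that fact. Replace `'~' ~ ansible_distribution_release` with `'~' ~ ansible_facts['distribution_release']` in the signature-version and threat-campaigns-version tasks.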
4 changes: 2 additions & 2 deletions molecule/specific-version/verify.yml
Expand Up @@ -60,8 +60,8 @@

- name: Verify installed NAP signatures version matches requested version # noqa jinja[spacing]
ansible.builtin.assert:
that: "{{ (ansible_facts.packages['app-protect-attack-signatures'] | map(attribute='version') | first) == (app_protect_signature_version_matrix[ansible_os_family | lower] | regex_replace('^-|=','') + (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '')) }}"
that: "{{ (ansible_facts['packages']['app-protect-attack-signatures'] | map(attribute='version') | first) == (app_protect_signature_version_matrix[ansible_facts['os_family'] | lower] | regex_replace('^-|=','') + (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_facts['distribution_release'], '')) }}"

- name: Verify installed NAP threat campaigns version matches requested version # noqa jinja[spacing]
ansible.builtin.assert:
that: "{{ (ansible_facts.packages['app-protect-threat-campaigns'] | map(attribute='version') | first) == (app_protect_threat_campaigns_version_matrix[ansible_os_family | lower] | regex_replace('^-|=','') + (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '')) }}"
that: "{{ (ansible_facts['packages']['app-protect-threat-campaigns'] | map(attribute='version') | first) == (app_protect_threat_campaigns_version_matrix[ansible_facts['os_family'] | lower] | regex_replace('^-|=','') + (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_facts['distribution_release'], '')) }}"
4 changes: 2 additions & 2 deletions molecule/uninstall/prepare.yml
Expand Up @@ -34,7 +34,7 @@
username: "{{ lookup('env', 'RHEL_USERNAME') }}"
password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
when:
- ansible_distribution == "RedHat"
- ansible_facts['distribution'] == "RedHat"
- rhel_subscription| bool
tasks:
- name: Install NGINX App Protect WAF
Expand All @@ -54,5 +54,5 @@
community.general.redhat_subscription:
state: absent
when:
- ansible_distribution == "RedHat"
- ansible_facts['distribution'] == "RedHat"
- rhel_subscription | bool
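Review bot: Within this one file the subscribe task spells the condition `rhel_subscription| bool` while the unsubscribe task at the bottom writes `rhel_subscription | bool`; both evaluate the same, but the first form is the one the `jinja[spacing]` lint rule complains about. Normalise the first to `- rhel_subscription | bool` so the two `when` lists read identically.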
12 changes: 6 additions & 6 deletions tasks/common/config/configure-app-protect.yml
Expand Up @@ -4,15 +4,15 @@
block:
- name: Ensure NGINX App Protect security policy directories exist
ansible.builtin.file:
path: "{{ item.dest | default('/etc/app_protect/conf') | dirname }}"
path: "{{ item['dest'] | default('/etc/app_protect/conf') | dirname }}"
state: directory
mode: 0755
loop: "{{ nginx_app_protect_security_policy_file }}"

- name: Copy NGINX App Protect security policy files
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest | default('/etc/app_protect/conf') }}"
src: "{{ item['src'] }}"
dest: "{{ item['dest'] | default('/etc/app_protect/conf') }}"
backup: true
mode: 0644
loop: "{{ nginx_app_protect_security_policy_file }}"
Expand All @@ -22,15 +22,15 @@
block:
- name: Ensure NGINX App Protect log policy directories exist
ansible.builtin.file:
path: "{{ item.dest | default('/etc/app_protect/conf') | dirname }}"
path: "{{ item['dest'] | default('/etc/app_protect/conf') | dirname }}"
state: directory
mode: 0755
loop: "{{ nginx_app_protect_log_policy_file }}"

- name: Copy NGINX App Protect log policy files
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest | default('/etc/app_protect/conf') }}"
src: "{{ item['src'] }}"
dest: "{{ item['dest'] | default('/etc/app_protect/conf') }}"
backup: true
mode: 0644
loop: "{{ nginx_app_protect_log_policy_file }}"
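Review bot: The `file` and `copy` tasks in both blocks pass unquoted octal modes (`mode: 0755`, `mode: 0644`); a YAML 1.1 parser reads these as the integers 493 and 420, which Ansible happens to reinterpret correctly in this position but, per its own documentation, not in every context, and ansible-lint reports it as `risky-octal`. Quote them as `mode: "0755"` and `mode: "0644"`. Separately, when an item omits `dest` the default `/etc/app_protect/conf` is itself a directory, so `| dirname` only ensures `/etc/app_protect` exists; if `/etc/app_protect/conf` is absent at that point, `copy` would presumably create a regular file named `conf` instead of placing the policy inside it — worth confirming that the package install always creates that directory before this task runs, or defaulting `dest` to a full file path.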
4 changes: 2 additions & 2 deletions tasks/common/install/remove-license.yml
Expand Up @@ -4,11 +4,11 @@
nginx_app_protect_license_status: absent

- name: Delete NGINX App Protect WAF repository data
ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_os_family | lower }}.yml"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_facts['os_family'] | lower }}.yml"
when: nginx_app_protect_waf_enable | bool

- name: Delete NGINX App Protect DoS repository data
ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_os_family | lower }}.yml"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_facts['os_family'] | lower }}.yml"
when: nginx_app_protect_dos_enable | bool

- name: Delete NGINX App Protect license
18 changes: 9 additions & 9 deletions tasks/common/install/setup-license.yml
@@ -1,6 +1,6 @@
---
- name: (Alpine Linux) Set up NGINX App Protect WAF/DoS license
when: ansible_os_family == "Alpine"
when: ansible_facts['os_family'] == "Alpine"
block:
- name: Install cryptography package
ansible.builtin.package:
Expand All @@ -14,14 +14,14 @@

- name: (Alpine Linux) Copy NGINX App Protect WAF/DoS certificate
ansible.builtin.copy:
src: "{{ nginx_app_protect_license.certificate }}"
src: "{{ nginx_app_protect_license['certificate'] }}"
dest: /etc/apk/cert.pem
decrypt: true
mode: 0444

- name: (Alpine Linux) Copy NGINX App Protect WAF/DoS key
ansible.builtin.copy:
src: "{{ nginx_app_protect_license.key }}"
src: "{{ nginx_app_protect_license['key'] }}"
dest: /etc/apk/cert.key
decrypt: true
mode: 0444
Expand All @@ -45,7 +45,7 @@
fail_msg: Something went wrong! Make sure your App Protect WAF/DoS license is valid!

- name: (Debian/Red Hat OSs) Set up NGINX App Protect WAF/DoS license
when: ansible_os_family != "Alpine"
when: ansible_facts['os_family'] != "Alpine"
block:
- name: (Debian/Red Hat OSs) Create SSL directory
ansible.builtin.file:
Expand All @@ -60,12 +60,12 @@
decrypt: true
mode: 0444
loop:
- "{{ nginx_app_protect_license.certificate }}"
- "{{ nginx_app_protect_license.key }}"
- "{{ nginx_app_protect_license['certificate'] }}"
- "{{ nginx_app_protect_license['key'] }}"

- name: (Debian/Red Hat OSs) Install cryptography package
ansible.builtin.package:
name: "{{ (ansible_python.version.major == 3) | ternary('python3-cryptography', 'python2-cryptography') }}"
name: "{{ (ansible_python['version']['major'] == 3) | ternary('python3-cryptography', 'python2-cryptography') }}"

- name: (Debian/Red Hat OSs) Check that NGINX App Protect WAF/DoS certificate is valid
community.crypto.x509_certificate_info:
Expand All @@ -80,7 +80,7 @@
- name: (Debian/Red Hat OSs) Check that NGINX App Protect WAF/DoS license is valid
ansible.builtin.assert:
that:
- cert.expired == false
- cert.public_key == key.public_key
- "{{ not cert['expired'] | bool }}"
- "{{ cert['public_key'] == key['public_key'] }}"
success_msg: Your NGINX App Protect WAF/DoS license is valid!
fail_msg: Something went wrong! Make sure your NGINX App Protect WAF/DoS license is valid!
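Review bot: The license private key is installed world-readable: the Alpine task copies it to `/etc/apk/cert.key` with `mode: 0444`, and the Debian/Red Hat task loops over certificate and key under the same `mode: 0444`. The certificate can stay readable, but the key should get `mode: "0400"` (quoted — an unquoted leading-zero mode is a YAML 1.1 integer and ansible-lint flags it as `risky-octal`); on Debian first confirm whether apt's `_apt` sandbox user has to read the key, in which case a group-readable mode with a comment explaining why is the right call. For the loop that means carrying the mode per item (`src`/`mode` dicts) instead of one shared value. Also, `ansible_python['version']['major']` in the cryptography-package task is still the injected-variable form; for consistency with this commit it should be `ansible_facts['python']['version']['major']`.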
16 changes: 8 additions & 8 deletions tasks/common/keys/setup-keys.yml
@@ -1,10 +1,10 @@
---
- name: (Alpine Linux) Set up NGINX App Protect DoS signing key
when: ansible_os_family == "Alpine"
when: ansible_facts['os_family'] == "Alpine"
block:
- name: (Alpine Linux) Set up NGINX App Protect DoS signing key URL
ansible.builtin.set_fact:
keysite: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_rsa_pub) }}"
keysite: "{{ nginx_app_protect_signing_key['nginx_plus'] | default(nginx_app_protect_default_signing_key_rsa_pub) }}"

- name: (Alpine Linux) Download NGINX App Protect DoS signing key
ansible.builtin.get_url:
Expand All @@ -13,27 +13,27 @@
mode: 0400

- name: (Debian/Ubuntu) Set up NGINX App Protect and security updates signing key
when: ansible_os_family == "Debian"
when: ansible_facts['os_family'] == "Debian"
block:
- name: (Debian/Ubuntu) Add NGINX Plus signing key
ansible.builtin.apt_key:
keyring: /usr/share/keyrings/nginx-archive-keyring.gpg
url: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_pgp) }}"
url: "{{ nginx_app_protect_signing_key['nginx_plus'] | default(nginx_app_protect_default_signing_key_pgp) }}"

- name: (Debian/Ubuntu) Add NGINX App Protect security updates signing key
ansible.builtin.apt_key:
keyring: /usr/share/keyrings/nginx-archive-keyring.gpg
url: "{{ nginx_app_protect_waf_signing_key.waf_security_updates | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}"
url: "{{ nginx_app_protect_waf_signing_key['waf_security_updates'] | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}"
when: (nginx_app_protect_waf_install_signatures | bool) or (nginx_app_protect_waf_install_threat_campaigns | bool)

- name: (Amazon Linux/CentOS/RHEL) Set up NGINX App Protect and security updates signing key
when: ansible_os_family == "RedHat"
when: ansible_facts['os_family'] == "RedHat"
block:
- name: (CentOS/RHEL) Add NGINX Plus signing key
ansible.builtin.rpm_key:
key: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_pgp) }}"
key: "{{ nginx_app_protect_signing_key['nginx_plus'] | default(nginx_app_protect_default_signing_key_pgp) }}"

- name: (Amazon Linux/CentOS/RHEL) Add NGINX App Protect security updates signing key
ansible.builtin.rpm_key:
key: "{{ nginx_app_protect_waf_signing_key.waf_security_updates | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}"
key: "{{ nginx_app_protect_waf_signing_key['waf_security_updates'] | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}"
when: (nginx_app_protect_waf_install_signatures | bool) or (nginx_app_protect_waf_install_threat_campaigns | bool)
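Review bot: Every signing key in this file is trusted purely on the strength of the URL it is fetched from; none of the `get_url`, `apt_key` or `rpm_key` tasks pins a fingerprint or checksum, so whoever controls that URL, the variable that overrides it, or the connection (if a default is not https — the defaults are not in this hunk) chooses the key that later validates every NGINX package. `ansible.builtin.rpm_key` accepts `fingerprint:`, `ansible.builtin.apt_key` accepts `id:`, and the Alpine `ansible.builtin.get_url` accepts `checksum:`; pinning the known NGINX key identities there turns a silent substitution into a task failure. Note also that `apt_key` wraps `apt-key`, which Debian 11 and Ubuntu 22.04 deprecate, so fetching the key with `get_url` straight into `/usr/share/keyrings/` (with a checksum) is the longer-lived shape for the Debian block.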
22 changes: 11 additions & 11 deletions tasks/common/prerequisites/install-dependencies.yml
Expand Up @@ -4,28 +4,28 @@
name: "{{ nginx_app_protect_alpine_dependencies }}"
update_cache: true
state: latest # noqa package-latest
when: ansible_os_family == "Alpine"
when: ansible_facts['os_family'] == "Alpine"

- name: (Debian/Ubuntu) Install package dependencies
ansible.builtin.apt:
name: "{{ nginx_app_protect_debian_dependencies }}"
update_cache: true
state: latest # noqa package-latest
when: ansible_os_family == "Debian"
when: ansible_facts['os_family'] == "Debian"

- name: (Amazon Linux) Set up Amazon Linux Extras repositories
ansible.builtin.command: amazon-linux-extras enable {{ item }}
changed_when: false
loop: "{{ nginx_app_protect_amazon_extras }}"
when: ansible_distribution == "Amazon"
when: ansible_facts['distribution'] == "Amazon"

- name: (Amazon Linux/CentOS/RHEL) Install package dependencies
when: ansible_os_family == "RedHat"
when: ansible_facts['os_family'] == "RedHat"
block:
- name: (Amazon Linux/CentOS/RHEL) Import EPEL GPG key
ansible.builtin.rpm_key:
state: present
key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ (ansible_distribution == 'Amazon') | ternary('7', ansible_distribution_major_version) }}
key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ (ansible_facts['distribution'] == 'Amazon') | ternary('7', ansible_facts['distribution_major_version']) }}

- name: (Amazon Linux/CentOS/RHEL) Install package dependencies
ansible.builtin.yum:
Expand All @@ -34,7 +34,7 @@
state: latest # noqa package-latest

- name: (RHEL) Set up RHEL specific repositories
when: ansible_distribution == "RedHat"
when: ansible_facts['distribution'] == "RedHat"
block:
- name: (RHEL 7) Set up RHEL dependencies from OSS repositories
ansible.builtin.yum_repository:
Expand All @@ -46,7 +46,7 @@
gpgkey: https://ftp.heanet.ie/pub/centos/7/os/$basearch/RPM-GPG-KEY-CentOS-7
state: "{{ nginx_app_protect_license_status | default('present') }}"
when:
- ansible_distribution_major_version == "7"
- ansible_facts['distribution_major_version'] is version('7', '==')
- not nginx_app_protect_use_rhel_subscription_repos | bool

- name: (RHEL 7 DoS) Set up RHEL NGINX App Protect DoS dependencies from OSS repositories
Expand All @@ -59,7 +59,7 @@
gpgkey: http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7
state: "{{ nginx_app_protect_license_status | default('present') }}"
when:
- ansible_distribution_major_version == "7"
- ansible_facts['distribution_major_version'] is version('7', '==')
- not nginx_app_protect_use_rhel_subscription_repos | bool
- nginx_app_protect_dos_enable | bool

Expand All @@ -75,14 +75,14 @@
- rhel-7-server-extras-rpms
- rhel-ha-for-rhel-7-server-rpms
when:
- ansible_distribution_major_version == "7"
- ansible_facts['distribution_major_version'] is version('7', '==')
- nginx_app_protect_use_rhel_subscription_repos | bool

- name: (RHEL 8) Set up RHEL dependencies from RHEL official repositories
community.general.rhsm_repository:
name: codeready-builder-for-rhel-8-x86_64-rpms
when:
- ansible_distribution_major_version == "8"
- ansible_facts['distribution_major_version'] is version('8', '==')
- nginx_app_protect_use_rhel_subscription_repos | bool

- name: (Oracle Linux) Set up Oracle Linux specific repositories
Expand All @@ -92,4 +92,4 @@
option: enabled
value: 1
mode: 0644
when: ansible_distribution == "OracleLinux"
when: ansible_facts['distribution'] == "OracleLinux"
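Review bot: The RHEL 7 DoS repository task declares `gpgkey: http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7` over plain HTTP, while the RHEL 7 task directly above it fetches the same key over HTTPS from ftp.heanet.ie; the key downloaded here is what yum later uses to validate every package from that repository, so an on-path attacker can substitute key and packages together. Change it to an HTTPS source, e.g. `gpgkey: https://ftp.heanet.ie/pub/centos/7/os/$basearch/RPM-GPG-KEY-CentOS-7` to match the sibling task, and confirm the repository's `baseurl` and `gpgcheck` (outside this hunk) are HTTPS and enabled. The `is version('7', '==')` rewrites themselves are fine, since `distribution_major_version` is a string fact either way.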
2 changes: 1 addition & 1 deletion tasks/common/prerequisites/setup-selinux.yml
Expand Up @@ -75,7 +75,7 @@
- name: Import SELinux NGINX App Protect module
ansible.builtin.command: semodule -i {{ nginx_app_protect_selinux_tempdir }}/nginx-app-protect-module.pp # noqa no-handler
changed_when: false
when: nginx_app_protect_selinux_module.changed | bool
when: nginx_app_protect_selinux_module['changed'] | bool

- name: Set SELinux mode to enforcing
ansible.posix.selinux:
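Review bot: `nginx_app_protect_selinux_module['changed'] | bool` works, but the idiomatic test for a registered result is `when: nginx_app_protect_selinux_module is changed`, which reads the same field without the explicit key lookup and filter. The `changed_when: false` on the `semodule -i` command also hides a real host change from the play summary; since this task only runs when the module was rebuilt, dropping that line would report it honestly. The enclosing SELinux block starts outside this hunk.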
6 changes: 3 additions & 3 deletions tasks/common/validate/validate.yml
Expand Up @@ -29,10 +29,10 @@

- name: Warn if installing NGINX App Protect on RHEL >7 without subscription details
ansible.builtin.fail:
msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_distribution_version }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role and then set the 'nginx_app_protect_use_rhel_subscription_repos' variable to true.
msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_facts['distribution_version'] }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role and then set the 'nginx_app_protect_use_rhel_subscription_repos' variable to true.
when:
- ansible_distribution == "RedHat"
- ansible_distribution_major_version is version('7', '>')
- ansible_facts['distribution'] == "RedHat"
- ansible_facts['distribution_major_version'] is version('7', '>')
- not nginx_app_protect_use_rhel_subscription_repos | bool
ignore_errors: true # noqa ignore-errors

4 changes: 2 additions & 2 deletions tasks/main.yml
Expand Up @@ -21,12 +21,12 @@
tags: nginx_app_protect_setup_license

- name: "{{ nginx_app_protect_waf_setup | capitalize }} NGINX App Protect WAF"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_os_family | lower }}.yml"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_facts['os_family'] | lower }}.yml"
when: nginx_app_protect_waf_enable | bool
tags: nginx_app_protect_install_app_protect_waf

- name: "{{ nginx_app_protect_dos_setup | capitalize }} NGINX App Protect DoS"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_os_family | lower }}.yml"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_facts['os_family'] | lower }}.yml"
when: nginx_app_protect_dos_enable | bool
tags: nginx_app_protect_install_app_protect_dos

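Review bot: Building the include path as `install-{{ ansible_facts['os_family'] | lower }}.yml` turns any `os_family` without a matching task file into a "file not found" failure from `include_tasks`, which sits oddly with the changelog entry in this commit saying an unsupported distribution now only warns. If the validate tasks (not visible here) do not already gate these two includes, add an `ansible_facts['os_family'] in [...]` clause listing the families that actually have an install file to each `when`, so the warning path is reachable instead of a late template error — hedged, since the set of `install-*.yml` files is not shown in this diff.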