diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9de4be60..e23f8055 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ BREAKING CHANGES:
 * Rename `nginx_app_protect__state` parameter to `nginx_app_protect__setup` parameters.
 * Rename multiple `nginx_app_protect_*` parameters and tags to `nginx_app_protect_waf_*` to aid in disambiguation.
 * Cleanup remaining Alpine Linux tasks.
+* Remove `nginx_app_protect_configure` parameter since it has limited functionality given the `nginx_app_protect_*_policy_file_enable` parameters.
 ENHANCEMENTS:
diff --git a/defaults/main.yml b/defaults/main.yml
index 6c6af5c9..a99b9b89 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -99,9 +99,6 @@ nginx_app_protect_start: true
 nginx_app_protect_service_modify: true
 nginx_app_protect_timeout: 180
-# Creates basic configuration files and enables NGINX App Protect WAF on the target host
-nginx_app_protect_configure: false
-
 # Copy local NGINX App Protect security policy to host
 nginx_app_protect_security_policy_file_enable: false
 nginx_app_protect_security_policy_file:
diff --git a/molecule/advanced/converge.yml b/molecule/advanced/converge.yml
index 2e8a4a21..3bb4ca45 100644
--- a/molecule/advanced/converge.yml
+++ b/molecule/advanced/converge.yml
@@ -12,5 +12,4 @@
 nginx_app_protect_remove_license: false
 nginx_app_protect_install_signatures: true
 nginx_app_protect_install_threat_campaigns: true
- nginx_app_protect_configure: true
 nginx_app_protect_timeout: 180
diff --git a/tasks/main.yml b/tasks/main.yml
index f2dfa00d..c9732044 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,28 +3,25 @@
 include_tasks: "{{ role_path }}/tasks/common/prerequisites/validate-supported-os.yml"
 when: nginx_app_protect_waf_state != "absent" or nginx_app_protect_dos_state != "absent"
-- name: Check for conflicting WAF config variables
- block:
- - name: Fail if variables for 'nginx_app_protect_security_policy_file_enable' are not defined
- assert:
- that:
- - "{{ item }} is defined"
- - "{{ item }} | length > 0"
- loop:
- - nginx_app_protect_security_policy_file.0.src
- - nginx_app_protect_security_policy_file.0.dest
- when: nginx_app_protect_security_policy_file_enable | bool
+- name: Fail if variables for 'nginx_app_protect_security_policy_file_enable' are not defined
+ assert:
+ that:
+ - "{{ item }} is defined"
+ - "{{ item }} | length > 0"
+ loop:
+ - nginx_app_protect_security_policy_file.0.src
+ - nginx_app_protect_security_policy_file.0.dest
+ when: nginx_app_protect_security_policy_file_enable | bool
- - name: Fail if variables for 'nginx_app_protect_log_policy_file_enable' are not defined
- assert:
- that:
- - "{{ item }} is defined"
- - "{{ item }} | length > 0"
- loop:
- - nginx_app_protect_log_policy_file.0.src
- - nginx_app_protect_log_policy_file.0.dest
- when: nginx_app_protect_log_policy_file_enable | bool
- when: nginx_app_protect_configure | bool
+- name: Fail if variables for 'nginx_app_protect_log_policy_file_enable' are not defined
+ assert:
+ that:
+ - "{{ item }} is defined"
+ - "{{ item }} | length > 0"
+ loop:
+ - nginx_app_protect_log_policy_file.0.src
+ - nginx_app_protect_log_policy_file.0.dest
+ when: nginx_app_protect_log_policy_file_enable | bool
 - name: Install prerequisites
 include_tasks: "{{ role_path }}/tasks/common/prerequisites/install-dependencies.yml"
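Review bot: Both de-nested `assert` tasks still build each condition by templating the loop item into the expression (`"{{ item }} is defined"`), so the string is rendered once through `{{ }}` and then evaluated a second time as a Jinja expression. Ansible discourages template delimiters inside conditionals, and newer ansible-core releases may warn about or reject them, which would make this pre-flight check fail for reasons unrelated to the policy variables. Listing the four conditions explicitly and dropping the `loop` removes the double evaluation. Only index `0` of each policy list is validated, so a later entry with an empty `src` or `dest` would not be caught here; whether that matters depends on how configure-app-protect.yml iterates the list, which is not shown.

```yaml
- name: Fail if variables for 'nginx_app_protect_security_policy_file_enable' are not defined
  assert:
    that:
      - nginx_app_protect_security_policy_file.0.src is defined
      - nginx_app_protect_security_policy_file.0.src | length > 0
      - nginx_app_protect_security_policy_file.0.dest is defined
      - nginx_app_protect_security_policy_file.0.dest | length > 0
  when: nginx_app_protect_security_policy_file_enable | bool

# … same change for the 'nginx_app_protect_log_policy_file_enable' assert …
```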
@@ -63,5 +60,6 @@
 - name: Configure NGINX App Protect
 include_tasks: "{{ role_path }}/tasks/common/config/configure-app-protect.yml"
- when: nginx_app_protect_configure | bool
+ when: nginx_app_protect_security_policy_file_enable | bool
+ or nginx_app_protect_log_policy_file_enable | bool
 tags: nginx_app_protect_configure
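Review bot: An inventory that still sets the removed `nginx_app_protect_configure: true` but enables neither policy-file flag now skips this include silently, where it previously ran configure-app-protect.yml. The removed default described that step as creating basic configuration files and enabling NGINX App Protect WAF on the target host, so an upgraded deployment could end up without its WAF configuration and with no error to show it (what the include still does is not visible in this diff). An early assert that fails while the removed variable is still defined would surface the breaking change at the start of the play instead of leaving the host unprotected.

```yaml
# … new task, placed ahead of the policy-file asserts in tasks/main.yml …
- name: Fail if the removed 'nginx_app_protect_configure' parameter is still set
  assert:
    that:
      - nginx_app_protect_configure is not defined
    fail_msg: >-
      'nginx_app_protect_configure' has been removed; use the
      'nginx_app_protect_*_policy_file_enable' parameters instead.
```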