diff --git a/.github/workflows/requirements/requirements_molecule.txt b/.github/workflows/requirements/requirements_molecule.txt
index 7b7532bb..7faf2b1c 100644
--- a/.github/workflows/requirements/requirements_molecule.txt
+++ b/.github/workflows/requirements/requirements_molecule.txt
@@ -1,6 +1,6 @@
 ansible-core==2.12.3
 Jinja2==3.0.3
-ansible-lint==5.4.0
+ansible-lint==6.0.1
 yamllint==1.26.3
 molecule[docker]==3.6.1
 docker==5.0.3
diff --git a/handlers/main.yml b/handlers/main.yml
index 6c96eaa7..1718c4a6 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,10 +1,10 @@ --- - name: (Handler - NGINX App Protect) Systemd daemon-reload - systemd: + ansible.builtin.systemd: daemon_reload: true - name: (Handler - NGINX App Protect) Restart NGINX - service: + ansible.builtin.service: name: nginx state: restarted enabled: true
@@ -14,14 +14,14 @@ listen: (Handler - NGINX App Protect) Run NGINX - name: (Handler - NGINX App Protect) Check NGINX - command: nginx -t + ansible.builtin.command: nginx -t register: config_check ignore_errors: true changed_when: false listen: (Handler - NGINX App Protect) Run NGINX - name: (Handler - NGINX App Protect) Print NGINX error if syntax check fails - debug: + ansible.builtin.debug: var: config_check.stderr_lines failed_when: config_check.rc != 0 when:
diff --git a/molecule/advanced/converge.yml b/molecule/advanced/converge.yml
index 3bb4ca45..5277b23b 100644
--- a/molecule/advanced/converge.yml
+++ b/molecule/advanced/converge.yml
@@ -3,7 +3,7 @@ hosts: nap tasks: - name: Install NGINX App Protect WAF - include_role: + ansible.builtin.include_role: name: ansible-role-nginx-app-protect vars: nginx_app_protect_license:
diff --git a/molecule/advanced/prepare.yml b/molecule/advanced/prepare.yml
index e0c2a100..f771925d 100644
--- a/molecule/advanced/prepare.yml
+++ b/molecule/advanced/prepare.yml
@@ -4,14 +4,14 @@ gather_facts: false tasks: - name: Create ephemeral license certificate file from b64 decoded env var - copy: + ansible.builtin.copy: content: "{{ lookup('env','NGINX_CRT') | b64decode }}" dest: ../../files/license/nginx-repo.crt force: false mode: 0444 - name: Create ephemeral license key file from b64 decoded env var - copy: + ansible.builtin.copy: content: "{{ lookup('env','NGINX_KEY') | b64decode }}" dest: ../../files/license/nginx-repo.key force: false
@@ -21,7 +21,7 @@ hosts: nap tasks: - name: Set up rsyslog - include_role: + ansible.builtin.include_role: name: robertdebock.rsyslog vars: rsyslog_receiver: true
@@ -33,5 +33,5 @@ gather_facts: false tasks: - name: Start nginx on test workload - raw: nohup nginx /dev/null 2>&1 & sleep 1 + ansible.builtin.raw: nohup nginx /dev/null 2>&1 & sleep 1 changed_when: false
diff --git a/molecule/advanced/verify.yml b/molecule/advanced/verify.yml
index d3580f59..3ceff688 100644
--- a/molecule/advanced/verify.yml
+++ b/molecule/advanced/verify.yml
@@ -3,7 +3,7 @@ hosts: nap tasks: - name: Check if NGINX Plus is installed - package: + ansible.builtin.package: name: nginx-plus state: present check_mode: true
@@ -11,7 +11,7 @@ failed_when: (install is changed) or (install is failed) - name: Check if NGINX App Protect WAF is installed - package: + ansible.builtin.package: name: app-protect state: present check_mode: true
@@ -19,7 +19,7 @@ failed_when: (install is changed) or (install is failed) - name: Check if NGINX App Protect WAF signatures is installed - package: + ansible.builtin.package: name: app-protect-attack-signatures state: present check_mode: true
@@ -27,7 +27,7 @@ failed_when: (install is changed) or (install is failed) - name: Check if NGINX App Protect WAF threat campaigns is installed - package: + ansible.builtin.package: name: app-protect-threat-campaigns state: present check_mode: true
diff --git a/molecule/common/cleanup.yml b/molecule/common/cleanup.yml
index 2341f8f8..f667b33a 100644
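Review bot: `mode: 0444` on the certificate task is an unquoted YAML 1.1 octal literal; since this commit is aligning the role with ansible-lint 6, the quoted form `mode: "0444"` is the recommended spelling and removes the 1.1/1.2 ambiguity (a YAML 1.2 parser reads `0444` as decimal 444). The same unquoted literals remain in molecule/common/prepare.yml, molecule/uninstall/prepare.yml, tasks/common/config/configure-app-protect.yml, tasks/common/install/service-modification.yml, tasks/common/install/setup-license.yml and tasks/dos/install-debian.yml. The `mode` of the key task (`dest: ../../files/license/nginx-repo.key`) falls outside this hunk; if it mirrors the certificate's 0444, the private key is world-readable on the controller and `mode: "0400"` would be the tighter choice for a file only the controller user needs to read.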
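Review bot: The `ansible.builtin.raw` line in the `@@ -33,5` hunk reads `nohup nginx /dev/null 2>&1 & sleep 1`, with no redirection operator before `/dev/null`; the `>` in `2>&1` survived rendering, so the omission looks real rather than an artifact. As written, `/dev/null` is handed to nginx as a positional argument instead of becoming its stdout, and `&` plus `changed_when: false` hide whatever nginx does with it, so whether the test workload actually starts is worth checking in the scenario logs. The intended form is presumably `ansible.builtin.raw: nohup nginx > /dev/null 2>&1 & sleep 1`. Since `raw` bypasses the module subsystem, a short comment such as `# raw: the workload image is assumed to have no Python interpreter` would document why it is used here, if that is the reason.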
--- a/molecule/common/cleanup.yml
+++ b/molecule/common/cleanup.yml
@@ -6,18 +6,18 @@ - name: Block block: - name: Wait for containers to be up - wait_for_connection: + ansible.builtin.wait_for_connection: delay: 1 timeout: 2 register: connection ignore_errors: true - name: Containers are not up, quit from here - fail: + ansible.builtin.fail: when: connection.failed - name: Gather facts - setup: + ansible.builtin.setup: gather_subset: - "!all" - "!any"
@@ -29,4 +29,4 @@ when: ansible_distribution == "RedHat" rescue: - name: It's ok we're at startup - meta: noop + ansible.builtin.meta: noop
diff --git a/molecule/common/prepare.yml b/molecule/common/prepare.yml
index 31d674e7..4fe85b86 100644
--- a/molecule/common/prepare.yml
+++ b/molecule/common/prepare.yml
@@ -4,14 +4,14 @@ gather_facts: false tasks: - name: Create ephemeral license certificate file from b64 decoded env var - copy: + ansible.builtin.copy: content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}" dest: ../../files/license/nginx-repo.crt force: false mode: 0444 - name: Create ephemeral license key file from b64 decoded env var - copy: + ansible.builtin.copy: content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}" dest: ../../files/license/nginx-repo.key force: false
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index a8bd50df..8c662d0a 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -5,7 +5,7 @@ rhel_subscription: false pre_tasks: - name: (RHEL) Check if there is a valid RHEL subscription - set_fact: + ansible.builtin.set_fact: rhel_subscription: true when: - lookup('env', 'RHEL_USERNAME') | length > 0
@@ -20,7 +20,7 @@ - rhel_subscription| bool tasks: - name: Install NGINX App Protect WAF - include_role: + ansible.builtin.include_role: name: ansible-role-nginx-app-protect vars: nginx_app_protect_license:
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index a412c06a..8a6dd48e 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -3,7 +3,7 @@ hosts: all tasks: - name: Check if NGINX Plus is installed - package: + ansible.builtin.package: name: nginx-plus state: present check_mode: true
@@ -11,7 +11,7 @@ failed_when: (install is changed) or (install is failed) - name: Check if NGINX App Protect WAF is installed - package: + ansible.builtin.package: name: app-protect state: present check_mode: true
@@ -19,7 +19,7 @@ failed_when: (install is changed) or (install is failed) - name: Check if NGINX App Protect WAF signatures is installed - package: + ansible.builtin.package: name: app-protect-attack-signatures state: present check_mode: true
@@ -27,7 +27,7 @@ failed_when: (install is changed) or (install is failed) - name: Check if NGINX App Protect WAF threat campaigns is installed - package: + ansible.builtin.package: name: app-protect-threat-campaigns state: present check_mode: true
@@ -35,7 +35,7 @@ failed_when: (install is changed) or (install is failed) - name: Check if NGINX service is running - service: + ansible.builtin.service: name: nginx state: started enabled: true
@@ -44,19 +44,19 @@ failed_when: (service is changed) or (service is failed) - name: Store the statistics of /etc/app_protect/conf/test-security-policy.json in the 'security_policy' variable - stat: + ansible.builtin.stat: path: /etc/app_protect/conf/test-security-policy.json register: security_policy - name: Ensure /etc/app_protect/conf/test-security-policy.json exists - assert: + ansible.builtin.assert: that: security_policy.stat.exists | bool - name: Store the statistics of /etc/app_protect/conf/test-log-profile.json in the 'log_profile' variable - stat: + ansible.builtin.stat: path: /etc/app_protect/conf/test-log-profile.json register: log_profile - name: Ensure /etc/app_protect/conf/test-security-profile.json exists - assert: + ansible.builtin.assert: that: log_profile.stat.exists | bool
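Review bot: The last task in the `@@ -44,19` hunk is named `Ensure /etc/app_protect/conf/test-security-profile.json exists`, but the `ansible.builtin.assert` it holds tests `log_profile.stat.exists`, and the `ansible.builtin.stat` that registered `log_profile` checked `/etc/app_protect/conf/test-log-profile.json`; the name points at a file this verify step never looks at. `- name: Ensure /etc/app_protect/conf/test-log-profile.json exists` makes a failure report name the right file. The mismatch predates the FQCN change, but both tasks are touched by this hunk.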
diff --git a/molecule/dos/converge.yml b/molecule/dos/converge.yml
index f556ae7c..cb8980f2 100644
--- a/molecule/dos/converge.yml
+++ b/molecule/dos/converge.yml
@@ -5,7 +5,7 @@ rhel_subscription: false pre_tasks: - name: (RHEL) Check if there is a valid RHEL subscription - set_fact: + ansible.builtin.set_fact: rhel_subscription: true when: - lookup('env', 'RHEL_USERNAME') | length > 0
@@ -20,7 +20,7 @@ - rhel_subscription| bool tasks: - name: Install NGINX App Protect DoS - include_role: + ansible.builtin.include_role: name: ansible-role-nginx-app-protect vars: nginx_app_protect_waf_enable: false
diff --git a/molecule/dos/verify.yml b/molecule/dos/verify.yml
index 0dc93832..acdc530a 100644
--- a/molecule/dos/verify.yml
+++ b/molecule/dos/verify.yml
@@ -3,7 +3,7 @@ hosts: all tasks: - name: Check if NGINX Plus is installed - package: + ansible.builtin.package: name: nginx-plus state: present check_mode: true
@@ -11,7 +11,7 @@ failed_when: (install is changed) or (install is failed) - name: Check if NGINX App Protect DoS is installed - package: + ansible.builtin.package: name: app-protect-dos state: present check_mode: true
@@ -19,7 +19,7 @@ failed_when: (install is changed) or (install is failed) - name: Check if NGINX service is running - service: + ansible.builtin.service: name: nginx state: started enabled: true
diff --git a/molecule/specific-version/converge.yml b/molecule/specific-version/converge.yml
index 6e7fa8ac..2af1c1fe 100644
--- a/molecule/specific-version/converge.yml
+++ b/molecule/specific-version/converge.yml
@@ -12,17 +12,17 @@ redhat: "-2020.08.20" tasks: - name: Set NGINX App Protect WAF signature version fact - set_fact: + ansible.builtin.set_fact: nginx_app_protect_waf_signatures_version: "{{ app_protect_signature_version_matrix[ansible_os_family | lower] }}{{ (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}" when: specify_app_protect_signatures_version| bool - name: Set NGINX App Protect WAF threat campaigns version fact - set_fact: + ansible.builtin.set_fact: nginx_app_protect_waf_threat_campaigns_version: "{{ app_protect_threat_campaigns_version_matrix[ansible_os_family | lower] }}{{ (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}" when: specify_app_protect_threat_campaigns_version| bool - name: Install NGINX App Protect WAF - include_role: + ansible.builtin.include_role: name: ansible-role-nginx-app-protect vars: nginx_app_protect_license:
diff --git a/molecule/specific-version/verify.yml b/molecule/specific-version/verify.yml
index 733db42f..12a772de 100644
--- a/molecule/specific-version/verify.yml
+++ b/molecule/specific-version/verify.yml
@@ -12,7 +12,7 @@ redhat: "-2020.08.20" tasks: - name: Check if NGINX Plus is installed - package: + ansible.builtin.package: name: nginx-plus state: present check_mode: true
@@ -20,7 +20,7 @@ failed_when: (install is changed) or (install is failed) - name: Check if NGINX App Protect WAF is installed - package: + ansible.builtin.package: name: app-protect state: present check_mode: true
@@ -28,7 +28,7 @@ failed_when: (install is changed) or (install is failed) - name: Check if NGINX App Protect WAF signatures is installed - package: + ansible.builtin.package: name: app-protect-attack-signatures state: present check_mode: true
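Review bot: The `when:` lines beside the two renamed `ansible.builtin.set_fact` tasks are written `specify_app_protect_signatures_version| bool` and `specify_app_protect_threat_campaigns_version| bool`, with no space before the pipe, while every other filter in the role is written `var | bool`. `when: specify_app_protect_signatures_version | bool` (and likewise for the threat-campaigns fact) keeps filter spacing uniform now that the file is being touched for lint alignment. The same spelling appears as `rhel_subscription| bool` in the context lines of molecule/default/converge.yml, molecule/dos/converge.yml and molecule/uninstall/prepare.yml.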
@@ -36,7 +36,7 @@ failed_when: (install is changed) or (install is failed) - name: Check if NGINX App Protect WAF threat campaigns is installed - package: + ansible.builtin.package: name: app-protect-threat-campaigns state: present check_mode: true
@@ -44,7 +44,7 @@ failed_when: (install is changed) or (install is failed) - name: Check if NGINX service is running - service: + ansible.builtin.service: name: nginx state: started enabled: true
@@ -55,13 +55,13 @@ - name: Check NGINX App Protect WAF version block: - name: Check installed software - package_facts: + ansible.builtin.package_facts: manager: auto - name: Verify installed NAP signatures version matches requested version - assert: + ansible.builtin.assert: that: "{{ (ansible_facts.packages['app-protect-attack-signatures'] | map(attribute='version') | first) == (app_protect_signature_version_matrix[ansible_os_family | lower] | regex_replace('^-|=','') + (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '')) }}" - name: Verify installed NAP threat campaigns version matches requested version - assert: + ansible.builtin.assert: that: "{{ (ansible_facts.packages['app-protect-threat-campaigns'] | map(attribute='version') | first) == (app_protect_threat_campaigns_version_matrix[ansible_os_family | lower] | regex_replace('^-|=','') + (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '')) }}"
diff --git a/molecule/uninstall/converge.yml b/molecule/uninstall/converge.yml
index 732ce5a5..d937e716 100644
--- a/molecule/uninstall/converge.yml
+++ b/molecule/uninstall/converge.yml
@@ -3,7 +3,7 @@ hosts: all tasks: - name: Uninstall NGINX App Protect WAF and DoS - include_role: + ansible.builtin.include_role: name: ansible-role-nginx-app-protect vars: nginx_app_protect_waf_enable: true
diff --git a/molecule/uninstall/prepare.yml b/molecule/uninstall/prepare.yml
index 4f994393..4bb1c33d 100644
--- a/molecule/uninstall/prepare.yml
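Review bot: Both `ansible.builtin.assert` tasks in the `@@ -55,13` hunk wrap the entire `that:` value in `"{{ ... }}"`; `that` is already evaluated as a Jinja conditional, so Ansible first renders the template to the string `True`/`False` and then evaluates that string, and ansible-core warns that conditional statements should not contain templating delimiters. Dropping the braces and the outer quotes, e.g. `that: (ansible_facts.packages['app-protect-attack-signatures'] | map(attribute='version') | first) == (...)`, gives the single evaluation that was intended. The two `ansible.builtin.assert` hunks in tasks/main.yml have the same shape with `"{{ item }} is defined"` and `"{{ item }} | length > 0"`, where `item` holds a variable name; `vars[item] is defined` and `vars[item] | length > 0` express that without templating the conditional (the loop that supplies `item` lies outside those hunks, so confirm it is a plain variable-name list).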
+++ b/molecule/uninstall/prepare.yml
@@ -4,14 +4,14 @@ gather_facts: false tasks: - name: Create ephemeral license certificate file from b64 decoded env var - copy: + ansible.builtin.copy: content: "{{ lookup('env','NGINX_CRT') | b64decode }}" dest: ../../files/license/nginx-repo.crt force: false mode: 0444 - name: Create ephemeral license key file from b64 decoded env var - copy: + ansible.builtin.copy: content: "{{ lookup('env','NGINX_KEY') | b64decode }}" dest: ../../files/license/nginx-repo.key force: false
@@ -23,7 +23,7 @@ rhel_subscription: false pre_tasks: - name: (RHEL) Check if there is a valid RHEL subscription - set_fact: + ansible.builtin.set_fact: rhel_subscription: true when: - lookup('env', 'RHEL_USERNAME') | length > 0
@@ -38,7 +38,7 @@ - rhel_subscription| bool tasks: - name: Install NGINX App Protect WAF - include_role: + ansible.builtin.include_role: name: ansible-role-nginx-app-protect vars: nginx_app_protect_use_rhel_subscription_repos: "{{ rhel_subscription }}"
diff --git a/molecule/uninstall/verify.yml b/molecule/uninstall/verify.yml
index 588c9222..4680ecb7 100644
--- a/molecule/uninstall/verify.yml
+++ b/molecule/uninstall/verify.yml
@@ -3,7 +3,7 @@ hosts: all tasks: - name: Check if NGINX Plus is installed - package: + ansible.builtin.package: name: nginx-plus state: present check_mode: true
@@ -11,7 +11,7 @@ failed_when: (install is changed) or (install is failed) - name: Check if NGINX App Protect WAF is uninstalled - package: + ansible.builtin.package: name: app-protect state: absent check_mode: true
@@ -19,7 +19,7 @@ failed_when: (uninstall is changed) or (uninstall is failed) - name: Check if NGINX App Protect WAF Compiler is uninstalled - package: + ansible.builtin.package: name: app-protect-compiler state: absent check_mode: true
@@ -27,7 +27,7 @@ failed_when: (uninstall is changed) or (uninstall is failed) - name: Check if NGINX App Protect WAF Engine is uninstalled - package: + ansible.builtin.package: name: app-protect-engine state: absent check_mode: true
@@ -35,7 +35,7 @@ failed_when: (uninstall is changed) or (uninstall is failed) - name: Check if NGINX App Protect WAF Plugin is uninstalled - package: + ansible.builtin.package: name: app-protect-plugin state: absent check_mode: true
@@ -43,7 +43,7 @@ failed_when: (uninstall is changed) or (uninstall is failed) - name: Check if NGINX App Protect WAF Plus Module is uninstalled - package: + ansible.builtin.package: name: nginx-plus-module-appprotect state: absent check_mode: true
@@ -51,7 +51,7 @@ failed_when: (uninstall is changed) or (uninstall is failed) - name: Check if NGINX App Protect WAF signatures is uninstalled - package: + ansible.builtin.package: name: app-protect-attack-signatures state: absent check_mode: true
@@ -59,7 +59,7 @@ failed_when: (uninstall is changed) or (uninstall is failed) - name: Check if NGINX App Protect WAF threat campaigns is uninstalled - package: + ansible.builtin.package: name: app-protect-threat-campaigns state: absent check_mode: true
@@ -67,7 +67,7 @@ failed_when: (uninstall is changed) or (uninstall is failed) - name: Check if NGINX App Protect DoS is uninstalled - package: + ansible.builtin.package: name: app-protect-dos state: absent check_mode: true
@@ -75,7 +75,7 @@ failed_when: (uninstall is changed) or (uninstall is failed) - name: Check if NGINX App Protect DoS Plus Module is uninstalled - package: + ansible.builtin.package: name: nginx-plus-module-appprotectdos state: absent check_mode: true
diff --git a/tasks/common/config/configure-app-protect.yml b/tasks/common/config/configure-app-protect.yml
index d5700a94..2f370909 100644
--- a/tasks/common/config/configure-app-protect.yml
+++ b/tasks/common/config/configure-app-protect.yml
@@ -2,14 +2,14 @@ - name: Copy NGINX App Protect security policy files block: - name: Ensure NGINX App Protect security policy directories exist - file: + ansible.builtin.file: path: "{{ item.dest | default('/etc/app_protect/conf') | dirname }}" state: directory mode: 0755 loop: "{{ nginx_app_protect_security_policy_file }}" - name: Copy NGINX App Protect security policy files - copy: + ansible.builtin.copy: src: "{{ item.src }}" dest: "{{ item.dest | default('/etc/app_protect/conf') }}" backup: true
@@ -20,14 +20,14 @@ - name: Copy NGINX App Protect log policy files block: - name: Ensure NGINX App Protect log policy directories exist - file: + ansible.builtin.file: path: "{{ item.dest | default('/etc/app_protect/conf') | dirname }}" state: directory mode: 0755 loop: "{{ nginx_app_protect_log_policy_file }}" - name: Copy NGINX App Protect log policy files - copy: + ansible.builtin.copy: src: "{{ item.src }}" dest: "{{ item.dest | default('/etc/app_protect/conf') }}" backup: true
diff --git a/tasks/common/install/remove-license.yml b/tasks/common/install/remove-license.yml
index 573f9b4e..0a8dfb72 100644
--- a/tasks/common/install/remove-license.yml
+++ b/tasks/common/install/remove-license.yml
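Review bot: The `ansible.builtin.file` task ensures `item.dest | default('/etc/app_protect/conf') | dirname`; when `item.dest` is omitted the default is itself a directory, so `dirname` yields `/etc/app_protect` and the directory the following `ansible.builtin.copy` writes into (`/etc/app_protect/conf`) is not the one being created. That only works while the app-protect package has already created `/etc/app_protect/conf`; if relying on the package is intended, a comment such as `# default dest is a directory; its parent is ensured here, /etc/app_protect/conf itself comes from the app-protect package` records the assumption, otherwise the default case needs its own `state: directory` target. The log-policy block in the `@@ -20,14` hunk uses the same construction. The `mode` of the copied policy files is past the end of both hunks.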
@@ -1,17 +1,17 @@ --- - name: Set NGINX App Protect license state - set_fact: + ansible.builtin.set_fact: nginx_app_protect_license_status: absent - name: Delete NGINX App Protect WAF repository data - include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_os_family | lower }}.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_os_family | lower }}.yml" when: nginx_app_protect_waf_enable | bool - name: Delete NGINX App Protect DoS repository data - include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_os_family | lower }}.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_os_family | lower }}.yml" when: nginx_app_protect_dos_enable | bool - name: Delete NGINX App Protect license - file: + ansible.builtin.file: path: /etc/ssl/nginx state: absent
diff --git a/tasks/common/install/service-modification.yml b/tasks/common/install/service-modification.yml
index cd0b39cd..436e6568 100644
--- a/tasks/common/install/service-modification.yml
+++ b/tasks/common/install/service-modification.yml
@@ -2,13 +2,13 @@ - name: Modify NGINX Plus service block: - name: Create override for NGINX Plus service - file: + ansible.builtin.file: path: /etc/systemd/system/nginx.service.d state: directory mode: 0755 - name: Increase timeout for NGINX Plus service - template: + ansible.builtin.template: src: nginx.service.override.conf.j2 dest: /etc/systemd/system/nginx.service.d/override.conf owner: root
diff --git a/tasks/common/install/setup-license.yml b/tasks/common/install/setup-license.yml
index d85dfcdc..395452aa 100644
--- a/tasks/common/install/setup-license.yml
+++ b/tasks/common/install/setup-license.yml
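Review bot: The final `ansible.builtin.file` task in the `@@ -1,17` hunk removes the whole `/etc/ssl/nginx` directory (`state: absent`) rather than the certificate and key this role placed there in setup-license.yml, so anything another role or an operator keeps under that path is deleted with it. If the role is meant to own the directory outright, a one-line comment on the task saying so would make that contract visible; otherwise a `loop` over the two license files is the narrower operation. Also note the two `ansible.builtin.include_tasks` calls reuse the install task files for removal purely by virtue of `nginx_app_protect_license_status` having been set to `absent` just above, which is worth a `# the install-* task files switch to removal when this fact is defined` comment on the `set_fact` task for the next reader.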
@@ -1,12 +1,12 @@ --- - name: (Debian/Red Hat OSs) Create SSL directory - file: + ansible.builtin.file: path: /etc/ssl/nginx state: directory mode: 0755 - name: (Debian/Red Hat OSs) Copy NGINX App Protect certificate and license key - copy: + ansible.builtin.copy: src: "{{ item }}" dest: /etc/ssl/nginx decrypt: true
diff --git a/tasks/common/keys/setup-keys.yml b/tasks/common/keys/setup-keys.yml
index bce5c7c2..5cc5cd3e 100644
--- a/tasks/common/keys/setup-keys.yml
+++ b/tasks/common/keys/setup-keys.yml
@@ -2,12 +2,12 @@ - name: (Debian/Ubuntu) Set up NGINX App Protect and security updates signing key block: - name: (Debian/Ubuntu) Add NGINX Plus signing key - apt_key: + ansible.builtin.apt_key: keyring: /usr/share/keyrings/nginx-archive-keyring.gpg url: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_pgp) }}" - name: (Debian/Ubuntu) Add NGINX App Protect security updates signing key - apt_key: + ansible.builtin.apt_key: keyring: /usr/share/keyrings/nginx-archive-keyring.gpg url: "{{ nginx_app_protect_waf_signing_key.waf_security_updates | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}" when: (nginx_app_protect_waf_install_signatures | bool) or (nginx_app_protect_waf_install_threat_campaigns | bool)
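Review bot: The `ansible.builtin.copy` task that places the license certificate and private key under `/etc/ssl/nginx` shows no `owner`, `group` or `mode` within the `@@ -1,12` hunk, which is cut at `decrypt: true`; if none is set further down, the key's permissions on the target come from the default umask. Whatever mode is chosen has to satisfy the package manager's TLS client that reads the key, so rather than guess, a deliberate `mode` on the task with a short comment naming the process that must read it (`# readable by <package manager transport>; see nginx repo setup docs`) would make the intended exposure explicit and reviewable. The task body continues outside the hunk.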
@@ -16,11 +16,11 @@ - name: (Amazon Linux/CentOS/RHEL) Set up NGINX App Protect and security updates signing key block: - name: (CentOS/RHEL) Add NGINX Plus signing key - rpm_key: + ansible.builtin.rpm_key: key: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_pgp) }}" - name: (Amazon Linux/CentOS/RHEL) Add NGINX App Protect security updates signing key - rpm_key: + ansible.builtin.rpm_key: key: "{{ nginx_app_protect_waf_signing_key.waf_security_updates | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}" when: (nginx_app_protect_waf_install_signatures | bool) or (nginx_app_protect_waf_install_threat_campaigns | bool) when: ansible_os_family == "RedHat"
diff --git a/tasks/common/prerequisites/install-dependencies.yml b/tasks/common/prerequisites/install-dependencies.yml
index f3cd08ee..65fbd2ee 100644
--- a/tasks/common/prerequisites/install-dependencies.yml
+++ b/tasks/common/prerequisites/install-dependencies.yml
@@ -1,13 +1,13 @@ --- - name: (Debian/Ubuntu) Install package dependencies - apt: + ansible.builtin.apt: name: "{{ nginx_app_protect_debian_dependencies }}" update_cache: true state: latest # noqa package-latest when: ansible_os_family == "Debian" - name: (Amazon Linux) Set up Amazon Linux Extras repositories - command: "amazon-linux-extras enable {{ item }}" + ansible.builtin.command: "amazon-linux-extras enable {{ item }}" changed_when: false loop: "{{ nginx_app_protect_amazon_extras }}" when: ansible_distribution == "Amazon"
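Review bot: Both `ansible.builtin.rpm_key` tasks in the `@@ -16,11` hunk import a signing key straight from a URL with nothing pinning which key is expected, so a substituted key at that URL would be trusted for every package that follows. `rpm_key` has a `fingerprint` option for exactly this; adding `fingerprint: "<EXPECTED-KEY-FINGERPRINT-PLACEHOLDER>"` beside each `key:` makes an unexpected key fail the import instead. The EPEL `ansible.builtin.rpm_key` import in tasks/common/prerequisites/install-dependencies.yml fetches its key the same way, and the `ansible.builtin.apt_key` tasks in the `@@ -2,12` hunk of this file share the unpinned-URL pattern, though `apt_key` offers no equivalent check. The key URLs come from role defaults that are not part of this diff, so whether any pinning happens there is not visible here.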
@@ -15,12 +15,12 @@ - name: (Amazon Linux/CentOS/RHEL) Install package dependencies block: - name: (Amazon Linux/CentOS/RHEL) Import EPEL GPG key - rpm_key: + ansible.builtin.rpm_key: state: present key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ((ansible_distribution == 'Amazon') | ternary('7', ansible_distribution_major_version)) }} - name: (Amazon Linux/CentOS/RHEL) Install package dependencies - yum: + ansible.builtin.yum: name: "{{ nginx_app_protect_redhat_dependencies }}" update_cache: true state: latest # noqa package-latest
@@ -29,7 +29,7 @@ - name: (RHEL) Set up RHEL specific repositories block: - name: (RHEL 7) Set up RHEL dependencies from OSS repositories - yum_repository: + ansible.builtin.yum_repository: name: centos description: NGINX App Protect dependencies baseurl: https://ftp.heanet.ie/pub/centos/7/os/$basearch/
@@ -42,7 +42,7 @@ - not nginx_app_protect_use_rhel_subscription_repos | bool - name: (RHEL 7 DoS) Set up RHEL NGINX App Protect DoS dependencies from OSS repositories - yum_repository: + ansible.builtin.yum_repository: name: extras description: NGINX App Protect DoS dependencies mirrorlist: http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=extras
diff --git a/tasks/common/prerequisites/validate-supported-os.yml b/tasks/common/prerequisites/validate-supported-os.yml
index 1c73cf30..ec46e930 100644
--- a/tasks/common/prerequisites/validate-supported-os.yml
+++ b/tasks/common/prerequisites/validate-supported-os.yml
@@ -2,7 +2,7 @@ - name: (WAF) Set supported_os_waf when platform and major/minor version are in the WAF supported platforms dictionary block: - name: (WAF) Set fact to true if item present in dictionary - set_fact: + ansible.builtin.set_fact: supported_os_waf: true when: - ansible_distribution | lower in item.key
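Review bot: The `(RHEL 7 DoS)` `ansible.builtin.yum_repository` task in the `@@ -42,7` hunk points `mirrorlist` at `http://mirrorlist.centos.org/...` over plain HTTP, and the repository's `gpgcheck`/`gpgkey` settings lie past the end of the hunk; unless `gpgcheck: true` is set there, packages selected through that mirror list are installed without signature verification, and with plain HTTP the mirror list itself can be altered in transit. A comment on the task such as `# transport is HTTP; package integrity relies on gpgcheck below` would make the trust model visible if the check is present, and if it is absent it should be added. The `(RHEL 7)` repository in the `@@ -29,7` hunk hard-codes a single third-party mirror as `baseurl` and raises the same question about its GPG settings, which are likewise outside the hunk.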
@@ -10,12 +10,12 @@ loop: "{{ query('dict', nginx_app_protect_waf_linux_families) }}" - name: (WAF) Set supported_os_waf to false if fact not defined - set_fact: + ansible.builtin.set_fact: supported_os_waf: false when: supported_os_waf is not defined - name: (WAF) Abort if the OS / version combination is not supported - fail: + ansible.builtin.fail: msg: NGINX App Protect WAF is not supported on OS family {{ ansible_distribution }} version {{ ansible_distribution_version }} when: not supported_os_waf when: nginx_app_protect_waf_enable | bool and nginx_app_protect_waf_state != "absent"
@@ -23,7 +23,7 @@ - name: (DoS) Set supported_os_dos when platform and major/minor version are in the DoS supported platforms dictionary block: - name: (DoS) Set fact to true if item present in dictionary - set_fact: + ansible.builtin.set_fact: supported_os_dos: true when: - ansible_distribution | lower in item.key
@@ -31,18 +31,18 @@ loop: "{{ query('dict', nginx_app_protect_dos_linux_families) }}" - name: (DoS) Set supported_os_dos to false if fact not defined - set_fact: + ansible.builtin.set_fact: supported_os_dos: false when: supported_os_dos is not defined - name: (DoS) Abort if the OS / version combination is not supported - fail: + ansible.builtin.fail: msg: NGINX App Protect DoS is not supported on OS family {{ ansible_distribution }} version {{ ansible_distribution_version }} when: not supported_os_dos when: nginx_app_protect_dos_enable | bool and nginx_app_protect_dos_state != "absent" - name: Abort if installing on RHEL > 7 without subscription details - fail: + ansible.builtin.fail: msg: NGINX App Protect cannot be installed on OS family {{ ansible_distribution }} version {{ ansible_distribution_version }} without setting the 'nginx_app_protect_use_rhel_subscription_repos' variable when: - ansible_distribution == "RedHat"
diff --git a/tasks/dos/install-debian.yml b/tasks/dos/install-debian.yml
index ac62b729..ec88b86f 100644
--- a/tasks/dos/install-debian.yml
+++ b/tasks/dos/install-debian.yml
@@ -1,6 +1,6 @@ --- - name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus license - blockinfile: + ansible.builtin.blockinfile: path: /etc/apt/apt.conf.d/90nginx create: true block: |
@@ -12,7 +12,7 @@ mode: 0444 - name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect DoS license - blockinfile: + ansible.builtin.blockinfile: path: /etc/apt/apt.conf.d/90app-protect-dos create: true block: |
@@ -24,7 +24,7 @@ mode: 0444 - name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus repository - apt_repository: + ansible.builtin.apt_repository: filename: nginx-plus repo: "{{ nginx_plus_repository | default(nginx_plus_default_repository_debian) }}" state: "{{ nginx_app_protect_license_status | default((nginx_app_protect_dos_setup == 'uninstall') | ternary('absent', 'present')) }}"
@@ -33,7 +33,7 @@ when: nginx_app_protect_dos_manage_repo | bool - name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect DoS repository - apt_repository: + ansible.builtin.apt_repository: filename: nginx-app-protect-dos repo: "{{ nginx_app_protect_dos_repository | default(nginx_app_protect_dos_default_repository_debian) }}" state: "{{ nginx_app_protect_license_status | default((nginx_app_protect_dos_setup == 'uninstall') | ternary('absent', 'present')) }}"
@@ -42,7 +42,7 @@ when: nginx_app_protect_dos_manage_repo | bool - name: (Debian/Ubuntu) {{ nginx_app_protect_dos_setup | capitalize }} NGINX App Protect DoS - apt: + ansible.builtin.apt: name: "app-protect-dos{{ (nginx_app_protect_dos_state == 'absent') | ternary(',nginx-plus-module-appprotectdos', '') }}" state: "{{ nginx_app_protect_dos_state }}" update_cache: true
diff --git a/tasks/dos/install-redhat.yml b/tasks/dos/install-redhat.yml
index 58ee7381..7e404f24 100644
--- a/tasks/dos/install-redhat.yml
+++ b/tasks/dos/install-redhat.yml
@@ -1,6 +1,6 @@ --- - name: (CentOS/RHEL) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus repository - yum_repository: + ansible.builtin.yum_repository: name: nginx-plus description: NGINX Plus repository baseurl: "{{ nginx_plus_repository | default(nginx_plus_default_repository_redhat) }}"
@@ -13,7 +13,7 @@ when: nginx_app_protect_dos_manage_repo | bool - name: (CentOS/RHEL) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect DoS repository - yum_repository: + ansible.builtin.yum_repository: name: nginx-app-protect-dos description: NGINX App Protect DoS repository baseurl: "{{ nginx_app_protect_dos_repository | default(nginx_app_protect_dos_default_repository_redhat) }}"
@@ -26,7 +26,7 @@ when: nginx_app_protect_dos_manage_repo | bool - name: (CentOS/RHEL) {{ nginx_app_protect_dos_setup | capitalize }} NGINX App Protect DoS - yum: + ansible.builtin.yum: name: app-protect-dos{{ (nginx_app_protect_dos_state == 'absent') | ternary(',nginx-plus-module-appprotectdos', '') }} state: "{{ nginx_app_protect_dos_state }}" update_cache: true
diff --git a/tasks/main.yml b/tasks/main.yml
index 5bc2ce0d..65bc12ce 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
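Review bot: The `ansible.builtin.yum` task in the `@@ -26,7` hunk writes its package expression as a plain scalar, `name: app-protect-dos{{ ... }}`, whereas the Debian counterpart in tasks/dos/install-debian.yml quotes the identical expression (`name: "app-protect-dos{{ ... }}"`). A mid-string `{{` is legal unquoted, but quoting it here keeps the two install files consistent and guards against a later edit that moves the template to the start of the value, where an unquoted `{{` is read by YAML as a flow mapping before Ansible sees it. The remaining lines of the task are outside the hunk.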
@@ -1,11 +1,11 @@ --- - name: Check if OS is supported for NGINX App Protect WAF or DoS install - include_tasks: "{{ role_path }}/tasks/common/prerequisites/validate-supported-os.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/common/prerequisites/validate-supported-os.yml" when: nginx_app_protect_waf_state != "absent" or nginx_app_protect_dos_state != "absent" - name: Fail if variables for 'nginx_app_protect_security_policy_file_enable' are not defined - assert: + ansible.builtin.assert: that: - "{{ item }} is defined" - "{{ item }} | length > 0"
@@ -15,7 +15,7 @@ when: nginx_app_protect_security_policy_file_enable | bool - name: Fail if variables for 'nginx_app_protect_log_policy_file_enable' are not defined - assert: + ansible.builtin.assert: that: - "{{ item }} is defined" - "{{ item }} | length > 0"
@@ -25,42 +25,42 @@
 when: nginx_app_protect_log_policy_file_enable | bool
 - name: Install prerequisites
- include_tasks: "{{ role_path }}/tasks/common/prerequisites/install-dependencies.yml"
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/common/prerequisites/install-dependencies.yml"
 when: nginx_app_protect_waf_enable | bool or nginx_app_protect_dos_enable | bool
 tags: nginx_app_protect_prerequisites
 - name: Set up signing keys
- include_tasks: "{{ role_path }}/tasks/common/keys/setup-keys.yml"
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/common/keys/setup-keys.yml"
 when: nginx_app_protect_waf_enable | bool or nginx_app_protect_dos_enable | bool
 tags: nginx_app_protect_key
 - name: Set up NGINX App Protect license
- include_tasks: "{{ role_path }}/tasks/common/install/setup-license.yml"
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/common/install/setup-license.yml"
 when: nginx_app_protect_setup_license | bool
 tags: nginx_app_protect_setup_license
 - name: "{{ nginx_app_protect_waf_setup | capitalize }} NGINX App Protect WAF"
- include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_os_family | lower }}.yml"
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_os_family | lower }}.yml"
 when: nginx_app_protect_waf_enable | bool
 tags: nginx_app_protect_install_app_protect_waf
 - name: "{{ nginx_app_protect_dos_setup | capitalize }} NGINX App Protect DoS"
- include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_os_family | lower }}.yml"
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_os_family | lower }}.yml"
 when: nginx_app_protect_dos_enable | bool
 tags: nginx_app_protect_install_app_protect_dos
 - name: Modify NGINX Plus service
- include_tasks: "{{ role_path }}/tasks/common/install/service-modification.yml"
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/common/install/service-modification.yml"
 - name: Remove NGINX App Protect license
- include_tasks: "{{ role_path }}/tasks/common/install/remove-license.yml"
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/common/install/remove-license.yml"
 when: nginx_app_protect_remove_license | bool
 tags: nginx_app_protect_remove_license
 - name: Configure NGINX App Protect
- include_tasks: "{{ role_path }}/tasks/common/config/configure-app-protect.yml"
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/common/config/configure-app-protect.yml"
 when: nginx_app_protect_security_policy_file_enable | bool or nginx_app_protect_log_policy_file_enable | bool
 tags: nginx_app_protect_configure
diff --git a/tasks/waf/install-debian.yml b/tasks/waf/install-debian.yml
index 85b711c2..8ead036b 100644
--- a/tasks/waf/install-debian.yml
+++ b/tasks/waf/install-debian.yml
@@ -1,6 +1,6 @@
 ---
 - name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus license verification
- blockinfile:
+ ansible.builtin.blockinfile:
 path: /etc/apt/apt.conf.d/90nginx
 create: true
 block: |
@@ -12,7 +12,7 @@
 mode: 0444
 - name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect WAF license verification
- blockinfile:
+ ansible.builtin.blockinfile:
 path: /etc/apt/apt.conf.d/90app-protect
 create: true
 block: |
@@ -24,7 +24,7 @@
 mode: 0444
 - name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect WAF security updates license verification
- blockinfile:
+ ansible.builtin.blockinfile:
 path: /etc/apt/apt.conf.d/90app-protect-security-updates
 create: true
 block: |
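Review bot: `mode: 0444` on the context lines of the `@@ -12,7` and `@@ -24,7` hunks of tasks/waf/install-debian.yml is an unquoted octal literal; the YAML 1.1 loader Ansible uses reads it as the integer 292, which the file-attribute handling of `ansible.builtin.blockinfile` appears to apply as 0o444, so the permission is correct only because the parser's octal rule happens to match. A YAML 1.2 loader reads it as decimal 444 and the resulting mode is silently wrong, so the value should be the string `mode: "0444"`, as the yamllint/ansible-lint tooling this PR pins recommends for file modes. The `blockinfile` tasks these lines close start in the preceding hunks, and their `block: |` bodies are outside the hunks, so the apt.conf.d content written is not reviewed here.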
@@ -38,7 +38,7 @@
 or nginx_app_protect_waf_install_threat_campaigns | bool
 - name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus repository
- apt_repository:
+ ansible.builtin.apt_repository:
 filename: nginx-plus
 repo: "{{ nginx_plus_repository | default(nginx_plus_default_repository_debian) }}"
 update_cache: false
@@ -47,7 +47,7 @@
 when: nginx_app_protect_waf_manage_repo | bool
 - name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect WAF repository
- apt_repository:
+ ansible.builtin.apt_repository:
 filename: nginx-app-protect
 repo: "{{ nginx_app_protect_waf_repository | default(nginx_app_protect_waf_default_repository_debian) }}"
 update_cache: false
@@ -56,7 +56,7 @@
 when: nginx_app_protect_waf_manage_repo | bool
 - name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect WAF security updates repository
- apt_repository:
+ ansible.builtin.apt_repository:
 filename: app-protect-security-updates
 repo: "{{ nginx_app_protect_waf_security_updates_repository | default(nginx_app_protect_waf_security_updates_default_repository_debian) }}"
 update_cache: false
@@ -67,7 +67,7 @@
 - nginx_app_protect_waf_manage_repo | bool
 - name: (Debian/Ubuntu) {{ nginx_app_protect_waf_setup | capitalize }} NGINX App Protect WAF
- apt:
+ ansible.builtin.apt:
 name: app-protect{{ (nginx_app_protect_waf_state == 'absent') | ternary(',app-protect-compiler,app-protect-engine,app-protect-plugin,nginx-plus-module-appprotect', '') }}
 state: "{{ nginx_app_protect_waf_state }}"
 update_cache: true
@@ -76,7 +76,7 @@
 notify: (Handler - NGINX App Protect) Run NGINX
 - name: (Debian/Ubuntu) {{ nginx_app_protect_waf_setup | capitalize }} NGINX App Protect WAF signatures {{ nginx_app_protect_waf_signatures_version is defined | ternary(nginx_app_protect_waf_signatures_version, '') }}
- apt:
+ ansible.builtin.apt:
 name: app-protect-attack-signatures{{ nginx_app_protect_waf_signatures_version | default('') }}
 state: "{{ nginx_app_protect_waf_state }}"
 update_cache: true
@@ -88,7 +88,7 @@
 notify: (Handler - NGINX App Protect) Run NGINX
 - name: (Debian/Ubuntu) {{ nginx_app_protect_waf_setup | capitalize }} NGINX App Protect WAF threat campaigns {{ nginx_app_protect_waf_threat_campaigns_version is defined | ternary(nginx_app_protect_waf_threat_campaigns_version, '') }}
- apt:
+ ansible.builtin.apt:
 name: app-protect-threat-campaigns{{ nginx_app_protect_waf_threat_campaigns_version | default('') }}
 state: "{{ nginx_app_protect_waf_state }}"
 update_cache: true
diff --git a/tasks/waf/install-redhat.yml b/tasks/waf/install-redhat.yml
index b1a3df7d..32fc5ab3 100644
--- a/tasks/waf/install-redhat.yml
+++ b/tasks/waf/install-redhat.yml
@@ -1,6 +1,6 @@
 ---
 - name: (Amazon Linux/CentOS/RHEL) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus repository
- yum_repository:
+ ansible.builtin.yum_repository:
 name: nginx-plus
 description: NGINX Plus repository
 baseurl: "{{ nginx_plus_repository |
@@ -14,7 +14,7 @@
 when: nginx_app_protect_waf_manage_repo | bool
 - name: (Amazon Linux/CentOS/RHEL) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect WAF repository
- yum_repository:
+ ansible.builtin.yum_repository:
 name: nginx-app-protect
 description: NGINX App Protect WAF repository
 baseurl: "{{ nginx_app_protect_waf_repository |
@@ -28,7 +28,7 @@
 when: nginx_app_protect_waf_manage_repo | bool
 - name: (Amazon Linux/CentOS/RHEL) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect WAF security updates repository
- yum_repository:
+ ansible.builtin.yum_repository:
 name: nginx-app-protect-security-updates
 description: NGINX App Protect WAF security updates repository
 baseurl: "{{ nginx_app_protect_waf_security_updates_repository |
@@ -44,7 +44,7 @@
 - nginx_app_protect_waf_manage_repo | bool
 - name: (Amazon Linux/CentOS/RHEL) {{ nginx_app_protect_waf_setup | capitalize }} NGINX App Protect WAF
- yum:
+ ansible.builtin.yum:
 name: app-protect{{ (nginx_app_protect_waf_state == 'absent') | ternary(',app-protect-compiler,app-protect-engine,app-protect-plugin,nginx-plus-module-appprotect', '') }}
 state: "{{ nginx_app_protect_waf_state }}"
 update_cache: true
@@ -53,7 +53,7 @@
 notify: (Handler - NGINX App Protect) Run NGINX
 - name: (Amazon Linux/CentOS/RHEL) {{ nginx_app_protect_waf_setup | capitalize }} NGINX App Protect WAF signatures {{ nginx_app_protect_waf_signatures_version is defined | ternary(nginx_app_protect_signatures_version, '') }}
- yum:
+ ansible.builtin.yum:
 name: app-protect-attack-signatures{{ nginx_app_protect_waf_signatures_version | default('') }}
 state: "{{ nginx_app_protect_waf_state }}"
 update_cache: true
@@ -65,7 +65,7 @@
 notify: (Handler - NGINX App Protect) Run NGINX
 - name: (Amazon Linux/CentOS/RHEL) {{ nginx_app_protect_waf_setup | capitalize }} NGINX App Protect WAF threat campaigns {{ nginx_app_protect_waf_threat_campaigns_version is defined | ternary(nginx_app_protect_threat_campaigns_version, '') }}
- yum:
+ ansible.builtin.yum:
 name: app-protect-threat-campaigns{{ nginx_app_protect_waf_threat_campaigns_version | default('') }}
 state: "{{ nginx_app_protect_waf_state }}"
 update_cache: true
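Review bot: In the `@@ -53,7` and `@@ -65,7` hunks of tasks/waf/install-redhat.yml the task names test `nginx_app_protect_waf_signatures_version is defined` and `nginx_app_protect_waf_threat_campaigns_version is defined` but then hand `nginx_app_protect_signatures_version` and `nginx_app_protect_threat_campaigns_version` (no `waf_`) to `ternary`, so whenever a version is pinned the name references a variable the guard never checked; the Debian counterpart touched in this same PR uses the `waf_` names in both places. Unless those unprefixed names are defined somewhere not visible here, the name either renders untemplated or the task errors on an undefined variable, depending on the ansible-core version. The two name lines should read `ternary(nginx_app_protect_waf_signatures_version, '')` and `ternary(nginx_app_protect_waf_threat_campaigns_version, '')`, matching the `name:` package arguments beneath them.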