Refactor Ansible facts from dot to array notation #237

Merged
merged 7 commits into from
Jan 29, 2023
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,7 @@ FEATURES:

* Validate that various role variables have been set to one of the allowed values.
* Refactor how this role checks if your distribution is supported NGINX App Protect. The role will no longer fail if the target distribution is not supported, instead, you will get a warning. This should help with the occasional lag between new releases of distributions and/or NGINX App Protect and this role being updated to support those releases. In addition, the role will also now check if your distribution's architecture is supported.
* Refactor Ansible facts from dot to array notation to keep in with the standards set by the other roles in the Ansible NGINX core collection.
* Add support for Debian bullseye for NGINX App Protect WAF.
* Add support for Oracle Linux 7.x & 8.x for NGINX App Protect WAF.
* Add support for RHEL 8.7.
2 changes: 1 addition & 1 deletion molecule/common/cleanup.yml
Expand Up @@ -26,7 +26,7 @@
- name: (RHEL) Unregister system from RHEL subscription manager
community.general.redhat_subscription:
state: absent
when: ansible_distribution == "RedHat"
when: ansible_facts['distribution'] == "RedHat"
rescue:
- name: It's ok we're at startup
ansible.builtin.meta: noop
2 changes: 1 addition & 1 deletion molecule/default/converge.yml
Expand Up @@ -16,7 +16,7 @@
username: "{{ lookup('env', 'RHEL_USERNAME') }}"
password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
when:
- ansible_distribution == "RedHat"
- ansible_facts['distribution'] == "RedHat"
- rhel_subscription | bool
tasks:
- name: Install NGINX App Protect WAF
2 changes: 1 addition & 1 deletion molecule/dos/converge.yml
Expand Up @@ -16,7 +16,7 @@
username: "{{ lookup('env', 'RHEL_USERNAME') }}"
password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
when:
- ansible_distribution == "RedHat"
- ansible_facts['distribution'] == "RedHat"
- rhel_subscription| bool
tasks:
- name: Install NGINX App Protect DoS
4 changes: 2 additions & 2 deletions molecule/specific-version/converge.yml
Expand Up @@ -13,12 +13,12 @@
tasks:
- name: Set NGINX App Protect WAF signature version fact
ansible.builtin.set_fact:
nginx_app_protect_waf_signatures_version: "{{ app_protect_signature_version_matrix[ansible_os_family | lower] }}{{ (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
nginx_app_protect_waf_signatures_version: "{{ app_protect_signature_version_matrix[ansible_facts['os_family'] | lower] }}{{ (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
when: specify_app_protect_signatures_version | bool

- name: Set NGINX App Protect WAF threat campaigns version fact
ansible.builtin.set_fact:
nginx_app_protect_waf_threat_campaigns_version: "{{ app_protect_threat_campaigns_version_matrix[ansible_os_family | lower] }}{{ (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
nginx_app_protect_waf_threat_campaigns_version: "{{ app_protect_threat_campaigns_version_matrix[ansible_facts['os_family'] | lower] }}{{ (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
when: specify_app_protect_threat_campaigns_version | bool

- name: Install NGINX App Protect WAF
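Review bot: The refactor is incomplete on both `set_fact` lines: `ansible_os_family` was converted to `ansible_facts['os_family']`, but the `ternary('~' ~ ansible_distribution_release, '')` suffix still reads the legacy injected variable, whereas verify.yml in this same PR uses `ansible_facts['distribution_release']` for the identical expression. Beyond the inconsistency, the bare `ansible_*` names only exist while `inject_facts_as_vars` is enabled, so if the aim of moving to `ansible_facts[...]` is to stop depending on that setting, these two tasks would fail with an undefined variable. Change both to `ternary('~' ~ ansible_facts['distribution_release'], '')`. The "Install NGINX App Protect WAF" task that follows runs past the end of the hunk.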
4 changes: 2 additions & 2 deletions molecule/specific-version/verify.yml
Expand Up @@ -60,8 +60,8 @@

- name: Verify installed NAP signatures version matches requested version # noqa jinja[spacing]
ansible.builtin.assert:
that: "{{ (ansible_facts.packages['app-protect-attack-signatures'] | map(attribute='version') | first) == (app_protect_signature_version_matrix[ansible_os_family | lower] | regex_replace('^-|=','') + (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '')) }}"
that: "{{ (ansible_facts['packages']['app-protect-attack-signatures'] | map(attribute='version') | first) == (app_protect_signature_version_matrix[ansible_facts['os_family'] | lower] | regex_replace('^-|=','') + (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_facts['distribution_release'], '')) }}"

- name: Verify installed NAP threat campaigns version matches requested version # noqa jinja[spacing]
ansible.builtin.assert:
that: "{{ (ansible_facts.packages['app-protect-threat-campaigns'] | map(attribute='version') | first) == (app_protect_threat_campaigns_version_matrix[ansible_os_family | lower] | regex_replace('^-|=','') + (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '')) }}"
that: "{{ (ansible_facts['packages']['app-protect-threat-campaigns'] | map(attribute='version') | first) == (app_protect_threat_campaigns_version_matrix[ansible_facts['os_family'] | lower] | regex_replace('^-|=','') + (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_facts['distribution_release'], '')) }}"
4 changes: 2 additions & 2 deletions molecule/uninstall/prepare.yml
Expand Up @@ -34,7 +34,7 @@
username: "{{ lookup('env', 'RHEL_USERNAME') }}"
password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
when:
- ansible_distribution == "RedHat"
- ansible_facts['distribution'] == "RedHat"
- rhel_subscription| bool
tasks:
- name: Install NGINX App Protect WAF
Expand All @@ -54,5 +54,5 @@
community.general.redhat_subscription:
state: absent
when:
- ansible_distribution == "RedHat"
- ansible_facts['distribution'] == "RedHat"
- rhel_subscription | bool
12 changes: 6 additions & 6 deletions tasks/common/config/configure-app-protect.yml
Expand Up @@ -4,15 +4,15 @@
block:
- name: Ensure NGINX App Protect security policy directories exist
ansible.builtin.file:
path: "{{ item.dest | default('/etc/app_protect/conf') | dirname }}"
path: "{{ item['dest'] | default('/etc/app_protect/conf') | dirname }}"
state: directory
mode: 0755
loop: "{{ nginx_app_protect_security_policy_file }}"

- name: Copy NGINX App Protect security policy files
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest | default('/etc/app_protect/conf') }}"
src: "{{ item['src'] }}"
dest: "{{ item['dest'] | default('/etc/app_protect/conf') }}"
backup: true
mode: 0644
loop: "{{ nginx_app_protect_security_policy_file }}"
Expand All @@ -22,15 +22,15 @@
block:
- name: Ensure NGINX App Protect log policy directories exist
ansible.builtin.file:
path: "{{ item.dest | default('/etc/app_protect/conf') | dirname }}"
path: "{{ item['dest'] | default('/etc/app_protect/conf') | dirname }}"
state: directory
mode: 0755
loop: "{{ nginx_app_protect_log_policy_file }}"

- name: Copy NGINX App Protect log policy files
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest | default('/etc/app_protect/conf') }}"
src: "{{ item['src'] }}"
dest: "{{ item['dest'] | default('/etc/app_protect/conf') }}"
backup: true
mode: 0644
loop: "{{ nginx_app_protect_log_policy_file }}"
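Review bot: When a policy entry omits `dest`, the directory task evaluates `'/etc/app_protect/conf' | dirname`, i.e. `/etc/app_protect`, so the `conf` directory itself is never ensured, while the copy task then targets `/etc/app_protect/conf` with no trailing slash; if that path does not already exist (presumably the NGINX App Protect package creates it, but nothing in the role checks here), `ansible.builtin.copy` creates a regular file named `conf` and every later loop item silently overwrites it. Defaulting to a full file path removes the ambiguity, e.g. `dest: "{{ item['dest'] | default('/etc/app_protect/conf/' ~ (item['src'] | basename)) }}"` in the copy tasks, with the same expression feeding `| dirname` in the directory tasks. The security-policy and log-policy blocks are otherwise identical two-task pairs, so one included task file parameterised on the list would remove the duplication. Both blocks' `when:` conditions sit outside the visible hunks.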
4 changes: 2 additions & 2 deletions tasks/common/install/remove-license.yml
Expand Up @@ -4,11 +4,11 @@
nginx_app_protect_license_status: absent

- name: Delete NGINX App Protect WAF repository data
ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_os_family | lower }}.yml"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_facts['os_family'] | lower }}.yml"
when: nginx_app_protect_waf_enable | bool

- name: Delete NGINX App Protect DoS repository data
ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_os_family | lower }}.yml"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_facts['os_family'] | lower }}.yml"
when: nginx_app_protect_dos_enable | bool

- name: Delete NGINX App Protect license
18 changes: 9 additions & 9 deletions tasks/common/install/setup-license.yml
@@ -1,6 +1,6 @@
---
- name: (Alpine Linux) Set up NGINX App Protect WAF/DoS license
when: ansible_os_family == "Alpine"
when: ansible_facts['os_family'] == "Alpine"
block:
- name: Install cryptography package
ansible.builtin.package:
Expand All @@ -14,14 +14,14 @@

- name: (Alpine Linux) Copy NGINX App Protect WAF/DoS certificate
ansible.builtin.copy:
src: "{{ nginx_app_protect_license.certificate }}"
src: "{{ nginx_app_protect_license['certificate'] }}"
dest: /etc/apk/cert.pem
decrypt: true
mode: 0444

- name: (Alpine Linux) Copy NGINX App Protect WAF/DoS key
ansible.builtin.copy:
src: "{{ nginx_app_protect_license.key }}"
src: "{{ nginx_app_protect_license['key'] }}"
dest: /etc/apk/cert.key
decrypt: true
mode: 0444
Expand All @@ -45,7 +45,7 @@
fail_msg: Something went wrong! Make sure your App Protect WAF/DoS license is valid!

- name: (Debian/Red Hat OSs) Set up NGINX App Protect WAF/DoS license
when: ansible_os_family != "Alpine"
when: ansible_facts['os_family'] != "Alpine"
block:
- name: (Debian/Red Hat OSs) Create SSL directory
ansible.builtin.file:
Expand All @@ -60,12 +60,12 @@
decrypt: true
mode: 0444
loop:
- "{{ nginx_app_protect_license.certificate }}"
- "{{ nginx_app_protect_license.key }}"
- "{{ nginx_app_protect_license['certificate'] }}"
- "{{ nginx_app_protect_license['key'] }}"

- name: (Debian/Red Hat OSs) Install cryptography package
ansible.builtin.package:
name: "{{ (ansible_python.version.major == 3) | ternary('python3-cryptography', 'python2-cryptography') }}"
name: "{{ (ansible_python['version']['major'] == 3) | ternary('python3-cryptography', 'python2-cryptography') }}"

- name: (Debian/Red Hat OSs) Check that NGINX App Protect WAF/DoS certificate is valid
community.crypto.x509_certificate_info:
Expand All @@ -80,7 +80,7 @@
- name: (Debian/Red Hat OSs) Check that NGINX App Protect WAF/DoS license is valid
ansible.builtin.assert:
that:
- cert.expired == false
- cert.public_key == key.public_key
- "{{ not cert['expired'] | bool }}"
- "{{ cert['public_key'] == key['public_key'] }}"
success_msg: Your NGINX App Protect WAF/DoS license is valid!
fail_msg: Something went wrong! Make sure your NGINX App Protect WAF/DoS license is valid!
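Review bot: The rewritten assertions at the end of the hunk wrap the conditions in `{{ }}`: `that:` entries are already evaluated as Jinja conditionals, so templating them first renders a `True`/`False` string that is then evaluated a second time, and ansible-core warns that conditional statements should not include templating delimiters. Write them as bare expressions, `- not cert['expired'] | bool` and `- cert['public_key'] == key['public_key']` (the filter binds tighter than `not`, so the first still reads as `not (expired)`). The same hunk leaves `ansible_python['version']['major']` on the legacy injected variable; `ansible_facts['python']['version']['major']` keeps it consistent with the rest of the refactor. This assert is the license-validity gate (expiry plus certificate/key match), so it should be in the form the engine evaluates most predictably. The x509_certificate_info task that produces `cert` and the task producing `key` are outside the visible lines.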
16 changes: 8 additions & 8 deletions tasks/common/keys/setup-keys.yml
@@ -1,10 +1,10 @@
---
- name: (Alpine Linux) Set up NGINX App Protect DoS signing key
when: ansible_os_family == "Alpine"
when: ansible_facts['os_family'] == "Alpine"
block:
- name: (Alpine Linux) Set up NGINX App Protect DoS signing key URL
ansible.builtin.set_fact:
keysite: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_rsa_pub) }}"
keysite: "{{ nginx_app_protect_signing_key['nginx_plus'] | default(nginx_app_protect_default_signing_key_rsa_pub) }}"

- name: (Alpine Linux) Download NGINX App Protect DoS signing key
ansible.builtin.get_url:
Expand All @@ -13,27 +13,27 @@
mode: 0400

- name: (Debian/Ubuntu) Set up NGINX App Protect and security updates signing key
when: ansible_os_family == "Debian"
when: ansible_facts['os_family'] == "Debian"
block:
- name: (Debian/Ubuntu) Add NGINX Plus signing key
ansible.builtin.apt_key:
keyring: /usr/share/keyrings/nginx-archive-keyring.gpg
url: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_pgp) }}"
url: "{{ nginx_app_protect_signing_key['nginx_plus'] | default(nginx_app_protect_default_signing_key_pgp) }}"

- name: (Debian/Ubuntu) Add NGINX App Protect security updates signing key
ansible.builtin.apt_key:
keyring: /usr/share/keyrings/nginx-archive-keyring.gpg
url: "{{ nginx_app_protect_waf_signing_key.waf_security_updates | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}"
url: "{{ nginx_app_protect_waf_signing_key['waf_security_updates'] | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}"
when: (nginx_app_protect_waf_install_signatures | bool) or (nginx_app_protect_waf_install_threat_campaigns | bool)

- name: (Amazon Linux/CentOS/RHEL) Set up NGINX App Protect and security updates signing key
when: ansible_os_family == "RedHat"
when: ansible_facts['os_family'] == "RedHat"
block:
- name: (CentOS/RHEL) Add NGINX Plus signing key
ansible.builtin.rpm_key:
key: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_pgp) }}"
key: "{{ nginx_app_protect_signing_key['nginx_plus'] | default(nginx_app_protect_default_signing_key_pgp) }}"

- name: (Amazon Linux/CentOS/RHEL) Add NGINX App Protect security updates signing key
ansible.builtin.rpm_key:
key: "{{ nginx_app_protect_waf_signing_key.waf_security_updates | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}"
key: "{{ nginx_app_protect_waf_signing_key['waf_security_updates'] | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}"
when: (nginx_app_protect_waf_install_signatures | bool) or (nginx_app_protect_waf_install_threat_campaigns | bool)
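Review bot: None of the key-import tasks pin the expected key identity: the `apt_key` tasks pass only `keyring` and `url`, and the `rpm_key` tasks only `key`, so the role trusts whatever the URL returns, and the URL is operator-overridable through `nginx_app_protect_signing_key['nginx_plus']` and `nginx_app_protect_waf_signing_key['waf_security_updates']`. `rpm_key` accepts `fingerprint:` and verifies the fetched key against it before importing; `apt_key` accepts `id:` (full fingerprint), which at least fails the play if the imported key does not match. A default fingerprint variable next to each URL default, passed as `fingerprint: "{{ nginx_app_protect_signing_key['nginx_plus_fingerprint'] | default(nginx_app_protect_default_signing_key_fingerprint) }}"`, would cover both families. Presumably the `*_default_signing_key_pgp`/`_rsa_pub` defaults are HTTPS URLs on nginx.org, which is worth confirming, since the Alpine `get_url` download whose `url:` line is just above the hunk carries no `checksum:` either.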
22 changes: 11 additions & 11 deletions tasks/common/prerequisites/install-dependencies.yml
Expand Up @@ -4,28 +4,28 @@
name: "{{ nginx_app_protect_alpine_dependencies }}"
update_cache: true
state: latest # noqa package-latest
when: ansible_os_family == "Alpine"
when: ansible_facts['os_family'] == "Alpine"

- name: (Debian/Ubuntu) Install package dependencies
ansible.builtin.apt:
name: "{{ nginx_app_protect_debian_dependencies }}"
update_cache: true
state: latest # noqa package-latest
when: ansible_os_family == "Debian"
when: ansible_facts['os_family'] == "Debian"

- name: (Amazon Linux) Set up Amazon Linux Extras repositories
ansible.builtin.command: amazon-linux-extras enable {{ item }}
changed_when: false
loop: "{{ nginx_app_protect_amazon_extras }}"
when: ansible_distribution == "Amazon"
when: ansible_facts['distribution'] == "Amazon"

- name: (Amazon Linux/CentOS/RHEL) Install package dependencies
when: ansible_os_family == "RedHat"
when: ansible_facts['os_family'] == "RedHat"
block:
- name: (Amazon Linux/CentOS/RHEL) Import EPEL GPG key
ansible.builtin.rpm_key:
state: present
key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ (ansible_distribution == 'Amazon') | ternary('7', ansible_distribution_major_version) }}
key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ (ansible_facts['distribution'] == 'Amazon') | ternary('7', ansible_facts['distribution_major_version']) }}

- name: (Amazon Linux/CentOS/RHEL) Install package dependencies
ansible.builtin.yum:
Expand All @@ -34,7 +34,7 @@
state: latest # noqa package-latest

- name: (RHEL) Set up RHEL specific repositories
when: ansible_distribution == "RedHat"
when: ansible_facts['distribution'] == "RedHat"
block:
- name: (RHEL 7) Set up RHEL dependencies from OSS repositories
ansible.builtin.yum_repository:
Expand All @@ -46,7 +46,7 @@
gpgkey: https://ftp.heanet.ie/pub/centos/7/os/$basearch/RPM-GPG-KEY-CentOS-7
state: "{{ nginx_app_protect_license_status | default('present') }}"
when:
- ansible_distribution_major_version == "7"
- ansible_facts['distribution_major_version'] is version('7', '==')
- not nginx_app_protect_use_rhel_subscription_repos | bool

- name: (RHEL 7 DoS) Set up RHEL NGINX App Protect DoS dependencies from OSS repositories
Expand All @@ -59,7 +59,7 @@
gpgkey: http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7
state: "{{ nginx_app_protect_license_status | default('present') }}"
when:
- ansible_distribution_major_version == "7"
- ansible_facts['distribution_major_version'] is version('7', '==')
- not nginx_app_protect_use_rhel_subscription_repos | bool
- nginx_app_protect_dos_enable | bool

Expand All @@ -75,14 +75,14 @@
- rhel-7-server-extras-rpms
- rhel-ha-for-rhel-7-server-rpms
when:
- ansible_distribution_major_version == "7"
- ansible_facts['distribution_major_version'] is version('7', '==')
- nginx_app_protect_use_rhel_subscription_repos | bool

- name: (RHEL 8) Set up RHEL dependencies from RHEL official repositories
community.general.rhsm_repository:
name: codeready-builder-for-rhel-8-x86_64-rpms
when:
- ansible_distribution_major_version == "8"
- ansible_facts['distribution_major_version'] is version('8', '==')
- nginx_app_protect_use_rhel_subscription_repos | bool

- name: (Oracle Linux) Set up Oracle Linux specific repositories
Expand All @@ -92,4 +92,4 @@
option: enabled
value: 1
mode: 0644
when: ansible_distribution == "OracleLinux"
when: ansible_facts['distribution'] == "OracleLinux"
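Review bot: The RHEL 7 DoS repository definition still fetches its signing key over plain HTTP (`gpgkey: http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7`), while the sibling RHEL 7 task a few lines above uses `https://ftp.heanet.ie/pub/centos/7/os/$basearch/RPM-GPG-KEY-CentOS-7`. A key obtained over an unauthenticated channel can be replaced by an on-path attacker, which defeats the package signature check it is meant to anchor; switch it to `https://` if mirror.centos.org serves the key that way, point it at the same HTTPS host as the first task, or ship the key file with the role. The `baseurl` and `gpgcheck` lines of both `yum_repository` tasks are outside the visible hunks, so I cannot confirm `gpgcheck: true` is set on them. Separately, the EPEL key task hard-codes `7` for Amazon Linux, which is fine for Amazon Linux 2 but will select the wrong key on Amazon Linux 2023; a comment stating the supported Amazon release would help the next maintainer.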
2 changes: 1 addition & 1 deletion tasks/common/prerequisites/setup-selinux.yml
Expand Up @@ -75,7 +75,7 @@
- name: Import SELinux NGINX App Protect module
ansible.builtin.command: semodule -i {{ nginx_app_protect_selinux_tempdir }}/nginx-app-protect-module.pp # noqa no-handler
changed_when: false
when: nginx_app_protect_selinux_module.changed | bool
when: nginx_app_protect_selinux_module['changed'] | bool

- name: Set SELinux mode to enforcing
ansible.posix.selinux:
6 changes: 3 additions & 3 deletions tasks/common/validate/validate.yml
Expand Up @@ -29,10 +29,10 @@

- name: Warn if installing NGINX App Protect on RHEL >7 without subscription details
ansible.builtin.fail:
msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_distribution_version }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role and then set the 'nginx_app_protect_use_rhel_subscription_repos' variable to true.
msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_facts['distribution_version'] }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role and then set the 'nginx_app_protect_use_rhel_subscription_repos' variable to true.
when:
- ansible_distribution == "RedHat"
- ansible_distribution_major_version is version('7', '>')
- ansible_facts['distribution'] == "RedHat"
- ansible_facts['distribution_major_version'] is version('7', '>')
- not nginx_app_protect_use_rhel_subscription_repos | bool
ignore_errors: true # noqa ignore-errors

4 changes: 2 additions & 2 deletions tasks/main.yml
Expand Up @@ -21,12 +21,12 @@
tags: nginx_app_protect_setup_license

- name: "{{ nginx_app_protect_waf_setup | capitalize }} NGINX App Protect WAF"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_os_family | lower }}.yml"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_facts['os_family'] | lower }}.yml"
when: nginx_app_protect_waf_enable | bool
tags: nginx_app_protect_install_app_protect_waf

- name: "{{ nginx_app_protect_dos_setup | capitalize }} NGINX App Protect DoS"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_os_family | lower }}.yml"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_facts['os_family'] | lower }}.yml"
when: nginx_app_protect_dos_enable | bool
tags: nginx_app_protect_install_app_protect_dos
