Check distribution and validate role variables (#236)

Author: alessfg

CHANGELOG.md

@@ -4,7 +4,8 @@
 
 FEATURES:
 
-* Refactor how this role checks if your distribution is supported NGINX App Protect. The role will no longer fail if the  target distribution is not supported, instead, you will get a warning. This should help with the occasional lag between new releases of distributions and/or NGINX App Protect and this role being updated to support those releases.
+* Validate that various role variables have been set to one of the allowed values.
+* Refactor how this role checks if your distribution is supported NGINX App Protect. The role will no longer fail if the  target distribution is not supported, instead, you will get a warning. This should help with the occasional lag between new releases of distributions and/or NGINX App Protect and this role being updated to support those releases. In addition, the role will also now check if your distribution's architecture is supported.
 * Add support for Debian bullseye for NGINX App Protect WAF.
 * Add support for Oracle Linux 7.x & 8.x for NGINX App Protect WAF.
 * Add support for RHEL 8.7.

tasks/common/prerequisites/validate-supported-os.yml

@@ -0,0 +1,75 @@
+---
+- name: (WAF) Check whether you are using a supported NGINX App Protect WAF distribution
+  ansible.builtin.assert:
+    that:
+      - "{{ ansible_facts['distribution'] | lower in nginx_app_protect_waf_distributions.keys() | list }}"
+      - "{{ (ansible_facts['distribution_version'] | regex_search('\\d+\\.?\\d*') in nginx_app_protect_waf_distributions[ansible_facts['distribution'] | lower]['versions'] | string)
+        if ansible_facts['distribution'] | lower in ['ubuntu'] else ansible_facts['distribution_major_version'] in nginx_app_protect_waf_distributions[ansible_facts['distribution'] | lower]['versions'] | string }}"
+      - "{{ ansible_facts['architecture'] in nginx_app_protect_waf_distributions[ansible_facts['distribution'] | lower]['architectures'] }}"
+    success_msg: Your distribution, {{ nginx_app_protect_waf_distributions[ansible_facts['distribution'] | lower]['name'] }} {{ ansible_facts['distribution_version'] }} ({{ ansible_facts['architecture'] }}), is supported by NGINX App Protect WAF.
+    fail_msg: Your distribution, {{ nginx_app_protect_waf_distributions[ansible_facts['distribution'] | lower]['name'] }} {{ ansible_facts['distribution_version'] }} ({{ ansible_facts['architecture'] }}), is not supported by NGINX App Protect WAF.
+  when:
+    - nginx_app_protect_waf_enable | bool
+    - nginx_app_protect_waf_state != "absent"
+  ignore_errors: true # noqa ignore-errors
+
+- name: (DoS) Check whether you are using a supported NGINX App Protect DoS distribution
+  ansible.builtin.assert:
+    that:
+      - "{{ ansible_facts['distribution'] | lower in nginx_app_protect_dos_distributions.keys() | list }}"
+      - "{{ (ansible_facts['distribution_version'] | regex_search('\\d+\\.?\\d*') in nginx_app_protect_dos_distributions[ansible_facts['distribution'] | lower]['versions'] | string)
+        if ansible_facts['distribution'] | lower in ['alpine', 'ubuntu'] else ansible_facts['distribution_major_version'] in nginx_app_protect_dos_distributions[ansible_facts['distribution'] | lower]['versions'] | string }}"
+      - "{{ ansible_facts['architecture'] in nginx_app_protect_dos_distributions[ansible_facts['distribution'] | lower]['architectures'] }}"
+    success_msg: Your distribution, {{ nginx_app_protect_dos_distributions[ansible_facts['distribution'] | lower]['name'] }} {{ ansible_facts['distribution_version'] }} ({{ ansible_facts['architecture'] }}), is supported by NGINX App Protect DoS.
+    fail_msg: Your distribution, {{ nginx_app_protect_dos_distributions[ansible_facts['distribution'] | lower]['name'] }} {{ ansible_facts['distribution_version'] }} ({{ ansible_facts['architecture'] }}), is not supported by NGINX App Protect DoS.
+  when:
+    - nginx_app_protect_dos_enable | bool
+    - nginx_app_protect_dos_state != "absent"
+  ignore_errors: true # noqa ignore-errors
+
+- name: Warn if installing NGINX App Protect on RHEL >7 without subscription details
+  ansible.builtin.fail:
+    msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_distribution_version }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role and then set the 'nginx_app_protect_use_rhel_subscription_repos' variable to true.
+  when:
+    - ansible_distribution == "RedHat"
+    - ansible_distribution_major_version is version('7', '>')
+    - not nginx_app_protect_use_rhel_subscription_repos | bool
+  ignore_errors: true # noqa ignore-errors
+
+- name: Check that 'nginx_app_protect_waf_setup' is an allowed value
+  ansible.builtin.assert:
+    that: nginx_app_protect_waf_setup in nginx_app_protect_setup_vars
+    fail_msg: The value you used for 'nginx_app_protect_waf_setup', {{ nginx_app_protect_waf_setup }}, is not allowed. The allowed values are [{{ nginx_app_protect_setup_vars | join(', ') }}].
+  when: nginx_app_protect_waf_enable | bool
+  ignore_errors: true # noqa ignore-errors
+
+- name: Check that 'nginx_app_protect_dos_setup' is an allowed value
+  ansible.builtin.assert:
+    that: nginx_app_protect_dos_setup in nginx_app_protect_setup_vars
+    fail_msg: The value you used for 'nginx_app_protect_dos_setup', {{ nginx_app_protect_waf_setup }}, is not allowed. The allowed values are [{{ nginx_app_protect_setup_vars | join(', ') }}].
+  when: nginx_app_protect_dos_enable | bool
+  ignore_errors: true # noqa ignore-errors
+
+- name: Check that the variables for 'nginx_app_protect_security_policy_file_enable' are defined
+  ansible.builtin.assert:
+    that:
+      - "{{ item }} is defined"
+      - "{{ item }} | length > 0"
+    fail_msg: If you want to publish a security policy file, don't forget to define at least one 'src' and 'dest' variables
+  loop:
+    - nginx_app_protect_security_policy_file.0.src
+    - nginx_app_protect_security_policy_file.0.dest
+  when: nginx_app_protect_security_policy_file_enable | bool
+  ignore_errors: true # noqa ignore-errors
+
+- name: Check that the variables for 'nginx_app_protect_log_policy_file_enable' are defined
+  ansible.builtin.assert:
+    that:
+      - "{{ item }} is defined"
+      - "{{ item }} | length > 0"
+    fail_msg: If you want to publish a log policy file, don't forget to define at least one 'src' and 'dest' variables
+  loop:
+    - nginx_app_protect_log_policy_file.0.src
+    - nginx_app_protect_log_policy_file.0.dest
+  when: nginx_app_protect_log_policy_file_enable | bool
+  ignore_errors: true # noqa ignore-errors

tasks/common/validate/validate.yml

@@ -1,37 +1,9 @@
 ---
-- name: Check whether you are using a supported NGINX App Protect distribution
-  ansible.builtin.include_tasks: "{{ role_path }}/tasks/common/prerequisites/validate-supported-os.yml"
-  when: nginx_app_protect_waf_state != "absent"
-        or nginx_app_protect_dos_state != "absent"
-  tags: nginx_app_protect_check_support
+- name: Validate distribution and role variables
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/common/validate/validate.yml"
+  tags: nginx_app_protect_validate
 
-- name: Check if the variables for 'nginx_app_protect_security_policy_file_enable' are defined
-  ansible.builtin.assert:
-    that:
-      - "{{ item }} is defined"
-      - "{{ item }} | length > 0"
-    fail_msg: If you want to publish a security policy file, don't forget to define at least one 'src' and 'dest' variables
-  loop:
-    - nginx_app_protect_security_policy_file.0.src
-    - nginx_app_protect_security_policy_file.0.dest
-  when: nginx_app_protect_security_policy_file_enable | bool
-  ignore_errors: true # noqa ignore-errors
-  tags: nginx_app_protect_check_policy_file
-
-- name: Check if the variables for 'nginx_app_protect_log_policy_file_enable' are defined
-  ansible.builtin.assert:
-    that:
-      - "{{ item }} is defined"
-      - "{{ item }} | length > 0"
-    fail_msg: If you want to publish a log policy file, don't forget to define at least one 'src' and 'dest' variables
-  loop:
-    - nginx_app_protect_log_policy_file.0.src
-    - nginx_app_protect_log_policy_file.0.dest
-  when: nginx_app_protect_log_policy_file_enable | bool
-  ignore_errors: true # noqa ignore-errors
-  tags: nginx_app_protect_check_policy_file
-
-- name: Install prerequisites
+- name: Set up prerequisites
   ansible.builtin.include_tasks: "{{ role_path }}/tasks/common/prerequisites/prerequisites.yml"
   when: nginx_app_protect_waf_enable | bool
         or nginx_app_protect_dos_enable | bool

tasks/main.yml

@@ -1,47 +1,8 @@
 ---
-# NGINX App Protect WAF platform matrix. Populate this dictionary of lists with appropriate values from ansible_distribution and ansible_distribution_version facts
-nginx_app_protect_waf_linux_families:
-  amazon: [
-    "2",
-  ]
-  centos: [
-    "7.4", "7.5", "7.6", "7.7", "7.8", "7.9",
-  ]
-  debian: [
-    "11",
-  ]
-  oraclelinux: [
-    "8.1", "8.2", "8.3", "8.4", "8.5", "8.6", "8.7",
-  ]
-  redhat: [
-    "7.4", "7.5", "7.6", "7.7", "7.8", "7.9", "8.1", "8.2", "8.3", "8.4", "8.5", "8.6", "8.7",
-  ]
-  ubuntu: [
-    "18.04", "20.04",
-  ]
-
-# NGINX App Protect DoS platform matrix. Populate this dictionary of lists with appropriate values from ansible_distribution and ansible_distribution_version facts
-nginx_app_protect_dos_linux_families:
-  alpine: [
-    "3.15",
-  ]
-  centos: [
-    "7.4", "7.5", "7.6", "7.7", "7.8", "7.9",
-  ]
-  debian: [
-    "11",
-  ]
-  redhat: [
-    "7.4", "7.5", "7.6", "7.7", "7.8", "7.9", "8.0", "8.1", "8.2", "8.3", "8.4", "8.5", "8.6", "8.7",
-  ]
-  ubuntu: [
-    "18.04", "20.04",
-  ]
-
-nginx_app_protect_setup_vars: [
-  install, uninstall, upgrade,
-]
+# Set the values allowed for various variables
+nginx_app_protect_setup_vars: [install, uninstall, upgrade]
 
+# Determine the current value of 'nginx_app_protect_*_state'
 nginx_app_protect_state_vals:
   install: present
   uninstall: absent
@@ -53,26 +14,67 @@ nginx_app_protect_waf_state: "{{ nginx_app_protect_state_vals[nginx_app_protect_
 nginx_app_protect_dos_default_setup: install
 nginx_app_protect_dos_state: "{{ nginx_app_protect_state_vals[nginx_app_protect_dos_setup] | default(nginx_app_protect_state_vals[nginx_app_protect_dos_default_setup]) }}"
 
+# NGINX App Protect WAF platform matrix. Populate this dictionary of lists with appropriate values from ansible_distribution and ansible_distribution_version facts
+nginx_app_protect_waf_distributions:
+  amazon:
+    name: Amazon Linux
+    versions: [2]
+    architectures: [x86_64]
+  centos:
+    name: CentOS
+    versions: [7]
+    architectures: [x86_64]
+  debian:
+    name: Debian
+    versions: [11]
+    architectures: [x86_64]
+  oraclelinux:
+    name: Oracle Linux
+    versions: [8]
+    architectures: [x86_64]
+  redhat:
+    name: Red Hat Enterprise Linux
+    versions: [7, 8]
+    architectures: [x86_64]
+  ubuntu:
+    name: Ubuntu
+    versions: [18.04, 20.04]
+    architectures: [x86_64]
+
+# NGINX App Protect DoS platform matrix. Populate this dictionary of lists with appropriate values from ansible_distribution and ansible_distribution_version facts
+nginx_app_protect_dos_distributions:
+  alpine:
+    name: Alpine Linux
+    versions: [3.15]
+    architectures: [x86_64]
+  centos:
+    name: CentOS
+    versions: [7]
+    architectures: [x86_64]
+  debian:
+    name: Debian
+    versions: [11]
+    architectures: [x86_64]
+  redhat:
+    name: Red Hat Enterprise Linux
+    versions: [7, 8]
+    architectures: [x86_64]
+  ubuntu:
+    name: Ubuntu
+    versions: [18.04, 20.04]
+    architectures: [x86_64]
+
 # Alpine Linux dependencies
-nginx_app_protect_alpine_dependencies: [
-  boost, ca-certificates, coreutils, libelf, openssl, pcre2, zeromq,
-]
+nginx_app_protect_alpine_dependencies: [boost, ca-certificates, coreutils, libelf, openssl, pcre2, zeromq]
 
 # Amazon Linux 2 extras
-nginx_app_protect_amazon_extras: [
-  selinux-ng,
-]
+nginx_app_protect_amazon_extras: [selinux-ng]
 
 # Debian dependencies
-nginx_app_protect_debian_dependencies: [
-  apt-transport-https, ca-certificates,
-]
+nginx_app_protect_debian_dependencies: [apt-transport-https, ca-certificates]
 
 # Red Hat dependencies
-nginx_app_protect_redhat_dependencies: [
-  ca-certificates,
-  "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ((ansible_distribution == 'Amazon') | ternary('7', ansible_distribution_major_version)) }}.noarch.rpm",
-]
+nginx_app_protect_redhat_dependencies: [ca-certificates, "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ((ansible_distribution == 'Amazon') | ternary('7', ansible_distribution_major_version)) }}.noarch.rpm"]
 
 # Choose where to fetch the NGINX App Protect and Security Updates signing keys from.
 # Default settings are the official NGINX signing key hosts.