Remove deprecated variables (#114)

Author: alessfg

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## 0.6.0 (Unreleased)
 
+BREAKING CHANGES:
+
+Remove deprecated variables mentioned in the `0.5.0` release. These involve templating variables for both NGINX App Protect configs and policy/security files. Please instead use the [NGINX config role](https://github.com/nginxinc/ansible-role-nginx-config) for this (and much more) functionality.
+
 FEATURES:
 
 *   Add support for NGINX App Protect DoS (Denial of Service) product. The `nginx_app_protect_dos_enable` variable must be set to `true` in order to install NGINX App Protect DoS.
@@ -24,7 +28,7 @@ The NGINX App Protect repository has been updated. This might cause some issues
 
 DEPRECATION WARNINGS:
 
-*   **The ability to create an NGINX config including some basic App Protect directives will be removed in the upcoming `0.6.0` release at some stage after June 2021.** Please instead use the [NGINX config role](https://github.com/nginxinc/ansible-role-nginx-config) for this (and much more) functionality. This will include the removal of the following variables: `nginx_app_protect_conf_template_enable`, `nginx_app_protect_conf_template`, `nginx_app_protect_demo_workload_protocol`, `nginx_app_protect_demo_workload_host`, `nginx_app_protect_log_policy_syslog_target`, `nginx_app_protect_log_policy_target`.
+*   **The ability to create an NGINX config including some basic App Protect directives will be removed in the upcoming `0.6.0` release at some stage after June 2021.** Please use the [NGINX config role](https://github.com/nginxinc/ansible-role-nginx-config) instead for this (and much more) functionality. This will include the removal of the following variables: `nginx_app_protect_conf_template_enable`, `nginx_app_protect_conf_template`, `nginx_app_protect_demo_workload_protocol`, `nginx_app_protect_demo_workload_host`, `nginx_app_protect_log_policy_syslog_target`, `nginx_app_protect_log_policy_target`.
 
 *   **The ability to dynamically create App Protect security and log policies via Jinja2 templates will be removed in the `0.6.0` release at some stage after June 2021 due to relative inflexibility.** The `nginx_app_protect_security_policy_file_enable`, `nginx_app_protect_security_policy_file_*`, `nginx_app_protect_log_policy_file_enable` and `nginx_app_protect_log_policy_file_*` variables should be used instead of the following variables which are to be removed: `nginx_app_protect_security_policy_template_enable`, `nginx_app_protect_security_policy_template`, `nginx_app_protect_security_policy_enforcement_mode`, `nginx_app_protect_log_policy_template_enable`, `nginx_app_protect_log_policy_template`, `nginx_app_protect_log_policy_filter_request_type`.
 

defaults/main.yml

@@ -92,38 +92,6 @@ nginx_app_protect_timeout: 180
 # Creates basic configuration files and enables NGINX App Protect WAF on the target host
 nginx_app_protect_configure: false
 
-## DEPRECATED -- Use nginx_app_protect_security_policy_enable and nginx_app_protect_security_policy_file_* variables instead
-# Create a basic NGINX App Protect WAF security policy file based on a template
-nginx_app_protect_security_policy_template_enable: true
-nginx_app_protect_security_policy_template:
-  template_file: app-protect-security-policy.j2
-  out_file_name: app-protect-security-policy.json
-  out_file_location: /etc/app_protect/conf/
-# possible values: transparent, blocking
-nginx_app_protect_security_policy_enforcement_mode: transparent
-
-## DEPRECATED -- Use nginx_app_protect_log_policy_file_enable and nginx_app_protect_log_policy_file_* variables instead
-# Create a basic NGINX App Protect WAF log policy file based on a template
-nginx_app_protect_log_policy_template_enable: true
-nginx_app_protect_log_policy_template:
-  template_file: app-protect-log-policy.j2
-  out_file_name: app-protect-log-policy.json
-  out_file_location: /etc/app_protect/conf/
-# possible values: all, illegal, blocked
-nginx_app_protect_log_policy_filter_request_type: all
-
-## DEPRECATED -- Use nginxinc.nginx_config role instead (https://github.com/nginxinc/ansible-role-nginx-config)
-# Create a basic NGINX App Protect WAF config file
-nginx_app_protect_conf_template_enable: false
-nginx_app_protect_conf_template:
-  template_file: nginx.conf.j2
-  out_file_name: nginx.conf
-  out_file_location: /etc/nginx/
-nginx_app_protect_demo_workload_protocol: http://
-nginx_app_protect_demo_workload_host: 10.1.1.1:8080
-nginx_app_protect_log_policy_syslog_target: 127.0.0.1:514  # DEPRECATED -- use nginx_app_protect_log_policy_target instead
-nginx_app_protect_log_policy_target: "syslog:server={{ nginx_app_protect_log_policy_syslog_target }}"
-
 # Copy local NGINX App Protect WAF security policy to host
 nginx_app_protect_security_policy_file_enable: false
 nginx_app_protect_security_policy_file_src: files/config/security-policy.json

molecule/advanced/verify.yml

@@ -34,35 +34,3 @@
       check_mode: true
       register: install
       failed_when: (install is changed) or (install is failed)
-
-    - name: Functional tests
-      block:
-        - name: Check if NGINX service is running
-          service:
-            name: nginx
-            state: started
-            enabled: true
-          check_mode: true
-          register: service
-          failed_when: (service is changed) or (service is failed)
-
-        - name: Check that a page returns a status 200 and fail if the words Hello World are not in the page contents
-          uri:
-            url: "http://localhost"
-            return_content: true
-          register: this
-          failed_when: "'Hello World' not in this.content"
-
-        - name: Check that a page returns a status 200 and fail if the words Request Rejected are not in the page contents
-          uri:
-            url: "http://localhost/?v=<script>"
-            return_content: true
-          register: this
-          failed_when: "'Request Rejected' not in this.content"
-
-        - name: Ensure /var/log/messages contains block event from above test
-          shell: grep -c "Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)" /var/log/messages || true
-          register: event
-          changed_when: false
-          failed_when: event.stdout == "0"
-      when: ansible_os_family != "Alpine"

molecule/default/verify.yml

@@ -43,15 +43,3 @@
       register: service
       failed_when: (service is changed) or (service is failed)
       when: ansible_os_family != "Alpine"
-
-    - name: Check that the security policy exists
-      stat:
-        path: /etc/app_protect/conf/app-protect-security-policy.json
-      register: stat_result
-      failed_when: not stat_result.stat.exists
-
-    - name: Check that the log policy exists
-      stat:
-        path: /etc/app_protect/conf/app-protect-log-policy.json
-      register: stat_result
-      failed_when: not stat_result.stat.exists

tasks/dos/install/install-redhat.yml

@@ -21,7 +21,6 @@
     gpgcheck: true
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
 
-
 - name: (CentOS/RHEL) Install NGINX App Protect DoS
   yum:
     name: "app-protect-dos"

tasks/waf/config/configure-app-protect-waf.yml

@@ -1,13 +1,4 @@
 ---
-- name: Ensure NGINX main directory exists
-  file:
-    path: "{{ nginx_app_protect_conf_template.out_file_location }}"
-    state: directory
-    mode: 0755
-  when: nginx_app_protect_security_policy_template_enable | bool
-        or nginx_app_protect_log_policy_template_enable | bool
-        or nginx_app_protect_conf_template_enable | bool
-
 - name: Copy NGINX App Protect WAF security policy file
   copy:
     src: "{{ nginx_app_protect_security_policy_file_src }}"
@@ -21,56 +12,3 @@
     dest: "{{ nginx_app_protect_log_policy_file_dst }}"
     mode: 0644
   when: nginx_app_protect_log_policy_file_enable | bool
-
-- name: Dynamically generate NGINX App Protect WAF security policy file
-  template:
-    src: "{{ nginx_app_protect_security_policy_template.template_file }}"
-    dest: "{{ nginx_app_protect_security_policy_template.out_file_location }}{{ nginx_app_protect_security_policy_template.out_file_name }}"
-    mode: 0644
-    backup: true
-  when: nginx_app_protect_security_policy_template_enable | bool
-  notify: (Handler - NGINX App Protect) Run NGINX
-
-- name: Dynamically generate NGINX App Protect WAF log policy file
-  template:
-    src: "{{ nginx_app_protect_log_policy_template.template_file }}"
-    dest: "{{ nginx_app_protect_log_policy_template.out_file_location }}{{ nginx_app_protect_log_policy_template.out_file_name }}"
-    mode: 0644
-    backup: true
-  when: nginx_app_protect_log_policy_template_enable | bool
-  notify: (Handler - NGINX App Protect) Run NGINX
-
-- name: (DEPRECATED) Backup existing nginx.conf
-  copy:
-    src: "{{ nginx_app_protect_conf_template.out_file_location }}{{ nginx_app_protect_conf_template.out_file_name }}"
-    dest: "{{ nginx_app_protect_conf_template.out_file_location }}{{ nginx_app_protect_conf_template.out_file_name }}.orig"
-    remote_src: true
-    mode: 0644
-  when: nginx_app_protect_conf_template_enable | bool
-  changed_when: false
-
-- name: (DEPRECATED) Dynamically generate nginx.conf file
-  template:
-    src: "{{ nginx_app_protect_conf_template.template_file }}"
-    dest: "{{ nginx_app_protect_conf_template.out_file_location }}{{ nginx_app_protect_conf_template.out_file_name }}"
-    mode: 0644
-  when:
-    - nginx_app_protect_conf_template_enable | bool
-    - nginx_app_protect_waf_state != "absent"
-  notify: (Handler - NGINX App Protect) Run NGINX
-
-- name: (DEPRECATED) Remove NGINX App Protect WAF
-  block:
-    - name: (DEPRECATED) Comment out NGINX App Protect module reference in nginx.conf
-      replace:
-        path: /etc/nginx/nginx.conf
-        regexp: '^([ \t]*load_module.*ngx_http_app_protect_module.so;)'
-        replace: '# \1'
-
-    - name: (DEPRECATED) Comment out NGINX App Protect WAF directives in nginx.conf
-      replace:
-        path: /etc/nginx/nginx.conf
-        regexp: '^([ \t]*app_protect_)'
-        replace: '# \1'
-      notify: (Handler - NGINX App Protect) Run NGINX
-  when: nginx_app_protect_waf_state == "absent"

tasks/waf/install/install-debian.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus license
   blockinfile:
     path: /etc/apt/apt.conf.d/90nginx