NAP 3.3 updates (#112)

aknot242 · web-flow · commit 214cdfcc4b46 · 2021-07-13T01:31:53.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 FEATURES:
 
 *   Add support for NGINX App Protect DoS (Denial of Service) product. The `nginx_app_protect_dos_enable` variable must be set to `true` in order to install NGINX App Protect DoS.
+*   Add support for NGINX App Protect WAF on Amazon Linux 2 (requires NGINX App Protect 3.3).
 *   Add a `nginx_app_protect_manage_repo` feature flag which can be used to disable NGINX App Protect repo management by this role.
 
 ENHANCEMENTS:
diff --git a/README.md b/README.md
@@ -65,7 +65,7 @@ The NGINX App Protect Ansible role supports all platforms supported by [NGINX Pl
 ```yaml
 Alpine:
   - 3.10
-name: Amazon Linux 2
+Amazon Linux 2:
   - any
 CentOS:
   - 7.4+
diff --git a/molecule/Dockerfile.j2 b/molecule/Dockerfile.j2
@@ -25,7 +25,7 @@ RUN \
     && dnf clean all; \
   elif [ $(command -v yum) ]; then \
     yum makecache fast \
-    && yum install -y bash iproute sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl \
+    && yum install -y bash iproute sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl initscripts \
     && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf \
     && yum clean all; \
   elif [ $(command -v zypper) ]; then \
diff --git a/molecule/advanced/molecule.yml b/molecule/advanced/molecule.yml
@@ -39,8 +39,8 @@ platforms:
       - nap
     networks:
       - name: molecule-test
-  - name: ubuntu-bionic
-    image: ubuntu:bionic
+  - name: debian-buster
+    image: debian:buster-slim
     dockerfile: ../Dockerfile.j2
     privileged: true
     volumes:
@@ -50,8 +50,8 @@ platforms:
       - nap
     networks:
       - name: molecule-test
-  - name: ubuntu-focal
-    image: ubuntu:focal
+  - name: ubuntu-bionic
+    image: ubuntu:bionic
     dockerfile: ../Dockerfile.j2
     privileged: true
     volumes:
@@ -61,8 +61,8 @@ platforms:
       - nap
     networks:
       - name: molecule-test
-  - name: debian-buster
-    image: debian:buster-slim
+  - name: ubuntu-focal
+    image: ubuntu:focal
     dockerfile: ../Dockerfile.j2
     privileged: true
     volumes:
diff --git a/molecule/advanced/prepare.yml b/molecule/advanced/prepare.yml
@@ -17,22 +17,6 @@
         force: false
         mode: 0444
 
-- name: Install NGINX Plus on Alpine
-  hosts: nap
-  tasks:
-    - name: Set up NGINX Plus on Alpine for NAP 3.2 issue workaround (remove in versions > 3.2)
-      include_role:
-        name: nginxinc.nginx
-      vars:
-        nginx_enable: true
-        nginx_start: true
-        nginx_type: plus
-        nginx_remove_license: false
-        nginx_license:
-          certificate: ../../files/license/nginx-repo.crt
-          key: ../../files/license/nginx-repo.key
-      when: ansible_os_family == "Alpine"
-
 - name: Set up rsyslog server for verifying NAP syslog events
   hosts: nap
   tasks:
@@ -51,3 +35,19 @@
     - name: Start nginx on test workload
       raw: nohup nginx </dev/null >/dev/null 2>&1 & sleep 1
       changed_when: false
+
+- name: Install NGINX Plus on Alpine
+  hosts: nap
+  tasks:
+    - name: Set up NGINX Plus on Alpine for NAP 3.2/3.3 issue workaround (remove in versions > 3.3)
+      include_role:
+        name: nginxinc.nginx
+      vars:
+        nginx_enable: true
+        nginx_start: true
+        nginx_type: plus
+        nginx_remove_license: false
+        nginx_license:
+          certificate: ../../files/license/nginx-repo.crt
+          key: ../../files/license/nginx-repo.key
+      when: ansible_os_family == "Alpine"
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -17,36 +17,43 @@ platforms:
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/sbin/init"
+  - name: amazonlinux-2
+    image: amazonlinux:2
+    dockerfile: ../Dockerfile.j2
+    privileged: true
+    volumes:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+    command: "/usr/sbin/init"
   - name: centos-7
     image: centos:7
     dockerfile: ../Dockerfile.j2
     privileged: true
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/usr/sbin/init"
-  - name: ubuntu-bionic
-    image: ubuntu:bionic
+  - name: debian-stretch
+    image: debian:stretch-slim
     dockerfile: ../Dockerfile.j2
     privileged: true
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/sbin/init"
-  - name: ubuntu-focal
-    image: ubuntu:focal
+  - name: debian-buster
+    image: debian:buster-slim
     dockerfile: ../Dockerfile.j2
     privileged: true
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/sbin/init"
-  - name: debian-stretch
-    image: debian:stretch-slim
+  - name: ubuntu-bionic
+    image: ubuntu:bionic
     dockerfile: ../Dockerfile.j2
     privileged: true
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/sbin/init"
-  - name: debian-buster
-    image: debian:buster-slim
+  - name: ubuntu-focal
+    image: ubuntu:focal
     dockerfile: ../Dockerfile.j2
     privileged: true
     volumes:
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
@@ -20,7 +20,7 @@
 - name: Install NGINX Plus on Alpine
   hosts: all
   tasks:
-    - name: Set up NGINX Plus on Alpine for NAP 3.2 issue workaround (remove in versions > 3.2)
+    - name: Set up NGINX Plus on Alpine for NAP 3.2/3.3 issue workaround (remove in versions > 3.3)
       include_role:
         name: nginxinc.nginx
       vars:
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
@@ -9,7 +9,6 @@
       check_mode: true
       register: install
       failed_when: (install is changed) or (install is failed)
-      when: ansible_os_family != "Alpine"
 
     - name: Check if NGINX App Protect WAF is installed
       package:
diff --git a/molecule/specific-version/molecule.yml b/molecule/specific-version/molecule.yml
@@ -8,7 +8,7 @@ driver:
 lint: |
   set -e
   yamllint .
-  ansible-lint . --force-color
+  ansible-lint --force-color
 platforms:
   - name: alpine-3.10
     image: alpine:3.10
@@ -24,29 +24,29 @@ platforms:
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/usr/sbin/init"
-  - name: ubuntu-bionic
-    image: ubuntu:bionic
+  - name: debian-stretch
+    image: debian:stretch-slim
     dockerfile: ../Dockerfile.j2
     privileged: true
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/sbin/init"
-  - name: ubuntu-focal
-    image: ubuntu:focal
+  - name: debian-buster
+    image: debian:buster-slim
     dockerfile: ../Dockerfile.j2
     privileged: true
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/sbin/init"
-  - name: debian-stretch
-    image: debian:stretch-slim
+  - name: ubuntu-bionic
+    image: ubuntu:bionic
     dockerfile: ../Dockerfile.j2
     privileged: true
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/sbin/init"
-  - name: debian-buster
-    image: debian:buster-slim
+  - name: ubuntu-focal
+    image: ubuntu:focal
     dockerfile: ../Dockerfile.j2
     privileged: true
     volumes:
diff --git a/molecule/specific-version/prepare.yml b/molecule/specific-version/prepare.yml
@@ -20,7 +20,7 @@
 - name: Install NGINX Plus on Alpine
   hosts: all
   tasks:
-    - name: Set up NGINX Plus on Alpine for NAP 3.2 issue workaround (remove in versions > 3.2)
+    - name: Set up NGINX Plus on Alpine for NAP 3.2/3.3 issue workaround (remove in versions > 3.3)
       include_role:
         name: nginxinc.nginx
       vars:
diff --git a/tasks/common/keys/setup-keys.yml b/tasks/common/keys/setup-keys.yml
@@ -1,5 +1,5 @@
 ---
-- name: (Alpine Linux) Set up App Protect and security updates signing keys
+- name: (Alpine Linux) Set up NGINX App Protect and security updates signing key
   block:
     - name: (Alpine Linux) Download NGINX signing key
       get_url:
@@ -14,7 +14,7 @@
         mode: 0400
   when: ansible_os_family == "Alpine"
 
-- name: (Debian/Ubuntu) Set up App Protect and security updates signing keys
+- name: (Debian/Ubuntu) Set up NGINX App Protect and security updates signing key
   block:
     - name: (Debian/Ubuntu) Add NGINX Plus signing key
       apt_key:
@@ -25,13 +25,13 @@
         url: "{{ nginx_app_protect_signing_key.security_updates | default(nginx_app_protect_security_updates_default_signing_key_pgp) }}"
   when: ansible_os_family == "Debian"
 
-- name: (CentOS/RHEL) Set up App Protect and security updates signing keys
+- name: (Amazon Linux/CentOS/RHEL) Set up NGINX App Protect and security updates signing key
   block:
     - name: (CentOS/RHEL) Add NGINX Plus signing key
       rpm_key:
         key: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_pgp) }}"
 
-    - name: (CentOS/RHEL) Add NGINX App Protect security updates signing key
+    - name: (Amazon Linux/CentOS/RHEL) Add NGINX App Protect security updates signing key
       rpm_key:
         key: "{{ nginx_app_protect_signing_key.security_updates | default(nginx_app_protect_security_updates_default_signing_key_pgp) }}"
   when: ansible_os_family == "RedHat"
diff --git a/tasks/common/prerequisites/install-dependencies.yml b/tasks/common/prerequisites/install-dependencies.yml
@@ -1,18 +1,25 @@
 ---
-- name: (Debian/Ubuntu) Install dependencies
+- name: (Alpine Linux) Install package dependencies
+  apk:
+    name: "{{ nginx_app_protect_alpine_dependencies }}"
+    update_cache: true
+  ignore_errors: "{{ ansible_check_mode }}"
+  when: ansible_os_family == "Alpine"
+
+- name: (Debian/Ubuntu) Install package dependencies
   apt:
     name: "{{ nginx_app_protect_debian_dependencies }}"
     update_cache: true
   when: ansible_os_family == "Debian"
 
-- name: (CentOS) Install dependencies
+- name: (CentOS) Install package dependencies
   yum:
     name: "{{ nginx_app_protect_centos_dependencies }}"
   when: ansible_distribution == "CentOS"
 
 - name: (RHEL) Install dependencies
   block:
-    - name: (RHEL) Install packages
+    - name: (RHEL) Install package dependencies
       yum:
         name: "{{ nginx_app_protect_rhel_dependencies }}"
 
@@ -28,10 +35,28 @@
         state: "{{ nginx_app_protect_license_status | default ('present') }}"
       when: not nginx_app_protect_use_rhel_subscription_repos | bool
 
-    - name: (RHEL) Install dependencies from your RHEL subscription
+    - name: (RHEL) Install package dependencies from your RHEL subscription
       yum:
         name:
           - rhel-7-server-optional-rpms
           - rhel-7-server-rpms
       when: nginx_app_protect_use_rhel_subscription_repos | bool
   when: ansible_distribution == "RedHat"
+
+- name: (Amazon Linux) Install dependencies
+  block:
+    - name: (Amazon Linux) Enable amazon-linux-extras packages
+      command: "amazon-linux-extras enable {{ item }}"
+      changed_when: false
+      loop: "{{ nginx_app_protect_amazon_extras_packages }}"
+
+    - name: (Amazon Linux) Clean Yum Metadata
+      command: yum clean metadata
+      changed_when: false
+      args:
+        warn: false
+
+    - name: (Amazon Linux) Install package dependencies
+      yum:
+        name: "{{ nginx_app_protect_amazon_dependencies }}"
+  when: ansible_distribution == "Amazon"
diff --git a/tasks/common/prerequisites/validate-supported-os.yml b/tasks/common/prerequisites/validate-supported-os.yml
@@ -6,7 +6,7 @@
         supported_os_waf: true
       when:
         - ansible_distribution | lower in item.key
-        - ansible_distribution_version | regex_search('\\d+\\.?\\d+') in item.value
+        - ansible_distribution_version | regex_search('\\d+\\.?\\d*') in item.value
       loop: "{{ query('dict', nginx_app_protect_waf_linux_families) }}"
 
     - name: (WAF) Set supported_os_waf to false if fact not defined
diff --git a/tasks/waf/install/install-redhat.yml b/tasks/waf/install/install-redhat.yml
@@ -1,8 +1,9 @@
 ---
-- name: (CentOS/RHEL) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus repository
+- name: (Amazon Linux/CentOS/RHEL) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus repository
   yum_repository:
     name: nginx-plus
-    baseurl: "{{ nginx_plus_repository | default(nginx_plus_default_repository_redhat) }}"
+    baseurl: "{{ nginx_plus_repository |
+              default(lookup('vars', 'nginx_plus_default_repository_' + ((ansible_facts['distribution'] == 'Amazon') | ternary('amazon', 'redhat')))) }}"
     description: NGINX Plus repository
     sslclientcert: /etc/ssl/nginx/nginx-repo.crt
     sslclientkey: /etc/ssl/nginx/nginx-repo.key
@@ -11,10 +12,11 @@
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
   when: nginx_app_protect_manage_repo | bool
 
-- name: (CentOS/RHEL) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect WAF repository
+- name: (Amazon Linux/CentOS/RHEL) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect WAF repository
   yum_repository:
     name: nginx-app-protect
-    baseurl: "{{ nginx_app_protect_repository | default(nginx_app_protect_default_repository_redhat) }}"
+    baseurl: "{{ nginx_app_protect_repository |
+              default(lookup('vars', 'nginx_app_protect_default_repository_' + ((ansible_facts['distribution'] == 'Amazon') | ternary('amazon', 'redhat')))) }}"
     description: NGINX App Protect repository
     sslclientcert: /etc/ssl/nginx/nginx-repo.crt
     sslclientkey: /etc/ssl/nginx/nginx-repo.key
@@ -23,10 +25,11 @@
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
   when: nginx_app_protect_manage_repo | bool
 
-- name: (CentOS/RHEL) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect WAF security updates repository
+- name: (Amazon Linux/CentOS/RHEL) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect WAF security updates repository
   yum_repository:
     name: nginx-app-protect-security-updates
-    baseurl: "{{ nginx_app_protect_security_updates_repository | default(nginx_app_protect_security_updates_default_repository_redhat) }}"
+    baseurl: "{{ nginx_app_protect_security_updates_repository |
+              default(lookup('vars', 'nginx_app_protect_security_updates_default_repository_' + ((ansible_facts['distribution'] == 'Amazon') | ternary('amazon', 'redhat')))) }}"
     description: NGINX App Protect security updates repository
     sslclientcert: /etc/ssl/nginx/nginx-repo.crt
     sslclientkey: /etc/ssl/nginx/nginx-repo.key
@@ -37,7 +40,7 @@
     - (nginx_app_protect_install_signatures | bool) or (nginx_app_protect_install_threat_campaigns | bool)
     - nginx_app_protect_manage_repo | bool
 
-- name: (CentOS/RHEL) Install NGINX App Protect WAF
+- name: (Amazon Linux/CentOS/RHEL) Install NGINX App Protect WAF
   yum:
     name: "app-protect"
     state: "{{ nginx_app_protect_waf_state }}"
@@ -47,7 +50,7 @@
   when: nginx_license_status is not defined
   notify: (Handler - NGINX App Protect) Run NGINX
 
-- name: (CentOS/RHEL) Install NGINX App Protect WAF signatures {{ nginx_app_protect_signatures_version is defined | ternary(nginx_app_protect_signatures_version, '') }}
+- name: (Amazon Linux/CentOS/RHEL) Install NGINX App Protect WAF signatures {{ nginx_app_protect_signatures_version is defined | ternary(nginx_app_protect_signatures_version, '') }}
   yum:
     name: "app-protect-attack-signatures{{ nginx_app_protect_signatures_version | default('') }}"
     state: "{{ nginx_app_protect_waf_state }}"
@@ -59,7 +62,7 @@
     - nginx_license_status is not defined
   notify: (Handler - NGINX App Protect) Run NGINX
 
-- name: (CentOS/RHEL) Install NGINX App Protect WAF threat campaigns {{ nginx_app_protect_threat_campaigns_version is defined | ternary(nginx_app_protect_threat_campaigns_version, '') }}
+- name: (Amazon Linux/CentOS/RHEL) Install NGINX App Protect WAF threat campaigns {{ nginx_app_protect_threat_campaigns_version is defined | ternary(nginx_app_protect_threat_campaigns_version, '') }}
   yum:
     name: "app-protect-threat-campaigns{{ nginx_app_protect_threat_campaigns_version | default('') }}"
     state: "{{ nginx_app_protect_waf_state }}"
diff --git a/vars/main.yml b/vars/main.yml
