Refactor Ansible facts from dot to array notation (#237)

alessfg · web-flow · commit 3e4f94184964 · 2023-01-29T19:59:38.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@ FEATURES:
 
 * Validate that various role variables have been set to one of the allowed values.
 * Refactor how this role checks if your distribution is supported NGINX App Protect. The role will no longer fail if the  target distribution is not supported, instead, you will get a warning. This should help with the occasional lag between new releases of distributions and/or NGINX App Protect and this role being updated to support those releases. In addition, the role will also now check if your distribution's architecture is supported.
+* Refactor Ansible facts from dot to array notation to keep in with the standards set by the other roles in the Ansible NGINX core collection.
 * Add support for Debian bullseye for NGINX App Protect WAF.
 * Add support for Oracle Linux 7.x & 8.x for NGINX App Protect WAF.
 * Add support for RHEL 8.7.
diff --git a/molecule/common/cleanup.yml b/molecule/common/cleanup.yml
@@ -26,7 +26,7 @@
         - name: (RHEL) Unregister system from RHEL subscription manager
           community.general.redhat_subscription:
             state: absent
-          when: ansible_distribution == "RedHat"
+          when: ansible_facts['distribution'] == "RedHat"
       rescue:
         - name: It's ok we're at startup
           ansible.builtin.meta: noop
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -16,7 +16,7 @@
         username: "{{ lookup('env', 'RHEL_USERNAME') }}"
         password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
       when:
-        - ansible_distribution == "RedHat"
+        - ansible_facts['distribution'] == "RedHat"
         - rhel_subscription | bool
   tasks:
     - name: Install NGINX App Protect WAF
diff --git a/molecule/dos/converge.yml b/molecule/dos/converge.yml
@@ -16,7 +16,7 @@
         username: "{{ lookup('env', 'RHEL_USERNAME') }}"
         password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
       when:
-        - ansible_distribution == "RedHat"
+        - ansible_facts['distribution'] == "RedHat"
         - rhel_subscription| bool
   tasks:
     - name: Install NGINX App Protect DoS
diff --git a/molecule/specific-version/converge.yml b/molecule/specific-version/converge.yml
@@ -13,12 +13,12 @@
   tasks:
     - name: Set NGINX App Protect WAF signature version fact
       ansible.builtin.set_fact:
-        nginx_app_protect_waf_signatures_version: "{{ app_protect_signature_version_matrix[ansible_os_family | lower] }}{{ (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
+        nginx_app_protect_waf_signatures_version: "{{ app_protect_signature_version_matrix[ansible_facts['os_family'] | lower] }}{{ (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
       when: specify_app_protect_signatures_version | bool
 
     - name: Set NGINX App Protect WAF threat campaigns version fact
       ansible.builtin.set_fact:
-        nginx_app_protect_waf_threat_campaigns_version: "{{ app_protect_threat_campaigns_version_matrix[ansible_os_family | lower] }}{{ (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
+        nginx_app_protect_waf_threat_campaigns_version: "{{ app_protect_threat_campaigns_version_matrix[ansible_facts['os_family'] | lower] }}{{ (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
       when: specify_app_protect_threat_campaigns_version | bool
 
     - name: Install NGINX App Protect WAF
diff --git a/molecule/specific-version/verify.yml b/molecule/specific-version/verify.yml
@@ -60,8 +60,8 @@
 
         - name: Verify installed NAP signatures version matches requested version # noqa jinja[spacing]
           ansible.builtin.assert:
-            that: "{{ (ansible_facts.packages['app-protect-attack-signatures'] | map(attribute='version') | first) == (app_protect_signature_version_matrix[ansible_os_family | lower] | regex_replace('^-|=','') + (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '')) }}"
+            that: "{{ (ansible_facts['packages']['app-protect-attack-signatures'] | map(attribute='version') | first) == (app_protect_signature_version_matrix[ansible_facts['os_family'] | lower] | regex_replace('^-|=','') + (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_facts['distribution_release'], '')) }}"
 
         - name: Verify installed NAP threat campaigns version matches requested version # noqa jinja[spacing]
           ansible.builtin.assert:
-            that: "{{ (ansible_facts.packages['app-protect-threat-campaigns'] | map(attribute='version') | first) == (app_protect_threat_campaigns_version_matrix[ansible_os_family | lower] | regex_replace('^-|=','') + (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '')) }}"
+            that: "{{ (ansible_facts['packages']['app-protect-threat-campaigns'] | map(attribute='version') | first) == (app_protect_threat_campaigns_version_matrix[ansible_facts['os_family'] | lower] | regex_replace('^-|=','') + (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_facts['distribution_release'], '')) }}"
diff --git a/molecule/uninstall/prepare.yml b/molecule/uninstall/prepare.yml
@@ -34,7 +34,7 @@
         username: "{{ lookup('env', 'RHEL_USERNAME') }}"
         password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
       when:
-        - ansible_distribution == "RedHat"
+        - ansible_facts['distribution'] == "RedHat"
         - rhel_subscription| bool
   tasks:
     - name: Install NGINX App Protect WAF
@@ -54,5 +54,5 @@
       community.general.redhat_subscription:
         state: absent
       when:
-        - ansible_distribution == "RedHat"
+        - ansible_facts['distribution'] == "RedHat"
         - rhel_subscription | bool
diff --git a/tasks/common/config/configure-app-protect.yml b/tasks/common/config/configure-app-protect.yml
@@ -4,15 +4,15 @@
   block:
     - name: Ensure NGINX App Protect security policy directories exist
       ansible.builtin.file:
-        path: "{{ item.dest | default('/etc/app_protect/conf') | dirname }}"
+        path: "{{ item['dest'] | default('/etc/app_protect/conf') | dirname }}"
         state: directory
         mode: 0755
       loop: "{{ nginx_app_protect_security_policy_file }}"
 
     - name: Copy NGINX App Protect security policy files
       ansible.builtin.copy:
-        src: "{{ item.src }}"
-        dest: "{{ item.dest | default('/etc/app_protect/conf') }}"
+        src: "{{ item['src'] }}"
+        dest: "{{ item['dest'] | default('/etc/app_protect/conf') }}"
         backup: true
         mode: 0644
       loop: "{{ nginx_app_protect_security_policy_file }}"
@@ -22,15 +22,15 @@
   block:
     - name: Ensure NGINX App Protect log policy directories exist
       ansible.builtin.file:
-        path: "{{ item.dest | default('/etc/app_protect/conf') | dirname }}"
+        path: "{{ item['dest'] | default('/etc/app_protect/conf') | dirname }}"
         state: directory
         mode: 0755
       loop: "{{ nginx_app_protect_log_policy_file }}"
 
     - name: Copy NGINX App Protect log policy files
       ansible.builtin.copy:
-        src: "{{ item.src }}"
-        dest: "{{ item.dest | default('/etc/app_protect/conf') }}"
+        src: "{{ item['src'] }}"
+        dest: "{{ item['dest'] | default('/etc/app_protect/conf') }}"
         backup: true
         mode: 0644
       loop: "{{ nginx_app_protect_log_policy_file }}"
diff --git a/tasks/common/install/remove-license.yml b/tasks/common/install/remove-license.yml
@@ -4,11 +4,11 @@
     nginx_app_protect_license_status: absent
 
 - name: Delete NGINX App Protect WAF repository data
-  ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_os_family | lower }}.yml"
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_facts['os_family'] | lower }}.yml"
   when: nginx_app_protect_waf_enable | bool
 
 - name: Delete NGINX App Protect DoS repository data
-  ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_os_family | lower }}.yml"
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_facts['os_family'] | lower }}.yml"
   when: nginx_app_protect_dos_enable | bool
 
 - name: Delete NGINX App Protect license
diff --git a/tasks/common/install/setup-license.yml b/tasks/common/install/setup-license.yml
@@ -1,6 +1,6 @@
 ---
 - name: (Alpine Linux) Set up NGINX App Protect WAF/DoS license
-  when: ansible_os_family == "Alpine"
+  when: ansible_facts['os_family'] == "Alpine"
   block:
     - name: Install cryptography package
       ansible.builtin.package:
@@ -14,14 +14,14 @@
 
     - name: (Alpine Linux) Copy NGINX App Protect WAF/DoS certificate
       ansible.builtin.copy:
-        src: "{{ nginx_app_protect_license.certificate }}"
+        src: "{{ nginx_app_protect_license['certificate'] }}"
         dest: /etc/apk/cert.pem
         decrypt: true
         mode: 0444
 
     - name: (Alpine Linux) Copy NGINX App Protect WAF/DoS key
       ansible.builtin.copy:
-        src: "{{ nginx_app_protect_license.key }}"
+        src: "{{ nginx_app_protect_license['key'] }}"
         dest: /etc/apk/cert.key
         decrypt: true
         mode: 0444
@@ -45,7 +45,7 @@
         fail_msg: Something went wrong! Make sure your App Protect WAF/DoS license is valid!
 
 - name: (Debian/Red Hat OSs) Set up NGINX App Protect WAF/DoS license
-  when: ansible_os_family != "Alpine"
+  when: ansible_facts['os_family'] != "Alpine"
   block:
     - name: (Debian/Red Hat OSs) Create SSL directory
       ansible.builtin.file:
@@ -60,12 +60,12 @@
         decrypt: true
         mode: 0444
       loop:
-        - "{{ nginx_app_protect_license.certificate }}"
-        - "{{ nginx_app_protect_license.key }}"
+        - "{{ nginx_app_protect_license['certificate'] }}"
+        - "{{ nginx_app_protect_license['key'] }}"
 
     - name: (Debian/Red Hat OSs) Install cryptography package
       ansible.builtin.package:
-        name: "{{ (ansible_python.version.major == 3) | ternary('python3-cryptography', 'python2-cryptography') }}"
+        name: "{{ (ansible_python['version']['major'] == 3) | ternary('python3-cryptography', 'python2-cryptography') }}"
 
     - name: (Debian/Red Hat OSs) Check that NGINX App Protect WAF/DoS certificate is valid
       community.crypto.x509_certificate_info:
@@ -80,7 +80,7 @@
     - name: (Debian/Red Hat OSs) Check that NGINX App Protect WAF/DoS license is valid
       ansible.builtin.assert:
         that:
-          - cert.expired == false
-          - cert.public_key == key.public_key
+          - "{{ not cert['expired'] | bool }}"
+          - "{{ cert['public_key'] == key['public_key'] }}"
         success_msg: Your NGINX App Protect WAF/DoS license is valid!
         fail_msg: Something went wrong! Make sure your NGINX App Protect WAF/DoS license is valid!
diff --git a/tasks/common/keys/setup-keys.yml b/tasks/common/keys/setup-keys.yml
@@ -1,10 +1,10 @@
 ---
 - name: (Alpine Linux) Set up NGINX App Protect DoS signing key
-  when: ansible_os_family == "Alpine"
+  when: ansible_facts['os_family'] == "Alpine"
   block:
     - name: (Alpine Linux) Set up NGINX App Protect DoS signing key URL
       ansible.builtin.set_fact:
-        keysite: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_rsa_pub) }}"
+        keysite: "{{ nginx_app_protect_signing_key['nginx_plus'] | default(nginx_app_protect_default_signing_key_rsa_pub) }}"
 
     - name: (Alpine Linux) Download NGINX App Protect DoS signing key
       ansible.builtin.get_url:
@@ -13,27 +13,27 @@
         mode: 0400
 
 - name: (Debian/Ubuntu) Set up NGINX App Protect and security updates signing key
-  when: ansible_os_family == "Debian"
+  when: ansible_facts['os_family'] == "Debian"
   block:
     - name: (Debian/Ubuntu) Add NGINX Plus signing key
       ansible.builtin.apt_key:
         keyring: /usr/share/keyrings/nginx-archive-keyring.gpg
-        url: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_pgp) }}"
+        url: "{{ nginx_app_protect_signing_key['nginx_plus'] | default(nginx_app_protect_default_signing_key_pgp) }}"
 
     - name: (Debian/Ubuntu) Add NGINX App Protect security updates signing key
       ansible.builtin.apt_key:
         keyring: /usr/share/keyrings/nginx-archive-keyring.gpg
-        url: "{{ nginx_app_protect_waf_signing_key.waf_security_updates | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}"
+        url: "{{ nginx_app_protect_waf_signing_key['waf_security_updates'] | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}"
       when: (nginx_app_protect_waf_install_signatures | bool) or (nginx_app_protect_waf_install_threat_campaigns | bool)
 
 - name: (Amazon Linux/CentOS/RHEL) Set up NGINX App Protect and security updates signing key
-  when: ansible_os_family == "RedHat"
+  when: ansible_facts['os_family'] == "RedHat"
   block:
     - name: (CentOS/RHEL) Add NGINX Plus signing key
       ansible.builtin.rpm_key:
-        key: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_pgp) }}"
+        key: "{{ nginx_app_protect_signing_key['nginx_plus'] | default(nginx_app_protect_default_signing_key_pgp) }}"
 
     - name: (Amazon Linux/CentOS/RHEL) Add NGINX App Protect security updates signing key
       ansible.builtin.rpm_key:
-        key: "{{ nginx_app_protect_waf_signing_key.waf_security_updates | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}"
+        key: "{{ nginx_app_protect_waf_signing_key['waf_security_updates'] | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}"
       when: (nginx_app_protect_waf_install_signatures | bool) or (nginx_app_protect_waf_install_threat_campaigns | bool)
diff --git a/tasks/common/prerequisites/install-dependencies.yml b/tasks/common/prerequisites/install-dependencies.yml
@@ -4,28 +4,28 @@
     name: "{{ nginx_app_protect_alpine_dependencies }}"
     update_cache: true
     state: latest # noqa package-latest
-  when: ansible_os_family == "Alpine"
+  when: ansible_facts['os_family'] == "Alpine"
 
 - name: (Debian/Ubuntu) Install package dependencies
   ansible.builtin.apt:
     name: "{{ nginx_app_protect_debian_dependencies }}"
     update_cache: true
     state: latest # noqa package-latest
-  when: ansible_os_family == "Debian"
+  when: ansible_facts['os_family'] == "Debian"
 
 - name: (Amazon Linux) Set up Amazon Linux Extras repositories
   ansible.builtin.command: amazon-linux-extras enable {{ item }}
   changed_when: false
   loop: "{{ nginx_app_protect_amazon_extras }}"
-  when: ansible_distribution == "Amazon"
+  when: ansible_facts['distribution'] == "Amazon"
 
 - name: (Amazon Linux/CentOS/RHEL) Install package dependencies
-  when: ansible_os_family == "RedHat"
+  when: ansible_facts['os_family'] == "RedHat"
   block:
     - name: (Amazon Linux/CentOS/RHEL) Import EPEL GPG key
       ansible.builtin.rpm_key:
         state: present
-        key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ (ansible_distribution == 'Amazon') | ternary('7', ansible_distribution_major_version) }}
+        key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ (ansible_facts['distribution'] == 'Amazon') | ternary('7', ansible_facts['distribution_major_version']) }}
 
     - name: (Amazon Linux/CentOS/RHEL) Install package dependencies
       ansible.builtin.yum:
@@ -34,7 +34,7 @@
         state: latest # noqa package-latest
 
 - name: (RHEL) Set up RHEL specific repositories
-  when: ansible_distribution == "RedHat"
+  when: ansible_facts['distribution'] == "RedHat"
   block:
     - name: (RHEL 7) Set up RHEL dependencies from OSS repositories
       ansible.builtin.yum_repository:
@@ -46,7 +46,7 @@
         gpgkey: https://ftp.heanet.ie/pub/centos/7/os/$basearch/RPM-GPG-KEY-CentOS-7
         state: "{{ nginx_app_protect_license_status | default('present') }}"
       when:
-        - ansible_distribution_major_version == "7"
+        - ansible_facts['distribution_major_version'] is version('7', '==')
         - not nginx_app_protect_use_rhel_subscription_repos | bool
 
     - name: (RHEL 7 DoS) Set up RHEL NGINX App Protect DoS dependencies from OSS repositories
@@ -59,7 +59,7 @@
         gpgkey: http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7
         state: "{{ nginx_app_protect_license_status | default('present') }}"
       when:
-        - ansible_distribution_major_version == "7"
+        - ansible_facts['distribution_major_version'] is version('7', '==')
         - not nginx_app_protect_use_rhel_subscription_repos | bool
         - nginx_app_protect_dos_enable | bool
 
@@ -75,14 +75,14 @@
           - rhel-7-server-extras-rpms
           - rhel-ha-for-rhel-7-server-rpms
       when:
-        - ansible_distribution_major_version == "7"
+        - ansible_facts['distribution_major_version'] is version('7', '==')
         - nginx_app_protect_use_rhel_subscription_repos | bool
 
     - name: (RHEL 8) Set up RHEL dependencies from RHEL official repositories
       community.general.rhsm_repository:
         name: codeready-builder-for-rhel-8-x86_64-rpms
       when:
-        - ansible_distribution_major_version == "8"
+        - ansible_facts['distribution_major_version'] is version('8', '==')
         - nginx_app_protect_use_rhel_subscription_repos | bool
 
 - name: (Oracle Linux) Set up Oracle Linux specific repositories
@@ -92,4 +92,4 @@
     option: enabled
     value: 1
     mode: 0644
-  when: ansible_distribution == "OracleLinux"
+  when: ansible_facts['distribution'] == "OracleLinux"
diff --git a/tasks/common/prerequisites/setup-selinux.yml b/tasks/common/prerequisites/setup-selinux.yml
@@ -75,7 +75,7 @@
 - name: Import SELinux NGINX App Protect module
   ansible.builtin.command: semodule -i {{ nginx_app_protect_selinux_tempdir }}/nginx-app-protect-module.pp # noqa no-handler
   changed_when: false
-  when: nginx_app_protect_selinux_module.changed | bool
+  when: nginx_app_protect_selinux_module['changed'] | bool
 
 - name: Set SELinux mode to enforcing
   ansible.posix.selinux:
diff --git a/tasks/common/validate/validate.yml b/tasks/common/validate/validate.yml
@@ -29,10 +29,10 @@
 
 - name: Warn if installing NGINX App Protect on RHEL >7 without subscription details
   ansible.builtin.fail:
-    msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_distribution_version }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role and then set the 'nginx_app_protect_use_rhel_subscription_repos' variable to true.
+    msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_facts['distribution_version'] }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role and then set the 'nginx_app_protect_use_rhel_subscription_repos' variable to true.
   when:
-    - ansible_distribution == "RedHat"
-    - ansible_distribution_major_version is version('7', '>')
+    - ansible_facts['distribution'] == "RedHat"
+    - ansible_facts['distribution_major_version'] is version('7', '>')
     - not nginx_app_protect_use_rhel_subscription_repos | bool
   ignore_errors: true # noqa ignore-errors
 
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -21,12 +21,12 @@
   tags: nginx_app_protect_setup_license
 
 - name: "{{ nginx_app_protect_waf_setup | capitalize }} NGINX App Protect WAF"
-  ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_os_family | lower }}.yml"
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_facts['os_family'] | lower }}.yml"
   when: nginx_app_protect_waf_enable | bool
   tags: nginx_app_protect_install_app_protect_waf
 
 - name: "{{ nginx_app_protect_dos_setup | capitalize }} NGINX App Protect DoS"
-  ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_os_family | lower }}.yml"
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_facts['os_family'] | lower }}.yml"
   when: nginx_app_protect_dos_enable | bool
   tags: nginx_app_protect_install_app_protect_dos
 
diff --git a/tasks/waf/install-redhat.yml b/tasks/waf/install-redhat.yml
diff --git a/vars/main.yml b/vars/main.yml
