nginxinc
diff --git a/‎CHANGELOG.md
Lines changed: 6 additions & 0 deletions b/‎CHANGELOG.md
Lines changed: 6 additions & 0 deletions
diff --git a/‎defaults/main.yml
Lines changed: 8 additions & 6 deletions b/‎defaults/main.yml
Lines changed: 8 additions & 6 deletions
diff --git a/‎molecule/default/converge.yml
Lines changed: 8 additions & 1 deletion b/‎molecule/default/converge.yml
Lines changed: 8 additions & 1 deletion
diff --git a/‎molecule/default/files/test-log-profile.json
Lines changed: 10 additions & 0 deletions b/‎molecule/default/files/test-log-profile.json
Lines changed: 10 additions & 0 deletions
diff --git a/‎molecule/default/files/test-security-policy.json
Lines changed: 8 additions & 0 deletions b/‎molecule/default/files/test-security-policy.json
Lines changed: 8 additions & 0 deletions
diff --git a/‎molecule/default/verify.yml
Lines changed: 18 additions & 0 deletions b/‎molecule/default/verify.yml
Lines changed: 18 additions & 0 deletions
diff --git a/‎molecule/dos/molecule.yml
Lines changed: 0 additions & 5 deletions b/‎molecule/dos/molecule.yml
Lines changed: 0 additions & 5 deletions
diff --git a/‎molecule/dos/prepare.yml
Lines changed: 0 additions & 21 deletions b/‎molecule/dos/prepare.yml
Lines changed: 0 additions & 21 deletions
diff --git a/‎molecule/dos/requirements.yml
Lines changed: 0 additions & 4 deletions b/‎molecule/dos/requirements.yml
Lines changed: 0 additions & 4 deletions
diff --git a/‎tasks/common/config/configure-app-protect.yml
Lines changed: 36 additions & 0 deletions b/‎tasks/common/config/configure-app-protect.yml
Lines changed: 36 additions & 0 deletions
@@ -1,5 +1,11 @@
 # Changelog
 
+## 0.7.0 (Unreleased)
+
+BREAKING CHANGES:
+
+Refactor how `nginx_app_protect_*_policy_file*` variables work. You can now specify a list of both `security` and `log` policies for both NGINX App Protect WAF and NGINX App Protect DoS.
+
 ## 0.6.2 (October 25, 2021)
 
 ENHANCEMENTS:
 
@@ -92,12 +92,14 @@ nginx_app_protect_timeout: 180
 # Creates basic configuration files and enables NGINX App Protect WAF on the target host
 nginx_app_protect_configure: false
 
-# Copy local NGINX App Protect WAF security policy to host
+# Copy local NGINX App Protect security policy to host
 nginx_app_protect_security_policy_file_enable: false
-nginx_app_protect_security_policy_file_src: files/config/security-policy.json
-nginx_app_protect_security_policy_file_dest: /etc/app_protect/conf/security-policy.json
+nginx_app_protect_security_policy_file:
+  - src: files/config/security-policy.json
+    dest: /etc/app_protect/conf/security-policy.json
 
-# Copy local NGINX App Protect WAF log policy to host
+# Copy local NGINX App Protect log policy to host
 nginx_app_protect_log_policy_file_enable: false
-nginx_app_protect_log_policy_file_src: files/config/log-policy.json
-nginx_app_protect_log_policy_file_dest: /etc/app_protect/conf/log-policy.json
+nginx_app_protect_log_policy_file:
+  - src: files/config/log-policy.json
+    dest: /etc/app_protect/conf/log-policy.json
@@ -13,4 +13,11 @@
         nginx_app_protect_install_signatures: true
         nginx_app_protect_install_threat_campaigns: true
         nginx_app_protect_configure: true
-        nginx_app_protect_conf_template_enable: false
+        nginx_app_protect_security_policy_file_enable: true
+        nginx_app_protect_security_policy_file:
+          - src: files/test-security-policy.json
+            dest: /etc/app_protect/conf/test-security-policy.json
+        nginx_app_protect_log_policy_file_enable: true
+        nginx_app_protect_log_policy_file:
+          - src: files/test-log-profile.json
+            dest: /etc/app_protect/conf/test-log-profile.json
@@ -0,0 +1,10 @@
+{
+    "filter": {
+        "request_type": "all"
+    },
+    "content": {
+        "format": "splunk",
+        "max_request_size": "any",
+        "max_message_size": "10k"
+    }
+}
@@ -0,0 +1,8 @@
+{
+    "policy" : {
+        "name": "app_protect_default_policy",
+        "template": {
+            "name": "POLICY_TEMPLATE_NGINX_BASE"
+        }
+    }
+}
@@ -43,3 +43,21 @@
       register: service
       failed_when: (service is changed) or (service is failed)
       when: ansible_os_family != "Alpine"
+
+    - name: Store the statistics of /etc/app_protect/conf/test-security-policy.json in the 'security_policy' variable
+      stat:
+        path: /etc/app_protect/conf/test-security-policy.json
+      register: security_policy
+
+    - name: Ensure /etc/app_protect/conf/test-security-policy.json exists
+      assert:
+        that: security_policy.stat.exists | bool
+
+    - name: Store the statistics of /etc/app_protect/conf/test-log-profile.json in the 'log_profile' variable
+      stat:
+        path: /etc/app_protect/conf/test-log-profile.json
+      register: log_profile
+
+    - name: Ensure /etc/app_protect/conf/test-security-profile.json exists
+      assert:
+        that: log_profile.stat.exists | bool
@@ -1,8 +1,4 @@
 ---
-dependency:
-  name: galaxy
-  options:
-    role-file: molecule/dos/requirements.yml
 driver:
   name: docker
 lint: |
@@ -41,6 +37,5 @@ platforms:
 provisioner:
   name: ansible
   playbooks:
-    prepare: prepare.yml
     converge: converge.yml
     verify: verify.yml
@@ -16,24 +16,3 @@
         dest: ../../files/license/nginx-repo.key
         force: false
         mode: 0444
-
-- name: Install NGINX Plus R24 to avoid dependency issues
-  hosts: all
-  tasks:
-    - name: Set repo if Debian
-      set_fact:
-        version: "=24-2~{{ ansible_distribution_release }}"
-      when: ansible_os_family == "Debian"
-    - name: Set repo if Red Hat
-      set_fact:
-        version: "-24-2.{{ (ansible_distribution =='Amazon') | ternary('amzn2', ('el' + ansible_distribution_major_version | string)) }}.ngx"
-      when: ansible_os_family == "RedHat"
-    - name: Install NGINX Plus R24 to avoid dependency issues
-      include_role:
-        name: nginxinc.nginx
-      vars:
-        nginx_type: plus
-        nginx_version: "{{ version }}"
-        nginx_license:
-          certificate: ../../files/license/nginx-repo.crt
-          key: ../../files/license/nginx-repo.key
@@ -0,0 +1,36 @@
+---
+- name: Copy NGINX App Protect security policy files
+  block:
+    - name: Ensure NGINX App Protect security policy directories exist
+      file:
+        path: "{{ item.dest | default('/etc/app_protect/conf') | dirname }}"
+        state: directory
+        mode: 0755
+      loop: "{{ nginx_app_protect_security_policy_file }}"
+
+    - name: Copy NGINX App Protect security policy files
+      copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest | default('/etc/app_protect/conf') }}"
+        backup: true
+        mode: 0644
+      loop: "{{ nginx_app_protect_security_policy_file }}"
+  when: nginx_app_protect_security_policy_file_enable | bool
+
+- name: Copy NGINX App Protect log policy files
+  block:
+    - name: Ensure NGINX App Protect log policy directories exist
+      file:
+        path: "{{ item.dest | default('/etc/app_protect/conf') | dirname }}"
+        state: directory
+        mode: 0755
+      loop: "{{ nginx_app_protect_log_policy_file }}"
+
+    - name: Copy NGINX App Protect log policy files
+      copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest | default('/etc/app_protect/conf') }}"
+        backup: true
+        mode: 0644
+      loop: "{{ nginx_app_protect_log_policy_file }}"
+  when: nginx_app_protect_log_policy_file_enable  | bool