add static policy file deployment feature (#38)

aknot242 · web-flow · commit 72536bb40392 · 2020-10-12T08:01:32.000-07:00
* add static policy file deployment feature

* moving var conflict check into block

* create a default source

* missing var

* vars were not expanded

* added change note

* flattening file variables, add deprecation notice

* added variable checks

* pr feedback updates
diff --git a/.ansible-lint b/.ansible-lint
@@ -1,2 +1,3 @@
 skip_list:
 - '106'
+- '204'
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,12 +1,18 @@
 # Changelog
 
+
 ## 0.3.3 (Unreleased)
 
 ENHANCEMENTS:
 
 *   Add survey to README.
 *   Improve README structure and use tables where relevant.
 *   Update Ansible (now Ansible base) to `2.10.2`, Ansible (now Ansible Community Distribution) to `2.10.0`, and yamllint to `1.25.0`.
+*   Ability to deploy static security policy files via the `nginx_app_protect_security_policy_file_enable` and `nginx_app_protect_security_policy_file_*` variables. NOTE: `nginx_app_protect_configure` must be set to true.
+*   Ability to deploy static log policy files via the `nginx_app_protect_log_policy_file_enable` and `nginx_app_protect_log_policy_file_*` variables. NOTE: `nginx_app_protect_configure` must be set to true.
+
+DEPRECATION WARNING:
+*   The ability to dynamically create App Protect security and log policies via Jinja2 templates will be removed in a future release, as they weren't used much due to relative inflexibility. The `nginx_app_protect_security_policy_file_enable`, `nginx_app_protect_security_policy_file_*`, `nginx_app_protect_log_policy_file_enable` and `nginx_app_protect_log_policy_file_*` variables should be used instead of the `nginx_app_protect_*_policy_template*` variables. These new variables have been introduced in this release.
 
 ## 0.3.2 (September 30, 2020)
 
@@ -100,4 +106,4 @@ BUG FIXES:
 
 Supports App Protect 2.0, which brings a number of features including support for Ubuntu 18.04.
 
-Release notes for NGINX App Protect 2.0: docs.nginx.com/nginx-app-protect/releases/#release-2-0
+Release notes for NGINX App Protect 2.0: docs.nginx.com/nginx-app-protect/releases/#release-2-0
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -52,7 +52,8 @@ nginx_app_protect_timeout: 180
 # Creates basic configuration files and enables NGINX App Protect on the target host
 nginx_app_protect_configure: false
 
-# Create a basic NGINX App Protect security policy file
+## DEPRECATED -- Use nginx_app_protect_security_policy_enable and nginx_app_protect_security_policy_file_* variables instead
+# Create a basic NGINX App Protect security policy file based on a template
 nginx_app_protect_security_policy_template_enable: true
 nginx_app_protect_security_policy_template:
   template_file: app-protect-security-policy.j2
@@ -61,7 +62,8 @@ nginx_app_protect_security_policy_template:
 # possible values: transparent, blocking
 nginx_app_protect_security_policy_enforcement_mode: transparent
 
-# Create a basic NGINX App Protect log policy file
+## DEPRECATED -- Use nginx_app_protect_log_policy_file_enable and nginx_app_protect_log_policy_file_* variables instead
+# Create a basic NGINX App Protect log policy file based on a template
 nginx_app_protect_log_policy_template_enable: true
 nginx_app_protect_log_policy_template:
   template_file: app-protect-log-policy.j2
@@ -81,3 +83,13 @@ nginx_app_protect_demo_workload_protocol: http://
 nginx_app_protect_demo_workload_host: 10.1.1.1:8080
 nginx_app_protect_log_policy_syslog_target: 127.0.0.1:514  # DEPRECATED -- use nginx_app_protect_log_policy_target instead
 nginx_app_protect_log_policy_target: "syslog:server={{ nginx_app_protect_log_policy_syslog_target }}"
+
+# Copy local NGINX App Protect security policy to host
+nginx_app_protect_security_policy_file_enable: false
+nginx_app_protect_security_policy_file_src: files/config/security-policy.json
+nginx_app_protect_security_policy_file_dest: /etc/nginx/security-policy.json
+
+# Copy local NGINX App Protect log policy to host
+nginx_app_protect_log_policy_file_enable: false
+nginx_app_protect_log_policy_file_src: files/config/log-policy.json
+nginx_app_protect_log_policy_file_dest: /etc/nginx/log-policy.json
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
@@ -38,3 +38,15 @@
       check_mode: true
       register: service
       failed_when: (service is changed) or (service is failed)
+
+    - name: Check that the security policy exists
+      stat:
+        path: /etc/nginx/app-protect-security-policy.json
+      register: stat_result
+      failed_when: not stat_result.stat.exists
+
+    - name: Check that the log policy exists
+      stat:
+        path: /etc/nginx/app-protect-log-policy.json
+      register: stat_result
+      failed_when: not stat_result.stat.exists
diff --git a/tasks/config/configure-app-protect.yml b/tasks/config/configure-app-protect.yml
@@ -8,6 +8,20 @@
         or nginx_app_protect_log_policy_template_enable | bool
         or nginx_app_protect_conf_template_enable | bool
 
+- name: Copy NGINX App Protect security policy file
+  copy:
+    src: "{{ nginx_app_protect_security_policy_file_src }}"
+    dest: "{{ nginx_app_protect_security_policy_file_dst }}"
+    mode: 0644
+  when: nginx_app_protect_security_policy_file_enable | bool
+
+- name: Copy NGINX App Protect log policy file
+  copy:
+    src: "{{ nginx_app_protect_log_policy_file_src }}"
+    dest: "{{ nginx_app_protect_log_policy_file_dst }}"
+    mode: 0644
+  when: nginx_app_protect_log_policy_file_enable | bool
+
 - name: Dynamically generate NGINX App Protect security policy file
   template:
     src: "{{ nginx_app_protect_security_policy_template.template_file }}"
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -28,6 +28,35 @@
     msg: "NGINX App Protect is not supported on os family {{ ansible_facts['distribution'] }} version {{ ansible_facts['distribution_version'] }}"
   when: not supported_os
 
+- name: Check for conflicting config variables
+  block:
+    - name: Abort if there are conflicting security policy config variables
+      fail:
+        msg: "Conflicting variables: nginx_app_protect_security_policy_template_enable and nginx_app_protect_security_policy_file_enable cannot be truthy in the same play"
+      when: nginx_app_protect_security_policy_template_enable | bool and nginx_app_protect_security_policy_file_enable | bool
+
+    - name: Abort if there are conflicting log policy config variables
+      fail:
+        msg: "Conflicting variables: nginx_app_protect_log_policy_template_enable and nginx_app_protect_log_policy_file_enable cannot be truthy in the same play"
+      when: nginx_app_protect_log_policy_template_enable | bool and nginx_app_protect_log_policy_file_enable | bool
+
+    - name: Fail if variables for nginx_app_protect_security_policy_file_enable are not defined
+      assert:
+        that: ("{{ item }} is defined") and ("{{ item }} | length > 0")
+      loop:
+        - nginx_app_protect_security_policy_file_src
+        - nginx_app_protect_security_policy_file_dst
+      when: nginx_app_protect_security_policy_file_enable | bool
+
+    - name: Fail if variables for nginx_app_protect_log_policy_file_enable are not defined
+      assert:
+        that: ("{{ item }} is defined") and ("{{ item }} | length > 0")
+      loop:
+        - nginx_app_protect_log_policy_file_src
+        - nginx_app_protect_log_policy_file_dst
+      when: nginx_app_protect_log_policy_file_enable | bool
+  when: nginx_app_protect_configure | bool
+
 - name: Install NGINX App Protect
   block:
     - name: Install prerequisites

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`skip_list:`
`2`	`2`	`- '106'`
	`3`	`+- '204'`