Add 'nginx_app_protect_manage_repo' feature flag and defaults (#108)

Co-authored-by: Jurgen Verhasselt <[email protected]>

Author: sjugge

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## 0.5.1 (Unreleased)
 
+FEATURES:
+
+Add a `nginx_app_protect_manage_repo` feature flag which can be used to disable NGINX App Protect repo management by this role.
+
 ENHANCEMENTS:
 
 *   Replace Ansible base with Ansible core. Ansible core will be the "core" Ansible release moving forward from Ansible `2.11`.

defaults/main.yml

@@ -35,6 +35,12 @@ nginx_app_protect_install_threat_campaigns: true
 #   nginx_plus: https://cs.nginx.com/static/keys/nginx_signing.key
 #   security_updates: https://cs.nginx.com/static/keys/app-protect-security-updates.key
 
+# Specify whether or not you want to manage the NGINX App Protect repositories.
+# Using 'true' will manage NGINX App Protect repositories.
+# Using 'false' will not manage the NGINX App Protect repositories, allowing them to be managed through other means.
+# Default is true
+nginx_app_protect_manage_repo: true
+
 # (Optional) Specify repository for NGINX Plus.
 # Defaults are the official NGINX repositories.
 # nginx_plus_repository: deb [arch=amd64] https://pkgs.nginx.com/plus/debian buster nginx-plus

tasks/install/install-alpine.yml

@@ -5,22 +5,25 @@
     insertafter: EOF
     line: "{{ nginx_plus_repository | default(nginx_plus_default_repository_alpine) }}"
     state: "{{ nginx_license_status | default ('present') }}"
+  when: nginx_app_protect_manage_repo | bool
 
 - name: (Alpine Linux) {{ nginx_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect repository
   lineinfile:
     path: /etc/apk/repositories
     insertafter: EOF
     line: "{{ nginx_app_protect_repository | default(nginx_app_protect_default_repository_alpine) }}"
     state: "{{ nginx_license_status | default ('present') }}"
+  when: nginx_app_protect_manage_repo | bool
 
 - name: (Alpine Linux) {{ nginx_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect security updates repository
   lineinfile:
     path: /etc/apk/repositories
     insertafter: EOF
     line: "{{ nginx_app_protect_security_updates_repository | default(nginx_app_protect_security_updates_default_repository_alpine) }}"
     state: "{{ nginx_license_status | default ('present') }}"
-  when: nginx_app_protect_install_signatures | bool
-        or nginx_app_protect_install_threat_campaigns | bool
+  when:
+    - (nginx_app_protect_install_signatures | bool) or (nginx_app_protect_install_threat_campaigns | bool)
+    - nginx_app_protect_manage_repo | bool
 
 - name: (Alpine Linux) Install NGINX App Protect
   apk:

tasks/install/install-debian.yml

@@ -45,6 +45,7 @@
     mode: 0644
     update_cache: false
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
+  when: nginx_app_protect_manage_repo | bool
 
 - name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect repository
   apt_repository:
@@ -53,6 +54,7 @@
     mode: 0644
     update_cache: false
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
+  when: nginx_app_protect_manage_repo | bool
 
 - name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect security updates repository
   apt_repository:
@@ -61,8 +63,9 @@
     mode: 0644
     update_cache: false
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
-  when: nginx_app_protect_install_signatures | bool
-        or nginx_app_protect_install_threat_campaigns | bool
+  when:
+    - (nginx_app_protect_install_signatures | bool) or (nginx_app_protect_install_threat_campaigns | bool)
+    - nginx_app_protect_manage_repo | bool
 
 - name: (Debian/Ubuntu) Install NGINX App Protect
   apt:

tasks/install/install-redhat.yml

@@ -20,6 +20,7 @@
     enabled: true
     gpgcheck: true
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
+  when: nginx_app_protect_manage_repo | bool
 
 - name: (CentOS/RHEL) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect security updates repository
   yum_repository:
@@ -31,8 +32,9 @@
     enabled: true
     gpgcheck: true
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
-  when: nginx_app_protect_install_signatures | bool
-        or nginx_app_protect_install_threat_campaigns | bool
+  when:
+    - (nginx_app_protect_install_signatures | bool) or (nginx_app_protect_install_threat_campaigns | bool)
+    - nginx_app_protect_manage_repo | bool
 
 - name: (CentOS/RHEL) Install NGINX App Protect
   yum: