Multiple optimizations (#26)

Author: alessfg

.travis.yml

@@ -1,13 +1,12 @@
 ---
-# safelist - build only on the following branches
+language: python
+services: docker
 branches:
   only:
     - main
-language: python
-services: docker
 jobs:
   include:
-    - name: "Lint role"
+    - name: Deploy NGINX App Protect
       env:
         scenario: default
 before_install:
@@ -17,11 +16,11 @@ before_install:
   - sudo apt-get -y -o Dpkg::Options::="--force-confnew" install docker-ce
 install:
   - pip install ansible==2.9.13
-  - pip install ansible-lint==4.3.4
+  - pip install ansible-lint==4.3.5
   - pip install yamllint==1.24.2
   - pip install molecule==3.0.8
   - pip install docker==4.3.1
 script:
-  - molecule test -s $scenario
+  - travis_wait 50 molecule test -s $scenario
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/

CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## 0.3.0 (September 21, 2020)
+
+DEPRECATION WARNING:
+
+*   The ability to create an NGINX config including some basic App Protect directives has migrated to the NGINX config role available [here](https://github.com/nginxinc/ansible-role-nginx-config). Any new issues or PRs related to configuring NGINX App Protect directives should be submitted in the new NGINX Config repository. New issues or PRs related to configuring NGINX App Protect directives submitted in this repository will not be worked on. The NGINX App Protect directives configuration functionalities included in this role will be removed in an upcoming release.
+
+FEATURES:
+
+*   A new variable has been introduced:
+    *   `nginx_app_protect_setup_license` -- Determine whether you want to use this role to upload your NGINX App Protect license to your target host.
+
+ENHANCEMENTS:
+
+*   Switch to using `ansible_facts` wherever possible.
+*   Simplified overall role structure by:
+    *   Reducing signing key setup tasks to a single file.
+    *   Merging all install steps to a single file.
+*   Added handlers to check for NGINX syntax validity and fail if any errors are detected.
+*   Update Ansible Lint to `4.3.5`.
+
 ## 0.2.2 (September 15, 2020)
 
 ENHANCEMENTS:
@@ -24,17 +44,17 @@ BREAKING CHANGES:
 *   All of the variables have been updated to prevent naming collisions when using other roles. Please see README.MD for new variable names.
 *   Example playbook has been removed by collection authors in favor of using the Molecule configuration as a 'known-working' implementation.
 
+FEATURES:
+
+*   Molecule 3 testing foundation is in the project, and linting is being performed by TravisCI. Now time to write tests!
+
 ENHANCEMENTS:
 
 *   Huge refactoring by @alessfg to better unify this role with the structures present in the other nginxinc Ansible roles.
-*   Update Ansible to 2.9.13 and Ansible Lint to 4.3.4.
+*   Update Ansible to `2.9.13` and Ansible Lint to `4.3.4`.
 *   Explicitly defined mode in relevant tasks for breaking changes in Ansible.
 *   Role refactored to separate install and configure operations in preparation for an upcoming role split.
 
-FEATURES:
-
-*   Molecule 3 testing foundation is in the project, and linting is being performed by TravisCI. Now time to write tests!
-
 BUG FIXES:
 
 *   The CentOS, RHEL, Debian and Ubuntu repositories have slightly changed to respond to a NAP repository deprecation activity. You may run into some duplication issues when running the role on a preexisting target that already has had NGINX installed using the role. To fix this, manually remove the old repository source.

README.md

@@ -26,8 +26,8 @@ Molecule is used to test the various functionalities of the role. Instructions o
 To run the Molecule tests, you must first add your NGINX repository certificate and key to the local environment. Run the following commands to export these files as base64-encoded variables and execute the Molecule tests:
 
 ``` bash
-export NGINX_CRT=$( cat <path to your certificate file> | base64)
-export NGINX_KEY=$( cat <path to your key file> | base64)
+export NGINX_CRT=$( cat <path to your certificate file> | base64 )
+export NGINX_KEY=$( cat <path to your key file> | base64 )
 molecule test
 ```
 
@@ -83,7 +83,7 @@ Example Playbook
 
 A working functional playbook example can be found in the **`molecule/default`** directory in the following file:
 
--   **[molecule/default/converge.yml](https://github.com/nginxinc/ansible-role-nginx-app_protect/blob/main/molecule/default/converge.yml):** Install and configure NGINX App Protect
+-   **[molecule/default/converge.yml](https://github.com/nginxinc/ansible-role-nginx-app-protect/blob/main/molecule/default/converge.yml):** Install and configure NGINX App Protect
 
 Other NGINX Roles
 -----------------

defaults/main.yml

@@ -7,69 +7,75 @@
 # Default is present.
 nginx_app_protect_state: present
 
-# # OPTIONAL: Installs a specific version of NGINX App Protect
+# (Optional) Installs a specific version of NGINX App Protect
+# Default is to install the latest release.
 # nginx_app_protect_version: 22
 
+# If you have a RHEL subscription, NGINX App Protect's dependencies will use subscription repos.
+# Otherwise, it will source packages from CentOS' repositories.
+# Default is false.
+nginx_app_protect_use_rhel_subscription_repos: false
+
 # The installation of NGINX App Protect includes a base signature set, which may be out of date.
 # This option installs the latest NGINX App Protect signatures.
+# Default is true.
 nginx_app_protect_install_signatures: true
 
-# The installation of NGINX App Protect can include a page of frequently-updated, high-accuracy signatures called Threat Campaigns.
-# This option installs the latest NGINX App Protect Threat Campaigns signatures.
-nginx_app_protect_install_threat_campaigns: false
-
-# Creates basic configuration files and enables NGINX App Protect on the target host
-nginx_app_protect_configure: false
+# The installation of NGINX App Protect can include a page of frequently-updated, high-accuracy signatures called "threat campaigns".
+# This option installs the latest NGINX App Protect threat campaigns signatures.
+# Default is true.
+nginx_app_protect_install_threat_campaigns: true
 
-# Removes the license (certificate and key) for the NGINX App Protect repositories on the target host(s) when playbook run is complete.
-nginx_app_protect_delete_license: true
+# (Optional) Choose where to fetch the NGINX App Protect and security updates signing keys from.
+# Default settings are the official NGINX signing key hosts.
+# nginx_app_protect_signing_key:
+#   nginx_plus: https://cs.nginx.com/static/keys/nginx_signing.key
+#   security_updates: https://cs.nginx.com/static/keys/app-protect-security-updates.key
 
-# If you have a RHEL subscription, NGINX App Protect's dependencies will use subscription repos.
-# Otherwise, it will source packages from CentOS' repositories.
-nginx_app_protect_use_rhel_subscription_repos: false
+# Set up NGINX App Protect license (cert/key) before installation.
+# Default is true.
+nginx_app_protect_setup_license: true
 
-# Choose where to fetch the NGINX App Protect and Security Updates signing keys from.
-# Default settings are the official NGINX signing key hosts.
-nginx_app_protect_signing_keys:
-  nginx_plus: https://cs.nginx.com/static/keys/nginx_signing.key
-  app_protect: https://cs.nginx.com/static/keys/app-protect.key
-  security_updates: https://cs.nginx.com/static/keys/app-protect-security-updates.key
+# Removes NGINX App Protect license (cert/key) after installation for security purposes.
+# Default is true.
+nginx_app_protect_remove_license: true
 
 # Start/Restart NGINX service when App Protect related changes are complete.
 # Default is true.
 nginx_app_protect_start: true
 
-# Increase NGINX service timeout to accommodate ruleset loading from default 90s
-nginx_app_protect_timeout: 180
+# Increase NGINX service timeout to accommodate ruleset loading from default 90s.
+# Default is commented out.
+# nginx_app_protect_timeout: 180
 
-# App Protect Temporary Directory to use (Default: /tmp)
-nginx_app_protect_tempdir: /tmp
+# Creates basic configuration files and enables NGINX App Protect on the target host
+nginx_app_protect_configure: false
 
+# Create a basic NGINX App Protect security policy file
 nginx_app_protect_security_policy_template_enable: true
 nginx_app_protect_security_policy_template:
   template_file: app-protect-security-policy.j2
   out_file_name: app-protect-security-policy.json
   out_file_location: /etc/nginx/
+# possible values: transparent, blocking
+nginx_app_protect_security_policy_enforcement_mode: transparent
 
+# Create a basic NGINX App Protect log policy file
 nginx_app_protect_log_policy_template_enable: true
 nginx_app_protect_log_policy_template:
   template_file: app-protect-log-policy.j2
   out_file_name: app-protect-log-policy.json
   out_file_location: /etc/nginx/
+# possible values: all, illegal, blocked
+nginx_app_protect_log_policy_filter_request_type: all
 
+## DEPRECATED -- Use nginxinc.nginx_config role instead (https://github.com/nginxinc/ansible-role-nginx-config)
+# Create a basic NGINX App Protect config file
 nginx_app_protect_conf_template_enable: false
 nginx_app_protect_conf_template:
   template_file: nginx.conf.j2
   out_file_name: nginx.conf
   out_file_location: /etc/nginx/
-
-# possible values: transparent, blocking
-nginx_app_protect_security_policy_enforcement_mode: transparent
-
-# possible values: all, illegal, blocked
-nginx_app_protect_log_policy_filter_request_type: all
-
-nginx_app_protect_log_policy_syslog_target: 127.0.0.1:514
-
 nginx_app_protect_demo_workload_protocol: http://
 nginx_app_protect_demo_workload_host: 10.1.1.1:8080
+nginx_app_protect_log_policy_syslog_target: 127.0.0.1:514

handlers/main.yml

@@ -1,22 +1,27 @@
 ---
+- name: (Handler) Systemd daemon-reload
+  systemd:
+    daemon_reload: true
+
 - name: (Handler) Check NGINX
-  command: "nginx -t"
-  changed_when: false
+  command: nginx -t
+  register: config
+  ignore_errors: true
+  listen: (Handler) Run NGINX
 
-- name: (Handler) Run NGINX
-  block:
-    - name: (Handler) Start NGINX
-      service:
-        name: nginx
-        state: started
-        enabled: true
-      notify: (Handler) Check NGINX
+- name: (Handler) Print NGINX error if syntax check fails
+  debug:
+    var: config.stderr_lines
+  failed_when: config.rc != 0
+  when: config.rc != 0
+  listen: (Handler) Run NGINX
 
-    - name: (Handler) Restart NGINX
-      service:
-        name: nginx
-        state: restarted
-      changed_when: false
+- name: (Handler) Start/Reload NGINX
+  service:
+    name: nginx
+    state: reloaded
+    enabled: true
   when:
     - nginx_app_protect_start | bool
-    - not ansible_check_mode
+    - not ansible_check_mode | bool
+  listen: (Handler) Run NGINX

molecule/default/converge.yml

@@ -7,19 +7,19 @@
         name: ansible-role-nginx-app-protect
       vars:
         nginx_app_protect_enable: true
+        nginx_app_protect_remove_license: false
         nginx_app_protect_install_signatures: true
         nginx_app_protect_install_threat_campaigns: true
         nginx_app_protect_configure: true
         nginx_app_protect_security_policy_template_enable: true
         nginx_app_protect_security_policy_enforcement_mode: blocking
         nginx_app_protect_log_policy_template_enable: true
         nginx_app_protect_log_policy_filter_request_type: all
-        nginx_app_protect_conf_template_enable: true
         nginx_app_protect_log_policy_syslog_target: localhost:514
+        nginx_app_protect_conf_template_enable: true
         nginx_app_protect_demo_workload_protocol: http://
         nginx_app_protect_demo_workload_host: test-workload:80
         nginx_app_protect_license:
-          certificate: "license/nginx-repo.crt"
-          key: "license/nginx-repo.key"
-        nginx_app_protect_delete_license: false
-        nginx_app_protect_timeout: 600
+          certificate: license/nginx-repo.crt
+          key: license/nginx-repo.key
+        nginx_app_protect_timeout: 180

molecule/default/prepare.yml

@@ -1,40 +1,30 @@
 ---
 - name: Prepare
   hosts: localhost
-  connection: local
   gather_facts: false
-  vars:
-    nginx_license:
-      certificate: "./license/nginx-repo.crt"
-      key: "./license/nginx-repo.key"
-
   tasks:
-    - name: Create license directory
-      file:
-        path: "./license"
-        state: directory
-        mode: 0755
-
     - name: Create ephemeral license certificate file from b64 decoded env var
       copy:
         content: "{{ lookup('env','NGINX_CRT') | b64decode }}"
-        dest: "{{ nginx_license.certificate }}"
+        dest: ../../files/license/nginx-repo.crt
+        force: false
         mode: 0444
 
     - name: Create ephemeral license key file from b64 decoded env var
       copy:
         content: "{{ lookup('env','NGINX_KEY') | b64decode }}"
-        dest: "{{ nginx_license.key }}"
+        dest: ../../files/license/nginx-repo.key
+        force: false
         mode: 0444
 
 - name: Set up rsyslog server for verifying NAP syslog events
   hosts: nap
+  roles:
+    - role: robertdebock.rsyslog
   vars:
     rsyslog_receiver: true
     rsyslog_remote_tcp: true
     rsyslog_remote_port: 514
-  roles:
-    - role: robertdebock.rsyslog
 
 - name: Prepare workload for tests
   hosts: workload

tasks/config/configure-app-protect.yml

@@ -24,7 +24,7 @@
     backup: true
   when: nginx_app_protect_log_policy_template_enable | bool
 
-- name: Backup existing nginx.conf
+- name: (DEPRECATED) Backup existing nginx.conf
   copy:
     src: "{{ nginx_app_protect_conf_template.out_file_location }}{{ nginx_app_protect_conf_template.out_file_name }}"
     dest: "{{ nginx_app_protect_conf_template.out_file_location }}{{ nginx_app_protect_conf_template.out_file_name }}.orig"
@@ -33,7 +33,7 @@
   when: nginx_app_protect_conf_template_enable | bool
   changed_when: false
 
-- name: Dynamically Generate NGINX conf file
+- name: (DEPRECATED) Dynamically generate nginx.conf file
   template:
     src: "{{ nginx_app_protect_conf_template.template_file }}"
     dest: "{{ nginx_app_protect_conf_template.out_file_location }}{{ nginx_app_protect_conf_template.out_file_name }}"
@@ -42,27 +42,25 @@
     - nginx_app_protect_conf_template_enable | bool
     - nginx_app_protect_state != "absent"
 
-- name: Remove NGINX App Protect
+- name: (DEPRECATED) Remove NGINX App Protect
   block:
-    - name: Comment out NGINX App Protect module reference in nginx.conf
+    - name: (DEPRECATED) Comment out NGINX App Protect module reference in nginx.conf
       replace:
         path: /etc/nginx/nginx.conf
         regexp: '^([ \t]*load_module.*ngx_http_app_protect_module.so;)'
         replace: '# \1'
-        mode: preserve
 
-    - name: Comment out NGINX App Protect directives in nginx.conf
+    - name: (DEPRECATED) Comment out NGINX App Protect directives in nginx.conf
       replace:
         path: /etc/nginx/nginx.conf
         regexp: '^([ \t]*app_protect_)'
         replace: '# \1'
-        mode: preserve
   when: nginx_app_protect_state == "absent"
 
 - name: Reload NGINX
   debug:
     msg: Trigger nginx reload if needed
-  notify: (Handler) Restart NGINX
+  notify: (Handler) Run NGINX
   when: nginx_app_protect_security_policy_template_enable | bool
         or nginx_app_protect_log_policy_template_enable | bool
         or nginx_app_protect_conf_template_enable | bool