initial ga conversion

Author: aknot242

README.md

@@ -37,15 +37,34 @@ Use `git clone https://github.com/nginxinc/ansible-role-nginx-app-protect.git` t
 Platforms
 ---------
 
-The NGINX Ansible role supports all platforms supported by [NGINX Plus](https://www.nginx.com/products/technical-specs/):
-
-
-**NGINX Plus**
+The NGINX App Protect Ansible role supports all platforms supported by [NGINX Plus](https://www.nginx.com/products/technical-specs/) that intersect with the following list:
 
 ```yaml
 CentOS:
   versions:
     - 7.4
+    - 7.5
+    - 7.6
+    - 7.7
+    - 7.8
+    - 8.0
+    - 8.1
+    - 8.2
+Debian:
+  versions:
+    - 9.0
+    - 9.1
+    - 9.2
+    - 9.3
+    - 9.4
+    - 9.5
+    - 9.6
+    - 9.7
+    - 9.8
+    - 9.9
+    - 9.10
+    - 9.11
+    - 9.12
 ```
 
 Role Variables
@@ -59,7 +78,7 @@ Dependencies
 
 - Since this role uses the [package_facts](https://docs.ansible.com/ansible/latest/modules/package_facts_module.html) module, on debian-based systems the `python-apt` package must be installed on targeted hosts.
 
-- NGINX+ R18-R20 must already be installed on the target system 
+- NGINX+ R19-R21 must already be installed on the target system 
 
 Example Playbook
 ----------------
@@ -73,11 +92,26 @@ This is a sample playbook file for using the role to install NGINX App Protect o
   become: true
   vars:
     # Installs NGINX App Protect and all dependencies to the target host
-    app_protect_install: true
+    app_protect_enable: true
+
+    # Specify whether you want to maintain your version of NGINX App Protect, upgrade to the latest version, or remove NGINX App Protect.
+    # Can be used with `app_protect_version` to achieve fine grained control on which version of NGINX App Protect is installed/used on each playbook execution.
+    # Using 'present' will install the latest version (or 'app_protect_version') of NGINX App Protect on a fresh install.
+    # Using 'latest' will upgrade NGINX App Protect to the latest version (that matches your 'app_protect_version') of NGINX App Protect on every playbook execution.
+    # Using 'absent' will remove NGINX App Protect from your system.
+    # Default is present.
+    app_protect_state: present
+
+    # The installation of NGINX App Protect includes a base signature set, which may be out of date. 
+    # This option installs the latest NGINX App Protect signatures.
+    app_protect_install_signatures: true
 
     # Creates basic configuration files and enables NGINX App Protect on the target host
     app_protect_configure: true
 
+    # Removes the license (certificate and key) for the NGINX App Protect repositories on the target host(s) when playbook run is complete.
+    app_protect_delete_license: true
+
     # For use with the app_protect_configure option to determine if the default security policy will be written to the target host
     # Used when `app_protect_configure: true`.
     app_protect_security_policy_template_enable: true
@@ -90,7 +124,7 @@ This is a sample playbook file for using the role to install NGINX App Protect o
     # Used when `app_protect_configure: true`.
     app_protect_log_policy_template_enable: true
 
-    # Which violation types to log. Possible values: TBD
+    # Which violation types to log. Possible values: all, illegal, blocked
     # Used when `app_protect_configure: true` and `app_protect_log_policy_template_enable: true`.
     log_policy_filter_request_type: all
 
@@ -109,8 +143,10 @@ This is a sample playbook file for using the role to install NGINX App Protect o
     # Used when `nginx_conf_template_enable: true`.
     nginx_demo_workload: http://10.1.10.105:8080
 
-    # Determines whether or not to clean up tmp files created during the installation and configuration steps.
-    cleanup_when_done: true
+    # The location of the certificate and key to be used when downloading the packages onto the host
+    nginx_license: 
+      certificate: "{{playbook_dir}}/license/nginx-repo.crt"
+      key: "{{playbook_dir}}/license/nginx-repo.key"
 
   roles:
     - role: ansible-role-nginx-app-protect

defaults/main.yml

@@ -1,20 +1,63 @@
 ---
 # defaults file for ansible-role-nginx-app-protect
 
-app_protect_install: true
+# Installs NGINX App Protect and all dependencies to the target host
+app_protect_enable: true
+
+# Specify whether you want to maintain your version of NGINX App Protect, upgrade to the latest version, or remove NGINX App Protect.
+# Can be used with `app_protect_version` to achieve fine grained control on which version of NGINX App Protect is installed/used on each playbook execution.
+# Using 'present' will install the latest version (or 'app_protect_version') of NGINX App Protect on a fresh install.
+# Using 'latest' will upgrade NGINX App Protect to the latest version (that matches your 'app_protect_version') of NGINX App Protect on every playbook execution.
+# Using 'absent' will remove NGINX App Protect from your system.
+# Default is present.
+app_protect_state: present
+
+# # OPTIONAL - Installs a specific version of NGINX App Protect
+# app_protect_version: 20
+
+# The installation of NGINX App Protect includes a base signature set, which may be out of date. 
+# This option installs the latest NGINX App Protect signatures.
+app_protect_install_signatures: true
+
+# Creates basic configuration files and enables NGINX App Protect on the target host
 app_protect_configure: true
 
-tmp_dir: /tmp/app-protect
-cleanup_when_done: true
+# Removes the license (certificate and key) for the NGINX App Protect repositories on the target host(s) when playbook run is complete.
+app_protect_delete_license: true
 
-# Start NGINX service.
+# Start/Restart NGINX service when App Protect related changes are complete.
 # Default is true.
 nginx_start: true
 
+# Choose where to fetch the NGINX App Protect signing key from.
+# Default is the official NGINX App Protect signing key host.
+# app_protect_signing_key: https://cs.nginx.com/static/keys/app-protect.key
+
 # populate this dictionary of lists with appropriate values from the ansible_os_family and ansible_distribution_version facts
 app_protect_linux_families:
-  RedHat:
+  CentOS:
     - 7.4
+    - 7.5
+    - 7.6
+    - 7.7
+    - 7.8
+    - 8.0
+    - 8.1
+    - 8.2
+  Debian:
+    - 9.0
+    - 9.1
+    - 9.2
+    - 9.3
+    - 9.4
+    - 9.5
+    - 9.6
+    - 9.7
+    - 9.8
+    - 9.9
+    - 9.10
+    - 9.11
+    - 9.12
 
 app_protect_security_policy_template_enable: true
 app_protect_security_policy_template:
@@ -37,7 +80,7 @@ nginx_conf_template:
 # possible values: transparent, blocking
 security_policy_enforcement_mode: transparent
 
-# possible values: TBD
+# possible values: all, illegal, blocked
 log_policy_filter_request_type: all
 
 log_policy_syslog_target: 127.0.0.1:514

handlers/main.yml

@@ -7,7 +7,7 @@
       service:
         name: nginx
         state: started
-        enabled: yes
+        enabled: true
 
     - name: "(Handler: All OSs) Reload NGINX"
       service:

meta/main.yml

@@ -9,9 +9,14 @@ galaxy_info:
   min_ansible_version: 2.7
 
   platforms:
-    - name: EL
+    - name: CentOS
       versions:
-        - 7.4
+        - 7
+        - 8
+    - name: Debian
+      versions:
+        - stretch
+        - buster
 
   galaxy_tags:
     - waf

tasks/configure-app-protect.yml

@@ -9,28 +9,28 @@
   copy:
     src: "{{ nginx_conf_template.out_file_location }}{{ nginx_conf_template.out_file_name }}"
     dest: "{{ nginx_conf_template.out_file_location }}{{ nginx_conf_template.out_file_name }}.orig"
-    remote_src: yes
+    remote_src: true
   when: nginx_conf_template_enable
 
 - name: "Dynamically Generate NGINX App Protect security policy file"
   template:
     src: "{{ app_protect_security_policy_template.template_file }}"
     dest: "{{ app_protect_security_policy_template.out_file_location }}{{ app_protect_security_policy_template.out_file_name }}"
-    backup: yes
+    backup: true
   when: app_protect_security_policy_template_enable
 
 - name: "Dynamically Generate NGINX App Protect log policy file"
   template:
     src: "{{ app_protect_log_policy_template.template_file }}"
     dest: "{{ app_protect_log_policy_template.out_file_location }}{{ app_protect_log_policy_template.out_file_name }}"
-    backup: yes
+    backup: true
   when: app_protect_log_policy_template_enable
 
 - name: "Dynamically Generate NGINX conf file"
   template:
     src: "{{ nginx_conf_template.template_file }}"
     dest: "{{ nginx_conf_template.out_file_location }}{{ nginx_conf_template.out_file_name }}"
-    backup: yes
+    backup: true
   when: nginx_conf_template_enable
 
 - name: "Reload NGINX"

tasks/delete-license.yml

@@ -0,0 +1,17 @@
+---
+- name: "(Setup: All OSs) Set NGINX App Protect License State"
+  set_fact:
+    key_value: "" # appeasing the linter
+    nginx_license_status: absent
+
+- name: "(Setup: All OSs) Delete NGINX App Protect License"
+  file:
+    path: /etc/ssl/nginx
+    state: absent
+  when: ansible_distribution != "Alpine"
+
+- import_tasks: setup-debian.yml
+  when: ansible_os_family == "Debian"
+
+- import_tasks: setup-redhat.yml
+  when: ansible_os_family == "RedHat"

tasks/install-app-protect-linux.yml

@@ -1,122 +1,27 @@
 ---
-- name: Check that the NGINX App Protect install zip exists locally
-  stat:
-    path: "{{ install_zip}}"
-  register: local_install_zip_stat
-  connection: local
+- import_tasks: setup-debian.yml
+  when: ansible_os_family == "Debian"
 
-- name: Check preconditions
-  assert:
-    that:
-      - "local_install_zip_stat.stat.exists == true"
-    quiet: true
+- import_tasks: setup-redhat.yml
+  when: ansible_os_family == "RedHat"
 
-- name: Copy NGINX App Protect install zip to host
-  copy:
-    src: "{{ install_zip }}"
-    dest: "{{ install_zip }}"
-
-- name: Get package facts
-  package_facts:
-    manager: "auto"
-
-- name: Set zip version number
-  set_fact:
-    key_value: "" # appeasing the linter
-    app_protect_version: "{{ install_zip | regex_search('(\\d+)') }}"
-
-- name: Set NGINX Plus version
-  set_fact:
-    key_value: "" # appeasing the linter
-    nginx_plus_version: "{{ ansible_facts.packages['nginx-plus'] | map(attribute='version') | list | first | regex_search('^(\\d{1,3})') }}"
-  when: "'nginx-plus' in ansible_facts.packages"
-
-- name: Fail if NGINX+ version preconditions fail
-  assert:
-    that:
-      - nginx_plus_version is defined
-      - nginx_plus_version | int >= 18
-    fail_msg: "'nginx_plus_version' release version must be a minimum of 18 for App Protect. Actual: {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
-    success_msg: "'nginx_plus_version' is {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
-    quiet: true
-
-- name: Fail if app protect zip doesn't not match detected NGINX+ version
-  assert:
-    that:
-      - app_protect_version is defined
-      - nginx_plus_version | int == app_protect_version | int
-    fail_msg: "'nginx_plus_version' {{ nginx_plus_version }} must match the NGINX App Protect version {{ app_protect_version }}"
-    success_msg: "'nginx_plus_version' is {{ nginx_plus_version }} and 'app_protect_version' is {{ app_protect_version }}"
-    quiet: true
-
-- name: Install epel-release, unzip and openssl packages
-  package:
-    name: epel-release, unzip, openssl
-    state: present
-
-- name: Create a directory if it does not exist
-  file:
-    path: "{{ tmp_dir }}"
-    state: directory
-
-- name: Unarchive the App Protect package file that is already on the remote machine
-  unarchive:
-    src: "{{ install_zip }}"
-    dest: "{{ tmp_dir }}/"
-    remote_src: true
-
-- name: Display paths of all .rpm files in dir; exclude NGINX+ installer
-  find:
-    paths: 
-      - "{{ tmp_dir }}"
-    file_type: file
-    use_regex: true
-    patterns:
-      - "^(?!.*nginx-plus-{{ app_protect_version }}).*\\.rpm$"
-  register: rpm_files_dict
-
-- name: Remap list to just filenames
-  set_fact:
-    key_value: "" # appeasing the linter
-    rpm_files: "{{ rpm_files_dict.files | map(attribute='path' | basename) | list }}"
-
-- name: Debug rpm files found
-  debug:
-    msg: "rpm files found: {{ rpm_files }}"
-    verbosity: 2
-
-- name: Install packages
+- name: "(Install: Linux) Install NGINX App Protect"
   package:
-    name: "{{ rpm_files }}"
-    state: present
-
-- name: Disable SELinux
-  selinux:
-    state: disabled
-
-- name: "Start NGINX App Protect"
-  service:
-    name: nginx-app-protect
-    state: started
-    enabled: yes
-  when:
-    - not ansible_check_mode
-
-- name: "Start NGINX"
-  service:
-    name: nginx
-    state: reloaded
-  when:
-    - not ansible_check_mode
-
-- name: Recursively remove extracted directory
-  file:
-    path: "{{ tmp_dir }}"
-    state: absent
-  when: cleanup_when_done
-
-- name: Remove source zip
-  file:
-    path: "{{ install_zip }}"
-    state: absent
-  when: cleanup_when_done
+    name: "app-protect{{ nginx_version | default('') }}"
+    state: "{{ app_protect_state }}"
+  notify: "(Handler: All OSs) Start NGINX"
+
+# - name: "Start NGINX App Protect"
+#   service:
+#     name: nginx-app-protect
+#     state: started
+#     enabled: true
+#   when:
+#     - not ansible_check_mode
+
+# - name: "Start NGINX"
+#   service:
+#     name: nginx
+#     state: reloaded
+#   when:
+#     - not ansible_check_mode