Merge pull request #1 from nginxinc/ga

GA release of the role

Author: aknot242

README.md

@@ -1,4 +1,4 @@
-![NGINX App Protect logo](images/nap-logo.png)
+<img src="images/nap-logo.png" width="60">
 
 NGINX App Protect Ansible Role
 ==============================
@@ -37,15 +37,34 @@ Use `git clone https://github.com/nginxinc/ansible-role-nginx-app-protect.git` t
 Platforms
 ---------
 
-The NGINX Ansible role supports all platforms supported by [NGINX Plus](https://www.nginx.com/products/technical-specs/):
-
-
-**NGINX Plus**
+The NGINX App Protect Ansible role supports all platforms supported by [NGINX Plus](https://www.nginx.com/products/technical-specs/) that intersect with the following list:
 
 ```yaml
 CentOS:
   versions:
     - 7.4
+    - 7.5
+    - 7.6
+    - 7.7
+    - 7.8
+    - 8.0
+    - 8.1
+    - 8.2
+Debian:
+  versions:
+    - 9.0
+    - 9.1
+    - 9.2
+    - 9.3
+    - 9.4
+    - 9.5
+    - 9.6
+    - 9.7
+    - 9.8
+    - 9.9
+    - 9.10
+    - 9.11
+    - 9.12
 ```
 
 Role Variables
@@ -59,7 +78,7 @@ Dependencies
 
 - Since this role uses the [package_facts](https://docs.ansible.com/ansible/latest/modules/package_facts_module.html) module, on debian-based systems the `python-apt` package must be installed on targeted hosts.
 
-- NGINX+ R18-R20 must already be installed on the target system 
+- NGINX+ R19-R21 must already be installed on the target system 
 
 Example Playbook
 ----------------
@@ -73,11 +92,26 @@ This is a sample playbook file for using the role to install NGINX App Protect o
   become: true
   vars:
     # Installs NGINX App Protect and all dependencies to the target host
-    app_protect_install: true
+    app_protect_enable: true
+
+    # Specify whether you want to maintain your version of NGINX App Protect, upgrade to the latest version, or remove NGINX App Protect.
+    # Can be used with `app_protect_version` to achieve fine grained control on which version of NGINX App Protect is installed/used on each playbook execution.
+    # Using 'present' will install the latest version (or 'app_protect_version') of NGINX App Protect on a fresh install.
+    # Using 'latest' will upgrade NGINX App Protect to the latest version (that matches your 'app_protect_version') of NGINX App Protect on every playbook execution.
+    # Using 'absent' will remove NGINX App Protect from your system.
+    # Default is present.
+    app_protect_state: present
+
+    # The installation of NGINX App Protect includes a base signature set, which may be out of date. 
+    # This option installs the latest NGINX App Protect signatures.
+    app_protect_install_signatures: true
 
     # Creates basic configuration files and enables NGINX App Protect on the target host
     app_protect_configure: true
 
+    # Removes the license (certificate and key) for the NGINX App Protect repositories on the target host(s) when playbook run is complete.
+    app_protect_delete_license: true
+
     # For use with the app_protect_configure option to determine if the default security policy will be written to the target host
     # Used when `app_protect_configure: true`.
     app_protect_security_policy_template_enable: true
@@ -90,7 +124,7 @@ This is a sample playbook file for using the role to install NGINX App Protect o
     # Used when `app_protect_configure: true`.
     app_protect_log_policy_template_enable: true
 
-    # Which violation types to log. Possible values: TBD
+    # Which violation types to log. Possible values: all, illegal, blocked
     # Used when `app_protect_configure: true` and `app_protect_log_policy_template_enable: true`.
     log_policy_filter_request_type: all
 
@@ -109,8 +143,10 @@ This is a sample playbook file for using the role to install NGINX App Protect o
     # Used when `nginx_conf_template_enable: true`.
     nginx_demo_workload: http://10.1.10.105:8080
 
-    # Determines whether or not to clean up tmp files created during the installation and configuration steps.
-    cleanup_when_done: true
+    # The location of the certificate and key to be used when downloading the packages onto the host
+    nginx_license: 
+      certificate: "{{playbook_dir}}/license/nginx-repo.crt"
+      key: "{{playbook_dir}}/license/nginx-repo.key"
 
   roles:
     - role: ansible-role-nginx-app-protect

defaults/main.yml

@@ -1,20 +1,63 @@
 ---
 # defaults file for ansible-role-nginx-app-protect
 
-app_protect_install: true
-app_protect_configure: true
+# Installs NGINX App Protect and all dependencies to the target host
+app_protect_enable: true
 
-tmp_dir: /tmp/app-protect
-cleanup_when_done: true
+# Specify whether you want to maintain your version of NGINX App Protect, upgrade to the latest version, or remove NGINX App Protect.
+# Can be used with `app_protect_version` to achieve fine grained control on which version of NGINX App Protect is installed/used on each playbook execution.
+# Using 'present' will install the latest version (or 'app_protect_version') of NGINX App Protect on a fresh install.
+# Using 'latest' will upgrade NGINX App Protect to the latest version (that matches your 'app_protect_version') of NGINX App Protect on every playbook execution.
+# Using 'absent' will remove NGINX App Protect from your system.
+# Default is present.
+app_protect_state: present
 
-# Start NGINX service.
+# # OPTIONAL - Installs a specific version of NGINX App Protect
+# app_protect_version: 20
+
+# The installation of NGINX App Protect includes a base signature set, which may be out of date. 
+# This option installs the latest NGINX App Protect signatures.
+app_protect_install_signatures: true
+
+# Creates basic configuration files and enables NGINX App Protect on the target host
+app_protect_configure: false
+
+# Removes the license (certificate and key) for the NGINX App Protect repositories on the target host(s) when playbook run is complete.
+app_protect_delete_license: true
+
+# Start/Restart NGINX service when App Protect related changes are complete.
 # Default is true.
 nginx_start: true
 
+# Choose where to fetch the NGINX App Protect signing key from.
+# Default is the official NGINX App Protect signing key host.
+# app_protect_signing_key: https://cs.nginx.com/static/keys/app-protect.key
+
 # populate this dictionary of lists with appropriate values from the ansible_os_family and ansible_distribution_version facts
 app_protect_linux_families:
-  RedHat:
+  CentOS:
     - 7.4
+    - 7.5
+    - 7.6
+    - 7.7
+    - 7.8
+    - 8.0
+    - 8.1
+    - 8.2
+  Debian:
+    - 9.0
+    - 9.1
+    - 9.2
+    - 9.3
+    - 9.4
+    - 9.5
+    - 9.6
+    - 9.7
+    - 9.8
+    - 9.9
+    - 9.10
+    - 9.11
+    - 9.12
 
 app_protect_security_policy_template_enable: true
 app_protect_security_policy_template:
@@ -37,7 +80,7 @@ nginx_conf_template:
 # possible values: transparent, blocking
 security_policy_enforcement_mode: transparent
 
-# possible values: TBD
+# possible values: all, illegal, blocked
 log_policy_filter_request_type: all
 
 log_policy_syslog_target: 127.0.0.1:514

handlers/main.yml

@@ -7,12 +7,12 @@
       service:
         name: nginx
         state: started
-        enabled: yes
+        enabled: true
 
-    - name: "(Handler: All OSs) Reload NGINX"
+    - name: "(Handler: All OSs) Restart NGINX"
       service:
         name: nginx
-        state: reloaded
+        state: restarted
 
   when:
     - nginx_start | bool

images/nap-logo.png

@@ -9,9 +9,14 @@ galaxy_info:
   min_ansible_version: 2.7
 
   platforms:
-    - name: EL
+    - name: CentOS
       versions:
-        - 7.4
+        - 7
+        - 8
+    - name: Debian
+      versions:
+        - stretch
+        - buster
 
   galaxy_tags:
     - waf

meta/main.yml

@@ -9,32 +9,32 @@
   copy:
     src: "{{ nginx_conf_template.out_file_location }}{{ nginx_conf_template.out_file_name }}"
     dest: "{{ nginx_conf_template.out_file_location }}{{ nginx_conf_template.out_file_name }}.orig"
-    remote_src: yes
+    remote_src: true
   when: nginx_conf_template_enable
 
 - name: "Dynamically Generate NGINX App Protect security policy file"
   template:
     src: "{{ app_protect_security_policy_template.template_file }}"
     dest: "{{ app_protect_security_policy_template.out_file_location }}{{ app_protect_security_policy_template.out_file_name }}"
-    backup: yes
+    backup: true
   when: app_protect_security_policy_template_enable
 
 - name: "Dynamically Generate NGINX App Protect log policy file"
   template:
     src: "{{ app_protect_log_policy_template.template_file }}"
     dest: "{{ app_protect_log_policy_template.out_file_location }}{{ app_protect_log_policy_template.out_file_name }}"
-    backup: yes
+    backup: true
   when: app_protect_log_policy_template_enable
 
 - name: "Dynamically Generate NGINX conf file"
   template:
     src: "{{ nginx_conf_template.template_file }}"
     dest: "{{ nginx_conf_template.out_file_location }}{{ nginx_conf_template.out_file_name }}"
-    backup: yes
+    backup: true
   when: nginx_conf_template_enable
 
 - name: "Reload NGINX"
   debug:
-    msg: "trigger nginx reloaded if needed"
-  notify: "(Handler: All OSs) Reload NGINX"
+    msg: "trigger nginx reload if needed"
+  notify: "(Handler: All OSs) Restart NGINX"
   changed_when: app_protect_security_policy_template_enable or app_protect_log_policy_template_enable or nginx_conf_template_enable

tasks/configure-app-protect.yml

@@ -0,0 +1,17 @@
+---
+- name: "(Setup: All OSs) Set NGINX App Protect License State"
+  set_fact:
+    key_value: "" # appeasing the linter
+    nginx_license_status: absent
+
+- name: "(Setup: All OSs) Delete NGINX App Protect License"
+  file:
+    path: /etc/ssl/nginx
+    state: absent
+  when: ansible_distribution != "Alpine"
+
+- import_tasks: setup-debian.yml
+  when: ansible_os_family == "Debian"
+
+- import_tasks: setup-redhat.yml
+  when: ansible_os_family == "RedHat"