diff --git a/.ansible-lint b/.ansible-lint
index ec7eca8b..fa817687 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,3 +1,4 @@
+---
 skip_list:
-- '106'
-- '204'
+ - '106'
+ - '204'
diff --git a/.github/workflows/requirements/requirements_molecule.txt b/.github/workflows/requirements/requirements_molecule.txt
index 0984b5d7..77632221 100644
--- a/.github/workflows/requirements/requirements_molecule.txt
+++ b/.github/workflows/requirements/requirements_molecule.txt
@@ -1,5 +1,5 @@
 ansible-base==2.10.7
-ansible-lint==4.3.7
+ansible-lint==5.0.4
 yamllint==1.26.0
 molecule[docker]==3.2.4
 docker==4.4.4
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5db2d9ea..f700bba6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,7 +19,7 @@ ENHANCEMENTS:
 * Consolidate dependencies into a single tasks file.
 * Remove requirement for `package_facts` module when using this role.
 * Update Signatures repository URL.
-* Update Ansible base to `2.10.7`, Molecule to `3.2.4`, yamllint to `1.26.0` and Docker Python SDK to `4.4.4`.
+* Update Ansible base to `2.10.7`, Ansible Lint to `5.0.4`, Molecule to `3.2.4`, yamllint to `1.26.0` and Docker Python SDK to `4.4.4`.
 * Specify GitHub actions Ubuntu release.
 * Minor GitHub template tweaks, including the creation of a SECURITY doc.
 * Only run GitHub actions Galaxy CI/CD workflow when a new release is published.
diff --git a/meta/main.yml b/meta/main.yml
index 4e7da6c9..fb1c7769 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -3,6 +3,7 @@ galaxy_info:
 author: Daniel Edgar
 description: Official Ansible role for NGINX App Protect
 role_name: nginx_app_protect
+ namespace: nginxinc
 company: F5 Networks, Inc.
 license: Apache License, Version 2.0
diff --git a/molecule/advanced/molecule.yml b/molecule/advanced/molecule.yml
index 6cc0b976..3764e3de 100644
--- a/molecule/advanced/molecule.yml
+++ b/molecule/advanced/molecule.yml
@@ -1,4 +1,8 @@ --- +dependency: + name: galaxy + options: + role-file: molecule/advanced/requirements.yml driver: name: docker lint: | @@ -74,3 +78,7 @@ provisioner: defaults: no_target_syslog: true log: false + playbooks: + prepare: prepare.yml + converge: converge.yml + verify: verify.yml diff --git a/molecule/advanced/prepare.yml b/molecule/advanced/prepare.yml index 394dfd4e..e0c2a100 100644 --- a/molecule/advanced/prepare.yml +++ b/molecule/advanced/prepare.yml @@ -19,12 +19,14 @@ - name: Set up rsyslog server for verifying NAP syslog events hosts: nap - roles: - - role: robertdebock.rsyslog - vars: - rsyslog_receiver: true - rsyslog_remote_tcp: true - rsyslog_remote_port: 514 + tasks: + - name: Set up rsyslog + include_role: + name: robertdebock.rsyslog + vars: + rsyslog_receiver: true + rsyslog_remote_tcp: true + rsyslog_remote_port: 514 - name: Prepare workload for tests hosts: workload diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index d3d32dea..7d251d61 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -43,3 +43,7 @@ platforms: command: "/sbin/init" provisioner: name: ansible + playbooks: + prepare: prepare.yml + converge: converge.yml + verify: verify.yml diff --git a/molecule/specific-version/converge.yml b/molecule/specific-version/converge.yml index 0baf61df..4cbcc748 100644 --- a/molecule/specific-version/converge.yml +++ b/molecule/specific-version/converge.yml @@ -1,8 +1,17 @@ --- - name: Converge hosts: all - vars_files: - - scenario-vars.yml + vars: + specify_app_protect_signatures_version: true + specify_app_protect_threat_campaigns_version: true + app_protect_signature_version_matrix: + alpine: "=2021.01.20-r1" + debian: "=2019.07.16-1" + redhat: "-2019.07.16" + app_protect_threat_campaigns_version_matrix: + alpine: "=2021.01.03-r1" + debian: "=2020.08.20-1" + redhat: "-2020.08.20" tasks: - name: Set NGINX App Protect signature version fact set_fact: 
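Review bot: The new `dependency:` block at the top of molecule/advanced/molecule.yml makes every run of this scenario install whatever `molecule/advanced/requirements.yml` lists from Galaxy, and that file is not part of this diff, so the pinning of the third-party role cannot be checked here. The prepare.yml hunk of this commit runs `robertdebock.rsyslog` through `include_role`, so if its requirements entry carries no `version:`, CI will execute whatever release is newest at run time. I would pin it in requirements.yml, for example `- name: robertdebock.rsyslog` followed by `version: <reviewed-release>` (placeholder), and bump it deliberately like the pins in requirements_molecule.txt.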
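Review bot: The version matrices added under `vars:` in molecule/specific-version/converge.yml are repeated verbatim in the verify.yml hunk of this commit, replacing the single scenario-vars.yml that both plays used to load. The assert in verify.yml compares the installed signatures package against its own copy of `app_protect_signature_version_matrix`, so editing only one file makes the scenario fail for the wrong reason. Keeping one source would avoid that, for instance under `provisioner.inventory.group_vars.all` in the scenario's molecule.yml. At minimum, add a comment such as `# keep in sync with verify.yml` above both blocks. The Converge play continues past the end of this hunk.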
@@ -17,3 +26,12 @@ - name: Install NGINX App Protect include_role: name: ansible-role-nginx-app-protect + vars: + nginx_app_protect_license: + certificate: license/nginx-repo.crt + key: license/nginx-repo.key + nginx_app_protect_remove_license: false + nginx_app_protect_install_signatures: true + nginx_app_protect_install_threat_campaigns: true + nginx_app_protect_configure: false + nginx_app_protect_state: present diff --git a/molecule/specific-version/molecule.yml b/molecule/specific-version/molecule.yml index d3d32dea..7d251d61 100644 --- a/molecule/specific-version/molecule.yml +++ b/molecule/specific-version/molecule.yml @@ -43,3 +43,7 @@ platforms: command: "/sbin/init" provisioner: name: ansible + playbooks: + prepare: prepare.yml + converge: converge.yml + verify: verify.yml diff --git a/molecule/specific-version/scenario-vars.yml b/molecule/specific-version/scenario-vars.yml deleted file mode 100644 index c4f626d9..00000000 --- a/molecule/specific-version/scenario-vars.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -# ROLE SPECIFIC VARS -nginx_app_protect_license: - certificate: license/nginx-repo.crt - key: license/nginx-repo.key -nginx_app_protect_remove_license: false -nginx_app_protect_install_signatures: true -nginx_app_protect_install_threat_campaigns: true -nginx_app_protect_configure: false -nginx_app_protect_state: present - -# TEST SCENARIO VARS -specify_app_protect_signatures_version: true -specify_app_protect_threat_campaigns_version: true -app_protect_signature_version_matrix: - alpine: "=2021.01.20-r1" - debian: "=2019.07.16-1" - redhat: "-2019.07.16" -app_protect_threat_campaigns_version_matrix: - alpine: "=2021.01.03-r1" - debian: "=2020.08.20-1" - redhat: "-2020.08.20" diff --git a/molecule/specific-version/verify.yml b/molecule/specific-version/verify.yml index c0165c39..440b2aab 100644 --- a/molecule/specific-version/verify.yml +++ b/molecule/specific-version/verify.yml 
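Review bot: The `nginx_app_protect_license` entry added to the `include_role` vars in converge.yml points at `license/nginx-repo.key`, which by its name is the private key for the NGINX repository, and nothing in this diff shows where that file comes from. It is worth confirming that the certificate and key are written from CI secrets at run time and that `license/` is ignored by git. A comment above the block would record this, e.g. `# license files are injected by CI from secrets; never commit them`.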
@@ -1,8 +1,17 @@ --- - name: Verify hosts: all - vars_files: - - scenario-vars.yml + vars: + specify_app_protect_signatures_version: true + specify_app_protect_threat_campaigns_version: true + app_protect_signature_version_matrix: + alpine: "=2021.01.20-r1" + debian: "=2019.07.16-1" + redhat: "-2019.07.16" + app_protect_threat_campaigns_version_matrix: + alpine: "=2021.01.03-r1" + debian: "=2020.08.20-1" + redhat: "-2020.08.20" tasks: - name: Check if NGINX Plus is installed package: @@ -53,21 +62,6 @@ package_facts: manager: auto - - name: Get installed NAP version - debug: - msg: "{{ ansible_distribution }} {{ ansible_distribution_version }} - App Protect version installed: {{ ansible_facts.packages['app-protect'] | map(attribute='version') | first }}" - when: nginx_app_protect_state != "absent" - - - name: Get installed NAP signatures version - debug: - msg: "{{ ansible_distribution }} {{ ansible_distribution_version }} - Signatures version installed: {{ ansible_facts.packages['app-protect-attack-signatures'] | map(attribute='version') | first }}" - when: nginx_app_protect_install_signatures - - - name: Get installed NAP threat campaigns version - debug: - msg: "{{ ansible_distribution }} {{ ansible_distribution_version }} Threat Campaigns version installed: {{ ansible_facts.packages['app-protect-threat-campaigns'] | map(attribute='version') | first }}" - when: nginx_app_protect_install_threat_campaigns - - name: Verify installed NAP signatures version matches requested version assert: that: (ansible_facts.packages['app-protect-attack-signatures'] | map(attribute='version') | first) == (app_protect_signature_version_matrix[ansible_os_family | lower] | regex_replace('^-|=','') + (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, ''))