Fix and improve stub status and REST API templating (#41)

alessfg · web-flow · commit 970320bc411b · 2020-11-18T18:27:06.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,31 +1,33 @@
 # Changelog
 
-## 0.3.0 (Unreleased)
+## 0.3.0 (November 17, 2020)
 
 BREAKING CHANGES:
 
-*   The default port of the status module is now 8080 and matches the CI molecule test which already used it. Set ```nginx_config_status_port```to another desired value.
+The default port of the status module is now 8080 and matches the CI molecule test which already used it. Set `nginx_config_status_port` to another desired value.
 
 ENHANCEMENTS:
 
 *   Add survey to README.
 *   Improve README structure and use tables where relevant.
 *   Update Ansible (now Ansible base) to `2.10.3`, Ansible (now Ansible Community Distribution) to `2.10.3`, Ansible Lint to `4.3.7`, Molecule to `3.1.5`, and yamllint to `1.25.0`.
+*   Improve templating of stub status and REST API config.
 
 BUG FIXES:
 
 *   Prevent TravisCI from trying to build (and failing) NGINX Plus images on external PRs.
-*   Fix naming for SELinux Ansible facts.
+*   Fix naming for SELinux facts dictionary.
 *   Correctly import `app_protect` global directives in template.
 *   Role now runs correctly when using Ansible's check mode.
+*   Fix issue with access log in stub status and REST API config template not being properly parsed.
 
 ## 0.2.0 (September 24, 2020)
 
 BREAKING CHANGES:
 
-*   The process to configure modules has changed. Instead of manually setting the modules you want to install to `true` or `false`, you will now have to use either:
-    *   A newly introduced top level list variable, `nginx_config_modules`.
-    *   A newly introduced list variable within your main NGINX config template, `nginx_config_main_template.modules`.
+The process to configure modules has changed. Instead of manually setting the modules you want to install to `true` or `false`, you will now have to use either:
+*   A newly introduced top level list variable, `nginx_config_modules`.
+*   A newly introduced list variable within your main NGINX config template, `nginx_config_main_template.modules`.
 
 Make sure you only use one variable or the other, since they will overwrite each other. This change will simplify adding future supported modules to this role, and allows you to include any external modules you may wish in your NGINX config.
 
@@ -49,7 +51,7 @@ ENHANCEMENTS:
 
 BUG FIXES:
 
-*   An empty `nginx_config_cleanup_files` will no longer cause `nginx_config_cleanup` related tasks to fail.
+An empty `nginx_config_cleanup_files` will no longer cause `nginx_config_cleanup` related tasks to fail.
 
 ## 0.1.0 (August 19, 2020)
 
diff --git a/defaults/main/template.yml b/defaults/main/template.yml
@@ -360,25 +360,35 @@ nginx_config_http_template:
 nginx_config_status_enable: false
 nginx_config_status_template_file: http/status.conf.j2
 nginx_config_status_file_location: /etc/nginx/conf.d/status.conf
-nginx_config_status_log: false
-nginx_config_status_port: 8080
-nginx_config_status_allow: 127.0.0.1
-nginx_config_status_deny: all
+nginx_config_status_port: 8080  # Optional -- Defaults to 8080
+nginx_config_status_access_log:  # Optional -- Set to 'false' to disable access log
+  location: /var/log/nginx/access.log  # Required
+  name: main  # Required
+nginx_config_status_allow:  # Optional
+  - 127.0.0.1
+nginx_config_status_deny:  # Optional
+  - all
 
 # Enable NGINX Plus REST API, write access to the REST API, and NGINX Plus dashboard.
 # Requires NGINX Plus.
 # Default is false.
 nginx_config_rest_api_enable: false
 nginx_config_rest_api_template_file: http/api.conf.j2
 nginx_config_rest_api_file_location: /etc/nginx/conf.d/api.conf
-nginx_config_rest_api_log: false
-nginx_config_rest_api_port: 80
-nginx_config_rest_api_write: false
-nginx_config_rest_api_dashboard: false
-nginx_config_rest_api_allow: 127.0.0.1
-nginx_config_rest_api_deny: all
-nginx_config_rest_api_dashboard_allow: 127.0.0.1
-nginx_config_rest_api_dashboard_deny: all
+nginx_config_rest_api_port: 8080  # Optional-- Defaults to 8080
+nginx_config_rest_api_write: false  # Optional
+nginx_config_rest_api_access_log:  # Optional -- Set to 'false' to disable access log
+  location: /var/log/nginx/access.log  # Required
+  name: main  # Required
+nginx_config_rest_api_allow:  # Optional
+  - 127.0.0.1
+nginx_config_rest_api_deny:  # Optional
+  - all
+nginx_config_rest_api_dashboard: false  # Optional
+nginx_config_rest_api_dashboard_allow:  # Optional
+  - 127.0.0.1
+nginx_config_rest_api_dashboard_deny:  # Optional
+  - all
 
 # Enable creating dynamic templated NGINX stream configuration files.
 # Defaults will not produce a valid configuration. Instead they are meant to showcase
diff --git a/molecule/common/playbooks/oss_requirements.yml b/molecule/common/playbooks/oss_requirements.yml
@@ -1,4 +1,4 @@
 ---
 roles:
   - name: nginxinc.nginx
-    version: 0.17.2
+    version: 0.18.1
diff --git a/molecule/common/playbooks/plus_requirements.yml b/molecule/common/playbooks/plus_requirements.yml
@@ -1,6 +1,6 @@
 ---
 roles:
   - name: nginxinc.nginx
-    version: 0.17.2
+    version: 0.18.1
   - name: nginxinc.nginx_app_protect
-    version: 0.3.1
+    version: 0.4.1
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -7,6 +7,7 @@
         name: ansible-role-nginx-config
       vars:
         nginx_config_debug_output: true
+
         nginx_config_selinux: true
         nginx_config_selinux_tcp_ports:
           - 80
@@ -58,7 +59,9 @@
 
         nginx_config_status_enable: true
         nginx_config_status_port: 8080
-        nginx_config_status_log: true
+        nginx_config_status_access_log:
+          location: /var/log/nginx/access.log
+          name: main
 
         nginx_config_http_template_enable: true
         nginx_config_http_template:
diff --git a/molecule/plus/converge.yml b/molecule/plus/converge.yml
@@ -64,8 +64,9 @@
           stream_enable: true
 
         nginx_config_rest_api_enable: true
-        nginx_config_rest_api_write: true
-        nginx_config_rest_api_dashboard: true
+        nginx_config_rest_api_write: false
+        nginx_config_rest_api_access_log: false
+        nginx_config_rest_api_dashboard: false
 
         nginx_config_http_template_enable: true
         nginx_config_http_template:
diff --git a/templates/http/api.conf.j2 b/templates/http/api.conf.j2
@@ -1,29 +1,37 @@
 {{ ansible_managed | comment }}
 
 server {
-    listen {{ nginx_config_rest_api_port | default('80') }};
-    access_log {{ nginx_config_rest_api_log | ternary('on', 'off') }};
+    listen {{ nginx_config_rest_api_port | default('8080') }};
+{% if nginx_config_rest_api_access_log is defined %}
+    access_log{{ ' off' if not nginx_config_rest_api_access_log }}{{ (' ' + nginx_config_rest_api_access_log.location) if nginx_config_rest_api_access_log.location is defined }}{{ (' ' + nginx_config_rest_api_access_log.name) if nginx_config_status_rest_api_log.name is defined }};
+{% endif %}
     location /api {
-{% if nginx_config_rest_api_write %}
-        api write=on;
-{% else %}
-        api;
+{% if nginx_config_rest_api_write is defined %}
+        api{{ ' write=on' if nginx_config_rest_api_write }};
 {% endif %}
 {% if nginx_config_rest_api_allow is defined %}
-        allow {{ nginx_config_rest_api_allow }};
+{% for address in nginx_config_rest_api_allow %}
+        allow {{ address }};
+{% endfor %}
 {% endif %}
 {% if nginx_config_rest_api_deny is defined %}
-        deny {{ nginx_config_rest_api_deny }};
+{% for address in nginx_config_rest_api_deny %}
+        deny {{ address }};
+{% endfor %}
 {% endif %}
     }
-{% if nginx_config_rest_api_dashboard %}
+{% if nginx_config_rest_api_dashboard is defined and nginx_config_rest_api_dashboard %}
     location = /dashboard.html {
         root /usr/share/nginx/html;
 {% if nginx_config_rest_api_dashboard_allow is defined %}
-        allow {{ nginx_config_rest_api_dashboard_allow }};
+{% for address in nginx_config_rest_api_dashboard_allow %}
+        allow {{ address }};
+{% endfor %}
 {% endif %}
 {% if nginx_config_rest_api_dashboard_deny is defined %}
-        deny {{ nginx_config_rest_api_dashboard_deny }};
+{% for address in nginx_config_rest_api_dashboard_deny %}
+        deny {{ address }};
+{% endfor %}
 {% endif %}
     }
 {% endif %}
diff --git a/templates/http/status.conf.j2 b/templates/http/status.conf.j2
@@ -2,14 +2,20 @@
 
 server {
     listen {{ nginx_config_status_port | default('8080') }};
-    access_log {{ nginx_config_status_log | ternary('on', 'off') }};
+{% if nginx_config_status_access_log is defined %}
+    access_log{{ ' off' if not nginx_config_status_access_log }}{{ (' ' + nginx_config_status_access_log.location) if nginx_config_status_access_log.location is defined }}{{ (' ' + nginx_config_status_access_log.name) if nginx_config_status_access_log.name is defined }};
+{% endif %}
     location /nginx_status {
         stub_status on;
     }
 {% if nginx_config_status_allow is defined %}
-    allow {{ nginx_config_status_allow }};
+{% for address in nginx_config_status_allow %}
+    allow {{ address }};
+{% endfor %}
 {% endif %}
 {% if nginx_config_status_deny is defined %}
-    deny {{ nginx_config_status_deny }};
+{% for address in nginx_config_status_deny%}
+    deny {{ address }};
+{% endfor %}
 {% endif %}
 }
