codeenigma · gregharvey · Apr 25, 2024 · Apr 25, 2024 · Apr 25, 2024 · Apr 25, 2024
diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md
@@ -4,6 +4,7 @@
   - [Usage](/scripts)
   - [Roles](roles)
      - [AWS Infrastructure](/roles/aws)
+       - [AWS ACL](/roles/aws/aws_acl)
        - [AWS Certificate Manager](/roles/aws/aws_acm)
        - [AWS AMI](/roles/aws/aws_ami)
        - [AWS Backup](/roles/aws/aws_backup)

diff --git a/docs/roles/aws/aws_acl.md b/docs/roles/aws/aws_acl.md
@@ -0,0 +1,39 @@
+# AWS ACL
+Creates an ACL to be attached to a CloudFront distribution or an Application Load Balancer (ALB).
+
+<!--TOC-->
+<!--ENDTOC-->
+
+<!--ROLEVARS-->
+## Default variables
+```yaml
+---
+rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
+aws_acl:
+  name: example_master_acl
+  scope: CLOUDFRONT # Can be REGIONAL for ALBs
+  region: us-east-1 # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped
+  tags: {}
+
+  ip_allow:
+    name: "Allowed-ips"
+    list: []
+      #- 1.1.1.1/32 # list of ip ranges
+      #- 2.2.2.2/32
+      #- 3.3.3.3/32
+
+  ip_block:
+    name: "Blocked-ips"
+    list: []
+      #- 4.4.4.4/32 # list of ip ranges
+      #- 5.5.5.5/32
+      #- 6.6.6.6/32
+
+  cc_block_list: []
+    #- BY # Belarus
+    #- CN # China
+    #- IR # Iran
+    #- SA # Saudi Arabia
+```
+
+<!--ENDROLEVARS-->
diff --git a/docs/roles/aws/aws_cloudfront_distribution.md b/docs/roles/aws/aws_cloudfront_distribution.md
@@ -7,32 +7,6 @@ Creates a new AWS CloudFront distribution (CDN) for content delivery.
 ## Default variables
 ```yaml
 ---
-# Uncomment cf_acl to create firewall rules for Cloudfront distro
-#rate_limit: 600 # rate_limit needs to be standalone variable to avoid casting issues (it will be considrate as string instead of int)
-#cf_acl:
-#  acl_name: "dummy_master_acl"
-#  scope: "CLOUDFRONT" # Can be "REGIONAL"
-#  region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped
-#
-#  ip_allow
-#    name: "Allowed-ips"
-#    list:
-#    - 1.1.1.1/32
-#    - 2.2.2.2/32
-#    - 3.3.3.3/32
-#
-#  ip_block:
-#    name: "Blocked-ips"
-#    list:
-#    - 4.4.4.4/32
-#    - 5.5.5.5/32
-#    - 6.6.6.6/32
-#
-#  cc_block_list:
-#    - BY # Belarus
-#    - CN # China
-#    - IR # Iran
-#    - SA # Saudi Arabia
 aws_cloudfront_distribution:
   aws_profile: "{{ _aws_profile }}"
   region: "{{ _aws_region }}"
@@ -95,11 +69,7 @@ aws_cloudfront_distribution:
   cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required.
   enabled: true
   purge_existing: true # Set to false to append entries instead of replacing them.
-#  logging:
-#    bucket: "" # URL of S3 bucket to store logs
-#    enabled: false # Set true to allow logging
-#    include_cookies: false # Set true to add cookies in logs
-#    prefix: "" # Prefix for S3 object names
+
 ```
 
 <!--ENDROLEVARS-->
diff --git a/docs/roles/debian/clamav.md b/docs/roles/debian/clamav.md
@@ -21,7 +21,7 @@ clamav:
       log_name: clamav_daily.log
   # scheduled scans, set to an empty dictionary for no timers
   timers:
-    clamav_scan:
+    clamscan_daily:
       timer_command: /usr/local/clamav/script/clamscan_daily # path to clamscan wrapper script, ensure it is defined in clamav.scripts
       timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events
   server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name.

diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md
@@ -52,6 +52,8 @@ nginx:
     client_body_buffer_size: 512k
     fastcgi_buffer_size: 512k
     fastcgi_buffers: "8 256k"
+    cache_behavior_private: "add_header Cache-Control \"private, max-age=604800\""
+    cache_behavior_public: "add_header Cache-Control \"public, max-age=604800\""
     # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings.
     #custom_directives: []
   # Group prefix. Useful for grouping by environments.

diff --git a/docs/roles/debian/php-fpm.md b/docs/roles/debian/php-fpm.md
@@ -61,6 +61,7 @@ php:
       memory_consumption: 128
       max_accelerated_files: 2000
       validate_timestamps: 1
+    clear_env: "yes"
 
 ```
 

diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md
@@ -0,0 +1,39 @@
+# AWS ACL
+Creates an ACL to be attached to a CloudFront distribution or an Application Load Balancer (ALB).
+
+<!--TOC-->
+<!--ENDTOC-->
+
+<!--ROLEVARS-->
+## Default variables
+```yaml
+---
+rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
+aws_acl:
+  name: example_master_acl
+  scope: CLOUDFRONT # Can be REGIONAL for ALBs
+  region: us-east-1 # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped
+  tags: {}
+
+  ip_allow:
+    name: "Allowed-ips"
+    list: []
+      #- 1.1.1.1/32 # list of ip ranges
+      #- 2.2.2.2/32
+      #- 3.3.3.3/32
+
+  ip_block:
+    name: "Blocked-ips"
+    list: []
+      #- 4.4.4.4/32 # list of ip ranges
+      #- 5.5.5.5/32
+      #- 6.6.6.6/32
+
+  cc_block_list: []
+    #- BY # Belarus
+    #- CN # China
+    #- IR # Iran
+    #- SA # Saudi Arabia
+```
+
+<!--ENDROLEVARS-->
diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml
@@ -1,26 +1,27 @@
 ---
-rate_limit: 200
+rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
 aws_acl:
-  name: "dummy_master_acl"
-  scope: "CLOUDFRONT" # Can be "REGIONAL" for ALBs
-  region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped
+  name: example_master_acl
+  scope: CLOUDFRONT # Can be REGIONAL for ALBs
+  region: us-east-1 # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped
+  tags: {}
 
   ip_allow:
     name: "Allowed-ips"
-    list:
-    - 1.1.1.1/32
-    - 2.2.2.2/32
-    - 3.3.3.3/32
+    list: []
+      #- 1.1.1.1/32 # list of ip ranges
+      #- 2.2.2.2/32
+      #- 3.3.3.3/32
 
   ip_block:
     name: "Blocked-ips"
-    list:
-    - 4.4.4.4/32
-    - 5.5.5.5/32
-    - 6.6.6.6/32
+    list: []
+      #- 4.4.4.4/32 # list of ip ranges
+      #- 5.5.5.5/32
+      #- 6.6.6.6/32
 
-  cc_block_list:
-    - BY # Belarus
-    - CN # China
-    - IR # Iran
-    - SA # Saudi Arabia
+  cc_block_list: []
+    #- BY # Belarus
+    #- CN # China
+    #- IR # Iran
+    #- SA # Saudi Arabia
diff --git a/roles/aws/aws_acl/tasks/main.yml b/roles/aws/aws_acl/tasks/main.yml
@@ -1,11 +1,13 @@
-- name: Define dict for rules
+- name: Define dict for rules.
   ansible.builtin.set_fact:
     _acl_rules: []
 
-- name: Set IP block rule
-  when: aws_acl.ip_block is defined
+- name: Set IP block rule.
+  when:
+    - aws_acl.ip_block is defined
+    - aws_acl.ip_block.list | length > 0
   block:
-    - name: Create IP block set for WAF
+    - name: Create IP block set for WAF.
       community.aws.wafv2_ip_set:
         name: "{{ aws_acl.ip_block.name }}"
         state: present
@@ -16,7 +18,7 @@
         addresses: "{{ aws_acl.ip_block.list }}"
       register: _ip_set_info
 
-    - name: Create IP block rule
+    - name: Create IP block rule.
       ansible.builtin.set_fact:
         ip_block_rule:
         - name: "{{ aws_acl.ip_block.name }}"
@@ -31,14 +33,16 @@
             ip_set_reference_statement:
               arn: "{{ _ip_set_info.arn }}"
 
-    - name: Add rule to list
+    - name: Add rule to list.
       ansible.builtin.set_fact:
         _acl_rules: "{{ _acl_rules + ip_block_rule }}"
 
-- name: Set IP allow rule
-  when: aws_acl.ip_allow is defined
+- name: Set IP allow rule.
+  when:
+    - aws_acl.ip_allow is defined
+    - aws_acl.ip_allow.list | length > 0
   block:
-    - name: Create IP allow set for WAF
+    - name: Create IP allow set for WAF.
       community.aws.wafv2_ip_set:
         name: "{{ aws_acl.ip_allow.name }}"
         state: present
@@ -49,7 +53,7 @@
         addresses: "{{ aws_acl.ip_allow.list }}"
       register: _ip_set_info
 
-    - name: Create IP allow rule
+    - name: Create IP allow rule.
       ansible.builtin.set_fact:
         ip_allow_rule:
         - name: "{{ aws_acl.ip_allow.name }}"
@@ -64,12 +68,14 @@
             ip_set_reference_statement:
               arn: "{{ _ip_set_info.arn }}"
 
-    - name: Add rule to list
+    - name: Add rule to list.
       ansible.builtin.set_fact:
         _acl_rules: "{{ _acl_rules + ip_allow_rule }}"
 
-- name: Set country block rule
-  when: aws_acl.cc_block_list is defined
+- name: Set country block rule.
+  when:
+    - aws_acl.cc_block_list is defined
+    - aws_acl.cc_block_list | length > 0
   block:
     - name: Create country block rule
       ansible.builtin.set_fact:
@@ -91,10 +97,12 @@
         _acl_rules: "{{ _acl_rules + cc_block_rule }}"
 
 # Workaround for rate limit rule in ACL (any variable gets interpreted as string instead of int)
-- name: Set rate limit variable
-  when: rate_limit is defined
+- name: Set rate limit variable.
+  when:
+    - rate_limit is defined
+    - rate_limit > 0
   block:
-    - name: Define rate rule
+    - name: Define rate rule.
       ansible.builtin.set_fact:
         rate_rule:
         - name: rate_limit
@@ -110,11 +118,11 @@
               limit: "{{ rate_limit }}"
               aggregate_key_type: IP
 
-    - name: Add rule to list
+    - name: Add rule to list.
       ansible.builtin.set_fact:
         _acl_rules: "{{ _acl_rules + rate_rule}}"
 
-- name: Create web acl
+- name: Create web acl.
   community.aws.wafv2_web_acl:
     name: "{{ aws_acl.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$
     description: "WAF protecting the {{ _domain_name }}"
@@ -126,13 +134,11 @@
     metric_name: test-metric-name # not sure about this name, since each rule also has it's own metrics name (maybe log group name)
     rules: "{{ _acl_rules }}"
     purge_rules: true
-#    tags:
-#      A: B
-#      C: D
+    tags: "{{ aws_acl.tags }}"
     state: present
   register: _created_acl
 
-- name: Add WAF to ALB
+- name: Add WAF to ALB.
   community.aws.wafv2_resources:
     name: "{{ aws_acl.name }}"
     scope: REGIONAL

diff --git a/roles/aws/aws_cloudfront_distribution/README.md b/roles/aws/aws_cloudfront_distribution/README.md
@@ -7,32 +7,6 @@ Creates a new AWS CloudFront distribution (CDN) for content delivery.
 ## Default variables
 ```yaml
 ---
-# Uncomment cf_acl to create firewall rules for Cloudfront distro
-#rate_limit: 600 # rate_limit needs to be standalone variable to avoid casting issues (it will be considrate as string instead of int)
-#cf_acl:
-#  acl_name: "dummy_master_acl"
-#  scope: "CLOUDFRONT" # Can be "REGIONAL"
-#  region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped
-#
-#  ip_allow
-#    name: "Allowed-ips"
-#    list:
-#    - 1.1.1.1/32
-#    - 2.2.2.2/32
-#    - 3.3.3.3/32
-#
-#  ip_block:
-#    name: "Blocked-ips"
-#    list:
-#    - 4.4.4.4/32
-#    - 5.5.5.5/32
-#    - 6.6.6.6/32
-#
-#  cc_block_list:
-#    - BY # Belarus
-#    - CN # China
-#    - IR # Iran
-#    - SA # Saudi Arabia
 aws_cloudfront_distribution:
   aws_profile: "{{ _aws_profile }}"
   region: "{{ _aws_region }}"
@@ -95,11 +69,7 @@ aws_cloudfront_distribution:
   cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required.
   enabled: true
   purge_existing: true # Set to false to append entries instead of replacing them.
-#  logging:
-#    bucket: "" # URL of S3 bucket to store logs
-#    enabled: false # Set true to allow logging
-#    include_cookies: false # Set true to add cookies in logs
-#    prefix: "" # Prefix for S3 object names
+
 ```
 
 <!--ENDROLEVARS-->