From 84e5328906f566ba56d718312daeb6b19fb568de Mon Sep 17 00:00:00 2001
From: Karim Hamza
Date: Tue, 23 Apr 2019 12:47:00 +0200
Subject: [PATCH] change way of enabling/disabling apache modules for Redhat

use file.comment and file.uncomment builtin states instead of sed command

---
 apache/modules.sls | 40 ++++++++++++++++++++++++++++++----------
 1 file changed, 30 insertions(+), 10 deletions(-)

diff --git a/apache/modules.sls b/apache/modules.sls
index ad6f0aa..b829f79 100644
--- a/apache/modules.sls
+++ b/apache/modules.sls
@@ -31,27 +31,47 @@ a2dismod -f {{ module }}:
 include:
 - apache
+ - apache.config
+ - apache.vhosts.vhost
-{% for module in salt['pillar.get']('apache:modules:enabled', default=hardening_values.modules.enforce_enabled, merge=True) if module not in hardening_values.modules.enforce_disabled %}
-find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^#\)\(\s*LoadModule.{{ module }}_module\)/\2/g' {} \;:
- cmd.run:
- - unless: httpd -M 2> /dev/null | grep "[[:space:]]{{ module }}_module"
- - order: 225
+{% set modules_enabled = salt['pillar.get']('apache:modules:enabled', default=hardening_values.modules.enforce_enabled, merge=True) %}
+{% set conf_files = salt['file.find'](path='/etc/httpd/', type='f', name='*.conf') %}
+
+{% for module in modules_enabled if module not in hardening_values.modules.enforce_disabled %}
+
+{% for conf_file in conf_files if salt['file.search'](path=conf_file, pattern='LoadModule.' ~ module ) %}
+
+enable_{{ module }}_{{ conf_file }}:
+ file.uncomment:
+ - name: {{ conf_file }}
+ - regex: LoadModule.{{ module }}
 - require:
 - pkg: apache
+ - sls: apache.config
+ - sls: apache.vhosts.vhost
 - watch_in:
 - module: apache-restart
+
+{% endfor %}
 {% endfor %}
-{% for module in salt['pillar.get']('apache:modules:disabled', default=hardening_values.modules.enforce_disabled, merge=True) if module not in hardening_values.modules.enforce_enabled %}
-find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^\s*LoadModule.{{ module }}_module\)/#\1/g' {} \;:
- cmd.run:
- - onlyif: httpd -M 2> /dev/null | grep "[[:space:]]{{ module }}_module"
- - order: 225
+{% set modules_disabled = salt['pillar.get']('apache:modules:disabled', default=hardening_values.modules.enforce_disabled, merge=True) %}
+
+{% for module in modules_disabled if module not in hardening_values.modules.enforce_enabled %}
+{% for conf_file in conf_files if salt['file.search'](path=conf_file, pattern='LoadModule.' ~ module ) %}
+
+disable_{{ module }}_{{ conf_file }}:
+ file.comment:
+ - name: {{ conf_file }}
+ - regex: LoadModule.{{ module }}
 - require:
 - pkg: apache
+ - sls: apache.config
+ - sls: apache.vhosts.vhost
 - watch_in:
 - module: apache-restart
+
+{% endfor %}
 {% endfor %}
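Review bot: The new `- regex: LoadModule.{{ module }}` (and the `file.search` pattern that selects conf_files for it) is an unanchored prefix match that dropped the `_module` suffix both old sed expressions carried, so a module name also matches every longer module name sharing that prefix: disabling `auth` would comment out `LoadModule authn_core_module` and `authz_core_module` lines as well, and enabling `proxy` would uncomment every `proxy_*` module. The first case can leave httpd unable to load its configuration, the second loads more modules than the hardening pillar asked for, which is the opposite of what the disabled list is meant to enforce. Restoring the suffix, `- regex: LoadModule.{{ module }}_module`, keeps the old matching, and the selection filter has to change in step, `pattern='LoadModule.' ~ module ~ '_module'`, otherwise a file can be selected whose content the state regex does not match. The same change applies to the `file.comment` state and its `file.search` filter in the disable loop at the end of the hunk.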