{%- set apache = pillar.get('apache', {}) %} {%- set mod_security = apache.get('mod_security', {}) %} {%- if mod_security.get('manage_config', False) %} include: - apache.mod_security {%- for rule_name, rule_details in mod_security.get('rules', {}).items() %} {%- set rule_set = rule_details.get('rule_set', '') %} {%- set enabled = rule_details.get('enabled', False ) %} {%- if enabled %} /etc/modsecurity/{{ rule_name }}: file.symlink: - target: /usr/share/modsecurity-crs/{{ rule_set }}/{{ rule_name }} - user: {{ apache.rootuser }} - group: {{ apache.rootgroup }} - mode: 755 {%- else %} /etc/modsecurity/{{ rule_name }}: file.absent: - name: /etc/modsecurity/{{ rule_name }} {%- endif %} {%- endfor %} {%- for custom_rule, custom_rule_details in mod_security.get('custom_rule_files', {}).items() %} {%- set file = custom_rule_details.get('file', None) %} {%- set path = custom_rule_details.get('path', None) %} {%- set enabled = custom_rule_details.get('enabled', False ) %} {%- if enabled %} /etc/modsecurity/{{ file }}: file.managed: - source: {{ path }} - user: {{ apache.rootuser }} - group: {{ apache.rootgroup }} - mode: 755 - makedirs: True {%- else %} /etc/modsecurity/{{ file }}: file.absent: - name: /etc/modsecurity/{{ file }} {%- endif %} {%- endfor %} {%- endif %}