---
# ============================================================================
# Sophos WAF Role - Main Tasks
# ============================================================================

- name: Display WAF configuration overview
  ansible.builtin.debug:
    msg:
      - "======================================"
      - "Configuring Web Application Firewall"
      - "======================================"
      - "Firewall: {{ inventory_hostname }}"
      - "Backends: {{ sophos_waf_backends | default([]) | length }}"
      - "Policies: {{ sophos_waf_policies | default([]) | length }}"
      - "Virtual Hosts: {{ sophos_waf_virtual_hosts | default([]) | length }}"
      - "Exceptions: {{ sophos_waf_exceptions | default([]) | length }}"
  tags: ['always']

- name: Configure WAF backend servers
  ansible.builtin.uri:
    url: "https://{{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}/webconsole/APIController"
    method: POST
    validate_certs: "{{ sophos_validate_certs }}"
    headers:
      Content-Type: "application/x-www-form-urlencoded"
    body: "reqxml={{ lookup('template', 'waf_backend.json.j2') | urlencode }}"
    status_code: [200, 201]
    timeout: "{{ sophos_api_timeout }}"
  loop: "{{ sophos_waf_backends | default([]) }}"
  loop_control:
    label: "{{ item.name }}"
  when: sophos_waf_backends is defined and sophos_waf_backends | length > 0
  no_log: "{{ sophos_no_log_sensitive }}"
  tags: ['waf', 'backends']

- name: Configure WAF protection policies
  ansible.builtin.uri:
    url: "https://{{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}/webconsole/APIController"
    method: POST
    validate_certs: "{{ sophos_validate_certs }}"
    headers:
      Content-Type: "application/x-www-form-urlencoded"
    body: "reqxml={{ lookup('template', 'waf_policy.json.j2') | urlencode }}"
    status_code: [200, 201]
    timeout: "{{ sophos_api_timeout }}"
  loop: "{{ sophos_waf_policies | default([]) }}"
  loop_control:
    label: "{{ item.name }}"
  when: sophos_waf_policies is defined and sophos_waf_policies | length > 0
  no_log: "{{ sophos_no_log_sensitive }}"
  tags: ['waf', 'policies']

- name: Configure WAF virtual hosts
  ansible.builtin.uri:
    url: "https://{{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}/webconsole/APIController"
    method: POST
    validate_certs: "{{ sophos_validate_certs }}"
    headers:
      Content-Type: "application/x-www-form-urlencoded"
    body: "reqxml={{ lookup('template', 'waf_policy.json.j2') | urlencode }}"
    status_code: [200, 201]
    timeout: "{{ sophos_api_timeout }}"
  loop: "{{ sophos_waf_virtual_hosts | default([]) }}"
  loop_control:
    label: "{{ item.name }} ({{ item.domain }})"
  when: sophos_waf_virtual_hosts is defined and sophos_waf_virtual_hosts | length > 0
  no_log: "{{ sophos_no_log_sensitive }}"
  tags: ['waf', 'virtual-hosts']

- name: Configure WAF exceptions
  ansible.builtin.uri:
    url: "https://{{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}/webconsole/APIController"
    method: POST
    validate_certs: "{{ sophos_validate_certs }}"
    headers:
      Content-Type: "application/x-www-form-urlencoded"
    body: "reqxml={{ lookup('template', 'waf_exception.json.j2') | urlencode }}"
    status_code: [200, 201]
    timeout: "{{ sophos_api_timeout }}"
  loop: "{{ sophos_waf_exceptions | default([]) }}"
  loop_control:
    label: "{{ item.name }}"
  when: sophos_waf_exceptions is defined and sophos_waf_exceptions | length > 0
  no_log: "{{ sophos_no_log_sensitive }}"
  tags: ['waf', 'exceptions']

- name: WAF configuration completed
  ansible.builtin.debug:
    msg: "Web Application Firewall configured successfully"
  tags: ['always']