DIGITAL-723: Update docs re: nginx version in modsecurity build

Author: akf

docs/runbooks/scripts/pipeline/cloud-gov-waf-version.sh.MD

@@ -1,5 +1,11 @@
 ### Runbook for `cloud-gov-waf-version.sh`
 
+#### DEPRECATED!
+
+The script described here has been replaced. We no longer try to determine the `new_nginx_version` dynamically. In the absence of a stable API for buildpack details, this turned out to be too unreliable for the deployment pipeline.
+
+However, something like this might make sense as part of a build-and-commit pipeline to generate a modsecurity bundle for later deployment.
+
 #### Overview
 
 The script `cloud-gov-waf-version.sh` is a bash script designed to check for new versions of an nginx buildpack and update the environment variables accordingly. It also initializes the necessary libraries and checks if there are new versions available. The script runs a series of commands to determine the current and new versions of the nginx buildpack, extracts the relevant nginx version from the GitHub releases page, and makes decisions based on whether an update is necessary.
@@ -66,7 +72,7 @@ current_nginx_version=$(cat /tmp/current_bp_version | pup 'table json{}' | jq -r
 and for the new version:
 
 ```bash
-curl -Ls "https://github.com/cloudfoundry/nginx-buildpack/releases/tag/v${NEW_BP_VERSION}" > /tmp/new_nginx_version 
+curl -Ls "https://github.com/cloudfoundry/nginx-buildpack/releases/tag/v${NEW_BP_VERSION}" > /tmp/new_nginx_version
 declare default_nginx_binary_version
 default_nginx_binary_version=$(cat /tmp/new_nginx_version | pup 'table json{}' | jq -r '.[].children[].children[] | select(.children[].text == "nginx") | select(.children[].text | contains(".x")) | .children[].text' | grep -v nginx | sed 's/.\{1\}$//')
 

docs/runbooks/scripts/pipeline/terraform-build-waf-plugin.sh.MD

@@ -7,7 +7,7 @@ This runbook is for the `terraform-build-waf-plugin.sh` script, which involves b
 
 ##### Variable Checks
 The script begins with checks to ensure the presence of several environment variables, namely:
-- `${new_nginx_version}`
+- `${nginx_version}`
 - `${modsecurity_nginx_version}`
 - `${ubuntu_version}`
 

terraform/applications/nginx-waf/.docker/RUNBOOK.md

@@ -18,12 +18,12 @@ The `Dockerfile` initializes a Docker image that is based on the Ubuntu `jammy`
    ARG ubuntu_version="jammy"
    ```
    These environment variables are important because they allow the builder to specify the exact versions of the components that will be built.
-   
+
       - `modsecurity_nginx_version` is determined by the version of the [OWASP ModSecurity NGINX repo](https://github.com/owasp-modsecurity/ModSecurity-nginx).
       - `nginx_version` is deterimined by the version shipped in version of NGINX buildpack that is in use.  This can be determined by using the `cf buildpacks` command to see what version Cloud.gov is using.  That buildpack version can then be referenced at the [NGINX Buildpack GitHub repository](https://github.com/cloudfoundry/nginx-buildpack/releases) to see what version of NGINX is shipped in that version of the buildpack.
       - `ubuntu_version` is determined by what version of `cflinuxfs` is in use.  As of this documents creation, it is `cflinuxfs4`, based on Ubuntu Jammy.
-    
-  The ModSecurity plugin needs to be build for the specific version of NGINX running.
+
+  The ModSecurity plugin needs to be built for the specific version of NGINX running.
 
 2. **Apt Source List Modification**
    ```
@@ -65,7 +65,7 @@ In addition to the `Dockerfile`, a `Makefile` provides a build pipeline to compi
 
 1. **Building the Docker Image**
    ```
-   docker build --platform linux/amd64 --tag nginx-modsecurity --build-arg=modsecurity_nginx_version=${modsecurity_nginx_version} --build-arg=nginx_version=${new_nginx_version} --build-arg=ubuntu_version=${ubuntu_version} .
+   docker build --platform linux/amd64 --tag nginx-modsecurity --build-arg=modsecurity_nginx_version=${modsecurity_nginx_version} --build-arg=nginx_version=${nginx_version} --build-arg=ubuntu_version=${ubuntu_version} .
    ```
    The Makefile references the arguments for the builds and constructs the Docker image.
 
@@ -92,4 +92,4 @@ In addition to the `Dockerfile`, a `Makefile` provides a build pipeline to compi
 
 - **Incorrect Version Compilation**: You might receive warnings about mismatching versions if the environment variables passed to the Docker build (`modsecurity_nginx_version`, `nginx_version`, and `ubuntu_version`) do not match the expected versions inside the Dockerfile statements.
 
-- **Module Compilation Failure**: If there are issues with the dynamic module compilation step (`make` command), review the configuration and build paths to ensure that there are no typos or missing paths declared within the `Dockerfile`. 
+- **Module Compilation Failure**: If there are issues with the dynamic module compilation step (`make` command), review the configuration and build paths to ensure that there are no typos or missing paths declared within the `Dockerfile`.

terraform/applications/nginx-waf/README.md

@@ -8,8 +8,8 @@ The WAF (Nginx) server is an ingress proxy, routing traffic to various internal
     - `Dockerfile`: Builds the Nginx `modsecurity` plugin.
     - `Makefile`: Builds a new version of the Caddy binary, then copies the resulting binary to the `modules` directory above this one (`../modules`).
 - `modsecurity`: modsecurity configuration, utilizing OWASP CRS.
-    - https://github.com/SpiderLabs/ModSecurity
-    - https://github.com/SpiderLabs/ModSecurity-nginx
+    - https://github.com/owasp-modsecurity/ModSecurity
+    - https://github.com/owasp-modsecurity/ModSecurity-nginx
     - https://github.com/coreruleset/coreruleset/
 - `modules`: Contains the compiled Nginx modsecurity binary.
 - `nginx`: Contains Nginx configuration files.