Always update NAP dependencies to the latest available version (#133)

Author: alessfg

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 0.6.2 (Unreleased)
+
+ENHANCEMENTS:
+
+Move non NGINX App Protect specific dependencies from the role into the Molecule Dockerfile.
+
+BUG FIXES:
+
+Always update NGINX App Protect dependencies to the latest available version to avoid outdated dependency issues (e.g. outdated CA certificates).
+
 ## 0.6.1 (September 30, 2021)
 
 KNOWN ISSUES:

molecule/Dockerfile.j2

@@ -17,15 +17,15 @@ ENV {{ var }} {{ value }}
 RUN \
   if [ $(command -v apt-get) ]; then \
     apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash ca-certificates curl iproute2 python-apt python3 python3-apt procps sudo systemd systemd-sysv vim \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash curl dirmngr iproute2 python3 python3-apt procps sudo systemd systemd-sysv vim \
     && apt-get clean; \
   elif [ $(command -v dnf) ]; then \
     dnf makecache \
     && dnf --assumeyes install bash iproute sudo /usr/bin/dnf-3 /usr/bin/python3 /usr/bin/python3-config vim \
     && dnf clean all; \
   elif [ $(command -v yum) ]; then \
     yum makecache fast \
-    && yum install -y bash iproute sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl initscripts \
+    && yum install -y bash iproute initscripts sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl \
     && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf \
     && yum clean all; \
   elif [ $(command -v zypper) ]; then \
@@ -34,10 +34,10 @@ RUN \
     && zypper clean -a; \
   elif [ $(command -v apk) ]; then \
     apk update \
-    && apk add --no-cache bash ca-certificates curl openrc python3 sudo vim; \
+    && apk add --no-cache bash curl openrc python3 sudo vim; \
     echo 'rc_provide="loopback net"' >> /etc/rc.conf; \
   elif [ $(command -v xbps-install) ]; then \
     xbps-install -Syu \
-    && xbps-install -y bash ca-certificates iproute2 python3 sudo vim \
+    && xbps-install -y bash iproute2 python3 sudo vim \
     && xbps-remove -O; \
   fi

molecule/advanced/requirements.yml

@@ -1,6 +1,6 @@
 ---
 roles:
   - name: nginxinc.nginx
-    version: 0.21.1
+    version: 0.21.2
   - name: robertdebock.rsyslog
     version: 3.2.0

molecule/default/requirements.yml

@@ -1,4 +1,4 @@
 ---
 roles:
   - name: nginxinc.nginx
-    version: 0.21.1
+    version: 0.21.2

molecule/dos/molecule.yml

@@ -10,13 +10,34 @@ lint: |
   yamllint .
   ansible-lint --force-color
 platforms:
+  - name: centos-7
+    image: centos:7
+    dockerfile: ../Dockerfile.j2
+    privileged: true
+    volumes:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+    command: "/usr/sbin/init"
   - name: debian-buster
     image: debian:buster-slim
     dockerfile: ../Dockerfile.j2
     privileged: true
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/sbin/init"
+  - name: ubuntu-bionic
+    image: ubuntu:bionic
+    dockerfile: ../Dockerfile.j2
+    privileged: true
+    volumes:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+    command: "/sbin/init"
+  - name: ubuntu-focal
+    image: ubuntu:focal
+    dockerfile: ../Dockerfile.j2
+    privileged: true
+    volumes:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+    command: "/sbin/init"
 provisioner:
   name: ansible
   playbooks:

molecule/dos/requirements.yml

@@ -1,4 +1,4 @@
 ---
 roles:
   - name: nginxinc.nginx
-    version: 0.21.1
+    version: 0.21.2

molecule/specific-version/requirements.yml

@@ -1,4 +1,4 @@
 ---
 roles:
   - name: nginxinc.nginx
-    version: 0.21.1
+    version: 0.21.2

tasks/common/prerequisites/install-dependencies.yml

@@ -3,27 +3,26 @@
   apk:
     name: "{{ nginx_app_protect_alpine_dependencies }}"
     update_cache: true
-  ignore_errors: "{{ ansible_check_mode }}"
+    state: latest  # noqa package-latest
   when: ansible_os_family == "Alpine"
 
 - name: (Debian/Ubuntu) Install package dependencies
   apt:
     name: "{{ nginx_app_protect_debian_dependencies }}"
     update_cache: true
+    state: latest  # noqa package-latest
   when: ansible_os_family == "Debian"
 
-- name: (CentOS) Install package dependencies
+- name: (Amazon Linux/CentOS/RHEL) Install package dependencies
   yum:
-    name: "{{ nginx_app_protect_centos_dependencies }}"
-  when: ansible_distribution == "CentOS"
+    name: "{{ nginx_app_protect_redhat_dependencies }}"
+    update_cache: true
+    state: latest  # noqa package-latest
+  when: ansible_os_family == "RedHat"
 
-- name: (RHEL) Install dependencies
+- name: (RHEL) Set up RHEL specific repositories
   block:
-    - name: (RHEL) Install package dependencies
-      yum:
-        name: "{{ nginx_app_protect_rhel_dependencies }}"
-
-    - name: (RHEL) Set up RHEL repository
+    - name: (RHEL) Install extended dependencies from CentOS repositories
       yum_repository:
         name: CentOS-7
         baseurl: "http://ftp.heanet.ie/pub/centos/{{ ansible_distribution_major_version }}/os/$basearch/"
@@ -35,28 +34,16 @@
         state: "{{ nginx_app_protect_license_status | default ('present') }}"
       when: not nginx_app_protect_use_rhel_subscription_repos | bool
 
-    - name: (RHEL) Install package dependencies from your RHEL subscription
-      yum:
+    - name: (RHEL) Install extended dependencies from RHEL subscription repositories
+      rhsm_repository:
         name:
-          - rhel-7-server-optional-rpms
           - rhel-7-server-rpms
+          - rhel-7-server-optional-rpms
       when: nginx_app_protect_use_rhel_subscription_repos | bool
   when: ansible_distribution == "RedHat"
 
-- name: (Amazon Linux) Install dependencies
-  block:
-    - name: (Amazon Linux) Enable amazon-linux-extras packages
-      command: "amazon-linux-extras enable {{ item }}"
-      changed_when: false
-      loop: "{{ nginx_app_protect_amazon_extras_packages }}"
-
-    - name: (Amazon Linux) Clean Yum Metadata
-      command: yum clean metadata
-      changed_when: false
-      args:
-        warn: false
-
-    - name: (Amazon Linux) Install package dependencies
-      yum:
-        name: "{{ nginx_app_protect_amazon_dependencies }}"
+- name: (Amazon Linux) Set up Amazon Linux Extras repositories
+  command: "amazon-linux-extras enable {{ item }}"
+  changed_when: false
+  loop: "{{ nginx_app_protect_amazon_extras }}"
   when: ansible_distribution == "Amazon"

vars/main.yml

@@ -2,64 +2,54 @@
 # NGINX App Protect WAF platform matrix. Populate this dictionary of lists with appropriate values from ansible_distribution and ansible_distribution_version facts
 nginx_app_protect_waf_linux_families:
   alpine: [
-    "3.10",
+    '3.10',
   ]
   amazon: [
-    "2",
+    '2',
   ]
   debian: [
-    "10",
+    '10',
   ]
   centos: [
-    "7.4", "7.5", "7.6", "7.7", "7.8", "7.9",
+    '7.4', '7.5', '7.6', '7.7', '7.8', '7.9',
   ]
   redhat: [
-    "7.4", "7.5", "7.6", "7.7", "7.8", "7.9",
+    '7.4', '7.5', '7.6', '7.7', '7.8', '7.9',
   ]
   ubuntu: [
-    "18.04", "20.04",
+    '18.04', '20.04',
   ]
 
 # NGINX App Protect DoS platform matrix. Populate this dictionary of lists with appropriate values from ansible_distribution and ansible_distribution_version facts
 nginx_app_protect_dos_linux_families:
   centos: [
-    "7.4", "7.5", "7.6", "7.7", "7.8", "7.9",
+    '7.4', '7.5', '7.6', '7.7', '7.8', '7.9',
   ]
   debian: [
-    "10",
+    '10',
   ]
   ubuntu: [
-    "18.04", "20.04",
+    '18.04', '20.04',
   ]
 
 # Alpine Linux dependencies
 nginx_app_protect_alpine_dependencies: [
-  "python3",
+  'ca-certificates',
 ]
 
 # Debian dependencies
 nginx_app_protect_debian_dependencies: [
-  "apt-transport-https", "ca-certificates", "dirmngr",
+  'apt-transport-https', 'ca-certificates',
 ]
 
-# CentOS dependencies
-nginx_app_protect_centos_dependencies: [
-  "ca-certificates", "epel-release", "openssl",
-]
-
-# RHEL dependencies
-nginx_app_protect_rhel_dependencies: [
-  "ca-certificates", "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm", "openssl",
-]
-
-# Amazon Linux 2 dependencies
-nginx_app_protect_amazon_dependencies: [
-  "ca-certificates", "epel-release",
+# Red Hat dependencies
+nginx_app_protect_redhat_dependencies: [
+  'ca-certificates', 'https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm',
 ]
 
 # Amazon Linux 2 extras
-nginx_app_protect_amazon_extras_packages: [
-  "epel", "selinux-ng",
+nginx_app_protect_amazon_extras: [
+  'selinux-ng',
 ]
 
 # Choose where to fetch the NGINX App Protect and Security Updates signing keys from.