From 3e5fad6ba942333212d9cc8b3b597123c384abf6 Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Tue, 22 Sep 2020 19:10:18 +0200
Subject: [PATCH] Fix occasional update_cache idempotence failure (#31)
---
 CHANGELOG.md | 1 +
 tasks/install/install-app-protect.yml | 9 +--------
 tasks/install/{setup-debian.yml => install-debian.yml} | 5 ++++-
 tasks/install/{setup-redhat.yml => install-redhat.yml} | 7 +++++++
 4 files changed, 13 insertions(+), 9 deletions(-)
 rename tasks/install/{setup-debian.yml => install-debian.yml} (90%)
 rename tasks/install/{setup-redhat.yml => install-redhat.yml} (80%)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0790a83d..ef45d783 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ BUG FIXES:
 * Rename handlers to use more specific role related naming and prevent namespace collision issues.
 * Add a `nginx_app_protect_service_modify` variable to revert a breaking change introduced in 0.3.0 where timeouts would not be set by default.
 * Set NGINX handler to `state: restarted` to prevent some compatibility issues when NGINX App Protect is installed on an instance already running NGINX beforehand.
+* Using `update_cache: true` by itself in the `apt` module is not always idempotent. Moved the NGINX App Protect installation task to a corresponding `apt` or `yum` module to avoid this scenario.

 ## 0.3.0 (September 21, 2020)

diff --git a/tasks/install/install-app-protect.yml b/tasks/install/install-app-protect.yml
index 22e75ffa..34101713 100644
--- a/tasks/install/install-app-protect.yml
+++ b/tasks/install/install-app-protect.yml
@@ -14,15 +14,8 @@
 quiet: true
 when: nginx_plus_version is defined

-- name: Set up NGINX App Protect repositories
- include_tasks: "{{ role_path }}/tasks/install/setup-{{ ansible_facts['os_family'] | lower }}.yml"
- when: nginx_app_protect_state != "absent"
-
 - name: Install NGINX App Protect
- package:
- name: "app-protect{{ nginx_app_protect_version | default('') }}"
- state: "{{ nginx_app_protect_state }}"
- notify: (Handler - NGINX App Protect) Run NGINX
+ include_tasks: "{{ role_path }}/tasks/install/install-{{ ansible_facts['os_family'] | lower }}.yml"

 - name: Install latest NGINX App Protect signatures
 package:
diff --git a/tasks/install/setup-debian.yml b/tasks/install/install-debian.yml
similarity index 90%
rename from tasks/install/setup-debian.yml
rename to tasks/install/install-debian.yml
index ca922e53..4412e998 100644
--- a/tasks/install/setup-debian.yml
+++ b/tasks/install/install-debian.yml
@@ -40,6 +40,9 @@
 update_cache: false
 state: "{{ nginx_app_protect_license_status | default ('present') }}"

-- name: (Debian/Ubuntu) Update the apt cache
+- name: (Debian/Ubuntu) Install NGINX App Protect
 apt:
+ name: "app-protect{{ nginx_app_protect_version | default('') }}"
+ state: "{{ nginx_app_protect_state }}"
 update_cache: true
+ notify: (Handler - NGINX App Protect) Run NGINX
diff --git a/tasks/install/setup-redhat.yml b/tasks/install/install-redhat.yml
similarity index 80%
rename from tasks/install/setup-redhat.yml
rename to tasks/install/install-redhat.yml
index f237f3ad..51e0eadf 100644
--- a/tasks/install/setup-redhat.yml
+++ b/tasks/install/install-redhat.yml
@@ -20,3 +20,10 @@
 enabled: true
 gpgcheck: true
 state: "{{ nginx_app_protect_license_status | default ('present') }}"
+
+- name: (CentOS/RHEL) Install NGINX App Protect
+ yum:
+ name: "app-protect{{ nginx_app_protect_version | default('') }}"
+ state: "{{ nginx_app_protect_state }}"
+ update_cache: true
+ notify: (Handler - NGINX App Protect) Run NGINX
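Review bot: In tasks/install/install-app-protect.yml the new `include_tasks` for the per-OS install file carries no `when`, whereas the removed repository include was skipped unless `nginx_app_protect_state != "absent"`. A removal run therefore now executes the repository set-up tasks as well, and the install tasks added in install-debian.yml and install-redhat.yml refresh the package cache (`update_cache: true`) before acting. If the licensed repository is unreachable or its client certificate is no longer present, that refresh would presumably fail before the package is removed. Consider keeping `when: nginx_app_protect_state != "absent"` on the repository tasks inside the per-OS files and using `update_cache: "{{ nginx_app_protect_state != 'absent' }}"` on the two install tasks. The include path is also built from `ansible_facts['os_family']` with no visible fallback, so an unsupported family ends in a missing-file error unless a check outside this hunk rejects it earlier.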
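Review bot: In tasks/install/install-debian.yml, and in the matching task added to install-redhat.yml, the package name is built as `app-protect{{ nginx_app_protect_version | default('') }}` with no separator, so the variable itself has to carry `=` for apt and `-` for yum. Now that the install task is split per package manager, this is worth stating next to each task, for example `# nginx_app_protect_version must start with "=" (apt version separator)` here and the `-` equivalent above the yum task. The variable's own documentation is not visible in this diff, so this may already be covered elsewhere. Both tasks are appended to files whose earlier tasks lie outside the hunks.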