Role wazuh-ansible-agent not idempotent when installing from repository #1240

lupa95 opened this issue Mar 8, 2024 · 5 comments

lupa95 commented Mar 8, 2024

Expected Behavior

The Ansible role wazuh-ansible-agent should not show changes on subsequent runs without changing the configuration.

Actual Behavior

The Ansible role wazuh-ansible-agent is not idempotent and will always show at least one change when installing from apt repositories.

The role first adds an apt repository here and later removes the repository here.

The next playbook run will add and remove the repository again. I didn't test it for RedHat, but judging from the code it should be the same behavior.

I would rather not see any changes on subsequent runs and keep the repository configured on my host. Is this behavior intended?

IMO the cleanup task should be optional or removed.

Steps to Reproduce the Problem

  1. Download role and vars files
  2. Run playbook, e.g.

```yaml
- hosts: localhost
  connection: local
  gather_facts: true
  become: true

  roles:
    - ansible-wazuh-agent
```

  3. Run playbook again --> shows changes

Specifications

  • OS: Ubuntu 22.04
  • Tag: v4.7.3
  • Ansible version: 2.16.3
@davidcr01 (Contributor)

Hello.

Yes, the behavior you comment on is the expected behavior. We add and remove the Wazuh APT/RPM repository to avoid upgrading a Wazuh component accidentally.

If the repository is kept in the source list and if you run the apt-get upgrade or the yum upgrade command, you could upgrade a Wazuh component (indexer, manager, dashboard, or agent in your specific case) accidentally, and this could lead to a non-desirable environment or configuration. We prefer that the user manually upgrades a Wazuh component when it is actually the desired action.

lupa95 commented Mar 11, 2024

Hey, thank you for the clarification.

I understand that accidentally upgrading Wazuh components is a risk, but removing the repository source to prevent that does not seem to be a great solution to me.

What do you think about locking the package version in the package manager (Something like apt-mark hold or yum version-lock)?

You would need some additional tasks that do the unlock/lock operations when you actually upgrade the version via Ansible, but this should solve the idempotency issue and keep hosts safe from getting their Wazuh components unintentionally upgraded.

@davidcr01 (Contributor)

Hello.

From the team, we do not have plans to change the way this is performed. I kindly suggest you open a Pull Request to perform the necessary changes and the team will review it and merge it if applicable. https://github.com/wazuh/wazuh-ansible/pulls

dlouzan commented Apr 9, 2024

@lupa95 @davidcr01 Would it be a better approach to just enable the repository for the actual task coupled with a fixed version on install? I know that this is at least possible for dnf.

That means, the repository is installed but disabled, and is only enabled for the specific dnf task, e.g. we have something like:

```yaml
- name: Add repository source for wazuh-agent (disabled to avoid unintended version bumps on updates)
  yum_repository:
    name: wazuh
    description: Wazuh EL Repository
    baseurl: https://packages.wazuh.com/4.x/yum/
    gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
    mode: u=rw,go=r
    gpgcheck: true
    protect: true
    skip_if_unavailable: true
    enabled: false

- name: Install package wazuh-agent
  dnf:
    name: "wazuh-agent-{{ wazuh_agent_package_version }}*"
    state: latest
    enablerepo: wazuh
```

@jonhattan

@dlouzan there's no way to disable an apt repository. A workaround may be to rename the file.
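The apt-side counterpart of the two ideas above (lupa95's `apt-mark hold` suggestion and dlouzan's keep-the-repo-but-pin approach), as an added example that is not code from the wazuh-ansible role: the repository stays configured, the agent is held with `dpkg_selections` so `apt-get upgrade` skips it, and the hold is only released when an explicit variable requests a version change, so repeated runs report no changes. The apt repository URL `https://packages.wazuh.com/4.x/apt/`, the keyring path and the variables `wazuh_agent_version` / `wazuh_agent_upgrade` are assumptions, not values from this issue.

```yaml
# Added example, not the wazuh-ansible role's own tasks.
# Assumed: apt >= 1.4 (accepts an ASCII-armored key via signed-by),
# repo URL https://packages.wazuh.com/4.x/apt/, and the two vars below.
- hosts: localhost
  connection: local
  become: true
  vars:
    wazuh_agent_version: "4.7.3-1"   # constructed example value
    wazuh_agent_upgrade: false       # set to true only when a version move is intended
  tasks:
    - name: Ensure the apt keyring directory exists
      ansible.builtin.file:
        path: /etc/apt/keyrings
        state: directory
        mode: "0755"

    - name: Fetch the Wazuh signing key (referenced through signed-by, no apt-key)
      ansible.builtin.get_url:
        url: https://packages.wazuh.com/key/GPG-KEY-WAZUH
        dest: /etc/apt/keyrings/wazuh.asc
        mode: "0644"

    - name: Keep the Wazuh repository configured instead of removing it after install
      ansible.builtin.apt_repository:
        repo: "deb [signed-by=/etc/apt/keyrings/wazuh.asc] https://packages.wazuh.com/4.x/apt/ stable main"
        filename: wazuh
        state: present

    - name: Release the hold only when an upgrade is explicitly requested
      ansible.builtin.dpkg_selections:
        name: wazuh-agent
        selection: install
      when: wazuh_agent_upgrade | bool

    - name: Install the pinned agent version (no change when already installed)
      ansible.builtin.apt:
        name: "wazuh-agent={{ wazuh_agent_version }}"
        state: present
        update_cache: true

    - name: Hold wazuh-agent so apt-get upgrade / unattended-upgrades leave it alone
      ansible.builtin.dpkg_selections:
        name: wazuh-agent
        selection: hold
```

On a second run with `wazuh_agent_upgrade: false` every task reports `ok`; the unhold/hold pair only reports changes on a run that deliberately moves `wazuh_agent_version`.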
