Assign ressources to applications

[alehaa]

An application can have multiple resources, such as devices, virtual machines, or IP addresses. Especially in emergencies, it's important to identify not only the affected data flows, but also all components involved. Also, having an inventory of all application resources could allow future features of this plugin to show data flows between resources of different application resources.

Scenario:.

For example, during a DDoS attack against service Foo, it's useful to know that hardware servers A and B are affected. Then, NOC personnel can easily identify high CPU or interface usage as being related to this service incident.

Proposed solutions:

1. One can add a special mapping between an application and resources using a GenericForeignKey relationship. However, this introduces a lot of code and forms to manage relationships. Also, future extensions to the NetBox core model will need to be implemented.

2. (Preferred) NetBox already includes the Tenancy feature for grouping all resources of a specific organizational unit, and other groups can be implemented as well. For each application, a Tenant object could be automatically created and bound via a OneToOne relationship. This allows to use the standard NetBox features of assigning resources to the application's virtual Tenant object in all current NetBox forms, even those of plugins using tenancy. The resources could then be visible on the application page like the tenant details, listing all related objects of the virtual tenant.

If accepted, I could work on a PR for this feature.

[Alef-Burzmali]

Solution 1 is more or less what I did with the ObjectAlias and their ObjectAliasTarget linking to IPAddress, Prefix or IPRange objects. The ObjectAliasTarget is needed because it is (was?) not possible to have ManyToMany GenericForeignKey relationships (i.e.: one IPAddress being used in several ObjectAlias/Application). I agree that is not ideal and not easy to maintain with future evolutions of NetBox.

Solution 2 seems like it would distort the meaning of the Tenant object, which could also be hard to maintain if the NetBox model evolves (e.g.: feature request netbox-community/netbox#16125). But I see two additional limitations:

• You can only assign 1 Tenant to a Device (or other models), meaning you could only assign one application to the device/vm/etc. That may be too restrictive for real life environments.
• Because you can only assign 1 Tenant, it would prevent users from assigning the tenant for their intended purposes, i.e.: identifying the client or organizational unit to whom the device belong.

Do you have example of other plugins using tenant in that way?

[Alef-Burzmali]

I see two other potential solutions:

• As the application already lists the associated ObjectAliases, we can list the members of these aliases. However, that would be a list of IP address, ranges and prefixes, and not directly the devices/vm/other associated to them, and we could not list resources that don't have an IP.
• CustomFields can be used to assign one (or several) application to other resources. There are no built-in ways (as far as I know) for the Application object to directly access the resources that point to it, but it's somewhere in the DB and the info can probably be retrieved. I'm not sure if the plugin can automatically create a CustomField in a clean way though.

[alehaa]

To my knowledge there is no other plugin that uses the Tenant object in this way. Although assigning multiple tenants wouldn't be a use case for me, I accept that it might be a problem for other NetBox users.

My fear about using a separate form to map the relationships is that this extra task might be too much of a hassle for users and they won't want to use this feature. Using a custom field might be a solution and I think there's also netbox-community/netbox#14732 to allow plugins to inject additional form fields. If this feature is implemented, we could add a new field like application to most models and duplicate the tenancy logic instead of abusing it directly? So I suggest waiting for the linked feature request to be implemented.