F5Networks / f5-ansible-bigip

Declarative Ansible collection for managing F5 BIG-IP/BIG-IQ.

bigip_ssl_csr: does not support relative paths in dest parameter #68

Open ncasperson opened 1 year ago

ncasperson commented 1 year ago
COMPONENT NAME

f5networks.f5_bigip bigip_ssl_csr https://clouddocs.f5.com/products/orchestration/ansible/devel/f5_bigip/modules_2_0/bigip_ssl_csr_module.html

Environment

ANSIBLE VERSION

```
$ ansible --version
ansible [core 2.14.2]
  config file = /net_home/username/work/f5/ansible.cfg
  configured module search path = ['/net_home/username/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /net_home/username/work/f5/collections
  executable location = /usr/bin/ansible
  python version = 3.11.2 (main, Jun  6 2023, 07:39:01) [GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] (/usr/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
```

BIGIP VERSION

```
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3.3
  Build       0.0.3
  Edition     Point Release 3
  Date        Thu Dec 22 12:07:59 PST 2022
```

CONFIGURATION

OS / ENVIRONMENT

N/A

SUMMARY

In the bigip_ssl_csr module, when using a relative path value for the dest parameter, the object in the BIG-IP is created under sys crypto csr; however, Ansible does not create the CSR file and the task fails. Relative paths work in the dest parameter of other F5 Ansible modules.

STEPS TO REPRODUCE

```yaml
- hosts: all
  collections:
    - f5networks.f5_bigip
  connection: httpapi

  vars:
    ansible_user: "admin"
    ansible_httpapi_password: "secret"
    ansible_httpapi_port: 443
    ansible_network_os: f5networks.f5_bigip.bigip
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no

  tasks:
    - name: Create an SSL csr
      bigip_ssl_csr:
        name: csr-name
        key_name: /Common/existing.key
        common_name: csr-name
        #dest: /tmp/csr-name   # this works
        dest: folder/csr-name  # this fails
        state: present
```

EXPECTED RESULTS

```
[user.name@ansible f5]$ ls -la folder/
[user.name@ansible f5]$
[user.name@ansible f5]$ ansible-playbook --inventory ./inventories/inventory.ini testplaybook.yml -vvv
PLAYBOOK: testplaybook.yml *******************************************************************
1 plays in testplaybook.yml

PLAY [bigip] *************************************************************************************
TASK [Create an SSL csr] ************************************************************************
task path: /net_home/user.name/work/f5/testplaybook.yml:16
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
changed: [bigip] => changed=true
  common_name: csr-name
  invocation:
    module_args:
      challenge_password: null
      city: null
      common_name: csr-name
      country: null
      dest: /tmp/csr-name
      email_address: null
      key_name: /Common/existing.key
      name: csr-name
      organization: null
      ou: null
      partition: Common
      province: null
      state: present

PLAY RECAP ********************************************************************************
bigip : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

[user.name@ansible f5]$ ls folder
[user.name@ansible f5]$ ls /tmp/csr-name
/tmp/csr-name
[user.name@ansible f5]$
```

ACTUAL RESULTS

```
TASK [Create an SSL csr] ***********************************************************
task path: /net_home/user.name/work/f5/testplaybook.yml:16
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
fatal: [bigip]: FAILED! => changed=false
  module_stderr: '[Errno 2] No such file or directory: ''folder/csr-name'''
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error

PLAY RECAP ***********************************************************************
bigip : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
[user.name@ansible f5]$ ls folder/
[user.name@ansible f5]$
```

pgouband commented 1 year ago

Hi @ncasperson,

Have you tried the following?

```yaml
- hosts: all
  collections:
    - f5networks.f5_bigip
  connection: httpapi

  vars:
    ansible_user: "admin"
    ansible_httpapi_password: "secret"
    ansible_httpapi_port: 443
    ansible_network_os: f5networks.f5_bigip.bigip
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no

  tasks:
    - name: Create an SSL csr
      bigip_ssl_csr:
        name: csr-name
        key_name: /Common/existing.key
        common_name: csr-name
        #dest: /tmp/csr-name   # this works
        dest: folder/  # this fails
        state: present
```

And is the "folder" created in the directory where you run the ansible command?

ncasperson commented 1 year ago

@pgouband

Q: Have you tried the following? dest: folder/

A: dest needs the path including the filename. I added some results below:

| Parameter (dest) Value | Test Result |
|---|---|
| /tmp/csr-name | works with absolute path |
| ~/work/f5/folder/csr-name | works with ~ user home variable |
| folder/ | fails module_stderr: '[Errno 21] Is a directory: ''folder/''' |
| folder/csr-name | fails module_stderr: '[Errno 2] No such file or directory: ''folder/csr-name''' |
| ./folder/csr-name | fails module_stderr: '[Errno 2] No such file or directory: ''./folder/csr-name''' |

Confirming that folder exists and is writable:

```
[user.name@ansible f5]$ ls folder/
[user.name@ansible f5]$ ls -la
...
drwxrwxrwx.  2 user.name user.name  4096 Jul  6 20:40 folder
```

Q: And the "folder" is created on the directory you run the ansible command?

A: If the folder does not exist it does not create one:

```
TASK [Create an SSL csr] ********************************
task path: /net_home/user.name/work/f5/testplaybook.yml:15
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
The full traceback is:
  File "/net_home/user.name/work/f5/collections/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_ssl_csr.py", line 531, in main
    results = mm.exec_module()
              ^^^^^^^^^^^^^^^^
  File "/net_home/user.name/work/f5/collections/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_ssl_csr.py", line 304, in exec_module
    changed = self.present()
              ^^^^^^^^^^^^^^
  File "/net_home/user.name/work/f5/collections/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_ssl_csr.py", line 325, in present
    raise F5ModuleError(
fatal: [bigip]: FAILED! => changed=false
  invocation:
    module_args:
      challenge_password: null
      city: null
      common_name: csr-name
      country: null
      dest: folder/csr-name
      email_address: null
      key_name: /Common/existing.key
      name: csr-name
      organization: null
      ou: null
      partition: Common
      province: null
      state: present
  msg: The directory of your 'dest' file does not exist.
```

pgouband commented 1 year ago

Hi @ncasperson,

The error message is saying the directory does not exist and in your first test it's the same kind of message (file or directory doesn't exist). Could you create it before running TF?

ncasperson commented 12 months ago

Hi @pgouband, the directory does exist and is writable:

```
[user.name@ansible f5]$ ls -la
...
drwxrwxrwx.  2 user.name user.name  4096 Jul  6 20:40 folder
```
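
Added example, not part of the thread and not code from the f5_bigip collection: a sketch of how a relative `dest` can fail with `[Errno 2]` even though the folder exists, when the write runs in a process whose working directory differs from the playbook directory, and how resolving `dest` to an absolute path first avoids it. That a working-directory mismatch is the cause here is an assumption the thread does not confirm; `resolve_dest`, `demo` and the directory names are hypothetical.

```python
import os
import tempfile


def resolve_dest(dest, base_dir):
    """Hypothetical helper: absolute file path for dest, anchored at base_dir."""
    path = os.path.expanduser(dest)              # "~/work/..." case from the thread
    if not os.path.isabs(path):                  # "folder/x" and "./folder/x" cases
        path = os.path.join(base_dir, path)
    path = os.path.normpath(path)
    if dest.endswith(os.sep) or os.path.isdir(path):
        raise ValueError(f"dest must include a file name: {dest!r}")
    if not os.path.isdir(os.path.dirname(path)):
        raise FileNotFoundError(f"directory of dest does not exist: {path}")
    return path


def demo():
    """Constructed scenario: 'folder' exists in the project dir, but the
    write runs in a process whose working directory is somewhere else."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        project = os.path.join(os.path.realpath(root), "project")
        elsewhere = os.path.join(os.path.realpath(root), "elsewhere")
        os.makedirs(os.path.join(project, "folder"))
        os.makedirs(elsewhere)
        saved_cwd = os.getcwd()
        try:
            os.chdir(elsewhere)                  # assumed cwd mismatch
            try:
                open("folder/csr-name", "w").close()
                results["raw_relative"] = "written"
            except FileNotFoundError as exc:
                results["raw_relative"] = f"Errno {exc.errno}"
            target = resolve_dest("folder/csr-name", project)
            with open(target, "w") as fh:
                fh.write("constructed placeholder, not a real CSR\n")
            results["resolved"] = os.path.relpath(target, project)
            results["file_exists"] = os.path.isfile(target)
            try:
                resolve_dest("folder/", project)  # the "Is a directory" case
            except ValueError:
                results["directory_dest"] = "rejected"
        finally:
            os.chdir(saved_cwd)
    return results


if __name__ == "__main__":
    print(demo())
```

On the playbook side, an absolute value such as `dest: "{{ playbook_dir }}/folder/csr-name"` takes the same route as the `/tmp/csr-name` case that the thread reports as working.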