F5Networks / f5-ansible

Imperative Ansible modules for F5 BIG-IP products
GNU General Public License v3.0

Change in behavior of bigip_virtual_server 2.6 breaks playbooks #1129

Closed c41m4n closed 5 years ago

c41m4n commented 5 years ago
ISSUE TYPE
COMPONENT NAME

bigip_virtual_server

ANSIBLE VERSION
$ [0] ansible --version
ansible 2.7.4
  config file = /home/exampleuser/ansible-datacenter-prod/ansible.cfg
  configured module search path = [u'/home/exampleuser/ansible-datacenter-dev/my_modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
PYTHON VERSION
$ [0] python -V
Python 2.7.5
BIGIP VERSION
# tmsh show sys version

Sys::Version
Main Package
  Product     BIG-IP
  Version     13.1.1.3
  Build       0.0.1
  Edition     Point Release 3
  Date        Wed Nov 28 18:50:45 PST 2018
LIBRARY VERSIONS
$ [0] pip freeze | egrep '(f5-sdk|bigsuds)'
bigsuds==1.0.6
f5-sdk==3.0.16
CONFIGURATION
OS / ENVIRONMENT
SUMMARY

Prior to Ansible 2.6, the bigip_virtual_server module lacked an 'ip_protocol' parameter; the behavior in this case was that the protocol was set to 'any'. This is desired and expected behavior in my environment. In 2.6, the introduction of ip_protocol changed this behavior and doesn't seem to allow for setting the protocol to 'all' or 'any'.

STEPS TO REPRODUCE
- name: "create-inbound-afm-policy: Create inboundv4 VS"
  delegate_to: localhost
  bigip_virtual_server:
    provider: "{{ f5provider }}"
    state: present
    partition: Common
    name: "SYS-{{ data_class|upper }}-{{ tenant|upper }}-INBOUND-IPv4-FWD_VS"
    description: "Inbound VLAN {{ vlan_id }} traffic"
    source: 0.0.0.0/0
    port: 0
    # ip_protocol: all
    destination: "{{ ipv4_network }}"
    enabled_vlans: "{{ outside_vlan_name }}"
    type: forwarding-ip
    firewall_enforced_policy: "{{ data_class|upper }}-{{ tenant|upper }}-INBOUNDv4_AFM_POLICY"
EXPECTED RESULTS

Prior to Ansible 2.6 the created virtual server had protocol 'any'. This is no longer the default in 2.7 (I haven't tested in 2.6). There is no 'all' or 'any' option to emulate the old behavior.

# list ltm virtual SYS-HIGH-ITS-INBOUND-IPv4-FWD_VS
ltm virtual SYS-HIGH-ITS-INBOUND-IPv4-FWD_VS {
    description "Inbound VLAN 3620 traffic"
    destination 10.92.0.0:any
    fw-enforced-policy HIGH-ITS-INBOUNDv4_AFM_POLICY
    ip-forward
    mask 255.255.255.0
    metadata {
        f5-ansible.last_modified {
            value "2018-12-19 15:43:12.853294"
        }
        f5-ansible.version {
            value 2.7.4
        }
    }
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        DC_NGFW_PUB_P2P
    }
    vlans-enabled
    vs-index 4
}
ACTUAL RESULTS
# list ltm virtual SYS-HIGH-ITS-INBOUND-IPv4-FWD_VS
ltm virtual SYS-HIGH-ITS-INBOUND-IPv4-FWD_VS {
    description "Inbound VLAN 3620 traffic"
    destination 10.92.0.0:any
    fw-enforced-policy HIGH-ITS-INBOUNDv4_AFM_POLICY
    ip-forward
    ip-protocol tcp
    mask 255.255.255.0
    metadata {
        f5-ansible.last_modified {
            value "2018-12-19 15:43:12.853294"
        }
        f5-ansible.version {
            value 2.7.4
        }
    }
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        DC_NGFW_PUB_P2P
    }
    vlans-enabled
    vs-index 4
}
wojtek0806 commented 5 years ago

There is an option to set it to any:

https://github.com/F5Networks/f5-ansible/blob/devel/library/modules/bigip_virtual_server.py#L325

The only exceptions are where the VS is of a specific type that does not support it: https://github.com/F5Networks/f5-ansible/blob/devel/library/modules/bigip_virtual_server.py#L2208

Unless you have a reproduction where you try to set the ip protocol or change it on a VS and you get an error, this is working as intended.
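
An added example, not part of the thread or of the f5-ansible code base: a small audit that reads `tmsh list ltm virtual` output like the two listings in the issue and reports forwarding virtual servers whose protocol match is narrower than 'any', which is the drift described above. The stanza names in the sample are constructed, and treating a missing `ip-protocol` line as 'any' is an assumption taken from the first listing.

```python
import re

# Constructed sample modelled on the issue's two listings (names are made up).
SAMPLE = """\
ltm virtual EXAMPLE-INBOUND-IPv4-FWD_VS {
    destination 10.92.0.0:any
    ip-forward
    ip-protocol tcp
    profiles {
        fastL4 { }
    }
}
ltm virtual EXAMPLE-OUTBOUND-IPv4-FWD_VS {
    destination 10.93.0.0:any
    ip-forward
}
"""

HEADER = re.compile(r"^ltm virtual (\S+) \{$")


def parse_virtuals(text):
    """Return {name: {"ip_forward": bool, "ip_protocol": str}} per stanza."""
    virtuals, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            m = HEADER.match(line)
            # Assumption: no ip-protocol line means "any", as in the listing
            # the issue shows for the pre-2.6 behaviour.
            current = {"ip_forward": False, "ip_protocol": "any"} if m else None
            if m:
                virtuals[m.group(1)] = current
        elif depth == 1 and current is not None:  # top-level properties only
            if line == "ip-forward":
                current["ip_forward"] = True
            elif line.startswith("ip-protocol "):
                current["ip_protocol"] = line.split(None, 1)[1]
        # Track nesting so lines inside metadata/profiles/vlans are ignored.
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth = max(depth - 1, 0)
    return virtuals


def restricted_forwarders(text):
    """Names of forwarding-ip virtual servers that do not match all protocols."""
    return sorted(name for name, vs in parse_virtuals(text).items()
                  if vs["ip_forward"] and vs["ip_protocol"] != "any")
```

Running `restricted_forwarders` over saved listings taken before and after an Ansible upgrade shows which forwarding virtual servers changed their protocol match.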