F5Networks / f5-ansible

Imperative Ansible modules for F5 BIG-IP products
GNU General Public License v3.0

Bigip_command.py - faking idempotency/conditional plays fail #746

Closed neozoolook closed 6 years ago

neozoolook commented 6 years ago
ISSUE TYPE
COMPONENT NAME

bigip_command.py

ANSIBLE VERSION
ansible 2.5.0
  config file = /root/ansible-bb_cgnat_configuration/ansible.cfg
  configured module search path = [u'/root/ansible-bb_cgnat_configuration/library/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.6 (default, Nov 23 2017, 15:49:48) [GCC 4.8.4]
PYTHON VERSION
python 2.7.6
BIGIP VERSION
Sys::Version
Main Package
  Product     BIG-IP
  Version     13.1.0.4
  Build       0.0.6
  Edition     Point Release 4
  Date        Tue Mar 13 20:10:42 PDT 2018
LIBRARY VERSIONS
bigsuds==1.0.6
f5-sdk==3.0.14
CONFIGURATION

Standard ansible.cfg file.

OS / ENVIRONMENT

Ubuntu 16.04TS

SUMMARY

We had some playbooks written leveraging the bigip_command module that worked fine; however, updates to the module code appear to have broken the use of faking idempotency in the playbook structure. The first portion runs a command to check whether the configuration exists and registers the results; the create command then runs only when the 'was not found' string was seen from the first command.

STEPS TO REPRODUCE
```yaml
---
- name: Check for Exsisting HSL Log Profile {{ profile }}
  bigip_command:
    commands:
      - list security log profile {{ profile }}
    server: "{{ ansible_host }}"
    user: "{{ username }}"
    password: "{{ password }}"
    validate_certs: "no"
  register: result_profile
  delegate_to: localhost

- name: Create HSL Log Profile {{ profile }}
  bigip_command:
    commands:
      - create security log profile {{ profile }} { ip-intelligence { log-publisher {{ publisher }} log-translation-fields enabled } protocol-dns-dos-publisher {{ publisher }} }
      - modify security log profile {{ profile }} network replace-all-with { {{ profile }} {  publisher {{ publisher }} filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled log-ip-errors enabled log-tcp-errors enabled log-tcp-events enabled log-translation-fields enabled } } }
      - modify security log profile {{ profile }} network modify { {{ profile }} { format { field-list { date_time bigip_hostname acl_policy_name acl_rule_name src_ip src_port dest_ip dest_port protocol action drop_reason route_domain sa_translation_pool sa_translation_type translated_dest_ip translated_dest_port translated_ip_protocol translated_route_domain translated_src_ip translated_src_port translated_vlan vlan context_name context_type acl_policy_type dest_geo management_ip_address src_geo } type field-list } } }
      - modify security dos device-config all log-publisher {{ publisher }}
    server: "{{ ansible_host }}"
    user: "{{ username }}"
    password: "{{ password }}"
    validate_certs: "no"
  when: '"was not found" in result_profile.stdout|first'
  delegate_to: localhost
```

EXPECTED RESULTS

Looking at the -vvvv output, we can see that 'was not found' is sent out; however, the second portion of the play fails with an error.

ACTUAL RESULTS
```
TASK [f5_global : Check for Exsisting HSL Log Profile HSL-LOGGING-PROFILE] ********************************************************
task path: /root/ansible-bb_cgnat_configuration/roles/f5_global/tasks/f5_log_profile.yml:2
<localhost> connection transport is rest
Using module file /root/ansible-bb_cgnat_configuration/library/modules/bigip_command.py
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: root
<localhost> EXEC /bin/sh -c '/usr/bin/python && sleep 0'
The full traceback is:
  File "/tmp/ansible_dETVjO/ansible_module_bigip_command.py", line 680, in main
    results = mm.exec_module()
  File "/tmp/ansible_dETVjO/ansible_module_bigip_command.py", line 617, in exec_module
    result = manager.exec_module()
  File "/tmp/ansible_dETVjO/ansible_module_bigip_command.py", line 409, in exec_module
    changed = self.execute()
  File "/tmp/ansible_dETVjO/ansible_module_bigip_command.py", line 483, in execute
    self._check_known_errors(responses)
  File "/tmp/ansible_dETVjO/ansible_module_bigip_command.py", line 523, in _check_known_errors
    raise F5ModuleError(str(resp))

fatal: [zrdm8afcgi01cgi002 -> localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "chdir": null,
            "commands": [
                "list security log profile HSL-LOGGING-PROFILE"
            ],
            "interval": 1,
            "match": "all",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "provider": {
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "server": "172.20.216.250",
                "server_port": 443,
                "ssh_keyfile": null,
                "timeout": 10,
                "transport": "rest",
                "user": "admin",
                "validate_certs": false
            },
            "retries": 10,
            "server": "172.20.216.250",
            "server_port": null,
            "transport": "rest",
            "user": "admin",
            "validate_certs": false,
            "wait_for": null,
            "warn": true
        }
    },
    "msg": "01020036:3: The requested security log profile (/Common/HSL-LOGGING-PROFILE) was not found."
}

PLAY RECAP ************************************************************************************************************************
zrdm8afcgi01cgi002         : ok=6    changed=0    unreachable=0    failed=1
```

caphrim007 commented 6 years ago

@neozoolook this appears to have been added as a measure to better report errors. I will revert it though as it seems to have broken your work.

caphrim007 commented 6 years ago

@neozoolook try now

neozoolook commented 6 years ago

Thanks, will test first thing in AM.

On Jun 5, 2018, at 3:21 PM, Tim Rupp notifications@github.com wrote:

> @neozoolook try now


neozoolook commented 6 years ago

@caphrim007 works like a champ, thanks again!
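
An added example, not part of the original thread or the project's code: a check-then-create play that behaves the same whether bigip_command returns the "was not found" text in `stdout` or fails the task with it in `msg`, the two behaviours seen in this issue. It reuses the variables from the reported playbook; the `profile_missing` fact name and the `validate_certs` value are assumptions.

```yaml
---
# Added example. profile, publisher, ansible_host, username and password are
# the variables from the playbook in the report; profile_missing is a
# hypothetical fact name introduced here.
- name: Check for existing HSL log profile {{ profile }}
  bigip_command:
    commands:
      - list security log profile {{ profile }}
    server: "{{ ansible_host }}"
    user: "{{ username }}"
    password: "{{ password }}"
    validate_certs: "yes"  # assumption: the control host trusts the BIG-IP certificate
  register: result_profile
  delegate_to: localhost
  changed_when: false      # a "list" command does not modify the device
  # Both conditions must hold for the task to fail: the module reported a
  # failure AND the message is something other than the expected "not found".
  failed_when:
    - result_profile.failed | default(false)
    - "'was not found' not in (result_profile.msg | default(''))"

- name: Record whether the profile is missing
  set_fact:
    # Covers both result shapes: error text in msg (module raised) or in the
    # first stdout entry (module returned the tmsh output).
    profile_missing: >-
      {{ 'was not found' in (result_profile.msg | default(''))
         or 'was not found' in (result_profile.stdout | default(['']) | first) }}

- name: Create HSL log profile {{ profile }}
  bigip_command:
    commands:
      - create security log profile {{ profile }} { ip-intelligence { log-publisher {{ publisher }} log-translation-fields enabled } protocol-dns-dos-publisher {{ publisher }} }
    server: "{{ ansible_host }}"
    user: "{{ username }}"
    password: "{{ password }}"
    validate_certs: "yes"  # same assumption as above
  when: profile_missing | bool
  delegate_to: localhost
```

Any other failure of the check task (authentication, connectivity, a different tmsh error) still stops the play, so the create step never runs on an ambiguous result.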