SalesAmerSP / bigiq_auto_reconciliation

Python scripts that automatically rediscover and reimport all devices into F5's BIG-IQ Central Manager

Script showing device has ASM configured and re-discovery fails even when ASM is not provisioned #8

Closed grobf5 closed 1 month ago

grobf5 commented 1 month ago

When running the script, the task fails because 'asm is not provisioned'. ASM is not provisioned on the BIG-IP, but 'asmsecurity' and 'websafesecurity' are listed as provisioned modules.

Device JSON on Gist

grobf5 commented 1 month ago

We need to cue off of the "provisioningInfo" section:

      "provisioningInfo": [
        {
          "name": "afm",
          "deviceReference": {
            "id": "27476c44-6c13-4a20-b4be-dd9faa4a8798",
            "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
            "link": "https://localhost/mgmt/shared/resolver/device-groups/cm-bigip-allBigIpDevices/devices/27476c44-6c13-4a20-b4be-dd9faa4a8798",
            "name": "example.hostname.net",
            "machineId": "27476c44-6c13-4a20-b4be-dd9faa4a8798"
          }
        },
        {
          "name": "ltm",
          "deviceReference": {
            "id": "27476c44-6c13-4a20-b4be-dd9faa4a8798",
            "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
            "link": "https://localhost/mgmt/shared/resolver/device-groups/cm-bigip-allBigIpDevices/devices/27476c44-6c13-4a20-b4be-dd9faa4a8798",
            "name": "example.hostname.net",
            "machineId": "27476c44-6c13-4a20-b4be-dd9faa4a8798"
          }
        },
        {
          "name": "avr",
          "deviceReference": {
            "id": "27476c44-6c13-4a20-b4be-dd9faa4a8798",
            "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
            "link": "https://localhost/mgmt/shared/resolver/device-groups/cm-bigip-allBigIpDevices/devices/27476c44-6c13-4a20-b4be-dd9faa4a8798",
            "name": "example.hostname.net",
            "machineId": "27476c44-6c13-4a20-b4be-dd9faa4a8798"
          }
        },
        {
          "name": "gtm",
          "deviceReference": {
            "id": "27476c44-6c13-4a20-b4be-dd9faa4a8798",
            "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
            "link": "https://localhost/mgmt/shared/resolver/device-groups/cm-bigip-allBigIpDevices/devices/27476c44-6c13-4a20-b4be-dd9faa4a8798",
            "name": "example.hostname.net",
            "machineId": "27476c44-6c13-4a20-b4be-dd9faa4a8798"
          }
        }
      ],

grobf5 commented 1 month ago

Currently pulling list of provisioned modules on this line:

            device_modules_provisioned = current_device['sameDevices'][0]['properties']['cm:gui:module']

      "sameDevices": [
        {
          "uuid": "27476c44-6c13-4a20-b4be-dd9faa4a8798",
          "deviceUri": "https://192.168.1.1:443",
          "machineId": "27476c44-6c13-4a20-b4be-dd9faa4a8798",
          "state": "ACTIVE",
          "address": "192.168.1.1",
          "httpsPort": 443,
          "hostname": "example.hostname.net",
          "version": "17.1.1.2",
          "product": "BIG-IP",
          "edition": "Point Release 2",
          "build": "0.0.10",
          "restFrameworkVersion": "17.1.1.2-0.0.10",
          "managementAddress": "192.168.1.1",
          "mcpDeviceName": "/Common/example.hostname.net",
          "properties": {
            "cm:gui:module": [
              "asmsecurity",
              "websafesecurity",
              "adc",
              "dns",
              "BigIPDevice",
              "networksecurity",
              "device",
              "sharedsecurity"
            ],
            "modules": [
              "ADC",
              "Web Application Security Group",
              "Device",
              "Security"
            ],
            "cm-bigip-allBigIpDevices": {
              "cm:gui:module": [
                "asmsecurity",
                "websafesecurity",
                "adc",
                "dns",
                "BigIPDevice",
                "networksecurity",
                "device",
                "sharedsecurity"
              ],
              "shared:resolver:device-groups:discoverer": "e3abb459-9f1f-45c5-84fa-489b125ebec5",
              "isRestProxyEnabled": "true",
              "modules": [
                "ADC",
                "Web Application Security Group",
                "Device",
                "Security"
              ],
              "clusterName": "mylab"
            },

grobf5 commented 1 month ago

It appears that the list of modules under sameDevice is appended with a module name when discovery is attempted; thus, the list of provisioned modules is inaccurate in this field. I've created a branch with a proposed change. I will test shortly and, if successful, will test in customer environment.

grobf5 commented 1 month ago

This has been resolved. We now look for "True" in SameDevices -> Properties -> (module_reference) -> Discovered to ensure the device has been successfully discovered before.

Modules:

- cm-adccore-allbigipDevices - LTM
- cm-firewall-allFirewallDevices - AFM
- cm-access-allBigIpDevices - APM
- cm-fps-allBigIpDevices - FPS/Websafe
- cm-dns-allBigIpDevices - DNS/GTM
- cm-sslo-allBigIpDevices - SSLO
- cm-asm-allAsmDevices - ASM/AWAF
- cm-security-shared-allSharedDevices - Shared Security (ASM and AFM)
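
Added example, not part of the issue thread or the repository's code: a sketch of the check described in the last comment, selecting modules by a per-group discovered flag instead of the `cm:gui:module` list. The group names are the ones listed above; the key name `discovered`, its value type (boolean or string), the function names and the sample device are assumptions constructed for illustration.

```python
# Added example, not the repository's code. Group names are copied from the
# issue's module list; the "discovered" key name and its value type are assumptions.
MODULE_GROUPS = {
    "cm-adccore-allbigipDevices": "LTM",
    "cm-firewall-allFirewallDevices": "AFM",
    "cm-access-allBigIpDevices": "APM",
    "cm-fps-allBigIpDevices": "FPS/Websafe",
    "cm-dns-allBigIpDevices": "DNS/GTM",
    "cm-sslo-allBigIpDevices": "SSLO",
    "cm-asm-allAsmDevices": "ASM/AWAF",
    "cm-security-shared-allSharedDevices": "Shared Security",
}


def _is_true(value):
    """Accept a JSON boolean or a string such as "true"/"True"."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def discovered_modules(device):
    """Return module groups whose per-group entry is marked discovered."""
    same = device.get("sameDevices") or [{}]
    props = same[0].get("properties", {})
    found = []
    for group in MODULE_GROUPS:
        entry = props.get(group)
        if isinstance(entry, dict) and _is_true(entry.get("discovered")):
            found.append(group)
    return found


# Constructed sample shaped like the device JSON in this issue: the GUI module
# list names asmsecurity, but the ASM group was never discovered.
SAMPLE_DEVICE = {
    "sameDevices": [{
        "hostname": "example.hostname.net",
        "properties": {
            "cm:gui:module": ["asmsecurity", "websafesecurity", "adc", "dns"],
            "cm-adccore-allbigipDevices": {"discovered": True},
            "cm-dns-allBigIpDevices": {"discovered": "true"},
            "cm-asm-allAsmDevices": {"discovered": False},
        },
    }]
}

if __name__ == "__main__":
    for group in discovered_modules(SAMPLE_DEVICE):
        print(group, "->", MODULE_GROUPS[group])
```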