ansible-collections / arista.eos

Ansible Network Collection for Arista EOS
GNU General Public License v3.0

arista.eos.eos_config Returning incorrect diff for ACLs in configuration sessions #476

Open Random6554 opened 1 year ago

Random6554 commented 1 year ago
SUMMARY

When diffing ACLs using the session configuration such as ansible_XXXXXXXX the diff is not representative of the change it will make. The module is still in the ACL sub command and that change is written to the session config after the module exits. The module is issuing the show session-config diffs command while still in ACL sub-command, hence why the last command (TESTACL6) does not appear in the diff.

test(s2)#conf session ansible
test(s2)(config-s-ansible)#
test(s2)(config-s-ansible)#
test(s2)(config-s-ansible)#ip access-list TESTACL1
test(s2)(config-s-ansible-acl-TESTACL1)#   10 permit tcp any any eq microsoft-ds
test(s2)(config-s-ansible-acl-TESTACL1)#ip access-list TESTACL2
test(s2)(config-s-ansible-acl-TESTACL2)#   10 permit tcp any any eq microsoft-ds
test(s2)(config-s-ansible-acl-TESTACL2)#ip access-list TESTACL3
test(s2)(config-s-ansible-acl-TESTACL3)#   10 permit tcp any any eq microsoft-ds
test(s2)(config-s-ansible-acl-TESTACL3)#ip access-list TESTACL4
test(s2)(config-s-ansible-acl-TESTACL4)#   10 permit tcp any any eq microsoft-ds
test(s2)(config-s-ansible-acl-TESTACL4)#ip access-list TESTACL5
test(s2)(config-s-ansible-acl-TESTACL5)#   10 permit tcp any any eq microsoft-ds
test(s2)(config-s-ansible-acl-TESTACL5)#ip access-list TESTACL6
test(s2)(config-s-ansible-acl-TESTACL6)#   10 permit tcp any any eq microsoft-ds
test(s2)(config-s-ansible-acl-TESTACL6)#show session-config diffs
--- system:/running-config
+++ session:/ansible-session-config
@@ -2989,6 +2989,21 @@
    420 deny tcp any any eq 3268
    430 permit ip any any
 !
+ip access-list TESTACL1
+   10 permit tcp any any eq microsoft-ds
+!
+ip access-list TESTACL2
+   10 permit tcp any any eq microsoft-ds
+!
+ip access-list TESTACL3
+   10 permit tcp any any eq microsoft-ds
+!
+ip access-list TESTACL4
+   10 permit tcp any any eq microsoft-ds
+!
+ip access-list TESTACL5
+   10 permit tcp any any eq microsoft-ds
+!
 ip access-list VIDEO_RTP
    5 permit udp any any eq 8801 dscp 32
    10 remark Pexip Audio/Video RTP
test(s2)(config-s-ansible-acl-TESTACL6)#show session-config | inc TESTACL6
test(s2)(config-s-ansible-acl-TESTACL6)#exit
test(s2)(config-s-ansible)#show session-config | inc TESTACL6
ip access-list TESTACL6
test(s2)(config-s-ansible)#

https://www.arista.com/en/um-eos/eos-acls-and-route-maps#xx1148961 Creating and Modifying Lists

The switch provides configuration modes for creating and modifying ACLs. The command that enters an ACL configuration mode specifies the name of the list that the mode modifies. The switch saves the list to the running configuration when the configuration mode is exited.

ISSUE TYPE
COMPONENT NAME
ANSIBLE VERSION
ansible [core 2.12.4]
COLLECTION VERSION
arista.eos             6.2.1 
CONFIGURATION
- name: EOS - DIFF PARTIAL INTENDED CONFIG AGAINST RUNNING CONFIG
  arista.eos.eos_config:
    src: "../local-outputs/golden-configs/{{ inventory_hostname }}/assembled.cfg"
  when: ansible_network_os == "eos"
  diff: true
  no_log: false
  check_mode: true
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS

The diff should show TESTACL6 as a change/diff

+ip access-list TESTACL1
+   10 permit tcp any any eq microsoft-ds
+!
+ip access-list TESTACL2
+   10 permit tcp any any eq microsoft-ds
+!
+ip access-list TESTACL3
+   10 permit tcp any any eq microsoft-ds
+!
+ip access-list TESTACL4
+   10 permit tcp any any eq microsoft-ds
+!
+ip access-list TESTACL5
+   10 permit tcp any any eq microsoft-ds
+!
+ip access-list TESTACL6
+   10 permit tcp any any eq microsoft-ds
+!
ACTUAL RESULTS
 !
+ip access-list TESTACL1
+   10 permit tcp any any eq microsoft-ds
+!
+ip access-list TESTACL2
+   10 permit tcp any any eq microsoft-ds
+!
+ip access-list TESTACL3
+   10 permit tcp any any eq microsoft-ds
+!
+ip access-list TESTACL4
+   10 permit tcp any any eq microsoft-ds
+!
+ip access-list TESTACL5
+   10 permit tcp any any eq microsoft-ds
+!
 ip access-list VIDEO_RTP
Potential Fix

https://github.com/ansible-collections/arista.eos/blob/8fc41fc33a0cc05c034fd85bb1cb2ca253cb9078/plugins/cliconf/eos.py#L251

Add a return to the config session before sending the diff command. This ensures sub-commands are written to the session config before the diff command is sent. self.send_command("configure session %s" % session)

TheRealBecks commented 12 months ago

@Random6554 I'm not sure if it's an Ansible bug, because you're missing an exit after:

ip access-list TESTACL6
10 permit tcp any any eq microsoft-ds

->

ip access-list TESTACL6
10 permit tcp any any eq microsoft-ds
exit

ACLs will be written into the config (session-config, running-config) after you exit the ACL edit mode. After the exit the show session-config diffs will return the expected result. That's normal behavior in Arista EOS (and that differs from Cisco IOS). That's an EOS feature, so you're able to complete the changes of your ACL before it will be written once into the config.

The exit command is optional if you enter a command to change the config node, e.g. you're in ip access-list TESTACL5 and you're entering ip access-list TESTACL6. Internally the commands exit and afterwards ip access-list TESTACL6 will be executed. At the end it's good practice to always execute an exit so the config node will be written into the config.
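The behaviour both posts describe (ACL lines buffered in a sub-mode until that mode is left, so a diff taken too early under-reports the change) can be modelled and checked offline. The following is an added example, not code from the arista.eos collection or from either commenter: it is a constructed, minimal model of an EOS configuration session with a `send_command` method named after the call the issue quotes, and it compares three ways of taking the diff: immediately after the last ACL line (what the issue reports the module does), after re-issuing `configure session` (the issue's proposed fix), and after an explicit `exit` (the alternative suggested in the comment). The candidate config is the six one-line ACLs from the issue; the running config is assumed empty for brevity.

```python
import difflib
import re

# Constructed sample input: the six single-rule ACLs from the issue, as the
# module would push them line by line (no explicit "exit" at the end).
CANDIDATE = []
for i in range(1, 7):
    CANDIDATE += [f"ip access-list TESTACL{i}", "   10 permit tcp any any eq microsoft-ds"]


class FakeEosSession:
    """Minimal model of an EOS configuration session (constructed for this example).

    Lines typed inside an ACL sub-mode are buffered and only written to the
    session config when that mode is left: by an explicit "exit", by entering
    another "ip access-list" mode, or by re-entering the session itself.
    """

    def __init__(self, running):
        self.running = list(running)
        self.session = list(running)   # the session config starts as a copy of running
        self.in_acl = None             # name of the ACL currently being edited, or None
        self.pending = []              # ACL rule lines not yet written to the session config

    def _flush_acl(self):
        """Leaving ACL mode writes the buffered ACL block into the session config."""
        if self.in_acl is not None:
            self.session += [f"ip access-list {self.in_acl}"] + self.pending + ["!"]
            self.in_acl, self.pending = None, []

    def send_command(self, cmd):
        stripped = cmd.strip()
        if stripped.startswith("configure session"):
            self._flush_acl()          # re-entering the session leaves any ACL sub-mode
            return ""
        m = re.match(r"ip access-list (\S+)$", stripped)
        if m:
            self._flush_acl()          # implicit exit from the previous ACL
            self.in_acl = m.group(1)
            return ""
        if stripped == "exit":
            self._flush_acl()
            return ""
        if stripped == "show session-config diffs":
            # The diff only sees what has been written to the session config.
            return "\n".join(difflib.unified_diff(
                self.running, self.session,
                "system:/running-config", "session:/ansible-session-config",
                lineterm=""))
        if self.in_acl is not None:
            self.pending.append(cmd.rstrip())   # an ACL rule: buffered, not yet in config
            return ""
        raise ValueError(f"command not covered by this model: {cmd!r}")


def acls_in_diff(diff_text):
    """Names of ACLs that appear as added blocks in a unified diff."""
    return [m.group(1) for m in re.finditer(r"^\+ip access-list (\S+)", diff_text, re.M)]


def diff_as_module_does(candidate, running=()):
    """Push the candidate, then diff at once, still inside the last ACL sub-mode."""
    dev = FakeEosSession(running)
    dev.send_command("configure session ansible")
    for line in candidate:
        dev.send_command(line)
    return acls_in_diff(dev.send_command("show session-config diffs"))


def diff_after_reentering_session(candidate, running=(), session="ansible"):
    """The issue's proposed fix: re-issue "configure session" before diffing."""
    dev = FakeEosSession(running)
    dev.send_command("configure session %s" % session)
    for line in candidate:
        dev.send_command(line)
    dev.send_command("configure session %s" % session)   # leaves ACL mode, flushes TESTACL6
    return acls_in_diff(dev.send_command("show session-config diffs"))


def diff_after_explicit_exit(candidate, running=()):
    """The alternative from the comment: end the candidate with an explicit "exit"."""
    return diff_as_module_does(list(candidate) + ["exit"], running)


if __name__ == "__main__":
    print("immediate diff:   ", diff_as_module_does(CANDIDATE))
    print("re-enter session: ", diff_after_reentering_session(CANDIDATE))
    print("explicit exit:    ", diff_after_explicit_exit(CANDIDATE))
```

The first call drops TESTACL6 exactly as the issue's terminal capture shows, while the other two report all six ACLs. For a check-mode run that is used to verify ACL drift against a golden config, that missing block is the difference between a diff you can trust and one that silently omits the last ACL in the file.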

Random6554 commented 11 months ago

This would be a good optimisation if not a bug; I've been running the fix in production for a few weeks now.

Adding an exit at the end of the ACL(s) file is less desirable as it does not show in the running config or session config.

This creates an anti-pattern as the person updating or writing the ACL file has to remember to add an explicit exit.