ansible-collections / arista.eos

Ansible Network Collection for Arista EOS
GNU General Public License v3.0

"arista.eos.eos_acls" idempotency is not working correctly #512

Open ivanchakarov opened 8 months ago

ivanchakarov commented 8 months ago
SUMMARY

I'm trying to deploy simple access-lists to an Arista switch:

ip access-list SNMP-ACCESS
   10 permit ip host 10.10.10.5 any
ip access-list SSH-ACCESS
   10 permit ip any any

For which I'm using the following playbook:

---
- name: Test-play
  hosts: lab_sw

  tasks:
    - name: Configure ACLs
      arista.eos.eos_acls:
        config:
          - afi: ipv4
            acls:
              - name: SSH-ACCESS
                aces:
                  - sequence: 10
                    grant: permit
                    protocol: ip
                    source:
                      any: true
                    destination:
                      any: true
              - name: SNMP-ACCESS
                aces:
                  - sequence: 10
                    grant: permit
                    protocol: ip
                    source:
                      host: 10.10.10.5
                    destination:
                      any: true

The initial run completes successfully, and the ACLs are deployed. Unfortunately, if I rerun the playbook, the access lists get broken.

As you can see in the output below, the "before" and "after" do not match, and a change is made. The entry in "SSH-ACCESS" gets deleted. This is not the expected behavior, since no changes are desired and Ansible should identify that.

changed: [VBOX-SWITCH1] => {
    "after": [
        {
            "acls": [
                {
                    "aces": [
                        {
                            "destination": {
                                "any": true
                            },
                            "grant": "permit",
                            "protocol": "ip",
                            "sequence": 10,
                            "source": {
                                "host": "10.10.10.5"
                            }
                        }
                    ],
                    "name": "SNMP-ACCESS"
                },
                {
                    "name": "SSH-ACCESS"
                }
            ],
            "afi": "ipv4"
        }
    ],
    "before": [
        {
            "acls": [
                {
                    "aces": [
                        {
                            "destination": {
                                "any": true
                            },
                            "grant": "permit",
                            "protocol": "ip",
                            "sequence": 10,
                            "source": {
                                "host": "10.10.10.5"
                            }
                        }
                    ],
                    "name": "SNMP-ACCESS"
                },
                {
                    "aces": [
                        {
                            "destination": {
                                "any": true
                            },
                            "grant": "permit",
                            "protocol": "ip",
                            "sequence": 10,
                            "source": {
                                "any": true
                            }
                        }
                    ],
                    "name": "SSH-ACCESS"
                }
            ],
            "afi": "ipv4"
        }
    ],
    "changed": true,
    "commands": [
        "ip access-list SSH-ACCESS",
        "no 10"
    ]
}

If I rerun it one more time, the issue gets fixed, but in a weird way: check the commands applied by Ansible; there is one unnecessary "no 10":

changed: [VBOX-SWITCH1] => {
    "after": [
        {
            "acls": [
                {
                    "aces": [
                        {
                            "destination": {
                                "any": true
                            },
                            "grant": "permit",
                            "protocol": "ip",
                            "sequence": 10,
                            "source": {
                                "host": "10.10.10.5"
                            }
                        }
                    ],
                    "name": "SNMP-ACCESS"
                },
                {
                    "aces": [
                        {
                            "destination": {
                                "any": true
                            },
                            "grant": "permit",
                            "protocol": "ip",
                            "sequence": 10,
                            "source": {
                                "any": true
                            }
                        }
                    ],
                    "name": "SSH-ACCESS"
                }
            ],
            "afi": "ipv4"
        }
    ],
    "before": [
        {
            "acls": [
                {
                    "aces": [
                        {
                            "destination": {
                                "any": true
                            },
                            "grant": "permit",
                            "protocol": "ip",
                            "sequence": 10,
                            "source": {
                                "host": "10.10.10.5"
                            }
                        }
                    ],
                    "name": "SNMP-ACCESS"
                },
                {
                    "name": "SSH-ACCESS"
                }
            ],
            "afi": "ipv4"
        }
    ],
    "changed": true,
    "commands": [
        "ip access-list SSH-ACCESS",
        "no 10",
        "10 permit ip any any"
    ]
}

Another run repeats the same behavior.

My assumption is that during the check for differences before/after, the names of the two ACLs are not compared but only their entries (in my case the two ACLs have seq 10). If I change the sequence number in the second access list from 10 to 20, the issue is not observed. Further evidence for this theory is that if I create another playbook and include an access list with a different name but the same entries, Ansible reports that no changes need to be made, and the new ACL is not configured.

ISSUE TYPE
COMPONENT NAME

arista.eos.eos_acls

ANSIBLE VERSION
ansible [core 2.15.8]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ichakarov/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/ichakarov/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
Collection                    Version
----------------------------- -------
ansible.netcommon             6.0.0  
ansible.utils                 3.0.0  
arista.eos                    7.0.0  
CONFIGURATION
CONFIG_FILE() = /etc/ansible/ansible.cfg
OS / ENVIRONMENT
Arista vEOS-lab
Software image version: 4.31.1F
STEPS TO REPRODUCE

Run the following playbook 2-3 times:

---
- name: Test-play
  hosts: lab_sw

  tasks:
    - name: Configure ACLs
      arista.eos.eos_acls:
        config:
          - afi: ipv4
            acls:
              - name: SSH-ACCESS
                aces:
                  - sequence: 10
                    grant: permit
                    protocol: ip
                    source:
                      any: true
                    destination:
                      any: true
              - name: SNMP-ACCESS
                aces:
                  - sequence: 10
                    grant: permit
                    protocol: ip
                    source:
                      host: 10.10.10.5
                    destination:
                      any: true
EXPECTED RESULTS

On the second run (and every next one), no changes have to be made on the end device.

ACTUAL RESULTS

On the second run, Ansible does not properly identify the differences before/after (there aren't any) and makes changes to the first ACL in the playbook:

    "commands": [
        "ip access-list SSH-ACCESS",
        "no 10"
    ]
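As an added illustration of the hypothesis in this report (a constructed toy model, not code from the arista.eos collection): a diff that indexes ACEs by sequence number alone produces a spurious change against an already-converged device and emits the same three commands the report shows on the third run, while indexing by (ACL name, sequence) is idempotent and repairs the broken state without the extra `no 10`. The `WANT`/`HAVE_*` structures are built from the playbook and module output above.

```python
# Constructed example: toy model of the report's hypothesis that ACEs are
# matched by sequence number alone instead of by (ACL name, sequence).
from copy import deepcopy

ANY_ANY = {"sequence": 10, "grant": "permit", "protocol": "ip",
           "source": {"any": True}, "destination": {"any": True}}
HOST_ANY = {"sequence": 10, "grant": "permit", "protocol": "ip",
            "source": {"host": "10.10.10.5"}, "destination": {"any": True}}
WANT = [{"name": "SSH-ACCESS", "aces": [ANY_ANY]},
        {"name": "SNMP-ACCESS", "aces": [HOST_ANY]}]
# Device state after the first run: identical to the desired config.
HAVE_OK = deepcopy(WANT)
# Device state after the broken second run: SSH-ACCESS lost its only entry.
HAVE_BROKEN = [{"name": "SNMP-ACCESS", "aces": [HOST_ANY]},
               {"name": "SSH-ACCESS", "aces": []}]


def ace_line(ace):
    """Render an ACE as the EOS CLI line that configures it."""
    def side(part):
        return "any" if part.get("any") else f"host {part['host']}"
    return (f"{ace['sequence']} {ace['grant']} {ace['protocol']} "
            f"{side(ace['source'])} {side(ace['destination'])}")


def index(config, by_name):
    """Map ACEs by (acl name, sequence), or (the buggy variant) by sequence alone."""
    out = {}
    for acl in config:
        for ace in acl["aces"]:
            key = (acl["name"], ace["sequence"]) if by_name else ace["sequence"]
            out[key] = ace  # with sequence-only keys, same-seq ACEs in different ACLs collide
    return out


def diff(want, have, by_name=True):
    """Commands needed to make 'have' match 'want' (merge semantics)."""
    have_idx = index(have, by_name)
    cmds = []
    for acl in want:
        acl_cmds = []
        for ace in acl["aces"]:
            key = (acl["name"], ace["sequence"]) if by_name else ace["sequence"]
            cur = have_idx.get(key)
            if cur == ace:
                continue  # already present and identical: idempotent no-op
            if cur is not None:
                acl_cmds.append(f"no {ace['sequence']}")  # replace a differing entry
            acl_cmds.append(ace_line(ace))
        if acl_cmds:
            cmds += [f"ip access-list {acl['name']}"] + acl_cmds
    return cmds
```

`diff(WANT, HAVE_OK)` returns an empty list, whereas `diff(WANT, HAVE_OK, by_name=False)` reports a change for SSH-ACCESS because its sequence-10 lookup lands on the SNMP-ACCESS entry.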