ansible-collections / azure

Development area for Azure Collections
https://galaxy.ansible.com/azure/azcollection
GNU General Public License v3.0

Firewall application rule collections fails with simple configuration #395

Open rcarrata opened 3 years ago

rcarrata commented 3 years ago
SUMMARY

The firewall module azure_rm_azurefirewall is not correctly processing the application_rule_collections.

ISSUE TYPE
COMPONENT NAME

azure_rm_azurefirewall

ANSIBLE VERSION
ansible --version
ansible 2.9.15
CONFIGURATION
azure_resource_group: ocp4-rg
azure_fw_name: ocp4-az-fw
OS / ENVIRONMENT

Tested in Fedora 33 and in RHEL7

STEPS TO REPRODUCE

Ansible playbook with the azure_rm_azurefirewall as shown below (same as the official documentation in ansible https://docs.ansible.com/ansible/2.10/collections/azure/azcollection/azure_rm_azurefirewall_module.html#examples):

- name: Create Azure Firewall App Rule for RedHat resources
  azure_rm_azurefirewall:
    resource_group: "{{ azure_resource_group }}"
    name: "{{ azure_fw_name }}"
    application_rule_collections:
      - priority: 110
        action:
          type: deny
        rules:
          - name: rule1
            description: Deny inbound rule
            source_addresses:
              - 216.58.216.164
            protocols:
              - type: https
                port: '443'
            target_fqdns:
              - www.test.com
        name: apprulecoll
EXPECTED RESULTS

Apply and update the application rules collection into the azure firewall

ACTUAL RESULTS
The full traceback is:
Traceback (most recent call last):
  File "/home/rcarrata/.ansible/tmp/ansible-tmp-1610626141.8314412-1838968-104420885497022/AnsiballZ_azure_rm_azurefirewall.py", line 102, in <module>
    _ansiballz_main()
  File "/home/rcarrata/.ansible/tmp/ansible-tmp-1610626141.8314412-1838968-104420885497022/AnsiballZ_azure_rm_azurefirewall.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/rcarrata/.ansible/tmp/ansible-tmp-1610626141.8314412-1838968-104420885497022/AnsiballZ_azure_rm_azurefirewall.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible.modules.cloud.azure.azure_rm_azurefirewall', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib64/python3.8/runpy.py", line 207, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.8/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib64/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py", line 716, in <module>
  File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py", line 712, in main
  File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py", line 552, in __init__
  File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common.py", line 348, in __init__
  File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py", line 563, in exec_module
  File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common_ext.py", line 47, in inflate_parameters
  File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common_ext.py", line 16, in inflate_parameters
  File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common_ext.py", line 27, in inflate_parameters
  File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/common/dict_transformations.py", line 79, in _snake_to_camel
AttributeError: 'dict' object has no attribute 'split'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n  File \"/home/rcarrata/.ansible/tmp/ansible-tmp-1610626141.8314412-1838968-104420885497022/AnsiballZ_azure_rm_azurefirewall.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/home/rcarrata/.ansible/tmp/ansible-tmp-1610626141.8314412-1838968-104420885497022/AnsiballZ_azure_rm_azurefirewall.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/rcarrata/.ansible/tmp/ansible-tmp-1610626141.8314412-1838968-104420885497022/AnsiballZ_azure_rm_azurefirewall.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible.modules.cloud.azure.azure_rm_azurefirewall', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/usr/lib64/python3.8/runpy.py\", line 207, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.8/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib64/python3.8/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py\", line 716, in <module>\n  File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py\", line 712, in main\n  File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py\", line 552, in __init__\n  File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common.py\", line 348, in __init__\n  File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py\", line 563, 
in exec_module\n  File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common_ext.py\", line 47, in inflate_parameters\n  File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common_ext.py\", line 16, in inflate_parameters\n  File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common_ext.py\", line 27, in inflate_parameters\n  File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/common/dict_transformations.py\", line 79, in _snake_to_camel\nAttributeError: 'dict' object has no attribute 'split'\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
OTHER STEPS

Created the firewall successfully with the PIP assignment; it fails when trying to apply the application_rule_collections:

This worked like a charm:

- name: Create Azure Firewall and associate the fw PIP
  azure_rm_azurefirewall:
    resource_group: "{{ azure_resource_group }}"
    name: "{{ azure_fw_name }}"
    ip_configurations:
      - subnet: "/subscriptions/{{ azure_subscription_id }}/resourceGroups/{{ azure_resource_group }}/providers/Microsoft.Network/virtualNetworks/{{ azure_vnet_fw_name }}/subnets/{{ azure_subnet_fw_name }}"
        public_ip_address: "/subscriptions/{{ azure_subscription_id }}/resourceGroups/{{ azure_resource_group }}/providers/Microsoft.Network/publicIPAddresses/{{ azure_fw_pip_name }}"
        name: azureFirewallIpConfiguration
rcarrata commented 3 years ago

Any thoughts on that?

alvarosola1 commented 3 years ago

I have exactly the same error

lacj01 commented 3 years ago

It's an issue with the doc, the sample is incorrect. Action is a "string". It should read:

    application_rule_collections:
      - priority: 110
        action: deny
        rules:

Not:

    application_rule_collections:
      - priority: 110
        action:
          type: deny
        rules:
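
The failure discussed in this thread, as an added example that is not part of the issue or of the collection's code: a string-only snake-to-camel conversion raises the `AttributeError` from the traceback when `action` is a mapping, and a pre-flight check flags that form before a firewall playbook runs. `snake_to_camel` is a simplified stand-in for the helper named in the traceback; `check_rule_collections`, `reproduces_traceback` and the sample data are hypothetical names constructed here.

```python
def snake_to_camel(snake, capitalize_first=False):
    """Simplified stand-in (assumption) for the str-only helper in the traceback."""
    parts = snake.split("_")  # a dict has no .split(), hence the AttributeError
    head = parts[0].capitalize() if capitalize_first else parts[0]
    return head + "".join(p.capitalize() for p in parts[1:])


def reproduces_traceback(action):
    """True if this action value triggers the AttributeError from the issue."""
    try:
        snake_to_camel(action, True)
    except AttributeError as exc:
        return "has no attribute 'split'" in str(exc)
    return False


def check_rule_collections(collections):
    """Return a list of problems; an empty list means every action is a string."""
    problems = []
    for i, coll in enumerate(collections):
        name = coll.get("name", f"#{i}")
        action = coll.get("action")
        if isinstance(action, dict):
            # The documented sample's shape: action: {type: deny}
            hint = action.get("type")
            problems.append(f"{name}: action is a mapping; use 'action: {hint}'")
        elif not isinstance(action, str):
            kind = type(action).__name__
            problems.append(f"{name}: action must be a string, got {kind}")
    return problems


# Constructed sample data mirroring the two forms shown in the thread.
DOC_SAMPLE = [{"name": "apprulecoll", "priority": 110,
               "action": {"type": "deny"}, "rules": []}]
FIXED = [{"name": "apprulecoll", "priority": 110,
          "action": "deny", "rules": []}]

if __name__ == "__main__":
    print(reproduces_traceback(DOC_SAMPLE[0]["action"]))
    print(check_rule_collections(DOC_SAMPLE))
    print(check_rule_collections(FIXED))
```

Running a check like this over playbook variables in CI catches the malformed collection before the module aborts mid-run and leaves the intended deny rule unapplied.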