
Ansible not updating MX L3 Firewall, but states success #61

Closed · pokepoke81 opened this issue Feb 6, 2020 · 6 comments · Fixed by #62
Labels: bug (Something isn't working)

Comments

pokepoke81 (Contributor) commented Feb 6, 2020

A simple playbook to update firewall rules on an MX device fails to change anything, but Ansible reports success and no change. No change occurs on the Meraki Dashboard either. This playbook was used to generate the "Ansible Block traffic to server2" rule, so it did work at one point.

Playbook:

```yaml
---

- name: Configure network settings for Meraki MX250 in Headquarters
  hosts: localhost
  collections:
    - cisco.meraki
  tasks:
    - name: Create firewall rules
      meraki_mx_l3_firewall:
        #org_id: '1234'
        #net_id: '1234'
        org_name: REDACTED ORG
        net_name: REDACTED NETWORK NAME
        state: present
        rules:
          - comment: Ansible Block traffic to server3
            src_cidr: 192.168.1.1/32,192.168.1.2/32
            src_port: any
            dest_cidr: 192.168.2.2/32
            dest_port: any
            protocol: any
            policy: deny
```
Output:

```
$ ansible-playbook -vvv playbooks/pb_meraki_hqmx_firewall.yml
ansible-playbook 2.9.4
  config file = /builds/browngb/wci-headquarters-infrastructure/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/dist-packages/ansible
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.6.9 (default, Nov  7 2019, 10:44:02) [GCC 8.3.0]
Using /builds/browngb/wci-headquarters-infrastructure/ansible.cfg as config file
vmware_vm_inventory declined parsing /builds/browngb/wci-headquarters-infrastructure/environments/prod/hosts as it did not pass its verify_file() method
script declined parsing /builds/browngb/wci-headquarters-infrastructure/environments/prod/hosts as it did not pass its verify_file() method
Parsed /builds/browngb/wci-headquarters-infrastructure/environments/prod/hosts inventory source with ini plugin
PLAYBOOK: pb_meraki_hqmx_firewall.yml ******************************************
1 plays in playbooks/pb_meraki_hqmx_firewall.yml
PLAY [Configure network settings for Meraki MX250 in Headquarters] *************
TASK [Gathering Facts] *********************************************************
task path: /builds/browngb/wci-headquarters-infrastructure/playbooks/pb_meraki_hqmx_firewall.yml:7
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1580999540.4487858-86641614080556 `" && echo ansible-tmp-1580999540.4487858-86641614080556="` echo /root/.ansible/tmp/ansible-tmp-1580999540.4487858-86641614080556 `" ) && sleep 0'
Using module file /usr/local/lib/python3.6/dist-packages/ansible/modules/system/setup.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-10_tlojw82/tmpwi996fgu TO /root/.ansible/tmp/ansible-tmp-1580999540.4487858-86641614080556/AnsiballZ_setup.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1580999540.4487858-86641614080556/ /root/.ansible/tmp/ansible-tmp-1580999540.4487858-86641614080556/AnsiballZ_setup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1580999540.4487858-86641614080556/AnsiballZ_setup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1580999540.4487858-86641614080556/ > /dev/null 2>&1 && sleep 0'
ok: [localhost]
META: ran handlers
TASK [Create firewall rules] ***************************************************
task path: /builds/browngb/wci-headquarters-infrastructure/playbooks/pb_meraki_hqmx_firewall.yml:12
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1580999541.1921477-107598852911355 `" && echo ansible-tmp-1580999541.1921477-107598852911355="` echo /root/.ansible/tmp/ansible-tmp-1580999541.1921477-107598852911355 `" ) && sleep 0'
Using module file /root/.ansible/collections/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_l3_firewall.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-10_tlojw82/tmp3puw0lu4 TO /root/.ansible/tmp/ansible-tmp-1580999541.1921477-107598852911355/AnsiballZ_meraki_mx_l3_firewall.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1580999541.1921477-107598852911355/ /root/.ansible/tmp/ansible-tmp-1580999541.1921477-107598852911355/AnsiballZ_meraki_mx_l3_firewall.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1580999541.1921477-107598852911355/AnsiballZ_meraki_mx_l3_firewall.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1580999541.1921477-107598852911355/ > /dev/null 2>&1 && sleep 0'
ok: [localhost] => {
    "changed": false,
    "data": [
        {
            "comment": "Ansible Block traffic to server2",
            "dest_cidr": "192.168.2.2/32",
            "dest_port": "Any",
            "policy": "deny",
            "protocol": "any",
            "src_cidr": "192.168.1.0/24",
            "src_port": "Any",
            "syslog_enabled": false
        },
        {
            "comment": "Default rule",
            "dest_cidr": "Any",
            "dest_port": "Any",
            "policy": "allow",
            "protocol": "Any",
            "src_cidr": "Any",
            "src_port": "Any",
            "syslog_enabled": false
        }
    ],
    "invocation": {
        "module_args": {
            "auth_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "follow_redirects": "all",
            "host": "api.meraki.com",
            "internal_error_retry_time": 60,
            "net_id": null,
            "net_name": "REDACTED NETWORK NAME",
            "org_id": null,
            "org_name": "REDACTED ORG",
            "output_format": "snakecase",
            "output_level": "normal",
            "protocol": "https",
            "rate_limit_retry_time": 165,
            "rules": [
                {
                    "comment": "Ansible Block traffic to server3",
                    "dest_cidr": "192.168.2.2/32",
                    "dest_port": "any",
                    "policy": "deny",
                    "protocol": "any",
                    "src_cidr": "192.168.1.1/32,192.168.1.2/32",
                    "src_port": "any",
                    "syslog_enabled": false
                }
            ],
            "state": "present",
            "syslog_default_rule": null,
            "timeout": 30,
            "use_https": true,
            "use_proxy": false,
            "validate_certs": true
        }
    },
    "response": "OK (unknown bytes)",
    "status": 200
}
META: ran handlers
META: ran handlers
PLAY RECAP *********************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
Job succeeded
```
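The report above is the interesting part from an operations standpoint: the desired rule (comment "server3", two /32 sources) and the rule the API returns (comment "server2", a /24 source) clearly differ, yet the task reports `changed: false`. A module that silently reports success when the device state does not match the playbook is a control-plane integrity gap, so it is worth having an independent check in CI that compares what was asked for against what the API reports. The following is an added example written for this issue, not code from the cisco.meraki collection or from the fix in #62; it normalizes rules (case-insensitive values, comma-separated CIDR lists, the immutable "Default rule" excluded) and reports whether a change should have been made. The sample rules are reconstructed from the playbook and the module output in the report; the defaulting of omitted fields to `any` and `syslog_enabled` to `False` is an assumption of this example.

```python
"""
Added example (not the cisco.meraki collection's own code): compare the
firewall rules a playbook requests with the rules the Meraki API currently
reports, so a "changed: false" result can be verified independently.

Sample data is reconstructed from the issue report: the playbook's one
desired rule and the two rules in the module's "data" output.
"""

# Fields that describe an L3 rule. "syslog_enabled" is included because the
# API returns it; a desired rule that omits it is assumed to mean False.
RULE_KEYS = ("comment", "policy", "protocol", "src_cidr", "src_port",
             "dest_cidr", "dest_port", "syslog_enabled")


def normalize_rule(rule):
    """Canonical form so 'Any' and 'any' compare equal and comma-separated
    CIDR lists compare regardless of spacing (assumption of this example)."""
    out = {}
    for key in RULE_KEYS:
        value = rule.get(key, False if key == "syslog_enabled" else "any")
        if isinstance(value, str):
            value = ",".join(part.strip() for part in value.lower().split(","))
        out[key] = value
    return out


def is_default_rule(rule):
    """The API always appends an immutable 'Default rule'; skip it."""
    return rule.get("comment", "").strip().lower() == "default rule"


def _normalized_lists(desired, current):
    want = [normalize_rule(r) for r in desired if not is_default_rule(r)]
    have = [normalize_rule(r) for r in current if not is_default_rule(r)]
    return want, have


def rules_differ(desired, current):
    """True when the desired rule list does not match the current rules in
    content or order (rule order matters for a first-match firewall)."""
    want, have = _normalized_lists(desired, current)
    return want != have


def explain_diff(desired, current):
    """Human-readable differences, one string per mismatch, for a CI log."""
    want, have = _normalized_lists(desired, current)
    notes = []
    if len(want) != len(have):
        notes.append(f"rule count: desired {len(want)}, current {len(have)}")
    for i, (w, h) in enumerate(zip(want, have)):
        for key in RULE_KEYS:
            if w[key] != h[key]:
                notes.append(f"rule {i} {key}: desired {w[key]!r}, current {h[key]!r}")
    return notes


# Constructed from the issue's playbook (desired) and module output (current).
DESIRED_RULES = [{
    "comment": "Ansible Block traffic to server3",
    "src_cidr": "192.168.1.1/32,192.168.1.2/32",
    "src_port": "any",
    "dest_cidr": "192.168.2.2/32",
    "dest_port": "any",
    "protocol": "any",
    "policy": "deny",
}]

CURRENT_RULES = [
    {"comment": "Ansible Block traffic to server2", "dest_cidr": "192.168.2.2/32",
     "dest_port": "Any", "policy": "deny", "protocol": "any",
     "src_cidr": "192.168.1.0/24", "src_port": "Any", "syslog_enabled": False},
    {"comment": "Default rule", "dest_cidr": "Any", "dest_port": "Any",
     "policy": "allow", "protocol": "Any", "src_cidr": "Any", "src_port": "Any",
     "syslog_enabled": False},
]

if __name__ == "__main__":
    for line in explain_diff(DESIRED_RULES, CURRENT_RULES):
        print(line)
    print("change required:", rules_differ(DESIRED_RULES, CURRENT_RULES))
```

Run against the report's data it flags two mismatches (comment and src_cidr) and returns `True` for "change required", which is the result the module should have produced. Feeding the API's own output back as the desired list returns `False`, which is the idempotency property a correct module must preserve; a case-only difference such as `Any` versus `any` is deliberately not treated as a change.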
@kbreit kbreit self-assigned this Feb 7, 2020
@kbreit kbreit added the bug Something isn't working label Feb 7, 2020
kbreit (Collaborator) commented Feb 8, 2020

@pokepoke81 - I created a pull request (#62) to fix this problem. Please test. If you need assistance on how to test, let me know and I can help you through.

pokepoke81 (Contributor, Author) commented

I’m new to this so I could use help in learning how to test. Thanks.

kbreit (Collaborator) commented Feb 8, 2020

@pokepoke81 Easiest way is to download the file at https://raw.githubusercontent.com/kbreit/ansible-meraki/bugfix/61_mx_firewall/plugins/modules/meraki_mx_l3_firewall.py and copy that into your ansible collections directory. Most likely it's at ~/.ansible/collections/...

pokepoke81 (Contributor, Author) commented

@kbreit took a minute, but I was able to test and it's working now.

Again, I'm new at this, so please forgive the beginner questions. How does this bug fix make it into the Galaxy repo so it will show up on my configuration? How long does that take?

kbreit (Collaborator) commented Feb 14, 2020

@pokepoke81 Thanks for testing. The first thing that needs to happen is GitHub needs to email me so I know you responded. It didn't so I'm glad I checked back. Note: I meant this sarcastically. Your response was never emailed to me for some reason.

How long should it take? Overall, it shouldn't take very long. It's up to me to merge the bugfix (minutes) and post a new version in Galaxy (minutes). I should be able to dedicate some time to it tomorrow. You should be able to follow the collection in Galaxy and be notified every time I do a release.

pokepoke81 (Contributor, Author) commented

@kbreit thank you. I appreciate all your help with this.
