bigip_device_certificate - try to connect to inventory_hostname instead of its value #2348

Closed
apellini opened this issue Jul 30, 2023 · 2 comments
Labels
awaiting-user-action issue awaiting user's response and/or requested action

@apellini

COMPONENT NAME

bigip_device_certificate

Environment

ANSIBLE VERSION
ansible [core 2.13.6]
  config file = /spimi/NetDevOps/terraform-deploy-f5/postconfig/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.4 (default, Apr 14 2021, 10:57:48) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
  jinja version = 3.1.2
  libyaml = True
BIGIP VERSION
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3.2
  Build       0.0.4
  Edition     Point Release 2
  Date        Wed Sep 14 08:12:07 PDT 2022
CONFIGURATION
[defaults]
inventory = ./inventory
host_key_checking = False
interpreter_python = /usr/local/bin/python3.9
forks = 50
gathering = explicit
roles_path = roles/
deprecation_warnings = False
warnings = False
display_skipped_hosts = no
callback_whitelist = timer, profile_tasks
show_custom_stats = yes
check_mode_markers = yes
OS / ENVIRONMENT
N/A
SUMMARY

With the provider configured with transport cli, we receive a "Name or service not known" error because it tries to connect to inventory_hostname instead of connecting to its value.

STEPS TO REPRODUCE
[vars]
provider_cli:
  transport: cli
  server: "{{ ansible_host }}"
  password: "{{ ansible_password }}"
  user: "{{ ansible_user }}"
  validate_certs: False

[play]
- name: Deploy baseline config to devices discovered by previous play
  hosts: f5
  connection: local
  collections:
    - f5networks.f5_modules
    - ansible.builtin
  tasks:
      - name: Generate new device certificate
        bigip_device_certificate:
          provider: "{{ provider_cli }}"
          days_valid: "{{ baseline.device_certificate.days }}"
          force: "{{ baseline.device_certificate.force }}"
          key_size: "{{ baseline.device_certificate.key_size }}"
          issuer:
            division: "{{ baseline.device_certificate.division }}"
            organization: "{{ baseline.device_certificate.organization }}"
            common_name: "{{ inventory_hostname }}"
            state: "{{ baseline.device_certificate[region].state }}"
            country: "{{ baseline.device_certificate[region].country }}"
            location: "{{ location }}"
EXPECTED RESULTS

Connect correctly to F5

ACTUAL RESULTS
The full traceback is:
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/ansible/executor/task_executor.py", line 158, in run
    res = self._execute()
  File "/usr/local/lib/python3.9/site-packages/ansible/executor/task_executor.py", line 647, in _execute
    result = self._handler.run(task_vars=vars_copy)
  File "/root/.ansible/collections/ansible_collections/f5networks/f5_modules/plugins/action/bigip.py", line 90, in run
    out = conn.get_prompt()
  File "/usr/local/lib/python3.9/site-packages/ansible/module_utils/connection.py", line 200, in __rpc__
    raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
ansible.module_utils.connection.ConnectionError: ssh connection failed: ssh connect failed: Failed to resolve hostname inventory_hostname (Name or service not known)
@apellini apellini added bug Issues that are related to bugs in the Ansible modules untriaged issue that needs an initial response from the developers labels Jul 30, 2023
@pgouband
Contributor

Hi @apellini,

I tried with the following ansible playbook and I didn't get any error.

---
- name: Create a a new certificate
  hosts: all
  connection: local
  collections:
    - f5networks.f5_modules
    - ansible.builtin

  vars:
    provider:
     password: secret
     server: 10.1.1.9
     user: root
     validate_certs: no
     transport: cli
     server_port: 22

  tasks:
    - name: Create a new certificate to replace expired certificate
      bigip_device_certificate:
        provider: "{{ provider }}"
        days_valid: 365
        force: yes
        issuer:
          country: US
          state: WA
          common_name: foobar.foo.local
      delegate_to: localhost

Output:

PLAY [Create a VIP, pool and pool members] ***************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************
ok: [10.1.1.9]

TASK [Create a new certificate to replace expired certificate] *******************************************************************
[WARNING]: ansible-pylibssh not installed, falling back to paramiko
changed: [10.1.1.9 -> localhost]

PLAY RECAP ***********************************************************************************************************************
10.1.1.9                   : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Did you follow this requirement?
"When using this module make sure SSH type is not set to libssh. To do this you could either set the environment variable like this ANSIBLE_NETWORK_CLI_SSH_TYPE=paramiko or set add ssh_type = paramiko under section persistent_connection in ansible.cfg."

@pgouband pgouband added awaiting-user-action issue awaiting user's response and/or requested action and removed bug Issues that are related to bugs in the Ansible modules untriaged issue that needs an initial response from the developers labels Aug 10, 2023
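
The requirement quoted in the comment above can be checked before a run. The following preflight check is an added example, not code from this issue or from the f5_modules project; it assumes Ansible's usual precedence (the environment variable overrides ansible.cfg), and the sample configuration is constructed.

```python
import configparser
import os

# Constructed sample ansible.cfg: a few [defaults] keys as in the report, plus
# the [persistent_connection] section named in the quoted requirement.
SAMPLE_CFG = """\
[defaults]
inventory = ./inventory
host_key_checking = False

[persistent_connection]
ssh_type = libssh
"""

ENV_VAR = "ANSIBLE_NETWORK_CLI_SSH_TYPE"


def effective_ssh_type(cfg_text, environ):
    """Return (value, source). Assumption: the env var overrides ansible.cfg."""
    env_value = environ.get(ENV_VAR, "").strip().lower()
    if env_value:
        return env_value, "env:" + ENV_VAR
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    ini_value = parser.get("persistent_connection", "ssh_type", fallback="")
    ini_value = ini_value.strip().lower()
    if ini_value:
        return ini_value, "ansible.cfg:[persistent_connection] ssh_type"
    return None, "unset"


def preflight(cfg_text, environ):
    """Return findings; an empty list means ssh_type is pinned to paramiko."""
    value, source = effective_ssh_type(cfg_text, environ)
    if value == "libssh":
        return [f"ssh_type is libssh ({source}); the requirement says it must not be"]
    if value is None:
        return ["ssh_type is not set; pin it to paramiko instead of relying on the default"]
    if value != "paramiko":
        return [f"ssh_type is {value!r} ({source}); expected paramiko"]
    return []


if __name__ == "__main__":
    for finding in preflight(SAMPLE_CFG, os.environ) or ["ok: ssh_type = paramiko"]:
        print(finding)
```
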
@apellini
Author

Ok it works
