Comments (6)
I'm seeing this behavior too; however, it looks like this module doesn't use the 'apply_state' function as suggested. Rather, it's relying on the pan object 'equal' function from the base.py pan-os-python package.
    if not item.equal(virtual_router, compare_children=False):
        changed = True
        virtual_router.extend(item.children)
This looks to be doing a straight string comparison of the XML representation of the objects. Unfortunately, if there is a change to the device configuration outside of this module (say, assigning a virtual router to an interface using panos_l3_subinterface), then this will ALWAYS incorrectly detect a change.
edit #1: Additionally the VirtualRouter object has an 'Interface' var that needs to be accounted for otherwise the assigned interfaces get removed upon applying the change. Right now the module only extends for the 'children' var to replicate any existing configurations.
edit #2: I just realized this issue refers to several BGP modules and not the panos_virtual_router module which my comment refers to. I'll open a new issue to apply a bug fix for the panos_virtual_router module.
I'm working on a fix for this but unsure how to assign this issue/bug to myself.
from pan-os-ansible.
panos_log_forwarding_profile_match_list isn't idempotent either, yet it does use apply_state, so apply_state isn't perfect either.
from pan-os-ansible.
@chancez You are correct. The apply_state function mutates the object during iteration, so any module calling this function will pretty much always register a change. Additionally, the function does not account for any objects with interfaces, so these objects will also register a change if not accounted for before calling the function.
from pan-os-ansible.
There is another specific issue with the panos_bgp_peer module in addition to the underlying apply_state function. The PANOS XML API sets defaults for specific fields (i.e. keep-alive-interval and min-route-adv-interval). If these fields are omitted from your playbook, the module will continue to detect a change.
You can work around this by explicitly setting all fields in this module.
I believe the permanent fix would be for the module to assign default values to these fields.
from pan-os-ansible.
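The two false-change causes described in the comments above (string comparison of the XML, and defaults the device fills in for omitted fields), as an added example that is not part of the thread and not code from pan-os-ansible or pan-os-python. The flat XML layout, the `peer-as` and `enable` fields, the default values and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed defaults, for illustration only; real values come from the device schema.
ASSUMED_DEFAULTS = {"keep-alive-interval": "30", "min-route-adv-interval": "30"}

# Fields this hypothetical module owns; anything else is left to other modules.
MANAGED = ("peer-as", "enable", "keep-alive-interval", "min-route-adv-interval")

# Constructed sample: what a playbook that omits the two interval fields renders.
DESIRED = "<entry name='peer1'><peer-as>65001</peer-as><enable>yes</enable></entry>"

# Constructed sample: what the device returns after filling in its defaults,
# plus an element written out-of-band by another module.
RUNNING = (
    "<entry name='peer1'><enable>yes</enable><peer-as>65001</peer-as>"
    "<keep-alive-interval>30</keep-alive-interval>"
    "<min-route-adv-interval>30</min-route-adv-interval>"
    "<other-module-data>x</other-module-data></entry>"
)


def naive_changed(desired_xml, running_xml):
    """Straight string comparison: element order, defaults and foreign
    children all count as a difference."""
    return desired_xml != running_xml


def managed_fields(xml_text, managed=MANAGED, defaults=ASSUMED_DEFAULTS):
    """Return {tag: text} for managed leaf fields only, filling omitted
    fields from the defaults so both sides are compared on equal terms."""
    root = ET.fromstring(xml_text)
    found = {child.tag: (child.text or "").strip() for child in root}
    return {tag: found.get(tag, defaults.get(tag)) for tag in managed}


def normalized_changed(desired_xml, running_xml):
    """Report a change only when a managed field really differs."""
    return managed_fields(desired_xml) != managed_fields(running_xml)


if __name__ == "__main__":
    print("naive:", naive_changed(DESIRED, RUNNING))
    print("normalized:", normalized_changed(DESIRED, RUNNING))
```
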
The problem with idempotence here is the child objects attached to the virtual router. panos_virtual_router should really write all child objects itself, rather than only doing part of the configuration and then having multiple other modules then modify that VR. One way to do this would be to move all the BGP configuration into panos_virtual_router, which would make some sense because BGP configuration can't exist outside of a VR.
Another way to do this (and a lot of other modules) better in my opinion, is to have an idempotent way to manipulate the XML config. I have code that does this, and I opened #219 to show how it works and can be used.
from pan-os-ansible.
Another idempotency fix was added; this should be resolved now in the next release.
from pan-os-ansible.