azure
azure copied to clipboard
ansible-collections
azure_rm_loadbalancer with check mode will still change values
SUMMARY
Running Ansible playbook with check mode will still overwrite load balancer values.
ansible-playbook azure_provision.yml --check
ISSUE TYPE
- Bug Report
COMPONENT NAME
azure_rm_loadbalancer
ANSIBLE VERSION
ansible 2.9.12
CONFIGURATION
No output
OS / ENVIRONMENT
Ansible running in WSL Ubuntu 18.04 LTS
STEPS TO REPRODUCE
Run Ansible playbook ansible-playbook playbook_name.yml --check which includes changes to load balancer.
- name: Load balancer | create dev lb probe and rule
azure_rm_loadbalancer:
resource_group: "{{ load_balancer_rg }}"
name: "{{ load_balancer_dev }}"
backend_address_pools:
- name: "{{ lb_dev_backend_address_pool }}"
probes:
- name: "{{ internal_name }}D-HealthProbe"
port: "{{ bp_port_dev }}"
protocol: Tcp
interval: 5
load_balancing_rules:
- name: "{{ internal_name }}D-LBRULE"
frontend_ip_configuration: LoadBalancerFrontEnd
backend_address_pool: "{{ lb_dev_backend_address_pool }}"
frontend_port: "{{ port_dev }}"
backend_port: "{{ port_dev }}"
probe: "{{ internal_name }}D-HealthProbe"
load_distribution: SourceIPProtocol
EXPECTED RESULTS
Ansible would show what would change instead of changing the load balancer
ACTUAL RESULTS
Ansible will change the load balancer configuration.
changed: [localhost] => {"changed":true,"state":{"backend_address_pools":[{"etag":"W/\"xxx000xx-x0x0-x0x0-x0x0-x0x0x0x0x0\"","id":"/subscriptions/xxxx1111-xxxx22222-xxx333-xx44-xxxxxx555555/resourceGroups/Application_BackEnd/providers/Microsoft.Network/loadBalancers/WEAZDLB001/backendAddressPools/WEAZBSD_BackendPool02","load_balancing_rules":[{"id":"/subscriptions/xxxx1111-xxxx22222-xxx333-xx44-xxxxxx555555/resourceGroups/Application_BackEnd/providers/Microsoft.Network/loadBalancers/WEAZDLB001/loadBalancingRules/WEAZ2570D-LBRULE"}],"name":"WEAZBSD_BackendPool02","provisioning_state":"Succeeded"}],"etag":"W/\"xxx000xx-x0x0-x0x0-x0x0-x0x0x0x0x0\"","frontend_ip_configurations":[{"etag":"W/\"xxx000xx-x0x0-x0x0-x0x0-x0x0x0x0x0\"","id":"/subscriptions/xxxx1111-xxxx22222-xxx333-xx44-xxxxxx555555/resourceGroups/Application_BackEnd/providers/Microsoft.Network/loadBalancers/WEAZDLB001/frontendIPConfigurations/LoadBalancerFrontEnd","load_balancing_rules":[{"id":"/subscriptions/xxxx1111-xxxx22222-xxx333-xx44-xxxxxx555555/resourceGroups/Application_BackEnd/providers/Microsoft.Network/loadBalancers/WEAZDLB001/loadBalancingRules/WEAZ2570D-LBRULE"}],"name":"LoadBalancerFrontEnd","private_ip_address":"10.1.0.4","private_ip_allocation_method":"Dynamic","provisioning_state":"Succeeded","subnet":{"id":"/subscriptions/xxxx1111-xxxx22222-xxx333-xx44-xxxxxx555555/resourceGroups/Application_BackEnd/providers/Microsoft.Network/virtualNetworks/Application_Backend_VNet/subnets/default"}}],"id":"/subscriptions/xxxx1111-xxxx22222-xxx333-xx44-xxxxxx555555/resourceGroups/Application_BackEnd/providers/Microsoft.Network/loadBalancers/WEAZDLB001","inbound_nat_pools":[],"inbound_nat_rules":[],"load_balancing_rules":[{"backend_address_pool":{"id":"/subscriptions/xxxx1111-xxxx22222-xxx333-xx44-xxxxxx555555/resourceGroups/Application_BackEnd/providers/Microsoft.Network/loadBalancers/WEAZDLB001/backendAddressPools/WEAZBSD_BackendPool02"},"backend_port":9570,"disable_outbound_snat":false,"enable_floating_ip":false,"enable_tcp_reset":false,"etag":"W/\"xxx000xx-x0x0-x0x0-x0x0-x0x0x0x0x0\"","frontend_ip_configuration":{"id":"/subscriptions/xxxx1111-xxxx22222-xxx333-xx44-xxxxxx555555/resourceGroups/Application_BackEnd/providers/Microsoft.Network/loadBalancers/WEAZDLB001/frontendIPConfigurations/LoadBalancerFrontEnd"},"frontend_port":9570,"id":"/subscriptions/xxxx1111-xxxx22222-xxx333-xx44-xxxxxx555555/resourceGroups/Application_BackEnd/providers/Microsoft.Network/loadBalancers/WEAZDLB001/loadBalancingRules/WEAZ2570D-LBRULE","idle_timeout_in_minutes":4,"load_distribution":"SourceIPProtocol","name":"WEAZ2570D-LBRULE","probe":{"id":"/subscriptions/xxxx1111-xxxx22222-xxx333-xx44-xxxxxx555555/resourceGroups/Application_BackEnd/providers/Microsoft.Network/loadBalancers/WEAZDLB001/probes/WEAZ2570D-HealthProbe"},"protocol":"Tcp","provisioning_state":"Succeeded"}],"location":"westeurope","name":"WEAZDLB001","outbound_rules":[],"probes":[{"etag":"W/\"xxx000xx-x0x0-x0x0-x0x0-x0x0x0x0x0\"","id":"/subscriptions/xxxx1111-xxxx22222-xxx333-xx44-xxxxxx555555/resourceGroups/Application_BackEnd/providers/Microsoft.Network/loadBalancers/WEAZDLB001/probes/WEAZ2570D-HealthProbe","interval_in_seconds":5,"load_balancing_rules":[{"id":"/subscriptions/xxxx1111-xxxx22222-xxx333-xx44-xxxxxx555555/resourceGroups/Application_BackEnd/providers/Microsoft.Network/loadBalancers/WEAZDLB001/loadBalancingRules/WEAZ2570D-LBRULE"}],"name":"WEAZ2570D-HealthProbe","number_of_probes":3,"port":9570,"protocol":"Tcp","provisioning_state":"Succeeded"}],"provisioning_state":"Succeeded","resource_guid":"2d7f84e7-f950-4f01-8a5d-d7fec2497406","sku":{"name":"Standard"},"tags":{},"type":"Microsoft.Network/loadBalancers"}}
@Jvekka Thanks for your contribution this issue! Do you use a module from Azure collection or add full namepsace and collecton name in you playbook? Thank you very much!
I think I'm using it from the Azure collection as we are not adding full namespaces to collections yet.
Hello. So I've hit the same bug while exploring ansible modules for azure.
I have installed them using pip install "ansible[azure]" and I run the module in ad-hoc task.
azure-mgmt-network==2.3.0 in /home/dosmanak/.local/lib/python3.9/site-packages (from ansible[azure]) (2.3.0)
╓─(10:50)dosmanak@localhost~/azure/ansible
╙─$ ansible -m azure_rm_loadbalancer -a "resource_group=vm01_group name=lb03 frontend_ip_configurations={{ fe_conf }}" -e '{"fe_conf": [{"name": "fe03", "public_ip_address": "lb03PublicIP"}]}' localhost --check
localhost | CHANGED => {
"changed": true,
"state": {
"backend_address_pools": [],
"etag": "W/\"<<<redacted>>>\"",
"frontend_ip_configurations": [
{
"etag": "W/\"<<<redacted>>>\"",
"id": "/subscriptions/<<<redacted>>>/resourceGroups/vm01_group/providers/Microsoft.Network/loadBalancers/lb03/frontendIPConfigurations/fe03",
"name": "fe03",
"private_ip_allocation_method": "Dynamic",
"provisioning_state": "Succeeded",
"public_ip_address": {
"id": "/subscriptions/<<<redacted>>>/resourceGroups/vm01_group/providers/Microsoft.Network/publicIPAddresses/lb03PublicIP"
}
}
],
"id": "/subscriptions/<<<redacted>>>/resourceGroups/vm01_group/providers/Microsoft.Network/loadBalancers/lb03",
"inbound_nat_pools": [],
"inbound_nat_rules": [],
"load_balancing_rules": [],
"location": "westeurope",
"name": "lb03",
"probes": [],
"provisioning_state": "Succeeded",
"resource_guid": "<<<redacted>>>",
"sku": {
"name": "Basic"
},
"type": "Microsoft.Network/loadBalancers"
}
}
╓─(10:51)dosmanak@localhost~/azure/ansible
╙─$ ansible -m azure_rm_loadbalancer -a "resource_group=vm01_group name=lb03 frontend_ip_configurations={{ fe_conf }}" -e '{"fe_conf": [{"name": "fe03", "public_ip_address": "lb03PublicIP"}]}' localhost
localhost | SUCCESS => {
"changed": false,
"state": {
"backend_address_pools": [],
"etag": "W/\"<<<redacted>>>\"",
"frontend_ip_configurations": [
{
"etag": "W/\"<<<redacted>>>\"",
"id": "/subscriptions/<<<redacted>>>/resourceGroups/vm01_group/providers/Microsoft.Network/loadBalancers/lb03/frontendIPConfigurations/fe03",
"name": "fe03",
"private_ip_allocation_method": "Dynamic",
"provisioning_state": "Succeeded",
"public_ip_address": {
"id": "/subscriptions/<<<redacted>>>/resourceGroups/vm01_group/providers/Microsoft.Network/publicIPAddresses/lb03PublicIP"
}
}
],
"id": "/subscriptions/<<<redacted>>>/resourceGroups/vm01_group/providers/Microsoft.Network/loadBalancers/lb03",
"inbound_nat_pools": [],
"inbound_nat_rules": [],
"load_balancing_rules": [],
"location": "westeurope",
"name": "lb03",
"probes": [],
"provisioning_state": "Succeeded",
"resource_guid": "<<<redacted>>>",
"sku": {
"name": "Basic"
},
"type": "Microsoft.Network/loadBalancers"
}
}
@Jvekka Although it returns "change=True", it doesn't update the loadbalancer, it just returns the new loadbalancer defined in the playbook. I will confirm with the developer whether this should be modified or not! Thank you very much!
@Jvekka Although it returns "change=True", it doesn't update the loadbalancer, it just returns the new loadbalancer defined in the playbook. I will confirm with the developer whether this should be modified or not! Thank you very much!
Yes, I know that now, but it did still wipe our rules from the load balancer and caused an outage. Luckily, I did not know this back then and checked the environment which made the outage shorter.
@Jvekka Although it returns "change=True", it doesn't update the loadbalancer, it just returns the new loadbalancer defined in the playbook. I will confirm with the developer whether this should be modified or not! Thank you very much!
Yes, I know that now, but it did still wipe our rules from the load balancer and caused an outage. Luckily, I did not know this back then and checked the environment which made the outage shorter.
@Jvekka I see! I will give a fixes! Thank you very much!
@Jvekka I'm sorry that this issue has been holding up. First, check_mode simply checks if the resource will not change when playbook is run. If check_mode=True, If the resource needs to be udpate or create, It will returns changed=True, but is not deployed. and if the resource does not need to be changed, It will return change=False, Nothing to change. The check mode of this module is correct. Thanks!
@Jvekka So the 'check_mode' pattern for this problem is correct. You can close this issue.
@Jvekka In addition, after the resource is deployed, the fit is executed again, returning 'change=True', which is idempotent issue. You can redescribe the problem. Or Create a new issues. . Thank you!
Thanks @Fred-sun for checking this. It is so old issue that it may have been already fixed.
The issue was not the 'Change=True' field as it did actually clear the load balancer rules even with check mode enabled.
@Jvekka Yes, The check_mode is simply a pre-check mode that returns whether executing playbook will change the resource. No processing is done on resources. Thank you!
It has been a long day, but I am not really following.
We did run ansible playbook ansible-playbook playbook_name.yml --check including azure_rm_loadbalancer module. My understanding is that it should tell if anything would be changed. No changes should be implemented.
But the issue was that it did still wipe out the load balancer rules. For my understanding this should not happen as it is against the idea of --check
@Jvekka Yes, I think you said --diff, detection mode. azure.azcollection is not currently supported. Thanks!
It has been a long day, but I am not really following.
We did run ansible playbook
ansible-playbook playbook_name.yml --checkincludingazure_rm_loadbalancermodule. My understanding is that it should tell if anything would be changed. No changes should be implemented.But the issue was that it did still wipe out the load balancer rules. For my understanding this should not happen as it is against the idea of
--check
I'll re-check why the rules were wiped. Thanks!