f5-declarative-onboarding
DO does not capture firewall policy partition info correctly
Environment
- Declarative Onboarding Version: 1.22.0
- AS3: 3.20.0
- BIG-IP Version: 15.1.3
Summary
DO seems to assume all firewall policies are in the Common partition, and this results in "The requested firewall policy (/Common/xxx) was not found".
A Firewall Policy created using AS3 is captured by DO and assumed to be part of the Common partition, since the partition information is not captured by DO.
Steps To Reproduce
Steps to reproduce the behavior:
- On a newly provisioned VE, license it and install the DO and AS3 packages.
- Submit the following declaration:
{
"schemaVersion": "1.22.0",
"class": "Device",
"async": true,
"label": "BIG-IP declaration for declarative onboarding",
"Common": {
"class": "Tenant",
"myProvisioning": {
"afm": "nominal",
"class": "Provision",
"gtm": "nominal",
"ltm": "none",
"pem": "nominal"
}
}
}
- After DO completes successfully, observe that FirewallPolicy in currentConfig and originalConfig is empty:
{
"GSLBProberPool": {},
"FirewallPolicy": {},
"FirewallAddressList": {},
"FirewallPortList": {}
}
- Submit the following AS3 declaration to configure a Firewall Policy in the /Common/Shared folder:
{
"class": "AS3",
"action": "deploy",
"declaration": {
"class": "ADC",
"schemaVersion": "3.20.0",
"Common": {
"Shared": {
"class": "Application",
"template": "shared",
"pol_fw_03": {
"class": "Firewall_Policy",
"rules": [
{
"name": "rl_nwfw_default",
"remark": "Default",
"action": "drop",
"loggingEnabled": true,
"protocol": "any"
}
]
}
}
}
}
}
[admin@localhost:Active:Standalone] config # tmsh list security firewall policy /Common/Shared/pol_fw_03 all-properties
security firewall policy Shared/pol_fw_03 {
app-service none
description none
partition Common
rules {
rl_nwfw_default {
action drop
app-service none
classification-policy none
description none
ip-protocol any
irule none
irule-sample-rate 1
log yes
protocol-inspection-profile none
rule-list none
rule-number 1
schedule none
service-policy none
status enabled
uuid none
virtual-server none
destination {
address-lists none
addresses none
fqdns none
geo none
ipi-category none
port-lists none
ports none
zones none
}
icmp none
rule-list-expanded none
source {
address-lists none
addresses none
fqdns none
geo none
identity {
subscriber-groups none
subscribers none
user-groups none
user-lists none
users none
}
ipi-category none
port-lists none
ports none
vlans none
zones none
}
}
}
}
- Re-submit the same DO without any changes
{
"schemaVersion": "1.22.0",
"class": "Device",
"async": true,
"label": "BIG-IP declaration for declarative onboarding",
"Common": {
"class": "Tenant",
"myProvisioning": {
"afm": "nominal",
"class": "Provision",
"gtm": "nominal",
"ltm": "none",
"pem": "nominal"
}
}
}
- It results in the following error: the firewall policy is not found in the Common partition. The firewall policy is in /Common/Shared.
{
"id": "7f5da250-c8d8-4da5-adb3-ad61093ccaa6",
"selfLink": "https://localhost/mgmt/shared/declarative-onboarding/task/7f5da250-c8d8-4da5-adb3-ad61093ccaa6",
"code": 404,
"status": "ERROR",
"message": "invalid config - rolled back",
"errors": [
"tryUntil: max tries reached: 01020036:3: The requested firewall policy (/Common/pol_fw_03) was not found.",
"tryUntil: max tries reached: 01020036:3: The requested firewall policy (/Common/pol_fw_03) was not found."
],
"result": {
"class": "Result",
"code": 404,
"status": "ERROR",
"message": "invalid config - rolled back",
"errors": [
"tryUntil: max tries reached: 01020036:3: The requested firewall policy (/Common/pol_fw_03) was not found.",
"tryUntil: max tries reached: 01020036:3: The requested firewall policy (/Common/pol_fw_03) was not found."
]
},
"declaration": {
"schemaVersion": "1.22.0",
"class": "Device",
"async": true,
"label": "BIG-IP declaration for declarative onboarding",
"Common": {
"class": "Tenant",
"myProvisioning": {
"afm": "nominal",
"class": "Provision",
"gtm": "nominal",
"ltm": "none",
"pem": "nominal"
}
}
},
"currentConfig": "HTML Tag-like Content in the Request URL/Body",
"originalConfig": "HTML Tag-like Content in the Request URL/Body",
"lastUpdate": "2021-08-15T07:08:13.888Z"
}
Expected Behavior
DO should be able to capture the firewall policy in the correct partition and folder and allow a re-run of the same DO declaration without issue.
Actual Behavior
DO captures the created firewall policy, but it seems to assume that all firewall policies are in the Common partition. A re-run results in an error.
Internal ticket 1-7679873643
Thank you for your feedback. This issue has been added to our internal product backlog as AUTOTOOL-2688.