Firewall application rule collections fails with simple configuration
SUMMARY
Firewall module azure_rm_azurefirewall is not processing correctly the application_rule_collections.
ISSUE TYPE
- Bug Report
COMPONENT NAME
azure_rm_azurefirewall
ANSIBLE VERSION
ansible --version
ansible 2.9.15
CONFIGURATION
azure_resource_group: ocp4-rg
azure_fw_name: ocp4-az-fw
OS / ENVIRONMENT
Tested in Fedora 33 and in RHEL7
STEPS TO REPRODUCE
Ansible playbook with the azure_rm_azurefirewall as shown below (same as the official documentation in ansible https://docs.ansible.com/ansible/2.10/collections/azure/azcollection/azure_rm_azurefirewall_module.html#examples):
```yaml
- name: Create Azure Firewall App Rule for RedHat resources
  azure_rm_azurefirewall:
    resource_group: "{{ azure_resource_group }}"
    name: "{{ azure_fw_name }}"
    application_rule_collections:
      - priority: 110
        action:
          type: deny
        rules:
          - name: rule1
            description: Deny inbound rule
            source_addresses:
              - 216.58.216.164
            protocols:
              - type: https
                port: '443'
            target_fqdns:
              - www.test.com
        name: apprulecoll
```
EXPECTED RESULTS
Apply and update the application rules collection into the azure firewall
ACTUAL RESULTS
The full traceback is:
Traceback (most recent call last):
File "/home/rcarrata/.ansible/tmp/ansible-tmp-1610626141.8314412-1838968-104420885497022/AnsiballZ_azure_rm_azurefirewall.py", line 102, in <module>
_ansiballz_main()
File "/home/rcarrata/.ansible/tmp/ansible-tmp-1610626141.8314412-1838968-104420885497022/AnsiballZ_azure_rm_azurefirewall.py", line 94, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/home/rcarrata/.ansible/tmp/ansible-tmp-1610626141.8314412-1838968-104420885497022/AnsiballZ_azure_rm_azurefirewall.py", line 40, in invoke_module
runpy.run_module(mod_name='ansible.modules.cloud.azure.azure_rm_azurefirewall', init_globals=None, run_name='__main__', alter_sys=True)
File "/usr/lib64/python3.8/runpy.py", line 207, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File "/usr/lib64/python3.8/runpy.py", line 97, in _run_module_code
_run_code(code, mod_globals, init_globals,
File "/usr/lib64/python3.8/runpy.py", line 87, in _run_code
exec(code, run_globals)
File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py", line 716, in <module>
File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py", line 712, in main
File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py", line 552, in __init__
File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common.py", line 348, in __init__
File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py", line 563, in exec_module
File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common_ext.py", line 47, in inflate_parameters
File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common_ext.py", line 16, in inflate_parameters
File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common_ext.py", line 27, in inflate_parameters
File "/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/common/dict_transformations.py", line 79, in _snake_to_camel
AttributeError: 'dict' object has no attribute 'split'
fatal: [localhost]: FAILED! => {
"changed": false,
"module_stderr": "Traceback (most recent call last):\n File \"/home/rcarrata/.ansible/tmp/ansible-tmp-1610626141.8314412-1838968-104420885497022/AnsiballZ_azure_rm_azurefirewall.py\", line 102, in <module>\n _ansiballz_main()\n File \"/home/rcarrata/.ansible/tmp/ansible-tmp-1610626141.8314412-1838968-104420885497022/AnsiballZ_azure_rm_azurefirewall.py\", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/rcarrata/.ansible/tmp/ansible-tmp-1610626141.8314412-1838968-104420885497022/AnsiballZ_azure_rm_azurefirewall.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible.modules.cloud.azure.azure_rm_azurefirewall', init_globals=None, run_name='__main__', alter_sys=True)\n File \"/usr/lib64/python3.8/runpy.py\", line 207, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File \"/usr/lib64/python3.8/runpy.py\", line 97, in _run_module_code\n _run_code(code, mod_globals, init_globals,\n File \"/usr/lib64/python3.8/runpy.py\", line 87, in _run_code\n exec(code, run_globals)\n File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py\", line 716, in <module>\n File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py\", line 712, in main\n File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py\", line 552, in __init__\n File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common.py\", line 348, in __init__\n File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/modules/cloud/azure/azure_rm_azurefirewall.py\", line 563, in exec_module\n File 
\"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common_ext.py\", line 47, in inflate_parameters\n File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common_ext.py\", line 16, in inflate_parameters\n File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/azure_rm_common_ext.py\", line 27, in inflate_parameters\n File \"/tmp/ansible_azure_rm_azurefirewall_payload_t9kberqb/ansible_azure_rm_azurefirewall_payload.zip/ansible/module_utils/common/dict_transformations.py\", line 79, in _snake_to_camel\nAttributeError: 'dict' object has no attribute 'split'\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}
OTHER STEPS
Created the firewall successfully with the PIP assignation, fails when tried to do the application_rule_collections:
This worked like a charm:
```yaml
- name: Create Azure Firewall and associate the fw PIP
  azure_rm_azurefirewall:
    resource_group: "{{ azure_resource_group }}"
    name: "{{ azure_fw_name }}"
    ip_configurations:
      - subnet: "/subscriptions/{{ azure_subscription_id }}/resourceGroups/{{ azure_resource_group }}/providers/Microsoft.Network/virtualNetworks/{{ azure_vnet_fw_name }}/subnets/{{ azure_subnet_fw_name }}"
        public_ip_address: "/subscriptions/{{ azure_subscription_id }}/resourceGroups/{{ azure_resource_group }}/providers/Microsoft.Network/publicIPAddresses/{{ azure_fw_pip_name }}"
        name: azureFirewallIpConfiguration
```
Any thoughts on that?
I have exactly the same error
It's an issue with the doc, the sample is incorrect. Action is a "string". It should read:
```yaml
application_rule_collections:
  - priority: 110
    action: deny
    rules:
```
Not:
```yaml
application_rule_collections:
  - priority: 110
    action:
      type: deny
    rules:
```
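The failure reported above and a way to catch it before a playbook run, as an added example that is not part of this thread or of the Ansible code base. `snake_to_camel` is a simplified stand-in for the helper named in the traceback, `find_non_string_actions` and `reproduce` are hypothetical names, and the inputs are constructed from the two forms shown in the thread.

```python
# Added example; not code from the issue or from Ansible.

def snake_to_camel(value):
    """Simplified stand-in for the traceback's helper: assumes a str."""
    head, *rest = value.split("_")
    return head + "".join(part.capitalize() for part in rest)


def find_non_string_actions(collections):
    """Return one message per rule collection whose `action` is not a str."""
    problems = []
    for index, coll in enumerate(collections or []):
        if "action" not in coll or isinstance(coll["action"], str):
            continue
        action = coll["action"]
        hint = ""
        if isinstance(action, dict) and isinstance(action.get("type"), str):
            hint = f"; use 'action: {action['type']}'"
        problems.append(
            f"application_rule_collections[{index}] "
            f"({coll.get('name', '<unnamed>')}): action is "
            f"{type(action).__name__}, expected str{hint}"
        )
    return problems


def reproduce(collections):
    """Feed each action to the stand-in; return the error text, or None."""
    try:
        for coll in collections:
            snake_to_camel(coll["action"])
    except AttributeError as exc:
        return str(exc)
    return None


# Constructed inputs mirroring the two forms shown in the thread.
DOC_FORM = [{
    "priority": 110,
    "action": {"type": "deny"},  # nested form from the documentation sample
    "rules": [{"name": "rule1", "target_fqdns": ["www.test.com"]}],
    "name": "apprulecoll",
}]
FIXED_FORM = [dict(DOC_FORM[0], action="deny")]  # plain-string form

if __name__ == "__main__":
    print(reproduce(DOC_FORM))
    print(find_non_string_actions(DOC_FORM))
    print(reproduce(FIXED_FORM), find_non_string_actions(FIXED_FORM))
```

Running a check like this over the playbook variables in CI surfaces the malformed `action` before the task runs, so a deny collection is not silently left unapplied by a module failure.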