Support for AWS NAT instances in Route Table?
Describe the bug and expected behavior
I am getting an init error when I supply a RouteTable config referencing a NetworkInterface as a route destination. The configuration in question is an AWS NAT instance.
Not sure I have the syntax below correct, but when I load that JSON config from a file with bf.init_snapshot(), I get the error:
'Unsupported target type: NetworkInterface'
Is this just a syntax error?
from pybatfish.client.session import Session

TXT = """
{
  "Vpcs": [
    {
      "CidrBlock": "10.0.0.0/8",
      "State": "available",
      "VpcId": "vpc-one",
      "OwnerId": "710",
      "CidrBlockAssociationSet": [
        {
          "AssociationId": "vpc-cidr-assoc-one",
          "CidrBlock": "10.0.0.8/8",
          "CidrBlockState": {
            "State": "associated"
          }
        },
        {
          "AssociationId": "vpc-cidr-assoc-two",
          "CidrBlock": "192.0.0.0/8",
          "CidrBlockState": {
            "State": "associated"
          }
        }
      ],
      "IsDefault": false
    }
  ],
  "Subnets": [
    {
      "AvailabilityZone": "us-east-2a",
      "AvailabilityZoneId": "use2-az2",
      "AvailableIpAddressCount": 10,
      "CidrBlock": "10.10.0.0/16",
      "DefaultForAz": false,
      "MapPublicIpOnLaunch": false,
      "MapCustomerOwnedIpOnLaunch": false,
      "State": "available",
      "SubnetId": "subnet-public",
      "VpcId": "vpc-one",
      "OwnerId": "710",
      "AssignIpv6AddressOnCreation": false,
      "Ipv6CidrBlockAssociationSet": [],
      "Tags": [
        {
          "Key": "Name",
          "Value": "owned resources that require outbound internet gateway"
        }
      ],
      "SubnetArn": "arn:aws:ec2:us-east-1:710:subnet/subnet-public",
      "EnableDns64": false,
      "Ipv6Native": false,
      "PrivateDnsNameOptionsOnLaunch": {
        "HostnameType": "ip-name",
        "EnableResourceNameDnsARecord": false,
        "EnableResourceNameDnsAAAARecord": false
      }
    },
    {
      "AvailabilityZone": "us-east-2a",
      "AvailabilityZoneId": "use2-az2",
      "AvailableIpAddressCount": 10,
      "CidrBlock": "192.0.0.0/8",
      "DefaultForAz": true,
      "MapPublicIpOnLaunch": false,
      "MapCustomerOwnedIpOnLaunch": false,
      "State": "available",
      "SubnetId": "subnet-private",
      "VpcId": "vpc-one",
      "OwnerId": "710",
      "AssignIpv6AddressOnCreation": false,
      "Ipv6CidrBlockAssociationSet": [],
      "Tags": [
        {
          "Key": "Name",
          "Value": "private subnet"
        }
      ],
      "SubnetArn": "arn:aws:ec2:us-east-1:710:subnet/subnet-private",
      "EnableDns64": false,
      "Ipv6Native": false,
      "PrivateDnsNameOptionsOnLaunch": {
        "HostnameType": "ip-name",
        "EnableResourceNameDnsARecord": false,
        "EnableResourceNameDnsAAAARecord": false
      }
    }
  ],
  "RouteTables": [
    {
      "Associations": [
        {
          "Main": true,
          "RouteTableAssociationId": "rtbassoc-one",
          "RouteTableId": "rtb-one",
          "AssociationState": {
            "State": "associated"
          }
        }
      ],
      "PropagatingVgws": [],
      "RouteTableId": "rtb-one",
      "Routes": [
        {
          "DestinationCidrBlock": "0.0.0.0/0",
          "InstanceId": "i-one",
          "InstanceOwnerId": "710",
          "NetworkInterfaceId": "eni-one",
          "Origin": "CreateRoute",
          "State": "active"
        }
      ],
      "VpcId": "vpc-one",
      "OwnerId": "710"
    }
  ]
}
"""

bf = Session()
bf.set_network("github-bug-report")
bf.init_snapshot_from_text(TXT)

# Verify that Batfish recognized the vendor format correctly
print(bf.q.fileParseStatus().answer())

# Insert command(s) below to demonstrate the problem
print(bf.q.initIssues().answer())
Additional context
Replacing the RouteTable Routes entry with the one below clears the unsupported target type error, yielding another expected error:
{
  "DestinationCidrBlock": "0.0.0.0/0",
  "TransitGatewayId": "tgw-one",
  "Origin": "CreateRoute",
  "State": "active"
}
Did you create this file yourself or was it pulled from a deployment?
Take a look at https://github.com/batfish/batfish/blob/925dd46a39cc8cc44438bef2dfbd8b28df45e465/projects/batfish/src/main/java/org/batfish/representation/aws/Subnet.java#L657 to see what is supported and what the code expects.
Thanks for the pointer and quick response! I've tried to reduce it and anonymize it based on deployment config snapshots.
Looking at that code, it looks like Network Interface is not supported here, although I did notice that it seems to be allowed looking at
https://github.com/batfish/batfish/blob/925dd46a39cc8cc44438bef2dfbd8b28df45e465/projects/batfish/src/main/java/org/batfish/representation/aws/Route.java#L99 - or is that something else?
The route table config is OK on its own, but the issue occurs when the subnet tries to process it? Trying to get familiar with the project, thanks!
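An added example, not part of the original thread and not Batfish code: a pre-flight check that scans AWS snapshot JSON for routes whose target resolves to NetworkInterface, the type named in the error above, so they can be listed before the snapshot is initialized. The key names are those of the EC2 describe-route-tables output; the precedence order, the function names and the sample are assumptions of this example.

```python
import json

# Route keys that name a target in EC2 describe-route-tables output.
# Precedence is an assumption of this example: NetworkInterfaceId is tested
# before InstanceId because the reported route carries both and the error
# names NetworkInterface.
TARGET_KEYS = [
    ("TransitGatewayId", "TransitGateway"),
    ("VpcPeeringConnectionId", "VpcPeeringConnection"),
    ("NatGatewayId", "NatGateway"),
    ("GatewayId", "Gateway"),
    ("NetworkInterfaceId", "NetworkInterface"),
    ("InstanceId", "Instance"),
]
# Target types this thread reports as rejected when the snapshot is initialized.
REPORTED_UNSUPPORTED = {"NetworkInterface"}


def target_type(route):
    """Return (type name, target id) for one entry of a "Routes" list."""
    for key, name in TARGET_KEYS:
        if route.get(key):
            return name, route[key]
    return "Unknown", None


def find_unsupported_routes(snapshot_text):
    """List routes whose target type is in REPORTED_UNSUPPORTED."""
    findings = []
    for table in json.loads(snapshot_text).get("RouteTables", []):
        for route in table.get("Routes", []):
            kind, target = target_type(route)
            if kind in REPORTED_UNSUPPORTED:
                findings.append((table.get("RouteTableId"),
                                 route.get("DestinationCidrBlock"), kind, target))
    return findings


# Constructed sample, modelled on the NAT-instance and transit-gateway routes above.
SAMPLE = """
{"RouteTables": [{"RouteTableId": "rtb-one", "Routes": [
  {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-one",
   "NetworkInterfaceId": "eni-one", "Origin": "CreateRoute", "State": "active"},
  {"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": "tgw-one",
   "Origin": "CreateRoute", "State": "active"}]}]}
"""

if __name__ == "__main__":
    for finding in find_unsupported_routes(SAMPLE):
        print(finding)
```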