
Error Handle for not allowing to shrink CIDR for gcp subnet #563

Open
jimmycgz opened this issue Mar 2, 2023 · 0 comments · May be fixed by #562


jimmycgz commented Mar 2, 2023

SUMMARY

GCP doesn't allow shrinking the CIDR of a subnet, but the original module doesn't throw an error if the requested new CIDR is not a superset of the original IP range. So I suggest adding a condition check that errors out in this scenario.

Many years ago there was a similar issue reported but closed due to the old ansible module getting migrated to Galaxy Collection: ansible/ansible#63348
When there are no changes ansible still shows that the configuration has been changed. Diff on the debug output from 3 consecutive run shows no differences.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

plugins/modules/gcp_compute_subnetwork.py

ANSIBLE VERSION

```
ansible [core 2.14.2]
  config file = /Users/x/proj/hands-on/ansible/sbn-bug-ansible/playbooks/ansible.cfg
  configured module search path = ['/Users/x/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /Users/x/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.16 (main, Dec  7 2022, 10:16:11) [Clang 14.0.0 (clang-1400.0.29.202)] (/usr/local/opt/[email protected]/bin/python3.9)
  jinja version = 3.0.1
  libyaml = True
```
COLLECTION VERSION
google.cloud 1.1.2
CONFIGURATION
nothing special, just local ansible.cfg
OS / ENVIRONMENT

MacOS 13.0 (22A380)

STEPS TO REPRODUCE

#A1: create a network vpc-a
#A2: create a subnetwork {{ sbn_name }} in vpc-a
#A3: shrink the CIDR for {{ sbn_name }}
#A4: Collect fact about subnet {{ sbn_name }}
#A5: Show subnet info {{ sbn_name }}

```yaml
---
- name: Define variables
  set_fact:
    project: your-project-name
    region: us-east4
    gcp_auth_kind: application
    sbn_name: subnet-a

- name: "#A1: create a network vpc-a"
  google.cloud.gcp_compute_network:
    name: "vpc-a"
    auto_create_subnetworks: false
    project: "{{ project }}"
    auth_kind: "{{ gcp_auth_kind }}"
    state: present
  register: network_a

- name: "#A2: create a subnetwork {{ sbn_name }} in vpc-a"
  google.cloud.gcp_compute_subnetwork:
    name: "{{ sbn_name }}"
    region: "{{ region }}"
    network: "{{ network_a }}"
    ip_cidr_range: 172.16.0.0/20
    project: "{{ project }}"
    auth_kind: "{{ gcp_auth_kind }}"
    state: present

# GCP only allows expanding a subnet's primary range; /20 -> /21 is a shrink
- name: "#A3: shrink the CIDR for {{ sbn_name }}"
  google.cloud.gcp_compute_subnetwork:
    name: "{{ sbn_name }}"
    region: "{{ region }}"
    network: "{{ network_a }}"
    ip_cidr_range: 172.16.0.0/21
    project: "{{ project }}"
    auth_kind: "{{ gcp_auth_kind }}"
    state: present

- name: "#A4: Collect fact about subnet {{ sbn_name }}"
  google.cloud.gcp_compute_subnetwork_info:
    filters:
      - "network = {{ network_a.selfLink }}"
      - "name = {{ sbn_name }}"
    auth_kind: "{{ gcp_auth_kind }}"
    project: "{{ project }}"
    region: "{{ region }}"
  register: subnet_facts

- name: "#A5: Show subnet info {{ sbn_name }}"
  debug:
    msg:
      - "{{ subnet_facts }}"
```
EXPECTED RESULTS

Since the GCP API doesn't allow such a CIDR shrink, Step #A4 should throw such an error, but actually it does not; instead, it reports the status as changed but didn't shrink the CIDR.

ACTUAL RESULTS

Actually, the original doesn't validate that the new CIDR is invalid and doesn't throw any error; instead, it reports the status as changed but didn't shrink the CIDR.

```
changed: [localhost] => {
    "changed": true,
    "creationTimestamp": "2023-03-02T15:24:06.150-08:00",
    "fingerprint": "Nz33qz_KLmw=",
    "gatewayAddress": "172.16.0.1",
    "id": "4466064884805439225",
    "invocation": {
        "module_args": {
            "auth_kind": "application",
            "description": null,
            "env_type": null,
            "ip_cidr_range": "172.16.0.0/21",
            "name": "subnet-a",
            "network": {
                "ansible_facts": {
                    "discovered_interpreter_python": "/usr/local/bin/python3.11"
                },
                "autoCreateSubnetworks": false,
                "changed": false,
                "creationTimestamp": "2023-03-02T15:23:11.142-08:00",
                "failed": false,
                "id": "2905869197935153456",
                "kind": "compute#network",
                "name": "vpc-a",
                "networkFirewallPolicyEnforcementOrder": "AFTER_CLASSIC_FIREWALL",
                "routingConfig": {
                    "routingMode": "REGIONAL"
                },
                "selfLink": "https://www.googleapis.com/compute/v1/projects/xx-demo/global/networks/vpc-a",
                "selfLinkWithId": "https://www.googleapis.com/compute/v1/projects/xx-demo/global/networks/2905869197935153456",
                "subnetworks": [
                    "https://www.googleapis.com/compute/v1/projects/xx-demo/regions/us-east4/subnetworks/subnet-a"
                ],
                "warnings": [
                    "Platform darwin on host localhost is using the discovered Python interpreter at /usr/local/bin/python3.11, but future installation of another Python interpreter could change the meaning of that path. See https://docs.ansible.com/ansible-core/2.14/reference_appendices/interpreter_discovery.html for more information."
                ]
            },
            "private_ip_google_access": null,
            "private_ipv6_google_access": null,
            "project": "xx-demo",
            "region": "us-east4",
            "scopes": [
                "https://www.googleapis.com/auth/compute"
            ],
            "secondary_ip_ranges": null,
            "service_account_contents": null,
            "service_account_email": null,
            "service_account_file": null,
            "state": "present"
        }
    },
    "ipCidrRange": "172.16.0.0/20",
    "kind": "compute#subnetwork",
    "name": "subnet-a",
    "network": "https://www.googleapis.com/compute/v1/projects/xx-demo/global/networks/vpc-a",
    "privateIpGoogleAccess": false,
    "privateIpv6GoogleAccess": "DISABLE_GOOGLE_ACCESS",
    "purpose": "PRIVATE",
    "region": "https://www.googleapis.com/compute/v1/projects/xx-demo/regions/us-east4",
    "selfLink": "https://www.googleapis.com/compute/v1/projects/xx-demo/regions/us-east4/subnetworks/subnet-a",
    "stackType": "IPV4_ONLY"
}
```
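The check this issue proposes, worked through as an added example (written for this page; it is not code from the google.cloud collection or from the linked PR). It compares the current and requested primary ranges with the standard `ipaddress` module and classifies the request as unchanged, a valid expansion (the requested range must contain the current one), a shrink, or a move to an unrelated range; only the first two should reach the API. The function names `check_cidr_change`, `plan_subnet_update` and the exception `SubnetChangeError` are hypothetical, and the `fail_json` wiring at the end is only sketched in a comment. The sample ranges are the ones from the reproduction above, plus constructed invalid inputs to show the failure modes.

```python
import ipaddress
from typing import Tuple


class SubnetChangeError(ValueError):
    """Raised when a requested CIDR change cannot be applied (hypothetical name)."""


def check_cidr_change(current_cidr: str, requested_cidr: str) -> Tuple[bool, str]:
    """Classify a requested change of a subnet's primary range.

    Returns (allowed, reason). A change is allowed only if the requested range
    equals the current one or strictly contains it (an expansion). Shrinking,
    moving to a disjoint range, changing IP version or supplying a malformed
    CIDR are all rejected before anything is sent to the API.
    """
    try:
        # strict=True rejects ranges with host bits set, e.g. 172.16.1.0/21
        current = ipaddress.ip_network(current_cidr, strict=True)
        requested = ipaddress.ip_network(requested_cidr, strict=True)
    except ValueError as exc:
        return False, "invalid CIDR: %s" % exc

    if current.version != requested.version:
        return False, "IP version mismatch between %s and %s" % (current, requested)
    if requested == current:
        return True, "unchanged"
    if requested.supernet_of(current):
        return True, "expand"
    if current.supernet_of(requested):
        return False, (
            "requested range %s shrinks the current range %s; "
            "GCP does not allow shrinking a subnet" % (requested, current)
        )
    return False, "requested range %s does not contain the current range %s" % (
        requested,
        current,
    )


def plan_subnet_update(current_cidr: str, requested_cidr: str) -> dict:
    """Decide what a module would do with the request.

    Returns a dict shaped like a module result ("changed" plus the range to
    send). Raises SubnetChangeError for requests the API would not honour, so
    the caller can surface a real failure instead of reporting changed=true
    while the range silently stays the same.
    """
    allowed, reason = check_cidr_change(current_cidr, requested_cidr)
    if not allowed:
        # In an Ansible module this is where module.fail_json(msg=reason)
        # would be called (assumption about the wiring, not the collection's code).
        raise SubnetChangeError(reason)
    return {"changed": reason == "expand", "ip_cidr_range": requested_cidr, "reason": reason}


if __name__ == "__main__":
    cases = [
        ("172.16.0.0/20", "172.16.0.0/20"),  # no-op
        ("172.16.0.0/20", "172.16.0.0/16"),  # expansion, allowed
        ("172.16.0.0/20", "172.16.0.0/21"),  # shrink, the case from this issue
        ("172.16.0.0/20", "10.0.0.0/16"),    # disjoint range (constructed)
        ("172.16.0.0/20", "172.16.1.0/21"),  # malformed CIDR (constructed)
    ]
    for cur, req in cases:
        try:
            print(cur, "->", req, plan_subnet_update(cur, req))
        except SubnetChangeError as err:
            print(cur, "->", req, "REJECTED:", err)
```

Run on its own it prints one line per case; the /20 to /21 request from the reproduction is rejected with a shrink message rather than reported as changed.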
@jimmycgz jimmycgz linked a pull request Mar 2, 2023 that will close this issue