azure_rm_networkinterface module ignores subscription_id parameter #1253

Closed
pauronda-visma opened this issue Sep 1, 2023 · 9 comments · Fixed by #1416
Labels
medium_priority (Medium priority) · not a bug (Not a bug) · question (Further information is requested) · work in (In trying to solve, or in working with contributors)

Comments

@pauronda-visma

SUMMARY

When I use Environment variables with the credentials that include AZURE_SUBSCRIPTION_ID the module parameter subscription_id is ignored.

It produces a mismatch between the subnet (that points to the environment variable of the credentials) and the NIC that is being created in the subscription ID of the module parameter.
It tries to find the subnet in the environment variable AZURE_SUBSCRIPTION_ID instead of the subscription_id of the module parameter.

To call the module, I pass the subnet_name as a string with the name of the subnet and the virtual_network as a dict with the name and the resource_group (also as names and not with the complete resource IDs).

Thank you for your attention and help.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
  • azure.azcollection.azure_rm_networkinterface module
  • network_client (module_utils/azure_rm_common.py) (indirectly)
ANSIBLE VERSION
ansible [core 2.15.1]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.16 (main, Jan 17 2023, 18:53:15) [GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] (/usr/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
azure.azcollection    1.16.0
@markstoel

Looks like the environment variable is being taken in subsequent calls to sub-modules.
I feel that the parameter passed to the module should always take precedence over the environment variables also when calling sub-modules in a module.

For example this code fails in the check on the subnet when creating a nic:
- name: "Network interface state : {{ vmstate }}"
  azure.azcollection.azure_rm_networkinterface:
    subscription_id: "{{ hostvars[inventory_hostname].host_subscription_id }}"
    location: "{{ hostvars[inventory_hostname].host_location }}"
    resource_group: "{{ hostvars[inventory_hostname].host_resource_group }}"
    create_with_security_group: false
    ip_configurations:
      - name: "{{ hostvars[inventory_hostname].host_azure_object }}-nic1-config"
        primary: true
        private_ip_address: "{{ ip_dictlist[inventory_hostname] | default(omit) }}"
        private_ip_allocation_method: "{{ hostvars[inventory_hostname].host_ipam | default(false) | bool | ternary('Static','Dynamic') }}"
    name: "{{ hostvars[inventory_hostname].host_azure_object }}-nic1"
    state: "{{ vmstate }}"
    subnet_name: "{{ hostvars[inventory_hostname].host_subnet_name }}"
    tags:
      objectname: "{{ hostvars[inventory_hostname].host_azure_object + '-nic1' }}"
    virtual_network:
      name: "{{ hostvars[inventory_hostname].host_vnet_name }}"
      resource_group: "{{ hostvars[inventory_hostname].host_vnet_resourcegroup }}"
  when: hostvars[inventory_hostname].host_state == "present"
  delegate_to: localhost

The error is:
"Error creating or updating network interface we-vm-sd-d-ptiis21-nic1 - (InvalidResourceReference) Resource /subscriptions/_09609272-1dc6-429a-9c04-9e92827e53cf_/resourceGroups/rsg-network/providers/Microsoft.Network/virtualNetworks/net-dev-declarations/subnets/subnet-declaration-d-pt referenced by resource /subscriptions/_e4d0178f-f621-4e30-bf64-6282c0d84ba3_/resourceGroups/rsg-declaration-d-pt/providers/Microsoft.Network/networkInterfaces/we-vm-sd-d-ptiis21-nic1 was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.\nCode: InvalidResourceReference\nMessage: Resource /subscriptions/_09609272-1dc6-429a-9c04-9e92827e53cf_/resourceGroups/rsg-network/providers/Microsoft.Network/virtualNetworks/net-dev-declarations/subnets/subnet-declaration-d-pt referenced by resource /subscriptions/e4d0178f-f621-4e30-bf64-6282c0d84ba3/resourceGroups/rsg-declaration-d-pt/providers/Microsoft.Network/networkInterfaces/we-vm-sd-d-ptiis21-nic1 was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.",
Where the subscription-id that was passed as a parameter to the module is the one on the nic and the subscription-id for the subnet is the one from the environment variable.

@Fred-sun
Collaborator

@pauronda-visma Thank you very much for the question you submitted. First of all, we need to create network cards and subnets, virtual networks must be under the same subscription. To create a resource, we must first obtain credentials and we will also obtain its subscription id. Since it's under the same subscription_id, it's all the same. Thank you!

@Fred-sun added the question, medium_priority, and work in labels Nov 28, 2023
@Fred-sun
Collaborator

kindly ping!

@Fred-sun added the not a bug label Jan 22, 2024
@pauronda-visma
Author

Hi, the issue was if you define both variables (environment variable and module parameter) and they don't match.
One is the AZURE_SUBSCRIPTION_ID environment variable and the other is the subscription_id module parameter.
The problem comes because, for getting the subnet, it takes the environment value and for the NIC it uses the module parameter.
This is not consistent and in certain situations it produces errors.

@markstoel

The credentials are client credentials for a tenant with multiple subscriptions. We use the credential to authenticate only. Creating vnets and subnets in the separate subscriptions that the user/app has access to.

@Fred-sun
Collaborator

@pauronda-visma But we will get the subnet ID from the subscription_id, virtual network name, and subnet name in the credentials. If you want to specify a different subscription_id, we can add the full subnet ID to pass it. Is that okay?

@pauronda-visma
Author

pauronda-visma commented Jan 22, 2024

Yes, I think this would solve the issue when there is a mismatch between the environment variable and the subscription_id module parameter.
It is related to #1223.
Thanks for your attention and time.

@Fred-sun
Collaborator

@pauronda-visma We can support this (Added in #1416), but your tenant ID must have access to the permissions of the other subscription_id, if not, an error similar to the one below will appear! Thank you!

- name: Create a NIC with different subscription's subnet
  azure_rm_networkinterface:
    resource_group: "{{ resource_group }}"
    name: "tn{{ rpfx }}"   # This subnet name is under the same subscription as the virtual network
    virtual_network: "/subscriptions/{{ secondary_subscription_id }}/resourcegroups/v-xisuRG/providers/Microsoft.Network/virtualNetworks/fredvnet"
    subnet: "default"
    public_ip: false
    create_with_security_group: false

If you do not have permission, a similar error will occur!

The current tenant 'tenant_id' is not authorized to access linked subscription  'secondary-subscrition-id'

@pauronda-visma
Author

This would fix it, thank you very much
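
The subscription resolution discussed in this thread, as an added example that is not part of the issue and not the collection's code. The function names, resource names and subscription IDs are constructed for illustration, and the "module parameter wins" precedence is the behaviour requested above, assumed here.

```python
import re

# ARM virtual network resource ID; ARM segment names are case-insensitive.
VNET_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/virtualNetworks/(?P<name>[^/]+)/?$",
    re.IGNORECASE)

def effective_subscription(param_sub, env):
    """Explicit module parameter wins over AZURE_SUBSCRIPTION_ID (assumed precedence)."""
    sub = param_sub or env.get("AZURE_SUBSCRIPTION_ID")
    if not sub:
        raise ValueError("no subscription ID in parameter or environment")
    return sub

def resolve_subnet_id(virtual_network, subnet_name, nic_sub, nic_rg):
    """Return the subnet resource ID a NIC in (nic_sub, nic_rg) will reference."""
    if isinstance(virtual_network, dict):          # {name, resource_group}
        sub, rg = nic_sub, virtual_network.get("resource_group", nic_rg)
        name = virtual_network["name"]
    elif virtual_network.startswith("/"):          # full resource ID keeps its own subscription
        m = VNET_ID.match(virtual_network)
        if m is None:
            raise ValueError("not a virtual network ID: %r" % virtual_network)
        sub, rg, name = m.group("sub", "rg", "name")
    else:                                          # bare name: same scope as the NIC
        sub, rg, name = nic_sub, nic_rg, virtual_network
    return ("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network"
            "/virtualNetworks/%s/subnets/%s" % (sub, rg, name, subnet_name))

def crosses_subscription(nic_sub, subnet_id):
    """True when the credential must hold rights in a second subscription."""
    return subnet_id.split("/")[2].lower() != nic_sub.lower()

# Constructed sample values (not taken from the issue).
ENV = {"AZURE_SUBSCRIPTION_ID": "00000000-0000-0000-0000-0000000000aa"}
PARAM_SUB = "00000000-0000-0000-0000-0000000000bb"
VNET = {"name": "net-dev", "resource_group": "rsg-network"}

nic_sub = effective_subscription(PARAM_SUB, ENV)
# Mismatch from the thread: NIC uses the parameter, subnet lookup uses the env value.
mismatched = resolve_subnet_id(VNET, "subnet-a", ENV["AZURE_SUBSCRIPTION_ID"], "rsg-nic")
# Consistent resolution: both sides use the effective subscription.
consistent = resolve_subnet_id(VNET, "subnet-a", nic_sub, "rsg-nic")
# Explicit cross-subscription reference through a full virtual network ID.
explicit = resolve_subnet_id(
    "/subscriptions/%s/resourcegroups/rsg-network/providers/Microsoft.Network"
    "/virtualNetworks/net-dev" % ENV["AZURE_SUBSCRIPTION_ID"],
    "subnet-a", nic_sub, "rsg-nic")
```

Running `crosses_subscription` before the API call separates an intended cross-subscription reference (the full-ID form) from an accidental one caused by the environment variable, and shows which subscriptions the service principal needs network permissions in.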
