Config Deployment and Remediation #533

jeffkala · 2023-07-19T20:13:54Z

The origin branch has two new models etc. to support these features, this PR will be used to make sure all integrations of both new features work in conjunction before merging into Next.

* Adds ConfigPlan model and initial generation utils * Updates logic to not create empty config_set * Changes functions to return config_set instead * Format via black * Adds signal to create default ConfigPlan statuses * Adds ConfigPlan initial UI/API elements * Fixes Status filter * Removes unused imports * Changes variable to function * Adds ConfigPlan nested serializer * Update help text per feedback * Adds CLI rule generation * Adds ConfigPlan model tests * Adds ConfigPlan filter tests * Adds ConfigPlan api tests * Adds ConfigPlan utility tests * Adds ConfigPlan view tests * Changes the test to only run on certain versions * Hides generate button until a plan type is chosen * Adds line break to help text * Changes serializer to disable POST method * Updates wording * Changes default statuses to Approved/Not Approved * Changes field to singular * Adds plan type to str method * Adds initial Config Plan documentation * Reorders migration file after rebase * Fixes imported class after rebase * Updates from PR feedback * Fixes absolute url test * Fixes typo * Enables and fixes Edit View tests --------- Co-authored-by: Jeff Kala <48843785+jeffkala@users.noreply.github.com>

* initial commit for remediation * initial commit for remediation * typo fix * typo fix * initial commit for remediation * initial commit for remediation * typo fix * typo fix * modified: nautobot_golden_config/models.py modified: pyproject.toml * temporary fixes and changes * modified: nautobot_golden_config/nornir_plays/config_compliance.py * modified: nautobot_golden_config/models.py * modified: nautobot_golden_config/forms.py modified: nautobot_golden_config/templates/nautobot_golden_config/compliance_device_report.html modified: nautobot_golden_config/templates/nautobot_golden_config/compliancerule_retrieve.html modified: nautobot_golden_config/templates/nautobot_golden_config/configcompliance.html * Remediation options updates * modified: nautobot_golden_config/choices.py modified: nautobot_golden_config/models.py modified: nautobot_golden_config/navigation.py modified: nautobot_golden_config/tables.py * modified: nautobot_golden_config/models.py modified: nautobot_golden_config/navigation.py modified: nautobot_golden_config/tables.py modified: nautobot_golden_config/templates/nautobot_golden_config/remediationsetting_retrieve.html * modified: nautobot_golden_config/models.py modified: nautobot_golden_config/templates/nautobot_golden_config/compliancerule_retrieve.html modified: nautobot_golden_config/templates/nautobot_golden_config/remediationsetting_retrieve.html modified: nautobot_golden_config/views.py * modified: nautobot_golden_config/models.py modified: nautobot_golden_config/templates/nautobot_golden_config/compliancerule_retrieve.html modified: nautobot_golden_config/templates/nautobot_golden_config/configcompliance.html * lint: nautobot_golden_config/api/serializers.py lint: nautobot_golden_config/forms.py lint: nautobot_golden_config/models.py lint: nautobot_golden_config/tables.py lint: nautobot_golden_config/views.py * lint: nautobot_golden_config/models.py * lint: nautobot_golden_config/models.py * lint: nautobot_golden_config/models.py * lint: nautobot_golden_config/models.py * lint: nautobot_golden_config/models.py * Update pyproject.toml * Update pyproject.toml * Update pyproject.toml * remove python 3.7 from ci.yml * Update ci.yml * Update ci.yml * modified: .github/workflows/ci.yml new file: nautobot_golden_config/migrations/0025_auto_20230707_0921.py modified: poetry.lock * black: nautobot_golden_config/migrations/0025_auto_20230707_0921.py * black: nautobot_golden_config/migrations/0025_auto_20230707_0921.py * modified: nautobot_golden_config/migrations/0005_json_compliance_rule.py modified: nautobot_golden_config/migrations/0025_auto_20230707_0921.py * modified: nautobot_golden_config/tests/test_models.py * tests: nautobot_golden_config/tests/test_models.py * modified: nautobot_golden_config/tests/test_models.py * peer-review: .github/workflows/ci.yml peer-review: nautobot_golden_config/models.py * new file: docs/images/remediation_custom_function_setup.png new file: docs/images/remediation_enable_compliance_rule_feature.png new file: docs/images/remediation_hier_edit_options.png new file: docs/images/remediation_settings_per_platform.png new file: docs/images/remediation_validate_feature.png new file: docs/user/app_feature_remediation.md modified: nautobot_golden_config/api/serializers.py modified: nautobot_golden_config/filters.py modified: nautobot_golden_config/models.py modified: nautobot_golden_config/tests/conftest.py modified: nautobot_golden_config/tests/test_api.py modified: nautobot_golden_config/tests/test_models.py modified: pyproject.toml * modified: nautobot_golden_config/filters.py * lint: nautobot_golden_config/filters.py * new file: nautobot_golden_config/migrations/0025_remediation_settings_part1.py * deleted: nautobot_golden_config/migrations/0025_auto_20230707_0921.py * lint: nautobot_golden_config/tests/test_models.py * modified: nautobot_golden_config/migrations/0005_json_compliance_rule.py modified: nautobot_golden_config/migrations/0025_remediation_settings_part1.py * modified: nautobot_golden_config/migrations/0025_remediation_settings_part1.py --------- Co-authored-by: pato23arg <patricior_villar@hotmail.com> Co-authored-by: pvillar_netdev <pato23arg@users.noreply.github.com> Co-authored-by: Ken Celenza <ken@celenza.org>

* Split Migrations * Bump min to 1.5.14

#536) * Add Config Set modal to list view, copy button on modal/detail view, and update bulk edit. * Update nautobot_golden_config/tables.py Co-authored-by: Joe Wesch <10467633+joewesch@users.noreply.github.com> * update navigation --------- Co-authored-by: Joe Wesch <10467633+joewesch@users.noreply.github.com>

itdependsnetworks · 2023-07-22T16:37:25Z

Just adding some screenshots

Config Plans

Config Plans Config Set Modal

Generate Config Plans from manual jinja template

Updated Navbar

Remediation in line with compliance

Custom Remdiation

* Move config create to a javascript process that waits for job to complete and report details into modal. Modal provides * Provide progress spinner * Provide job status, * Job results link * Redirect link * Error message. * Separated edit and create templates as they serve different purposes. * Converted hidden form to uses standard NautobotUIViewSet create method with small amount of JS * Updated model to link job_result and cm URL * Updated job to aggregate config to one per job run Made the JS pieces composable for near future use to kick off job to push configurations.

mzbroch · 2023-07-24T09:26:54Z

nautobot_golden_config/models.py

+        try:
+            remediation_setting = RemediationSetting.objects.get(platform=self.platform)
+        except RemediationSetting.DoesNotExist as err:
+            raise ValidationError(f"Platform {self.platform.slug} has no Remediation Settings defined.") from err


I think this should rather return None here

mzbroch · 2023-07-24T09:29:17Z

nautobot_golden_config/models.py

+            self.remediation = None
+            return
+
+        if not self.rule.config_remediation:


This will have no effect , but technically this should be the first rule in order

@mzbroch Can you expand on why you're saying here?

mzbroch · 2023-07-24T09:36:03Z

nautobot_golden_config/tests/test_views.py

+        rule2 = create_feature_rule_json(device2, feature="Test Feature 2")
+        rule3 = create_feature_rule_json(device3, feature="Test Feature 3")
+
+        not_approved_status = Status.objects.get(slug="not-approved")


With planned slug removal, would it make sense to change this to simpler form "unapproved" ?

mzbroch · 2023-07-24T09:37:01Z

nautobot_golden_config/utilities/config_plan.py

+
+# TODO: Make the default Status configurable
+def config_plan_default_status():
+    """Return the default status for config plan."""


This one should come from the plugin's settings.

mzbroch

reviewing..

Co-authored-by: Joe Wesch <10467633+joewesch@users.noreply.github.com>

* Removes deprecated pylint options * Updates CI to run on 1.5.14 * Updates CI to run on 1.5.14

* Adds config deployment job and UI elements * Adds logic to fail if any plans are not approved * Skips plan deletion if the job failed

needed for now, can remove late but some other dependencies

mkdocs.yml

Co-authored-by: Jeff Kala <48843785+jeffkala@users.noreply.github.com>

jeffkala · 2023-09-01T14:28:24Z

Last few todos:

Do additional testing and validation of all features before merging into next.
WARN - Last commit before merging to next should be a migration file cleanup.

jeffkala · 2023-09-01T14:57:25Z

Last few todos:

Do additional testing and validation of all features before merging into next.

WARN - Last commit before merging to next should be a migration file cleanup.

#559 needs to be merged into this PR before we finalize this.

* Replaces screenshots with new form fields * Removes copy pasta title

mzbroch · 2023-09-04T09:08:59Z

*** I don't think any of the following is really blocking the merge, however I believe we should implement them in nearest future / next-next release ***

In a fresh installation , "Generate Config Plan" job is disabled by default and I can not generate any plans. Is this expected behaviour / documented already ?

Limiting unexpected behaviours. I would like to discuss "match all devices" behaviour while generating config plans. By default, config plans will be generated for all of the devices if no filter options are selected. Majority of users will not want to generate config plan for all of the devices. (ie. manual), and I'm afraid for first-time users this can cause unexpected behaviour.
Pre-viewing device in scope. In general , adding a modal that would allow to pre-view list of impacted would be awesome!

filter: role, platform, site

-----------------------------------
| name | role | platform | site |
-----------------------------------
| dev1 | switch | cisco_ios | waw |
| dev2 | router | cisco_ios | nyc |
| dev3 | router | cisco_ios | jcy |

Describing changes. I would like to discuss naming or describing configuration changes. As of now there is no native place to store description. CR field is intended to store change identifiers , that are internal standard and naming could not be meaningful for network engineers.

If there are multiple config plans, this would be the view I could receive for hundreds of the devices that would allow me to easier and quicker understand change context and scope. (second column)

I think viewing the change description / name would be really helpful in such a view to understand a set of changes that is other than a CR identifier.

Limiting negative user experience. From the user perspective , it would look better if we gracefully ignore and skip the config plan that is unapproved . We could print the log "config plan was skipped as it was not approved" As of now , a hard error message is displayed

Approving plans. From the user perspective , having a new button to "approve" changes instead of relying on the status change would be awesome! See below

Persisting config plans. Please consider that once a config plan is implemented , instead of deleting the object we should change the status to the "Implemented".

This would allow to answer following questions :

when a change happened ?
how many changes were implemented from nautobot ?
can I script for rollback ?
what were the devices included in change CR xx ?

could be also useful for Grafana Dashboards.

joewesch · 2023-09-05T13:30:43Z

In a fresh installation , "Generate Config Plan" job is disabled by default and I can not generate any plans. Is this expected behaviour / documented already ?

Yes, all Jobs are disabled by default. We can, however, add a simple check to the view to create a warning message if the Job is disabled.

joewesch

There are a lack of View and Filter tests for RemediationSetting

docs/user/app_feature_config_plans.md

docs/user/app_feature_remediation.md

nautobot_golden_config/forms.py

nautobot_golden_config/models.py

nautobot_golden_config/templates/nautobot_golden_config/compliance_device_report.html

pyproject.toml

Co-authored-by: Joe Wesch <10467633+joewesch@users.noreply.github.com>

mzbroch · 2023-09-06T07:09:09Z

Yes, all Jobs are disabled by default. We can, however, add a simple check to the view to create a warning message if the Job is disabled.

Overall, plugins should be able to provide jobs that are installed and enabled without any additional user interactions.

Ideal workflow is to install and enable the golden config plugin, without any extra steps to enable / migrate jobs etc. Do You mind creating an issue within Nautobot core to track this ? The overall user experience should be simple and allow to user plugin immediately.

joewesch · 2023-09-06T13:16:02Z

Do You mind creating an issue within Nautobot core to track this ?

Do I mind? Yes. I agree with the stance that all Jobs should be disabled by default for security reasons.

* additional pr review updates * fix dunder string method * fix docstrings and fix filters * fix api testing for remediation settings

nautobot_golden_config/forms.py

Co-authored-by: Joe Wesch <10467633+joewesch@users.noreply.github.com>

jeffkala · 2023-09-06T21:15:12Z

*** I don't think any of the following is really blocking the merge, however I believe we should implement them in nearest future / next-next release ***

In a fresh installation , "Generate Config Plan" job is disabled by default and I can not generate any plans. Is this expected behaviour / documented already ?

* **Limiting unexpected behaviours**. I would like to discuss "match all devices" behaviour while generating config plans. By default, config plans will be generated for all of the devices if no filter options are selected. Majority of users will not want to generate config plan for all of the devices. (ie. manual), and I'm afraid for first-time users this can cause unexpected behaviour. * **Pre-viewing device in scope**. In general , adding a modal that would allow to pre-view list of impacted would be awesome!
filter: role, platform, site

-----------------------------------
| name | role | platform | site |
-----------------------------------
| dev1 | switch | cisco_ios | waw |
| dev2 | router | cisco_ios | nyc |
| dev3 | router | cisco_ios | jcy |
Describing changes. I would like to discuss naming or describing configuration changes. As of now there is no native place to store description. CR field is intended to store change identifiers , that are internal standard and naming could not be meaningful for network engineers.

If there are multiple config plans, this would be the view I could receive for hundreds of the devices that would allow me to easier and quicker understand change context and scope. (second column)
I think viewing the change description / name would be really helpful in such a view to understand a set of changes that is other than a CR **identifier**.

Limiting negative user experience. From the user perspective , it would look better if we gracefully ignore and skip the config plan that is unapproved . We could print the log "config plan was skipped as it was not approved" As of now , a hard error message is displayed

* **Approving plans.** From the user perspective , having a new button to "approve" changes instead of relying on the status change would be awesome! See below * **Persisting config plans.** Please consider that once a config plan is implemented , instead of deleting the object we should change the status to the "Implemented".
This would allow to answer following questions :

when a change happened ?

how many changes were implemented from nautobot ?

can I script for rollback ?

what were the devices included in change CR xx ?

could be also useful for Grafana Dashboards.

Anything else form this comment that we want to scope now? I agree that much of these would be well suited for individual feature request that can come in the near future. But don't want to neglect the solid work @mzbroch put into this review.

jeffkala · 2023-09-07T15:21:56Z

closing this as the simplified commit history was done in #573 . This has all the history along with all commits, conversation etc. for these features.

jeffkala · 2023-09-07T15:22:15Z

closing per completed in #573

joewesch and others added 3 commits July 19, 2023 13:32

Run Black and update dependencies (#532)

de7cb78

jeffkala requested review from itdependsnetworks and nkallergis as code owners July 19, 2023 20:13

jeffkala marked this pull request as draft July 19, 2023 20:14

itdependsnetworks and others added 3 commits July 20, 2023 09:47

Split Migrations (#534)

758170e

* Split Migrations * Bump min to 1.5.14

Fixes field name to be singular

be3eb57

mzbroch reviewed Jul 24, 2023

View reviewed changes

itdependsnetworks and others added 6 commits July 24, 2023 08:04

Add customer filter, minor updates

117afb2

Apply suggestions from code review

9f753c0

Co-authored-by: Joe Wesch <10467633+joewesch@users.noreply.github.com>

Merge branch 'next' into config-working-group-temp

235b707

just pushing new poetry lock after merge conflicts were fixed

d8c157f

Fixes device serializer to return names

513c2f6

Removes unused import

dc319da

jeffkala added the status: internal review Internal discussion is required to move forward with issue label Aug 9, 2023

joewesch and others added 7 commits August 21, 2023 14:13

Fixes working group tests (#548)

ce1343b

* Removes deprecated pylint options * Updates CI to run on 1.5.14 * Updates CI to run on 1.5.14

Adds config deployment job and UI elements (#545)

58fb4aa

* Adds config deployment job and UI elements * Adds logic to fail if any plans are not approved * Skips plan deletion if the job failed

add back locations to form

4ae180c

needed for now, can remove late but some other dependencies

fix default for control_url

685b0d6

update js job stat poller to support more job state

72e4195

Merge branch 'config-working-group-temp' into job_via_js

fe8583a

fixes ci testing

b1f7d21

jeffkala requested a review from joewesch August 31, 2023 19:44

jeffkala commented Sep 1, 2023

View reviewed changes

mkdocs.yml Show resolved Hide resolved

Apply suggestions from code review

87f3fa4

Co-authored-by: Jeff Kala <48843785+jeffkala@users.noreply.github.com>

jeffkala mentioned this pull request Sep 1, 2023

rerun migrations to fix name and multifiles #559

Merged

jeffkala and others added 4 commits September 1, 2023 10:41

rerun migrations to fix name and multifiles (#559)

513e768

Fixes screenshots and fixes title for config plan edit view (#561)

dabbbf3

* Replaces screenshots with new form fields * Removes copy pasta title

Update docs/user/app_feature_config_plans.md

5f43d69

Apply suggestions from code review

15f35d6

joewesch reviewed Sep 5, 2023

View reviewed changes

jeffkala and others added 2 commits September 5, 2023 14:10

Apply suggestions from code review

721af8e

Co-authored-by: Joe Wesch <10467633+joewesch@users.noreply.github.com>

Adds message if Job is not enabled (#562)

d3fdf3e

mzbroch mentioned this pull request Sep 6, 2023

Allow plugins to auto-enable and auto-install jobs nautobot/nautobot#4398

Open

12 tasks

additional pr review updates for remediation feature (#564)

fb458d9

* additional pr review updates * fix dunder string method * fix docstrings and fix filters * fix api testing for remediation settings

joewesch reviewed Sep 6, 2023

View reviewed changes

nautobot_golden_config/forms.py Outdated Show resolved Hide resolved

jeffkala and others added 3 commits September 6, 2023 14:58

Merge branch 'next' into config-working-group-temp

c1da463

Update nautobot_golden_config/forms.py

a252dcb

Co-authored-by: Joe Wesch <10467633+joewesch@users.noreply.github.com>

run black after import conflicct

841f63d

fix imports again after merge conflict

248f052

jeffkala closed this Sep 7, 2023

mzbroch mentioned this pull request Jan 19, 2024

Config Plan needs more details #697

Open

itdependsnetworks deleted the config-working-group-temp branch January 24, 2024 20:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Config Deployment and Remediation #533

Config Deployment and Remediation #533

jeffkala commented Jul 19, 2023

itdependsnetworks commented Jul 22, 2023

mzbroch Jul 24, 2023

mzbroch Jul 24, 2023

jeffkala Sep 1, 2023

mzbroch Jul 24, 2023

mzbroch Jul 24, 2023

mzbroch left a comment

jeffkala commented Sep 1, 2023 •

edited

Loading

jeffkala commented Sep 1, 2023 •

edited

Loading

mzbroch commented Sep 4, 2023 •

edited

Loading

joewesch commented Sep 5, 2023

joewesch left a comment

mzbroch commented Sep 6, 2023

joewesch commented Sep 6, 2023

jeffkala commented Sep 6, 2023

jeffkala commented Sep 7, 2023

jeffkala commented Sep 7, 2023

Config Deployment and Remediation #533

Config Deployment and Remediation #533

Conversation

jeffkala commented Jul 19, 2023

itdependsnetworks commented Jul 22, 2023

mzbroch Jul 24, 2023

Choose a reason for hiding this comment

mzbroch Jul 24, 2023

Choose a reason for hiding this comment

jeffkala Sep 1, 2023

Choose a reason for hiding this comment

mzbroch Jul 24, 2023

Choose a reason for hiding this comment

mzbroch Jul 24, 2023

Choose a reason for hiding this comment

mzbroch left a comment

Choose a reason for hiding this comment

jeffkala commented Sep 1, 2023 • edited Loading

jeffkala commented Sep 1, 2023 • edited Loading

mzbroch commented Sep 4, 2023 • edited Loading

joewesch commented Sep 5, 2023

joewesch left a comment

Choose a reason for hiding this comment

mzbroch commented Sep 6, 2023

joewesch commented Sep 6, 2023

jeffkala commented Sep 6, 2023

jeffkala commented Sep 7, 2023

jeffkala commented Sep 7, 2023

jeffkala commented Sep 1, 2023 •

edited

Loading

jeffkala commented Sep 1, 2023 •

edited

Loading

mzbroch commented Sep 4, 2023 •

edited

Loading