Skip to content

feat: failure output prints firewall-rule punch list#16

Merged
ericcames merged 1 commit into
mainfrom
12-firewall-rule-output
May 21, 2026
Merged

feat: failure output prints firewall-rule punch list#16
ericcames merged 1 commit into
mainfrom
12-firewall-rule-output

Conversation

@ericcames

@ericcames ericcames commented May 21, 2026

Copy link
Copy Markdown
Owner

Summary

Closes #12.

The playbook exists to help a customer fix Azure firewall rules. Today the failure output tells them what failed but not what to do. This PR turns the failure path into an actionable punch list.

Before / after

Before (existing behavior):

FAIL: https://acs-mirror.azureedge.net (HEAD) expected 400 got no response - Connection refused

After:

FAIL: https://acs-mirror.azureedge.net (HEAD)
      expected 400 got no response - Connection refused
  -> Add egress rule: allow tcp/443 to acs-mirror.azureedge.net

And at the end of the play:

Firewall rules to add (N unique):
  - allow tcp/443 to acs-mirror.azureedge.net
  - allow tcp/80 to crl.microsoft.com
  - ...

How it works

  • A scheme_to_port map (http: 80, https: 443) drives the rule format.
  • Host is extracted via item.0.url.split('/') | first so URLs with paths (e.g. googleapis.com/foo) still produce a clean rule.
  • Deduplication is per (host, port) — if the same host fails on both http and https, you get two rules (one per port), not one. Same scheme + same host = one rule.
  • Failure exit code is unchanged — the play still fails non-zero on any miss so the weekly cron still opens issues as designed.

Test results

Tested locally on both paths:

Path Result
Success — real live URL list (playbooks/files/websites.yml) 16 of 16 probes pass; all 4 new failure tasks correctly skipping; exit 0
Failure — synthetic via -e @bad-websites.yml: nonexistent.invalid on both schemes + 192.0.2.1/bad/path All 3 FAIL lines render with the rule beneath; dedup summary lists 3 unique rules; ports correctly mapped; host correctly stripped from path; exit 2

Files

  • playbooks/main.yml — 4 task changes (extended set_fact, restructured failure msg, new dedup set_fact, new summary debug)
  • CHANGELOG.md — entry under [Unreleased] / Changed

Test plan

  • yamllint clean locally
  • ansible-lint clean locally
  • Success path verified (16/16, exit 0)
  • Failure path verified (3 synthetic, exit 2, output correct)
  • CI green on PR
  • Weekly cron remains green on next scheduled run

🤖 Generated with Claude Code

For each failed probe, print the corresponding `allow tcp/<port> to <host>`
rule beneath the FAIL line. After the per-failure list, print a
deduplicated summary of every rule the customer needs to add. Host is
extracted with `.split('/') | first` so URLs with paths (e.g.
`googleapis.com/foo`) still produce a clean firewall rule.

Failure exit code is unchanged — the play still fails non-zero on any
miss so the weekly CI cron still opens issues as before.

Tested:
- Success path: 16 of 16 live URLs pass, all firewall-rule tasks skip,
  exit 0.
- Failure path (synthetic): 3 failures across http+https and a path-
  bearing URL — per-line rules render correctly, dedup summary lists 3
  unique rules with correct port/host derivation, exit 2.

Refs #12.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@ericcames ericcames added the enhancement New feature or request label May 21, 2026
@ericcames
ericcames merged commit 1a2da66 into main May 21, 2026
2 checks passed
@ericcames
ericcames deleted the 12-firewall-rule-output branch May 21, 2026 16:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Failure output should print the firewall rule to allow for each miss

1 participant