Pin assets to cluster by subnet #45

Merged
tjobarow merged 9 commits into master from pin-assets-to-cluster-by-subnet
Jul 2, 2026
Conversation

tjobarow commented Jul 2, 2026 (Contributor)

Summary

Adds subnet-based bulk pinning to Pin-AssetsToClusters.ps1 and switches deployment cluster targeting from raw IDs to human-readable names.

  • Subnet targeting (-TargetSubnet): expand an IPv4 CIDR range into host addresses, resolve them to monitored assets via lastIpAddress, and pin/unpin them in batches. Batches run concurrently (-MaxConcurrentBatches, default 5) with exponential backoff retry on HTTP 429. Includes interactive confirmation above /24 and a hard stop above /16 to guard against runaway address expansion.
  • Deployment cluster name resolution: -DeploymentClusterId is removed everywhere in favor of -DeploymentClusterName (and a DeploymentClusterName CSV column). Names resolve to IDs via a local <envName>-DeploymentClusters.json cache file (gitignored), refreshed on -ListDeploymentClusters and auto-created if missing.
  • -PortalUrl is now mandatory (previously had a default), so every invocation is explicit about which tenant it targets.
  • Deduped assets returned across concurrent subnet batches and fixed validation error messages being truncated.

⚠️ Breaking changes: -DeploymentClusterId is gone (use -DeploymentClusterName); -PortalUrl no longer defaults and must be supplied explicitly.

Changes

  • Pin-AssetsToClusters.ps1 — subnet pinning path, concurrent batching + 429 retry, cluster name↔ID cache/resolution, mandatory -PortalUrl
  • README.md — documents subnet pinning, health-check bypass, and name-based cluster targeting
  • CLAUDE.md — updated architecture notes for the per-parameter-set workflows and cluster name resolution
  • .gitignore — ignore generated *-DeploymentClusters.json cache files
  • DeploymentClusterFieldMappings.json — removed (superseded by the inline $script:DeploymentClusterFieldMappings mapping in the script)

Test plan

  • -ListDeploymentClusters against a test tenant, confirm cache file is created/refreshed
  • -TargetSubnet with -DryRun against a small (/28 or smaller) range, confirm expected assets resolved and batched
  • -TargetSubnet above /24 to confirm the interactive confirmation prompt fires, and above /16 to confirm the hard stop
  • -AssetId / -OUPath / -CsvPath paths still work with -DeploymentClusterName (no regressions from the ID→name switch)
  • Confirm omitting -PortalUrl now fails fast with a clear error
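The size guard and batching that the summary describes for `-TargetSubnet`, as an added example (not code from Pin-AssetsToClusters.ps1). The function names, the `-Force` switch, the batch size, and skipping the network and broadcast addresses are assumptions; "above /24" and "above /16" are read here as ranges larger than a /24 and a /16.

```powershell
# Added example; function names, -Force and the batch size are assumptions,
# not taken from Pin-AssetsToClusters.ps1.
function Get-SubnetHostAddress {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Cidr,
        [switch]$Force   # hypothetical: skip the prompt in unattended runs
    )
    if (-not ($Cidr -match '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$')) {
        throw "Not an IPv4 CIDR range: $Cidr"
    }
    $ipText = $Matches[1]
    $prefix = [int]$Matches[2]
    $ip = [System.Net.IPAddress]::None
    if ($prefix -gt 32) { throw "Invalid prefix length in $Cidr" }
    if (-not [System.Net.IPAddress]::TryParse($ipText, [ref]$ip)) {
        throw "Invalid IPv4 address in $Cidr"
    }
    # Guard BEFORE expanding, so an oversized range never allocates anything.
    $size = [long][math]::Pow(2, 32 - $prefix)
    if ($prefix -lt 16) {
        throw "Refusing $Cidr ($size addresses): larger than a /16"
    }
    if ($prefix -lt 24 -and -not $Force) {
        $answer = Read-Host "$Cidr expands to $size addresses. Continue? (y/N)"
        if ($answer -notmatch '^[yY]') { throw "Cancelled by operator: $Cidr" }
    }
    # Fold the four octets into one integer, then align down to the network.
    [long]$addr = 0
    foreach ($octet in $ip.GetAddressBytes()) { $addr = $addr * 256 + $octet }
    $network = $addr - ($addr % $size)
    # Assumption: skip network and broadcast addresses except for /31 and /32.
    $first = $network; $last = $network + $size - 1
    if ($prefix -le 30) { $first++; $last-- }
    for ($n = $first; $n -le $last; $n++) {
        '{0}.{1}.{2}.{3}' -f ($n -shr 24), (($n -shr 16) -band 255),
            (($n -shr 8) -band 255), ($n -band 255)
    }
}

function Split-IntoBatch {
    param([string[]]$Items, [int]$BatchSize = 50)
    for ($i = 0; $i -lt $Items.Count; $i += $BatchSize) {
        $end = [math]::Min($i + $BatchSize, $Items.Count) - 1
        , $Items[$i..$end]   # unary comma keeps each batch as one array
    }
}

$hosts = @(Get-SubnetHostAddress -Cidr '10.20.30.16/28')   # constructed range
$batches = @(Split-IntoBatch -Items $hosts -BatchSize 5)
'{0} hosts in {1} batches' -f $hosts.Count, $batches.Count
try { Get-SubnetHostAddress -Cidr '10.0.0.0/8' } catch { "Hard stop: $_" }
```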

tjobarow and others added 9 commits July 1, 2026 17:49
Add the ByTargetSubnet parameter set so operators can resolve and
pin/unpin all monitored assets within an IPv4 CIDR range in one call,
instead of enumerating individual asset IDs.

Add -SkipAssetHealthValidation so a transient or stale unhealthy status
in the portal doesn't block a pin/unpin operation, while every other
validation (segment server check, monitored-by-Segment-Server check,
applicability, and already-pinned/not-pinned state) stays enforced.

Ignore local planning and test artifacts (test-plan.md, plan.md,
testing/) that shouldn't be tracked in the repo.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019Nox4wjcx2VFvMwn9Wup7t

Run subnet-batch asset resolution requests concurrently via
ForEach-Object -Parallel, throttled by the new -MaxConcurrentBatches
parameter (default 5), to speed up resolution for large subnets.

Add exponential backoff retry (up to 3 attempts) in Invoke-ApiRequest
for HTTP 429 responses, since the added concurrency can trigger rate
limiting that a single sequential request stream would not.

Sync CLAUDE.md workflow notes to describe the new concurrent batching
and retry behavior.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019Nox4wjcx2VFvMwn9Wup7t

Add the IPv4 subnet bulk-pin use case, -SkipAssetHealthValidation,
and -MaxConcurrentBatches to the README so it matches the
ByTargetSubnet parameter set and health-check bypass already present
in the script.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019Nox4wjcx2VFvMwn9Wup7t

Untrack the standalone reference JSON alongside AssetDetailsFieldMappings.json;
the script keeps its own inline copy of this mapping data and never
reads the file, so it doesn't need to be version controlled.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019Nox4wjcx2VFvMwn9Wup7t

Concurrent subnet batches querying overlapping IP ranges can resolve
the same asset more than once; dedupe by id before returning so
downstream validation and pinning never see duplicates. Also stop
Format-Table from truncating long ErrorMessage text in the failure
summary, so the full reason for each validation failure is visible.

BREAKING CHANGE: -PortalUrl no longer defaults to
https://portal.zeronetworks.com and must be supplied explicitly on
every invocation (except -ExportCsvTemplate). The prior default
pointed at the generic SaaS URL rather than a tenant-specific admin
URL, risking silent use of the wrong endpoint.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>

BREAKING CHANGE: -DeploymentClusterId is removed everywhere (script
parameter and the CSV DeploymentClusterId column) and replaced by
-DeploymentClusterName / a DeploymentClusterName CSV column. Names are
resolved to cluster IDs via a local <envName>-DeploymentClusters.json
cache file kept next to the script, auto-created on first use and
refreshed by -ListDeploymentClusters. This removes the previous
workflow of running -ListDeploymentClusters separately to copy an
opaque cluster ID into a follow-up command.

Also fixes a pre-existing latent bug in Test-AssetCanBePinned that
indexed the deployment cluster hashtable with an unset $DeploymentClusterId
during CSV-based validation (ByCsvPath never bound that variable),
which threw on every asset and silently failed all CSV validation.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>

Prevent DeploymentClusters.json files produced by -ListDeploymentClusters
from being committed alongside the mapping reference file.
@tjobarow tjobarow merged commit 9f0e157 into master Jul 2, 2026
2 checks passed