Pin assets to cluster by subnet #45
Merged
Add the ByTargetSubnet parameter set so operators can resolve and pin/unpin all monitored assets within an IPv4 CIDR range in one call, instead of enumerating individual asset IDs. Add -SkipAssetHealthValidation so a transient or stale unhealthy status in the portal doesn't block a pin/unpin operation, while every other validation (segment server check, monitored-by-Segment-Server check, applicability, and already-pinned/not-pinned state) stays enforced. Ignore local planning and test artifacts (test-plan.md, plan.md, testing/) that shouldn't be tracked in the repo. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019Nox4wjcx2VFvMwn9Wup7t
Run subnet-batch asset resolution requests concurrently via ForEach-Object -Parallel, throttled by the new -MaxConcurrentBatches parameter (default 5), to speed up resolution for large subnets. Add exponential backoff retry (up to 3 attempts) in Invoke-ApiRequest for HTTP 429 responses, since the added concurrency can trigger rate limiting that a single sequential request stream would not. Sync CLAUDE.md workflow notes to describe the new concurrent batching and retry behavior. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019Nox4wjcx2VFvMwn9Wup7t
Add the IPv4 subnet bulk-pin use case, -SkipAssetHealthValidation, and -MaxConcurrentBatches to the README so it matches the ByTargetSubnet parameter set and health-check bypass already present in the script. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019Nox4wjcx2VFvMwn9Wup7t
Untrack the standalone reference JSON alongside AssetDetailsFieldMappings.json; the script keeps its own inline copy of this mapping data and never reads the file, so it doesn't need to be version controlled. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019Nox4wjcx2VFvMwn9Wup7t
Concurrent subnet batches querying overlapping IP ranges can resolve the same asset more than once; dedupe by id before returning so downstream validation and pinning never see duplicates. Also stop Format-Table from truncating long ErrorMessage text in the failure summary, so the full reason for each validation failure is visible.
BREAKING CHANGE: -PortalUrl no longer defaults to https://portal.zeronetworks.com and must be supplied explicitly on every invocation (except -ExportCsvTemplate). The prior default pointed at the generic SaaS URL rather than a tenant-specific admin URL, risking silent use of the wrong endpoint. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
BREAKING CHANGE: -DeploymentClusterId is removed everywhere (script parameter and the CSV DeploymentClusterId column) and replaced by -DeploymentClusterName / a DeploymentClusterName CSV column. Names are resolved to cluster IDs via a local <envName>-DeploymentClusters.json cache file kept next to the script, auto-created on first use and refreshed by -ListDeploymentClusters. This removes the previous workflow of running -ListDeploymentClusters separately to copy an opaque cluster ID into a follow-up command. Also fixes a pre-existing latent bug in Test-AssetCanBePinned that indexed the deployment cluster hashtable with an unset $DeploymentClusterId during CSV-based validation (ByCsvPath never bound that variable), which threw on every asset and silently failed all CSV validation. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Prevent DeploymentClusters.json files produced by -ListDeploymentClusters from being committed alongside the mapping reference file.
Summary

Adds subnet-based bulk pinning to `Pin-AssetsToClusters.ps1` and switches deployment cluster targeting from raw IDs to human-readable names.

- `-TargetSubnet`: expand an IPv4 CIDR range into host addresses, resolve them to monitored assets via `lastIpAddress`, and pin/unpin them in batches. Batches run concurrently (`-MaxConcurrentBatches`, default 5) with exponential backoff retry on HTTP 429. Includes interactive confirmation above /24 and a hard stop above /16 to guard against runaway address expansion.
- `-DeploymentClusterId` is removed everywhere in favor of `-DeploymentClusterName` (and a `DeploymentClusterName` CSV column). Names resolve to IDs via a local `<envName>-DeploymentClusters.json` cache file (gitignored), refreshed on `-ListDeploymentClusters` and auto-created if missing.
- `-PortalUrl` is now mandatory (previously had a default), so every invocation is explicit about which tenant it targets.
- `-DeploymentClusterId` is gone (use `-DeploymentClusterName`); `-PortalUrl` no longer defaults and must be supplied explicitly.

Changes

- `Pin-AssetsToClusters.ps1` — subnet pinning path, concurrent batching + 429 retry, cluster name↔ID cache/resolution, mandatory `-PortalUrl`
- `README.md` — documents subnet pinning, health-check bypass, and name-based cluster targeting
- `CLAUDE.md` — updated architecture notes for the per-parameter-set workflows and cluster name resolution
- `.gitignore` — ignore generated `*-DeploymentClusters.json` cache files
- `DeploymentClusterFieldMappings.json` — removed (superseded by the inline `$script:DeploymentClusterFieldMappings` mapping in the script)

Test plan

- `-ListDeploymentClusters` against a test tenant, confirm cache file is created/refreshed
- `-TargetSubnet` with `-DryRun` against a small (/28 or smaller) range, confirm expected assets resolved and batched
- `-TargetSubnet` above /24 to confirm the interactive confirmation prompt fires, and above /16 to confirm the hard stop
- `-AssetId` / `-OUPath` / `-CsvPath` paths still work with `-DeploymentClusterName` (no regressions from the ID→name switch)
- `-PortalUrl` now fails fast with a clear error
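
The subnet size guard and the dedupe-by-id step described above, as an added PowerShell example that is not code from this pull request or from `Pin-AssetsToClusters.ps1`. The function names, the `-Force` switch standing in for the interactive prompt, the skipping of network and broadcast addresses, and the sample assets are assumptions; "above /24" and "above /16" are read as prefix lengths shorter than 24 and 16.

```powershell
# Added illustration. Function names and -Force (standing in for the
# interactive prompt) are hypothetical, not taken from Pin-AssetsToClusters.ps1.
function Get-SubnetHostAddress {
    param([Parameter(Mandatory)][string]$Cidr, [switch]$Force)
    $m = [regex]::Match($Cidr, '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$')
    if (-not $m.Success) { throw "Not an IPv4 CIDR: '$Cidr'" }
    $octets = $m.Groups[1].Value.Split('.') | ForEach-Object { [int]$_ }
    $prefix = [int]$m.Groups[2].Value
    if (($octets | Where-Object { $_ -gt 255 }) -or $prefix -gt 32) {
        throw "Octet or prefix out of range: '$Cidr'"
    }
    # Check the size before expanding anything: /16 is the largest range allowed.
    if ($prefix -lt 16) { throw "Refusing /${prefix}: larger than /16 (hard stop)" }
    if ($prefix -lt 24 -and -not $Force) {
        throw "/${prefix} is larger than /24: confirmation required (-Force)"
    }
    [long]$base = 0
    foreach ($o in $octets) { $base = $base * 256 + $o }
    [long]$size = [math]::Pow(2, 32 - $prefix)
    [long]$network = $base - ($base % $size)   # clear host bits: 10.1.2.77/24 -> 10.1.2.0
    # Assumption: network and broadcast addresses are skipped for /30 and larger.
    if ($prefix -ge 31) { $first = $network; $last = $network + $size - 1 }
    else                { $first = $network + 1; $last = $network + $size - 2 }
    for ([long]$n = $first; $n -le $last; $n++) {
        '{0}.{1}.{2}.{3}' -f (($n -shr 24) -band 255), (($n -shr 16) -band 255),
                             (($n -shr 8) -band 255), ($n -band 255)
    }
}

# Overlapping concurrent batches can return the same asset twice; keep the first of each id.
function Select-UniqueAssetById {
    param([Parameter(ValueFromPipeline)]$Asset)
    begin   { $seen = [System.Collections.Generic.HashSet[string]]::new() }
    process { if ($seen.Add([string]$Asset.id)) { $Asset } }
}

# Constructed sample data: two batch results that both contain asset 'a-2'.
$batchA = @([pscustomobject]@{ id = 'a-1'; lastIpAddress = '10.20.30.9' },
            [pscustomobject]@{ id = 'a-2'; lastIpAddress = '10.20.30.10' })
$batchB = @([pscustomobject]@{ id = 'a-2'; lastIpAddress = '10.20.30.10' },
            [pscustomobject]@{ id = 'a-3'; lastIpAddress = '10.20.30.12' })
$hosts  = @(Get-SubnetHostAddress -Cidr '10.20.30.8/29')
$assets = @($batchA + $batchB |
    Where-Object { $_.lastIpAddress -in $hosts } | Select-UniqueAssetById)
"{0} host addresses, {1} unique assets" -f $hosts.Count, $assets.Count
```

Because the prefix checks run before the loop, a call such as `Get-SubnetHostAddress -Cidr '10.0.0.0/8'` throws without generating a single address.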