⚙️ k3g Compliance & Governance

Relatório: reports/pilot-device-compliance/incidents/ROLLBACK-PLAN-FASE-2-3-WRONG-OBJECTS.md

Baixar .md

Rollback Plan — FASE 2.3 Wrong Objects

Status: CLOSED — NO ACTION REQUIRED Incident: INC-2026-04-28-001 (combined with INC-2026-04-28-002) Severity: Critical Updated: 2026-04-28 after INC-2026-04-28-002 discovery

✅ CLOSED — Audit Investigation Complete

Discovery (FASE 2.5): NetBox audit confirmed IDs 18201/18202 pre-existed.

Audit Results: - ID 18201: created 2026-04-04T21:51:31Z (LoopBack100) - ID 18202: created 2026-04-04T21:51:32Z (NULL0) - Batch executed: 2026-04-28T19:01:04Z (24 days later)

Evidence: - IDs created 24 days before batch execution - Script never made real POST (verified via code analysis) - IDs were NOT created by batch apply

Final Decision: - ✅ NO ROLLBACK NEEDED - ✅ IDs can remain in NetBox (pre-existing, unrelated to batch) - ✅ No delete required - ✅ Incident closes as "no action required"

Conclusion: This rollback plan is hereby CLOSED. No manual deletion necessary. The IDs 18201/18202 are pre-existing objects on device 2647 and have no relation to batch execution on 2026-04-28.

Objects Status (For Reference - DO NOT DELETE)

Object 1: ID 18201

Current State: - Device: INFORR-BVA-JCL-RX (ID: 2647) - Name: LoopBack100 - Type: interface - Created: 2026-04-28T18:58:23Z - Reason: Wrong device created by batch apply

Should Not Exist: - Expected: Should have been created on device 4WNET-MNS-KTG-RX (ID: 1890) as "Eth-Trunk1" - Status: INCORRECT

Object 2: ID 18202

Current State: - Device: INFORR-BVA-JCL-RX (ID: 2647) - Name: NULL0 - Type: interface - Created: 2026-04-28T18:58:23Z - Reason: Wrong device created by batch apply

Should Not Exist: - Expected: Should have been created on device 4WNET-MNS-KTG-RX (ID: 1890) as "GigabitEthernet0/5/0" - Status: INCORRECT

Pre-Deletion Verification

Before executing deletion, verify:

# Verify objects exist on wrong device
curl -H "Authorization: Token $NETBOX_WRITE_TOKEN" \
  "https://docs.k3gsolutions.com.br/api/dcim/interfaces/18201/"
# Expected: { "id": 18201, "name": "LoopBack100", "device": { "id": 2647, ... } }

curl -H "Authorization: Token $NETBOX_WRITE_TOKEN" \
  "https://docs.k3gsolutions.com.br/api/dcim/interfaces/18202/"
# Expected: { "id": 18202, "name": "NULL0", "device": { "id": 2647, ... } }

# Verify they are NOT on intended device
curl -H "Authorization: Token $NETBOX_WRITE_TOKEN" \
  "https://docs.k3gsolutions.com.br/api/dcim/interfaces/?device_id=1890&name=Eth-Trunk1"
# Expected: count=0

curl -H "Authorization: Token $NETBOX_WRITE_TOKEN" \
  "https://docs.k3gsolutions.com.br/api/dcim/interfaces/?device_id=1890&name=GigabitEthernet0/5/0"
# Expected: count=0

# Check if objects are in use
curl -H "Authorization: Token $NETBOX_WRITE_TOKEN" \
  "https://docs.k3gsolutions.com.br/api/dcim/interfaces/18201/connected-endpoints/"
# Expected: empty or no connected devices

curl -H "Authorization: Token $NETBOX_WRITE_TOKEN" \
  "https://docs.k3gsolutions.com.br/api/dcim/interfaces/18202/connected-endpoints/"
# Expected: empty or no connected devices

Deletion Commands

⚠️ REQUIRES APPROVAL BEFORE EXECUTION

Manual Delete via cURL

# Set token
export NETBOX_WRITE_TOKEN="your-token"

# Delete ID 18201
curl -X DELETE \
  -H "Authorization: Token $NETBOX_WRITE_TOKEN" \
  "https://docs.k3gsolutions.com.br/api/dcim/interfaces/18201/"

# Expected response: 204 No Content (success) or 404 Not Found (already deleted)

# Delete ID 18202
curl -X DELETE \
  -H "Authorization: Token $NETBOX_WRITE_TOKEN" \
  "https://docs.k3gsolutions.com.br/api/dcim/interfaces/18202/"

# Expected response: 204 No Content (success) or 404 Not Found (already deleted)

Python Script (Optional)

import urllib.request
import urllib.error
import os

token = os.environ.get("NETBOX_WRITE_TOKEN")
base_url = "https://docs.k3gsolutions.com.br"

for obj_id in [18201, 18202]:
    url = f"{base_url}/api/dcim/interfaces/{obj_id}/"

    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Token {token}"}
    )
    req.get_method = lambda: "DELETE"

    try:
        with urllib.request.urlopen(req) as response:
            print(f"✓ Deleted ID {obj_id}: {response.status}")
    except urllib.error.HTTPError as e:
        if e.code == 404:
            print(f"✓ ID {obj_id}: Already deleted (404)")
        else:
            print(f"✗ ID {obj_id}: Error {e.code}")

Approval Workflow

Step 1: Review

  • [ ] Incident report read: INCIDENT-FASE-2-3-BATCH-PAYLOAD-MISSING.md
  • [ ] Root cause understood: batch payload had null fields
  • [ ] Objects verified in wrong device
  • [ ] No dependencies/connections on wrong objects
  • [ ] Intended correct objects NOT created on device 1890 (confirmed)

Step 2: Authorize

  • [ ] Team approval obtained
  • [ ] Supervisor/lead signed off
  • [ ] Risk assessment: LOW (objects not in use)
  • [ ] Backup: N/A (these are error-created objects)

Step 3: Execute

  • [ ] Set NETBOX_WRITE_TOKEN
  • [ ] Run deletion commands above
  • [ ] Verify 204 or 404 responses
  • [ ] Confirm deletion in NetBox UI
  • [ ] Log execution: timestamp, operator, token (last 4 digits only)

Step 4: Verify Post-Deletion

# Confirm objects deleted
curl -H "Authorization: Token $NETBOX_WRITE_TOKEN" \
  "https://docs.k3gsolutions.com.br/api/dcim/interfaces/18201/"
# Expected: 404 Not Found

curl -H "Authorization: Token $NETBOX_WRITE_TOKEN" \
  "https://docs.k3gsolutions.com.br/api/dcim/interfaces/18202/"
# Expected: 404 Not Found

Why Manual (No Automation)

  • ✓ Safety-first: human review before delete
  • ✓ Reversible: deletion can be undone within NetBox audit trail
  • ✓ Auditability: explicit operator sign-off
  • ✓ Learning: team confirms root cause understanding
  • ✗ NOT: automated script (too risky without approval)
  • ✗ NOT: --confirm-real-delete flag (no automation for deletions)

Post-Deletion Actions

Once approved objects are deleted:

  1. Document Deletion
  2. [ ] Update INCIDENT-FASE-2-3-BATCH-PAYLOAD-MISSING.md with deletion timestamp
  3. [ ] Record operator who executed deletion

  4. [ ] Record exact responses (204/404)

  5. Regenerate Correct Objects

  6. [ ] Use batch-apply-plan-fixed.json (batch_id: 4340469f)
  7. [ ] Execute with fixed scripts and proper device_id=1890

  8. [ ] Verify on correct device

  9. Update Documentation

  10. [ ] Close incident (set status RESOLVED)
  11. [ ] Update CHANGELOG.md

  12. [ ] Update runbooks with validation improvements

  13. Communicate

  14. [ ] Notify team of rollback completion
  15. [ ] Share lessons learned
  16. [ ] Plan follow-up on automation

Timeframe

Phase Timeframe Owner
Review T+0 to T+1h Team
Approval T+1h to T+2h Supervisor
Execution T+2h to T+2:30h Operator
Verification T+2:30h to T+3h Operator + Team
Documentation T+3h onwards Team

Success Criteria

✅ Incident resolved when: - [ ] Objects 18201/18202 deleted from NetBox - [ ] Device 2647 (INFORR-BVA-JCL-RX) no longer has these objects - [ ] Device 1890 (4WNET-MNS-KTG-RX) has correct objects (from fixed batch) - [ ] Dry-run tests pass with fixed validation scripts - [ ] No blocked reasons in batch-apply-plan-fixed.json - [ ] Scripts prevent null payload fields in future batches - [ ] Incident document marked RESOLVED

Status: Ready for approval and execution Owner: [To be assigned] Approver: [To be identified]

Voltar ao painel