From 0e6628395ae827953abf2d5cdeaa1162ebb8527b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Moser?=
Date: Sun, 8 Jul 2018 00:51:46 +0200
Subject: [PATCH] cs_firewall: fix idempotence and tests for cloudstack v4.11 (#42458)
---
 .../modules/cloud/cloudstack/cs_firewall.py | 17 ++++++++++++++---
 .../targets/cs_firewall/tasks/main.yml | 15 ++++++++-------
 2 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/lib/ansible/modules/cloud/cloudstack/cs_firewall.py b/lib/ansible/modules/cloud/cloudstack/cs_firewall.py
index 5f02f07339..04841e3c13 100644
--- a/lib/ansible/modules/cloud/cloudstack/cs_firewall.py
+++ b/lib/ansible/modules/cloud/cloudstack/cs_firewall.py
@@ -249,16 +249,24 @@ class AnsibleCloudStackFirewall(AnsibleCloudStack):
             args['networkid'] = self.get_network(key='id')
             if not args['networkid']:
                 self.module.fail_json(msg="missing required argument for type egress: network")
+
+            # CloudStack 4.11 use the network cidr for 0.0.0.0/0 in egress
+            # That is why we need to replace it.
+            network_cidr = self.get_network(key='cidr')
+            egress_cidrs = [network_cidr if cidr == '0.0.0.0/0' else cidr for cidr in cidrs]
+
             firewall_rules = self.query_api('listEgressFirewallRules', **args)
         else:
             args['ipaddressid'] = self.get_ip_address('id')
             if not args['ipaddressid']:
                 self.module.fail_json(msg="missing required argument for type ingress: ip_address")
+            egress_cidrs = None
+
             firewall_rules = self.query_api('listFirewallRules', **args)
 
         if firewall_rules:
             for rule in firewall_rules:
-                type_match = self._type_cidrs_match(rule, cidrs)
+                type_match = self._type_cidrs_match(rule, cidrs, egress_cidrs)
                 protocol_match = (
                     self._tcp_udp_match(rule, protocol, start_port, end_port) or
@@ -294,8 +302,11 @@ class AnsibleCloudStackFirewall(AnsibleCloudStack):
                 icmp_type == rule['icmptype']
             )
 
-    def _type_cidrs_match(self, rule, cidrs):
-        return ",".join(cidrs) == rule['cidrlist']
+    def _type_cidrs_match(self, rule, cidrs, egress_cidrs):
+        if egress_cidrs is not None:
+            return ",".join(egress_cidrs) == rule['cidrlist'] or ",".join(cidrs) == rule['cidrlist']
+        else:
+            return ",".join(cidrs) == rule['cidrlist']
 
     def create_firewall_rule(self):
         firewall_rule = self.get_firewall_rule()
diff --git a/test/integration/targets/cs_firewall/tasks/main.yml b/test/integration/targets/cs_firewall/tasks/main.yml
index 5b569f22ed..67fe13ff11 100644
--- a/test/integration/targets/cs_firewall/tasks/main.yml
+++ b/test/integration/targets/cs_firewall/tasks/main.yml
@@ -244,8 +244,8 @@
     that:
     - fw is successful
     - fw is changed
-    - fw.cidr == "0.0.0.0/0"
-    - fw.cidrs == [ '0.0.0.0/0' ]
+    - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24"
+    - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ]
     - fw.network == "{{ cs_firewall_network }}"
     - fw.protocol == "all"
     - fw.type == "egress"
@@ -262,7 +262,8 @@
     that:
     - fw is successful
     - fw is not changed
-    - fw.cidr == "0.0.0.0/0"
+    - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24"
+    - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ]
     - fw.network == "{{ cs_firewall_network }}"
     - fw.protocol == "all"
     - fw.type == "egress"
@@ -404,8 +405,8 @@
     that:
     - fw is successful
     - fw is changed
-    - fw.cidr == "0.0.0.0/0"
-    - fw.cidrs == [ '0.0.0.0/0' ]
+    - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24"
+    - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ]
     - fw.network == "{{ cs_firewall_network }}"
     - fw.protocol == "all"
     - fw.type == "egress"
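Review bot: `",".join(egress_cidrs)` raises TypeError if the list holds a None, which is what the egress branch of `get_firewall_rule` in the previous hunk produces when `self.get_network(key='cidr')` returns nothing, and nothing visible guarantees a cidr for every network. A one-line guard would fall back to the pre-4.11 comparison instead, `if egress_cidrs is not None and None not in egress_cidrs:`, and the `else:` after a `return` is redundant, so the method could end with the plain `return ",".join(cidrs) == rule['cidrlist']`. The new parameter has no default, so any other caller of `_type_cidrs_match` outside this diff has to be updated as well, which I cannot check from the hunk. A short docstring would help the next reader: `"""Return True when the rule's cidrlist equals the requested cidrs or, for egress, the 4.11 form with 0.0.0.0/0 replaced by the network cidr."""`.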
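Review bot: The loosened assertions on `fw.cidr` and `fw.cidrs` accept either `0.0.0.0/0` or the hard-coded `10.1.1.0/24` on every CloudStack version, so the check no longer pins which value a given version must return and a rule created with the wrong cidr would still pass; the same pattern is repeated in the hunks at 262, 404 and 423. Comparing against the test network's actual cidr, looked up earlier in the play, would keep the assertion exact; if the version-dependent answer is intentional, a comment such as `# CloudStack 4.11 reports the network cidr for 0.0.0.0/0 egress rules` next to the first assertion would document why both values are accepted.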
@@ -423,8 +424,8 @@
     that:
     - fw is successful
     - fw is changed
-    - fw.cidr == "0.0.0.0/0"
-    - fw.cidrs == [ '0.0.0.0/0' ]
+    - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24"
+    - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ]
     - fw.network == "{{ cs_firewall_network }}"
     - fw.protocol == "all"
     - fw.type == "egress"