cs_firewall: fix idempotence and tests for cloudstack v4.11 (#42458)

lib/ansible/modules/cloud/cloudstack/cs_firewall.py

@@ -249,16 +249,24 @@ class AnsibleCloudStackFirewall(AnsibleCloudStack):
                 args['networkid'] = self.get_network(key='id')
                 if not args['networkid']:
                     self.module.fail_json(msg="missing required argument for type egress: network")
+
+                # CloudStack 4.11 use the network cidr for 0.0.0.0/0 in egress
+                # That is why we need to replace it.
+                network_cidr = self.get_network(key='cidr')
+                egress_cidrs = [network_cidr if cidr == '0.0.0.0/0' else cidr for cidr in cidrs]
+
                 firewall_rules = self.query_api('listEgressFirewallRules', **args)
             else:
                 args['ipaddressid'] = self.get_ip_address('id')
                 if not args['ipaddressid']:
                     self.module.fail_json(msg="missing required argument for type ingress: ip_address")
+                egress_cidrs = None
+
                 firewall_rules = self.query_api('listFirewallRules', **args)
 
             if firewall_rules:
                 for rule in firewall_rules:
-                    type_match = self._type_cidrs_match(rule, cidrs)
+                    type_match = self._type_cidrs_match(rule, cidrs, egress_cidrs)
 
                     protocol_match = (
                         self._tcp_udp_match(rule, protocol, start_port, end_port) or
@@ -294,7 +302,10 @@ class AnsibleCloudStackFirewall(AnsibleCloudStack):
             icmp_type == rule['icmptype']
         )
 
-    def _type_cidrs_match(self, rule, cidrs):
+    def _type_cidrs_match(self, rule, cidrs, egress_cidrs):
+        if egress_cidrs is not None:
+            return ",".join(egress_cidrs) == rule['cidrlist'] or ",".join(cidrs) == rule['cidrlist']
+        else:
             return ",".join(cidrs) == rule['cidrlist']
 
     def create_firewall_rule(self):

test/integration/targets/cs_firewall/tasks/main.yml

@@ -244,8 +244,8 @@
     that:
     - fw is successful
     - fw is changed
-    - fw.cidr == "0.0.0.0/0"
+    - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24"
-    - fw.cidrs == [ '0.0.0.0/0' ]
+    - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ]
     - fw.network == "{{ cs_firewall_network }}"
     - fw.protocol == "all"
     - fw.type == "egress"
@@ -262,7 +262,8 @@
     that:
     - fw is successful
     - fw is not changed
-    - fw.cidr == "0.0.0.0/0"
+    - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24"
+    - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ]
     - fw.network == "{{ cs_firewall_network }}"
     - fw.protocol == "all"
     - fw.type == "egress"
@@ -404,8 +405,8 @@
     that:
     - fw is successful
     - fw is changed
-    - fw.cidr == "0.0.0.0/0"
+    - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24"
-    - fw.cidrs == [ '0.0.0.0/0' ]
+    - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ]
     - fw.network == "{{ cs_firewall_network }}"
     - fw.protocol == "all"
     - fw.type == "egress"
@@ -423,8 +424,8 @@
     that:
     - fw is successful
     - fw is changed
-    - fw.cidr == "0.0.0.0/0"
+    - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24"
-    - fw.cidrs == [ '0.0.0.0/0' ]
+    - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ]
     - fw.network == "{{ cs_firewall_network }}"
     - fw.protocol == "all"
     - fw.type == "egress"