proxmox_kvm - new param to support unsafe updates (#7843)

* proxmox_kvm - new param to support unsafe updates

* changelog fragments

* Apply suggestions from code review

Co-authored-by: Felix Fontein <felix@fontein.de>

* improved docs

* updated `version_added`

---------

Co-authored-by: Felix Fontein <felix@fontein.de>

changelogs/fragments/7843-proxmox_kvm-update_unsafe.yml

@@ -0,0 +1,2 @@
+minor_changes:
+  - proxmox_kvm - add parameter ``update_unsafe`` to avoid limitations when updating dangerous values (https://github.com/ansible-collections/community.general/pull/7843).

plugins/modules/proxmox_kvm.py

@@ -522,9 +522,17 @@ options:
       - If V(true), the VM will be updated with new value.
       - Because of the operations of the API and security reasons, I have disabled the update of the following parameters
         O(net), O(virtio), O(ide), O(sata), O(scsi). Per example updating O(net) update the MAC address and C(virtio) create always new disk...
+        This security feature can be disabled by setting the O(update_unsafe) to V(true).
       - Update of O(pool) is disabled. It needs an additional API endpoint not covered by this module.
     type: bool
     default: false
+  update_unsafe:
+    description:
+      - If V(true), do not enforce limitations on parameters O(net), O(virtio), O(ide), O(sata), O(scsi), O(efidisk0), and O(tpmstate0).
+        Use this option with caution because an improper configuration might result in a permanent loss of data (e.g. disk recreated).
+    type: bool
+    default: false
+    version_added: 8.4.0
   vcpus:
     description:
       - Sets number of hotplugged vcpus.
@@ -846,6 +854,20 @@ EXAMPLES = '''
     memory: 16384
     update: true
 
+- name: Update VM configuration (incl. unsafe options)
+  community.general.proxmox_kvm:
+    api_user: root@pam
+    api_password: secret
+    api_host: helldorado
+    name: spynal
+    node: sabrewulf
+    cores: 8
+    memory: 16384
+    net:
+        net0: virtio,bridge=vmbr1
+    update: true
+    update_unsafe: true
+
 - name: Delete QEMU parameters
   community.general.proxmox_kvm:
     api_user: root@pam
@@ -981,7 +1003,7 @@ class ProxmoxKvmAnsible(ProxmoxAnsible):
             time.sleep(1)
         return False
 
-    def create_vm(self, vmid, newid, node, name, memory, cpu, cores, sockets, update, **kwargs):
+    def create_vm(self, vmid, newid, node, name, memory, cpu, cores, sockets, update, update_unsafe, **kwargs):
         # Available only in PVE 4
         only_v4 = ['force', 'protection', 'skiplock']
         only_v6 = ['ciuser', 'cipassword', 'sshkeys', 'ipconfig', 'tags']
@@ -1018,23 +1040,24 @@ class ProxmoxKvmAnsible(ProxmoxAnsible):
             urlencoded_ssh_keys = quote(kwargs['sshkeys'], safe='')
             kwargs['sshkeys'] = str(urlencoded_ssh_keys)
 
-        # If update, don't update disk (virtio, efidisk0, tpmstate0, ide, sata, scsi) and network interface
+        # If update, don't update disk (virtio, efidisk0, tpmstate0, ide, sata, scsi) and network interface, unless update_unsafe=True
         # pool parameter not supported by qemu/<vmid>/config endpoint on "update" (PVE 6.2) - only with "create"
         if update:
-            if 'virtio' in kwargs:
+            if update_unsafe is False:
-                del kwargs['virtio']
+                if 'virtio' in kwargs:
-            if 'sata' in kwargs:
+                    del kwargs['virtio']
-                del kwargs['sata']
+                if 'sata' in kwargs:
-            if 'scsi' in kwargs:
+                    del kwargs['sata']
-                del kwargs['scsi']
+                if 'scsi' in kwargs:
-            if 'ide' in kwargs:
+                    del kwargs['scsi']
-                del kwargs['ide']
+                if 'ide' in kwargs:
-            if 'efidisk0' in kwargs:
+                    del kwargs['ide']
-                del kwargs['efidisk0']
+                if 'efidisk0' in kwargs:
-            if 'tpmstate0' in kwargs:
+                    del kwargs['efidisk0']
-                del kwargs['tpmstate0']
+                if 'tpmstate0' in kwargs:
-            if 'net' in kwargs:
+                    del kwargs['tpmstate0']
-                del kwargs['net']
+                if 'net' in kwargs:
+                    del kwargs['net']
             if 'force' in kwargs:
                 del kwargs['force']
             if 'pool' in kwargs:
@@ -1286,6 +1309,7 @@ def main():
                            version=dict(type='str', choices=['2.0', '1.2'], default='2.0')
                        )),
         update=dict(type='bool', default=False),
+        update_unsafe=dict(type='bool', default=False),
         vcpus=dict(type='int'),
         vga=dict(choices=['std', 'cirrus', 'vmware', 'qxl', 'serial0', 'serial1', 'serial2', 'serial3', 'qxl2', 'qxl3', 'qxl4']),
         virtio=dict(type='dict'),
@@ -1320,6 +1344,7 @@ def main():
     sockets = module.params['sockets']
     state = module.params['state']
     update = bool(module.params['update'])
+    update_unsafe = bool(module.params['update_unsafe'])
     vmid = module.params['vmid']
     validate_certs = module.params['validate_certs']
 
@@ -1429,7 +1454,7 @@ def main():
             module.fail_json(msg="node '%s' does not exist in cluster" % node)
 
         try:
-            proxmox.create_vm(vmid, newid, node, name, memory, cpu, cores, sockets, update,
+            proxmox.create_vm(vmid, newid, node, name, memory, cpu, cores, sockets, update, update_unsafe,
                               archive=module.params['archive'],
                               acpi=module.params['acpi'],
                               agent=module.params['agent'],