When the security groups specified to the os_server module change they
should be updated on the server. This will require shade 1.19 where the
server security group commands were added.
Fixes: #23206
* allow split horizon for route53_zone and refactor
* fix documentation
remove comment
fix version_added
* Remove unused imports
* Only include zone as matching if it has the same privacy setting
* Use `.endswith` instead of indexing into a string
* Update public zone behavior to only create new if there is no matching public zone
* Remove from legacy PEP8 files
* Add ability to use either sec group name or sec group id or combination to ec2_lc. Also fix header size in AWS Guidelines
* Fix ec2 import to only import neccessary packages. Remove pep8 double line
* re-raise exception as expected
The current ThrottlingException handling code hides other actual exceptions from the user, and basically goes infinite loop instead. eg when the api caller doesn't have permission (example below) to use the api, ansible effectively hangs. adding the re-raise stops execution and shows the error to the command line as expected
can test by removing permission to the efs api, and calling the efs: module
The error was: botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the DescribeFileSystems operation: User: <x> is not authorized to perform: elasticfilesystem:DescribeFileSystems on the specified resource
* PEP8 fix
* Remove DryRun parameter in ec2_vpc_igw_facts check_mode
Using DryRun in check mode causes errors, and is not required
(as nothing changes when calling describe_internet_gateways)
Prevents the following error:
```
{"changed": false,
"failed": true,
"msg": "An error occurred (DryRunOperation) when calling
the DescribeInternetGateways operation: Request
would have succeeded, but DryRun flag is set."}
```
* ec2_vpc_igw_facts pep8 tidy up
* . switched from 'user.id' to 'account.id' in REST API calls.
+ added ability to select desired account (by name or identifier) from list of accounts to which authorized user have access.
* + added account option addition version.
* Remove pubnub_blocks from PEP8-legacy list
* [cloud][tests] Create fixtures for using placebo to test boto3-using modules
* Use pytest's importorskip instead of manually skipping on missing deps
* Fix imports in cloudformation module
* Delete unused code
* Add maybe_sleep fixtures to speed up recorded test runs
* Build basic placebo-CFN tests
* Commit placebo recordings of basic stack operations
* Add placebo to test-requires
* Allow unit tests to run regardless of environment by setting a default region
* Use explicit relative import for Python 3 compat
* Use __name__ attribute that works on Python 2 and 3
These were deprecated back in the 1.x timeframe, so have been deprecated
for the 2 cycles required. They also do things wrong and should be
avoided anyway. Go ahead and remove them.
* GCP: backend service module
* GCP: rework param-checking code. Fixed a couple of bugs and changed to ValueError instead of custom tuple.
* GCP: fixed commit, spelled out Google Cloud for clarity in module description.
* add else statement to ensure instids is set
set res_list to None to avoid UnboundLocalError and fix iteration over a nonetype by adding an empty tuple
* make res_list empty tuple by default and check for instids before setting tags (fails otherwise)
* Add examples in os_server module showing userdata
Added an example using Bash and also using Cloud-init. Also, showing using {% raw %} and {% endraw %} to provide a pointer to those hitting similar issues to the ones I had.
* Removed erronious whitespace
Set encrypted to default False, rather than None
Otherwise you get:
```
Invalid type for parameter Encrypted, value: None, type: <type 'NoneType'>, valid types: <type 'bool'>)
```
* Adding first checkin of resource_pool module
* fixing length issues and indentation multipliers
* mend
* mend
* mend
* remove * import from modules
* Add space on variable assignments
* changing line 321 to less characters
* fixing pep8 issues
* mend
* cleaning up example section
* Add RETURN section
* adding spacing to list
* all spacing consistent now
* move imports as per CI
* update integration tests for updated boto exception message
* integration tests fail on both "test credential" test cases
exception bubbles out of module. instead catch and wrap
* ec2_group does not support updating a security group's description
AWS security group descriptions are immutable.
if ec2_group finds a group that matches by name, but the descriptions do not match, the module does not support this case
previously it would check if the group was used, but would not do anything if it was
old behavior was erroneous because it could make a user expect that the description change of a group was fine when in fact it did not occur
also, it made an expensive check against all ec2 instances for no good reason
* comments not doc strings
* else must have pass w/o doc-string statement
* Catch specific BotoServerException, give context around error when fetching SGs
* python3 compatible exception blocks
* add traceback to fail_json
* two blank lines before first function
purge_subnets|routes were introduced recently.
ensure_subnet_associations now takes purge_subnets as a parameter. A
call to this function was missed when introducing this feature. With
out, results in a "got 5 expected 6" error.
Allows to health-check two services on one host. Before, asking for 2 health checks being present for `http://myhost:8888` and `http://myhost:9999` resulted in just a single health check, as this module considered the two specs as equal.
Bonus: route53_health_check now passes style guidelines
* Fix get_s3_connection (fixes#22317)
Override aws_connect_kwargs rather than prepending to them. Should fix an issue in which `calling_format` is set twice in the kwargs passed to `boto.connect_s3` or `S3Connection` if a bucket name contains a `.`
* Revert "Fix get_s3_connection (fixes#22317)"
This reverts commit 7f61b8bebd2929940495204f1a98d660a55985d8.
* implements alternative way of fixing issue with aws_connect_kwargs for rgw and fakes3 (fixes 22317)
* add comment to explain why the keys are being removed from aws_connect_kwargs
* remove trailing whitespace on comment line
* don't modify an eni without eni_id
fix pep8
remove ec2_eni from pep8 legacy files
remove a couple unused variables in main()
fix the documentation
* fix yaml
Due to how the result-dictionary is being used, in some codepaths it would have an empty dictionary.
This then is problematic if the code expects the 'changed' key later on.
I also improved the docs a bit, by clearly marking the parameter names and URL in the documentation.
* making ec2 pep8
* remove ec2 from pep8 legacy files
* missed a couple
* fix imports and remove iteritems
* making group_id and group_name mutually exclusive and fixing whitespace
Changes to the metadata format were approved here:
https://github.com/ansible/proposals/issues/54
* Update documentation to the new metadata format
* Changes to metadata-tool to account for new metadata
* Add GPL license header
* Add upgrade subcommand to upgrade metadata version
* Change default metadata to the new format
* Fix exclusion of non-modules from the metadata report
* Fix ansible-doc for new module metadata
* Exclude metadata version from ansible-doc output
* Fix website docs generation for the new metadata
* Update metadata schema in valiate-modules test
* Update the metadata in all modules to the new version
Currently the documentation utilizes with_subelements, but it does not parse the results correctly. By changing to with_items: and specifying the proper list, we are able to tag the instances as expected.
Unclear how useful it is to still be catching BotoServerError exceptions
generally, especially when we are now hopefully handling most instances
of throttling, but kept it as it was already in the code. Moved to main
as catching BotoServerErrors inside individual functions will bypass any
AWSRetry.backoff decorator.
Move additional imports to top.
Use python2.6 formatting
A bit of cleanup on imports
Make one more string interpolation Python 2.6 compatible.
* Fix connection_draining idempotency in ec2_elb_lb
Ensure connection_draining types are equivalent when comparing
whether or not connection_draining is being changed.
This means that running `ec2_elb_lb` with connection_draining
set a second time will now report `changed=False`
* ec2_elb_lb: fixed latest Ansible standards compliance
Update to current pep8 standards, fix module imports
and remove module from exclusion file
This is basically a replay of #16064 from `gce.py` to other pertinent
`gce_*.py` files. It enables expansions of paths in `gce.ini` like
`~/.project.json`
* fix module doc fields
* More module docs corrections
* More module docs corrections
* More module docs corrections
* More module docs corrections
* correct aliases
* Review comments
* Must quote ':'
* More authors
* Use suboptions:
* restore type: bool
* type should be in the same place
* More tidyups
* authors
* Use suboptions
* revert
* remove duplicate author
* More issues post rebase
* description is only required when group state is present
also note that AWS requires a non-empty description when creating a security group
* clarify description requirement
* virt.py: autostart VM attribute
autostart is now an idempotent VM attribute instead of a non idempotent forced autostart attribute set to True
* Make shippable happy
* Missing version added
* Fix some points
* Autostart default is now None
* Ident fix
1. Check less aggressively for resources that take a long time to return
(some resources can take an hour or more).
2. Handle throttling when checking for resources, and back off quickly
when it occurs.
* Add user_data_path parameter to ec2_lc module
* Improve user_data_path parameter documentation
- Specify mutual exclusivity
- Specify `version_added`
- Change module parameter type to `path`
* Use correct comparison for user_data result
* Include traceback on error and use with block
* Only hide user data if provided in file
ensure_tags fails if `tags` is None rather than an empty
dict. Ensure that not passing `tags` parameter is equivalent
to passing an empty dict.
Fixes#21778
If the host .bashrc holds a var named HOSTNAME, the container
where the lxc_container module will attach to will inherit from
this var, potentially breaking some applications (like rabbitmqctl)
due to an incorrect $HOSTNAME reported in the container.
* Add flag to Docker pull_image to know when the image is already latest
Whenever the flag pull is set to 'yes' the resource is always defined
as 'changed'. That is not true in case the image is already at the
latest version.
Related to ansible/ansible#19549
* Docker pull_image does not change status if the image is latest
* add gce_template.py
gce template manage GCE Instance Templates in Google Cloud Plateform.
* change gce_template on style/formating
Apply change on style/formating from reviewer request.
* change gce_template on style/formating again.
* Rename gce_template.py to gce_instance_template.py
* update gce_instance_template.py to pass CI
Oops :)
ERROR: Import found before documentation variables.
All imports must appear below DOCUMENTATION/EXAMPLES/RETURN/ANSIBLE_METADATA.
* Update gce_instance_template.py
change documentation replace gce_template by gce_instance_template
* Update gce_instance_template.py
Sorry for the typography fault. The day begins badly.
* Update gce_instance_template.py
apply text change
s/Compte/Compute/
s/Plateform/Platform/
s/forword/forward/
change documentation for subnetwork, subnetwork is name.
add mutually_exclusive in AnsibleModule arguments.
change disk_type as an option type.
* Update gce_instance_template.py
change the documentation.
* Update gce_instance_template.py
RETURN is required for all new modules. Is empty because no new return variable returned.
* Update gce_instance_template.py
Ansible will verify that only present/absent are passed as the state. This else is not needed.
* [GCE] Google Cloud Spanner module
Supports the creation/updating/deletion of Spanner instances and create/drop databases.
* [GCE] On update, node count will not be reset to one if not specified.
* [GCE] fixed some imports.
* [GCE] rename display_name to instance_display_name
* [GCE] Recreate instance in order to have desired values at create time.
* Fix linter error on imports
* [GCE] Added force_instance_delete option to ensure an instance is not removed by mistake.
* [GCE] Google Cloud Spanner module
Supports the creation/updating/deletion of Spanner instances and create/drop databases.
* [GCE] On update, node count will not be reset to one if not specified.
* [GCE] rename display_name to instance_display_name
* Fix linter error on imports
* fixed doc bug
* Remove imports mistakenly brought in during merge
Fixes ansible#21796 Prevent users from deleting buckets rather than objects by making object parameter and mode=delobj mutually exclusive in task.
https://github.com/ansible/ansible/issues/21796
* Add quota for the number of floating IP's to allow in Network.
* Add nova_floating_ips and neutron_floating_ips aliases to avoid confusion.
* rename aliases to compute_floating_ips and network_floating_ips.
The list_elbs call to boto doesn't use any pagination, so any time there
are more ELBs than the API page size, this module will fail. This change
uses the `next_token` attribute of `ResultSet` to check if there are
still more ELBs to return.
Fixes#21361
* Make more use of AWS Exception information
* Use pythonic dict assignments
* Improve documentation formatting to make option names clearer
in descriptions
* Meet ansible line length requirements
* Tidy up flake8 messages
* Update metadata on existing openstack instances
This adds or updates existing keys, but doesn't remove them
Fixes#5500
* Set meta to {} if None
* Move common metadata parsing into a method
Set the `force` flag to false to:
- protect existing Keys from being overwritten
- check if a Key was already existing by evaluating
the returned `changed` status
CentOS's cloud image wiki page (wiki.centos.org/Cloud/AWS) gives an
example of using their product code to search for AMIs. This commit
adds an optional parameter to ec2_ami_find to allow this filtering.
* Move availability_zone docs to each OpenStack module
This argument is in the central list for hysterical raisins (mostly me
being a doofus) but is used in almost none of them. Document it
explicitly in each module to stop the confusion.
* Fix two docs formatting bugs
If versioning is not enabled, then `get_bucket_versioning`
can return an empty dict.
If that happens, the code to enable versioning should still
run!
The logic for suspending versioning was also incorrect, so
have updated that too.
Fixes#20491
Introduces `ignore_nonexistent_bucket` option that does not require ListBuckets permission, so less permissioned IAM roles can still be used with this module.
Fixes#20501
* resolve#21056 - Add support for full cloning. Fix some issues. Update doc
* Fix condition and update doc. Fixes#28585
* Using built-in helper for argspec, revert ansible metadata, add more control and remove type in documentation
* PEP8 style compliance
Don't try to create tags on a vpc that you've just removed.
Avoids
```
"msg": "An error occurred (InvalidParameterValue) when calling the CreateTags operation: You must specify one or more tags to create"
```
Although not quite sure why the `create_tags` was being called
as `module.params.get('tags')` *should* have returned `None`.
* Added PubNub BLOCKS management module.
* . increased block start/stop wait to 30 seconds
* . fixed multi-line documentation
* . fixed YAML formatting in documentation section
* . removed multi-line commits
. fixed YAML format in description section
* . updated test script to upload event handler sources if non-local connection used for tests
. changed module configuration parameter from 'block' to 'name' (represent target block name)
. updated module docs regarding 'chanes' configuration parameter. Only block 'name' can be changed using this parameter ('description' can be changed directly in module call configuration)
. changed module configuration parameter from 'pwd' tp 'password'
. migrated 'urlencode' import from try..catch to six module imported from Ansible module utils
. removed custom method which is used to verify whether value is empty
* ^ fixed value for key-path function usage with names of application/keyset/block and handlers.
. reduced unnecessary requests (better pre-procesing of previous results)
. event handler name change won't trigger block restart
* ^ fixed too long documentation lines
* . moved PubNub BLOCKS client code into separate package under PyPi
. updated module code to utilize new package
. changed block start stop state to: started and started
* . small changes in documentation format
* Adding an elasticache snapshot module.
Allows user to create, copy, or delete a snapshot.
* Removing unnecessary function
* Make indentation uniform.
* Making requested changes.
Fixing PEP8
Adding a more graceful fail for delete() if the snapshot's state valid (such as when it is in the process of being created).
* PEP8
* Fixing some formatting
move imports
fix parameter alignment
* move imports to the top of the file below documentation
This patch enhances waiting operation of stateless VM to be down.
Because stateless VM creates a snapshot and removes it after the
VM is shutdown, we must wait until the VM is really prepared to
start again.
Replaces the usage of expanduser with the type 'path' for the
dest and object options as that functionality is available
in that type automatically.
patch related to #12263
* initial commit of cloudfront_facts.py
* modification as per review from @georgepsarakis
* fixed shippable build error
* fixed shippable build error
* removed wildcard imports and replaced with specific imports from ansible.module_utils.ec2 as advised by @georgepsarakis
* renamed all instances of cloud_front_origin_access_identity to origin_access_identity as advised by @georgepsarakis
* show facts based on alias and distribution id for easy referencing as advised by @ryansb. have done for both distribution and distribution_config
* fixed incorrect logic for default list_distributions, fixed list_distributions_by_web_acl - wasn't passing web_acl_id, fixed list_invalidations keyword args missing DistributionId
* fixed last fact added clobbering all previous facts for an alias or an id
* removed list_ prefix from list keys
* removed unnecessary boto fields. made list_distributions and list_streaming_distributions dictionaries with id/alias as key. fixed list_invalidations.
* initial commit of cloudfront_facts summary
* checks for empty list returned from boto, standardised list naming
* neatened up parameters
* added summary documentation
* refactoring of functions for modularity
* refactoring, neatening code, fix for if cname not present, added try-catch blocks
* more refactoring, cleaning
* more cleaning, allowed streaming distributions to be found by domain name alias
* removed unnecessary line
* fixed tabs
* fixed indentation
* removed trailing whitespace
* removed more whitespace
* more refactoring, modified where invalidations dict is set
* added ETag to summary
* refactored summary list
* moved list out of for loop
* trailing white space
* reverted line lengthening as advised by @willthames
* modified exceptions to multi line as advised by @willthames
* reverted variable spacing to be more pythonic'
* reverted spacing in YAML as advised by @ryansb
* reverted line spacing for parameters for correct blame attribution as advised by @ryansb
* removed white space
* more white space
* reverted line spacings for parameters as advised by @ryansb
* removed spaces between parameters as advised by @ryansb
* Avoid having module documentation links to itself
A lot of modules use M(own_module) in their documentation causing a link
in the documentation to itself.
* Make note more clear now
* Removing cmp to be compatible with Python3
* fix syntax
* Added an overlooked return
* Fixing making things overly complicated
* Simplifying since tags will always be hashable. Don't need to use cmp at all.
* Adding environment variable support for lambda.py in response to feature idea #20479.
Plus a 1-character bug fix.
* fix yaml syntax
* Fixing option name, adding alias, and fixing a line to allow the user to delete environment variables by setting an empty dict.
* Refactor dimensiondata_network to use shared base class for common functionality.
* Experiment: remove the assignments in the "except ImportError:" block that keep PyCharm happy. If this fixes the build, then I reckon there's a bug in the validate-modules script (https://github.com/ansible/ansible/blob/devel/test/sanity/validate-modules/validate-modules#L322).
* Remove unused imports.
* Changes based on feedback from @gundalow for ansible/ansible#21043.
- Use no_log=True for mcp_password parameter.
- Collapse module parameter definitions.
* Use shared definitions and doc fragments for common module arguments (ansible/ansible#21043).
* Make default network plan "ESSENTIALS", rather than "ADVANCED" (this is consistent with our other tooling).
Tidy up module parameter documentation.
* Simplify dimensiondata module documentation fragments (didn't know you could include multiple fragments).
* Change 'verify_ssl_cert' module parameter to 'validate_certs'.
* fix#19487
* add 'version_added'
* Check for version compatibility, Ignore keys if incompatible
* add comment about version support
* remove 'type' as requested
* fix merge error
* cloudstack: cs_portforward: implement vpc support
* cloudstack: cs_portforward: add vpc and network to returns
* cloudstack: cs_portforward: networkid must not be used for rule listing
* cloudstack: fail for get_network when vpc but no network name
This seem to be a global pattern for get_network, we want to enforce a
network name to be set if a vpn param is given.
This is used for cs_portforward.
* cloudstack: cs_portforward: doc: fix defaults for vpc, network
* Move gather_facts action outside of vmware_guest module
* Move facts gathering method to vmware.py library
* vmware_guest use some vmware.py library methods
* vmware.py lib: fix some PEP 8 issues
* Move snapshot actions to vmware_guest_snapshot
* Move common snapshot facts to vmware.py library
* cloud: ovirt: add snapshots module
* Move imports in ovirt_snapshots module to match style & pass CI
* Move ovirt_snapshot_facts imports to comply w/ CI
* Update validate-modules
* Validates ANSIBLE_METADATA
* Ensures imports happen after documentation vars
* Some pep8 cleanup
* Clean up some left over unneeded code
* Update modules for new module guidelines and validate-modules checks
* Update imports for ec2_vpc_route_table and ec2_vpc_nat_gateway
* cloud: ovirt: add function to get id by name
* cloud: ovirt: add instance type parameter
* cloud: ovirt: use param method instead of module.params
* cloud: ovirt: use 'and' at begging of next line
* cloud: ovirt: add description parameter to vms module
* cloud: ovirt: add comment parameter to vms module
* cloud: ovirt: add timezone parameter to vms module
* cloud: ovirt: add serial_policy parameter to vms module
Boolean options that default as `None` but are set to `False` by the user were ignored on update. This change checks to distinguish None & False so that options like multi_az can be turned off during an update.
* Modifying how optional parameters are handled in rds.py. Fixes#20370
Allowing options to be set to false/no. Previously ignored unless set to true/yes.
Added a conditional for invalid parameters since the default is false instead of null for some options (e.g. force_failover, apply_immediately, upgrade).
* Making requested revision.
* Disassociate subnets from route tables before deletion
If a route table still has subnets associated with it, it will fail
to delete:
```
"msg": "The routeTable 'rtb-abcd1234' has dependencies and cannot be deleted."
```
Avoid this by disassociating subnets before route table deletion
* Fix ec2_vpc_route_table flake8 complaints
* Check if EIP exists before deleting it
After deleting the NAT gateway, the EIP sometimes seems to
cease to exist afterwards. Check if it exists before deleting it.
Otherwise you get:
```
Failed to release EIP eipalloc-abdc1234: An error occurred (InvalidAllocationID.NotFound) \
when calling the ReleaseAddress operation: The allocation ID 'eipalloc-abcd1234' does not \
exist", "success": false}
```
* Fix flake8 errors with ec2_vpc_nat_gateway
* [GCE] External IP Address Module.
This module allows users to create and delete External IP Addresses. Both Regional and Global Addresses are supported.
* Removed whitespace causing pep8 issue
* added ec2_vpc_igw_facts module
* added cr at end of file
* corrected import json in wrong location
* corrected version added
* added snake_case conversion
* updated documentation and fixed for python 3'
* ec2_vpc_igw_facts: simplify logic
Make module arguments more 'Ansiblish'
Remove unnecessary intermediate variables in results generation
Use `ansible_dict_to_boto3_filter_list` rather than duplicating logic
Use `check_mode` rather than pass a `dryrun` argument
Update for flake8 improvements
* updated documentation
Update exception handling, remove use of iteritems
Update for better flake8 compliance
Use ansible_dict_to_boto3_filter_list rather than
duplicating its implementation
Prescribing types is not necessary as the underlying shade library
does not do so, and the Neutron API will inform us if a disallowed
or non existent type is used.
Fixes#20830
* Add support for additional properties when creating new VMs.
All vmadm(1M) options except those specific to SDC(-docker)
are now supported.
* Mark password options as no_log
Change-Id: I9dfd80e7ba5ecfc8f45ecfbe9ec098e66647e9a4
* Added support for a gce_snapshot module for managing snapshots in the Google Cloud Platform
* Fixed using sys.exit in favor of fail_json. Followed the pattern in gce_pd
* Fixed using sys.exit in favor of fail_json. Followed the pattern in gce_pd
* Fixed an issue when dealing with multiple disks. Added a bit more documentation explaining the disks argument
* Corrected a typo in the multi-disk snapshot example
* Updated module to return list of changed snapshots instead of just a message. Added a RETURN block
* Fixed issue in gce_net with firewall rules that have protocols that do not have ports.
* Fixed elif in gce_net to include check of the ports variable.
* Google Cloud Pubsub Module
The Google Cloud Pubsub module allows the Ansible user to:
* Create/Delete Topics
* Create/Delete Subscriptions
* Change subscription from pull to push (and configure endpoint)
* Publish messages to a topic
* Pull messages from a Subscription
An accessory module, gcpubsub_facts, has been added to list topics and subscriptions.
* Added docs for state field to DOCUMENTATION and RETURN blocks.
After merging the latest update, these were the few remaining
differences with upstream.
(Plus the previous proposed fast match based on unique VM name which is
not longer needed)
- get rid of changed, rc, stderr, stdout juggling
- use get_bin_path() to get 'imgadm' path
- move actual implementation to Imgadm class
- fix 'changed' for imported images
Without this patch, the os_keystone_domain module is not idempotent if
the description is empty because the description parameter is None in
ansible, but the keystone client returns an empty unicode string.
Following the example of other OpenStack modules, this patch fixes the
issue by checking whether the module parameter is None before going on
to check its value.
* update instance image with Debian 8 Jessie
* debian-7 is marked as "DEPRECATED" in Google Compute Engine Images
* as a result, by default use `debian-8` Jessie
Resolves:
Related:
Signed-off-by: Daniel Andrei Minca <danielandrei.minca@gameloft.com>
* update docs regarding latest stable default image
* after speaking with @gundalow, we decided it's better for the users to
know that the default image will follow latest stable debian by GCE
Resolves: #20558
Related:
Signed-off-by: Daniel Andrei Minca <danielandrei.minca@gameloft.com>
self.instance may be overwritten before the user data comparsion which result in a false positive changed state.
With this commit, we make sure we have the userdata when we need to.
* new AWS module for ec2 VPC vgw facts
* fixed documentation as suggested by reviewers
* changed iteritems to items for py 3
* improvements to bring in line with #19787
* corrected documentation
* updated doco and exception path
The same ssh key may be registered with different names. Before we only looked at the names and marked as changed when names differ. However internally cloudstack seems to ignore the change, if the fingerprints are identical.
As a result we also have to compare the fingerprints and only mark the keys as changed if the fingerprints differ.
