cs_firewall: fix idempotence and tests for cloudstack v4.11 (#42458)

6 years ago · 0e6628395a
parent 07adeff665
commit 0e6628395a
2 changed files with 22 additions and 10 deletions
--- a/lib/ansible/modules/cloud/cloudstack/cs_firewall.py
+++ b/lib/ansible/modules/cloud/cloudstack/cs_firewall.py
@ -249,16 +249,24 @@ class AnsibleCloudStackFirewall(AnsibleCloudStack):
                args['networkid'] = self.get_network(key='id')
                if not args['networkid']:
                    self.module.fail_json(msg="missing required argument for type egress: network")
+
+                # CloudStack 4.11 use the network cidr for 0.0.0.0/0 in egress
+                # That is why we need to replace it.
+                network_cidr = self.get_network(key='cidr')
+                egress_cidrs = [network_cidr if cidr == '0.0.0.0/0' else cidr for cidr in cidrs]
+
                firewall_rules = self.query_api('listEgressFirewallRules', **args)
            else:
                args['ipaddressid'] = self.get_ip_address('id')
                if not args['ipaddressid']:
                    self.module.fail_json(msg="missing required argument for type ingress: ip_address")
+                egress_cidrs = None
+
                firewall_rules = self.query_api('listFirewallRules', **args)

            if firewall_rules:
                for rule in firewall_rules:
-                    type_match = self._type_cidrs_match(rule, cidrs)
+                    type_match = self._type_cidrs_match(rule, cidrs, egress_cidrs)

                    protocol_match = (
                        self._tcp_udp_match(rule, protocol, start_port, end_port) or
@ -294,8 +302,11 @@ class AnsibleCloudStackFirewall(AnsibleCloudStack):
            icmp_type == rule['icmptype']
        )

-    def _type_cidrs_match(self, rule, cidrs):
-        return ",".join(cidrs) == rule['cidrlist']
+    def _type_cidrs_match(self, rule, cidrs, egress_cidrs):
+        if egress_cidrs is not None:
+            return ",".join(egress_cidrs) == rule['cidrlist'] or ",".join(cidrs) == rule['cidrlist']
+        else:
+            return ",".join(cidrs) == rule['cidrlist']

    def create_firewall_rule(self):
        firewall_rule = self.get_firewall_rule()
--- a/test/integration/targets/cs_firewall/tasks/main.yml
+++ b/test/integration/targets/cs_firewall/tasks/main.yml
@ -244,8 +244,8 @@
    that:
    - fw is successful
    - fw is changed
-    - fw.cidr == "0.0.0.0/0"
-    - fw.cidrs == [ '0.0.0.0/0' ]
+    - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24"
+    - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ]
    - fw.network == "{{ cs_firewall_network }}"
    - fw.protocol == "all"
    - fw.type == "egress"
@ -262,7 +262,8 @@
    that:
    - fw is successful
    - fw is not changed
-    - fw.cidr == "0.0.0.0/0"
+    - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24"
+    - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ]
    - fw.network == "{{ cs_firewall_network }}"
    - fw.protocol == "all"
    - fw.type == "egress"
@ -404,8 +405,8 @@
    that:
    - fw is successful
    - fw is changed
-    - fw.cidr == "0.0.0.0/0"
-    - fw.cidrs == [ '0.0.0.0/0' ]
+    - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24"
+    - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ]
    - fw.network == "{{ cs_firewall_network }}"
    - fw.protocol == "all"
    - fw.type == "egress"
@ -423,8 +424,8 @@
    that:
    - fw is successful
    - fw is changed
-    - fw.cidr == "0.0.0.0/0"
-    - fw.cidrs == [ '0.0.0.0/0' ]
+    - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24"
+    - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ]
    - fw.network == "{{ cs_firewall_network }}"
    - fw.protocol == "all"
    - fw.type == "egress"