diff --git a/lib/ansible/modules/cloud/cloudstack/cs_firewall.py b/lib/ansible/modules/cloud/cloudstack/cs_firewall.py index 5f02f073393..04841e3c13e 100644 --- a/lib/ansible/modules/cloud/cloudstack/cs_firewall.py +++ b/lib/ansible/modules/cloud/cloudstack/cs_firewall.py @@ -249,16 +249,24 @@ class AnsibleCloudStackFirewall(AnsibleCloudStack): args['networkid'] = self.get_network(key='id') if not args['networkid']: self.module.fail_json(msg="missing required argument for type egress: network") + + # CloudStack 4.11 use the network cidr for 0.0.0.0/0 in egress + # That is why we need to replace it. + network_cidr = self.get_network(key='cidr') + egress_cidrs = [network_cidr if cidr == '0.0.0.0/0' else cidr for cidr in cidrs] + firewall_rules = self.query_api('listEgressFirewallRules', **args) else: args['ipaddressid'] = self.get_ip_address('id') if not args['ipaddressid']: self.module.fail_json(msg="missing required argument for type ingress: ip_address") + egress_cidrs = None + firewall_rules = self.query_api('listFirewallRules', **args) if firewall_rules: for rule in firewall_rules: - type_match = self._type_cidrs_match(rule, cidrs) + type_match = self._type_cidrs_match(rule, cidrs, egress_cidrs) protocol_match = ( self._tcp_udp_match(rule, protocol, start_port, end_port) or @@ -294,8 +302,11 @@ class AnsibleCloudStackFirewall(AnsibleCloudStack): icmp_type == rule['icmptype'] ) - def _type_cidrs_match(self, rule, cidrs): - return ",".join(cidrs) == rule['cidrlist'] + def _type_cidrs_match(self, rule, cidrs, egress_cidrs): + if egress_cidrs is not None: + return ",".join(egress_cidrs) == rule['cidrlist'] or ",".join(cidrs) == rule['cidrlist'] + else: + return ",".join(cidrs) == rule['cidrlist'] def create_firewall_rule(self): firewall_rule = self.get_firewall_rule() diff --git a/test/integration/targets/cs_firewall/tasks/main.yml b/test/integration/targets/cs_firewall/tasks/main.yml index 5b569f22edf..67fe13ff117 100644 --- a/test/integration/targets/cs_firewall/tasks/main.yml +++ b/test/integration/targets/cs_firewall/tasks/main.yml @@ -244,8 +244,8 @@ that: - fw is successful - fw is changed - - fw.cidr == "0.0.0.0/0" - - fw.cidrs == [ '0.0.0.0/0' ] + - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24" + - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ] - fw.network == "{{ cs_firewall_network }}" - fw.protocol == "all" - fw.type == "egress" @@ -262,7 +262,8 @@ that: - fw is successful - fw is not changed - - fw.cidr == "0.0.0.0/0" + - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24" + - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ] - fw.network == "{{ cs_firewall_network }}" - fw.protocol == "all" - fw.type == "egress" @@ -404,8 +405,8 @@ that: - fw is successful - fw is changed - - fw.cidr == "0.0.0.0/0" - - fw.cidrs == [ '0.0.0.0/0' ] + - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24" + - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ] - fw.network == "{{ cs_firewall_network }}" - fw.protocol == "all" - fw.type == "egress" @@ -423,8 +424,8 @@ that: - fw is successful - fw is changed - - fw.cidr == "0.0.0.0/0" - - fw.cidrs == [ '0.0.0.0/0' ] + - fw.cidr == "0.0.0.0/0" or fw.cidr == "10.1.1.0/24" + - fw.cidrs == [ '0.0.0.0/0' ] or fw.cidrs == [ '10.1.1.0/24' ] - fw.network == "{{ cs_firewall_network }}" - fw.protocol == "all" - fw.type == "egress"