Fix ec2_group for numbered protocols (GRE) (#42765)

* Fix spurious `changed=True` when int is passed as tag * Fix for all AWS module using compare_aws_tags * Handle improperly stringified protocols and allow inconsistency between None/-1 on non-tcp protocols * Add integration test that reproduces the same bug * Return false if the comparsison is not equal (cherry picked from commit 20f21779d3)
6 years ago · f0eebf9187
parent 66759810a0
commit f0eebf9187
4 changed files with 101 additions and 5 deletions
--- a/lib/ansible/module_utils/ec2.py
+++ b/lib/ansible/module_utils/ec2.py
@ -714,7 +714,7 @@ def compare_aws_tags(current_tags_dict, new_tags_dict, purge_tags=True):
            tag_keys_to_unset.append(key)
    for key in set(new_tags_dict.keys()) - set(tag_keys_to_unset):
-        if new_tags_dict[key] != current_tags_dict.get(key):
+        if to_text(new_tags_dict[key]) != current_tags_dict.get(key):
            tag_key_value_pairs_to_set[key] = new_tags_dict[key]
    return tag_key_value_pairs_to_set, tag_keys_to_unset
--- a/lib/ansible/modules/cloud/amazon/ec2_group.py
+++ b/lib/ansible/modules/cloud/amazon/ec2_group.py
@ -292,6 +292,7 @@ owner_id:
 import json
 import re
 import itertools
 from time import sleep
 from collections import namedtuple
 from ansible.module_utils.aws.core import AnsibleAWSModule, is_boto3_error_code
@ -317,7 +318,13 @@ current_account_id = None
 def rule_cmp(a, b):
    """Compare rules without descriptions"""
    for prop in ['port_range', 'protocol', 'target', 'target_type']:
-        if getattr(a, prop) != getattr(b, prop):
+        if prop == 'port_range' and to_text(a.protocol) == to_text(b.protocol):
            # equal protocols can interchange `(-1, -1)` and `(None, None)`
            if a.port_range in ((None, None), (-1, -1)) and b.port_range in ((None, None), (-1, -1)):
                continue
            elif getattr(a, prop) != getattr(b, prop):
                return False
        elif getattr(a, prop) != getattr(b, prop):
            return False
    return True
@ -390,7 +397,7 @@ def rule_from_group_permission(perm):
            # there may be several IP ranges here, which is ok
            yield Rule(
                ports_from_permission(perm),
-                perm['IpProtocol'],
+                to_text(perm['IpProtocol']),
                r[target_subkey],
                target_type,
                r.get('Description')
@ -416,7 +423,7 @@ def rule_from_group_permission(perm):
            yield Rule(
                ports_from_permission(perm),
-                perm['IpProtocol'],
+                to_text(perm['IpProtocol']),
                target,
                'group',
                pair.get('Description')
@ -803,6 +810,15 @@ def wait_for_rule_propagation(module, group, desired_ingress, desired_egress, pu
            current_rules = set(sum([list(rule_from_group_permission(p)) for p in group[rule_key]], []))
            if purge and len(current_rules ^ set(desired_rules)) == 0:
                return group
            elif purge:
                conflicts = current_rules ^ set(desired_rules)
                # For cases where set comparison is equivalent, but invalid port/proto exist
                for a, b in itertools.combinations(conflicts, 2):
                    if rule_cmp(a, b):
                        conflicts.discard(a)
                        conflicts.discard(b)
                if not len(conflicts):
                    return group
            elif current_rules.issuperset(desired_rules) and not purge:
                return group
            sleep(10)
@ -1039,11 +1055,19 @@ def main():
                    rule['proto'] = '-1'
                    rule['from_port'] = None
                    rule['to_port'] = None
                try:
                    int(rule.get('proto', 'tcp'))
                    rule['proto'] = to_text(rule.get('proto', 'tcp'))
                    rule['from_port'] = None
                    rule['to_port'] = None
                except ValueError:
                    # rule does not use numeric protocol spec
                    pass
                named_tuple_rule_list.append(
                    Rule(
                        port_range=(rule['from_port'], rule['to_port']),
-                        protocol=rule.get('proto', 'tcp'),
+                        protocol=to_text(rule.get('proto', 'tcp')),
                        target=target, target_type=target_type,
                        description=rule.get('rule_desc'),
                    )
--- a/test/integration/targets/ec2_group/tasks/main.yml
+++ b/test/integration/targets/ec2_group/tasks/main.yml
@ -42,6 +42,7 @@
          Name: "{{ resource_prefix }}-vpc"
          Description: "Created by ansible-test"
      register: vpc_result
    - include: ./numeric_protos.yml
    - include: ./rule_group_create.yml
    - include: ./egress_tests.yml
    - include: ./data_validation.yml
--- a/test/integration/targets/ec2_group/tasks/numeric_protos.yml
+++ b/test/integration/targets/ec2_group/tasks/numeric_protos.yml
@ -0,0 +1,71 @@
 ---
 - block:
    - name: set up aws connection info
      set_fact:
        group_tmp_name: '{{ec2_group_name}}-numbered-protos'
        aws_connection_info: &aws_connection_info
          aws_access_key: "{{ aws_access_key }}"
          aws_secret_key: "{{ aws_secret_key }}"
          security_token: "{{ security_token }}"
          region: "{{ aws_region }}"
      no_log: yes
    - name: Create a group with numbered protocol (GRE)
      ec2_group:
        name: '{{ group_tmp_name }}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        description: '{{ ec2_group_description }}'
        rules:
        - proto: 47
          to_port: -1
          from_port: -1
          cidr_ip: 0.0.0.0/0
        <<: *aws_connection_info
        state: present
      register: result
    - name: Create a group with a quoted proto
      ec2_group:
        name: '{{ group_tmp_name }}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        description: '{{ ec2_group_description }}'
        rules:
        - proto: '47'
          to_port: -1
          from_port: -1
          cidr_ip: 0.0.0.0/0
        <<: *aws_connection_info
        state: present
      register: result
    - assert:
        that:
          - result is not changed
    - name: Add a tag with a numeric value
      ec2_group:
        name: '{{ group_tmp_name }}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        description: '{{ ec2_group_description }}'
        tags:
          foo: 1
        <<: *aws_connection_info
    - name: Read a tag with a numeric value
      ec2_group:
        name: '{{ group_tmp_name }}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        description: '{{ ec2_group_description }}'
        tags:
          foo: 1
        <<: *aws_connection_info
      register: result
    - assert:
        that:
          - result is not changed
  always:
    - name: tidy up egress rule test security group
      ec2_group:
        name: '{{group_tmp_name}}'
        state: absent
        vpc_id: '{{ vpc_result.vpc.id }}'
        <<: *aws_connection_info
      ignore_errors: yes