cs_firewall: fix idempotence and tests for cloudstack v4.11 (#42458)

2025-04-26 04:11:25 -07:00 · 2018-07-08 00:51:46 +02:00 · 2018-07-08 00:51:46 +02:00 · 0e6628395a
commit 0e6628395a
parent 07adeff665
2 changed files with 22 additions and 10 deletions
--- a/lib/ansible/modules/cloud/cloudstack/cs_firewall.py
+++ b/lib/ansible/modules/cloud/cloudstack/cs_firewall.py
@ -249,16 +249,24 @@ class AnsibleCloudStackFirewall(AnsibleCloudStack):
                args['networkid'] = self.get_network(key='id')
                if not args['networkid']:
                    self.module.fail_json(msg="missing required argument for type egress: network")
+
+                # CloudStack 4.11 use the network cidr for 0.0.0.0/0 in egress
+                # That is why we need to replace it.
+                network_cidr = self.get_network(key='cidr')
+                egress_cidrs = [network_cidr if cidr == '0.0.0.0/0' else cidr for cidr in cidrs]
+
                firewall_rules = self.query_api('listEgressFirewallRules', **args)
            else:
                args['ipaddressid'] = self.get_ip_address('id')
                if not args['ipaddressid']:
                    self.module.fail_json(msg="missing required argument for type ingress: ip_address")
+                egress_cidrs = None
+
                firewall_rules = self.query_api('listFirewallRules', **args)

            if firewall_rules:
                for rule in firewall_rules:
-                    type_match = self._type_cidrs_match(rule, cidrs)
+                    type_match = self._type_cidrs_match(rule, cidrs, egress_cidrs)

                    protocol_match = (
                        self._tcp_udp_match(rule, protocol, start_port, end_port) or
@ -294,8 +302,11 @@ class AnsibleCloudStackFirewall(AnsibleCloudStack):
            icmp_type == rule['icmptype']
        )

-    def _type_cidrs_match(self, rule, cidrs):
-        return ",".join(cidrs) == rule['cidrlist']
+    def _type_cidrs_match(self, rule, cidrs, egress_cidrs):
+        if egress_cidrs is not None:
+            return ",".join(egress_cidrs) == rule['cidrlist'] or ",".join(cidrs) == rule['cidrlist']
+        else:
+            return ",".join(cidrs) == rule['cidrlist']

    def create_firewall_rule(self):
        firewall_rule = self.get_firewall_rule()