win_firewall_rule: Implement idempotency, check-mode and diff support (#23162)
* win_firewall_rule: Small idempotency fix This PR includes the following changes: - an idempotency fix when `profile: any` - better difference output to debug idempotency issues - documentation fixes (remove `required: false`) - Parameter handling fixes - RDP example that matches default RDP rule - Renamed parameter 'enable' to 'enabled' (kept alias) - Renamed parameter 'profile' to 'profiles' (kept alias) * Rewrite module completely The logic is still intact, but various changes with a single goal: - Make the module idempotent - Implement check-mode - Implement diff-mode - Adapted integration tests This fixes #18807 and #23455. * Change casing to lowercase * Improve the logic wrt. diff
parent
0e160d5c7e
commit
d958440bcb
3 changed files with 448 additions and 412 deletions
|
@ -3,7 +3,7 @@
|
|||
name: http
|
||||
state: absent
|
||||
action: "{{ item }}"
|
||||
direction: In
|
||||
direction: in
|
||||
with_items:
|
||||
- allow
|
||||
- block
|
||||
|
@ -11,90 +11,86 @@
|
|||
- name: Add firewall rule
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: present
|
||||
localport: 80
|
||||
action: allow
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
register: add_firewall_rule
|
||||
|
||||
- name: Check that creating new firewall rule succeeds with a change
|
||||
assert:
|
||||
that:
|
||||
- add_firewall_rule.failed == false
|
||||
- add_firewall_rule.changed == true
|
||||
|
||||
- name: Add same firewall rule (again)
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: present
|
||||
localport: 80
|
||||
action: allow
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
register: add_firewall_rule_again
|
||||
|
||||
- name: Check that creating same firewall rule succeeds without a change
|
||||
assert:
|
||||
that:
|
||||
- add_firewall_rule_again.failed == false
|
||||
- add_firewall_rule_again.changed == false
|
||||
|
||||
- name: Remove firewall rule
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: absent
|
||||
localport: 80
|
||||
action: allow
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
register: remove_firewall_rule
|
||||
|
||||
- name: Check that removing existing firewall rule succeeds with a change
|
||||
assert:
|
||||
that:
|
||||
- remove_firewall_rule.failed == false
|
||||
- remove_firewall_rule.changed == true
|
||||
|
||||
- name: Remove absent firewall rule
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: absent
|
||||
localport: 80
|
||||
action: allow
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
register: remove_absent_firewall_rule
|
||||
|
||||
- name: Check that removing non existing firewall rule succeeds without a change
|
||||
assert:
|
||||
that:
|
||||
- remove_absent_firewall_rule.failed == false
|
||||
- remove_absent_firewall_rule.changed == false
|
||||
|
||||
- name: Add firewall rule
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: present
|
||||
localport: 80
|
||||
action: allow
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
|
||||
- name: Add different firewall rule
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: present
|
||||
localport: 80
|
||||
action: block
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
ignore_errors: yes
|
||||
register: add_different_firewall_rule_without_force
|
||||
|
||||
|
@ -103,143 +99,136 @@
|
|||
that:
|
||||
- add_different_firewall_rule_without_force.failed == true
|
||||
- add_different_firewall_rule_without_force.changed == false
|
||||
- add_different_firewall_rule_without_force.difference == ["block"]
|
||||
|
||||
- name: Add different firewall rule with force setting
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: present
|
||||
localport: 80
|
||||
action: block
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
force: yes
|
||||
register: add_different_firewall_rule_with_force
|
||||
|
||||
- name: Check that creating different firewall rule with enabling force setting succeeds
|
||||
assert:
|
||||
that:
|
||||
- add_different_firewall_rule_with_force.failed == false
|
||||
- add_different_firewall_rule_with_force.changed == true
|
||||
- add_different_firewall_rule_with_force.difference == ["block"]
|
||||
|
||||
- name: Add firewall rule when remoteip is range
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: present
|
||||
localport: 80
|
||||
remoteip: 192.168.0.1-192.168.0.5
|
||||
action: allow
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
force: yes
|
||||
|
||||
- name: Add same firewall rule when remoteip is range (again)
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: present
|
||||
localport: 80
|
||||
remoteip: 192.168.0.1-192.168.0.5
|
||||
action: allow
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
register: add_firewall_rule_with_range_remoteip_again
|
||||
|
||||
- name: Check that creating same firewall rule when remoteip is range succeeds without a change
|
||||
assert:
|
||||
that:
|
||||
- add_firewall_rule_with_range_remoteip_again.failed == false
|
||||
- add_firewall_rule_with_range_remoteip_again.changed == false
|
||||
|
||||
- name: Add firewall rule when remoteip in CIDR notation
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: present
|
||||
localport: 80
|
||||
remoteip: 192.168.0.0/24
|
||||
action: allow
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
force: yes
|
||||
|
||||
- name: Add same firewall rule when remoteip in CIDR notation (again)
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: present
|
||||
localport: 80
|
||||
remoteip: 192.168.0.0/24
|
||||
action: allow
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
register: add_firewall_rule_with_cidr_remoteip_again
|
||||
|
||||
- name: Check that creating same firewall rule succeeds without a change when remoteip in CIDR notation
|
||||
assert:
|
||||
that:
|
||||
- add_firewall_rule_with_cidr_remoteip_again.failed == false
|
||||
- add_firewall_rule_with_cidr_remoteip_again.changed == false
|
||||
|
||||
- name: Add firewall rule when remoteip contains a netmask
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: present
|
||||
localport: 80
|
||||
remoteip: 192.168.0.0/255.255.255.0
|
||||
action: allow
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
force: yes
|
||||
|
||||
- name: Add same firewall rule when remoteip contains a netmask (again)
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: present
|
||||
localport: 80
|
||||
remoteip: 192.168.0.0/255.255.255.0
|
||||
action: allow
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
register: add_firewall_rule_remoteip_contains_netmask_again
|
||||
|
||||
- name: Check that creating same firewall rule succeeds without a change when remoteip contains a netmask
|
||||
assert:
|
||||
that:
|
||||
- add_firewall_rule_remoteip_contains_netmask_again.failed == false
|
||||
- add_firewall_rule_remoteip_contains_netmask_again.changed == false
|
||||
|
||||
- name: Add firewall rule when remoteip is IPv4
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: present
|
||||
localport: 80
|
||||
remoteip: 192.168.0.1
|
||||
action: allow
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
force: yes
|
||||
|
||||
- name: Add same firewall rule when remoteip is IPv4 (again)
|
||||
win_firewall_rule:
|
||||
name: http
|
||||
enable: yes
|
||||
enabled: yes
|
||||
state: present
|
||||
localport: 80
|
||||
remoteip: 192.168.0.1
|
||||
action: allow
|
||||
direction: In
|
||||
protocol: TCP
|
||||
direction: in
|
||||
protocol: tcp
|
||||
register: add_firewall_rule_with_ipv4_remoteip_again
|
||||
|
||||
- name: Check that creating same firewall rule when remoteip is IPv4 succeeds without a change
|
||||
assert:
|
||||
that:
|
||||
- add_firewall_rule_with_ipv4_remoteip_again.failed == false
|
||||
- add_firewall_rule_with_ipv4_remoteip_again.changed == false
|
||||
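Review bot: None of the tasks in this test file sets `check_mode`, so the check-mode support announced in the commit title is not exercised by anything visible here. For a firewall module this matters operationally: a `--check` run that actually adds or removes the `http` rule changes host exposure while claiming to be a preview. I would add a check-mode task ahead of the first `Add firewall rule` task, so that the existing `add_firewall_rule.changed == true` assertion also confirms the dry run created nothing. The assertions also inspect only `failed` and `changed`, never the rule left on the host, so the `action: block` case could report a change while the rule stays `allow`. The rendered page has lost its +/- markers and shows only one of the three changed files, so this coverage may exist outside the visible section.

```yaml
- name: Add firewall rule (check mode)
  win_firewall_rule:
    name: http
    enabled: yes
    state: present
    localport: 80
    action: allow
    direction: in
    protocol: tcp
  check_mode: yes
  register: add_firewall_rule_check

- name: Check that check mode reports a change without applying it
  assert:
    that:
    - add_firewall_rule_check.failed == false
    - add_firewall_rule_check.changed == true

# … unchanged: "Add firewall rule" task and its changed == true assertion follow …
```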
|
|