win_firewall_rule: Implement idempotency, check-mode and diff support (#23162)

* win_firewall_rule: Small idempotency fix

This PR includes the following changes:
- an idempotency fix when `profile: any`
- better difference output to debug idempotency issues
- documentation fixes (remove `required: false`)
- Parameter handling fixes
- RDP example that matches default RDP rule
- Renamed parameter 'enable' to 'enabled' (kept alias)
- Renamed parameter 'profile' to 'profiles' (kept alias)

* Rewrite module completely

The logic is still intact, but various changes with a single goal:

- Make the module idempotent
- Implement check-mode
- Implement diff-mode
- Adapted integration tests

This fixes #18807 and #23455.

* Change casing to lowercase

* Improve the logic wrt. diff
This commit is contained in:
Dag Wieers 2017-05-31 01:10:34 +02:00 committed by Matt Davis
commit d958440bcb
3 changed files with 448 additions and 412 deletions

View file

@ -3,7 +3,7 @@
name: http
state: absent
action: "{{ item }}"
direction: In
direction: in
with_items:
- allow
- block
@ -11,90 +11,86 @@
- name: Add firewall rule
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: present
localport: 80
action: allow
direction: In
protocol: TCP
direction: in
protocol: tcp
register: add_firewall_rule
- name: Check that creating new firewall rule succeeds with a change
assert:
that:
- add_firewall_rule.failed == false
- add_firewall_rule.changed == true
- name: Add same firewall rule (again)
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: present
localport: 80
action: allow
direction: In
protocol: TCP
direction: in
protocol: tcp
register: add_firewall_rule_again
- name: Check that creating same firewall rule succeeds without a change
assert:
that:
- add_firewall_rule_again.failed == false
- add_firewall_rule_again.changed == false
- name: Remove firewall rule
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: absent
localport: 80
action: allow
direction: In
protocol: TCP
direction: in
protocol: tcp
register: remove_firewall_rule
- name: Check that removing existing firewall rule succeeds with a change
assert:
that:
- remove_firewall_rule.failed == false
- remove_firewall_rule.changed == true
- name: Remove absent firewall rule
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: absent
localport: 80
action: allow
direction: In
protocol: TCP
direction: in
protocol: tcp
register: remove_absent_firewall_rule
- name: Check that removing non existing firewall rule succeeds without a change
assert:
that:
- remove_absent_firewall_rule.failed == false
- remove_absent_firewall_rule.changed == false
- name: Add firewall rule
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: present
localport: 80
action: allow
direction: In
protocol: TCP
direction: in
protocol: tcp
- name: Add different firewall rule
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: present
localport: 80
action: block
direction: In
protocol: TCP
direction: in
protocol: tcp
ignore_errors: yes
register: add_different_firewall_rule_without_force
@ -103,143 +99,136 @@
that:
- add_different_firewall_rule_without_force.failed == true
- add_different_firewall_rule_without_force.changed == false
- add_different_firewall_rule_without_force.difference == ["block"]
- name: Add different firewall rule with force setting
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: present
localport: 80
action: block
direction: In
protocol: TCP
direction: in
protocol: tcp
force: yes
register: add_different_firewall_rule_with_force
- name: Check that creating different firewall rule with enabling force setting succeeds
assert:
that:
- add_different_firewall_rule_with_force.failed == false
- add_different_firewall_rule_with_force.changed == true
- add_different_firewall_rule_with_force.difference == ["block"]
- name: Add firewall rule when remoteip is range
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: present
localport: 80
remoteip: 192.168.0.1-192.168.0.5
action: allow
direction: In
protocol: TCP
direction: in
protocol: tcp
force: yes
- name: Add same firewall rule when remoteip is range (again)
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: present
localport: 80
remoteip: 192.168.0.1-192.168.0.5
action: allow
direction: In
protocol: TCP
direction: in
protocol: tcp
register: add_firewall_rule_with_range_remoteip_again
- name: Check that creating same firewall rule when remoteip is range succeeds without a change
assert:
that:
- add_firewall_rule_with_range_remoteip_again.failed == false
- add_firewall_rule_with_range_remoteip_again.changed == false
- name: Add firewall rule when remoteip in CIDR notation
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: present
localport: 80
remoteip: 192.168.0.0/24
action: allow
direction: In
protocol: TCP
direction: in
protocol: tcp
force: yes
- name: Add same firewall rule when remoteip in CIDR notation (again)
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: present
localport: 80
remoteip: 192.168.0.0/24
action: allow
direction: In
protocol: TCP
direction: in
protocol: tcp
register: add_firewall_rule_with_cidr_remoteip_again
- name: Check that creating same firewall rule succeeds without a change when remoteip in CIDR notation
assert:
that:
- add_firewall_rule_with_cidr_remoteip_again.failed == false
- add_firewall_rule_with_cidr_remoteip_again.changed == false
- name: Add firewall rule when remoteip contains a netmask
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: present
localport: 80
remoteip: 192.168.0.0/255.255.255.0
action: allow
direction: In
protocol: TCP
direction: in
protocol: tcp
force: yes
- name: Add same firewall rule when remoteip contains a netmask (again)
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: present
localport: 80
remoteip: 192.168.0.0/255.255.255.0
action: allow
direction: In
protocol: TCP
direction: in
protocol: tcp
register: add_firewall_rule_remoteip_contains_netmask_again
- name: Check that creating same firewall rule succeeds without a change when remoteip contains a netmask
assert:
that:
- add_firewall_rule_remoteip_contains_netmask_again.failed == false
- add_firewall_rule_remoteip_contains_netmask_again.changed == false
- name: Add firewall rule when remoteip is IPv4
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: present
localport: 80
remoteip: 192.168.0.1
action: allow
direction: In
protocol: TCP
direction: in
protocol: tcp
force: yes
- name: Add same firewall rule when remoteip is IPv4 (again)
win_firewall_rule:
name: http
enable: yes
enabled: yes
state: present
localport: 80
remoteip: 192.168.0.1
action: allow
direction: In
protocol: TCP
direction: in
protocol: tcp
register: add_firewall_rule_with_ipv4_remoteip_again
- name: Check that creating same firewall rule when remoteip is IPv4 succeeds without a change
assert:
that:
- add_firewall_rule_with_ipv4_remoteip_again.failed == false
- add_firewall_rule_with_ipv4_remoteip_again.changed == false