
ibm_is_security_group_rule is not idempotent

Open kdelee opened this issue 2 years ago • 3 comments

https://github.com/IBM-Cloud/ansible-collection-ibm/blob/master/plugins/modules/ibm_is_security_group_rule.py

If you run this module multiple times with the same ports,

- name: "Configure Security Group Rule to open certain ports on the VSI"
  ibm.cloudcollection.ibm_is_security_group_rule:
    state: available
    group: "{{ vpc.default_security_group }}"
    region: "{{ ibmcloud_ic_region }}"
    direction: inbound
    remote: 0.0.0.0/0
    tcp:
      - port_max: "{{ item }}"
        port_min: "{{ item }}"
  loop: "{{ list_of_ports }}"

It just keeps adding more rules, even though the rules are the same. This is not idempotent behavior, and it causes users to run into the max limit of 50 rules per security group.

kdelee avatar Oct 26 '21 15:10 kdelee

@kdelee I could be wrong, but I've found that for many modules, idempotency is controlled via the usage of the id parameter:

    id:
        description:
            - (Required when updating or destroying existing resource) IBM Cloud Resource ID.
        required: False
        type: str

This however requires you to retrieve the ID before creating the resource. In your case, you'd need to use the ibm_is_security_group_info module and retrieve the resource via the resource.id key.

Razique avatar Feb 23 '22 23:02 Razique

Confused, as it seems you cannot get it? rule_id is *nothing??

ok: [localhost] => {
    "ansible_facts": {
        "vpc_security_group": {
            "crn": "crn:v1:bluemix:public:is:us-east:a/934a2fceb1944dd68f378c52b5f02dde::security-group:r014-3ebc609d-960a-41d2-b82d-69ccb0218188",
            "id": "r014-3ebc609d-960a-41d2-b82d-69ccb0218188",
            "name": "vpc-security-group-vmwareansible",
            "resource_controller_url": "https://cloud.ibm.com/vpc/network/securityGroups",
            "resource_crn": "crn:v1:bluemix:public:is:us-east:a/934a2fceb1944dd68f378c52b5f02dde::security-group:r014-3ebc609d-960a-41d2-b82d-69ccb0218188",
            "resource_group_name": "VMwareAnsible",
            "resource_name": "vpc-security-group-vmwareansible",
            "rules": [
                {
                    "code": 0,
                    "direction": "inbound",
                    "ip_version": "ipv4",
                    "port_max": 22,
                    "port_min": 22,
                    "protocol": "tcp",
                    "remote": "0.0.0.0/0",
                    "rule_id": "",
                    "type": 0
                },
                {
                    "code": 0,
                    "direction": "inbound",
                    "ip_version": "ipv4",
                    "port_max": 22,
                    "port_min": 22,
                    "protocol": "tcp",
                    "remote": "0.0.0.0/0",
                    "rule_id": "",
                    "type": 0
                }
            ],
            "tags": [],
            "vpc": "r014-d79642d3-f6f0-4eaf-9d8f-7eccb14ac154"
        }
    },
    "changed": false
}

jimccann-rh avatar Sep 16 '22 20:09 jimccann-rh

ID is there, try r014-3ebc609d-960a-41d2-b82d-69ccb0218188

Razique avatar Sep 16 '22 20:09 Razique
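An added example, not code from the collection or from anyone in this thread: a small pre-check that compares the rules already on a security group (in the facts shape quoted above) with the rules a play wants, so the play can skip rules that already exist, and that reports the duplicate rules and the 50-rule ceiling this issue describes. The function names, the sample group, its shortened IDs and the limit constant are assumptions made for the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

Rule = Dict[str, object]

# Constructed sample facts in the same shape as the ibm_is_security_group_info
# output quoted in this thread (IDs shortened and invented for the example).
SAMPLE_GROUP: Rule = {
    "id": "r014-example-group-id",
    "rules": [
        {"direction": "inbound", "protocol": "tcp", "remote": "0.0.0.0/0",
         "port_min": 22, "port_max": 22, "rule_id": ""},
        {"direction": "inbound", "protocol": "tcp", "remote": "0.0.0.0/0",
         "port_min": 22, "port_max": 22, "rule_id": ""},   # duplicate, as in the thread
        {"direction": "inbound", "protocol": "tcp", "remote": "10.0.0.0/8",
         "port_min": 443, "port_max": 443, "rule_id": ""},
    ],
}

def rule_key(rule: Rule) -> Tuple[str, str, str, int, int]:
    """Identity of a rule as the API describes it; values are normalised so a
    templated Ansible var such as "22" compares equal to the integer 22 in facts."""
    return (str(rule["direction"]).lower(), str(rule["protocol"]).lower(),
            str(rule["remote"]), int(rule.get("port_min") or 0),
            int(rule.get("port_max") or 0))

def module_args_to_rule(args: Rule) -> Rule:
    """Flatten the module's argument shape (a one-element 'tcp'/'udp' list, as in
    the playbook above) into the flat shape the facts use, so both can be compared."""
    for proto in ("tcp", "udp"):
        if args.get(proto):
            spec = args[proto][0]
            return {"direction": args["direction"], "protocol": proto,
                    "remote": args["remote"],
                    "port_min": spec["port_min"], "port_max": spec["port_max"]}
    raise ValueError("only tcp/udp port rules are handled in this example")

def plan(group: Rule, wanted: List[Rule], limit: int = 50) -> Dict[str, object]:
    """Return which wanted rules are missing, which existing rules appear more than
    once, and whether creating the missing ones would pass the per-group limit."""
    existing = Counter(rule_key(r) for r in group["rules"])
    missing = [w for w in wanted if existing[rule_key(module_args_to_rule(w))] == 0]
    return {
        "create": missing,
        "duplicates": [k for k, n in existing.items() if n > 1],
        "would_exceed_limit": len(group["rules"]) + len(missing) > limit,
    }
```

In a play, the result of `plan` maps onto a `when:` condition for the create task, so the module is only called for rules the facts do not already contain.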