
Adding ufw rules always shows changed even though nothing did change

Open asperling opened this issue 1 year ago • 2 comments

Summary

Hi, not sure if it's something on my end, but following the documentation and the examples given here I put together a simple role to set up a ufw-based firewall. The results, if checked on the target machine, are indeed correct, but every time the playbook runs (even with only this role and no additional task) the limit and allow rules both show as changed. In my understanding that shouldn't be the case.

Issue Type

Bug Report

Component Name

ufw

Ansible Version

$ ansible --version
ansible [core 2.13.3]
  config file = /Users/achim/Code/tooltime/server-setup/ansible.cfg
  configured module search path = ['/Users/achim/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/6.3.0/libexec/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/achim/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.10.6 (main, Aug 30 2022, 04:58:14) [Clang 13.1.6 (clang-1316.0.21.2.5)]
  jinja version = 3.1.2
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general
# /opt/homebrew/Cellar/ansible/6.3.0/libexec/lib/python3.10/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 5.5.0

Configuration

$ ansible-config dump --only-changed
10.11.12.136               : ok=3    changed=2    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
DEFAULT_BECOME(/Users/achim/Code/tooltime/server-setup/ansible.cfg) = True
DEFAULT_BECOME_METHOD(/Users/achim/Code/tooltime/server-setup/ansible.cfg) = sudo
DEFAULT_BECOME_USER(/Users/achim/Code/tooltime/server-setup/ansible.cfg) = root
DEFAULT_HOST_LIST(/Users/achim/Code/tooltime/server-setup/ansible.cfg) = ['/Users/achim/Code/tooltime/server-setup/infrastructure/hosts']
DEFAULT_REMOTE_USER(/Users/achim/Code/tooltime/server-setup/ansible.cfg) = tooltime
HOST_KEY_CHECKING(/Users/achim/Code/tooltime/server-setup/ansible.cfg) = False

OS / Environment

Ubuntu Server 22.04 - fresh install

Steps to Reproduce

roles/ufw/tasks/main.yml

---
- name: Allow SSH connections
  community.general.ufw:
    rule: "allow"
    port: "22"
    proto: "tcp"
- name: Rate limit SSH connections
  community.general.ufw:
    rule: "limit"
    port: "22"
    proto: "tcp"
- name: Enable firewall
  community.general.ufw:
    state: enabled
    policy: reject
    logging: on

playbook.yml

---
- name: Simple playbook
  hosts: all
  roles:
    - ufw

Expected Results

I would expect that running the given playbook/role twice would result in changes during the first run (such as enabling rules and firewall) but no changes during the second run.

Actual Results

PLAY [Simple playbook] *******************************************************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************************************************
ok: [10.10.10.10]

TASK [common : Allow SSH connections] *********************************************************************************************************************************************
changed: [10.10.10.10]

TASK [common : Rate limit SSH connections] ****************************************************************************************************************************************
changed: [10.10.10.10]

TASK [common : Enable firewall] ***************************************************************************************************************************************************
ok: [10.10.10.10]

PLAY RECAP ************************************************************************************************************************************************************************
10.10.10.10               : ok=4    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

... on every run.

Code of Conduct

  • [X] I agree to follow the Ansible Code of Conduct

asperling avatar Sep 01 '22 12:09 asperling
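The oscillation between the two tasks can be reproduced without a target host by modelling one documented ufw behaviour: a rule whose match fields (port, protocol, source) equal an existing rule's but whose action differs replaces that rule in place (ufw prints "Rule updated") instead of being appended, and `limit` already allows the traffic it rate-limits. The Python below is an added example, not code from the community.general ufw module or from the reporter; `Rule`, `parse_status`, `apply`, `run_role` and `converge` are names chosen here, and the `ufw status` text is constructed.

```python
"""Model of ufw's rule-replacement semantics, used to show why a role that
runs `allow 22/tcp` and then `limit 22/tcp` reports both tasks as changed
on every run.  Added example; not code from community.general or ufw.
The sample `ufw status` output below is constructed."""
import re
from dataclasses import dataclass

# Constructed: what `ufw status` shows after the issue's role has run once.
SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: reject (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
"""

# The task sequence from the issue, and the variant with the redundant
# allow removed (ufw's limit action permits the traffic, rate-limited).
ROLE_TASKS = [("allow", "22", "tcp"), ("limit", "22", "tcp")]
FIXED_TASKS = [("limit", "22", "tcp")]


@dataclass(frozen=True)
class Rule:
    to: str      # "22/tcp" or "22/tcp (v6)"
    action: str  # ALLOW, DENY, REJECT or LIMIT
    src: str     # "Anywhere", "Anywhere (v6)" or an address

    def same_match(self, other: "Rule") -> bool:
        # ufw identifies a rule by its match fields, not by its action.
        return self.to == other.to and self.src == other.src


_RULE_RE = re.compile(
    r"^(\S+(?: \(v6\))?)\s+(ALLOW|DENY|REJECT|LIMIT)(?: IN| OUT)?"
    r"\s+(\S+(?: \(v6\))?)\s*$"
)


def parse_status(text: str) -> list[Rule]:
    """Extract the rule table from `ufw status` output; header lines
    and the policy summary do not match the regex and are skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(*m.groups()))
    return rules


def apply(rules: list[Rule], action: str, port: str, proto: str) -> tuple[list[Rule], bool]:
    """Mirror `ufw <action> <port>/<proto>`: ufw creates an IPv4 and an IPv6
    rule; an existing rule with the same match is updated in place when its
    action differs ("Rule updated") and skipped when it is identical."""
    wanted = [Rule(f"{port}/{proto}", action.upper(), "Anywhere"),
              Rule(f"{port}/{proto} (v6)", action.upper(), "Anywhere (v6)")]
    new = list(rules)
    changed = False
    for w in wanted:
        for i, r in enumerate(new):
            if r.same_match(w):
                if r.action != w.action:
                    new[i] = w        # same match, different action: replaced
                    changed = True
                break                 # identical rule: nothing to do
        else:
            new.append(w)             # no rule with this match yet
            changed = True
    return new, changed


def run_role(rules: list[Rule], tasks) -> tuple[list[Rule], list[bool]]:
    """Apply the tasks in order; return the final ruleset and one
    changed flag per task, as the play output would report them."""
    flags = []
    for action, port, proto in tasks:
        rules, changed = apply(rules, action, port, proto)
        flags.append(changed)
    return rules, flags


def converge(tasks, runs: int = 3) -> list[list[bool]]:
    """Run the role repeatedly from an empty ruleset and collect the
    changed flags of each run; an idempotent role reports only False
    from the second run on."""
    rules, history = [], []
    for _ in range(runs):
        rules, flags = run_role(rules, tasks)
        history.append(flags)
    return history


if __name__ == "__main__":
    print("rules after first run:", parse_status(SAMPLE_STATUS))
    print("issue role, per-run changed flags:", converge(ROLE_TASKS))
    print("limit-only role, per-run changed flags:", converge(FIXED_TASKS))
```

Starting from the LIMIT rules in the sample, the allow task turns them into ALLOW (changed) and the limit task turns them back (changed), so the role never converges; with the allow task dropped, the second run reports nothing changed. The real module decides "changed" by comparing ufw's rule files before and after the command, so this model only covers the action-only collision the issue's role triggers, not other reasons a rule file might differ.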

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


ansibullbot avatar Sep 01 '22 12:09 ansibullbot

cc @ahtik @ovcharenko @pyykkis

ansibullbot avatar Sep 01 '22 12:09 ansibullbot