community.vmware
vmware_guest_boot_manager changed default secure_boot_enabled value
SUMMARY
ISSUE TYPE
- Feature Idea
COMPONENT NAME
ANSIBLE VERSION
"ansible [core 2.12.1]",
" config file = /root/ansible-vsphere-gos-validation/ansible.cfg",
" configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']",
" ansible python module location = /usr/lib/python3.9/site-packages/ansible",
" ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections",
" executable location = /usr/bin/ansible",
" python version = 3.9.1 (default, Aug 19 2021, 02:58:42) [GCC 10.2.0]",
" jinja version = 3.0.1",
" libyaml = True"
COLLECTION VERSION
"Collection Version",
"----------------- -------",
"ansible.netcommon 2.5.0 ",
"ansible.posix 1.3.0 ",
"ansible.utils 2.4.3 ",
"ansible.windows 1.9.0 ",
"community.crypto 2.1.0 ",
"community.general 4.3.0 ",
"community.vmware 2.1.0 ",
"community.windows 1.9.0 "
CONFIGURATION
"CALLBACKS_ENABLED(/home/worker/workspace/Ansible_Regression_Windows_11_64/ansible-vsphere-gos-validation/ansible.cfg) = ['timer']",
"DEFAULT_CALLBACK_PLUGIN_PATH(/home/worker/workspace/Ansible_Regression_Windows_11_64/ansible-vsphere-gos-validation/ansible.cfg) = ['/home/worker/workspace/Ansible_Regression_Windows_11_64/ansible-vsphere-gos-validation/plugin']",
"DISPLAY_SKIPPED_HOSTS(/home/worker/workspace/Ansible_Regression_Windows_11_64/ansible-vsphere-gos-validation/ansible.cfg) = False",
"RETRY_FILES_ENABLED(/home/worker/workspace/Ansible_Regression_Windows_11_64/ansible-vsphere-gos-validation/ansible.cfg) = False"
OS / ENVIRONMENT
STEPS TO REPRODUCE
- hosts: localhost
  vars:
    vsphere_host_name:
    vsphere_host_user:
    vsphere_host_user_password:
    vm_name:
  tasks:
    - name: Get VM boot facts before boot option changing
      vmware_guest_boot_info:
        validate_certs: False
        hostname: "{{ vsphere_host_name }}"
        username: "{{ vsphere_host_user }}"
        password: "{{ vsphere_host_user_password }}"
        name: "{{ vm_name }}"
      register: boot_facts_before_update
    - name: Display the VM boot options
      debug: var=boot_facts_before_update
    - name: Set VM boot options
      vmware_guest_boot_manager:
        validate_certs: False
        hostname: "{{ vsphere_host_name }}"
        username: "{{ vsphere_host_user }}"
        password: "{{ vsphere_host_user_password }}"
        name: "{{ vm_name }}"
        enter_bios_setup: True
      register: set_boot_opts
    - name: Display set boot options result
      debug: var=set_boot_opts
    - name: Get VM boot facts after boot option changing
      vmware_guest_boot_info:
        validate_certs: False
        hostname: "{{ vsphere_host_name }}"
        username: "{{ vsphere_host_user }}"
        password: "{{ vsphere_host_user_password }}"
        name: "{{ vm_name }}"
      register: boot_facts_after_update
    - name: Display the VM boot options
      debug: var=boot_facts_after_update
output:
PLAY [localhost] *******************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [localhost]

TASK [Get VM boot facts after boot option changing] ********************************************************************
ok: [localhost]

TASK [Display the VM boot options] *************************************************************************************
ok: [localhost] => {
    "boot_facts_before_update": {
        "changed": false,
        "failed": false,
        "vm_boot_info": {
            "current_boot_delay": 0,
            "current_boot_firmware": "efi",
            "current_boot_order": [],
            "current_boot_retry_delay": 10000,
            "current_boot_retry_enabled": false,
            "current_enter_bios_setup": false,
            "current_secure_boot_enabled": true
        }
    }
}

TASK [Set VM boot options] *********************************************************************************************
changed: [localhost]

TASK [Display set boot options result] *********************************************************************************
ok: [localhost] => {
    "set_boot_opts": {
        "changed": true,
        "failed": false,
        "vm_boot_status": {
            "current_boot_delay": 0,
            "current_boot_firmware": "efi",
            "current_boot_order": [],
            "current_boot_retry_delay": 0,
            "current_boot_retry_enabled": true,
            "current_enter_bios_setup": true,
            "current_secure_boot_enabled": false,
            "previous_boot_delay": 0,
            "previous_boot_firmware": "efi",
            "previous_boot_order": [],
            "previous_boot_retry_delay": 10000,
            "previous_boot_retry_enabled": false,
            "previous_enter_bios_setup": false,
            "previous_secure_boot_enabled": true
        }
    }
}

TASK [Get VM boot facts after boot option changing] ********************************************************************
ok: [localhost]

TASK [Display the VM boot options] *************************************************************************************
ok: [localhost] => {
    "boot_facts_after_update": {
        "changed": false,
        "failed": false,
        "vm_boot_info": {
            "current_boot_delay": 0,
            "current_boot_firmware": "efi",
            "current_boot_order": [],
            "current_boot_retry_delay": 0,
            "current_boot_retry_enabled": true,
            "current_enter_bios_setup": true,
            "current_secure_boot_enabled": false
        }
    }
}
EXPECTED RESULTS
After changing boot option enter_bios_setup with true, current_secure_boot_enabled should still be true.
ACTUAL RESULTS
After changing boot option enter_bios_setup with true, current_secure_boot_enabled became false.
Files identified in the description: None
If these files are inaccurate, please update the component name section of the description or use the !component bot command.
I don't think this is a bug. The default for secure_boot_enabled is False. If you don't set this to True the module works as intended (and documented) and disables secure boot.
So I suggest you either close this issue or change it to a feature request to not have a default for secure_boot_enabled.
I think there might be good reasons to not have a default for this. But I'm afraid changing this might break existing playbooks. So we would wait with this until version 3 of the collection.
What do you say, could you live with False as the default for secure_boot_enabled or should we change this in version 3?
Hi @mariolenz, thanks for your response.
For a VM with secureboot enabled before making changes to boot options, in this case,
"current_secure_boot_enabled": true
I think it is better to leave it as what it is when vmware_guest_boot_manager has no secure_boot_enabled set, and changing other boot option shouldn't change current_secure_boot_enabled meanwhile.
> I think it is better to leave it as what it is when vmware_guest_boot_manager has no secure_boot_enabled set, and changing other boot option shouldn't change current_secure_boot_enabled meanwhile.
I agree. But as I've said, I don't think we'll change this within 2.x.
I've added your issue to the 3.0.0 milestone so we don't forget.
Thank you, @mariolenz.
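A playbook-side workaround for the 2.x behaviour discussed above, as an added example that is not part of the original thread or the collection's own code: read the VM's current Secure Boot state, pass it back explicitly as secure_boot_enabled, and fail the play if the state still changed. It assumes the same variable names as the reporter's playbook, supplied by the caller; the register names boot_before, boot_after and set_boot_opts are chosen here for illustration.

```yaml
# Added example: preserve the existing Secure Boot setting while changing
# another boot option, instead of inheriting the module default (False in 2.x).
# Assumes vsphere_host_name, vsphere_host_user, vsphere_host_user_password and
# vm_name are provided by the caller (inventory, vars file or -e).
- hosts: localhost
  gather_facts: false
  tasks:
    - name: Read current boot options
      community.vmware.vmware_guest_boot_info:
        hostname: "{{ vsphere_host_name }}"
        username: "{{ vsphere_host_user }}"
        password: "{{ vsphere_host_user_password }}"
        name: "{{ vm_name }}"
      register: boot_before

    - name: Enter BIOS setup on next boot, keeping Secure Boot as it is
      community.vmware.vmware_guest_boot_manager:
        hostname: "{{ vsphere_host_name }}"
        username: "{{ vsphere_host_user }}"
        password: "{{ vsphere_host_user_password }}"
        name: "{{ vm_name }}"
        enter_bios_setup: true
        # Explicitly carry the current value through so the default is never used.
        secure_boot_enabled: "{{ boot_before.vm_boot_info.current_secure_boot_enabled }}"
      register: set_boot_opts

    - name: Re-read boot options after the change
      community.vmware.vmware_guest_boot_info:
        hostname: "{{ vsphere_host_name }}"
        username: "{{ vsphere_host_user }}"
        password: "{{ vsphere_host_user_password }}"
        name: "{{ vm_name }}"
      register: boot_after

    - name: Fail if Secure Boot changed as a side effect
      ansible.builtin.assert:
        that:
          - >-
            boot_after.vm_boot_info.current_secure_boot_enabled
            == boot_before.vm_boot_info.current_secure_boot_enabled
        fail_msg: "Secure Boot state changed during the boot option update"
        success_msg: "Secure Boot state preserved"
```

The same assert can be run against previous_secure_boot_enabled and current_secure_boot_enabled in the registered vm_boot_status of existing playbooks to find tasks that have been turning Secure Boot off unintentionally.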