
Unable to set idempotent firewall rule on windows firewall.

Status: Open. IanMoroney opened this issue 4 years ago, 3 comments.

SUMMARY

When using

win_firewall_rule

it seems that when you try to re-run the ansible code, it fails, saying the rule exists but has different values.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

win_firewall_rule

ANSIBLE VERSION
ansible-playbook 2.2.2.0
  config file =
  configured module search path = Default w/o overrides
CONFIGURATION
- name: Firewall rule to allow ports 5000 and 5003
  win_firewall_rule:
    name: " FWRule"
    localport: 5000,5003
    action: allow
    direction: in
    protocol: tcp
    state: present
    enabled: yes
    ignore_errors: yes
OS / ENVIRONMENT

Target OS version: Windows Server 2019

STEPS TO REPRODUCE
Run the playbook
EXPECTED RESULTS

I'd expect the firewall rule to apply the very first time (it does). On subsequent applies, it should see that the rule exists and ignore it, or, if it's different, change it.

ACTUAL RESULTS
TASK [Firewall rule to allow ports 5000 and 5003] ***********************
fatal: [10.0.0.1]: FAILED! => {"changed": false, "difference": [" FWRule", "any"], "failed": true, "fwsettings": {"Action": "allow", "Direction": "in", "Enabled": "yes", "LocalIP": "any", "LocalPort": "5000,5003", "Profiles": "any", "Protocol": "tcp", "RemoteIP": "any", "RemotePort": "any", "Rule Name": " FWRule", "Service": "any"}, "msg": ["The rule ' FWRule' exists.", "The rule exists but has different values", "There was already a rule  FWRule with different values, use force=True to overwrite it"]}

IanMoroney, Jun 11 '20 08:06

Additional information:

Deleting the rule from the server, and letting ansible re-run it yields:

TASK [Firewall rule to allow ports 5000 and 5003] ***********************
changed: [10.0.0.1]

Re-Running the task after this yields the same error:

The rule exists but has different values

IanMoroney, Jun 11 '20 08:06

Additionally, it seems to be ignoring the ignore_errors: yes section.

IanMoroney, Jun 11 '20 08:06

@IanMoroney you are using a really old version of Ansible (2.2) and this module has gone through a lot of iterations since then. Can you please try this with a newer version of Ansible, i.e. 2.9 and verify it's still a problem for you.

Additionally, it seems to be ignoring the ignore_errors: yes section.

That's because you have set ignore_errors: yes as a module option not a task option. The indentation for ignore_errors should be at the same level as name or win_firewall_rule as it's a task option.

- name: Firewall rule to allow ports 5000 and 5003
  win_firewall_rule:
    name: " FWRule"
    localport: 5000,5003
    action: allow
    direction: in
    protocol: tcp
    state: present
    enabled: yes
  ignore_errors: yes

jborean93, Aug 12 '20 23:08
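When the module reports "exists but has different values", the useful next step is to look at what the host actually has, so the following PowerShell check, run on the target, compares the live rule against the values Ansible printed in fwsettings. It is an added example, not code from this issue or from the win_firewall_rule module; it assumes the NetSecurity cmdlets (Get-NetFirewallRule, Get-NetFirewallPortFilter, Get-NetFirewallAddressFilter) are available and that the rule name is typed exactly as in the playbook, leading space included.

```powershell
# Added diagnostic, not code from the issue or from win_firewall_rule.
# Assumes Windows Server 2012 / PowerShell 3.0 or later with the NetSecurity module.
# Lists every rule whose DisplayName matches the playbook's name (leading space included)
# and shows which fields differ from the values Ansible reported in "fwsettings".
$RuleName = " FWRule"

# Desired state, transcribed from the fwsettings in the failure message.
$desired = [ordered]@{
    Enabled       = 'True'
    Direction     = 'Inbound'
    Action        = 'Allow'
    Profile       = 'Any'
    Protocol      = 'TCP'
    LocalPort     = '5000,5003'
    RemotePort    = 'Any'
    LocalAddress  = 'Any'
    RemoteAddress = 'Any'
}

$rules = @(Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
if ($rules.Count -eq 0) {
    Write-Output "No rule with DisplayName '$RuleName' (check for a leading or trailing space)"
    return
}
Write-Output ("Found {0} rule(s) named '{1}'" -f $rules.Count, $RuleName)

foreach ($rule in $rules) {
    # Port and address settings live on separate filter objects, not on the rule itself.
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    $actual = [ordered]@{
        Enabled       = [string]$rule.Enabled
        Direction     = [string]$rule.Direction
        Action        = [string]$rule.Action
        Profile       = [string]$rule.Profile
        Protocol      = [string]$port.Protocol
        LocalPort     = (@($port.LocalPort) | Sort-Object) -join ','
        RemotePort    = (@($port.RemotePort) | Sort-Object) -join ','
        LocalAddress  = (@($addr.LocalAddress) | Sort-Object) -join ','
        RemoteAddress = (@($addr.RemoteAddress) | Sort-Object) -join ','
    }
    Write-Output ("--- rule Name='{0}' Group='{1}'" -f $rule.Name, $rule.Group)
    foreach ($key in $desired.Keys) {
        # String -eq in PowerShell is case-insensitive, so 'Allow' and 'allow' compare equal.
        $status = if ($desired[$key] -eq $actual[$key]) { 'ok  ' } else { 'DIFF' }
        Write-Output ("{0} {1,-14} desired={2,-10} actual={3}" -f $status, $key, $desired[$key], $actual[$key])
    }
}
```

A count greater than one means several rules share the display name, which is worth resolving before re-running the play; any line marked DIFF is a field the host's rule and the playbook disagree on.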