community.windows
Unable to set idempotent firewall rule on windows firewall.
SUMMARY
When using win_firewall_rule, it seems that when you try to re-run the ansible code, it fails, saying the rule exists but has different values.
ISSUE TYPE
- Bug Report
COMPONENT NAME
win_firewall_rule
ANSIBLE VERSION
ansible-playbook 2.2.2.0
config file =
configured module search path = Default w/o overrides
CONFIGURATION
```yaml
- name: Firewall rule to allow ports 5000 and 5003
  win_firewall_rule:
    name: " FWRule"
    localport: 5000,5003
    action: allow
    direction: in
    protocol: tcp
    state: present
    enabled: yes
    ignore_errors: yes
```
OS / ENVIRONMENT
Target OS version: Windows Server 2019
STEPS TO REPRODUCE
Run the playbook
EXPECTED RESULTS
I'd expect the firewall rule to apply the very first time (it does). On subsequent applies, it should see that the rule exists and ignore it, or, if it's different, change it.
ACTUAL RESULTS
TASK [Firewall rule to allow ports 5000 and 5003] ***********************
fatal: [10.0.0.1]: FAILED! => {"changed": false, "difference": [" FWRule", "any"], "failed": true, "fwsettings": {"Action": "allow", "Direction": "in", "Enabled": "yes", "LocalIP": "any", "LocalPort": "5000,5003", "Profiles": "any", "Protocol": "tcp", "RemoteIP": "any", "RemotePort": "any", "Rule Name": " FWRule", "Service": "any"}, "msg": ["The rule ' FWRule' exists.", "The rule exists but has different values", "There was already a rule FWRule with different values, use force=True to overwrite it"]}
Additional information:
Deleting the rule from the server, and letting ansible re-run it yields:
TASK [Firewall rule to allow ports 5000 and 5003] ***********************
changed: [10.0.0.1]
Re-Running the task after this yields the same error:
The rule exists but has different values
Additionally, it seems to be ignoring the ignore_errors: yes section.
@IanMoroney you are using a really old version of Ansible (2.2) and this module has gone through a lot of iterations since then. Can you please try this with a newer version of Ansible, i.e. 2.9 and verify it's still a problem for you.
> Additionally, it seems to be ignoring the ignore_errors: yes section.
That's because you have set ignore_errors: yes as a module option, not a task option. The indentation for ignore_errors should be at the same level as name or win_firewall_rule, as it's a task option.
```yaml
- name: Firewall rule to allow ports 5000 and 5003
  win_firewall_rule:
    name: " FWRule"
    localport: 5000,5003
    action: allow
    direction: in
    protocol: tcp
    state: present
    enabled: yes
  ignore_errors: yes
```
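To find out which value the module considers "different", it helps to read the rule's live settings on the target in the same field layout as the fwsettings JSON in the failure message. The script below is an added example for that comparison, not code from the issue or from the module; it assumes the NetSecurity cmdlets of Windows Server 2019 and takes the display name, including its leading space, from the task above.

```powershell
# Added example: dump the live values of the firewall rule in the same field
# order as the module's fwsettings output, so each line can be read against
# the JSON in the failure message. Not part of the issue or the module.
$displayName = ' FWRule'   # copied from the task; note the leading space

$rules = @(Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue)
if ($rules.Count -eq 0) {
    Write-Output "No rule with DisplayName '$displayName' found."
    return
}
if ($rules.Count -gt 1) {
    # A second rule with the same display name is a common reason for a
    # comparison that never matches: the module may pick either one.
    Write-Warning "$($rules.Count) rules match '$displayName'; inspect all of them."
}

foreach ($r in $rules) {
    $port = $r | Get-NetFirewallPortFilter
    $addr = $r | Get-NetFirewallAddressFilter
    $svc  = $r | Get-NetFirewallServiceFilter

    [pscustomobject]@{
        'Rule Name' = $r.DisplayName
        Action      = $r.Action
        Direction   = $r.Direction
        Enabled     = $r.Enabled
        LocalIP     = ($addr.LocalAddress -join ',')
        LocalPort   = ($port.LocalPort -join ',')
        Profiles    = $r.Profile
        Protocol    = $port.Protocol
        RemoteIP    = ($addr.RemoteAddress -join ',')
        RemotePort  = ($port.RemotePort -join ',')
        Service     = $svc.Service
    } | Format-List
}
```

Windows reports its own spellings ("Any", "TCP", "True"), so compare the values case-insensitively against the lower-case strings in the module output; a field that differs here is the one to align in the task.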