ibm_is_security_group_rule is not idempotent #76

Open
kdelee opened this issue Oct 26, 2021 · 3 comments

kdelee commented Oct 26, 2021

https://github.com/IBM-Cloud/ansible-collection-ibm/blob/master/plugins/modules/ibm_is_security_group_rule.py

If you run this module multiple times with the same ports,

- name: "Configure Security Group Rule to open certain ports on the VSI"
  ibm.cloudcollection.ibm_is_security_group_rule:
    state: available
    group: "{{ vpc.default_security_group }}"
    region: "{{ ibmcloud_ic_region }}"
    direction: inbound
    remote: 0.0.0.0/0
    tcp:
      - port_max: "{{ item }}"
        port_min: "{{ item }}"
  loop: "{{ list_of_ports }}"

It just keeps adding more rules, even though the rules are the same. This is not idempotent behavior, and causes users to run into the max limit of 50 rules per security group.


Razique commented Feb 23, 2022

@kdelee I could be wrong, but I've found that for many modules, idempotency is controlled via the usage of the id parameter:

    id:
        description:
            - (Required when updating or destroying existing resource) IBM Cloud Resource ID.
        required: False
        type: str

This however requires you to retrieve the ID before creating the resource. In your case, you'd need to use the ibm_is_security_group_info module and retrieve the resource via the resource.id key.

@jimccann-rh

Confused, as it seems you cannot get it? rule_id is nothing??

ok: [localhost] => {
    "ansible_facts": {
        "vpc_security_group": {
            "crn": "crn:v1:bluemix:public:is:us-east:a/934a2fceb1944dd68f378c52b5f02dde::security-group:r014-3ebc609d-960a-41d2-b82d-69ccb0218188",
            "id": "r014-3ebc609d-960a-41d2-b82d-69ccb0218188",
            "name": "vpc-security-group-vmwareansible",
            "resource_controller_url": "https://cloud.ibm.com/vpc/network/securityGroups",
            "resource_crn": "crn:v1:bluemix:public:is:us-east:a/934a2fceb1944dd68f378c52b5f02dde::security-group:r014-3ebc609d-960a-41d2-b82d-69ccb0218188",
            "resource_group_name": "VMwareAnsible",
            "resource_name": "vpc-security-group-vmwareansible",
            "rules": [
                {
                    "code": 0,
                    "direction": "inbound",
                    "ip_version": "ipv4",
                    "port_max": 22,
                    "port_min": 22,
                    "protocol": "tcp",
                    "remote": "0.0.0.0/0",
                    "rule_id": "",
                    "type": 0
                },
                {
                    "code": 0,
                    "direction": "inbound",
                    "ip_version": "ipv4",
                    "port_max": 22,
                    "port_min": 22,
                    "protocol": "tcp",
                    "remote": "0.0.0.0/0",
                    "rule_id": "",
                    "type": 0
                }
            ],
            "tags": [],
            "vpc": "r014-d79642d3-f6f0-4eaf-9d8f-7eccb14ac154"
        }
    },
    "changed": false
}


Razique commented Sep 16, 2022

ID is there, try r014-3ebc609d-960a-41d2-b82d-69ccb0218188
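
Added example, not part of the thread and not the collection's own code: one way to avoid the duplicate rules described in this issue is to compare the wanted ports against the `rules` list shown in the info output above and create only what is missing. The function names, the tuple used as rule identity and the sample data are assumptions made for this sketch; the field names and the 50-rule limit come from the posts above.

```python
from collections import Counter

MAX_RULES_PER_GROUP = 50  # limit quoted in the issue


def _port(value):
    # Templated Ansible values may arrive as strings; the info output uses ints.
    return None if value in (None, "") else int(value)


def rule_key(rule):
    """Fields that decide what traffic a rule allows (assumed identity)."""
    return (rule["direction"], rule["protocol"], rule["remote"],
            _port(rule.get("port_min")), _port(rule.get("port_max")))


def plan_tcp_rules(existing_rules, ports, direction="inbound", remote="0.0.0.0/0"):
    """Return (to_create, duplicates) for single-port TCP rules.

    to_create:  arguments for rules that are not present yet
    duplicates: rule key -> number of surplus copies already in the group
    """
    counts = Counter(rule_key(r) for r in existing_rules)
    to_create, planned = [], set()
    for port in ports:
        key = (direction, "tcp", remote, _port(port), _port(port))
        if key in counts or key in planned:
            continue  # already allowed, or requested twice in this run
        planned.add(key)
        to_create.append({"direction": direction, "remote": remote,
                          "tcp": [{"port_min": key[3], "port_max": key[4]}]})
    if len(existing_rules) + len(to_create) > MAX_RULES_PER_GROUP:
        raise ValueError("plan exceeds %d rules per security group" % MAX_RULES_PER_GROUP)
    duplicates = {k: n - 1 for k, n in counts.items() if n > 1}
    return to_create, duplicates


# Constructed sample: the duplicated port-22 rule from the output in the thread.
SAMPLE_RULES = [
    {"direction": "inbound", "ip_version": "ipv4", "port_min": 22, "port_max": 22,
     "protocol": "tcp", "remote": "0.0.0.0/0", "rule_id": ""},
    {"direction": "inbound", "ip_version": "ipv4", "port_min": 22, "port_max": 22,
     "protocol": "tcp", "remote": "0.0.0.0/0", "rule_id": ""},
]

if __name__ == "__main__":
    create, dupes = plan_tcp_rules(SAMPLE_RULES, [22, 443, "443", 8080])
    print("create:", [r["tcp"][0]["port_min"] for r in create])
    print("surplus copies:", dupes)
```

The `duplicates` result also shows how much of the per-group quota is taken up by redundant copies, which is useful when auditing a group that earlier runs have already filled.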
