IBM-Cloud / ansible-collection-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

ibm_is_security_group_rule is not idempotent #76

Open kdelee opened 2 years ago

kdelee commented 2 years ago

https://github.com/IBM-Cloud/ansible-collection-ibm/blob/master/plugins/modules/ibm_is_security_group_rule.py

If you run this module multiple times with the same ports,

- name: "Configure Security Group Rule to open certain ports on the VSI"
  ibm.cloudcollection.ibm_is_security_group_rule:
    state: available
    group: "{{ vpc.default_security_group }}"
    region: "{{ ibmcloud_ic_region }}"
    direction: inbound
    remote: 0.0.0.0/0
    tcp:
      - port_max: "{{ item }}"
        port_min: "{{ item }}"
  loop: "{{ list_of_ports }}"

It just keeps adding more rules, even though the rules are the same. This is not idempotent behavior, and causes users to run into the max limit of 50 rules per security group

Razique commented 2 years ago

@kdelee I could be wrong, but I've found that for many modules, idempotency is controlled via the usage of the id parameter:

    id:
        description:
            - (Required when updating or destroying existing resource) IBM Cloud Resource ID.
        required: False
        type: str

This however requires you to retrieve the ID before creating the resource. In your case, you'd need to use the ibm_is_security_group_info module and retrieve the resource via the resource.id key.

jimccann-rh commented 2 years ago

Confused, as it seems you cannot get it? rule_id is *nothing*??

    ok: [localhost] => {
        "ansible_facts": {
            "vpc_security_group": {
                "crn": "crn:v1:bluemix:public:is:us-east:a/934a2fceb1944dd68f378c52b5f02dde::security-group:r014-3ebc609d-960a-41d2-b82d-69ccb0218188",
                "id": "r014-3ebc609d-960a-41d2-b82d-69ccb0218188",
                "name": "vpc-security-group-vmwareansible",
                "resource_controller_url": "https://cloud.ibm.com/vpc/network/securityGroups",
                "resource_crn": "crn:v1:bluemix:public:is:us-east:a/934a2fceb1944dd68f378c52b5f02dde::security-group:r014-3ebc609d-960a-41d2-b82d-69ccb0218188",
                "resource_group_name": "VMwareAnsible",
                "resource_name": "vpc-security-group-vmwareansible",
                "rules": [
                    {
                        "code": 0,
                        "direction": "inbound",
                        "ip_version": "ipv4",
                        "port_max": 22,
                        "port_min": 22,
                        "protocol": "tcp",
                        "remote": "0.0.0.0/0",
                        "rule_id": "",
                        "type": 0
                    },
                    {
                        "code": 0,
                        "direction": "inbound",
                        "ip_version": "ipv4",
                        "port_max": 22,
                        "port_min": 22,
                        "protocol": "tcp",
                        "remote": "0.0.0.0/0",
                        "rule_id": "",
                        "type": 0
                    }
                ],
                "tags": [],
                "vpc": "r014-d79642d3-f6f0-4eaf-9d8f-7eccb14ac154"
            }
        },
        "changed": false
    }

Razique commented 2 years ago

ID is there, try r014-3ebc609d-960a-41d2-b82d-69ccb0218188
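
The workaround Razique suggests (look up the security group with ibm_is_security_group_info before creating) only helps if the playbook can decide, from the returned rules list, whether an equivalent rule already exists. The snippet below is an added example, not code from the collection or from anyone in this thread: it takes a rules list in the shape jimccann-rh posted above (the two identical inbound tcp/22 entries are reproduced here as a constructed sample), identifies a rule by the fields that define the traffic it permits rather than by rule_id (which is empty in that output), and returns which desired rules are still missing and which existing rules are duplicates that eat into the 50-rule limit. The helper names (rule_key, missing_rules, duplicate_rules) and the assumption that a tcp/udp rule without ports means the full 1-65535 range are this example's own.

```python
"""Client-side idempotency check for IBM VPC security group rules (added example)."""

# Constructed sample: mirrors the two identical inbound tcp/22 rules from the
# ibm_is_security_group_info output quoted in the thread.
EXISTING_RULES = [
    {"code": 0, "direction": "inbound", "ip_version": "ipv4", "port_max": 22,
     "port_min": 22, "protocol": "tcp", "remote": "0.0.0.0/0", "rule_id": "", "type": 0},
    {"code": 0, "direction": "inbound", "ip_version": "ipv4", "port_max": 22,
     "port_min": 22, "protocol": "tcp", "remote": "0.0.0.0/0", "rule_id": "", "type": 0},
]


def rule_key(rule):
    """Canonical identity of a rule: direction, remote, protocol and, for
    tcp/udp, the port range; for icmp, type/code. rule_id is deliberately
    excluded: it is assigned per object, so two rules with different ids
    (or, as above, empty ids) can still permit exactly the same traffic."""
    proto = str(rule.get("protocol") or "all").lower()
    key = (rule.get("direction"), str(rule.get("remote")), proto)
    if proto in ("tcp", "udp"):
        # Assumption (not from the page): a missing port means the whole range.
        port_min = rule.get("port_min")
        port_max = rule.get("port_max")
        key += (int(port_min if port_min is not None else 1),
                int(port_max if port_max is not None else 65535))
    elif proto == "icmp":
        key += (rule.get("type"), rule.get("code"))
    return key


def desired_rule(direction, remote, protocol, port_min=None, port_max=None):
    """Build a desired-state rule in the same field layout the module takes."""
    return {"direction": direction, "remote": remote, "protocol": protocol,
            "port_min": port_min, "port_max": port_max}


def missing_rules(existing, desired):
    """Desired rules with no equivalent in `existing`, deduplicated, in order.
    Feeding only these to ibm_is_security_group_rule makes repeated runs a no-op."""
    present = {rule_key(r) for r in existing}
    out = []
    for d in desired:
        k = rule_key(d)
        if k not in present:
            out.append(d)
            present.add(k)  # the same desired rule is queued at most once
    return out


def duplicate_rules(existing):
    """Existing rules that repeat an earlier identical rule: candidates to
    remove when a group is creeping towards the 50-rule limit."""
    seen = set()
    dups = []
    for r in existing:
        k = rule_key(r)
        if k in seen:
            dups.append(r)
        else:
            seen.add(k)
    return dups


if __name__ == "__main__":
    # Equivalent of looping the module over list_of_ports = [22, 22, 443].
    wanted = [desired_rule("inbound", "0.0.0.0/0", "tcp", p, p) for p in (22, 22, 443)]
    to_create = missing_rules(EXISTING_RULES, wanted)
    print("rules to create:", [(r["protocol"], r["port_min"], r["port_max"]) for r in to_create])
    print("duplicate existing rules:", len(duplicate_rules(EXISTING_RULES)))
```

In a playbook the same logic can be expressed with a set_fact over the info module's rules list before the loop; the Python form is given here because it is easier to test the matching on its own. Rules with a security-group or CIDR `remote` compare by the string the API returns, so normalise that value (for example, resolve a group name to its id) before comparing if both forms appear in your inventory.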