ansible-collections / netapp.storagegrid

Ansible collection to support NetApp StorageGrid configuration.
https://galaxy.ansible.com/netapp/storageid
GNU General Public License v3.0

Modifying na_sg_org_group does not update s3_policy when managing management_policy simultaneously #7

Closed mmslkr closed 2 years ago

mmslkr commented 2 years ago
SUMMARY

Modifying na_sg_org_group does not update s3_policy when managing management_policy simultaneously.

ISSUE TYPE
COMPONENT NAME

na_sg_org_group

ANSIBLE VERSION
  config file = /vol1/homes/lkr/s3-tenant-management/ansible.cfg
  configured module search path = ['/vol1/homes/lkr/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /vol1/homes/lkr/ansible_2.10/lib/python3.6/site-packages/ansible
  executable location = /vol1/homes/lkr/ansible_2.10/bin/ansible
  python version = 3.6.12 (default, Sep 15 2020, 12:49:50) [GCC 4.8.5 20150623 (Red Hat 4.8.5-37)]

COLLECTION VERSION
------------------ -------
netapp.storagegrid 21.8.0

CONFIGURATION
DEFAULT_CALLBACK_WHITELIST(/vol1/homes/lkr/s3-tenant-management/ansible.cfg) = ['profile_tasks']
HOST_KEY_CHECKING(/vol1/homes/lkr/s3-tenant-management/ansible.cfg) = False

OS / ENVIRONMENT

not relevant

STEPS TO REPRODUCE

Create a group including any management_policy and s3_policy setting. Then change the s3_policy. See example:

---
- hosts: localhost
  collections:
    - netapp.storagegrid
  gather_facts: no
  tasks:
  - name: Include needed variables
    include_vars:
      dir: "vars/"

  - name: Get user authorization token
    uri:
      url: "{{ grid_admin_base_url }}/api/v3/authorize"
      method: POST
      body: {
        "accountId": "{{ tenant_account_id }}",
        "username": "{{ tenant_username }}",
        "password": "{{ tenant_password }}",
        "cookie": false,
        "csrfToken": false
      }
      body_format: json
      validate_certs: false
    register: auth
    check_mode: False

  - name: Manage Group
    na_sg_org_group:
      api_url: "{{ grid_admin_base_url }}"
      auth_token: "{{ auth.json.data }}"
      validate_certs: false
      state: "present"
      display_name: "test-group"
      unique_name: "group/test-group"
      management_policy:
        manage_all_containers: false
      s3_policy: "{{ item }}"
    loop:
      - {"Statement":[{"Effect":"Deny","Action":"s3:*","Resource":"arn:aws:s3:::*"}]}
      - {"Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::*"}]}

EXPECTED RESULTS

Group is modified with new S3 policy.

ACTUAL RESULTS

Ansible reports the group as unchanged.

TASK [Manage Group] ********************************************************************************************************************************************************
changed: [localhost] => (item={'Statement': [{'Effect': 'Deny', 'Action': 's3:*', 'Resource': 'arn:aws:s3:::*'}]})
ok: [localhost] => (item={'Statement': [{'Effect': 'Allow', 'Action': 's3:*', 'Resource': 'arn:aws:s3:::*'}]})

First "changed" is creating the group, second should be "changed" as well.

This does not happen when management_policy is not managed.