Open ZachHoiberg opened 1 year ago
Hi @ZachHoiberg ,
Thank you for raising this issue; I can reproduce it on my side. The Ansible result is based on the result the API returns, and this API method always returns "revision_changed": true, even when there is no data change in the body. I will report it to the API team for further investigation.
Thanks, Maxx
Hi @MaxxLiu22
In regard to "revision_change": true always being the case despite no change in the body, I believe this is due to the unset parameters for each individual route map rule. Upon looking at the system logs in the FortiGate, we can see that all the "Config Attributes" match those that are unset by default.
Hopefully that helps when you pass it across to the API team for further investigation.
Thanks, Tom
Hi,
I seem to have hit the same bug. Has there been any update from the API team?
My lab setup:
FortiFirewall v7.0.11 build0489
Playbook
```yaml
- name: Routing - RouteMaps
  hosts:
    - DC-FW-EXT
  gather_facts: false
  vars:
    apply_names:
      - RM-FortiGate-Out
  tasks:
    - name: Setup Route-Maps
      fortinet.fortios.fortios_router_route_map:
        vdom: "{{ vdom }}"
        state: "{{ item.state }}"
        access_token: "{{ fortios_access_token }}"
        enable_log: true
        router_route_map:
          name: "{{ item.name }}"
          comments: "{{ item.comments | default(omit) }}"
          rule: "{{ item.rule }}"
      loop: "{{ route_maps }}"
      loop_control:
        loop_var: item
        label: "{{ item.name }}"
      when:
        - (item.name in apply_names)
```
Vars
```yaml
route_maps:
  - name: RM-FortiGate-Out
    rule:
      - id: 1
        match_ip_nexthop: PL-SelfOriginated
    state: present
```
Results always have changed: true (failing idempotency check)
```
changed: [DC-FW-EXT] => (item=RM-FortiGate-Out) => {
    "ansible_loop_var": "item",
    "changed": true,
    "diff": {},
    "invocation": {
        "module_args": {
            "access_token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "enable_log": true,
            "member_path": null,
            "member_state": null,
            "router_route_map": {
                "comments": null,
                "name": "RM-FortiGate-Out",
                "rule": [
                    {
                        "action": null,
                        "id": 1,
                        "match_as_path": null,
                        "match_community": null,
                        "match_community_exact": null,
                        "match_extcommunity": null,
                        "match_extcommunity_exact": null,
                        "match_flags": null,
                        "match_interface": null,
                        "match_ip6_address": null,
                        "match_ip6_nexthop": null,
                        "match_ip_address": null,
                        "match_ip_nexthop": "PL-SelfOriginated",
                        "match_metric": null,
                        "match_origin": null,
                        "match_route_type": null,
                        "match_tag": null,
                        "match_vrf": null,
                        "set_aggregator_as": null,
                        "set_aggregator_ip": null,
                        "set_aspath": null,
                        "set_aspath_action": null,
                        "set_atomic_aggregate": null,
                        "set_community": null,
                        "set_community_additive": null,
                        "set_community_delete": null,
                        "set_dampening_max_suppress": null,
                        "set_dampening_reachability_half_life": null,
                        "set_dampening_reuse": null,
                        "set_dampening_suppress": null,
                        "set_dampening_unreachability_half_life": null,
                        "set_extcommunity_rt": null,
                        "set_extcommunity_soo": null,
                        "set_flags": null,
                        "set_ip6_nexthop": null,
                        "set_ip6_nexthop_local": null,
                        "set_ip_nexthop": null,
                        "set_ip_prefsrc": null,
                        "set_local_preference": null,
                        "set_metric": null,
                        "set_metric_type": null,
                        "set_origin": null,
                        "set_originator_id": null,
                        "set_priority": null,
                        "set_route_tag": null,
                        "set_tag": null,
                        "set_weight": null
                    }
                ]
            },
            "state": "present",
            "vdom": "root"
        }
    },
    "item": {
        "name": "RM-FortiGate-Out",
        "rule": [
            {
                "id": 1,
                "match_ip_nexthop": "PL-SelfOriginated"
            }
        ],
        "state": "present"
    },
    "meta": {
        "build": 489,
        "http_method": "PUT",
        "http_status": 200,
        "mkey": "RM-FortiGate-Out",
        "name": "route-map",
        "old_revision": "266a951558b628a89e52908a238a98ba",
        "path": "router",
        "revision": "0f687d97bcff62ec6c200b74a89f877c",
        "revision_changed": true,
        "serial": "XXXXXXXXXXXXXX",
        "status": "success",
        "vdom": "root",
        "version": "v7.0.11"
    }
}
```
On a side note, I've noticed that the results diff field is always an empty dict (even when config is changed). That might be because the fortios_router function always returns an empty dict.
Thanks
Neither of the above passes idempotency checks for setting the set_community value on the Fortigate. I believe this is due to the configuration itself containing the quotation marks around the set_community string.
I've tried passing a literal quote on each side, such as \"65102\" but this results in a repo error.
"msg": "Error in repo",
I imagine this module can have those quotes added to the idempotency check. This may also be present on other route_map attributes that can be set, but I have only encountered it on set_community.
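
The two causes suggested in this thread (unset parameters sent as null, and quotation marks stored around the set_community string) can be illustrated with a comparison that ignores both before deciding whether a change is needed. This is an added example, not code from the fortinet.fortios collection; the function names, the shape of the `current` data and all sample values are assumptions constructed for illustration.

```python
def normalize(value):
    """Drop unset (None) parameters and strip wrapping double quotes from strings."""
    if isinstance(value, dict):
        return {k: normalize(v) for k, v in value.items() if v is not None}
    if isinstance(value, list):
        return [normalize(v) for v in value]
    if isinstance(value, str) and len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def is_subset(want, have):
    """True when every explicitly set value in `want` is already present in `have`."""
    if isinstance(want, dict):
        return isinstance(have, dict) and all(
            k in have and is_subset(v, have[k]) for k, v in want.items())
    if isinstance(want, list):
        if not isinstance(have, list):
            return False
        # Rules are matched by their "id", not by list position.
        if all(isinstance(w, dict) and "id" in w for w in want):
            by_id = {h.get("id"): h for h in have if isinstance(h, dict)}
            return all(w["id"] in by_id and is_subset(w, by_id[w["id"]]) for w in want)
    return want == have


def needs_change(desired, current):
    """Idempotency decision: change only if a set parameter differs on the device."""
    return not is_subset(normalize(desired), normalize(current))


# Desired state as the module sees it (unset parameters arrive as None).
DESIRED = {"name": "RM-FortiGate-Out", "comments": None, "rule": [
    {"id": 1, "action": None, "match_ip_nexthop": "PL-SelfOriginated",
     "set_community": None}]}
# Constructed device state: defaults filled in for everything left unset.
CURRENT = {"name": "RM-FortiGate-Out", "comments": "", "rule": [
    {"id": 1, "action": "permit", "match_ip_nexthop": "PL-SelfOriginated",
     "set_community": ""}]}
# Constructed quoted-value case: the device stores the string with quotes.
DESIRED_Q = {"name": "RM", "rule": [{"id": 1, "set_community": "65102"}]}
CURRENT_Q = {"name": "RM", "rule": [{"id": 1, "set_community": '"65102"'}]}

if __name__ == "__main__":
    print(needs_change(DESIRED, CURRENT))      # unset parameters ignored
    print(needs_change(DESIRED_Q, CURRENT_Q))  # wrapping quotes ignored
```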