vmware / ansible-for-nsxt

Ansible delivers simple IT automation that ends repetitive tasks and frees up DevOps teams for more strategic work. This project is to enable this automation for NSX-T installation.

Running in check mode always reports changes, even if there are none. #387

Open hexmoose opened 3 years ago

hexmoose commented 3 years ago

Hi,

I've noticed some behavior when using these modules with the --check flag that doesn't seem right. Check mode always returns a status of changed, even when no changes are present, as confirmed by running the same playbook again without --check. This makes it difficult to identify resources that will be changed before actually applying the change. The issue may be present in other modules as well, but I have tested this behavior using nsxt_transport_zones and nsxt_policy_segment.

Here's a sample playbook execution that demonstrates the behavior:

ansible@a4475a97ed39:/app$ ansible-playbook -i inventories/org/hosts.yml playbooks/nsx.yml -l org-nsx-mgmt-vip.mydomain.com -v --check
Using /app/ansible.cfg as config file

PLAY [org_mgmt_vm_nsx] **************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************
ok: [org-nsx-mgmt-vip.mydomain.com]

TASK [nsx : Create transport zones] ***************************************************************************************************
changed: [org-nsx-mgmt-vip.mydomain.com] => (item={'name': 'edge-vlan-transportzone', 'description': 'edge-vlan-transportzone', 'transport_zone_display_name': 'edge-vlan-transportzone', 'transport_type': 'VLAN'}) => {"ansible_loop_var": "item", "changed": true, "debug_out": "{\"resource_type\": \"TransportZone\", \"display_name\": \"edge-vlan-transportzone\", \"description\": \"edge-vlan-transportzone\", \"transport_type\": \"VLAN\", \"uplink_teaming_policy_names\": [\"uplink-1\", \"uplink-2\"]}", "id": "12345", "item": {"description": "edge-vlan-transportzone", "name": "edge-vlan-transportzone", "transport_type": "VLAN", "transport_zone_display_name": "edge-vlan-transportzone"}}

PLAY RECAP ****************************************************************************************************************************
org-nsx-mgmt-vip.mydomain.com : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Running the same code again without the --check flag reports no changes:

ansible@a4475a97ed39:/app$ ansible-playbook -i inventories/org/hosts.yml playbooks/nsx.yml -l org-nsx-mgmt-vip.mydomain.com -v
Using /app/ansible.cfg as config file

PLAY [org_mgmt_vm_nsx] **************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************
ok: [org-nsx-mgmt-vip.mydomain.com]

TASK [nsx : Create transport zones] ***************************************************************************************************
ok: [org-nsx-mgmt-vip.mydomain.com] => (item={'name': 'edge-vlan-transportzone', 'description': 'edge-vlan-transportzone', 'transport_zone_display_name': 'edge-vlan-transportzone', 'transport_type': 'VLAN'}) => {"ansible_loop_var": "item", "changed": false, "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "item": {"description": "edge-vlan-transportzone", "name": "edge-vlan-transportzone", "transport_type": "VLAN", "transport_zone_display_name": "edge-vlan-transportzone"}, "message": "Transport zone with display_name edge-vlan-transportzone already exist."}

PLAY RECAP ****************************************************************************************************************************
org-nsx-mgmt-vip.mydomain.com : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Here are snippets of the relevant ansible configurations.

---
- name: Create transport zones
  vmware.ansible_for_nsxt.nsxt_transport_zones:
    hostname: "{{ inventory_hostname }}"
    username: "{{ nsx_username }}"
    password: "{{ nsx_password }}"
    validate_certs: true
    resource_type: TransportZone
    display_name: "{{ item.name }}"
    description: "{{ item.description }}"
    transport_type: "{{ item.transport_type }}"
    uplink_teaming_policy_names:
    - uplink-1
    - uplink-2
    state: present
  loop: "{{ transport_zones }}"
---
transport_zones:
- name: edge-vlan-transportzone
  description: edge-vlan-transportzone
  transport_zone_display_name: edge-vlan-transportzone
  transport_type: VLAN

I'm using the current master branch (f75c698e24073305a968ce2f70739fee77a14bb2) and ansible version:

ansible-playbook [core 2.11.3]
  config file = /app/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ansible/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ansible/.local/bin/ansible-playbook
  python version = 3.9.6 (default, Jun 29 2021, 19:18:53) [GCC 8.3.0]
  jinja version = 3.0.1
  libyaml = True

Taking a brief look at the module code, it appears to support check mode.

https://github.com/vmware/ansible-for-nsxt/blob/f75c698e24073305a968ce2f70739fee77a14bb2/plugins/modules/nsxt_transport_zones.py#L203

It looks like the changed state may be hardcoded to True?

https://github.com/vmware/ansible-for-nsxt/blob/f75c698e24073305a968ce2f70739fee77a14bb2/plugins/modules/nsxt_transport_zones.py#L227

Thank you for taking a look at this and any help you can provide!

notti1205 commented 7 months ago

I'm having a similar problem to this with the nsxt_policy_tier0 module. The parameter changed is set to True also in case of no diff, so this means always changed.

https://github.com/vmware/ansible-for-nsxt/blob/dfbbd0463f834046d2dcd32e70d3e26d6120613a/plugins/module_utils/nsxt_base_resource.py#L572
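
Both comments describe a result whose `changed` flag is not derived from a comparison of desired and current state, which makes `--check` unusable as a pre-change review or drift check. The following is an added example, not code from ansible-for-nsxt: it computes `changed` from a diff and skips the write in check mode. `SERVER_MANAGED`, `diff_resource`, `ensure_present` and the sample dictionaries are hypothetical names and constructed data.

```python
# Added illustration; not code from vmware/ansible-for-nsxt.
# Assumption: keys the server manages itself and that must not count as drift.
SERVER_MANAGED = {"id", "_revision", "_create_time", "_last_modified_time"}

# Constructed sample: the transport zone from the playbook above, as it might
# be read back from the manager, and the state the task asks for.
EXISTING = {
    "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "_revision": 0,
    "resource_type": "TransportZone",
    "display_name": "edge-vlan-transportzone",
    "description": "edge-vlan-transportzone",
    "transport_type": "VLAN",
    "uplink_teaming_policy_names": ["uplink-2", "uplink-1"],
}
DESIRED = {
    "resource_type": "TransportZone",
    "display_name": "edge-vlan-transportzone",
    "description": "edge-vlan-transportzone",
    "transport_type": "VLAN",
    "uplink_teaming_policy_names": ["uplink-1", "uplink-2"],
}


def diff_resource(existing, desired):
    """Return {key: (current, wanted)} for each desired key that differs."""
    if existing is None:  # resource does not exist yet: everything is new
        return {k: (None, v) for k, v in desired.items()}
    delta = {}
    for key, wanted in desired.items():
        if key in SERVER_MANAGED:
            continue
        current = existing.get(key)
        if isinstance(wanted, list) and isinstance(current, list):
            # Assumption: these lists are unordered sets of names.
            same = sorted(map(str, wanted)) == sorted(map(str, current))
        else:
            same = current == wanted
        if not same:
            delta[key] = (current, wanted)
    return delta


def ensure_present(existing, desired, check_mode, apply):
    """Build the result a module would pass to exit_json()."""
    delta = diff_resource(existing, desired)
    if delta and not check_mode:
        apply(desired)  # write only when something differs and not --check
    return {"changed": bool(delta), "diff": delta}
```

With this shape, a check-mode run and a real run report the same `changed` value for the same inputs, and the `diff` shows which fields would be written.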