Change security group rules only when instructed to do so

Security group rules in module openstack.cloud.security_group are changed/updated only when option 'security_group_rules' was defined explicitly. This follows our policy of "apply no change" when module options in our Ansible modules have not been set. Story: 2010691 Task: 47795 Change-Id: I4a0cda46cb160b5321913b63ff1123d8b8a19705
2026-05-07 13:53:15 +00:00 · 2023-04-06 08:51:13 +02:00
parent 568adcb890
commit ab6f2e45c6
2 changed files with 54 additions and 4 deletions
--- a/ci/roles/security_group/tasks/rules.yml
+++ b/ci/roles/security_group/tasks/rules.yml
@@ -32,7 +32,9 @@
 - name: Assert return values of security_group_rule_info module
  assert:
    that:
-      - security_group_rules.security_group_rules | length == 0
+      - security_group_rules.security_group_rules | length in [1, 2]
+      - security_group_rules.security_group_rules | map(attribute='ether_type') | list | sort in
+        [['IPv4'], ['IPv6'], ['IPv4', 'IPv6']]

 - name: Delete security group
  openstack.cloud.security_group:
@@ -58,6 +60,47 @@
    that:
      - security_group is not changed

+- name: Create security group without security group rules
+  openstack.cloud.security_group:
+    cloud: "{{ cloud }}"
+    name: ansible_security_group
+    security_group_rules: []
+  register: security_group
+
+- name: Assert return values of security_group module
+  assert:
+    that:
+      - security_group is changed
+
+- name: Create security group without security group rules again
+  openstack.cloud.security_group:
+    cloud: "{{ cloud }}"
+    name: ansible_security_group
+    security_group_rules: []
+  register: security_group
+
+- name: Assert return values of security_group module
+  assert:
+    that:
+      - security_group is not changed
+
+- name: Fetch security group rules
+  openstack.cloud.security_group_rule_info:
+    cloud: "{{ cloud }}"
+    security_group: ansible_security_group
+  register: security_group_rules
+
+- name: Assert return values of security_group_rule_info module
+  assert:
+    that:
+      - security_group_rules.security_group_rules | length == 0
+
+- name: Delete security group without security group rules
+  openstack.cloud.security_group:
+    cloud: "{{ cloud }}"
+    name: ansible_security_group
+    state: absent
+
 - name: Create security group including security group rules
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
@@ -263,10 +306,11 @@
    name: ansible_security_group
    state: absent

- name: Create security group
+- name: Create security group without security group rules
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
+    security_group_rules: []
    state: present
  register: security_group