Change security group rules only when instructed to do so

Security group rules in module openstack.cloud.security_group
are changed/updated only when option 'security_group_rules' was
defined explicitly. This follows our policy of "apply no change"
when module options in our Ansible modules have not been set.

Story: 2010691
Task: 47795
Change-Id: I4a0cda46cb160b5321913b63ff1123d8b8a19705
Jakob Meng
2023-04-06 08:51:13 +02:00
parent 568adcb890
commit ab6f2e45c6
2 changed files with 54 additions and 4 deletions


@@ -34,8 +34,8 @@ options:
security group with a default set of rules.
- Security group rules which are listed in I(security_group_rules)
but not defined in this security group will be created.
- Existing security group rules which are not listed in
I(security_group_rules) will be deleted.
- When I(security_group_rules) is not set, existing security group rules
which are not listed in I(security_group_rules) will be deleted.
- When updating a security group, one has to explicitly list rules from
Neutron's defaults in I(security_group_rules) if those rules should be
kept. Rules which are not listed in I(security_group_rules) will be
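Review bot: The sentence "When I(security_group_rules) is not set, existing security group rules which are not listed in I(security_group_rules) will be deleted" says the opposite of what the commit message and the new early return in _build_update_security_group_rules do, where an unset option means no rule is touched. It should read "is set", or better, be split into two statements: rules not listed are deleted when the option is defined, and existing rules are left unchanged when it is omitted. The last bullet about Neutron's defaults should carry the same condition, since it still reads as if unlisted rules are always removed on update.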
@@ -331,6 +331,12 @@ class SecurityGroupModule(OpenStackModule):
def _build_update_security_group_rules(self, security_group):
if self.params['security_group_rules'] is None:
# Consider a change of security group rules only when option
# 'security_group_rules' was defined explicitly, because undefined
# options in our Ansible modules denote "apply no change"
return {}
def find_security_group_rule_match(prototype, security_group_rules):
matches = [r for r in security_group_rules
if is_security_group_rule_match(prototype, r)]
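Review bot: The "is None" check at the top of _build_update_security_group_rules makes an omitted option and an explicit empty list behave very differently, and neither the comment nor the option documentation says so. With "security_group_rules: []" the code still falls through to the matching logic, so per the documented semantics every existing rule is removed, while omitting the option now keeps all of them, including Neutron's default rules that earlier runs would have deleted. Please state the empty-list case in the option docs, add a release note for the behaviour change (playbooks that relied on omission to strip default rules will now leave them in place), and make sure the tests cover both the omitted and the empty-list case.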