Added support for 'any' protocol in security group rules

Story: 2007849 Task: 40143 Story: 2008064 Task: 40747 Change-Id: I1e2f6dde4c7a17b6c5c9fcffad1b5748a1d44a15
2026-05-06 21:33:07 +00:00 · 2023-01-12 10:32:51 +01:00
parent 5aaa41c9c4
commit e34f259566
3 changed files with 205 additions and 11 deletions
--- a/plugins/modules/security_group.py
+++ b/plugins/modules/security_group.py
@@ -102,6 +102,9 @@ options:
      remote_ip_prefix:
        description:
          - Source IP address(es) in CIDR notation.
+          - When a netmask such as C(/32) is missing from I(remote_ip_prefix),
+            then this module will fail on updates with OpenStack error message
+            C(Security group rule already exists.).
          - Mutually exclusive with I(remote_group).
        type: str
  state:
@@ -349,12 +352,6 @@ class SecurityGroupModule(OpenStackModule):
               and security_group_rule['ethertype'] != prototype['ether_type']:
                return False

-            if 'protocol' in prototype \
-               and prototype['protocol'] in ['any', '0']:
-                if security_group_rule['protocol'] is not None:
-                    return False
-                skip_keys.append('protocol')
-
            if 'protocol' in prototype \
               and prototype['protocol'] in ['tcp', 'udp']:
                # Check if the user is supplying -1, 1 to 65535 or None values
@@ -445,9 +442,23 @@ class SecurityGroupModule(OpenStackModule):
        def _generate_security_group_rule(params):
            prototype = dict(
                (k, params[k])
-                for k in ['direction', 'protocol', 'remote_ip_prefix']
+                for k in ['direction', 'remote_ip_prefix']
                if params[k] is not None)

+            # When remote_ip_prefix is missing a netmask, then Neutron will add
+            # a netmask using Python library netaddr [0] and its IPNetwork
+            # class [1]. We do not want to introduce additional Python
+            # dependencies to our code base and neither want to replicate
+            # netaddr's parse_ip_network code here. So we do not handle
+            # remote_ip_prefix without a netmask and instead let Neutron handle
+            # it.
+            # [0] https://opendev.org/openstack/neutron/src/commit/\
+            #     43d94640568828f5e98bbb1e9df985ec3f1bb2d2/neutron/db/securitygroups_db.py#L775
+            # [1] https://github.com/netaddr/netaddr/blob/\
+            #     b1d8f016abee00c8a93e35b928acdc22797c800a/netaddr/ip/__init__.py#L841
+            # [2] https://github.com/netaddr/netaddr/blob/\
+            #     b1d8f016abee00c8a93e35b928acdc22797c800a/netaddr/ip/__init__.py#L773
+
            prototype['project_id'] = security_group.project_id
            prototype['security_group_id'] = security_group.id

@@ -469,6 +480,9 @@ class SecurityGroupModule(OpenStackModule):
                prototype['ether_type'] = ether_type

            protocol = params['protocol']
+            if protocol is not None and protocol not in ['any', '0']:
+                prototype['protocol'] = protocol
+
            port_range_max = params['port_range_max']
            port_range_min = params['port_range_min']