cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

os_security_group_rule fix port matching when protocol is any (#59055)

Browse source 
* Added logic to match on protocol 'any'

I personally use this to remove the default created egress rules from
security groups.

* Fixes for ansible-test
This commit is contained in:
Jeffrey van Pelt 2019-11-25 14:05:34 +01:00 committed by ansibot
parent 5f8ec4d46e
commit f37dbf859b
1 changed files with 20 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
lib/ansible/modules/cloud/openstack/os_security_group_rule.py
View file

@ -17,7 +17,9 @@ DOCUMENTATION = '''
--- ---
module: os_security_group_rule module: os_security_group_rule
short_description: Add/Delete rule from an existing security group short_description: Add/Delete rule from an existing security group
author: "Benno Joy (@bennojoy)" author:
- "Benno Joy (@bennojoy)"
- "Jeffrey van Pelt (@Thulium-Drake)"
extends_documentation_fragment: openstack extends_documentation_fragment: openstack
version_added: "2.0" version_added: "2.0"
description: description:
@ -29,8 +31,8 @@ options:
required: true required: true
protocol: protocol:
description: description:
- IP protocols TCP UDP ICMP 112 (VRRP) 132 (SCTP) - IP protocols ANY TCP UDP ICMP 112 (VRRP) 132 (SCTP)
choices: ['tcp', 'udp', 'icmp', '112', '132', None] choices: ['any', 'tcp', 'udp', 'icmp', '112', '132', None]
port_range_min: port_range_min:
description: description:
- Starting port - Starting port
@ -127,6 +129,13 @@ EXAMPLES = '''
protocol: icmp protocol: icmp
remote_ip_prefix: 0.0.0.0/0 remote_ip_prefix: 0.0.0.0/0
project: myproj project: myproj
# Remove the default created egress rule for IPv4
- os_security_group_rule:
cloud: mordred
security_group: foo
protocol: any
remote_ip_prefix: 0.0.0.0/0
''' '''
RETURN = ''' RETURN = '''
@ -202,6 +211,10 @@ def _ports_match(protocol, module_min, module_max, rule_min, rule_max):
if module_max and int(module_max) == -1: if module_max and int(module_max) == -1:
module_max = None module_max = None
# Rules with 'any' protocol do not match ports
if protocol == 'any':
return True
# Check if the user is supplying -1 or None values for full TPC/UDP port range. # Check if the user is supplying -1 or None values for full TPC/UDP port range.
if protocol in ['tcp', 'udp'] or protocol is None: if protocol in ['tcp', 'udp'] or protocol is None:
if module_min and module_max and int(module_min) == int(module_max) == -1: if module_min and module_max and int(module_min) == int(module_max) == -1:
@ -273,7 +286,7 @@ def main():
# NOTE(Shrews): None is an acceptable protocol value for # NOTE(Shrews): None is an acceptable protocol value for
# Neutron, but Nova will balk at this. # Neutron, but Nova will balk at this.
protocol=dict(default=None, protocol=dict(default=None,
choices=[None, 'tcp', 'udp', 'icmp', '112', '132']), choices=[None, 'any', 'tcp', 'udp', 'icmp', '112', '132']),
port_range_min=dict(required=False, type='int'), port_range_min=dict(required=False, type='int'),
port_range_max=dict(required=False, type='int'), port_range_max=dict(required=False, type='int'),
remote_ip_prefix=dict(required=False, default=None), remote_ip_prefix=dict(required=False, default=None),
@ -330,6 +343,9 @@ def main():
module.exit_json(changed=_system_state_change(module, secgroup, remotegroup)) module.exit_json(changed=_system_state_change(module, secgroup, remotegroup))
if state == 'present': if state == 'present':
if module.params['protocol'] == 'any':
module.params['protocol'] = None
if not secgroup: if not secgroup:
module.fail_json(msg='Could not find security group %s' % module.fail_json(msg='Could not find security group %s' %
security_group) security_group)