cs_network_acl_rule: implement cidr/cidrs as list (#56083)

lib/ansible/modules/cloud/cloudstack/cs_network_acl_rule.py

@@ -23,11 +23,12 @@ options:
     type: str
     required: true
     aliases: [ acl ]
-  cidr:
+  cidrs:
     description:
-      - CIDR of the rule.
-    type: str
-    default: 0.0.0.0/0
+      - CIDRs of the rule.
+    type: list
+    default: [ 0.0.0.0/0 ]
+    aliases: [ cidr ]
   rule_position:
     description:
       - The position of the network ACL rule.
@@ -134,7 +135,7 @@ EXAMPLES = '''
     cidr: 0.0.0.0/0
   delegate_to: localhost
 
-- name: create a network ACL rule, deny port range 8000-9000 ingress for 10.20.0.0/16
+- name: create a network ACL rule, deny port range 8000-9000 ingress for 10.20.0.0/16 and 10.22.0.0/16
   cs_network_acl_rule:
     network_acl: web
     rule_position: 1
@@ -142,20 +143,10 @@ EXAMPLES = '''
     traffic_type: ingress
     action_policy: deny
     start_port: 8000
-    end_port: 8000
-    cidr: 10.20.0.0/16
-  delegate_to: localhost
-
-- name: create a network ACL rule
-  cs_network_acl_rule:
-    network_acl: web
-    rule_position: 1
-    vpc: my vpc
-    traffic_type: ingress
-    action_policy: deny
-    start_port: 8000
-    end_port: 8000
-    cidr: 10.20.0.0/16
+    end_port: 9000
+    cidrs:
+    - 10.20.0.0/16
+    - 10.22.0.0/16
   delegate_to: localhost
 
 - name: remove a network ACL rule
@@ -179,6 +170,12 @@ cidr:
   returned: success
   type: str
   sample: 0.0.0.0/0
+cidrs:
+  description: CIDRs of the network ACL rule.
+  returned: success
+  type: list
+  sample: [ 0.0.0.0/0 ]
+  version_added: '2.9'
 rule_position:
   description: Position of the network ACL rule.
   returned: success
@@ -357,7 +354,7 @@ class AnsibleCloudStackNetworkAclRule(AnsibleCloudStack):
             'icmpcode': self.module.params.get('icmp_code'),
             'icmptype': self.module.params.get('icmp_type'),
             'traffictype': self.module.params.get('traffic_type'),
-            'cidrlist': self.module.params.get('cidr'),
+            'cidrlist': self.module.params.get('cidrs'),
         }
         if not self.module.check_mode:
             res = self.query_api('createNetworkACL', **args)
@@ -379,7 +376,7 @@ class AnsibleCloudStackNetworkAclRule(AnsibleCloudStack):
             'icmpcode': self.module.params.get('icmp_code'),
             'icmptype': self.module.params.get('icmp_type'),
             'traffictype': self.module.params.get('traffic_type'),
-            'cidrlist': self.module.params.get('cidr'),
+            'cidrlist': ",".join(self.module.params.get('cidrs')),
         }
         if self.has_changed(args, network_acl_rule):
             self.result['changed'] = True
@@ -395,6 +392,8 @@ class AnsibleCloudStackNetworkAclRule(AnsibleCloudStack):
     def get_result(self, network_acl_rule):
         super(AnsibleCloudStackNetworkAclRule, self).get_result(network_acl_rule)
         if network_acl_rule:
+            if 'cidrlist' in network_acl_rule:
+                self.result['cidrs'] = network_acl_rule['cidrlist'].split(',') or [network_acl_rule['cidrlist']]
             if network_acl_rule['protocol'] not in ['tcp', 'udp', 'icmp', 'all']:
                 self.result['protocol_number'] = int(network_acl_rule['protocol'])
                 self.result['protocol'] = 'by_number'
@@ -409,7 +408,7 @@ def main():
         network_acl=dict(required=True, aliases=['acl']),
         rule_position=dict(required=True, type='int', aliases=['number']),
         vpc=dict(required=True),
-        cidr=dict(default='0.0.0.0/0'),
+        cidrs=dict(type='list', default=['0.0.0.0/0'], aliases=['cidr']),
         protocol=dict(choices=['tcp', 'udp', 'icmp', 'all', 'by_number'], default='tcp'),
         protocol_number=dict(type='int'),
         traffic_type=dict(choices=['ingress', 'egress'], aliases=['type'], default='ingress'),

test/integration/targets/cs_network_acl_rule/tasks/main.yml

@@ -174,7 +174,9 @@
     traffic_type: egress
     action_policy: deny
     port: 81
-    cidr: 0.0.0.0/0
+    cidrs:
+    - 1.2.3.0/24
+    - 3.2.1.0/24
     zone: "{{ cs_common_zone_adv }}"
   register: acl_rule
   check_mode: true
@@ -189,6 +191,7 @@
     - acl_rule.end_port == 80
     - acl_rule.action_policy == "allow"
     - acl_rule.cidr == "0.0.0.0/0"
+    - acl_rule.cidrs == [ "0.0.0.0/0" ]
     - acl_rule.traffic_type == "ingress"
     - acl_rule.rule_position == 1
 
@@ -201,7 +204,9 @@
     action_policy: deny
     port: 81
     protocol: udp
-    cidr: 0.0.0.0/0
+    cidrs:
+    - 1.2.3.0/24
+    - 3.2.1.0/24
     zone: "{{ cs_common_zone_adv }}"
   register: acl_rule
 - name: verify test change network acl rule
@@ -214,7 +219,8 @@
     - acl_rule.start_port == 81
     - acl_rule.end_port == 81
     - acl_rule.action_policy == "deny"
-    - acl_rule.cidr == "0.0.0.0/0"
+    - acl_rule.cidr == "1.2.3.0/24,3.2.1.0/24"
+    - acl_rule.cidrs == [ "1.2.3.0/24", "3.2.1.0/24" ]
     - acl_rule.traffic_type == "egress"
     - acl_rule.protocol == "udp"
     - acl_rule.rule_position == 1
@@ -228,7 +234,9 @@
     action_policy: deny
     port: 81
     protocol: udp
-    cidr: 0.0.0.0/0
+    cidrs:
+    - 1.2.3.0/24
+    - 3.2.1.0/24
     zone: "{{ cs_common_zone_adv }}"
   register: acl_rule
 - name: verify test change network acl idempotence
@@ -241,7 +249,8 @@
     - acl_rule.start_port == 81
     - acl_rule.end_port == 81
     - acl_rule.action_policy == "deny"
-    - acl_rule.cidr == "0.0.0.0/0"
+    - acl_rule.cidr == "1.2.3.0/24,3.2.1.0/24"
+    - acl_rule.cidrs == [ "1.2.3.0/24", "3.2.1.0/24" ]
     - acl_rule.traffic_type == "egress"
     - acl_rule.protocol == "udp"
     - acl_rule.rule_position == 1
@@ -270,7 +279,7 @@
     - acl_rule.start_port == 81
     - acl_rule.end_port == 81
     - acl_rule.action_policy == "deny"
-    - acl_rule.cidr == "0.0.0.0/0"
+    - acl_rule.cidr == "1.2.3.0/24,3.2.1.0/24"
     - acl_rule.traffic_type == "egress"
     - acl_rule.protocol == "udp"
     - acl_rule.rule_position == 1