os_security_group_rule failing when using remote_group from another project #69673

Closed
oscardalmau opened this issue May 22, 2020 · 7 comments
Labels
affects_2.9 This issue/PR affects Ansible v2.9 bug This issue/PR relates to a bug. cloud collection Related to Ansible Collections work has_pr This issue has an associated PR. module This issue/PR relates to a module. openstack support:community This issue/PR relates to code supported by the Ansible community. traceback This issue/PR includes a traceback.

Comments

@oscardalmau

SUMMARY

Using the Ansible module os_security_group_rule to add rules in OpenStack security groups. When adding a rule that uses the "remote_group" argument to use a security group from another project as a source (using the ID), it fails. I am using an OpenStack admin user to do it, in order to have a scope from all projects. It fails when executing the playbook in versions higher than 2.6.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

os_security_group_rule

ANSIBLE VERSION
ansible 2.9.7
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/oscar.dalmau/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  7 2019, 00:51:29) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
CONFIGURATION
nothing changed
OS / ENVIRONMENT
STEPS TO REPRODUCE

1- Create security group in tenant 1
2- Create security group in tenant 2
3- Execute playbook to add a rule in security group from tenant 1. The rule uses as a source the remote group from tenant 2.

- name: "Add rule to security group isolated test case"
  os_security_group_rule:
    auth: "{{ auth }}"
    security_group: test-slb-to-cap-pre-pool # SG from "oscar" tenant
    protocol: tcp
    port_range_min: 11520
    port_range_max: 11520
    remote_group: 5cc10673-6959-41dd-9aea-4dcb02bf145e # sg from another tenant - Fails in Ansible 2.9.7 - Only seems to work in ansible 2.6.16, 2.6.20 < 2.7

EXPECTED RESULTS

Rule added.

ACTUAL RESULTS

[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] **************************************************************************************************************************************************************************************************

TASK [Add rule to security group isolated test case] **************************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: TypeError: 'NoneType' object has no attribute '__getitem__'
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File "/home/oscar.dalmau/.ansible/tmp/ansible-tmp-1590080682.09-20856-207658969172012/AnsiballZ_os_security_group_rule.py", line 102, in <module>\n _ansiballz_main()\n File "/home/oscar.dalmau/.ansible/tmp/ansible-tmp-1590080682.09-20856-207658969172012/AnsiballZ_os_security_group_rule.py", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File "/home/oscar.dalmau/.ansible/tmp/ansible-tmp-1590080682.09-20856-207658969172012/AnsiballZ_os_security_group_rule.py", line 40, in invoke_module\n runpy.run_module(mod_name='ansible.modules.cloud.openstack.os_security_group_rule', init_globals=None, run_name='__main__', alter_sys=True)\n File "/usr/lib64/python2.7/runpy.py", line 176, in run_module\n fname, loader, pkg_name)\n File "/usr/lib64/python2.7/runpy.py", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File "/usr/lib64/python2.7/runpy.py", line 72, in _run_code\n exec code in run_globals\n File "/tmp/ansible_os_security_group_rule_payload_QiWxQK/ansible_os_security_group_rule_payload.zip/ansible/modules/cloud/openstack/os_security_group_rule.py", line 369, in <module>\n File "/tmp/ansible_os_security_group_rule_payload_QiWxQK/ansible_os_security_group_rule_payload.zip/ansible/modules/cloud/openstack/os_security_group_rule.py", line 337, in main\n File "/tmp/ansible_os_security_group_rule_payload_QiWxQK/ansible_os_security_group_rule_payload.zip/ansible/modules/cloud/openstack/os_security_group_rule.py", line 239, in _find_matching_rule\nTypeError: 'NoneType' object has no attribute '__getitem__'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP ********************************************************************************************************************************************************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0


@ansibot
Contributor

ansibot commented May 22, 2020

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


@ansibot ansibot added affects_2.9 This issue/PR affects Ansible v2.9 bug This issue/PR relates to a bug. cloud collection Related to Ansible Collections work collection:openstack.cloud module This issue/PR relates to a module. needs_collection_redirect https://github.com/ansible/ansibullbot/blob/master/docs/collection_migration.md needs_triage Needs a first human triage before being processed. openstack support:community This issue/PR relates to code supported by the Ansible community. traceback This issue/PR includes a traceback. labels May 22, 2020
@sshnaidm
Contributor

@oscardalmau for 2.10 it's developed in https://github.com/openstack/ansible-collections-openstack and we open bugs in https://storyboard.openstack.org
Not sure though about porting to 2.9 and if it's still allowed.
I prepared a patch, but it requires usage of the collection: https://review.opendev.org/#/c/730422/
Can you please try it and see if it fixes the problem?

@oscardalmau
Author

Thanks @sshnaidm. It works.

@sshnaidm
Contributor

@oscardalmau great! I'll merge the fix into the collection then.
Again, not sure if 2.9 is still getting patches, if so - will make a PR.
For now you can install the collection and use it: https://github.com/openstack/ansible-collections-openstack/blob/master/README.md

@oscardalmau
Author

Thanks @sshnaidm. Could you please share the PR so I can track if it's approved or not?

@sshnaidm
Contributor

@oscardalmau it should be #69726

@ansibot ansibot added the has_pr This issue has an associated PR. label May 27, 2020
openstack-mirroring pushed a commit to openstack/ansible-collections-openstack that referenced this issue Jun 13, 2020
When security group is from different project, don't pass tenant
Fixes ansible/ansible#69673
Change-Id: I230c41d1ace179390744287102fead5ddf420157
@ansibot ansibot removed collection:openstack.cloud needs_collection_redirect https://github.com/ansible/ansibullbot/blob/master/docs/collection_migration.md labels Jul 9, 2020
@mkrizek
Contributor

mkrizek commented Aug 17, 2020

The fix has been merged in a collection repo and backported in 2.9. Closing.

@mkrizek mkrizek closed this as completed Aug 17, 2020
@sivel sivel removed the needs_triage Needs a first human triage before being processed. label Aug 17, 2020
@ansible ansible locked and limited conversation to collaborators Sep 14, 2020
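
A simplified model of the failure reported in this issue, added here as an illustration; it is not the os_security_group_rule source or the merged patch. The helper names, project IDs and sample groups are constructed, and resolving the remote group without a project filter is an assumption based on the commit message ("don't pass tenant").

```python
# Simplified model of the failure in this issue. Hypothetical helper names and
# constructed sample data; this is not the os_security_group_rule source.
SECURITY_GROUPS = [
    {"id": "sg-1111", "name": "test-slb-to-cap-pre-pool", "project_id": "tenant-1"},
    {"id": "sg-2222", "name": "remote-sg", "project_id": "tenant-2"},
]


def get_security_group(name_or_id, filters=None):
    """Return the first group matching name or ID (and filters), else None."""
    for sg in SECURITY_GROUPS:
        if name_or_id not in (sg["id"], sg["name"]):
            continue
        if filters and any(sg.get(k) != v for k, v in filters.items()):
            continue
        return sg
    return None


def rule_before(target, remote_group, project_id):
    """Both lookups carry the caller's project filter."""
    filters = {"project_id": project_id}
    sg = get_security_group(target, filters)
    remote = get_security_group(remote_group, filters)  # None for a foreign group
    # Subscripting None raises TypeError, the crash seen in the traceback.
    return {"security_group_id": sg["id"], "remote_group_id": remote["id"]}


def rule_after(target, remote_group, project_id):
    """Scope only the target group; resolve the remote group without a tenant."""
    sg = get_security_group(target, {"project_id": project_id})
    if sg is None:
        raise LookupError("security group %r not found in project %r"
                          % (target, project_id))
    remote = get_security_group(remote_group)  # assumption: no project filter
    if remote is None:
        # Fail with a clear message instead of creating a rule with no source.
        raise LookupError("remote group %r not found" % remote_group)
    return {"security_group_id": sg["id"], "remote_group_id": remote["id"]}


if __name__ == "__main__":
    print(rule_after("test-slb-to-cap-pre-pool", "sg-2222", "tenant-1"))
```

The explicit `None` checks turn a missing group into a readable task failure rather than a module traceback, which makes a mistyped or inaccessible `remote_group` ID easier to spot in playbook output.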