win_firewall_rule: Implement idempotency, check-mode and diff support

[dagwieers]

SUMMARY

This PR includes the following changes:

• An idempotency fix when profile: any
• Documentation fixes (remove required: false)
• Parameter handling fixes
• RDP example that matches default RDP rule
• Renamed parameter 'enable' to 'enabled' (kept alias for compatibility)
• Renamed parameter 'profile' to 'profiles' (kept alias for compatibility)
• Implemented check-mode support
• Implemented diff support
• Adapted integration tests
• Returns proper command output on failure.

This fixes #23455 and #24976

ISSUE TYPE

• Bugfix Pull Request

COMPONENT NAME

win_firewall_rule

ANSIBLE VERSION

v2.3

[ansibot]

The test ansible-test sanity --test validate-modules failed with the following error:

lib/ansible/modules/windows/win_firewall_rule.py:0:0: E311 EXAMPLES is not valid YAML. Line 112 column 3

click here for bot help

[ansibot]

cc @timothyvandenbrande @ar7z1
click here for bot help

[mattclay]

Integration test failure: https://app.shippable.com/github/ansible/ansible/runs/17791/9/tests

Here's one example from test/integration/targets/win_firewall_rule/tasks/main.yml:39:

{
    "assertion": "add_firewall_rule_again.changed == false", 
    "changed": false, 
    "evaluated_to": false, 
    "failed": true
}

[ar7z1]

shipit

[ar7z1]

It seems it can be removed. Comparison operator -eq are case-insensitive by default:

By default, all comparison operators are case-insensitive. To make a comparison operator case-sensitive, precede the operator name with a c. For example, the case-sensitive version of -eq is -ceq. To make the case-insensitivity explicit, precede the operator with an i. For example, the explicitly case-insensitive version of -eq is -ieq.

[dagwieers]

Aha, good to know. Thanks !

[ar7z1]

@dagwieers Thank you for excellent work!
I can't understand what's wrong with the tests. I will have access to my dev machine in a few days. I'll try to debug the failed tests.

[jborean93]

shipit

[ar7z1]

@dagwieers I created a PR to your PR. ;-)

[dagwieers]

@ar7z1 I have retained the fix for the integration tests from your PR. So that this PR becomes mergeable again.

However I noticed my changes to "differences" do not make sense (useful for debugging, but output is not very clear), and do not use the normal provisions for showing diff output (-D/--diff). So we definitely need to revise this too. So I am going to fix my PR for that too.

[dagwieers]

Alright, after changes what needed to be changed I ended up rewriting most of the module.
Although the logic is still the same.

[skasai]

Question - Would this be the reason I can't set/update firewall rules with current win_firewall_rule? I am currently dipping my feet into Ansible and noticing when I did tests on machines, I wasn't creating the rule. Using the force option did delete pre-defined rule.

[dagwieers]

@skasai Yup, as I added to the notes in this PR:

• Modifying existing firewall rules is not possible, the module does allow replacing complete rules based on name, but that works by removing the existing rule completely, and recreating it with provided information (when using C(force)).

[dagwieers]

@nitzmahone Can you please merge this PR ? It is almost 2 months old, and people are still having issues with things that this PR fixes.

[skasai]

Yup, as I added to the notes in this PR:

Modifying existing firewall rules is not possible, the module does allow replacing complete rules based on name, but that works by removing the existing rule completely, and recreating it with provided information (when using C(force)).

Ok... I was playing around with this last night and today and scratching my head as to why it said changed and looking on the test machines, I see no added rule and wondering why it deleted the existing rule when I did force.

Even running with -vvvvvv, wasn't really indicative of what was going on.

I just found this this morning and was wondering why the module that is listed wasn't working as intended.

[dagwieers]

@skasai Was this with PR #23162 or with the version in v2.3 or devel ?

[skasai]

At the moment, not sure, since I know the version of Ansible is v2.3.0.0 right now and what I see near the end is this:

changed: ['machine'] => {
"changed": true,
"difference": [],
"failed": false,
"fwsettings": {
"Action": "allow",
"Direction": "in",
"Enabled": "yes",
"LocalIP": "any",
"LocalPort": "any",
"Profiles": "Private,Public",
"Protocol": "ICMPv4",
"RemoteIP": "'iprange'/24",
"RemotePort": "any",
"Rule Name": "ATest",
"Service": "any"
},
"msg": [
"No rule could be found",
"Created firewall rule ATest"
]
}
META: ran handlers
META: ran handlers

PLAY RECAP **********************************************************************
'machine' : ok=2 changed=1 unreachable=0 failed=0

This is on CentOS 7 doing a yum install so not devel. Not sure how to do PR or what not.

[dagwieers]

@skasai If you would have been running this code, it would have told you that you cannot provide a localport or remoteport when using a protocol other than TCP or UDP.

[skasai]

Figured as much. How would one pull down a PR then for testing? I saw exerpt code for files, but didn't seem to line up so I avoided trying to hand modify.

[dagwieers]

@skasai The easiest option is to take the file and put it in library/, however in this case we also modify the vmware library, so that's not going to work. If you don't know git very well, maybe it's best to wait for this to be released. At least you now know how to fix this :-)

[skasai]

Took me a while and a few mistakes but hand modified it based off the PR mods and it looks like this works. Was able to create the test firewall rule when earlier behavior showed no changes.

Do note that it treated 'existing rule' with 'force' as not counting as 'changed', but I suppose this is expected behavior?

[dagwieers]

Indeed, it compares the before and after, and only reports a change if there is a difference. Thanks for testing !

[skasai]

@dagwieers Ok. Although technically if you are forcing a change in values on an existing rule, technically, that is a change. :)

What I see is this:

"msg": [
    "The rule 'File and Printer Sharing (Echo Request - ICMPv4-In)' exists.", 
    "The rule 'File and Printer Sharing (Echo Request - ICMPv4-In)' exists but has different values", 
    "Removed the rule 'File and Printer Sharing (Echo Request - ICMPv4-In)'", 
    "Created firewall rule 'File and Printer Sharing (Echo Request - ICMPv4-In)'"
]

Run again:
"msg": [
"The rule 'File and Printer Sharing (Echo Request - ICMPv4-In)' exists.",
"An identical rule exists",
"Firewall rule 'File and Printer Sharing (Echo Request - ICMPv4-In)' was already created"
]

In both cases, Ansible did show 'changed': false.
ok: ['machine'] => {
"changed": false,
"diff": null,
"fwsettings": {
"Action": "Allow",
"Direction": "In",
"Edge traversal": "No",
"Enabled": "Yes",
"InterfaceTypes": "Any",
"LocalIP": "any",
"Profiles": "Private,Public",
"Protocol": "ICMPV4",
"RemoteIP": "'iprange'/24",
"Rule Name": "File and Printer Sharing (Echo Request - ICMPv4-In)",
"Security": "NotRequired"
},

[dagwieers]

@skasai That's a bug. Although looking at the code, it seems not possible to have changed=False in this case.

I did improve the output so it doesn't state twice that the rule exists.