ansible · trishnaguha · Apr 6, 2018 · Apr 4, 2018 · Apr 4, 2018 · Apr 4, 2018
diff --git a/lib/ansible/modules/network/nxos/nxos_acl.py b/lib/ansible/modules/network/nxos/nxos_acl.py
@@ -203,6 +203,7 @@ def get_acl(module, acl_name, seq_number):
         for acl in all_acl_body:
             if acl.get('acl_name') == acl_name:
                 acl_body = acl
+                break
 
     try:
         acl_entries = acl_body['TABLE_seqno']['ROW_seqno']
@@ -226,7 +227,7 @@ def get_acl(module, acl_name, seq_number):
             temp['action'] = 'remark'
         else:
             temp['action'] = each.get('permitdeny')
-            temp['proto'] = each.get('proto', each.get('proto_str', each.get('ip')))
+            temp['proto'] = str(each.get('proto', each.get('proto_str', each.get('ip'))))
             temp['src'] = each.get('src_any', each.get('src_ip_prefix'))
             temp['src_port_op'] = each.get('src_port_op')
             temp['src_port1'] = each.get('src_port1_num')
@@ -458,13 +459,35 @@ def main():
     delta_options = {}
 
     if not existing_core.get('remark'):
-        delta_core = dict(
+        dcore = dict(
             set(proposed_core.items()).difference(
                 existing_core.items())
         )
-        delta_options = dict(
-            set(proposed_options.items()).difference(
-                existing_options.items())
+        if not dcore:
+            # check the diff in the other way just in case
+            dcore = dict(
+                set(existing_core.items()).difference(
     If there is any difference, what is in Ansible will be pushed (configured 
     options will be overridden).  This is to improve security, but at the 
     If there is any difference, what is in Ansible will be pushed (configured 
     options will be overridden).  This is to improve security, but at the 
+                    proposed_core.items())
+            )
+        delta_core = dcore
+        if delta_core:
+            delta_options = proposed_options
+        else:
+            doptions = dict(
+                set(proposed_options.items()).difference(
+                    existing_options.items())
+            )
+            # check the diff in the other way just in case
+            if not doptions:
+                doptions = dict(
+                    set(existing_options.items()).difference(
+                        proposed_options.items())
+                )
+            delta_options = doptions
+    else:
+        delta_core = dict(
+            set(proposed_core.items()).difference(
+                existing_core.items())
         )
 
     if state == 'present':

diff --git a/test/integration/targets/nxos_acl/tests/common/sanity.yaml b/test/integration/targets/nxos_acl/tests/common/sanity.yaml
@@ -10,12 +10,12 @@
   nxos_acl: &remove
     name: TEST_ACL
     seq: 10
-    state: absent
+    state: delete_acl
     provider: "{{ connection }}"
   ignore_errors: yes
 
-- name: "Configure ACL"
-  nxos_acl: &configure
+- name: "Configure ACE10"
+  nxos_acl: &conf10
     name: TEST_ACL
     seq: 10
     action: permit
@@ -27,6 +27,8 @@
     ack: 'enable'
     dscp: 'af43'
     dest: any
+    dest_port_op: neq
+    dest_port1: 1899
     urg: 'enable'
     psh: 'enable'
     established: 'enable'
@@ -44,13 +46,187 @@
       - "result.changed == true"
 
 - name: "Check Idempotence"
-  nxos_acl: *configure
+  nxos_acl: *conf10
   register: result
 
 - assert: &false
     that:
       - "result.changed == false"
 
+- name: "Change ACE10"
+  nxos_acl: &chg10
+    name: TEST_ACL
+    seq: 10
+    action: deny
+    proto: tcp
+    src: 1.1.1.1/24
+    src_port_op: range
+    src_port1: 1900
+    src_port2: 1910
+    ack: 'enable'
+    dscp: 'af43'
+    dest: any
+    dest_port_op: neq
+    dest_port1: 1899
+    urg: 'enable'
+    psh: 'enable'
+    established: 'enable'
+    log: 'enable'
+    fin: 'enable'
+    rst: 'enable'
+    syn: 'enable'
+    time_range: "{{time_range|default(omit)}}"
+    state: present
+    provider: "{{ connection }}"
+  register: result
+
+- assert: *true
+
+- name: "Check Idempotence"
+  nxos_acl: *chg10
+  register: result
+
+- assert: *false
+
+- name: "ace remark"
+  nxos_acl: &remark
+    name: TEST_ACL
+    seq: 20
+    action: remark
+    remark: test_remark
+    state: present
+    provider: "{{ connection }}"
+  register: result
+
+- assert: *true
+
+- name: "Check Idempotence"
+  nxos_acl: *remark
+  register: result
+
+- assert: *false
+
+- name: "change remark"
+  nxos_acl: &chgremark
+    name: TEST_ACL
+    seq: 20
+    action: remark
+    remark: changed_remark
+    state: present
+    provider: "{{ connection }}"
+  register: result
+
+- assert: *true
+
+- name: "Check Idempotence"
+  nxos_acl: *chgremark
+  register: result
+
+- assert: *false
+
+- name: "ace 30"
+  nxos_acl: &ace30
+    name: TEST_ACL
+    seq: 30
+    action: deny
+    proto: 24
+    src: any
+    dest: any
+    fragments: enable
+    precedence: network
+    state: present
+    provider: "{{ connection }}"
+  register: result
+
+- assert: *true
+
+- name: "Check Idempotence"
+  nxos_acl: *ace30
+  register: result
+
+- assert: *false
+
+- name: "change ace 30 options"
+  nxos_acl: &chgace30opt
+    name: TEST_ACL
+    seq: 30
+    action: deny
+    proto: 24
+    src: any
+    dest: any
+    precedence: network
+    state: present
+    provider: "{{ connection }}"
+  register: result
+
+- assert: *true
+
+- name: "Check Idempotence"
+  nxos_acl: *chgace30opt
+  register: result
+
+- assert: *false
+
+- name: "ace 40"
+  nxos_acl: &ace40
+    name: TEST_ACL
+    seq: 40
+    action: permit
+    proto: udp
+    src: any
+    src_port_op: neq
+    src_port1: 1200
+    dest: any
+    precedence: network
+    state: present
+    provider: "{{ connection }}"
+  register: result
+
+- assert: *true
+
+- name: "Check Idempotence"
+  nxos_acl: *ace40
+  register: result
+
+- assert: *false
+
+- name: "change ace 40"
+  nxos_acl: &chgace40
+    name: TEST_ACL
+    seq: 40
+    action: permit
+    proto: udp
+    src: any
+    dest: any
+    precedence: network
+    state: present
+    provider: "{{ connection }}"
+  register: result
+
+- assert: *true
+
+- name: "Check Idempotence"
+  nxos_acl: *chgace40
+  register: result
+
+- assert: *false
+
+- name: "remove ace 30"
+  nxos_acl: &remace30
+    name: TEST_ACL
+    seq: 30
+    state: absent
+    provider: "{{ connection }}"
+  register: result
+
+- assert: *true
+
+- name: "Check Idempotence"
+  nxos_acl: *remace30
+  register: result
+
+- assert: *false
+
 - name: "Remove ACL"
   nxos_acl: *remove
   register: result