Fix lgpo.set state idempotency when element ids are used (#68489) #69370

Merged: dwoz merged 1 commit into saltstack:3006.x from dwoz:fix/issue-68489 on Jun 8, 2026
@dwoz (Contributor) commented Jun 7, 2026

What does this PR do?

Makes the lgpo.set state idempotent when the requested policy uses ADMX
element ids for sub-element keys. Previously the state succeeded on the first
run and then reported "Failed to set the following policies" on every
subsequent run for any policy with sub-elements.

What issues does this PR fix or reference?

Fixes #68489

Previous Behavior

The state compared a requested dict keyed by ADMX element id with a current
dict (read back via lgpo.get_policy) keyed by the ADML display name. The
two keys differ, so the comparison declared a change. lgpo.set returned
True (no work to do), the post-set diff was empty, and the state returned
result=False, comment="Failed to set the following policies: …".

New Behavior

The comparison normalizes both the requested and current sub-element dicts
to the canonical ADMX element_id (using the policy_elements
metadata already retrieved via lgpo.get_policy_info) before
_compare_policies runs. Both alias forms now compare equal, so repeated
state runs are idempotent.

Merge requirements satisfied?

  • Docs (no documented behavior changes)
  • Changelog (changelog/68489.fixed.md)
  • Tests written/updated (new unit + regression tests in
    tests/pytests/unit/states/test_win_lgpo.py)

Commits signed with GPG?

No

The state's policy comparison treated a requested dict keyed by ADMX
element id and a current dict keyed by the ADML display name as
different, even though lgpo.set accepts both forms as aliases. The
result: on the first run the state set the policy and reported success,
but on every subsequent run it called lgpo.set again, saw an empty
post-set diff, and returned "Failed to set the following policies".

Normalize both sides of the comparison to the canonical element id via
policy_lookup[name]["policy_elements"] before _compare_policies runs so
runs are idempotent regardless of which alias the user wrote.

Fixes saltstack#68489
@dwoz merged commit e1080a0 into saltstack:3006.x on Jun 8, 2026
1228 of 1242 checks passed
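
The normalization described in this PR, as an added Python example that is not the code from the PR or from Salt. The shape of the policy_elements entries (element_id plus element_aliases), the helper names and the sample policy data are assumptions constructed for illustration.

```python
# Added illustration; names and data shapes are assumptions, not Salt's code.

def build_alias_map(policy_elements):
    """Map every known alias (and the id itself) to the canonical element id."""
    alias_map = {}
    for element in policy_elements:
        element_id = element["element_id"]
        alias_map[element_id] = element_id
        for alias in element.get("element_aliases", []):
            alias_map[alias] = element_id
    return alias_map


def normalize_elements(value, alias_map):
    """Re-key a sub-element dict by canonical id; leave other values alone."""
    if not isinstance(value, dict):
        return value  # e.g. a plain "Enabled" / "Disabled" setting
    normalized = {}
    for key, item in value.items():
        canonical = alias_map.get(key, key)  # unknown keys pass through
        if canonical in normalized and normalized[canonical] != item:
            # Same element given twice under different aliases with
            # different values: refuse to guess which one was meant.
            raise ValueError(f"conflicting values for element {canonical!r}")
        normalized[canonical] = item
    return normalized


def needs_change(requested, current, policy_elements):
    """True only if the two settings differ after alias normalization."""
    alias_map = build_alias_map(policy_elements)
    return normalize_elements(requested, alias_map) != normalize_elements(current, alias_map)


# Constructed sample metadata and values (not taken from a real ADMX file).
POLICY_ELEMENTS = [
    {"element_id": "ExampleList", "element_aliases": ["ExampleList", "Example list of hosts"]},
    {"element_id": "ExampleMode", "element_aliases": ["ExampleMode", "Example mode"]},
]
REQUESTED = {"ExampleList": ["a.example", "b.example"], "ExampleMode": "Strict"}
CURRENT = {"Example list of hosts": ["a.example", "b.example"], "Example mode": "Strict"}

if __name__ == "__main__":
    print("naive compare sees a change:", REQUESTED != CURRENT)
    print("normalized compare sees a change:", needs_change(REQUESTED, CURRENT, POLICY_ELEMENTS))
```

A compliance check built on such a state should treat a real difference after normalization as drift, and a difference that disappears after normalization as an alias mismatch rather than a failed enforcement.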
Labels

test:full Run the full test suite