diff --git a/library/mt_ip_firewall.py b/library/mt_ip_firewall.py index 02530d3..84f8a8d 100644 --- a/library/mt_ip_firewall.py +++ b/library/mt_ip_firewall.py @@ -71,19 +71,20 @@ from copy import copy def main(): module = AnsibleModule( - argument_spec=dict( - hostname = dict(required=True), - username = dict(required=True), - password = dict(required=True), - rule = dict(required=False, type='dict'), - parameter = dict(required=True, type='str'), - state = dict( - required = False, - default = "present", - choices = ['present', 'absent'], - type = 'str' - ), - ) + argument_spec=dict( + hostname = dict(required=True), + username = dict(required=True), + password = dict(required=True), + rule = dict(required=False, type='dict'), + parameter = dict(required=True, type='str'), + state = dict( + required = False, + default = "present", + choices = ['present', 'absent'], + type = 'str' + ), + ), + supports_check_mode=True ) hostname = module.params['hostname'] @@ -92,6 +93,7 @@ def main(): rule = module.params['rule'] state = module.params['state'] api_path = '/ip/firewall/' + module.params['parameter'] + check_mode = module.check_mode # ############################################## # Check if "place-before" is an integer # ############################################# @@ -99,10 +101,10 @@ def main(): desired_order = int(rule['place-before']) except: module.exit_json( - failed=True, - changed=False, - msg="place-before is not set or is not set to an integer", - ) + failed=True, + changed=False, + msg="place-before is not set or is not set to an integer", + ) changed = False msg = "" @@ -153,7 +155,8 @@ def main(): # if we don't have an existing rule to match # the desired we create a new one if not current_rule: - mk.api_add(api_path, rule) + if not check_mode: + mk.api_add(api_path, rule) changed = True, # if current_rule is true we need to ensure the changes else: 
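Review bot: The re-indented `password = dict(required=True)` entry in `argument_spec` (hunk at -71,19) still lacks `no_log=True`, so Ansible can record the router password in the module invocation log and show it in verbose output. Since this commit rewrites the line anyway, it should become `password = dict(required=True, no_log=True),`. The rest of `main()` continues outside the hunk.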
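Review bot: The context line `changed = True,` directly after the new `if not check_mode:` guard (hunk at -153,7) ends in a comma, so `changed` is bound to the one-element tuple `(True,)` rather than a boolean. The tuple is truthy, so later tests on it still pass, but whatever is eventually returned as the module result is presumably serialised as a list instead of `true`. That matters more now that check-mode users depend on the reported `changed` alone. Drop the comma, `changed = True`, to match the assignment in the `absent` branch; `main()` starts and ends outside this hunk.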
@@ -176,10 +179,11 @@ def main(): if current_id is not None: out_params['.id'] = current_id - mk.api_edit( - base_path = api_path, - params = out_params - ) + if not check_mode: + mk.api_edit( + base_path = api_path, + params = out_params + ) # we don't need to show the .id in the changed message if '.id' in out_params: @@ -207,7 +211,8 @@ def main(): 'destination': desired_order } if params: - mk.api_command(api_path, params) + if not check_mode: + mk.api_command(api_path, params) changed_msg.append({ "moved": existing_order, "to": old_params, @@ -219,7 +224,8 @@ def main(): ##################################### elif state == "absent": if current_rule: - mk.api_remove(api_path, current_id) + if not check_mode: + mk.api_remove(api_path, current_id) changed = True changed_msg.append("removed rule: " + str(desired_order)) else: diff --git a/tests/integration/tests.yml b/tests/integration/tests.yml index 481753a..5778e9a 100644 --- a/tests/integration/tests.yml +++ b/tests/integration/tests.yml @@ -805,7 +805,11 @@ comment: 'Ansible - fw filter rule5' place-before: '4' register: check_idem - failed_when: ( check_idem | changed ) + failed_when: ( + not ansible_check_mode + ) and ( + ( check_idem | changed ) + ) tags: test-firewall - name: ALWAYS_CHANGES Test editing existing rule @@ -823,7 +827,11 @@ src-address: 192.168.0.0/16 place-before: '3' register: edit_filter_rule - failed_when: not ( edit_filter_rule | changed ) + failed_when: ( + not ansible_check_mode + ) and ( + not ( edit_filter_rule | changed ) + ) - name: NEVER_CHANGES Test editing existing rule check idempotency again mt_ip_firewall: @@ -840,7 +848,11 @@ src-address: 192.168.0.0/16 place-before: '3' register: edit_filter_rule_2 - failed_when: ( edit_filter_rule_2 | changed ) + failed_when: ( + not ansible_check_mode + ) and ( + ( edit_filter_rule_2 | changed ) + ) tags: test-firewall - name: add a rule to the bottom of the chain 
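Review bot: Wrapping each `failed_when` in `( not ansible_check_mode ) and ( ... )` switches these assertions off whenever the suite runs in check mode, so nothing in the visible test hunks verifies the new `supports_check_mode` behaviour. In particular, nothing verifies that a dry run leaves the router's firewall rules untouched. This starts at the hunk at -805,7 and applies equally to those at -823, -840, -873, -890 and -903. Consider adding a pair of tasks: one that calls `mt_ip_firewall` with the task-level `check_mode: yes` (if the targeted Ansible version supports it) and must report `changed`, then the identical task run for real, which must also report `changed`, showing that the dry run wrote nothing. The tasks these conditions belong to begin outside the hunks.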
@@ -873,7 +885,11 @@ src-address: 192.150.0.0/16 place-before: '20' register: edit_filter_rule_3 - failed_when: not ( edit_filter_rule_3 | changed ) + failed_when: ( + not ansible_check_mode + ) and ( + not ( edit_filter_rule_3 | changed ) + ) - name: NEVER_CHANGES add a rule to the bottom of the chain, check_idempotency mt_ip_firewall: @@ -890,7 +906,11 @@ src-address: 192.150.0.0/16 place-before: '20' register: edit_filter_rule_4 - failed_when: ( edit_filter_rule_4 | changed ) + failed_when: ( + not ansible_check_mode + ) and ( + ( edit_filter_rule_4 | changed ) + ) - name: ALWAYS_CHANGES Test removing existing rule mt_ip_firewall: @@ -903,7 +923,11 @@ with_items: - place-before: '4' register: rem_filter_rule - failed_when: not ( rem_filter_rule | changed ) + failed_when: ( + not ansible_check_mode + ) and ( + not ( rem_filter_rule | changed ) + ) tags: firewall-filter ###################