add check mode to firewall module

2025-07-09 01:34:24 +02:00 · 2017-06-01 17:40:53 -07:00 · 2017-06-01 17:40:53 -07:00 · caa99b3e5d
commit caa99b3e5d
parent 48f593bae2
2 changed files with 60 additions and 30 deletions
--- a/library/mt_ip_firewall.py
+++ b/library/mt_ip_firewall.py
@ -71,19 +71,20 @@ from copy import copy
 def main():

  module = AnsibleModule(
-      argument_spec=dict(
-          hostname  = dict(required=True),
-          username  = dict(required=True),
-          password  = dict(required=True),
-          rule      = dict(required=False, type='dict'),
-          parameter = dict(required=True, type='str'),
-          state = dict(
-              required  = False,
-              default   = "present",
-              choices   = ['present', 'absent'],
-              type      = 'str'
-          ),
-      )
+    argument_spec=dict(
+      hostname  = dict(required=True),
+      username  = dict(required=True),
+      password  = dict(required=True),
+      rule      = dict(required=False, type='dict'),
+      parameter = dict(required=True, type='str'),
+      state = dict(
+        required  = False,
+        default   = "present",
+        choices   = ['present', 'absent'],
+        type      = 'str'
+      ),
+    ),
+    supports_check_mode=True
  )

  hostname     = module.params['hostname']
@ -92,6 +93,7 @@ def main():
  rule = module.params['rule']
  state        = module.params['state']
  api_path     = '/ip/firewall/' + module.params['parameter']
+  check_mode      = module.check_mode
 # ##############################################
 # Check if "place-before" is an integer
 # #############################################
@ -99,10 +101,10 @@ def main():
    desired_order = int(rule['place-before'])
  except:
    module.exit_json(
-        failed=True,
-        changed=False,
-        msg="place-before is not set or is not set to an integer",
-      )
+      failed=True,
+      changed=False,
+      msg="place-before is not set or is not set to an integer",
+    )
  changed = False
  msg = ""

@ -153,7 +155,8 @@ def main():
    # if we don't have an existing rule to match
    # the desired we create a new one
    if not current_rule:
-      mk.api_add(api_path, rule)
+      if not check_mode:
+        mk.api_add(api_path, rule)
      changed = True,
    # if current_rule is true we need to ensure the changes
    else:
@ -176,10 +179,11 @@ def main():
        if current_id is not None:
          out_params['.id'] = current_id

-          mk.api_edit(
-              base_path = api_path,
-              params    = out_params
-          )
+          if not check_mode:
+            mk.api_edit(
+                base_path = api_path,
+                params    = out_params
+            )

          # we don't need to show the .id in the changed message
          if '.id' in out_params:
@ -207,7 +211,8 @@ def main():
          'destination': desired_order
          }
        if params:
-          mk.api_command(api_path, params)
+          if not check_mode:
+            mk.api_command(api_path, params)
          changed_msg.append({
              "moved": existing_order,
              "to": old_params,
@ -219,7 +224,8 @@ def main():
 #####################################
  elif state == "absent":
    if current_rule:
-      mk.api_remove(api_path, current_id)
+      if not check_mode:
+        mk.api_remove(api_path, current_id)
      changed = True
      changed_msg.append("removed rule: " + str(desired_order))
  else:
--- a/tests/integration/tests.yml
+++ b/tests/integration/tests.yml
@ -805,7 +805,11 @@
              comment: 'Ansible - fw filter rule5'
              place-before: '4'
          register: check_idem
-          failed_when: ( check_idem | changed )
+          failed_when: (
+              not ansible_check_mode
+            ) and (
+              ( check_idem | changed )
+            )
          tags: test-firewall

        - name: ALWAYS_CHANGES Test editing existing rule
@ -823,7 +827,11 @@
              src-address: 192.168.0.0/16
              place-before: '3'
          register: edit_filter_rule
-          failed_when: not ( edit_filter_rule | changed )
+          failed_when: (
+              not ansible_check_mode
+            ) and (
+              not ( edit_filter_rule | changed )
+            )

        - name: NEVER_CHANGES Test editing existing rule check idempotency again
          mt_ip_firewall:
@ -840,7 +848,11 @@
              src-address: 192.168.0.0/16
              place-before: '3'
          register: edit_filter_rule_2
-          failed_when: ( edit_filter_rule_2 | changed )
+          failed_when: (
+              not ansible_check_mode
+            ) and (
+              ( edit_filter_rule_2 | changed )
+            )
          tags: test-firewall

        - name: add a rule to the bottom of the chain
@ -873,7 +885,11 @@
              src-address: 192.150.0.0/16
              place-before: '20'
          register: edit_filter_rule_3
-          failed_when: not ( edit_filter_rule_3 | changed )
+          failed_when: (
+              not ansible_check_mode
+            ) and (
+              not ( edit_filter_rule_3 | changed )
+            )

        - name: NEVER_CHANGES add a rule to the bottom of the chain, check_idempotency
          mt_ip_firewall:
@ -890,7 +906,11 @@
              src-address: 192.150.0.0/16
              place-before: '20'
          register: edit_filter_rule_4
-          failed_when: ( edit_filter_rule_4 | changed )
+          failed_when: (
+              not ansible_check_mode
+            ) and (
+              ( edit_filter_rule_4 | changed )
+            )

        - name: ALWAYS_CHANGES Test removing existing rule
          mt_ip_firewall:
@ -903,7 +923,11 @@
          with_items:
            - place-before: '4'
          register: rem_filter_rule
-          failed_when: not ( rem_filter_rule | changed )
+          failed_when: (
+              not ansible_check_mode
+            ) and (
+              not ( rem_filter_rule | changed )
+            )

        tags: firewall-filter
      ###################