23 changes: 12 additions & 11 deletions plugins/modules/firewall.py
Expand Up @@ -348,20 +348,21 @@ def _update_rules(self, remote_rules: dict, local_rules: dict) -> dict:
if self._state != "update":
return local_rules

# Add new local rules to remote rules if they don't exist
# Amend existing rules and append new local rules
for direction in ["inbound", "outbound"]:
rlr = {
remote_rule["label"]
for remote_rule in remote_rules.get(direction, {})
remote_labeled = {
r["label"] for r in remote_rules.get(direction, [])
}
for local_rule in local_rules.get(direction, {}):
if local_rule["label"] not in rlr:
remote_rules[direction].append(local_rule)

for direction in ["inbound", "outbound"]:
local_rules[direction] = self._amend_rules(
remote_rules[direction], local_rules[direction]
# Start with amended existing remote rules
amended = self._amend_rules(
remote_rules.get(direction, []),
local_rules.get(direction, []),
)
# Append any new local rules not present in remote
for local_rule in local_rules.get(direction, []):
if local_rule["label"] not in remote_labeled:
amended.append(local_rule)
local_rules[direction] = amended
return local_rules

def _change_rules(self) -> Optional[dict]:
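Review bot: New local rules whose label is absent remotely are now appended to `amended` raw, after `_amend_rules` has already run, whereas the removed code first merged them into `remote_rules[direction]` so that `_amend_rules` processed them as well; if `_amend_rules` normalizes or validates rule fields (it is defined outside this hunk), appended rules now skip that step. Either run the merged list through `_amend_rules` or record the intent next to the append loop, e.g. `# New rules are appended verbatim; only rules matched by label go through _amend_rules`. The switch from `local_rules[direction]` to `local_rules.get(direction, [])` in the `_amend_rules` call also changes behaviour when the caller omits a direction: what would have raised KeyError now sets that direction to `_amend_rules(remote, [])`, which deserves a comment and a test case. `_update_rules` begins above the hunk, so its signature line is visible only in the `@@` header and any docstring is not.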
52 changes: 38 additions & 14 deletions tests/integration/targets/firewall_update/tasks/main.yaml
Expand Up @@ -79,7 +79,7 @@
- updated_firewall.firewall.rules.inbound | length == 1
- (updated_firewall.firewall.rules.inbound[0].addresses['ipv4'] is defined)
- (updated_firewall.firewall.rules.inbound[0].addresses['ipv6'] is not defined)

- firewall_info.firewall.id == create.firewall.id
- firewall_info.devices|length == updated_firewall.devices|length
- firewall_info.firewall.status == updated_firewall.firewall.status
Expand Down Expand Up @@ -158,7 +158,7 @@
- updated_firewall.firewall.rules.inbound | length == 1
- (updated_firewall.firewall.rules.inbound[0].addresses['ipv4'] is not defined)
- (updated_firewall.firewall.rules.inbound[0].addresses['ipv6'] is defined)

- firewall_info.firewall.id == create.firewall.id
- firewall_info.devices|length == updated_firewall.devices|length
- firewall_info.firewall.status == updated_firewall.firewall.status
Expand Down Expand Up @@ -238,7 +238,7 @@
- updated_firewall.firewall.rules.inbound | length == 1
- (updated_firewall.firewall.rules.inbound[0].addresses['ipv4'] is defined) and (updated_firewall.firewall.rules.inbound[0].addresses['ipv4'] == ['0.0.0.0/0'])
- (updated_firewall.firewall.rules.inbound[0].addresses['ipv6'] is defined) and (updated_firewall.firewall.rules.inbound[0].addresses['ipv6'] == ['ff00::/8'])

- firewall_info.firewall.id == create.firewall.id
- firewall_info.devices|length == updated_firewall.devices|length
- firewall_info.firewall.status == updated_firewall.firewall.status
Expand Down Expand Up @@ -286,7 +286,7 @@
that:
- updated_firewall.changed
- updated_firewall.firewall.status == 'disabled'

- firewall_info.firewall.id == create.firewall.id
- firewall_info.devices|length == updated_firewall.devices|length
- firewall_info.firewall.status == updated_firewall.firewall.status
Expand Down Expand Up @@ -326,7 +326,7 @@
that:
- updated_firewall.changed
- updated_firewall.firewall.status == 'enabled'

- firewall_info.firewall.id == create.firewall.id
- firewall_info.devices|length == updated_firewall.devices|length
- firewall_info.firewall.status == updated_firewall.firewall.status
Expand Down Expand Up @@ -370,7 +370,7 @@
- updated_firewall.changed
- updated_firewall.firewall.rules.inbound_policy == 'ACCEPT'
- updated_firewall.firewall.rules.outbound_policy == 'ACCEPT'

- firewall_info.firewall.id == create.firewall.id
- firewall_info.devices|length == updated_firewall.devices|length
- firewall_info.firewall.status == updated_firewall.firewall.status
Expand Down Expand Up @@ -447,7 +447,7 @@
- updated_firewall.firewall.rules.outbound_policy == 'DROP'
- updated_firewall.firewall.rules.outbound[0].addresses['ipv4'] == ['0.0.0.0/0']
- updated_firewall.firewall.rules.outbound[0].addresses['ipv6'] == ['ff00::/8']

- firewall_info.firewall.id == create.firewall.id
- firewall_info.devices|length == updated_firewall.devices|length
- firewall_info.firewall.status == updated_firewall.firewall.status
Expand Down Expand Up @@ -507,7 +507,7 @@
- updated_firewall.firewall.rules.outbound[0].ports == '80,443'
- updated_firewall.firewall.rules.outbound[0].protocol == 'TCP'
- updated_firewall.firewall.rules.outbound[0].action == 'ACCEPT'

- firewall_info.firewall.id == create.firewall.id
- firewall_info.devices|length == updated_firewall.devices|length
- firewall_info.firewall.status == updated_firewall.firewall.status
Expand Down Expand Up @@ -570,7 +570,7 @@
- updated_firewall.firewall.rules.outbound[0].protocol == 'TCP'
- updated_firewall.firewall.rules.outbound[0].action == 'ACCEPT'
- updated_firewall.firewall.rules.outbound_policy == 'DROP'

- firewall_info.firewall.id == create.firewall.id
- firewall_info.devices|length == updated_firewall.devices|length
- firewall_info.firewall.status == updated_firewall.firewall.status
Expand Down Expand Up @@ -635,7 +635,7 @@
- updated_firewall.firewall.rules.outbound[0].action == 'ACCEPT'
- updated_firewall.firewall.rules.outbound[0].addresses['ipv4'] == ['0.0.0.0/0','8.8.8.8/32' ]
- updated_firewall.firewall.rules.outbound_policy == 'DROP'

- firewall_info.firewall.id == create.firewall.id
- firewall_info.devices|length == updated_firewall.devices|length
- firewall_info.firewall.status == updated_firewall.firewall.status
Expand Down Expand Up @@ -700,7 +700,7 @@
- updated_firewall.firewall.rules.outbound[0].action == 'ACCEPT'
- updated_firewall.firewall.rules.outbound[0].addresses['ipv4'] == ['0.0.0.0/0','8.8.8.8/32' ]
- updated_firewall.firewall.rules.outbound_policy == 'DROP'

- firewall_info.firewall.id == create.firewall.id
- firewall_info.devices|length == updated_firewall.devices|length
- firewall_info.firewall.status == updated_firewall.firewall.status
Expand Down Expand Up @@ -749,7 +749,7 @@
- updated_firewall.changed
- updated_firewall.firewall.rules.inbound[0].description == 'Amazing firewall rule.'
- updated_firewall.firewall.rules.outbound[0].description == 'Amazing firewall rule.'

- firewall_info.firewall.id == create.firewall.id
- firewall_info.devices|length == updated_firewall.devices|length
- firewall_info.firewall.status == updated_firewall.firewall.status
Expand Down Expand Up @@ -798,7 +798,7 @@
assert:
that:
- firewall_info.devices|length == 0

- firewall_info.firewall.id == create.firewall.id
- firewall_info.devices|length == updated_firewall.devices|length
- firewall_info.firewall.status == updated_firewall.firewall.status
Expand Down Expand Up @@ -847,7 +847,7 @@
assert:
that:
- not updated_firewall.changed

- firewall_info.firewall.id == create.firewall.id
- firewall_info.devices|length == updated_firewall.devices|length
- firewall_info.firewall.status == updated_firewall.firewall.status
Expand All @@ -867,6 +867,30 @@
- (firewall_info.firewall.rules.outbound | length == 0 and updated_firewall.firewall.rules.outbound | length == 0) or ((firewall_info.firewall.rules.outbound[0].ports is not defined and updated_firewall.firewall.rules.outbound[0].ports is not defined) or (firewall_info.firewall.rules.outbound[0].ports == updated_firewall.firewall.rules.outbound[0].ports))
- (firewall_info.firewall.rules.outbound | length == 0 and updated_firewall.firewall.rules.outbound | length == 0) or ((firewall_info.firewall.rules.outbound[0].protocol is not defined and updated_firewall.firewall.rules.outbound[0].protocol is not defined) or (firewall_info.firewall.rules.outbound[0].protocol == updated_firewall.firewall.rules.outbound[0].protocol))
- (firewall_info.firewall.rules.outbound | length == 0 and updated_firewall.firewall.rules.outbound | length == 0) or ((firewall_info.firewall.rules.outbound[0].action is not defined and updated_firewall.firewall.rules.outbound[0].action is not defined) or (firewall_info.firewall.rules.outbound[0].action == updated_firewall.firewall.rules.outbound[0].action))

- name: Append a new inbound rule via update
linode.cloud.firewall:
state: update
api_version: v4beta
label: '{{ create.firewall.label }}'
rules:
inbound:
- label: new_rule
action: ACCEPT
protocol: TCP
addresses:
ipv4: ['2.2.2.2/32']
description: 'appended rule'
ports: '8080'
register: append_rule

- name: Assert new rule was appended
assert:
that:
- append_rule.changed
- append_rule.firewall.rules.inbound | length >= 2
- append_rule.firewall.rules.inbound | selectattr('label', 'equalto', 'new_rule') | list | length == 1

always:
- ignore_errors: yes
block:
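Review bot: The assertion `append_rule.firewall.rules.inbound | length >= 2` in the last hunk only shows that a rule was added; it does not check that the pre-existing inbound rule survived the amend-then-append path unchanged, which is the regression the firewall.py change most needs covered. If the preceding tasks leave exactly one inbound rule, as the earlier `inbound | length == 1` assertions in this file suggest, pin the count with `- append_rule.firewall.rules.inbound | length == 2` and keep a `selectattr('label', 'equalto', '<pre-existing rule label>')` check for the original rule alongside the one for `new_rule`. The appended rule's own fields are also unverified; adding `- (append_rule.firewall.rules.inbound | selectattr('label', 'equalto', 'new_rule') | first).ports == '8080'` confirms the new rule round-trips rather than merely existing.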