azure_rm_securitygroup doesn't show idempotent behaviour #504

Closed
tfmark opened this issue Apr 20, 2021 · 0 comments · Fixed by #507
Labels
bug Something isn't working has_pr PR fixes have been made medium_priority Medium priority

tfmark commented Apr 20, 2021

I incorrectly raised this in the ansible repo (ansible/ansible#74343) and it was closed. Copy/pasting here.

Summary

This might be related to ansible/ansible#26411 which was fixed a few years ago.

I am using azure.azcollection.azure_rm_securitygroup and passing in lists for both destination_port_range and source_address_prefix parameters.

Running the playbook twice should give me ok but is giving me changed.

Edit!

Taking a look at rule vs old_rule in the compare_rules function shows the difference is indeed stringy ports (similar to an issue closed a few years ago):

old_rule:

   "destination_port_ranges":[
      "80",
      "443"
   ],

rule:

   "destination_port_ranges":[
      80,
      443
   ]

So if I do:

    vars:
      inbound_ports:
      - "{{ http_port | string }}"
      - "{{ https_port | string }}"

then I get the ok I was expecting.

Issue Type

Bug Report

Component Name

azure_rm_securitygroup

Ansible Version

$ ansible --version
ansible 2.9.6
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/mark/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.5 (default, Jan 27 2021, 15:41:15) [GCC 9.3.0]

Configuration

$ ansible-config dump --only-changed
<none>

OS / Environment

$ uname -a
Linux LAPTOP-C174AA6M 5.4.72-microsoft-standard-WSL2 #1 SMP Wed Oct 28 23:40:43 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"

Steps to Reproduce

---
# note: this is a redacted version of my real playbook, most variables come from group_vars etc rather than the playbook itself in real life
- name: Add azure network rules
  hosts: all
  vars:
    http_port: 80
    https_port: 443
    app_environment: dev
  tasks:
  - name: Allow clients access to baz on 80/443
    azure.azcollection.azure_rm_securitygroup:
      profile: "{{ app_environment }}"
      resource_group: foo
      name: bar
      rules:
      - name: XXX-web-traffic-whitelist-{{ item.name }}
        protocol: Tcp
        destination_port_range: "{{ inbound_ports }}"
        access: Allow
        priority: "{{ item.number | int + 4000 }}"
        source_address_prefix: "{{ item.ips }}"
        direction: Inbound
    delegate_to: 127.0.0.1
    loop: "{{ clients }}"
    loop_control:
      label: "Allow XXX-web-traffic-whitelist-{{ item.name }} ({{ item.number }})"
    vars:
      inbound_ports:
      - "{{ http_port }}"
      - "{{ https_port }}"
      clients:
      - name: ABC
        number: 1
        ips:
        - 12.34.56.78/32
        - 23.45.67.89/32
      - name: DEF
        number: 2
        ips:
        - 45.56.78.90/32
        - 1.2.3.0/24

Expected Results

(second run)

PLAY [Add azure network rules] ***************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************
ok: [nat-vm-1]

TASK [Allow clients access to NAT on 80/443] *************************************************************************************************************************************
ok: [nat-vm-1 -> 127.0.0.1] => (item=Allow XXXX-web-traffic-whitelist-ABC (1))
ok: [nat-vm-1 -> 127.0.0.1] => (item=Allow XXXX-web-traffic-whitelist-DEF (2))

PLAY RECAP ***********************************************************************************************************************************************************************
nat-vm-1                   : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Actual Results

(second run)

PLAY [Add azure network rules] ***************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************
ok: [nat-vm-1]

TASK [Allow clients access to NAT on 80/443] *************************************************************************************************************************************
changed: [nat-vm-1 -> 127.0.0.1] => (item=Allow XXXX-web-traffic-whitelist-ABC (1))
changed: [nat-vm-1 -> 127.0.0.1] => (item=Allow XXXX-web-traffic-whitelist-DEF (2))

PLAY RECAP ***********************************************************************************************************************************************************************
nat-vm-1                   : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@Fred-sun Fred-sun added bug Something isn't working has_pr PR fixes have been made medium_priority Medium priority labels Apr 28, 2021
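
The mismatch reported above, as an added example that is not part of the original issue and not the module's own code: a strict comparison of a desired rule against the rule read back from Azure flags `destination_port_ranges` as changed when one side holds integers and the other strings, while a comparison over normalized values does not. The helper names (`normalize_rule`, `diff_fields`), the sample rule name and priority, and treating port lists as order-insensitive are assumptions made for this sketch.

```python
# Added illustration; not code from azure.azcollection.
# Sample rules are constructed, modelled on the old_rule / rule dumps in the issue.

LIST_KEYS = ("destination_port_ranges",)  # list-valued fields to normalize

# What the API returned for the existing rule: ports as strings.
EXISTING = {
    "name": "web-allow",          # constructed name
    "protocol": "Tcp",
    "access": "Allow",
    "direction": "Inbound",
    "priority": 4001,             # constructed value
    "destination_port_ranges": ["80", "443"],
}
# What the playbook produced after templating: ports as integers.
DESIRED = dict(EXISTING, destination_port_ranges=[80, 443])
# A genuine change (extra port) that must still be detected.
DESIRED_EXTRA_PORT = dict(EXISTING, destination_port_ranges=[80, 443, 8443])


def normalize_rule(rule):
    """Return a copy with port lists as sorted, de-duplicated strings.

    Strings are kept (not ints) so ranges like "8000-8100" and "*" survive.
    """
    out = dict(rule)
    for key in LIST_KEYS:
        value = out.get(key)
        if value is not None:
            out[key] = sorted({str(p).strip() for p in value})
    return out


def diff_fields(desired, existing, normalize=False):
    """List the keys of `desired` whose values differ from `existing`."""
    if normalize:
        desired, existing = normalize_rule(desired), normalize_rule(existing)
    return sorted(k for k in desired if desired[k] != existing.get(k))


if __name__ == "__main__":
    print("strict     :", diff_fields(DESIRED, EXISTING))
    print("normalized :", diff_fields(DESIRED, EXISTING, normalize=True))
    print("extra port :", diff_fields(DESIRED_EXTRA_PORT, EXISTING, normalize=True))
```

A spurious `changed` on a network security group task hides real rule drift in run reports, so the normalized comparison still has to report the extra-port case.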