Change security group rules only when instructed to do so

Security group rules in module openstack.cloud.security_group
are changed/updated only when option 'security_group_rules' was
defined explicitly. This follows our policy of "apply no change"
when module options in our Ansible modules have not been set.

Story: 2010691
Task: 47795
Change-Id: I4a0cda46cb160b5321913b63ff1123d8b8a19705

ci/roles/security_group/tasks/rules.yml

@@ -32,7 +32,9 @@
 - name: Assert return values of security_group_rule_info module
   assert:
     that:
-      - security_group_rules.security_group_rules | length == 0
+      - security_group_rules.security_group_rules | length in [1, 2]
+      - security_group_rules.security_group_rules | map(attribute='ether_type') | list | sort in
+        [['IPv4'], ['IPv6'], ['IPv4', 'IPv6']]
 
 - name: Delete security group
   openstack.cloud.security_group:
@@ -58,6 +60,47 @@
     that:
       - security_group is not changed
 
+- name: Create security group without security group rules
+  openstack.cloud.security_group:
+    cloud: "{{ cloud }}"
+    name: ansible_security_group
+    security_group_rules: []
+  register: security_group
+
+- name: Assert return values of security_group module
+  assert:
+    that:
+      - security_group is changed
+
+- name: Create security group without security group rules again
+  openstack.cloud.security_group:
+    cloud: "{{ cloud }}"
+    name: ansible_security_group
+    security_group_rules: []
+  register: security_group
+
+- name: Assert return values of security_group module
+  assert:
+    that:
+      - security_group is not changed
+
+- name: Fetch security group rules
+  openstack.cloud.security_group_rule_info:
+    cloud: "{{ cloud }}"
+    security_group: ansible_security_group
+  register: security_group_rules
+
+- name: Assert return values of security_group_rule_info module
+  assert:
+    that:
+      - security_group_rules.security_group_rules | length == 0
+
+- name: Delete security group without security group rules
+  openstack.cloud.security_group:
+    cloud: "{{ cloud }}"
+    name: ansible_security_group
+    state: absent
+
 - name: Create security group including security group rules
   openstack.cloud.security_group:
     cloud: "{{ cloud }}"
@@ -263,10 +306,11 @@
     name: ansible_security_group
     state: absent
 
-- name: Create security group
+- name: Create security group without security group rules
   openstack.cloud.security_group:
     cloud: "{{ cloud }}"
     name: ansible_security_group
+    security_group_rules: []
     state: present
   register: security_group
 

plugins/modules/security_group.py

@@ -34,8 +34,8 @@ options:
         security group with a default set of rules.
       - Security group rules which are listed in I(security_group_rules)
         but not defined in this security group will be created.
-      - Existing security group rules which are not listed in
+      - When I(security_group_rules) is not set, existing security group rules
-        I(security_group_rules) will be deleted.
+        which are not listed in I(security_group_rules) will be deleted.
       - When updating a security group, one has to explicitly list rules from
         Neutron's defaults in I(security_group_rules) if those rules should be
         kept. Rules which are not listed in I(security_group_rules) will be
@@ -331,6 +331,12 @@ class SecurityGroupModule(OpenStackModule):
 
     def _build_update_security_group_rules(self, security_group):
 
+        if self.params['security_group_rules'] is None:
+            # Consider a change of security group rules only when option
+            # 'security_group_rules' was defined explicitly, because undefined
+            # options in our Ansible modules denote "apply no change"
+            return {}
+
         def find_security_group_rule_match(prototype, security_group_rules):
             matches = [r for r in security_group_rules
                        if is_security_group_rule_match(prototype, r)]