Correct indentation in ACL comparator (#564)

bewing · roverflow · Ruchip16 · web-flow · commit 5f9357da5c1f · 2025-06-05T19:02:02.000+05:30
* Add unit test for #512 * Correct indentation of ACL comparator Only check for missing wanted ACLs after processing all had ACLs, not just the first one. Addresses #512 * Add changelog entry for replaced acls idempotency * Correct ACL replaced idempotency check An idempotency check should ensure that there is NO change and NO commands. --------- Co-authored-by: Vinay M <63404819+roverflow@users.noreply.github.com> Co-authored-by: Ruchi Pakhle <72685035+Ruchip16@users.noreply.github.com> Co-authored-by: Sagar Paul <sagpaul@redhat.com>
diff --git a/changelogs/fragments/fix_acls_replace_idemp.yaml b/changelogs/fragments/fix_acls_replace_idemp.yaml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - Fixed idempotency when using `replaced` state on host with multiple ACLs present.
diff --git a/plugins/module_utils/network/eos/config/acls/acls.py b/plugins/module_utils/network/eos/config/acls/acls.py
@@ -278,23 +278,23 @@ def _state_replaced(self, want, have):
                                         config_cmds.append(
                                             list(itertools.chain(*cmds)),
                                         )
-                            if name not in ace_names:
-                                for w_ace in want_ace:
-                                    w = [
-                                        {
-                                            "afi": afi,
-                                            "acls": [
-                                                {
-                                                    "name": name,
-                                                    "aces": [w_ace],
-                                                },
-                                            ],
-                                        },
-                                    ]
-                                    cmds = set_commands(w, have)
-                                    config_cmds.append(
-                                        list(itertools.chain(*cmds)),
-                                    )
+                        if name not in ace_names:
+                            for w_ace in want_ace:
+                                w = [
+                                    {
+                                        "afi": afi,
+                                        "acls": [
+                                            {
+                                                "name": name,
+                                                "aces": [w_ace],
+                                            },
+                                        ],
+                                    },
+                                ]
+                                cmds = set_commands(w, have)
+                                config_cmds.append(
+                                    list(itertools.chain(*cmds)),
+                                )
 
         if remove_cmds:
             remove_cmds = list(itertools.chain(*remove_cmds))
diff --git a/tests/integration/targets/eos_acls/tests/common/replaced.yaml b/tests/integration/targets/eos_acls/tests/common/replaced.yaml
@@ -113,8 +113,8 @@
 
     - ansible.builtin.assert:
         that:
-          - result.changed == true
-          - result.commands|length == 2
+          - result.changed == false
+          - result.commands|length == 0
           - ansible_facts.network_resources.acls|symmetric_difference(result.before)
             == []
   always:
diff --git a/tests/unit/modules/network/eos/fixtures/eos_acls_idempotent.cfg b/tests/unit/modules/network/eos/fixtures/eos_acls_idempotent.cfg
@@ -0,0 +1,12 @@
+ip access-list TEST-LIST-1
+   10 remark test
+   20 permit tcp 192.0.2.0/24 any eq https log
+!
+ip access-list TEST-LIST-2
+   10 remark test
+   20 permit tcp 192.0.2.0/24 any eq https log
+!
+ip access-list TEST-LIST-3
+   10 remark test
+   20 permit tcp 192.0.2.0/24 any eq https log
+!
diff --git a/tests/unit/modules/network/eos/test_eos_acls.py b/tests/unit/modules/network/eos/test_eos_acls.py
@@ -397,6 +397,61 @@ def test_eos_acls_deletedafis(self):
         commands = ["no ip access-list test1"]
         self.execute_module(changed=True, commands=commands)
 
+    def test_eos_two_acls_idempotent(self):
+        set_module_args(
+            dict(
+                config=[
+                    dict(
+                        afi="ipv4",
+                        acls=[
+                            dict(
+                                name="TEST-LIST-1",
+                                aces=[
+                                    dict(
+                                        sequence="10",
+                                        remark="test",
+                                    ),
+                                    dict(
+                                        sequence="20",
+                                        grant="permit",
+                                        source=dict(subnet_address="192.0.2.0/24"),
+                                        destination=dict(
+                                            any="true",
+                                            port_protocol=dict(eq="https"),
+                                        ),
+                                        protocol="tcp",
+                                        log="true",
+                                    ),
+                                ],
+                            ),
+                            dict(
+                                name="TEST-LIST-2",
+                                aces=[
+                                    dict(
+                                        sequence="10",
+                                        remark="test",
+                                    ),
+                                    dict(
+                                        sequence="20",
+                                        grant="permit",
+                                        log="true",
+                                        destination=dict(
+                                            any="true",
+                                            port_protocol=dict(eq="https"),
+                                        ),
+                                        protocol="tcp",
+                                        source=dict(subnet_address="192.0.2.0/24"),
+                                    ),
+                                ],
+                            ),
+                        ],
+                    ),
+                ],
+                state="replaced",
+            ),
+        )
+        self.execute_module(changed=False, commands=[], filename="eos_acls_idempotent.cfg")
+
     def test_eos_acls_gathered(self):
         set_module_args(dict(config=[], state="gathered"))
         result = self.execute_module(

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+bugfixes:`
	`3`	+ - Fixed idempotency when using `replaced` state on host with multiple ACLs present.