Page MenuHomeVyOS Platform
Create Task
Maniphest T7701

Ansible shows change when there is no change
Closed, ResolvedPublicBUG
Actions

Description

If i delete a non-existing firewall rule and an existing rule starts with the same numbers as the ID i deleted, ansible will show a change, even if it does not change the config.

---
- name: Test vyos idempotency
  hosts: devhost
  tasks:
    - name: Create a test rule
      vyos.vyos.vyos_config:
        lines:
          - set firewall ipv4 input filter rule 999 description "testrule"
          - set firewall ipv4 input filter rule 999 action accept

    - name:  Delete non-existing rule
      vyos.vyos.vyos_config:
        lines:
          - delete firewall ipv4 input filter rule 8

    - name:  Delete non-existing rule with id that starts similar to an existing one
      vyos.vyos.vyos_config:
        lines:
          - delete firewall ipv4 input filter rule 9

The Third step will always show a change, even if there was no rule deleted, the second step will just show an "ok" since it did not change anything.

Tested with:




ansible [core 2.17.12]
  python version = 3.12.3 (main, Jun 18 2025, 17:59:45) [GCC 13.3.0] (/usr/bin/python3)
  jinja version = 3.1.2

 
vyos.vyos                                6.0.0



Details
Version 
1.4 
Is it a breaking change? 
Stricter validation 
Issue type 
Bug (incorrect behavior) 
Event Timeline
nicolasberens created this task.Aug 8 2025, 1:24 PM
pasik subscribed.Aug 9 2025, 11:07 AM
evgmol claimed this task.Aug 10 2025, 6:39 AM
evgmol added a comment.Aug 10 2025, 6:50 AM
Hi @nicolasberens 

That is interesting - when I use rule 5 for example - there is also no change



- name:  Delete non-existing rule with id that starts similar to an existing one
  vyos.vyos.vyos_config:
    lines:
      - delete firewall ipv4 input filter rule 5



output:



ok: [vyos142] => {
    "changed": false,
    "commands": [],
    "filtered": [],
    "invocation": {
        "module_args": {
            "backup": false,
            "backup_options": null,
            "comment": "configured by vyos_config",
            "config": null,
            "lines": [
                "delete firewall ipv4 input filter rule 5"
            ],
            "match": "line",
            "save": false,
            "src": null
        }
    }
}



So it appears that match is too greedy and does not distinguish '9', or '999'
evgmol added a comment.Aug 11 2025, 11:22 AM
@nicolasberens Raising PR https://github.com/vyos/vyos.vyos/pull/430 to make vyos_config and cliconf less greedy
dmbaturin closed this task as Resolved.Sep 22 2025, 12:32 PM
dmbaturin triaged this task as High priority.
dmbaturin subscribed.
https://github.com/vyos/vyos.vyos/pull/430 is merged.