vyos · omnom62 · Aug 19, 2025 · Aug 21, 2025 · Aug 22, 2025 · Aug 22, 2025
@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - vyos_firewall_global - Added 'diff' support
@@ -33,7 +33,10 @@
 from ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.utils.version import (
     LooseVersion,
 )
-from ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.vyos import get_os_version
+from ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.vyos import (
+    get_os_version,
+    load_config,
+)
 
 
 class Firewall_global(ConfigBase):
@@ -74,6 +77,13 @@ def execute_module(self):
         warnings = list()
         commands = list()
 
+        try:
+            self._module.params["comment"]
+        except KeyError:
+            comment = []
+        else:
+            comment = self._module.params["comment"]
+
         if self.state in self.ACTION_STATES:
             existing_firewall_global_facts = self.get_firewall_global_facts()
         else:
@@ -82,6 +92,12 @@ def execute_module(self):
         if self.state in self.ACTION_STATES or self.state == "rendered":
             commands.extend(self.set_config(existing_firewall_global_facts))
 
+        if commands and self._module._diff:
+            commit = not self._module.check_mode
+            diff = load_config(self._module, commands, commit=commit, comment=comment)
+            if diff:
+                result["diff"] = {"prepared": str(diff)}
+
         if commands and self.state in self.ACTION_STATES:
             if not self._module.check_mode:
                 self._connection.edit_config(commands)

@@ -10,11 +10,16 @@
       vyos.vyos.vyos_firewall_global: &id001
         config:
         state: deleted
+      diff: true
 
     - name: Assert that the before dicts were correctly generated
       assert:
         that:
           - "{{ populate == result['before'] }}"
+          - item in result.diff.prepared
+      loop: "{{ deleted_diff }}"
+      loop_control:
+        loop_var: item
 
     - name: Assert that the correct set of commands were generated
       assert:
@@ -29,12 +34,14 @@
     - name: Delete attributes of given interfaces (IDEMPOTENT)
       register: result
       vyos.vyos.vyos_firewall_global: *id001
+      diff: true
 
     - name: Assert that the previous task was idempotent
       assert:
         that:
           - result.changed == false
           - result.commands|length == 0
+          - result['diff'] is not defined
 
     - name: Assert that the before dicts were correctly generated
       assert:

@@ -2,6 +2,8 @@
 - debug:
     msg: START vyos_firewall_global merged integration tests on connection={{ ansible_connection }}
 
+- include_tasks: _get_version.yaml
+
 - include_tasks: _remove_config.yaml
 
 - block:
@@ -28,15 +30,33 @@
     - name: Merge the provided configuration with the existing running configuration (IDEMPOTENT)
       register: result
       vyos.vyos.vyos_firewall_global: *id001
+      diff: true
 
     - name: Assert that the previous task was idempotent
       assert:
         that:
           - result['changed'] == false
+          - result['diff'] is not defined
 
     - name: Assert that before dicts were correctly generated
       assert:
         that:
           - "{{ merged['after'] == result['before'] }}"
+
+    - name: Prepare device configurationsfor diff mode test
+      register: result
+      vyos.vyos.vyos_firewall_global:
+        config: "{{ merged['diff_config'] }}"
+        state: merged
+      diff: true
+
+    - name: Assert that correct diff of commands were generated
+      assert:
+        that:
+          - item in result.diff.prepared
+      loop: "{{ merged_diff }}"
+      loop_control:
+        loop_var: item
+
   always:
     - include_tasks: _remove_config.yaml
@@ -29,15 +29,33 @@
     - name: Replace device configurations of listed firewall  with provided configurarions (IDEMPOTENT)
       register: result
       vyos.vyos.vyos_firewall_global: *id001
+      diff: true
 
     - name: Assert that task was idempotent
       assert:
         that:
           - result['changed'] == false
+          - result['diff'] is not defined
 
     - name: Assert that before dict is correctly generated
       assert:
         that:
           - "{{ replaced['after'] == result['before'] }}"
+
+    - name: Replace device configurations and test diff mode
+      register: result
+      vyos.vyos.vyos_firewall_global:
+        config: "{{ replaced['diff_config'] }}"
+        state: replaced
+      diff: true
+
+    - name: Assert that correct diff of commands were generated
+      assert:
+        that:
+          - item in result.diff.prepared
+      loop: "{{ replaced_diff }}"
+      loop_control:
+        loop_var: item
+
   always:
     - include_tasks: _remove_config.yaml
@@ -70,6 +70,39 @@ merged:
           description: This group has the Management network addresses
           members:
             - address: 192.0.1.0/24
+  diff_config:
+    validation: strict
+    log_martians: true
+    syn_cookies: true
+    twa_hazards_protection: true
+    ping:
+      all: true
+      broadcast: true
+    state_policy:
+      - connection_type: established
+        action: accept
+        log: true
+      - connection_type: invalid
+        action: reject
+    route_redirects:
+      - afi: ipv4
+        ip_src_route: true
+        icmp_redirects:
+          send: true
+          receive: false
+    group:
+      address_group:
+        - name: MGMT-HOSTS
+          description: This group has the Management hosts address list
+          members:
+            - address: 192.0.1.1
+            - address: 192.0.1.3
+            - address: 192.0.1.5
+      network_group:
+        - name: MGMT
+          description: This group has the Management network addresses
+          members:
+            - address: 1.1.1.1/32
 
 populate:
   validation: strict
@@ -188,6 +221,44 @@ replaced:
           description: This group has the Management network addresses
           members:
             - address: 192.0.1.0/24
+  diff_config:
+    validation: strict
+    log_martians: true
+    syn_cookies: true
+    twa_hazards_protection: true
+    ping:
+      all: true
+      broadcast: true
+    state_policy:
+      - connection_type: established
+        action: accept
+        log: true
+      - connection_type: invalid
+        action: reject
+    route_redirects:
+      - afi: ipv4
+        ip_src_route: true
+        icmp_redirects:
+          send: true
+          receive: false
+    group:
+      address_group:
+        - name: SALES-HOSTS
+          description: Sales office hosts address list
+          members:
+            - address: 192.0.2.1
+            - address: 192.0.2.2
+            - address: 192.0.2.3
+        - name: ENG-HOSTS
+          description: Sales office hosts address list
+          members:
+            - address: 192.0.3.1
+            - address: 192.0.3.2
+      network_group:
+        - name: MGMT
+          description: This group has the Management network addresses
+          members:
+            - address: 1.1.1.1/32
 
 rendered:
   commands: "{{ rendered_commands }}"

@@ -83,3 +83,13 @@ deleted_commands:
   - "delete firewall"
 
 parsed_config_file: "_parsed_config_1_3.cfg"
+
+replaced_diff:
+  - "+network 1.1.1.1/32"
+  - "-network 192.0.1.0/24"
+
+merged_diff:
+  - "+network 1.1.1.1/32"
+
+deleted_diff:
+  - "-            network 192.0.1.0/24"
@@ -83,3 +83,13 @@ deleted_commands:
   - "delete firewall"
 
 parsed_config_file: "_parsed_config_1_4.cfg"
+
+replaced_diff:
+  - '+ network "1.1.1.1/32"'
+  - '- network "192.0.1.0/24"'
+
+merged_diff:
+  - '+ network "1.1.1.1/32"'
+
+deleted_diff:
+  - '-             network "192.0.1.0/24"'