Firewalld module and check / diff modes

James Birkett

Mar 12, 2018, 2:16:50 AM3/12/18
to Ansible Project
When using the templates module, I find running ansible-playbook --check --diff really useful. If anything has been added to or removed from the config file on the server for any reason, ansible shows me the diff.

My question is if there is any way to achieve similar functionality when using the firewalld module. Let's say for example I have a play like this:

- name: Add source addresses to zone
  firewalld:
    source: "{{ item }}"
    zone: privateAccess
    state: enabled
    permanent: true
  with_items:
    - 10.0.0.0/8          # VPN range
    - 198.51.100.137/32   # main office IP address
    - 203.0.113.0/24      # datacentre public network range

If someone removed one of those IP addresses from the zone for some reason, --check --diff mode will tell me they're missing, but unlike the case with the templates module, if someone added their home IP address to the privateAccess zone on the server manually, running the playbook in --check --diff mode won't tell me that this item has changed.

If I want to ensure that only those IP address ranges specified are configured as source addresses for the zone, I could of course delete the zone and re-create it from scratch, but if I did that, --check mode no longer works at all; the delete zone, create zone and add source addresses to zone steps will always report that they have changed.

Is there a way to make --check --diff mode report that IP addresses were present in the zone on the server that are not specified in the ansible playbook?

Thanks very much,

-- 
James Birkett
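One way to get the missing direction of the comparison (sources present on the host but absent from the playbook) is to read the zone's current source list with firewall-cmd and compare it against the desired list in a task that still runs under --check. This is an added example, not part of the original post or of the firewalld module; the host group name `firewalls` is an assumption, and the zone name and source list are taken from the play above.

```yaml
# Added example (not from the original post). Reports drift in both directions
# for the privateAccess zone, even when the playbook is run with --check.
- name: Report source-address drift in the privateAccess zone
  hosts: firewalls          # assumed inventory group
  become: true
  vars:
    private_access_sources:
      - 10.0.0.0/8          # VPN range
      - 198.51.100.137/32   # main office IP address
      - 203.0.113.0/24      # datacentre public network range
  tasks:
    - name: Read the sources currently configured in the permanent zone
      ansible.builtin.command:
        cmd: firewall-cmd --permanent --zone=privateAccess --list-sources
      register: zone_sources
      changed_when: false   # read-only, never counts as a change
      check_mode: false     # run even under --check so the comparison has real data

    - name: Work out what differs between the host and the playbook
      ansible.builtin.set_fact:
        # --list-sources prints the sources space-separated on one line
        extra_on_host: "{{ zone_sources.stdout.split() | difference(private_access_sources) }}"
        missing_on_host: "{{ private_access_sources | difference(zone_sources.stdout.split()) }}"

    - name: Show the drift in both directions
      ansible.builtin.debug:
        msg:
          extra_on_host: "{{ extra_on_host }}"
          missing_on_host: "{{ missing_on_host }}"

    - name: Fail when the host has sources the playbook does not declare
      ansible.builtin.assert:
        that: extra_on_host | length == 0
        fail_msg: "Unexpected sources in privateAccess: {{ extra_on_host }}"
        success_msg: "No undeclared sources in privateAccess"

    # The original task still adds anything missing (and is skipped in --check).
    - name: Add source addresses to zone
      ansible.posix.firewalld:
        source: "{{ item }}"
        zone: privateAccess
        state: enabled
        permanent: true
      loop: "{{ private_access_sources }}"
```

The comparison is string-based, so the notation in the playbook has to match what firewall-cmd prints (for example, whether a single host is listed with or without /32); if the two differ on a host, normalise both lists before the difference filter rather than loosening the assert. Because the command task is read-only and marked check_mode: false, --check --diff runs still surface any source someone added by hand, which is the case the firewalld module alone does not report.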