[BUG] idempotency of rule fails on datasource_programs ruleset

[alien999999999]

Verify first that your issue is not already reported here.
Where possible also test if the latest release and main branch are affected too.
Complete all sections as described!

Describe the bug

Executing this rule repeatedly gets you an extra rule every time

Component Name

Component Name: rule

Ansible Version

$ ansible --version
ansible [core 2.15.3]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.5 (main, Oct 25 2023, 16:19:59) [GCC 8.5.0 20210514 (Red Hat 8.5.0-20)] (/usr/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True

Checkmk Version and Edition

Checkmk Raw Edition 2.2.0p21

Collection Version

$ ansible-galaxy collection list

To Reproduce
Steps to reproduce the behavior:

1. Use yaml below
2. execute it multiple times
3. See that there are multiple identical rules

Expected behavior

ok [checkmk]

Actual behavior

changed [checkmk]

Minimum reproduction example

- name: add tag group
  checkmk.general.tag_group:
          name: ssh
          title: SSH
          topic: Tags
          tags:
                  - id: ssh_none
                    title: Normal agent(no SSH)
                  - id: ssh_secure
                    title: Reach agent through SSH(Secure)
- name: add ssh rule
  checkmk.general.rule:
          ruleset: datasource_programs
          rule:
                  location:
                          folder: "/"
                  conditions:
                          host_tags:
                                  - key: ssh
                                    operator: is
                                    value: ssh_secure
                  properties:
                          description: ssh datasource for ssh_secure host tags
                  value_raw: "'ssh -T root@$HOSTNAME$'"
          state: present

Additional context

[robin-checkmk]

This is related to #186.

You can try to add more conditions to ensure idempotency. We are aware, that the current state is not great, but it is out of our hands. We can only provide viable workarounds.

Try this:

- name: add ssh rule
  checkmk.general.rule:
          ruleset: datasource_programs
          rule:
                  location:
                          folder: "/"
                  conditions:
                          host_labels: []
                          service_labels: []
                          host_tags:
                                  - key: ssh
                                    operator: is
                                    value: ssh_secure
                  properties:
                          description: ssh datasource for ssh_secure host tags
                  value_raw: "'ssh -T root@$HOSTNAME$'"
          state: present

[alien999999999]

ok, i'll try, but i'll be going on holiday for a week, so it'll have to wait a bit :-)

[alien999999999]

I added host_labels and service_labels , but sadly, that didn't fix the issue; similar issues with special_agents:vsphere and snmp_communities

should i use more conditions to try and fix this, or does it not work because the labels are empty?

maybe i should just delete the rules.mk file and start over every time? but i'd rather not do that...

[alien999999999]

it seems adding disabled: false may solve the issues... i don't get why this and the labels cannot have default values? but it also does not complain if these are not added...
I would like this to change that the labels en disabled actually have default values that still work for the workaround idempotency please

[alien999999999]

So, i have it(idempotency workaround) working for the "datasource_programs" rule, but not for snmp_communities and special_agents:vsphere , but the only difference really is the rule and that i'm using host_name instead of host_tags? :

- name: add ssh rule      
  checkmk.general.rule:   
          ruleset: datasource_programs
          rule:
                  location:
                          folder: "/"
                  conditions:
                          host_labels: []
                          service_labels: []
                          host_tags: 
                                  - key: ssh
                                    operator: is
                                    value: ssh_secure
                  properties:             
                          comment: "Ansible managed"
                          description: ssh datasource for ssh_secure host tags
                          disabled: false
                  value_raw: "'ssh -T root@$HOSTNAME$'"
          state: present

- name: Add SNMP rule
  checkmk.general.rule:
          ruleset: snmp_communities
          rule:
                  location:
                          folder: "/"
                  conditions:
                          host_labels: []
                          service_labels: []
                          host_tags: []
                          host_name:
                                  operator: one_of
                                  match_on:
                                          - "{{ host.name }}"
                  properties:
                          comment: "Ansible managed"
                          description: password for snmp {{ host.name }}
                          disabled: false
                  value_raw: "('{{ host.snmp }}')"
          state: present
  when: host.snmp is defined
- name: Add ESX rule      
  checkmk.general.rule:   
          ruleset: special_agents:vsphere
          rule:
                  location:
                          folder: "/"
                  conditions:
                          host_labels: []
                          service_labels: []
                          host_tags: []
                          host_name:
                                  operator: one_of
                                  match_on:
                                          - "{{ host.name }}"
                  properties:
                          comment: "Ansible managed"
                          description: password for ESX {{ host.name }}
                          disabled: false
                  value_raw: "{ 'direct': True, 'infos': ['hostsystem', 'virtualmachine', 'datastore', 'counters'], 'secret': '{{ host.esx }}', 'skip_placeholder_vms': True, 'spaces': 'underscore', 'use_pysphere': False, 'user': 'root', 'ssl': False, 'snapshots_on_host': False}"
          state: present
  when: host.esx is defined

[robin-checkmk]

@alien999999999 as has already been explained in other issues, this is a general problem and neither specific to distinct rule sets, nor something we can quickly fix. Hence, I will close this issue and ask you to review the initially linked issue and maybe refer to the forum to exchange ideas and workarounds.

Thank you for your understanding.

[alien999999999]

I reread the initially linked issue and contrary to it's title (and original issue) it did end up being about this. It seems to me the workarounds for idempotency on rules (because checkmk code is not great about this atm) work for some rulesets, but some rulesets have different requirements for idempotency; or just plainly not work... I think the only real way to ensure idempotency on rules is to redesign this part of checkmk; start by adding a unique id; it may at least enable some easier idempotency workarounds

[robin-checkmk]

We are actually currently reworking the rule module in this collection to better account for the already existing rule IDs in Checkmk. That still does not solve all the issues, but rest assured, we are doing our best to improve with every release. Sometimes they are baby steps, but we are certainly moving forward! 👟