ios_route_maps module unexpectedly removes or negates ACLs, unnecessary negate, maybe causing intermittent issues in production

[ginsul]

SUMMARY

When using ios.ios_route_maps with an ACL in a route map, the configuration negates or removes the ACL unexpectedly. This behavior may cause intermittent issues in production environments. (removing acl 185 and 186, it should be just remove acl 186)

route-map TO_OUT permit 10
 match ip address 185 186
 set as-path prepend 1321

become

route-map TO_OUT permit 10
 match ip address 185
 set as-path prepend 1321

    "changed": true,
    "commands": [
        "route-map TO_OUT permit 10",
        "no match ip address 185 186",
        "match ip address 185"

expect to :

    "changed": true,
    "commands": [
        "route-map TO_OUT permit 10",
        "no match ip address 186"

ISSUE TYPE

• Bug Report

COMPONENT NAME

ios.ios_route_maps

ANSIBLE VERSION

ansible --version
ansible [core 2.12.6]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/usr/local/lib/python3.8/site-packages/napalm_ansible/modules', '/data/hpe/hpe-cw7-ansible-main/library']
  ansible python module location = /usr/local/lib/python3.8/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.8.10 (default, Jun 19 2022, 06:17:58) [GCC 5.4.0 20160609]
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION

ansible-galaxy collection list | grep ios
cisco.ios                     2.8.1

CONFIGURATION

ansible-config dump --only-changed
DEFAULT_ACTION_PLUGIN_PATH(/etc/ansible/ansible.cfg) = ['/usr/local/lib/python3.8/site-packages/napalm_ansible/plugins/action']
DEFAULT_MODULE_PATH(/etc/ansible/ansible.cfg) = ['/usr/local/lib/python3.8/site-packages/napalm_ansible/modules', '/data/hpe/hpe-cw7-ansible-main/library']
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False

OS / ENVIRONMENT

cisco IOS-XE CSR1000V

STEPS TO REPRODUCE

When applying a configuration using the ios_route_maps module, it removes or negates ACLs defined in the route map unexpectedly.

- hosts: cisco
  gather_facts: no
  connection: network_cli
  vars:
    - ansible_python_interpreter: /usr/local/bin/python3.8
    - ansible_user: u
    - ansible_password: u123
    - ansible_network_os: ios

  tasks:
    - name: Use Route Maps resource module to gather existing configuration
      cisco.ios.ios_route_maps:
        config:
          - route_map: TO_OUT
            entries:
              - sequence: 10
                action: permit
                match:
                  ip:
                    address:
                      acls:
                        - "185"
                set:
                  as_path:
                    prepend:
                      as_number:
                        - "1321"
        state: replaced

EXPECTED RESULTS

ACL 185 should not be removed or negated, and the configuration should be applied correctly.
Because it's already, it should be just

    "changed": true,
    "commands": [
        "route-map TO_OUT permit 10",
        "no match ip address 186"

ACTUAL RESULTS

    "changed": true,
    "commands": [
        "route-map TO_OUT permit 10",
        "no match ip address 185 186",
        "match ip address 185"

route-map TO_OUT permit 10
 match ip address 185 186
 set as-path prepend 1321