We found in Fuel when trying to leverage nova_security_group and nova_security_rule that they are not idempotent (see Bug 1570862). I tested with the latest version of the code and was able to replicate the non-idempotent nature of these providers.
First run...
Notice: /Stage[main]/Main/Nova_security_group[global_ssh]/ensure: created
Notice: /Stage[main]/Main/Nova_security_group[global_http]/ensure: created
Notice: /Stage[main]/Main/Nova_security_group[allow_all]/ensure: created
Notice: /Stage[main]/Main/Nova_security_rule[all_02]/ensure: created
Notice: /Stage[main]/Main/Nova_security_rule[http_02]/ensure: created
Notice: /Stage[main]/Main/Nova_security_rule[all_03]/ensure: created
Notice: /Stage[main]/Main/Nova_security_rule[ssh_01]/ensure: created
Notice: /Stage[main]/Main/Nova_security_rule[all_01]/ensure: created
Notice: /Stage[main]/Main/Nova_security_rule[http_01]/ensure: created
Second run...
Info: Applying configuration version '1460844864'
Notice: /Stage[main]/Main/Nova_security_group[global_ssh]/description: defined 'description' as 'Allow SSH traffic'
Notice: /Stage[main]/Main/Nova_security_group[global_http]/description: defined 'description' as 'Allow HTTP traffic'
Notice: /Stage[main]/Main/Nova_security_group[allow_all]/description: defined 'description' as 'Allow all traffic'
Error: Execution of '/bin/nova secgroup-add-rule allow_all udp 1 65535 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 4 (HTTP 400) (Request-ID: req-d19b85b4-1bef-4780-a5db-3734c7ac2b9f)
Error: /Stage[main]/Main/Nova_security_rule[all_02]/ensure: change from absent to present failed: Execution of '/bin/nova secgroup-add-rule allow_all udp 1 65535 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 4 (HTTP 400) (Request-ID: req-d19b85b4-1bef-4780-a5db-3734c7ac2b9f)
Error: Execution of '/bin/nova secgroup-add-rule global_http tcp 443 443 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 3 (HTTP 400) (Request-ID: req-c97d8b23-a15e-42bb-b11e-642a0ea7b195)
Error: /Stage[main]/Main/Nova_security_rule[http_02]/ensure: change from absent to present failed: Execution of '/bin/nova secgroup-add-rule global_http tcp 443 443 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 3 (HTTP 400) (Request-ID: req-c97d8b23-a15e-42bb-b11e-642a0ea7b195)
Error: Execution of '/bin/nova secgroup-add-rule allow_all icmp 1 255 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 4 (HTTP 400) (Request-ID: req-233366fc-f8f5-45c2-aca1-786e0dfcd3ea)
Error: /Stage[main]/Main/Nova_security_rule[all_03]/ensure: change from absent to present failed: Execution of '/bin/nova secgroup-add-rule allow_all icmp 1 255 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 4 (HTTP 400) (Request-ID: req-233366fc-f8f5-45c2-aca1-786e0dfcd3ea)
Error: Execution of '/bin/nova secgroup-add-rule global_ssh tcp 22 22 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 2 (HTTP 400) (Request-ID: req-ac4119d7-cc7e-4d0f-98b8-872cf4fba85f)
Error: /Stage[main]/Main/Nova_security_rule[ssh_01]/ensure: change from absent to present failed: Execution of '/bin/nova secgroup-add-rule global_ssh tcp 22 22 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 2 (HTTP 400) (Request-ID: req-ac4119d7-cc7e-4d0f-98b8-872cf4fba85f)
Error: Execution of '/bin/nova secgroup-add-rule allow_all tcp 1 65535 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 4 (HTTP 400) (Request-ID: req-7bda21e0-d7cc-4ef1-9ecf-3e25c52f23f5)
Error: /Stage[main]/Main/Nova_security_rule[all_01]/ensure: change from absent to present failed: Execution of '/bin/nova secgroup-add-rule allow_all tcp 1 65535 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 4 (HTTP 400) (Request-ID: req-7bda21e0-d7cc-4ef1-9ecf-3e25c52f23f5)
Error: Execution of '/bin/nova secgroup-add-rule global_http tcp 80 80 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 3 (HTTP 400) (Request-ID: req-e28ec016-b0b4-41c9-b2cd-fbec0f9d6771)
Error: /Stage[main]/Main/Nova_security_rule[http_01]/ensure: change from absent to present failed: Execution of '/bin/nova secgroup-add-rule global_http tcp 80 80 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 3 (HTTP 400) (Request-ID: req-e28ec016-b0b4-41c9-b2cd-fbec0f9d6771)
Notice: Finished catalog run in 100.31 seconds
Fix proposed to branch: master
Review: https://review.openstack.org/306787