Pearl1594 commented on PR #242:
URL: https://github.com/apache/cloudstack-terraform-provider/pull/242#issuecomment-3403336661

   @CodeBleu I was testing your observation, by first creating ACL rules using 
the previous version, 0.5.0:
   ```hcl
   resource "cloudstack_network_acl_rule" "default" {
     acl_id = cloudstack_network_acl.default.id
   
     rule {
       action       = "allow"
       cidr_list    = ["10.0.0.0/24"]
       protocol     = "tcp"
       ports        = ["80-81", "8080", "443", "2222-2224"]
       traffic_type = "ingress"
     }
   }
   ```
   After moving to the latest release, now 0.6.0-rc3, we first would have to 
delete the ports as you mentioned and then re-add the rules using `port`. This 
was done because we cannot use `ports` and `rule_number` together.
   Once the ports are deleted, re-add them following the new schema (i.e., using 
`port`):
   
   ```hcl
   resource "cloudstack_network_acl_rule" "default" {
     acl_id = cloudstack_network_acl.default.id
   
     rule {
       action       = "allow"
       cidr_list    = ["10.0.0.0/24"]
       protocol     = "tcp"
       port         = "80-81"
       traffic_type = "ingress"
       rule_number  = 7
     }
   
     rule {
       action       = "allow"
       cidr_list    = ["10.0.0.0/24"]
       protocol     = "tcp"
       port         = "8080"
       traffic_type = "ingress"
     }
   
     rule {
       action       = "allow"
       cidr_list    = ["10.0.0.0/24"]
       protocol     = "tcp"
       port         = "443"
       traffic_type = "ingress"
       rule_number  = 5
     }
   
     rule {
       action       = "allow"
       cidr_list    = ["10.0.0.0/24"]
       protocol     = "tcp"
       port         = "2222-2224"
       traffic_type = "ingress"
     }
   }
   ```
   This resulted in the following order in ACS:
   - 80-81 -> rule_number: 1
   - 8080 -> rule_number: 2
   - 443 -> rule_number: 5
   - 2222-2224 -> rule_number: 6
   
   At this point, in the terraform.tfstate file the rule_numbers for all rules 
except 443 are 0 (here is where the issue lies, as the read function isn't 
storing the rule number in the state). However, since 443 had the rule_number 
explicitly set in the config, it gets updated, which is why, when I went on to 
change the rule number of the ACL rule for port 80-81 (which is currently 1) to 
7, it identified the change as 0 -> 7, which is what you observed as well.
   
   And the resultant list of ACL rules on ACS looks like:
   
   <img width="1160" height="741" alt="image" src="https://github.com/user-attachments/assets/288195d7-73c0-4ebc-a630-ed8bc8818d8e" />
   
   So yes, there seems to be an issue, but do you think it's a blocker? I 
believe if all ACL rules have a rule number set, we can work around the issue 
observed.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
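The "0 -> 7" plan that the comment above describes comes from a Read function that rebuilds state from the API but never copies the server-assigned rule number back, so the value Create wrote (the config value, or 0 when the config omitted `rule_number`) survives every refresh. The following Go program, added here by the editor and not taken from the cloudstack-terraform-provider code base, models that mechanism with plain structs in place of the SDK's ResourceData. The API listing and the post-Create state are constructed to match the numbers reported in the comment; treating an omitted `rule_number` (0) as Optional+Computed, so the stored value is kept instead of being forced back to 0, is an assumption about the schema, not something the thread confirms.

```go
package main

import "fmt"

// aclRule holds the two attributes of a cloudstack_network_acl_rule "rule"
// block that matter here. RuleNumber 0 means "not set", which is what a
// Terraform int attribute reads as when the config omits it.
type aclRule struct {
	Port       string
	RuleNumber int
}

// apiRule stands in for one entry of the CloudStack ACL listing: the
// management server always assigns a number, whether or not the config set one.
type apiRule struct {
	Port   string
	Number int
}

// configRules is the state as written right after Create: the config values,
// so only 443 carries a number. Constructed to match the comment above.
func configRules() []aclRule {
	return []aclRule{
		{Port: "80-81"}, {Port: "8080"}, {Port: "443", RuleNumber: 5}, {Port: "2222-2224"},
	}
}

// apiListing is a constructed API response with the numbering the comment
// reports CloudStack having assigned to the four rules.
func apiListing() []apiRule {
	return []apiRule{{"80-81", 1}, {"8080", 2}, {"443", 5}, {"2222-2224", 6}}
}

// refresh is what a provider's Read function does: it rebuilds the stored
// state from the API response. With copyRuleNumber=false it models the defect
// described in the comment (rule_number is never read back), so whatever
// Create wrote, 0 for unnumbered rules, survives every refresh.
func refresh(prev []aclRule, resp []apiRule, copyRuleNumber bool) []aclRule {
	byPort := make(map[string]int, len(prev))
	for _, r := range prev {
		byPort[r.Port] = r.RuleNumber
	}
	out := make([]aclRule, 0, len(resp))
	for _, a := range resp {
		n := byPort[a.Port] // stale value carried over from the previous state
		if copyRuleNumber {
			n = a.Number // authoritative value from the server
		}
		out = append(out, aclRule{Port: a.Port, RuleNumber: n})
	}
	return out
}

// planRuleNumber returns the diff Terraform would print for one rule's
// rule_number when the config sets it to want, or "" when nothing changes.
// want == 0 means the config omits the attribute; it is treated as
// Optional+Computed here (an assumption about the schema), so the stored
// value is kept rather than forced back to 0.
func planRuleNumber(state []aclRule, port string, want int) string {
	for _, r := range state {
		if r.Port != port {
			continue
		}
		if want == 0 || want == r.RuleNumber {
			return ""
		}
		return fmt.Sprintf("rule[%s].rule_number: %d -> %d", port, r.RuleNumber, want)
	}
	return fmt.Sprintf("rule[%s]: not in state", port)
}

func main() {
	// Same config change (80-81 from server-assigned 1 to 7), once against a
	// state produced by the defective Read and once against a correct one.
	for _, fixed := range []bool{false, true} {
		state := refresh(configRules(), apiListing(), fixed)
		fmt.Printf("read copies rule_number=%v: %s\n", fixed, planRuleNumber(state, "80-81", 7))
	}
}
```

With the defective refresh the plan reads `0 -> 7`, exactly what the thread reports; once Read copies the number the same edit reads `1 -> 7`, and a rule whose config omits `rule_number` keeps the server's value instead of showing drift on every plan. That second property is why simply numbering every rule in the config, as the comment suggests, works around the symptom: the state value then comes from Create/Update rather than from a Read that never stores it.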
