Add rule number to the terraform state by Pearl1594 · Pull Request #245 · apache/cloudstack-terraform-provider
Thanks @CodeBleu - taking your feedback, I tried to see if it was possible to map whether the rules in the new schema (with `port`) match existing ones and update them should there be any change, but I was hitting multiple issues, so I went ahead with a workflow of replacing the rules.
So this is how it works now:
- Created an ACL with 4 rules using provider version 0.5.0, such that this is how the state looks:
```
$ terraform state show cloudstack_network_acl_rule.default
# cloudstack_network_acl_rule.default:
resource "cloudstack_network_acl_rule" "default" {
    acl_id      = "bc83887d-b84e-45c4-b1ee-8a5de3162368"
    id          = "bc83887d-b84e-45c4-b1ee-8a5de3162368"
    managed     = false
    parallelism = 2

    rule {
        action       = "allow"
        cidr_list    = [
            "10.0.0.0/24",
        ]
        icmp_code    = 0
        icmp_type    = 0
        ports        = [
            "2222-2224",
            "443",
            "80-81",
            "8080",
        ]
        protocol     = "tcp"
        traffic_type = "ingress"
        uuids        = {
            "2222-2224" = "ee243655-bcc6-40cf-8596-53c2083fd1de"
            "443"       = "57bba974-11b5-4dad-a714-7197bd8dd6c7"
            "80-81"     = "68b1db70-2cde-4912-95b6-4860ca49c2ce"
            "8080"      = "83b61cf7-45d6-46e1-965a-af08ef8cc0c0"
        }
    }
}
```
I then applied the new config, where I separated the ports into the new schema, i.e. using `port`. This is how it looks:
```
$ terraform apply
╷
│ Warning: Provider development overrides are in effect
│
│ The following provider development overrides are set in the CLI configuration:
│ - hashicorp.com/dev/cloudstack in /home/pdsilva/sb/terraform/local-providers/hashicorp.com/dev/cloudstack/1.0.0/linux_amd64
│
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
cloudstack_vpc.default: Refreshing state... [id=9c3d41ae-95fd-4ec4-929d-e9328c79d2e6]
cloudstack_network_acl.default: Refreshing state... [id=bc83887d-b84e-45c4-b1ee-8a5de3162368]
cloudstack_network_acl_rule.default: Refreshing state... [id=bc83887d-b84e-45c4-b1ee-8a5de3162368]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # cloudstack_network_acl_rule.default must be replaced
-/+ resource "cloudstack_network_acl_rule" "default" {
      ~ id          = "bc83887d-b84e-45c4-b1ee-8a5de3162368" -> (known after apply)
        # (3 unchanged attributes hidden)

      ~ rule { # forces replacement
          ~ icmp_code    = 0 -> (known after apply)
          ~ icmp_type    = 0 -> (known after apply)
          + port         = "80-81"
          - ports        = [
              - "2222-2224",
              - "443",
              - "80-81",
              - "8080",
            ] -> null
          ~ rule_number  = 4 -> (known after apply)
          ~ uuids        = {
              - "2222-2224" = "ee243655-bcc6-40cf-8596-53c2083fd1de"
              - "443"       = "57bba974-11b5-4dad-a714-7197bd8dd6c7"
              - "80-81"     = "68b1db70-2cde-4912-95b6-4860ca49c2ce"
              - "8080"      = "83b61cf7-45d6-46e1-965a-af08ef8cc0c0"
            } -> (known after apply)
            # (5 unchanged attributes hidden)
        }
      + rule { # forces replacement
          + action       = "allow"
          + cidr_list    = [
              + "10.0.0.0/24",
            ]
          + icmp_code    = (known after apply)
          + icmp_type    = (known after apply)
          + port         = "8080"
          + protocol     = "tcp"
          + rule_number  = (known after apply)
          + traffic_type = "ingress"
          + uuids        = (known after apply)
        }
      + rule { # forces replacement
          + action       = "allow"
          + cidr_list    = [
              + "10.0.0.0/24",
            ]
          + icmp_code    = (known after apply)
          + icmp_type    = (known after apply)
          + port         = "443"
          + protocol     = "tcp"
          + rule_number  = 5
          + traffic_type = "ingress"
          + uuids        = (known after apply)
        }
      + rule { # forces replacement
          + action       = "allow"
          + cidr_list    = [
              + "10.0.0.0/24",
            ]
          + icmp_code    = (known after apply)
          + icmp_type    = (known after apply)
          + port         = "2222-2224"
          + protocol     = "tcp"
          + rule_number  = (known after apply)
          + traffic_type = "ingress"
          + uuids        = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

cloudstack_network_acl_rule.default: Destroying... [id=bc83887d-b84e-45c4-b1ee-8a5de3162368]
cloudstack_network_acl_rule.default: Destruction complete after 2s
cloudstack_network_acl_rule.default: Creating...
cloudstack_network_acl_rule.default: Creation complete after 2s [id=bc83887d-b84e-45c4-b1ee-8a5de3162368]

Apply complete! Resources: 1 added, 0 changed, 1 destroyed.
```
This results in the following in ACS:

Then I attempt to update rule number 1:
```
$ terraform apply
╷
│ Warning: Provider development overrides are in effect
│
│ The following provider development overrides are set in the CLI configuration:
│ - hashicorp.com/dev/cloudstack in /home/pdsilva/sb/terraform/local-providers/hashicorp.com/dev/cloudstack/1.0.0/linux_amd64
│
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
cloudstack_vpc.default: Refreshing state... [id=9c3d41ae-95fd-4ec4-929d-e9328c79d2e6]
cloudstack_network_acl.default: Refreshing state... [id=bc83887d-b84e-45c4-b1ee-8a5de3162368]
cloudstack_network_acl_rule.default: Refreshing state... [id=bc83887d-b84e-45c4-b1ee-8a5de3162368]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # cloudstack_network_acl_rule.default will be updated in-place
  ~ resource "cloudstack_network_acl_rule" "default" {
        id          = "bc83887d-b84e-45c4-b1ee-8a5de3162368"
        # (3 unchanged attributes hidden)

      ~ rule {
          + description  = "updating rule number from 1 -> 7"
          ~ rule_number  = 1 -> 7
            # (9 unchanged attributes hidden)
        }

        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

cloudstack_network_acl_rule.default: Modifying... [id=bc83887d-b84e-45c4-b1ee-8a5de3162368]
cloudstack_network_acl_rule.default: Modifications complete after 1s [id=bc83887d-b84e-45c4-b1ee-8a5de3162368]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Outputs:

acl_id = "bc83887d-b84e-45c4-b1ee-8a5de3162368"
vpc_id = "9c3d41ae-95fd-4ec4-929d-e9328c79d2e6"
```
Successfully updated rule 1, and it is seen on ACS as well:
Do you see this as an acceptable workflow, @CodeBleu?
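The PR comment shows the state and the plans but not the configuration that produced them. The following is an added example, not code from the PR or from the apache/cloudstack-terraform-provider project, reconstructing the two versions of the `cloudstack_network_acl_rule` block that would yield the "must be replaced" plan above. It assumes the attribute names visible in the plan output (`port`, `rule_number`, `description` per `rule` block, `ports` in the 0.5.0 schema) and that the ACL is referenced as `cloudstack_network_acl.default`; the rule numbers and the description text are made up. The two resource blocks are the before and after versions of the same block, shown together for comparison rather than as one file.

```hcl
# --- Before: provider 0.5.0 schema (example, not from the PR) ---
# A single rule block carries a list of ports. The provider creates one ACL
# item per port and records them in state in the `uuids` map keyed by port,
# so the evaluation order of the items is never declared in config.
resource "cloudstack_network_acl_rule" "default" {
  acl_id = cloudstack_network_acl.default.id

  rule {
    action       = "allow"
    cidr_list    = ["10.0.0.0/24"]
    protocol     = "tcp"
    ports        = ["2222-2224", "443", "80-81", "8080"]
    traffic_type = "ingress"
  }
}

# --- After: one rule block per port, with rule_number in config and state ---
# Switching from `ports` to `port` forces replacement (destroy, then create).
# Each block now declares its own rule_number, so the order in which the ACL
# evaluates these items is explicit and a later change to rule_number alone
# is an in-place update, as the second apply above shows.
resource "cloudstack_network_acl_rule" "default" {
  acl_id = cloudstack_network_acl.default.id

  rule {
    action       = "allow"
    cidr_list    = ["10.0.0.0/24"]
    protocol     = "tcp"
    port         = "80-81"
    rule_number  = 1 # assumed value
    description  = "web, evaluated first" # assumed text
    traffic_type = "ingress"
  }

  rule {
    action       = "allow"
    cidr_list    = ["10.0.0.0/24"]
    protocol     = "tcp"
    port         = "8080"
    rule_number  = 2 # assumed value
    traffic_type = "ingress"
  }

  rule {
    action       = "allow"
    cidr_list    = ["10.0.0.0/24"]
    protocol     = "tcp"
    port         = "443"
    rule_number  = 3 # assumed value
    traffic_type = "ingress"
  }

  rule {
    action       = "allow"
    cidr_list    = ["10.0.0.0/24"]
    protocol     = "tcp"
    port         = "2222-2224"
    rule_number  = 4 # assumed value
    traffic_type = "ingress"
  }
}
```

Two things to keep in mind when running this migration on an ACL that is already in use. First, the plan above is `-/+`, so between "Destroying..." and "Creation complete" the ACL list briefly has none of these items; schedule the apply accordingly. Second, because `rule_number` is now stored in state, a refresh after someone renumbers a rule in the ACS UI will surface as drift in the next plan, which is exactly what you want for an ordered allow-list.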