From ad53e1f2ca37ec6036c24933b076ddd6663e7163 Mon Sep 17 00:00:00 2001 From: anton-sidelnikov Date: Mon, 11 Nov 2024 12:36:46 +0100 Subject: [PATCH 1/4] [Fix] fix update when source_port not set --- ...source_opentelekomcloud_fw_rule_v2_test.go | 98 +++++++++++++++++++ .../resource_opentelekomcloud_fw_rule_v2.go | 8 +- 2 files changed, 103 insertions(+), 3 deletions(-) diff --git a/opentelekomcloud/acceptance/fw/resource_opentelekomcloud_fw_rule_v2_test.go b/opentelekomcloud/acceptance/fw/resource_opentelekomcloud_fw_rule_v2_test.go index dfba7d24a..734001184 100644 --- a/opentelekomcloud/acceptance/fw/resource_opentelekomcloud_fw_rule_v2_test.go +++ b/opentelekomcloud/acceptance/fw/resource_opentelekomcloud_fw_rule_v2_test.go @@ -170,6 +170,30 @@ func TestAccFWRuleV2_TCPUpdate(t *testing.T) { }) } +// Customer issue https://github.com/opentelekomcloud/terraform-provider-opentelekomcloud/issues/2711 +func TestAccFWRuleV2_emptySourcePort(t *testing.T) { + rname := "opentelekomcloud_fw_rule_v2.egress_test" + resource.Test(t, resource.TestCase{ + PreCheck: func() { common.TestAccPreCheck(t) }, + ProviderFactories: common.TestAccProviderFactories, + CheckDestroy: testAccCheckFWRuleV2Destroy, + Steps: []resource.TestStep{ + { + Config: testAccFWRuleV2emptySourcePort(), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(rname, "protocol", "udp"), + ), + }, + { + Config: testAccFWRuleV2emptySourcePort_update(), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(rname, "protocol", "udp"), + ), + }, + }, + }) +} + func testAccCheckFWRuleV2Destroy(s *terraform.State) error { config := common.TestAccProvider.Meta().(*cfg.Config) networkingClient, err := config.NetworkingV2Client(env.OS_REGION_NAME) 
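Review bot: Both steps of TestAccFWRuleV2_emptySourcePort assert only `protocol` = "udp", a value that is identical in the two configs, so the test passes whenever the apply does not error and never checks that the update reached the rule. The second step should at least assert the attribute that changes, e.g. `resource.TestCheckResourceAttr(rname, "source_ip_address", "192.168.1.0/24"),`. Because the regression is about an unset `source_port`, a check that the attribute is still empty after the update would pin the case from the linked issue. The state value for an unset port is not visible in this diff, so confirm it before asserting.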
@@ -350,3 +374,77 @@ resource "opentelekomcloud_fw_rule_v2" "rule_1" { enabled = "true" } ` + +func testAccFWRuleV2emptySourcePort() string { + return fmt.Sprintf(` +%s + +resource "opentelekomcloud_fw_rule_v2" "egress_test" { + + description = "egress test" + action = "allow" + protocol = "udp" + source_ip_address = "192.168.1.0/29" + destination_ip_address = "0.0.0.0/0" + destination_port = "1234" + + enabled = "true" +} + +resource "opentelekomcloud_fw_policy_v2" "egress" { + name = "egress" + + rules = [opentelekomcloud_fw_rule_v2.egress_test.id] +} + +data "opentelekomcloud_networking_port_v2" "this" { + network_id = data.opentelekomcloud_vpc_subnet_v1.shared_subnet.network_id + device_owner = "network:router_interface_distributed" +} + +resource "opentelekomcloud_fw_firewall_group_v2" "this" { + name = "test" + egress_policy_id = opentelekomcloud_fw_policy_v2.egress.id + ports = [ + data.opentelekomcloud_networking_port_v2.this.id + ] +} +`, common.DataSourceSubnet) +} + +func testAccFWRuleV2emptySourcePort_update() string { + return fmt.Sprintf(` +%s + +resource "opentelekomcloud_fw_rule_v2" "egress_test" { + + description = "egress test" + action = "allow" + protocol = "udp" + source_ip_address = "192.168.1.0/24" + destination_ip_address = "0.0.0.0/0" + destination_port = "1234" + + enabled = "true" +} + +resource "opentelekomcloud_fw_policy_v2" "egress" { + name = "egress" + + rules = [opentelekomcloud_fw_rule_v2.egress_test.id] +} + +data "opentelekomcloud_networking_port_v2" "this" { + network_id = data.opentelekomcloud_vpc_subnet_v1.shared_subnet.network_id + device_owner = "network:router_interface_distributed" +} + +resource "opentelekomcloud_fw_firewall_group_v2" "this" { + name = "test" + egress_policy_id = opentelekomcloud_fw_policy_v2.egress.id + ports = [ + data.opentelekomcloud_networking_port_v2.this.id + ] +} +`, common.DataSourceSubnet) +} 
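Review bot: The fixtures `testAccFWRuleV2emptySourcePort` and `testAccFWRuleV2emptySourcePort_update` are identical apart from `source_ip_address` (`192.168.1.0/29` vs `192.168.1.0/24`), so the one field the update step depends on is buried in about seventy duplicated lines. A single helper that takes the CIDR, `func testAccFWRuleV2emptySourcePort(sourceCIDR string) string`, with `source_ip_address = "%s"` in the template, would make the changed field obvious and keep the two steps from drifting apart.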
diff --git a/opentelekomcloud/services/fw/resource_opentelekomcloud_fw_rule_v2.go b/opentelekomcloud/services/fw/resource_opentelekomcloud_fw_rule_v2.go index a54431dba..ab3f80d76 100644 --- a/opentelekomcloud/services/fw/resource_opentelekomcloud_fw_rule_v2.go +++ b/opentelekomcloud/services/fw/resource_opentelekomcloud_fw_rule_v2.go @@ -205,7 +205,7 @@ func resourceFWRuleV2Update(ctx context.Context, d *schema.ResourceData, meta in sourcePort := d.Get("source_port").(string) updateOpts.SourcePort = &sourcePort if *updateOpts.SourcePort == "" { - updateOpts.SourcePort = nil + updateOpts.SourcePort = pointerto.String("0") } } if d.HasChange("protocol") { @@ -237,9 +237,11 @@ func resourceFWRuleV2Update(ctx context.Context, d *schema.ResourceData, meta in updateOpts.Enabled = &enabled } - if d.Get("protocol").(string) != "icmp" && (updateOpts.DestinationPort == nil && updateOpts.SourcePort == nil) { + if d.Get("protocol").(string) != "icmp" && (updateOpts.DestinationPort == nil) { // && updateOpts.SourcePort == nil) { updateOpts.DestinationPort = pointerto.String(d.Get("destination_port").(string)) - updateOpts.SourcePort = pointerto.String(d.Get("source_port").(string)) + if d.Get("source_port").(string) != "" { + updateOpts.SourcePort = pointerto.String(d.Get("source_port").(string)) + } } log.Printf("[DEBUG] Updating firewall rules: %#v", updateOpts) From 5b4671f4c2dc1cf62049815235c06fe23ce06236 Mon Sep 17 00:00:00 2001 From: anton-sidelnikov Date: Mon, 11 Nov 2024 12:43:30 +0100 Subject: [PATCH 2/4] [Style] rn --- .../fix-fw-rule-source-port-update-5019f21141505c3c.yaml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 releasenotes/notes/fix-fw-rule-source-port-update-5019f21141505c3c.yaml diff --git a/releasenotes/notes/fix-fw-rule-source-port-update-5019f21141505c3c.yaml b/releasenotes/notes/fix-fw-rule-source-port-update-5019f21141505c3c.yaml new file mode 100644 index 000000000..3ed53db06 --- /dev/null 
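Review bot: In the `@@ -237,7 +237,9 @@` hunk of resourceFWRuleV2Update the new guard keeps an empty `source_port` out of the request, but the line above it still sends `destination_port` unconditionally, so a non-ICMP rule without a destination port yields `pointerto.String("")`. If the API rejects or misreads an empty port string the way it did for the source port (inferred from the linked issue, not visible here), the same update failure remains for that field. The same guard would cover it: `if v := d.Get("destination_port").(string); v != "" { updateOpts.DestinationPort = pointerto.String(v) }`. These unchanged lines reappear in the `[PATCH 3/4]` hunk, and the function starts and ends outside both hunks.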
+++ b/releasenotes/notes/fix-fw-rule-source-port-update-5019f21141505c3c.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - | + **[IAM]** Fix updating rule when source_port is empty in ``resource/opentelekomcloud_fw_rule_v2`` (`#2715 `_) From c8e5900e7886ace6af754941a045b240fc5cc079 Mon Sep 17 00:00:00 2001 From: anton-sidelnikov Date: Mon, 11 Nov 2024 12:51:10 +0100 Subject: [PATCH 3/4] [Fix] rollback check --- .../services/fw/resource_opentelekomcloud_fw_rule_v2.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/opentelekomcloud/services/fw/resource_opentelekomcloud_fw_rule_v2.go b/opentelekomcloud/services/fw/resource_opentelekomcloud_fw_rule_v2.go index ab3f80d76..5772b3f4b 100644 --- a/opentelekomcloud/services/fw/resource_opentelekomcloud_fw_rule_v2.go +++ b/opentelekomcloud/services/fw/resource_opentelekomcloud_fw_rule_v2.go @@ -237,7 +237,7 @@ func resourceFWRuleV2Update(ctx context.Context, d *schema.ResourceData, meta in updateOpts.Enabled = &enabled } - if d.Get("protocol").(string) != "icmp" && (updateOpts.DestinationPort == nil) { // && updateOpts.SourcePort == nil) { + if d.Get("protocol").(string) != "icmp" && (updateOpts.DestinationPort == nil && updateOpts.SourcePort == nil) { updateOpts.DestinationPort = pointerto.String(d.Get("destination_port").(string)) if d.Get("source_port").(string) != "" { updateOpts.SourcePort = pointerto.String(d.Get("source_port").(string)) From b7d7b69c99146ebda7612255bca2bab3e081177e Mon Sep 17 00:00:00 2001 From: anton-sidelnikov Date: Mon, 11 Nov 2024 13:11:35 +0100 Subject: [PATCH 4/4] [Fix] rollback source_port setting --- .../services/fw/resource_opentelekomcloud_fw_rule_v2.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/opentelekomcloud/services/fw/resource_opentelekomcloud_fw_rule_v2.go b/opentelekomcloud/services/fw/resource_opentelekomcloud_fw_rule_v2.go index 5772b3f4b..b43530137 100644 --- a/opentelekomcloud/services/fw/resource_opentelekomcloud_fw_rule_v2.go 
+++ b/opentelekomcloud/services/fw/resource_opentelekomcloud_fw_rule_v2.go @@ -205,7 +205,7 @@ func resourceFWRuleV2Update(ctx context.Context, d *schema.ResourceData, meta in sourcePort := d.Get("source_port").(string) updateOpts.SourcePort = &sourcePort if *updateOpts.SourcePort == "" { - updateOpts.SourcePort = pointerto.String("0") + updateOpts.SourcePort = nil } } if d.HasChange("protocol") {
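Review bot: With `updateOpts.SourcePort = nil` restored, removing a previously configured `source_port` from a rule cannot be expressed in the update: this branch drops the field, and the later fallback block only sets it when the value is non-empty. If `UpdateOpts` omits nil fields when serialized (defined outside this diff, so unconfirmed), the firewall keeps filtering on the old source port while Terraform state shows none, and the enforced rule silently differs from the declared one. The added acceptance test covers only a rule that never had a source port; a step that sets `source_port` and then removes it would show whether the API needs an explicit clearing value. At minimum the branch deserves a comment such as `// nil omits source_port from the request; a previously set port is not cleared`. The enclosing condition starts above the hunk.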