feat(security-group): handle edge cases

Author: keerthi-gp

common/github.com/IBM/vpc-go-sdk/vpcv1/vpc_v1.go

@@ -30021,7 +30021,9 @@ func (vpc *VpcV1) GetVPCDefaultNetworkACLWithContext(ctx context.Context, getVPC
 	}
 	builder.AddHeader("Accept", "application/json")
 
-	builder.AddQuery("version", fmt.Sprint(*vpc.Version))
+	builder.AddQuery("version", getTomorrowDate())
+	builder.AddQuery("maturity", "development")
+	builder.AddQuery("future_version", "true")
 	builder.AddQuery("generation", fmt.Sprint(*vpc.Generation))
 
 	request, err := builder.Build()

ibm/service/vpc/resource_ibm_is_networkacls.go

@@ -450,7 +450,7 @@ func ResourceIBMISNetworkACLValidator() *validate.ResourceValidator {
 			MaxValueLength:             128})
 	validateSchema = append(validateSchema,
 		validate.ValidateSchema{
-			Identifier:                 isSecurityGroupRuleProtocol,
+			Identifier:                 isNetworkACLRuleProtocol,
 			ValidateFunctionIdentifier: validate.ValidateAllowedStringValue,
 			Type:                       validate.TypeString,
 			AllowedValues:              protocol})
@@ -504,7 +504,7 @@ func nwaclCreate(context context.Context, d *schema.ResourceData, meta interface
 	if rls, ok := d.GetOk(isNetworkACLRules); ok {
 		rules = rls.([]interface{})
 	}
-	err = validateInlineRules(rules)
+	err = validateInlineRules(d, rules)
 	if err != nil {
 		return flex.DiscriminatedTerraformErrorf(err, err.Error(), "ibm_is_network_acl", "create", "validate-inline-rules").GetDiag()
 	}
@@ -531,7 +531,7 @@ func nwaclCreate(context context.Context, d *schema.ResourceData, meta interface
 		return tfErr.GetDiag()
 	}
 
-	err = createInlineRules(sess, nwaclid, rules)
+	err = createInlineRules(d, sess, nwaclid, rules)
 	if err != nil {
 		tfErr := flex.TerraformErrorf(err, fmt.Sprintf("createInlineRules failed: %s", err.Error()), "ibm_is_network_acl", "create")
 		log.Printf("[DEBUG]\n%s", tfErr.GetDebugMessage())
@@ -865,7 +865,7 @@ func nwaclUpdate(context context.Context, d *schema.ResourceData, meta interface
 		}
 	}
 	if d.HasChange(isNetworkACLRules) {
-		err := validateInlineRules(rules)
+		err := validateInlineRules(d, rules)
 		if err != nil {
 			tfErr := flex.TerraformErrorf(err, fmt.Sprintf("validateInlineRules failed: %s", err.Error()), "ibm_is_network_acl", "update")
 			log.Printf("[DEBUG]\n%s", tfErr.GetDebugMessage())
@@ -879,7 +879,7 @@ func nwaclUpdate(context context.Context, d *schema.ResourceData, meta interface
 			return tfErr.GetDiag()
 		}
 		//Create the rules as per the def
-		err = createInlineRules(sess, id, rules)
+		err = createInlineRules(d, sess, id, rules)
 		if err != nil {
 			tfErr := flex.TerraformErrorf(err, fmt.Sprintf("createInlineRules failed: %s", err.Error()), "ibm_is_network_acl", "update")
 			log.Printf("[DEBUG]\n%s", tfErr.GetDebugMessage())
@@ -1022,8 +1022,8 @@ func clearRules(nwaclC *vpcv1.VpcV1, nwaclid string) error {
 	return nil
 }
 
-func validateInlineRules(rules []interface{}) error {
-	for _, rule := range rules {
+func validateInlineRules(d *schema.ResourceData, rules []interface{}) error {
+	for i, rule := range rules {
 		rulex := rule.(map[string]interface{})
 		action := rulex[isNetworkACLRuleAction].(string)
 		if (action != "allow") && (action != "deny") {
@@ -1042,41 +1042,42 @@ func validateInlineRules(rules []interface{}) error {
 		}
 
 		protocol := rulex[isNetworkACLRuleProtocol]
-		icmpType := rulex[isNetworkACLRuleICMPType]
-		icmpCode := rulex[isNetworkACLRuleICMPCode]
-		portMin := rulex[isNetworkACLRulePortMin]
-		portMax := rulex[isNetworkACLRulePortMax]
-		srcPortMin := rulex[isNetworkACLRuleSourcePortMin]
-		srcPortMax := rulex[isNetworkACLRuleSourcePortMax]
-
+		icmpType := fmt.Sprintf("rules.%d.type", i)
+		icmpCode := fmt.Sprintf("rules.%d.code", i)
+		portMin := fmt.Sprintf("rules.%d.port_min", i)
+		portMax := fmt.Sprintf("rules.%d.port_max", i)
+		srcPortMin := fmt.Sprintf("rules.%d.source_port_min", i)
+		srcPortMax := fmt.Sprintf("rules.%d.source_port_max", i)
+		var okIcmpType, okIcmpCode bool
 		if protocol != "icmp" && protocol != "" {
-			if icmpType != nil && icmpType != 0 {
+			if _, ok := d.GetOk(icmpType); ok {
 				return fmt.Errorf("attribute 'type' conflicts with protocol %q; 'type' is only valid for icmp protocol", protocol)
 			}
-			if icmpCode != nil && icmpCode != 0 {
+			if _, ok := d.GetOk(icmpCode); ok {
 				return fmt.Errorf("attribute 'code' conflicts with protocol %q; 'code' is only valid for icmp protocol", protocol)
 			}
 		}
 
 		if protocol == "icmp" {
-			if (icmpType != nil && icmpCode == nil) || (icmpType == nil && icmpCode != nil) {
+			_, okIcmpType = d.GetOk(icmpType)
+			_, okIcmpCode = d.GetOk(icmpCode)
+			if (okIcmpType && !okIcmpCode) || (!okIcmpType && okIcmpCode) {
 				return fmt.Errorf("'code' and 'type' must both be specified together for icmp protocol")
 			}
 		}
 
 		if protocol != "tcp" && protocol != "udp" && protocol != "" {
-			fmt.Println("Inside Print the protocol value ", protocol)
-			if portMin != nil && portMin != 0 {
+			if _, ok := d.GetOk(portMin); ok {
 				return fmt.Errorf("attribute 'port_min' conflicts with protocol %s; ports apply only to tcp/udp protocol", protocol)
 			}
-			if portMax != nil && portMax != 0 {
+			if _, ok := d.GetOk(portMax); ok {
 				return fmt.Errorf("attribute 'port_max' conflicts with protocol %s; ports apply only to tcp/udp protocol", protocol)
 			}
 
-			if srcPortMin != nil && srcPortMin != 0 {
+			if _, ok := d.GetOk(srcPortMin); ok {
 				return fmt.Errorf("attribute 'source_port_min' conflicts with protocol %s; ports apply only to tcp/udp protocol", protocol)
 			}
-			if srcPortMax != nil && srcPortMax != 0 {
+			if _, ok := d.GetOk(srcPortMax); ok {
 				return fmt.Errorf("attribute 'source_port_max' conflicts with protocol %s; ports apply only to tcp/udp protocol", protocol)
 			}
 		}
@@ -1085,7 +1086,7 @@ func validateInlineRules(rules []interface{}) error {
 	return nil
 }
 
-func createInlineRules(nwaclC *vpcv1.VpcV1, nwaclid string, rules []interface{}) error {
+func createInlineRules(d *schema.ResourceData, nwaclC *vpcv1.VpcV1, nwaclid string, rules []interface{}) error {
 	before := ""
 
 	for i := 0; i <= len(rules)-1; i++ {
@@ -1143,12 +1144,14 @@ func createInlineRules(nwaclC *vpcv1.VpcV1, nwaclid string, rules []interface{})
 				}
 			}
 		} else if protocol == "icmp" {
+			icmpType := fmt.Sprintf("rules.%d.type", i)
+			icmpCode := fmt.Sprintf("rules.%d.code", i)
 			ruleTemplate.Protocol = &protocol
-			if val, ok := rulex["type"]; ok {
+			if val, ok := d.GetOk(icmpType); ok {
 				icmptype = int64(val.(int))
 				ruleTemplate.Type = &icmptype
 			}
-			if val, ok := rulex["code"]; ok {
+			if val, ok := d.GetOk(icmpCode); ok {
 				icmpcode = int64(val.(int))
 				ruleTemplate.Code = &icmpcode
 			}

ibm/service/vpc/resource_ibm_is_networkacls_test.go

@@ -99,7 +99,7 @@ func TestNetworkACLGen2(t *testing.T) {
 					resource.TestCheckResourceAttr(
 						"ibm_is_network_acl.isExampleACL", "name", "is-example-acl"),
 					resource.TestCheckResourceAttr(
-						"ibm_is_network_acl.isExampleACL", "rules.#", "5"),
+						"ibm_is_network_acl.isExampleACL", "rules.#", "6"),
 					resource.TestCheckResourceAttr(
 						"ibm_is_network_acl.isExampleACL", "tags.#", "2"),
 				),
@@ -231,7 +231,17 @@ func testAccCheckIBMISNetworkACLConfig1() string {
 		  # port_min =
 		}
 		rules {
-		  name        = "inbound"
+		  name        = "icmnew"
+		  action      = "allow"
+		  source      = "0.0.0.0/0"
+		  destination = "0.0.0.0/0"
+		  direction   = "inbound"
+		  protocol    = "icmp"
+		  code 		  = 8
+		  type 		  = 1
+		}
+		rules {
+		  name        = "anyprotocol"
 		  action      = "allow"
 		  source      = "0.0.0.0/0"
 		  destination = "0.0.0.0/0"
@@ -240,16 +250,15 @@ func testAccCheckIBMISNetworkACLConfig1() string {
 		} 
 		
 		rules {
-		  name        = "inbound"
+		  name        = "icmptcpudp"
 		  action      = "allow"
 		  source      = "0.0.0.0/0"
 		  destination = "0.0.0.0/0"
 		  direction   = "inbound"
 		  protocol    = "icmp_tcp_udp"
 		}
-		
 		rules {
-		  name        = "inbound"
+		  name        = "individual"
 		  action      = "allow"
 		  source      = "0.0.0.0/0"
 		  destination = "0.0.0.0/0"

ibm/service/vpc/resource_ibm_is_security_group_rule_test.go

@@ -217,6 +217,7 @@ func testAccCheckIBMISsecurityGroupRuleConfig(vpcname, name string) string {
 		local 	   = "192.168.3.4"
 		tcp {
 		}
+	  }
 
 	  resource "ibm_is_security_group_rule" "testacc_security_group_rule_any" {
 		depends_on = [ibm_is_security_group_rule.testacc_security_group_rule_tcp]
@@ -238,7 +239,34 @@ func testAccCheckIBMISsecurityGroupRuleConfig(vpcname, name string) string {
 		direction  = "inbound"
 		remote     = "127.0.0.1"
 		protocol   = "number_99"
+	  }
+	  resource "ibm_is_security_group_rule" "testacc_security_group_rule_icmp_new" {
+		depends_on = [ibm_is_security_group_rule.testacc_security_group_rule_tcp]
+		group      = ibm_is_security_group.testacc_security_group.id
+		direction  = "inbound"
+		remote     = "127.0.0.1"
+		protocol   = "icmp"
+		code = 20
+		type = 30
+	  }	
+	  resource "ibm_is_security_group_rule" "testacc_security_group_rule_tcp_new" {
+		depends_on = [ibm_is_security_group_rule.testacc_security_group_rule_tcp]
+		group      = ibm_is_security_group.testacc_security_group.id
+		direction  = "inbound"
+		remote     = "127.0.0.1"
+		protocol   = "tcp"
+		port_min = 8080
+		port_max = 8080
 	  }		
+	  resource "ibm_is_security_group_rule" "testacc_security_group_rule_udp_new" {
+		depends_on = [ibm_is_security_group_rule.testacc_security_group_rule_tcp]
+		group      = ibm_is_security_group.testacc_security_group.id
+		direction  = "inbound"
+		remote     = "127.0.0.1"
+		protocol   = "udp"
+		port_min = 8080
+		port_max = 8080
+	  }
 	}
  `, vpcname, name)
 

ibm/service/vpc/resource_ibm_is_subnet_network_acl_attachment.go

@@ -115,6 +115,11 @@ func ResourceIBMISSubnetNetworkACLAttachment() *schema.Resource {
 							Computed:    true,
 							Description: "Direction of traffic to enforce, either inbound or outbound",
 						},
+						isNetworkACLRuleProtocol: {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "The name of the network protocol",
+						},
 						isNetworkACLRuleICMP: {
 							Type:     schema.TypeList,
 							Computed: true,

ibm/service/vpc/resource_ibm_is_vpc.go

@@ -911,7 +911,7 @@ func deleteDefaultNetworkACLRules(sess *vpcv1.VpcV1, vpcID string) error {
 
 	if result.Rules != nil {
 		for _, sourceRule := range result.Rules {
-			sourceRuleVal := sourceRule.(*vpcv1.NetworkACLRuleItemNetworkACLRuleProtocolAny)
+			sourceRuleVal := sourceRule.(*vpcv1.NetworkACLRuleItemNetworkACLRuleProtocolIcmptcpudp)
 			if sourceRuleVal.ID != nil {
 				getNetworkAclRuleOptions := &vpcv1.GetNetworkACLRuleOptions{
 					NetworkACLID: result.ID,
@@ -947,7 +947,7 @@ func deleteDefaultSecurityGroupRules(sess *vpcv1.VpcV1, vpcID string) error {
 
 	if result.Rules != nil {
 		for _, sourceRule := range result.Rules {
-			sourceRuleVal := sourceRule.(*vpcv1.SecurityGroupRuleProtocolAny)
+			sourceRuleVal := sourceRule.(*vpcv1.SecurityGroupRuleProtocolIcmptcpudp)
 			if sourceRuleVal.ID != nil {
 				getSecurityGroupRuleOptions := &vpcv1.GetSecurityGroupRuleOptions{
 					SecurityGroupID: result.ID,