scaleway
diff --git a/‎docs/resources/k8s_acl.md‎
Lines changed: 36 additions & 6 deletions b/‎docs/resources/k8s_acl.md‎
Lines changed: 36 additions & 6 deletions
diff --git a/‎internal/services/k8s/acl.go‎
Lines changed: 18 additions & 18 deletions b/‎internal/services/k8s/acl.go‎
Lines changed: 18 additions & 18 deletions
diff --git a/‎internal/services/k8s/acl_test.go‎
Lines changed: 8 additions & 82 deletions b/‎internal/services/k8s/acl_test.go‎
Lines changed: 8 additions & 82 deletions
@@ -5,9 +5,12 @@ page_title: "Scaleway: scaleway_k8s_acl"
 
 # Resource: scaleway_k8s_acl
 
-Creates and manages Scaleway Kubernetes cluster authorized IPs.
+Creates and manages Scaleway Kubernetes Cluster authorized IPs.
 For more information, please refer to the [API documentation](https://www.scaleway.com/en/developers/api/kubernetes/#path-access-control-list-add-new-acls)
 
+~> **Important:** When creating a Cluster, it comes with a default ACL rule allowing all ranges `0.0.0.0/0`.
+Defining custom ACLs with Terraform will overwrite this rule, but it will be recreated automatically when deleting the ACL resource.
+
 ## Example Usage
 
 ### Basic
@@ -36,17 +39,42 @@ resource "scaleway_k8s_acl" "acl_basic" {
 }
 ```
 
+### Full-isolation
+
+```terraform
+resource "scaleway_vpc_private_network" "acl_basic" {}
+
+resource "scaleway_k8s_cluster" "acl_basic" {
+	name = "acl-basic"
+	version = "1.32.2"
+	cni = "cilium"
+	delete_additional_resources = true
+	private_network_id = scaleway_vpc_private_network.acl_basic.id
+}
+
+resource "scaleway_k8s_acl" "acl_basic" {
+	cluster_id = scaleway_k8s_cluster.acl_basic.id
+	no_ip_allowed = true
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
 
-- `cluster_id` - (Required) UUID of the Cluster.
+- `cluster_id` - (Required) UUID of the Cluster. The ID of the cluster is also the ID of the ACL resource as there can only be one per cluster.
 
 ~> **Important:** Updates to `cluster_id` will recreate the ACL.
 
-- `acl_rules` - A list of ACLs (structure is described below)
+- `no_ip_allowed` - (Optional) If set to true, no IP will be allowed and the cluster will be in full-isolation.
+
+~> **Important:** This field cannot be set to true if the `acl_rules` is defined.
+
+- `acl_rules` - (Optional) A list of ACLs (structure is described below)
 
-- `region` - (Defaults to [provider](../index.md#region) `region`) The [region](../guides/regions_and_zones.md#regions) in which the ACL rule should be created.
+~> **Important:** This block cannot be defined if the `no_ip_allowed` field is set to true.
+
+- `region` - (Defaults to [provider](../index.md#arguments-reference) `region`) The [region](../guides/regions_and_zones.md#regions) in which the ACL rule should be created.
 
 The `acl_rules` block supports:
 
@@ -65,9 +93,11 @@ Only one rule with this field set to true can be added.
 
 In addition to all arguments above, the following attributes are exported:
 
-- `acl_rules.0.id` - The ID of each ACL rule.
+- `id` - The ID of the ACL resource. It is the same as the ID of the cluster.
+
+~> **Important:** Kubernetes ACLs' IDs are [regional](../guides/regions_and_zones.md#resource-ids), which means they are of the form `{region}/{id}`, e.g. `fr-par/11111111-1111-1111-1111-111111111111`
 
-~> **Important:** Kubernetes ACL rules' IDs are [regional](../guides/regions_and_zones.md#resource-ids), which means they are of the form `{region}/{id}`, e.g. `fr-par/11111111-1111-1111-1111-111111111111`
+- `acl_rules.#.id` - The ID of each individual ACL rule.
 
 ## Import
 
 
@@ -43,16 +43,18 @@ func ResourceACL() *schema.Resource {
 				DiffSuppressFunc: dsf.Locality,
 				Description:      "Cluster on which the ACL should be applied",
 			},
-			"no_ip_allowed_on_delete": {
-				Type:        schema.TypeBool,
-				Optional:    true,
-				Default:     false,
-				Description: "Determines whether deleting the resource should allow all IPs again or no IP at all",
+			"no_ip_allowed": {
+				Type:         schema.TypeBool,
+				Optional:     true,
+				Default:      false,
+				Description:  "If true, no IP will be allowed",
+				ExactlyOneOf: []string{"acl_rules"},
 			},
 			"acl_rules": {
-				Type:        schema.TypeList,
-				Required:    true,
-				Description: "The list of network rules that manage inbound traffic",
+				Type:         schema.TypeList,
+				Optional:     true,
+				Description:  "The list of network rules that manage inbound traffic",
+				ExactlyOneOf: []string{"no_ip_allowed"},
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"ip": {
@@ -167,7 +169,7 @@ func ResourceACLUpdate(ctx context.Context, d *schema.ResourceData, m interface{
 		return diag.FromErr(err)
 	}
 
-	if d.HasChange("acl_rules") {
+	if d.HasChange("acl_rules") || d.HasChange("no_ip_allowed") {
 		acls, err := expandACL(d.Get("acl_rules").([]interface{}))
 		if err != nil {
 			return diag.FromErr(err)
@@ -201,16 +203,14 @@ func ResourceACLDelete(ctx context.Context, d *schema.ResourceData, m interface{
 
 	rulesToSet := []*k8s.ACLRuleRequest(nil)
 
-	if d.Get("no_ip_allowed_on_delete").(bool) == false {
-		allowedIPs, err := types.ExpandIPNet("0.0.0.0/0")
-		if err != nil {
-			return diag.FromErr(err)
-		}
-		rulesToSet = append(rulesToSet, &k8s.ACLRuleRequest{
-			IP:          &allowedIPs,
-			Description: "Automatically generated after scaleway_k8s_acl resource deletion",
-		})
+	allowedIPs, err := types.ExpandIPNet("0.0.0.0/0")
+	if err != nil {
+		return diag.FromErr(err)
 	}
+	rulesToSet = append(rulesToSet, &k8s.ACLRuleRequest{
+		IP:          &allowedIPs,
+		Description: "Automatically generated after scaleway_k8s_acl resource deletion",
+	})
 
 	req := &k8s.SetClusterACLRulesRequest{
 		Region:    region,
 
@@ -44,7 +44,7 @@ func TestAccACL_Basic(t *testing.T) {
 					}`, clusterName, latestK8sVersion),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrPair("scaleway_k8s_acl.acl_basic", "cluster_id", "scaleway_k8s_cluster.acl_basic", "id"),
-					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "no_ip_allowed_on_delete", "false"),
+					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "no_ip_allowed", "false"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.#", "1"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.ip", "1.2.3.4/32"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.scaleway_ranges", "false"),
@@ -66,7 +66,6 @@ func TestAccACL_Basic(t *testing.T) {
 			
 					resource "scaleway_k8s_acl" "acl_basic" {
 						cluster_id = scaleway_k8s_cluster.acl_basic.id
-						no_ip_allowed_on_delete = true
 						acl_rules {
 							ip = "1.2.3.4/32"
 						}
@@ -77,7 +76,6 @@ func TestAccACL_Basic(t *testing.T) {
 					}`, clusterName, latestK8sVersion),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrPair("scaleway_k8s_acl.acl_basic", "cluster_id", "scaleway_k8s_cluster.acl_basic", "id"),
-					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "no_ip_allowed_on_delete", "true"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.#", "2"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.ip", "1.2.3.4/32"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.scaleway_ranges", "false"),
@@ -114,7 +112,6 @@ func TestAccACL_Basic(t *testing.T) {
 					}`, clusterName, latestK8sVersion),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrPair("scaleway_k8s_acl.acl_basic", "cluster_id", "scaleway_k8s_cluster.acl_basic", "id"),
-					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "no_ip_allowed_on_delete", "false"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.#", "2"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.ip", "1.2.3.4/32"),
 					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.scaleway_ranges", "false"),
@@ -126,37 +123,6 @@ func TestAccACL_Basic(t *testing.T) {
 					resource.TestCheckResourceAttrSet("scaleway_k8s_acl.acl_basic", "acl_rules.1.id"),
 				),
 			},
-			{
-				Config: fmt.Sprintf(`
-					resource "scaleway_vpc_private_network" "acl_basic" {}
-
-					resource "scaleway_k8s_cluster" "acl_basic" {
-						name = "%s"
-						version = "%s"
-						cni = "cilium"
-						delete_additional_resources = true
-						private_network_id = scaleway_vpc_private_network.acl_basic.id 
-					}`, clusterName, latestK8sVersion),
-				Check: resource.ComposeTestCheckFunc(
-					testAccCheckK8SClusterAllowedIPs(tt, "scaleway_k8s_cluster.acl_basic", "0.0.0.0/0"),
-				),
-			},
-		},
-	})
-}
-
-func TestAccACL_AllowedIPsOnDelete(t *testing.T) {
-	tt := acctest.NewTestTools(t)
-	defer tt.Cleanup()
-
-	clusterName := "k8s-acl-allowed-ips-on-delete"
-	latestK8sVersion := testAccK8SClusterGetLatestK8SVersion(tt)
-
-	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:          func() { acctest.PreCheck(t) },
-		ProviderFactories: tt.ProviderFactories,
-		CheckDestroy:      testAccCheckK8SClusterDestroy(tt),
-		Steps: []resource.TestStep{
 			{
 				Config: fmt.Sprintf(`
 					resource "scaleway_vpc_private_network" "acl_basic" {}
@@ -171,70 +137,30 @@ func TestAccACL_AllowedIPsOnDelete(t *testing.T) {
 			
 					resource "scaleway_k8s_acl" "acl_basic" {
 						cluster_id = scaleway_k8s_cluster.acl_basic.id
-						no_ip_allowed_on_delete = true
-						acl_rules {
-							ip = "1.2.3.4/32"
-						}
+						no_ip_allowed = true
 					}`, clusterName, latestK8sVersion),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrPair("scaleway_k8s_acl.acl_basic", "cluster_id", "scaleway_k8s_cluster.acl_basic", "id"),
-					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "no_ip_allowed_on_delete", "true"),
-					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.#", "1"),
-					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.ip", "1.2.3.4/32"),
+					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "no_ip_allowed", "true"),
+					resource.TestCheckNoResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.#"),
+					testAccCheckK8SClusterAllowedIPs(tt, "scaleway_k8s_cluster.acl_basic", ""),
 				),
 			},
 			{
 				Config: fmt.Sprintf(`
 					resource "scaleway_vpc_private_network" "acl_basic" {}
-			
-					resource "scaleway_k8s_cluster" "acl_basic" {
-						name = "%s"
-						version = "%s"
-						cni = "cilium"
-						delete_additional_resources = true
-						private_network_id = scaleway_vpc_private_network.acl_basic.id
-					}`, clusterName, latestK8sVersion),
-				Check: testAccCheckK8SClusterAllowedIPs(tt, "scaleway_k8s_cluster.acl_basic", ""),
-			},
-			{
-				Config: fmt.Sprintf(`
-					resource "scaleway_vpc_private_network" "acl_basic" {}
-			
+
 					resource "scaleway_k8s_cluster" "acl_basic" {
 						name = "%s"
 						version = "%s"
 						cni = "cilium"
 						delete_additional_resources = true
-						private_network_id = scaleway_vpc_private_network.acl_basic.id
-					}
-			
-					resource "scaleway_k8s_acl" "acl_basic" {
-						cluster_id = scaleway_k8s_cluster.acl_basic.id
-						no_ip_allowed_on_delete = false
-						acl_rules {
-							ip = "1.2.3.4/32"
-						}
+						private_network_id = scaleway_vpc_private_network.acl_basic.id 
 					}`, clusterName, latestK8sVersion),
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttrPair("scaleway_k8s_acl.acl_basic", "cluster_id", "scaleway_k8s_cluster.acl_basic", "id"),
-					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "no_ip_allowed_on_delete", "false"),
-					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.#", "1"),
-					resource.TestCheckResourceAttr("scaleway_k8s_acl.acl_basic", "acl_rules.0.ip", "1.2.3.4/32"),
+					testAccCheckK8SClusterAllowedIPs(tt, "scaleway_k8s_cluster.acl_basic", "0.0.0.0/0"),
 				),
 			},
-			{
-				Config: fmt.Sprintf(`
-					resource "scaleway_vpc_private_network" "acl_basic" {}
-			
-					resource "scaleway_k8s_cluster" "acl_basic" {
-						name = "%s"
-						version = "%s"
-						cni = "cilium"
-						delete_additional_resources = true
-						private_network_id = scaleway_vpc_private_network.acl_basic.id
-					}`, clusterName, latestK8sVersion),
-				Check: testAccCheckK8SClusterAllowedIPs(tt, "scaleway_k8s_cluster.acl_basic", "0.0.0.0/0"),
-			},
 		},
 	})
 }