2 changes: 1 addition & 1 deletion docs/resources/vpc_acl.md
Expand Up @@ -39,7 +39,7 @@ resource "scaleway_vpc_acl" "acl01" {
The following arguments are supported:

- `vpc_id` - (Required) The VPC ID the ACL belongs to.
- `default_policy` - (Required) The action to take for packets which do not match any rules.
- `default_policy` - (Optional. Defaults to `accept`) The action to take for packets which do not match any rules.
- `is_ipv6` - (Optional) Defines whether this set of ACL rules is for IPv6 (false = IPv4). Each Network ACL can have rules for only one IP type.
- `rules` - (Optional) The list of Network ACL rules.
- `protocol` - (Optional) The protocol to which this rule applies. Default value: ANY.
7 changes: 4 additions & 3 deletions internal/services/vpc/acl.go
Expand Up @@ -31,7 +31,8 @@ func ResourceACL() *schema.Resource {
},
"default_policy": {
Type: schema.TypeString,
Required: true,
Optional: true,
Default: vpc.ActionAccept,
Description: "The action to take for packets which do not match any rules",
ValidateDiagFunc: verify.ValidateEnum[vpc.Action](),
},
Expand All @@ -43,7 +44,7 @@ func ResourceACL() *schema.Resource {
},
"rules": {
Type: schema.TypeList,
Required: true,
Optional: true,
Description: "The list of Network ACL rules",
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
Expand Down Expand Up @@ -201,7 +202,7 @@ func ResourceVPCACLDelete(ctx context.Context, d *schema.ResourceData, m any) di
_, err = vpcAPI.SetACL(&vpc.SetACLRequest{
VpcID: locality.ExpandID(ID),
Region: region,
DefaultPolicy: "drop",
DefaultPolicy: vpc.ActionAccept,
}, scw.WithContext(ctx))
if err != nil {
return diag.FromErr(err)
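Review bot: `default_policy` now fails open: with `Default: vpc.ActionAccept` and `rules` made Optional, a `scaleway_vpc_acl` block that sets only `vpc_id` declares an accept-everything ACL, and the schema `Description` does not say so. I would state the default where users see it, e.g. `Description: "The action to take for packets which do not match any rules (defaults to accept; set to drop for default-deny)",`. In the `ResourceVPCACLDelete` hunk the reset value changes from `"drop"` to `vpc.ActionAccept`, so destroying the resource now leaves the VPC unfiltered rather than blocked; a comment such as `// Reset to accept (the state the acceptance test expects for a VPC without an ACL); after destroy nothing is filtered.` would make that intent explicit. The delete request shown also carries no IPv6 flag, so it presumably resets only the IPv4 ACL even when the resource was created with `is_ipv6 = true`; this should be confirmed against the rest of the function, which lies outside the hunk.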
88 changes: 88 additions & 0 deletions internal/services/vpc/acl_test.go
Expand Up @@ -13,6 +13,55 @@ import (
)

func TestAccACL_Basic(t *testing.T) {
tt := acctest.NewTestTools(t)
defer tt.Cleanup()
resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { acctest.PreCheck(t) },
ProviderFactories: tt.ProviderFactories,
CheckDestroy: isACLDestroyed(tt),
Steps: []resource.TestStep{
{
Config: `
resource "scaleway_vpc" "vpc01" {
name = "tf-vpc-acl-basic"
}

resource "scaleway_vpc_acl" "acl01" {
vpc_id = scaleway_vpc.vpc01.id
is_ipv6 = false
}
`,
Check: resource.ComposeTestCheckFunc(
isACLPresent(tt, "scaleway_vpc_acl.acl01"),
resource.TestCheckResourceAttrPair("scaleway_vpc_acl.acl01", "vpc_id", "scaleway_vpc.vpc01", "id"),
resource.TestCheckResourceAttr("scaleway_vpc_acl.acl01", "is_ipv6", "false"),
resource.TestCheckResourceAttr("scaleway_vpc_acl.acl01", "default_policy", "accept"),
),
},
{
Config: `
resource "scaleway_vpc" "vpc01" {
name = "tf-vpc-acl-basic"
}

resource "scaleway_vpc_acl" "acl01" {
vpc_id = scaleway_vpc.vpc01.id
is_ipv6 = false
default_policy = "drop"
}
`,
Check: resource.ComposeTestCheckFunc(
isACLPresent(tt, "scaleway_vpc_acl.acl01"),
resource.TestCheckResourceAttrPair("scaleway_vpc_acl.acl01", "vpc_id", "scaleway_vpc.vpc01", "id"),
resource.TestCheckResourceAttr("scaleway_vpc_acl.acl01", "is_ipv6", "false"),
resource.TestCheckResourceAttr("scaleway_vpc_acl.acl01", "default_policy", "drop"),
),
},
},
})
}

func TestAccACL_WithRules(t *testing.T) {
tt := acctest.NewTestTools(t)
defer tt.Cleanup()
resource.ParallelTest(t, resource.TestCase{
Expand Down Expand Up @@ -121,6 +170,16 @@ func TestAccACL_Basic(t *testing.T) {
resource.TestCheckResourceAttr("scaleway_vpc_acl.acl01", "rules.1.action", "accept"),
),
},
{
Config: `
resource "scaleway_vpc" "vpc01" {
name = "tf-vpc-acl"
}
`,
Check: resource.ComposeTestCheckFunc(
testAccCheckACLDefaultPolicy(tt, "scaleway_vpc.vpc01"),
),
},
},
})
}
Expand Down Expand Up @@ -178,3 +237,32 @@ func isACLDestroyed(tt *acctest.TestTools) resource.TestCheckFunc {
return nil
}
}

func testAccCheckACLDefaultPolicy(tt *acctest.TestTools, n string) resource.TestCheckFunc {
return func(s *terraform.State) error {
rs, ok := s.RootModule().Resources[n]
if !ok {
return fmt.Errorf("resource not found: %s", n)
}

vpcAPI, region, ID, err := vpc.NewAPIWithRegionAndID(tt.Meta, rs.Primary.ID)
if err != nil {
return err
}

acl, err := vpcAPI.GetACL(&vpcSDK.GetACLRequest{
VpcID: ID,
Region: region,
IsIPv6: false,
})
if err != nil {
return err
}

if acl.DefaultPolicy.String() != vpcSDK.ActionAccept.String() {
return fmt.Errorf("expected default_policy to be %s, got %s", vpcSDK.ActionAccept.String(), acl.DefaultPolicy.String())
}

return nil
}
}
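Review bot: `testAccCheckACLDefaultPolicy` checks only that the default policy is back to accept once the ACL resource is removed from the config; it never checks that the rules applied in the previous step are gone, so a destroy that left stale rules behind would still pass. Assuming the `GetACL` response exposes the rule list, I would add `if len(acl.Rules) != 0 { return fmt.Errorf("expected no rules after destroy, got %d", len(acl.Rules)) }` before the final `return nil`. The helper also hard-codes `IsIPv6: false` and both new tests use `is_ipv6 = false`, so the IPv6 path of the new default and of the delete reset is not exercised. A short doc comment on the helper stating that it asserts the post-destroy IPv4 state of the VPC named by `n` would make that scope clear; its name also departs from the `isACLPresent` / `isACLDestroyed` style used elsewhere in this file.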