diff --git a/builtin/providers/openstack/resource_openstack_networking_secgroup_v2.go b/builtin/providers/openstack/resource_openstack_networking_secgroup_v2.go
index 5d7f65153..0023193ab 100644
--- a/builtin/providers/openstack/resource_openstack_networking_secgroup_v2.go
+++ b/builtin/providers/openstack/resource_openstack_networking_secgroup_v2.go
@@ -46,6 +46,11 @@ func resourceNetworkingSecGroupV2() *schema.Resource {
 				ForceNew: true,
 				Computed: true,
 			},
+			"delete_default_rules": &schema.Schema{
+				Type:     schema.TypeBool,
+				Optional: true,
+				ForceNew: true,
+			},
 		},
 	}
 }
@@ -71,11 +76,14 @@ func resourceNetworkingSecGroupV2Create(d *schema.ResourceData, meta interface{}
 		return err
 	}
 
-	// Remove the default rules
-	for _, rule := range security_group.Rules {
-		if err := rules.Delete(networkingClient, rule.ID).ExtractErr(); err != nil {
-			return fmt.Errorf(
-				"There was a problem deleting a default security group rule: %s", err)
+	// Delete the default security group rules if it has been requested.
+	deleteDefaultRules := d.Get("delete_default_rules").(bool)
+	if deleteDefaultRules {
+		for _, rule := range security_group.Rules {
+			if err := rules.Delete(networkingClient, rule.ID).ExtractErr(); err != nil {
+				return fmt.Errorf(
+					"There was a problem deleting a default security group rule: %s", err)
+			}
 		}
 	}
 
diff --git a/builtin/providers/openstack/resource_openstack_networking_secgroup_v2_test.go b/builtin/providers/openstack/resource_openstack_networking_secgroup_v2_test.go
index a10b62ebe..b4ac4b43e 100644
--- a/builtin/providers/openstack/resource_openstack_networking_secgroup_v2_test.go
+++ b/builtin/providers/openstack/resource_openstack_networking_secgroup_v2_test.go
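Review bot: `delete_default_rules` is declared `ForceNew`, so flipping the flag on an existing group destroys and recreates the security group, which likely cascades to every port and rule referencing its ID — a heavy consequence for a rule-cleanup toggle that deserves a comment on the attribute, `// ForceNew: the flag only governs rules present at creation time, so changing it recreates the group.` The schema also omits `Default: false` and relies on the zero value that `d.Get` returns; adding `Default: false,` beside `Optional: true,` makes the documented default visible in the schema itself. The enclosing `resourceNetworkingSecGroupV2` function starts outside the hunk.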
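Review bot: A failure inside the deletion loop returns before the resource ID is recorded (assuming `d.SetId` follows this block, which is outside the hunk), so a partially cleaned-up security group stays in Neutron without being tracked in state and the next apply creates a second one; calling `d.SetId(security_group.ID)` before the loop, or deleting the group when the loop fails, would keep state consistent. The single-use `deleteDefaultRules` variable can be folded into the condition, `if d.Get("delete_default_rules").(bool) {`. The loop's comment could also say why the rules go, e.g. `// Remove the provider-created default (egress) rules so every rule on this group is declared in Terraform.` `resourceNetworkingSecGroupV2Create` continues outside the hunk.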
@@ -23,7 +23,7 @@ func TestAccNetworkingV2SecGroup_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckNetworkingV2SecGroupExists(
 						"openstack_networking_secgroup_v2.secgroup_1", &security_group),
-					testAccCheckNetworkingV2SecGroupRuleCount(&security_group, 0),
+					testAccCheckNetworkingV2SecGroupRuleCount(&security_group, 2),
 				),
 			},
 			resource.TestStep{
@@ -37,6 +37,26 @@ func TestAccNetworkingV2SecGroup_basic(t *testing.T) {
 	})
 }
 
+func TestAccNetworkingV2SecGroup_noDefaultRules(t *testing.T) {
+	var security_group groups.SecGroup
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckNetworkingV2SecGroupDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccNetworkingV2SecGroup_noDefaultRules,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckNetworkingV2SecGroupExists(
+						"openstack_networking_secgroup_v2.secgroup_1", &security_group),
+					testAccCheckNetworkingV2SecGroupRuleCount(&security_group, 0),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckNetworkingV2SecGroupDestroy(s *terraform.State) error {
 	config := testAccProvider.Meta().(*Config)
 	networkingClient, err := config.networkingV2Client(OS_REGION_NAME)
@@ -115,3 +135,11 @@ resource "openstack_networking_secgroup_v2" "secgroup_1" {
   description = "terraform security group acceptance test"
 }
 `
+
+const testAccNetworkingV2SecGroup_noDefaultRules = `
+resource "openstack_networking_secgroup_v2" "secgroup_1" {
+  name = "security_group_1"
+  description = "terraform security group acceptance test"
+  delete_default_rules = true
+}
+`
diff --git a/website/source/docs/providers/openstack/r/networking_secgroup_v2.html.markdown b/website/source/docs/providers/openstack/r/networking_secgroup_v2.html.markdown
index 67873e6a7..6d3d8d330 100644
--- a/website/source/docs/providers/openstack/r/networking_secgroup_v2.html.markdown
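Review bot: `testAccCheckNetworkingV2SecGroupRuleCount(&security_group, 2)` in `TestAccNetworkingV2SecGroup_basic` pins the number of rules Neutron happens to create by default, which the documentation in this same change says varies between clouds (some add more rules, some none), so the basic test now depends on the test deployment rather than on provider behavior. The new `TestAccNetworkingV2SecGroup_noDefaultRules` assertion of 0 is the one that actually exercises the provider's code path; the basic test could assert only that the group exists, or compare against the rule count the API reported at creation. If the exact count is kept, a comment such as `// Neutron's default configuration creates two egress rules (IPv4 and IPv6); adjust if the test cloud differs.` would make the assumption explicit. `TestAccNetworkingV2SecGroup_basic` starts outside the hunk.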
+++ b/website/source/docs/providers/openstack/r/networking_secgroup_v2.html.markdown
@@ -40,6 +40,10 @@ The following arguments are supported:
     wants to create a port for another tenant. Changing this creates a new
     security group.
 
+* `delete_default_rules` - (Optional) Whether or not to delete the default
+  egress security rules. This is `false` by default. See the below note
+  for more information.
+
 ## Attributes Reference
 
 The following attributes are exported:
@@ -49,6 +53,34 @@ The following attributes are exported:
 * `description` - See Argument Reference above.
 * `tenant_id` - See Argument Reference above.
 
+## Default Security Group Rules
+
+In most cases, OpenStack will create some egress security group rules for each
+new security group. These security group rules will not be managed by
+Terraform, so if you prefer to have *all* aspects of your infrastructure
+managed by Terraform, set `delete_default_rules` to `true` and then create
+separate security group rules such as the following:
+
+```
+resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_v4" {
+  direction = "egress"
+  ethertype = "IPv4"
+  security_group_id = "${openstack_networking_secgroup_v2.secgroup.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_v6" {
+  direction = "egress"
+  ethertype = "IPv6"
+  security_group_id = "${openstack_networking_secgroup_v2.secgroup.id}"
+}
+```
+
+Please note that this behavior may differ depending on the configuration of
+the OpenStack cloud. The above illustrates the current default Neutron
+behavior. Some OpenStack clouds might provide additional rules and some might
+not provide any rules at all (in which case the `delete_default_rules` setting
+is moot).
+
 ## Import
 
 Security Groups can be imported using the `id`, e.g.