provider/openstack: Toggle Creation of Default Security Group Rules (#12119)

This commit modifies the behavior implemented in #9799 by enabling the user to be able to toggle the creation of the default security group rules.
2017-03-05 07:18:00 -07:00 · 2017-03-05 07:18:00 -07:00 · 120e3af178
parent 7d6e2837e1
commit 120e3af178
3 changed files with 74 additions and 6 deletions
--- a/builtin/providers/openstack/resource_openstack_networking_secgroup_v2.go
+++ b/builtin/providers/openstack/resource_openstack_networking_secgroup_v2.go
@ -46,6 +46,11 @@ func resourceNetworkingSecGroupV2() *schema.Resource {
 				ForceNew: true,
 				Computed: true,
 			},
 			"delete_default_rules": &schema.Schema{
 				Type:     schema.TypeBool,
 				Optional: true,
 				ForceNew: true,
 			},
 		},
 	}
 }
@ -71,11 +76,14 @@ func resourceNetworkingSecGroupV2Create(d *schema.ResourceData, meta interface{}
 		return err
 	}
-	// Remove the default rules
+	// Delete the default security group rules if it has been requested.
-	for _, rule := range security_group.Rules {
+	deleteDefaultRules := d.Get("delete_default_rules").(bool)
-		if err := rules.Delete(networkingClient, rule.ID).ExtractErr(); err != nil {
+	if deleteDefaultRules {
-			return fmt.Errorf(
+		for _, rule := range security_group.Rules {
-				"There was a problem deleting a default security group rule: %s", err)
+			if err := rules.Delete(networkingClient, rule.ID).ExtractErr(); err != nil {
 				return fmt.Errorf(
 					"There was a problem deleting a default security group rule: %s", err)
 			}
 		}
 	}
--- a/builtin/providers/openstack/resource_openstack_networking_secgroup_v2_test.go
+++ b/builtin/providers/openstack/resource_openstack_networking_secgroup_v2_test.go
@ -23,7 +23,7 @@ func TestAccNetworkingV2SecGroup_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckNetworkingV2SecGroupExists(
 						"openstack_networking_secgroup_v2.secgroup_1", &security_group),
-					testAccCheckNetworkingV2SecGroupRuleCount(&security_group, 0),
+					testAccCheckNetworkingV2SecGroupRuleCount(&security_group, 2),
 				),
 			},
 			resource.TestStep{
@ -37,6 +37,26 @@ func TestAccNetworkingV2SecGroup_basic(t *testing.T) {
 	})
 }
 func TestAccNetworkingV2SecGroup_noDefaultRules(t *testing.T) {
 	var security_group groups.SecGroup
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
 		Providers:    testAccProviders,
 		CheckDestroy: testAccCheckNetworkingV2SecGroupDestroy,
 		Steps: []resource.TestStep{
 			resource.TestStep{
 				Config: testAccNetworkingV2SecGroup_noDefaultRules,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckNetworkingV2SecGroupExists(
 						"openstack_networking_secgroup_v2.secgroup_1", &security_group),
 					testAccCheckNetworkingV2SecGroupRuleCount(&security_group, 0),
 				),
 			},
 		},
 	})
 }
 func testAccCheckNetworkingV2SecGroupDestroy(s *terraform.State) error {
 	config := testAccProvider.Meta().(*Config)
 	networkingClient, err := config.networkingV2Client(OS_REGION_NAME)
@ -115,3 +135,11 @@ resource "openstack_networking_secgroup_v2" "secgroup_1" {
  description = "terraform security group acceptance test"
 }
 `
 const testAccNetworkingV2SecGroup_noDefaultRules = `
 resource "openstack_networking_secgroup_v2" "secgroup_1" {
 	name = "security_group_1"
 	description = "terraform security group acceptance test"
 	delete_default_rules = true
 }
 `
--- a/website/source/docs/providers/openstack/r/networking_secgroup_v2.html.markdown
+++ b/website/source/docs/providers/openstack/r/networking_secgroup_v2.html.markdown
@ -40,6 +40,10 @@ The following arguments are supported:
    wants to create a port for another tenant. Changing this creates a new
    security group.
 * `delete_default_rules` - (Optional) Whether or not to delete the default
    egress security rules. This is `false` by default. See the below note
    for more information.
 ## Attributes Reference
 The following attributes are exported:
@ -49,6 +53,34 @@ The following attributes are exported:
 * `description` - See Argument Reference above.
 * `tenant_id` - See Argument Reference above.
 ## Default Security Group Rules
 In most cases, OpenStack will create some egress security group rules for each
 new security group. These security group rules will not be managed by
 Terraform, so if you prefer to have *all* aspects of your infrastructure
 managed by Terraform, set `delete_default_rules` to `true` and then create
 separate security group rules such as the following:
 ```
 resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_v4" {
  direction = "egress"
  ethertype = "IPv4"
  security_group_id = "${openstack_networking_secgroup_v2.secgroup.id}"
 }
 resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_v6" {
  direction = "egress"
  ethertype = "IPv6"
  security_group_id = "${openstack_networking_secgroup_v2.secgroup.id}"
 }
 ```
 Please note that this behavior may differ depending on the configuration of
 the OpenStack cloud. The above illustrates the current default Neutron
 behavior. Some OpenStack clouds might provide additional rules and some might
 not provide any rules at all (in which case the `delete_default_rules` setting
 is moot).
 ## Import
 Security Groups can be imported using the `id`, e.g.