provider/openstack: Toggle Creation of Default Security Group Rules (#12119)

This commit modifies the behavior implemented in #9799 by enabling the user to be able to toggle the creation of the default security group rules.
2017-03-05 07:18:00 -07:00 · 2017-03-05 07:18:00 -07:00 · 120e3af178
parent 7d6e2837e1
commit 120e3af178
3 changed files with 74 additions and 6 deletions
--- a/builtin/providers/openstack/resource_openstack_networking_secgroup_v2.go
+++ b/builtin/providers/openstack/resource_openstack_networking_secgroup_v2.go
@ -46,6 +46,11 @@ func resourceNetworkingSecGroupV2() *schema.Resource {
 				ForceNew: true,
 				Computed: true,
 			},
+			"delete_default_rules": &schema.Schema{
+				Type:     schema.TypeBool,
+				Optional: true,
+				ForceNew: true,
+			},
 		},
 	}
 }
@ -71,13 +76,16 @@ func resourceNetworkingSecGroupV2Create(d *schema.ResourceData, meta interface{}
 		return err
 	}

-	// Remove the default rules
+	// Delete the default security group rules if it has been requested.
+	deleteDefaultRules := d.Get("delete_default_rules").(bool)
+	if deleteDefaultRules {
 		for _, rule := range security_group.Rules {
 			if err := rules.Delete(networkingClient, rule.ID).ExtractErr(); err != nil {
 				return fmt.Errorf(
 					"There was a problem deleting a default security group rule: %s", err)
 			}
 		}
+	}

 	log.Printf("[DEBUG] OpenStack Neutron Security Group created: %#v", security_group)

--- a/builtin/providers/openstack/resource_openstack_networking_secgroup_v2_test.go
+++ b/builtin/providers/openstack/resource_openstack_networking_secgroup_v2_test.go
@ -23,7 +23,7 @@ func TestAccNetworkingV2SecGroup_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckNetworkingV2SecGroupExists(
 						"openstack_networking_secgroup_v2.secgroup_1", &security_group),
-					testAccCheckNetworkingV2SecGroupRuleCount(&security_group, 0),
+					testAccCheckNetworkingV2SecGroupRuleCount(&security_group, 2),
 				),
 			},
 			resource.TestStep{
@ -37,6 +37,26 @@ func TestAccNetworkingV2SecGroup_basic(t *testing.T) {
 	})
 }

+func TestAccNetworkingV2SecGroup_noDefaultRules(t *testing.T) {
+	var security_group groups.SecGroup
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckNetworkingV2SecGroupDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccNetworkingV2SecGroup_noDefaultRules,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckNetworkingV2SecGroupExists(
+						"openstack_networking_secgroup_v2.secgroup_1", &security_group),
+					testAccCheckNetworkingV2SecGroupRuleCount(&security_group, 0),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckNetworkingV2SecGroupDestroy(s *terraform.State) error {
 	config := testAccProvider.Meta().(*Config)
 	networkingClient, err := config.networkingV2Client(OS_REGION_NAME)
@ -115,3 +135,11 @@ resource "openstack_networking_secgroup_v2" "secgroup_1" {
  description = "terraform security group acceptance test"
 }
 `
+
+const testAccNetworkingV2SecGroup_noDefaultRules = `
+resource "openstack_networking_secgroup_v2" "secgroup_1" {
+	name = "security_group_1"
+	description = "terraform security group acceptance test"
+	delete_default_rules = true
+}
+`
--- a/website/source/docs/providers/openstack/r/networking_secgroup_v2.html.markdown
+++ b/website/source/docs/providers/openstack/r/networking_secgroup_v2.html.markdown
@ -40,6 +40,10 @@ The following arguments are supported:
    wants to create a port for another tenant. Changing this creates a new
    security group.

+* `delete_default_rules` - (Optional) Whether or not to delete the default
+    egress security rules. This is `false` by default. See the below note
+    for more information.
+
 ## Attributes Reference

 The following attributes are exported:
@ -49,6 +53,34 @@ The following attributes are exported:
 * `description` - See Argument Reference above.
 * `tenant_id` - See Argument Reference above.

+## Default Security Group Rules
+
+In most cases, OpenStack will create some egress security group rules for each
+new security group. These security group rules will not be managed by
+Terraform, so if you prefer to have *all* aspects of your infrastructure
+managed by Terraform, set `delete_default_rules` to `true` and then create
+separate security group rules such as the following:
+
+```
+resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_v4" {
+  direction = "egress"
+  ethertype = "IPv4"
+  security_group_id = "${openstack_networking_secgroup_v2.secgroup.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_v6" {
+  direction = "egress"
+  ethertype = "IPv6"
+  security_group_id = "${openstack_networking_secgroup_v2.secgroup.id}"
+}
+```
+
+Please note that this behavior may differ depending on the configuration of
+the OpenStack cloud. The above illustrates the current default Neutron
+behavior. Some OpenStack clouds might provide additional rules and some might
+not provide any rules at all (in which case the `delete_default_rules` setting
+is moot).
+
 ## Import

 Security Groups can be imported using the `id`, e.g.