New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FWaaS_V2]: Add fw_policy_v2 #1584
[FWaaS_V2]: Add fw_policy_v2 #1584
Conversation
Add data_source_openstack_fw_policy_v2 with tests. Add import_openstack_fw_policy_v2_test. Add resource_openstack_fw_policy_v2 with tests. Add policy_v2 docs. Add policy_v2 to sources maps.
return diag.Errorf("Error creating OpenStack networking client: %s", err) | ||
} | ||
|
||
var updateOpts policies.UpdateOpts |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd make it a pointer and check for nil before the update. Since potentially there could be empty POST requests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. Thank you!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
@nikParasyr |
@Koodt keep them on this one its ok. split them in the next PR for fw groups |
} | ||
|
||
if v, ok := d.GetOk("shared"); ok { | ||
listOpts.Shared = v.(*bool) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this code will panic with panic: interface conversion: interface {} is bool, not *bool
. I'd recommend to add an extra functional test to track this. Also please take a look to your other PRs and make sure this issue doesn't exist there as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add test with AdminOnly for all PRs
I don't see panic not in my IDE, not in runtime, not in tests.
Do you speak about possible panic?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, it's an actual panic, because you're trying to assert a bool
to *bool
. Terraform schema data types were never a pointer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reproduced and understood
Thank you
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
…estAccFWPolicyV2_shared, TestAccFWRuleV2_shared, fix indents, remove unused value_specs
return diag.Errorf("Error creating OpenStack networking client: %s", err) | ||
} | ||
|
||
audited := d.Get("audited").(bool) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does it make sense to align the audited := d.Get("audited").(bool)
and the if r, ok := d.GetOk("shared"); ok {
approaches to a single one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
|
||
func fwPolicyV2DeleteFunc(networkingClient *gophercloud.ServiceClient, id string) resource.StateRefreshFunc { | ||
return func() (interface{}, string, error) { | ||
err := policies.Delete(networkingClient, id).Err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you need to add an ErrDefault404
check here as well. There is a chance that the policy can be deleted manually between checks and this will cause TF to hang.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
@nikParasyr @kayrus I will be revert policies.RemoveRule in resourceFWRuleV2Delete |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks much much better now, thank you very much for your patience. See my recent comments and can you also align the d.Get("shared").(bool)
bool styles in the openstack_fw_rule_v2
resource?
|
||
pages, err := policies.List(networkingClient, listOpts).AllPages() | ||
if err != nil { | ||
return diag.FromErr(err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return diag.FromErr(err) | |
return diag.Errorf("Unable to list openstack_fw_policy_v2 policies: %s", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add this change in data_source_openstack_fw_rule_v2 too
"audited": { | ||
Type: schema.TypeBool, | ||
Optional: true, | ||
Default: false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this does make sense :
The same note for openstack_fw_rule_v2 shared
argument.
return diag.FromErr(CheckDeleted(d, err, "Error retrieving openstack_fw_rule_v2")) | ||
} | ||
|
||
if len(rule.FirewallPolicyID) > 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think it's a good idea to delete rules, which were already attached to a policy. If the resource is controlled by terraform, terraform dependency manager must delete resources according to a dependency, if not, it should fail after a timeout. I'd implement force_destroy
or force_delete
argument for this case. @nikParasyr we already have force_destroy
for containers and force_delete
for compute nodes. Which one would you think is better? :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in addition to
err = rules.Delete(networkingClient, d.Id()).ExtractErr()
Don't you need to introduce a similar approach of calling the fwPolicyV2DeleteFunc
function but for rules? And also check for the err.(gophercloud.ErrDefault404)
:)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think It's a bug. TF ignore rule/policy dependencies.
When we wants to detach and delete attached rules, TF for first time delete rules, and after delete rule associations
TestAccFWPolicyV2_deleteRules crashes if we not delete rule from policy prevously.
First step
resource "openstack_fw_rule_v2" "tcp_allow" {
protocol = "tcp"
action = "allow"
}
resource "openstack_fw_rule_v2" "udp_deny" {
protocol = "udp"
action = "deny"
}
resource "openstack_fw_policy_v2" "policy_1" {
name = "policy_1"
description = "terraform acceptance test"
audited = true
rules = [
"${openstack_fw_rule_v2.udp_deny.id}",
"${openstack_fw_rule_v2.tcp_allow.id}"
]
}
Second Step
resource "openstack_fw_rule_v2" "udp_deny" {
protocol = "udp"
action = "deny"
}
resource "openstack_fw_policy_v2" "policy_1" {
name = "policy_1"
description = "terraform acceptance test"
rules = [
"${openstack_fw_rule_v2.udp_deny.id}"
]
}
Result
{"NeutronError": {"type": "FirewallRuleInUse", "message": "Firewall rule a8829851-68db-42c9-ba41-d2982a537fd4 is being used.", "detail": ""}}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since this is an async operation, this may happen. Have you tried with the fwPolicyV2DeleteFunc
like approach?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd implement force_destroy or force_delete argument for this case.
agreed. force_delete
i'd say
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Then I think it makes sense to create a separate resource, which will associate the rule with a policy. Blindly removing all the rule associations doesn't look like a good approach.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have no idea how we will manage the order of the rules in the presence of such a function.
This is not blindly removing. We do it only with deletion of the rule and we'll remove all associations for the rule, not for the policy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, I have no idea how we will manage the list of rules for the policy.
We will need to create a separate resource, which will associate the strictly ordered rule's list with a policy.
How will we import a policy with already created rule's list?
It seems to me that this will be a more complex and confusing flow than deleting an association for a rule, which we will delete anyway
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
a separate resource, which will associate the rule with a policy
This probably introduces a lot of issues as you need to order the associations.
I think TF dependency graph works fine when both rule & policy are to be deleted. The problem as @Koodt mentioned occurs when in the same apply a rule is removed and the policy it is attached to is updated, because TF will run the delete rule first (and at that point of time the association is still in place) and then update the policy (which would remove the association).
AFAIK, and this only based on docs as i dont have a dev environment with fw_v2, a rule is associated to a single policy, so we are not removing all associations, only one. So from my side this approach is good.
@kayrus if you prefer, and as we discussed above, we could introduce a force_delete
flag on the resource, and only when it is set to true
the delete function will also remove the association.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's keep it as is for now since we have clarified most of the corner cases. If this issue is raised again, we will consider what actions we can take to address it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks for your patience.
@kayrus what about close of the conversations? |
To be honest I'd prefer to keep them open :) It's useful especially during the search on the page, otherwise it's hard to find the needed word or sentence. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. @Koodt thanks for you work and patience. you can proceed with the fw_v2 group resource and data source PRs (seperate ones)
33459b9
into
terraform-provider-openstack:main
Add data_source_openstack_fw_policy_v2 with tests. Add import_openstack_fw_policy_v2_test.
Add resource_openstack_fw_policy_v2 with tests.
Add policy_v2 docs.
Add policy_v2 to sources maps.
Close 2/3 part of #115