[FWaaS_V2]: Add fw_policy_v2 #1584
Conversation
Add data_source_openstack_fw_policy_v2 with tests. Add import_openstack_fw_policy_v2_test. Add resource_openstack_fw_policy_v2 with tests. Add policy_v2 docs. Add policy_v2 to sources maps.
| return diag.Errorf("Error creating OpenStack networking client: %s", err) | ||
| } | ||
|
|
||
| var updateOpts policies.UpdateOpts |
There was a problem hiding this comment.
I'd make it a pointer and check for nil before the update. Since potentially there could be empty POST requests.
There was a problem hiding this comment.
Good point. Thank you!
|
@nikParasyr |
|
@Koodt keep them on this one its ok. split them in the next PR for fw groups |
| } | ||
|
|
||
| if v, ok := d.GetOk("shared"); ok { | ||
| listOpts.Shared = v.(*bool) |
There was a problem hiding this comment.
this code will panic with panic: interface conversion: interface {} is bool, not *bool. I'd recommend to add an extra functional test to track this. Also please take a look to your other PRs and make sure this issue doesn't exist there as well.
There was a problem hiding this comment.
Add test with AdminOnly for all PRs
I don't see panic not in my IDE, not in runtime, not in tests.
Do you speak about possible panic?
There was a problem hiding this comment.
No, it's an actual panic, because you're trying to assert a bool to *bool. Terraform schema data types were never a pointer.
There was a problem hiding this comment.
Reproduced and understood
Thank you
…estAccFWPolicyV2_shared, TestAccFWRuleV2_shared, fix indents, remove unused value_specs
| return diag.Errorf("Error creating OpenStack networking client: %s", err) | ||
| } | ||
|
|
||
| audited := d.Get("audited").(bool) |
There was a problem hiding this comment.
does it make sense to align the audited := d.Get("audited").(bool) and the if r, ok := d.GetOk("shared"); ok { approaches to a single one?
|
|
||
| func fwPolicyV2DeleteFunc(networkingClient *gophercloud.ServiceClient, id string) resource.StateRefreshFunc { | ||
| return func() (interface{}, string, error) { | ||
| err := policies.Delete(networkingClient, id).Err |
There was a problem hiding this comment.
you need to add an ErrDefault404 check here as well. There is a chance that the policy can be deleted manually between checks and this will cause TF to hang.
|
@nikParasyr @kayrus I will be revert policies.RemoveRule in resourceFWRuleV2Delete |
|
|
||
| pages, err := policies.List(networkingClient, listOpts).AllPages() | ||
| if err != nil { | ||
| return diag.FromErr(err) |
There was a problem hiding this comment.
| return diag.FromErr(err) | |
| return diag.Errorf("Unable to list openstack_fw_policy_v2 policies: %s", err) |
There was a problem hiding this comment.
Add this change in data_source_openstack_fw_rule_v2 too
| "audited": { | ||
| Type: schema.TypeBool, | ||
| Optional: true, | ||
| Default: false, |
There was a problem hiding this comment.
I don't think this does make sense :
The same note for openstack_fw_rule_v2 shared argument.
| return diag.FromErr(CheckDeleted(d, err, "Error retrieving openstack_fw_rule_v2")) | ||
| } | ||
|
|
||
| if len(rule.FirewallPolicyID) > 0 { |
There was a problem hiding this comment.
I don't think it's a good idea to delete rules, which were already attached to a policy. If the resource is controlled by terraform, terraform dependency manager must delete resources according to a dependency, if not, it should fail after a timeout. I'd implement force_destroy or force_delete argument for this case. @nikParasyr we already have force_destroy for containers and force_delete for compute nodes. Which one would you think is better? :)
There was a problem hiding this comment.
in addition to
err = rules.Delete(networkingClient, d.Id()).ExtractErr()
Don't you need to introduce a similar approach of calling the fwPolicyV2DeleteFunc function but for rules? And also check for the err.(gophercloud.ErrDefault404) :)
There was a problem hiding this comment.
I think It's a bug. TF ignore rule/policy dependencies.
When we wants to detach and delete attached rules, TF for first time delete rules, and after delete rule associations
TestAccFWPolicyV2_deleteRules crashes if we not delete rule from policy prevously.
First step
resource "openstack_fw_rule_v2" "tcp_allow" {
protocol = "tcp"
action = "allow"
}
resource "openstack_fw_rule_v2" "udp_deny" {
protocol = "udp"
action = "deny"
}
resource "openstack_fw_policy_v2" "policy_1" {
name = "policy_1"
description = "terraform acceptance test"
audited = true
rules = [
"${openstack_fw_rule_v2.udp_deny.id}",
"${openstack_fw_rule_v2.tcp_allow.id}"
]
}
Second Step
resource "openstack_fw_rule_v2" "udp_deny" {
protocol = "udp"
action = "deny"
}
resource "openstack_fw_policy_v2" "policy_1" {
name = "policy_1"
description = "terraform acceptance test"
rules = [
"${openstack_fw_rule_v2.udp_deny.id}"
]
}
Result
{"NeutronError": {"type": "FirewallRuleInUse", "message": "Firewall rule a8829851-68db-42c9-ba41-d2982a537fd4 is being used.", "detail": ""}}
There was a problem hiding this comment.
Since this is an async operation, this may happen. Have you tried with the fwPolicyV2DeleteFunc like approach?
There was a problem hiding this comment.
I'd implement force_destroy or force_delete argument for this case.
agreed. force_delete i'd say
There was a problem hiding this comment.
Then I think it makes sense to create a separate resource, which will associate the rule with a policy. Blindly removing all the rule associations doesn't look like a good approach.
There was a problem hiding this comment.
I have no idea how we will manage the order of the rules in the presence of such a function.
This is not blindly removing. We do it only with deletion of the rule and we'll remove all associations for the rule, not for the policy.
There was a problem hiding this comment.
Also, I have no idea how we will manage the list of rules for the policy.
We will need to create a separate resource, which will associate the strictly ordered rule's list with a policy.
How will we import a policy with already created rule's list?
It seems to me that this will be a more complex and confusing flow than deleting an association for a rule, which we will delete anyway
There was a problem hiding this comment.
a separate resource, which will associate the rule with a policy
This probably introduces a lot of issues as you need to order the associations.
I think TF dependency graph works fine when both rule & policy are to be deleted. The problem as @Koodt mentioned occurs when in the same apply a rule is removed and the policy it is attached to is updated, because TF will run the delete rule first (and at that point of time the association is still in place) and then update the policy (which would remove the association).
AFAIK, and this only based on docs as i dont have a dev environment with fw_v2, a rule is associated to a single policy, so we are not removing all associations, only one. So from my side this approach is good.
@kayrus if you prefer, and as we discussed above, we could introduce a force_delete flag on the resource, and only when it is set to true the delete function will also remove the association.
There was a problem hiding this comment.
Let's keep it as is for now since we have clarified most of the corner cases. If this issue is raised again, we will consider what actions we can take to address it.
|
@kayrus what about close of the conversations? |
|
To be honest I'd prefer to keep them open :) It's useful especially during the search on the page, otherwise it's hard to find the needed word or sentence. |
There was a problem hiding this comment.
LGTM. @Koodt thanks for you work and patience. you can proceed with the fw_v2 group resource and data source PRs (seperate ones)
nikParasyr
merged commit 33459b9
into
terraform-provider-openstack:main
Add data_source_openstack_fw_policy_v2 with tests. Add import_openstack_fw_policy_v2_test.
Add resource_openstack_fw_policy_v2 with tests.
Add policy_v2 docs.
Add policy_v2 to sources maps.
Close 2/3 part of #115