Fix/security group rule (#1293)

* fix: delete rule timeout

* fix: comparePolicyAndSecurityGroupInfo

* fix unit test

* fix unit test

* update doc

Co-authored-by: mikatong <mikatong@tencent.com>

Author: tongyiming

tencentcloud/resource_tc_security_group_rule.go

@@ -62,6 +62,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
+	sdkErrors "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/errors"
 )
 
 func resourceTencentCloudSecurityGroupRule() *schema.Resource {
@@ -143,7 +144,7 @@ func resourceTencentCloudSecurityGroupRule() *schema.Resource {
 			"policy_index": {
 				Type:        schema.TypeInt,
 				Optional:    true,
-				Computed:    true,
+				ForceNew:    true,
 				Description: "The security group rule index number, the value of which dynamically changes as the security group rule changes.",
 			},
 			"source_sgid": {
@@ -327,10 +328,14 @@ func resourceTencentCloudSecurityGroupRuleCreate(d *schema.ResourceData, m inter
 		AddressTemplateGroupId:  addressTemplateGroupId,
 		ProtocolTemplateId:      protocolTemplateId,
 		ProtocolTemplateGroupId: protocolTemplateGroupId,
-		PolicyIndex:             policyIndex,
+	}
+	//Forward Compatibility
+	infoWithPolicyIndex := securityGroupRuleBasicInfoWithPolicyIndex{
+		info,
+		policyIndex,
 	}
 
-	ruleId, err := service.CreateSecurityGroupPolicy(ctx, info)
+	ruleId, err := service.CreateSecurityGroupPolicy(ctx, infoWithPolicyIndex)
 	if err != nil {
 		return err
 	}
@@ -412,9 +417,6 @@ func resourceTencentCloudSecurityGroupRuleRead(d *schema.ResourceData, m interfa
 			}
 			_ = d.Set("ip_protocol", inputProtocol)
 		}
-		if policy.PolicyIndex != nil {
-			_ = d.Set("policy_index", *policy.PolicyIndex)
-		}
 		if policy.Port != nil && *policy.Port != "" {
 			_ = d.Set("port_range", *policy.Port)
 		}
@@ -441,9 +443,19 @@ func resourceTencentCloudSecurityGroupRuleDelete(d *schema.ResourceData, m inter
 	service := VpcService{client: m.(*TencentCloudClient).apiV3Conn}
 
 	ruleId := d.Id()
-	err := resource.Retry(writeRetryTimeout, func() *resource.RetryError {
-		e := service.DeleteSecurityGroupPolicy(ctx, ruleId)
+	sgId, policyType, policy, err := service.DescribeSecurityGroupPolicy(ctx, ruleId)
+	if err != nil {
+		log.Printf("[CRITAL]%s security group rule query failed: %s\n ", logId, err.Error())
+		return err
+	}
+	err = resource.Retry(writeRetryTimeout, func() *resource.RetryError {
+		e := service.DeleteSecurityGroupPolicyByPolicyIndex(ctx, *policy.PolicyIndex, sgId, policyType)
 		if e != nil {
+			if ee, ok := e.(*sdkErrors.TencentCloudSDKError); ok {
+				if ee.GetCode() == "ResourceNotFound" {
+					return nil
+				}
+			}
 			return resource.RetryableError(fmt.Errorf("security group delete failed: %s", e.Error()))
 		}
 		return nil

tencentcloud/resource_tc_security_group_rule_test.go

@@ -29,13 +29,6 @@ func TestAccTencentCloudSecurityGroupRule_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("tencentcloud_security_group_rule.http-in", "type", "ingress"),
 					resource.TestCheckResourceAttr("tencentcloud_security_group_rule.http-in", "policy_index", "0"),
 					resource.TestCheckNoResourceAttr("tencentcloud_security_group_rule.http-in", "source_sgid"),
-
-					resource.TestCheckResourceAttr("tencentcloud_security_group_rule.http-in1", "cidr_ip", "1.1.1.2"),
-					resource.TestCheckResourceAttr("tencentcloud_security_group_rule.http-in1", "ip_protocol", "tcp"),
-					resource.TestCheckResourceAttr("tencentcloud_security_group_rule.http-in1", "description", ""),
-					resource.TestCheckResourceAttr("tencentcloud_security_group_rule.http-in1", "type", "ingress"),
-					resource.TestCheckResourceAttr("tencentcloud_security_group_rule.http-in1", "policy_index", "1"),
-					resource.TestCheckNoResourceAttr("tencentcloud_security_group_rule.http-in1", "source_sgid"),
 				),
 			},
 		},
@@ -261,15 +254,6 @@ resource "tencentcloud_security_group_rule" "http-in" {
   policy            = "accept"
   policy_index      = 0
 }
-resource "tencentcloud_security_group_rule" "http-in1" {
-	security_group_id = tencentcloud_security_group.foo.id
-	type              = "ingress"
-	cidr_ip           = "1.1.1.2"
-	ip_protocol       = "tcp"
-	port_range        = "80,8080"
-	policy            = "accept"
-	policy_index      = 1
-  }
 `
 
 const testAccSecurityGroupRuleConfigSSH = `

tencentcloud/service_tencentcloud_vpc.go

@@ -1295,7 +1295,7 @@ func (me *VpcService) DescribeSecurityGroupsAssociate(ctx context.Context, ids [
 	return response.Response.SecurityGroupAssociationStatisticsSet, nil
 }
 
-func (me *VpcService) CreateSecurityGroupPolicy(ctx context.Context, info securityGroupRuleBasicInfo) (ruleId string, err error) {
+func (me *VpcService) CreateSecurityGroupPolicy(ctx context.Context, info securityGroupRuleBasicInfoWithPolicyIndex) (ruleId string, err error) {
 	logId := getLogId(ctx)
 
 	createRequest := vpc.NewCreateSecurityGroupPoliciesRequest()
@@ -1358,7 +1358,7 @@ func (me *VpcService) CreateSecurityGroupPolicy(ctx context.Context, info securi
 		info.SourceSgId = common.StringPtr("")
 	}
 
-	ruleId, err = buildSecurityGroupRuleId(info)
+	ruleId, err = buildSecurityGroupRuleId(info.securityGroupRuleBasicInfo)
 	if err != nil {
 		return "", fmt.Errorf("build rule id error, reason: %v", err)
 	}
@@ -1476,6 +1476,10 @@ func (me *VpcService) DeleteSecurityGroupPolicy(ctx context.Context, ruleId stri
 		policy.ServiceTemplate.ServiceId = info.ProtocolTemplateId
 	}
 
+	if info.Description != nil && *info.Description != "" {
+		policy.PolicyDescription = info.Description
+	}
+
 	switch strings.ToLower(info.PolicyType) {
 	case "ingress":
 		request.SecurityGroupPolicySet.Ingress = []*vpc.SecurityGroupPolicy{policy}
@@ -1493,6 +1497,32 @@ func (me *VpcService) DeleteSecurityGroupPolicy(ctx context.Context, ruleId stri
 	return nil
 }
 
+func (me *VpcService) DeleteSecurityGroupPolicyByPolicyIndex(ctx context.Context, policyIndex int64, sgId, policyType string) error {
+	logId := getLogId(ctx)
+
+	request := vpc.NewDeleteSecurityGroupPoliciesRequest()
+	request.SecurityGroupId = helper.String(sgId)
+	request.SecurityGroupPolicySet = new(vpc.SecurityGroupPolicySet)
+
+	policy := new(vpc.SecurityGroupPolicy)
+	policy.PolicyIndex = helper.Int64(policyIndex)
+	switch strings.ToLower(policyType) {
+	case "ingress":
+		request.SecurityGroupPolicySet.Ingress = []*vpc.SecurityGroupPolicy{policy}
+
+	case "egress":
+		request.SecurityGroupPolicySet.Egress = []*vpc.SecurityGroupPolicy{policy}
+	}
+	ratelimit.Check(request.GetAction())
+	if _, err := me.client.UseVpcClient().DeleteSecurityGroupPolicies(request); err != nil {
+		log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%v]",
+			logId, request.GetAction(), request.ToJsonString(), err)
+		return err
+	}
+	return nil
+
+}
+
 func (me *VpcService) ModifySecurityGroupPolicy(ctx context.Context, ruleId string, desc *string) error {
 	logId := getLogId(ctx)
 
@@ -1792,7 +1822,11 @@ type securityGroupRuleBasicInfo struct {
 	AddressTemplateGroupId  *string `json:"address_template_group_id,omitempty"`
 	ProtocolTemplateId      *string `json:"protocol_template_id,omitempty"`
 	ProtocolTemplateGroupId *string `json:"protocol_template_group_id,omitempty"`
-	PolicyIndex             int64   `json:"policy_index"`
+}
+
+type securityGroupRuleBasicInfoWithPolicyIndex struct {
+	securityGroupRuleBasicInfo
+	PolicyIndex int64 `json:"policy_index"`
 }
 
 // Build an ID for a Security Group Rule (new version)
@@ -1879,23 +1913,44 @@ func parseSecurityGroupRuleId(ruleId string) (info securityGroupRuleBasicInfo, e
 }
 
 func comparePolicyAndSecurityGroupInfo(policy *vpc.SecurityGroupPolicy, info securityGroupRuleBasicInfo) bool {
+	if policy.PolicyDescription != nil && *policy.PolicyDescription != "" {
+		if info.Description == nil || *policy.PolicyDescription != *info.Description {
+			return false
+		}
+	} else {
+		if info.Description != nil && *info.Description != "" {
+			return false
+		}
+	}
 	// policy.CidrBlock will be nil if address template is set
 	if policy.CidrBlock != nil && *policy.CidrBlock != "" {
-		if *policy.CidrBlock != *info.CidrIp {
+		if info.CidrIp == nil || *policy.CidrBlock != *info.CidrIp {
+			return false
+		}
+	} else {
+		if info.CidrIp != nil && *info.CidrIp != "" {
 			return false
 		}
 	}
 
 	// policy.Port will be nil if protocol template is set
 	if policy.Port != nil && *policy.Port != "" {
-		if *policy.Port != *info.PortRange {
+		if info.PortRange == nil || *policy.Port != *info.PortRange {
+			return false
+		}
+	} else {
+		if info.PortRange != nil && *info.PortRange != "" && *info.PortRange != "ALL" {
 			return false
 		}
 	}
 
 	// policy.Protocol will be nil if protocol template is set
 	if policy.Protocol != nil && *policy.Protocol != "" {
-		if !strings.EqualFold(*policy.Protocol, *info.Protocol) {
+		if info.Protocol == nil || !strings.EqualFold(*policy.Protocol, *info.Protocol) {
+			return false
+		}
+	} else {
+		if info.Protocol != nil && *info.Protocol != "" && *info.Protocol != "ALL" {
 			return false
 		}
 	}
@@ -1915,22 +1970,40 @@ func comparePolicyAndSecurityGroupInfo(policy *vpc.SecurityGroupPolicy, info sec
 			log.Printf("%s %v test", *info.ProtocolTemplateId, policy.ServiceTemplate)
 			return false
 		}
+	} else {
+		if policy.ServiceTemplate != nil && policy.ServiceTemplate.ServiceId != nil && *policy.ServiceTemplate.ServiceId != "" {
+			return false
+		}
 	}
+
 	if info.ProtocolTemplateGroupId != nil && *info.ProtocolTemplateGroupId != "" {
 		if policy.ServiceTemplate == nil || policy.ServiceTemplate.ServiceGroupId == nil || *info.ProtocolTemplateGroupId != *policy.ServiceTemplate.ServiceGroupId {
 			log.Printf("%s %v test", *info.ProtocolTemplateGroupId, policy.ServiceTemplate)
 			return false
 		}
+	} else {
+		if policy.ServiceTemplate != nil && policy.ServiceTemplate.ServiceGroupId != nil && *policy.ServiceTemplate.ServiceGroupId != "" {
+			return false
+		}
 	}
+
 	if info.AddressTemplateGroupId != nil && *info.AddressTemplateGroupId != "" {
 		if policy.AddressTemplate == nil || policy.AddressTemplate.AddressGroupId == nil || *info.AddressTemplateGroupId != *policy.AddressTemplate.AddressGroupId {
 			return false
 		}
+	} else {
+		if policy.AddressTemplate != nil && policy.AddressTemplate.AddressGroupId != nil && *policy.AddressTemplate.AddressGroupId != "" {
+			return false
+		}
 	}
 	if info.AddressTemplateId != nil && *info.AddressTemplateId != "" {
 		if policy.AddressTemplate == nil || policy.AddressTemplate.AddressId == nil || *info.AddressTemplateId != *policy.AddressTemplate.AddressId {
 			return false
 		}
+	} else {
+		if policy.AddressTemplate != nil && policy.AddressTemplate.AddressId != nil && *policy.AddressTemplate.AddressId != "" {
+			return false
+		}
 	}
 
 	return true

website/docs/r/security_group_rule.html.markdown

@@ -70,7 +70,7 @@ The following arguments are supported:
 * `cidr_ip` - (Optional, String, ForceNew) An IP address network or segment, and conflict with `source_sgid` and `address_template`.
 * `description` - (Optional, String, ForceNew) Description of the security group rule.
 * `ip_protocol` - (Optional, String, ForceNew) Type of IP protocol. Valid values: `TCP`, `UDP` and `ICMP`. Default to all types protocol, and conflicts with `protocol_template`.
-* `policy_index` - (Optional, Int) The security group rule index number, the value of which dynamically changes as the security group rule changes.
+* `policy_index` - (Optional, Int, ForceNew) The security group rule index number, the value of which dynamically changes as the security group rule changes.
 * `port_range` - (Optional, String, ForceNew) Range of the port. The available value can be one, multiple or one segment. E.g. `80`, `80,90` and `80-90`. Default to all ports, and confilicts with `protocol_template`.
 * `protocol_template` - (Optional, List, ForceNew) ID of the address template, and conflict with `ip_protocol`, `port_range`.
 * `source_sgid` - (Optional, String, ForceNew) ID of the nested security group, and conflicts with `cidr_ip` and `address_template`.