azurerm_palo_alto_local_rulestack_rule - correctly populate protocol property

[teowa]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

Fix the issue when protocol_ports is set, the protocol property in Terraform state (populated with application-default) is inconsistent with API response (empty).

Terraform state (both protocol and protocol_ports are set):

resource "azurerm_palo_alto_local_rulestack_rule" "example" {
    action                    = "Allow"
    applications              = [
        "any",
    ]
    audit_comment             = null
    decryption_rule_type      = "None"
    description               = null
    enabled                   = true
    id                        = "/subscriptions/XXXX/resourceGroups/lrs-test-tf3/providers/PaloAltoNetworks.Cloudngfw/localRulestacks/lrs-test-1/localRules/1000"
    inspection_certificate_id = null
    logging_enabled           = false
    name                      = "lr-test-1"
    negate_destination        = false
    negate_source             = false
    priority                  = 1000
    protocol                  = "application-default"
    protocol_ports            = [
        "TCP:8080",
        "UDP:5431",
    ]
    rulestack_id              = "/subscriptions/XXXX/resourceGroups/lrs-test-tf3/providers/PaloAltoNetworks.Cloudngfw/localRulestacks/lrs-test-1"
    tags                      = {}

    destination {
        cidrs                           = [
            "192.168.16.0/24",
        ]
        countries                       = []
        feeds                           = []
        local_rulestack_fqdn_list_ids   = []
        local_rulestack_prefix_list_ids = []
    }

    source {
        cidrs                           = [
            "10.0.0.0/8",
        ]
        countries                       = []
        feeds                           = []
        local_rulestack_prefix_list_ids = []
    }
}

true API response (only protocol ports is set):

{
    "id": "/subscriptions/XXXX/resourceGroups/lrs-test-tf3/providers/PaloAltoNetworks.Cloudngfw/localRulestacks/lrs-test-1/localRules/1000",
    "name": "1000",
    "type": "localRulestacks/localRules",
    "properties": {
        "ruleName": "lr-test-1",
        "priority": 1000,
        "ruleState": "ENABLED",
        "source": {
            "cidrs": [
                "10.0.0.0/8"
            ],
            "countries": [],
            "feeds": [],
            "prefixLists": []
        },
        "negateSource": "FALSE",
        "destination": {
            "cidrs": [
                "192.168.16.0/24"
            ],
            "countries": [],
            "feeds": [],
            "prefixLists": [],
            "fqdnLists": []
        },
        "negateDestination": "FALSE",
        "applications": [
            "any"
        ],
        "protocolPortList": [
            "TCP:8080",
            "UDP:5431"
        ],
        "actionType": "Allow",
        "enableLogging": "DISABLED",
        "decryptionRuleType": "None",
        "tags": [],
        "etag": "010d4f2a-350c-11ef-8703-96b8677701c7"
    }
}

But to deal with the API behaviour that protocol default value does not work if protocol_ports is set, a DiffSuppressFunc is added to below schema.

		"protocol": {
			Type:          pluginsdk.TypeString,
			Optional:      true,
			Default:       protocolApplicationDefault,
			ValidateFunc:  validate.ProtocolWithPort,
			ConflictsWith: []string{"protocol_ports"},
                }

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
  For example: “resource_name_here - description of change e.g. adding property new_property_name_here”

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevent documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
• (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

• My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

TF_ACC=1 go test -v ./internal/services/paloalto -parallel 6 -run TestAccPaloAltoLocalRule_ -timeout 2h -ldflags="-X=github.com/hashicorp/terraform-provider-azurerm/version.ProviderVersion=acc"
=== RUN   TestAccPaloAltoLocalRule_basic
=== PAUSE TestAccPaloAltoLocalRule_basic
=== RUN   TestAccPaloAltoLocalRule_requiresImport
=== PAUSE TestAccPaloAltoLocalRule_requiresImport
=== RUN   TestAccPaloAltoLocalRule_withDestination
=== PAUSE TestAccPaloAltoLocalRule_withDestination
=== RUN   TestAccPaloAltoLocalRule_complete
=== PAUSE TestAccPaloAltoLocalRule_complete
=== RUN   TestAccPaloAltoLocalRule_update
=== PAUSE TestAccPaloAltoLocalRule_update
=== RUN   TestAccPaloAltoLocalRule_updateProtocol
=== PAUSE TestAccPaloAltoLocalRule_updateProtocol
=== CONT  TestAccPaloAltoLocalRule_basic
=== CONT  TestAccPaloAltoLocalRule_complete
=== CONT  TestAccPaloAltoLocalRule_updateProtocol
=== CONT  TestAccPaloAltoLocalRule_withDestination
=== CONT  TestAccPaloAltoLocalRule_requiresImport
=== CONT  TestAccPaloAltoLocalRule_update
--- PASS: TestAccPaloAltoLocalRule_basic (986.57s)
--- PASS: TestAccPaloAltoLocalRule_withDestination (1035.82s)
--- PASS: TestAccPaloAltoLocalRule_requiresImport (1069.00s)
--- PASS: TestAccPaloAltoLocalRule_updateProtocol (1301.80s)
--- PASS: TestAccPaloAltoLocalRule_complete (1367.64s)
--- PASS: TestAccPaloAltoLocalRule_update (1679.92s)
PASS
ok      github.com/hashicorp/terraform-provider-azurerm/internal/services/paloalto      1679.978s

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

• azurerm_palo_alto_local_rulestack_rule - correctly populate protocol property [GH-00000]

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

Fixes #0000

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

[teowa]

some checks are added to acctest to ensure protocol is read as expected.

--- PASS: TestAccPaloAltoLocalRule_withDestination (1039.47s)
--- PASS: TestAccPaloAltoLocalRule_basic (1044.75s)
--- PASS: TestAccPaloAltoLocalRule_requiresImport (1055.73s)
--- PASS: TestAccPaloAltoLocalRule_updateProtocol (1297.63s)
--- PASS: TestAccPaloAltoLocalRule_complete (1367.47s)
--- PASS: TestAccPaloAltoLocalRule_update (1598.22s)
PASS
ok      github.com/hashicorp/terraform-provider-azurerm/internal/services/paloalto      1598.273s

[jackofallops]

Hi @teowa

I think we need to also make a schema behavioural change here for 4.0, behind the feature flag ofc. We should have an ExactlyOneOf for protocol and protocol_ports, we should remove the Default for protocol and add protocolApplicationDefault to the validation to be able to accept it from user configuration. This should provide suitable guard rails, and ensure the correct values are used so the DiffSuppress can be removed from 4.0. If you can take a look at this, I’ll continue review.

Thanks

[teowa]

Hi @jackofallops , thanks for the reviewing, I have added the 4.0 schema to remove default value for protocol. Please kindly take another look.

--- PASS: TestAccPaloAltoLocalRule_withDestination (1038.81s)
--- PASS: TestAccPaloAltoLocalRule_basic (1042.35s)
--- PASS: TestAccPaloAltoLocalRule_requiresImport (1050.79s)
--- PASS: TestAccPaloAltoLocalRule_updateProtocol (1298.03s)
--- PASS: TestAccPaloAltoLocalRule_complete (1356.56s)
--- PASS: TestAccPaloAltoLocalRule_update (1584.03s)
PASS
ok      github.com/hashicorp/terraform-provider-azurerm/internal/services/paloalto      1584.075s

[jackofallops]

Thanks @teowa - Can we also add a note with details of the change in requirement for 4.0 to the docs explaining the behavioural difference and that the default will no longer be set? Once that's clear in the docs, I think this will be good to merge.

Thanks

[teowa]

Thanks @jackofallops for reviewing, I have added notes in the docs and also allow protocol="application-default" in 3.0 version so there can be smoonth switch in the future.

[teowa]

remove waiting-response

[jackofallops]

Thanks @teowa - I think look looks good to go now. 👍

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.