From 4092157610b8b9b4372afb28c447ef2136785c89 Mon Sep 17 00:00:00 2001
From: graysonwu <wgrayson@vmware.com>
Date: Fri, 8 Dec 2023 01:04:39 -0800
Subject: [PATCH] test

Signed-off-by: graysonwu <wgrayson@vmware.com>
---
 ...source_nsxt_policy_security_policy_rule.go |  85 +++++++
 nsxt/policy_common.go                         |   1 +
 nsxt/provider.go                              |   1 +
 ...rce_nsxt_policy_security_policy_no_rule.go |   2 +-
 ...sxt_policy_security_policy_no_rule_test.go | 167 +++++++++++++
 ...source_nsxt_policy_security_policy_rule.go |  26 +-
 ...e_nsxt_policy_security_policy_rule_test.go | 229 ++++++++++++++++++
 7 files changed, 504 insertions(+), 7 deletions(-)
 create mode 100644 nsxt/data_source_nsxt_policy_security_policy_rule.go
 create mode 100644 nsxt/resource_nsxt_policy_security_policy_no_rule_test.go
 create mode 100644 nsxt/resource_nsxt_policy_security_policy_rule_test.go

diff --git a/nsxt/data_source_nsxt_policy_security_policy_rule.go b/nsxt/data_source_nsxt_policy_security_policy_rule.go
new file mode 100644
index 000000000..85d958408
--- /dev/null
+++ b/nsxt/data_source_nsxt_policy_security_policy_rule.go
@@ -0,0 +1,85 @@
+/* Copyright © 2023 VMware, Inc. All Rights Reserved.
+   SPDX-License-Identifier: MPL-2.0 */
+
+package nsxt
+
+import (
+	"fmt"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	securitypolicies "github.com/vmware/terraform-provider-nsxt/api/infra/domains/security_policies"
+	"github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model"
+	"strings"
+)
+
+func dataSourceNsxtPolicySecurityPolicyRule() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceNsxtPolicySecurityPolicyRuleRead,
+
+		Schema: map[string]*schema.Schema{
+			"id":           getDataSourceIDSchema(),
+			"display_name": getDataSourceDisplayNameSchema(),
+			"description":  getDataSourceDescriptionSchema(),
+			"path":         getPathSchema(),
+			"policy_path":  getPolicyPathSchema(true, false, "Security Policy path"),
+			"context":      getContextSchema(),
+		},
+	}
+}
+
+func dataSourceNsxtPolicySecurityPolicyRuleRead(d *schema.ResourceData, m interface{}) error {
+	connector := getPolicyConnector(m)
+
+	policyPath := d.Get("policy_path").(string)
+	domain := getDomainFromResourcePath(policyPath)
+	policyID := getPolicyIDFromPath(policyPath)
+
+	client := securitypolicies.NewRulesClient(getSessionContext(d, m), connector)
+	objID := d.Get("id").(string)
+	var obj model.Rule
+	if objID != "" {
+		// Get by id
+		objGet, err := client.Get(domain, policyID, objID)
+
+		if err != nil {
+			return handleDataSourceReadError(d, "SecurityPolicyRule", objID, err)
+		}
+		obj = objGet
+	} else {
+		// Get by full name/prefix
+		displayName := d.Get("display_name").(string)
+		objList, err := client.List(domain, policyID, nil, nil, nil, nil, nil, nil)
+		if err != nil {
+			return handleListError("SecurityPolicyRule", err)
+		}
+		// go over the list to find the correct one (prefer a perfect match. If not - prefix match)
+		var perfectMatch []model.Rule
+		var prefixMatch []model.Rule
+		for _, objInList := range objList.Results {
+			if strings.HasPrefix(*objInList.DisplayName, displayName) {
+				prefixMatch = append(prefixMatch, objInList)
+			}
+			if *objInList.DisplayName == displayName {
+				perfectMatch = append(perfectMatch, objInList)
+			}
+		}
+		if len(perfectMatch) > 0 {
+			if len(perfectMatch) > 1 {
+				return fmt.Errorf("Found multiple SecurityPolicyRule with name '%s'", displayName)
+			}
+			obj = perfectMatch[0]
+		} else if len(prefixMatch) > 0 {
+			if len(prefixMatch) > 1 {
+				return fmt.Errorf("Found multiple SecurityPolicyRule with name starting with '%s'", displayName)
+			}
+			obj = prefixMatch[0]
+		} else {
+			return fmt.Errorf("SecurityPolicyRule with name '%s' was not found", displayName)
+		}
+	}
+
+	d.SetId(*obj.Id)
+	d.Set("display_name", obj.DisplayName)
+	d.Set("description", obj.Description)
+	d.Set("path", obj.Path)
+	return nil
+}
diff --git a/nsxt/policy_common.go b/nsxt/policy_common.go
index 22402f752..62d2cba39 100644
--- a/nsxt/policy_common.go
+++ b/nsxt/policy_common.go
@@ -296,6 +296,7 @@ func getSecurityPolicyAndGatewayRuleSchema(scopeRequired bool, isIds bool, nsxID
 			Required:    true,
 		}
 		ruleSchema["context"] = getContextSchema()
+		ruleSchema["path"] = getPathSchema()
 	} else {
 		ruleSchema["sequence_number"] = &schema.Schema{
 			Type:        schema.TypeInt,
diff --git a/nsxt/provider.go b/nsxt/provider.go
index 544ca28d1..51a659b4b 100644
--- a/nsxt/provider.go
+++ b/nsxt/provider.go
@@ -294,6 +294,7 @@ func Provider() *schema.Provider {
 			"nsxt_policy_host_transport_node":         dataSourceNsxtPolicyHostTransportNode(),
 			"nsxt_manager_cluster_node":               dataSourceNsxtManagerClusterNode(),
 			"nsxt_policy_host_transport_node_profile": dataSourceNsxtPolicyHostTransportNodeProfile(),
+			"nsxt_policy_security_policy_rule":        dataSourceNsxtPolicySecurityPolicyRule(),
 		},
 
 		ResourcesMap: map[string]*schema.Resource{
diff --git a/nsxt/resource_nsxt_policy_security_policy_no_rule.go b/nsxt/resource_nsxt_policy_security_policy_no_rule.go
index f38e4636d..212a77f4d 100644
--- a/nsxt/resource_nsxt_policy_security_policy_no_rule.go
+++ b/nsxt/resource_nsxt_policy_security_policy_no_rule.go
@@ -1,4 +1,4 @@
-/* Copyright © 2019 VMware, Inc. All Rights Reserved.
+/* Copyright © 2023 VMware, Inc. All Rights Reserved.
    SPDX-License-Identifier: MPL-2.0 */
 
 package nsxt
diff --git a/nsxt/resource_nsxt_policy_security_policy_no_rule_test.go b/nsxt/resource_nsxt_policy_security_policy_no_rule_test.go
new file mode 100644
index 000000000..2ee0d2196
--- /dev/null
+++ b/nsxt/resource_nsxt_policy_security_policy_no_rule_test.go
@@ -0,0 +1,167 @@
+/* Copyright © 2023 VMware, Inc. All Rights Reserved.
+   SPDX-License-Identifier: MPL-2.0 */
+
+package nsxt
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+func TestAccResourceNsxtPolicySecurityPolicyNoRule_basic(t *testing.T) {
+	testAccResourceNsxtPolicySecurityPolicyNoRuleBasic(t, false, func() {
+		testAccPreCheck(t)
+	})
+}
+
+func TestAccResourceNsxtPolicySecurityPolicyNoRule_multitenancy(t *testing.T) {
+	testAccResourceNsxtPolicySecurityPolicyNoRuleBasic(t, true, func() {
+		testAccPreCheck(t)
+		testAccOnlyMultitenancy(t)
+	})
+}
+
+func testAccResourceNsxtPolicySecurityPolicyNoRuleBasic(t *testing.T, withContext bool, preCheck func()) {
+	testResourceName := "nsxt_policy_security_policy_no_rule.test"
+
+	name := getAccTestResourceName()
+	updatedName := getAccTestResourceName()
+	locked := "true"
+	updatedLocked := "false"
+	seqNum := "1"
+	updatedSeqNum := "2"
+	tcpStrict := "true"
+	updatedTcpStrict := "false"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:  preCheck,
+		Providers: testAccProviders,
+		CheckDestroy: func(state *terraform.State) error {
+			return testAccNsxtPolicySecurityPolicyNoRuleCheckDestroy(state, updatedName)
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNsxtPolicySecurityPolicyNoRuleTemplate(withContext, name, locked, seqNum, tcpStrict),
+				Check: resource.ComposeTestCheckFunc(
+					testAccNsxtPolicySecurityPolicyExists(testResourceName, defaultDomain),
+					resource.TestCheckResourceAttr(testResourceName, "display_name", name),
+					resource.TestCheckResourceAttr(testResourceName, "locked", locked),
+					resource.TestCheckResourceAttr(testResourceName, "sequence_number", seqNum),
+					resource.TestCheckResourceAttr(testResourceName, "tcp_strict", tcpStrict),
+				),
+			},
+			{
+				Config: testAccNsxtPolicySecurityPolicyNoRuleTemplate(withContext, updatedName, updatedLocked, updatedSeqNum, updatedTcpStrict),
+				Check: resource.ComposeTestCheckFunc(
+					testAccNsxtPolicySecurityPolicyExists(testResourceName, defaultDomain),
+					resource.TestCheckResourceAttr(testResourceName, "display_name", updatedName),
+					resource.TestCheckResourceAttr(testResourceName, "locked", updatedLocked),
+					resource.TestCheckResourceAttr(testResourceName, "sequence_number", updatedSeqNum),
+					resource.TestCheckResourceAttr(testResourceName, "tcp_strict", updatedTcpStrict),
+				),
+			},
+		},
+	})
+}
+
+func TestAccResourceNsxtPolicySecurityPolicyNoRule_importBasic(t *testing.T) {
+	name := getAccTestResourceName()
+	testResourceName := "nsxt_policy_security_policy_no_rule.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		CheckDestroy: func(state *terraform.State) error {
+			return testAccNsxtPolicySecurityPolicyNoRuleCheckDestroy(state, name)
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNsxtPolicySecurityPolicyNoRuleTemplate(false, name, "true", "1", "true"),
+			},
+			{
+				ResourceName:      testResourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateIdFunc: testAccResourceNsxtPolicyImportIDRetriever(testResourceName),
+			},
+		},
+	})
+}
+
+func TestAccResourceNsxtPolicySecurityPolicyNoRule_importBasic_multitenancy(t *testing.T) {
+	name := getAccTestResourceName()
+	testResourceName := "nsxt_policy_security_policy_no_rule.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			testAccOnlyMultitenancy(t)
+		},
+		Providers: testAccProviders,
+		CheckDestroy: func(state *terraform.State) error {
+			return testAccNsxtPolicySecurityPolicyCheckDestroy(state, name, defaultDomain)
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNsxtPolicySecurityPolicyNoRuleTemplate(true, name, "true", "1", "true"),
+			},
+			{
+				ResourceName:      testResourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateIdFunc: testAccResourceNsxtPolicyImportIDRetriever(testResourceName),
+			},
+		},
+	})
+}
+
+func testAccNsxtPolicySecurityPolicyNoRuleCheckDestroy(state *terraform.State, displayName string) error {
+	connector := getPolicyConnector(testAccProvider.Meta().(nsxtClients))
+	for _, rs := range state.RootModule().Resources {
+
+		if rs.Type != "nsxt_policy_security_policy_no_rule" {
+			continue
+		}
+
+		resourceID := rs.Primary.Attributes["id"]
+		domain := rs.Primary.Attributes["domain"]
+		exists, err := resourceNsxtPolicySecurityPolicyExistsInDomain(testAccGetSessionContext(), resourceID, domain, connector)
+		if err != nil {
+			return err
+		}
+		if exists {
+			return fmt.Errorf("Policy SecurityPolicy %s still exists", displayName)
+		}
+	}
+	return nil
+}
+
+func testAccNsxtPolicySecurityPolicyNoRuleTemplate(withContext bool, name, locked, seqNum, tcpStrict string) string {
+	context := ""
+	if withContext {
+		context = testAccNsxtPolicyMultitenancyContext()
+	}
+	return testAccNsxtPolicySecurityPolicyDeps() + fmt.Sprintf(`
+resource "nsxt_policy_security_policy_no_rule" "test" {
+%s
+  display_name    = "%s"
+  description     = "Acceptance Test"
+  domain = "default"
+  category        = "Application"
+  locked          = %s
+  sequence_number = %s
+  stateful        = "true"
+  tcp_strict      = %s
+  scope           = [nsxt_policy_group.group1.path]
+
+  tag {
+    scope = "color"
+    tag   = "orange"
+  }
+
+  depends_on = [nsxt_policy_group.group1]
+}`, context, name, locked, seqNum, tcpStrict)
+}
diff --git a/nsxt/resource_nsxt_policy_security_policy_rule.go b/nsxt/resource_nsxt_policy_security_policy_rule.go
index 09c81f839..b8462b24b 100644
--- a/nsxt/resource_nsxt_policy_security_policy_rule.go
+++ b/nsxt/resource_nsxt_policy_security_policy_rule.go
@@ -5,11 +5,11 @@ package nsxt
 
 import (
 	"fmt"
-	"log"
-
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/vmware/vsphere-automation-sdk-go/runtime/protocol/client"
 	"github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model"
+	"log"
+	"strings"
 
 	"github.com/vmware/terraform-provider-nsxt/api/infra/domains/security_policies"
 	utl "github.com/vmware/terraform-provider-nsxt/api/utl"
@@ -22,7 +22,7 @@ func resourceNsxtPolicySecurityPolicyRule() *schema.Resource {
 		Update: resourceNsxtPolicySecurityPolicyRuleUpdate,
 		Delete: resourceNsxtPolicySecurityPolicyRuleDelete,
 		Importer: &schema.ResourceImporter{
-			State: nsxtDomainResourceImporter,
+			State: nsxtSecurityPolicyRuleImporter,
 		},
 		Schema: getSecurityPolicyAndGatewayRuleSchema(false, false, true, true),
 	}
@@ -103,11 +103,11 @@ func securityPolicyRuleSchemaToModel(d *schema.ResourceData, id string) model.Ru
 
 func resourceNsxtPolicySecurityPolicyRuleExistsPartial(policyPath string) func(sessionContext utl.SessionContext, id string, connector client.Connector) (bool, error) {
 	return func(sessionContext utl.SessionContext, id string, connector client.Connector) (bool, error) {
-		return resourceNsxtPolicySecurityPolicyRuleExistsInDomain(sessionContext, id, policyPath, connector)
+		return resourceNsxtPolicySecurityPolicyRuleExists(sessionContext, id, policyPath, connector)
 	}
 }
 
-func resourceNsxtPolicySecurityPolicyRuleExistsInDomain(sessionContext utl.SessionContext, id string, policyPath string, connector client.Connector) (bool, error) {
+func resourceNsxtPolicySecurityPolicyRuleExists(sessionContext utl.SessionContext, id string, policyPath string, connector client.Connector) (bool, error) {
 	client := securitypolicies.NewRulesClient(sessionContext, connector)
 
 	domain := getDomainFromResourcePath(policyPath)
@@ -135,7 +135,6 @@ func resourceNsxtPolicySecurityPolicyRuleRead(d *schema.ResourceData, m interfac
 	policyPath := d.Get("policy_path").(string)
 	domain := getDomainFromResourcePath(policyPath)
 	policyID := getPolicyIDFromPath(policyPath)
-
 	client := securitypolicies.NewRulesClient(getSessionContext(d, m), connector)
 	rule, err := client.Get(domain, policyID, id)
 	if err != nil {
@@ -149,6 +148,7 @@ func resourceNsxtPolicySecurityPolicyRuleRead(d *schema.ResourceData, m interfac
 func securityPolicyRuleModelToSchema(d *schema.ResourceData, rule model.Rule) {
 	d.Set("display_name", rule.DisplayName)
 	d.Set("description", rule.Description)
+	d.Set("path", rule.Path)
 	d.Set("notes", rule.Notes)
 	d.Set("logged", rule.Logged)
 	d.Set("log_label", rule.Tag)
@@ -214,3 +214,17 @@ func resourceNsxtPolicySecurityPolicyRuleDelete(d *schema.ResourceData, m interf
 	client := securitypolicies.NewRulesClient(getSessionContext(d, m), connector)
 	return client.Delete(domain, policyID, id)
 }
+
+func nsxtSecurityPolicyRuleImporter(d *schema.ResourceData, m interface{}) ([]*schema.ResourceData, error) {
+	importID := d.Id()
+	// Example of Rule path: /infra/domains/default/security-policies/04e862ad-ddce-434c-8453-229e2740982e/rules/b971bdc3-9e8f-442d-a694-846cbbb46ca5
+	if strings.Count(importID, "/") != 7 {
+		return nil, fmt.Errorf("Invalid SecurityPolicyRule path %s", importID)
+	}
+	rd, err := nsxtPolicyPathResourceImporterHelper(d, m)
+	if err != nil {
+		return rd, err
+	}
+	d.Set("policy_path", importID[:strings.Index(importID, "rule")-1])
+	return []*schema.ResourceData{d}, nil
+}
diff --git a/nsxt/resource_nsxt_policy_security_policy_rule_test.go b/nsxt/resource_nsxt_policy_security_policy_rule_test.go
new file mode 100644
index 000000000..b55129e16
--- /dev/null
+++ b/nsxt/resource_nsxt_policy_security_policy_rule_test.go
@@ -0,0 +1,229 @@
+/* Copyright © 2023 VMware, Inc. All Rights Reserved.
+   SPDX-License-Identifier: MPL-2.0 */
+
+package nsxt
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+func TestAccResourceNsxtPolicySecurityPolicyRule_basic(t *testing.T) {
+	testAccResourceNsxtPolicySecurityPolicyRuleBasic(t, false, func() {
+		testAccPreCheck(t)
+	})
+}
+
+func TestAccResourceNsxtPolicySecurityPolicyRule_multitenancy(t *testing.T) {
+	testAccResourceNsxtPolicySecurityPolicyRuleBasic(t, true, func() {
+		testAccPreCheck(t)
+		testAccOnlyMultitenancy(t)
+	})
+}
+
+func testAccResourceNsxtPolicySecurityPolicyRuleBasic(t *testing.T, withContext bool, preCheck func()) {
+	testResourceName := "nsxt_policy_security_policy_rule.test"
+
+	name := getAccTestResourceName()
+	updatedName := getAccTestResourceName()
+	direction := "IN"
+	updatedDirection := "OUT"
+	proto := "IPV4"
+	updatedProto := "IPV4_IPV6"
+	action := "ALLOW"
+	updatedAction := "DROP"
+	seqNum := "1"
+	updatedSeqNum := "2"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:  preCheck,
+		Providers: testAccProviders,
+		CheckDestroy: func(state *terraform.State) error {
+			return testAccNsxtPolicySecurityPolicyRuleCheckDestroy(state, updatedName)
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNsxtPolicySecurityPolicyRuleTemplate(withContext, name, action, direction, proto, seqNum),
+				Check: resource.ComposeTestCheckFunc(
+					testAccNsxtPolicySecurityPolicyRuleExists(testResourceName),
+					resource.TestCheckResourceAttr(testResourceName, "display_name", name),
+					resource.TestCheckResourceAttr(testResourceName, "action", action),
+					resource.TestCheckResourceAttr(testResourceName, "direction", direction),
+					resource.TestCheckResourceAttr(testResourceName, "ip_version", proto),
+					resource.TestCheckResourceAttr(testResourceName, "sequence_number", seqNum),
+				),
+			},
+			{
+				Config: testAccNsxtPolicySecurityPolicyRuleTemplate(withContext, updatedName, updatedAction, updatedDirection, updatedProto, updatedSeqNum),
+				Check: resource.ComposeTestCheckFunc(
+					testAccNsxtPolicySecurityPolicyRuleExists(testResourceName),
+					resource.TestCheckResourceAttr(testResourceName, "display_name", updatedName),
+					resource.TestCheckResourceAttr(testResourceName, "action", updatedAction),
+					resource.TestCheckResourceAttr(testResourceName, "direction", updatedDirection),
+					resource.TestCheckResourceAttr(testResourceName, "ip_version", updatedProto),
+					resource.TestCheckResourceAttr(testResourceName, "sequence_number", updatedSeqNum),
+				),
+			},
+		},
+	})
+}
+
+func TestAccResourceNsxtPolicySecurityPolicyRule_importBasic(t *testing.T) {
+	name := getAccTestResourceName()
+	testResourceName := "nsxt_policy_security_policy_rule.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		CheckDestroy: func(state *terraform.State) error {
+			return testAccNsxtPolicySecurityPolicyRuleCheckDestroy(state, name)
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNsxtPolicySecurityPolicyRuleTemplate(false, name, "ALLOW", "IN", "IPV4", "1"),
+			},
+			{
+				ResourceName:      testResourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateIdFunc: testAccResourceNsxtPolicyImportIDRetriever(testResourceName),
+			},
+		},
+	})
+}
+
+func TestAccResourceNsxtPolicySecurityPolicyRule_importBasic_multitenancy(t *testing.T) {
+	name := getAccTestResourceName()
+	testResourceName := "nsxt_policy_security_policy_rule.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			testAccOnlyMultitenancy(t)
+		},
+		Providers: testAccProviders,
+		CheckDestroy: func(state *terraform.State) error {
+			return testAccNsxtPolicySecurityPolicyCheckDestroy(state, name, defaultDomain)
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNsxtPolicySecurityPolicyRuleTemplate(true, name, "ALLOW", "IN", "IPV4", "1"),
+			},
+			{
+				ResourceName:      testResourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateIdFunc: testAccResourceNsxtPolicyImportIDRetriever(testResourceName),
+			},
+		},
+	})
+}
+
+func testAccNsxtPolicySecurityPolicyRuleExists(resourceName string) resource.TestCheckFunc {
+	return func(state *terraform.State) error {
+
+		connector := getPolicyConnector(testAccProvider.Meta().(nsxtClients))
+
+		rs, ok := state.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("Policy SecurityPolicyRule resource %s not found in resources", resourceName)
+		}
+
+		resourceID := rs.Primary.ID
+		if resourceID == "" {
+			return fmt.Errorf("Policy SecurityPolicyRule resource ID not set in resources")
+		}
+
+		policyPath := rs.Primary.Attributes["policy_path"]
+		exists, err := resourceNsxtPolicySecurityPolicyRuleExists(testAccGetSessionContext(), resourceID, policyPath, connector)
+		if err != nil {
+			return err
+		}
+		if !exists {
+			return fmt.Errorf("Error while retrieving policy SecurityPolicyRule ID %s under SecurityPolicy %s", resourceID, policyPath)
+		}
+		return nil
+	}
+}
+
+func testAccNsxtPolicySecurityPolicyRuleCheckDestroy(state *terraform.State, displayName string) error {
+	connector := getPolicyConnector(testAccProvider.Meta().(nsxtClients))
+	for _, rs := range state.RootModule().Resources {
+
+		if rs.Type != "nsxt_policy_security_policy_rule" {
+			continue
+		}
+
+		resourceID := rs.Primary.Attributes["id"]
+		policyPath := rs.Primary.Attributes["policy_path"]
+		exists, err := resourceNsxtPolicySecurityPolicyRuleExists(testAccGetSessionContext(), resourceID, policyPath, connector)
+		if err != nil {
+			return err
+		}
+		if exists {
+			return fmt.Errorf("Policy SecurityPolicyRule %s still exists", displayName)
+		}
+	}
+	return nil
+}
+
+func testAccNsxtPolicySecurityPolicyRuleDeps(withContext bool) string {
+	context := ""
+	if withContext {
+		context = testAccNsxtPolicyMultitenancyContext()
+	}
+	return testAccNsxtPolicySecurityPolicyDeps() + fmt.Sprintf(`
+resource "nsxt_policy_security_policy_no_rule" "policy1" {
+%s
+  display_name    = "no-rule-policy"
+  description     = "Acceptance Test"
+  category        = "Application"
+  locked          = false
+  sequence_number = 3
+  stateful        = true
+  tcp_strict      = false
+  scope           = [nsxt_policy_group.group1.path]
+
+  tag {
+    scope = "color"
+    tag   = "orange"
+  }
+
+  depends_on = [nsxt_policy_group.group1]
+}`, context)
+}
+
+func testAccNsxtPolicySecurityPolicyRuleTemplate(withContext bool, name, action, direction, ipVersion, seqNum string) string {
+	context := ""
+	if withContext {
+		context = testAccNsxtPolicyMultitenancyContext()
+	}
+	return testAccNsxtPolicySecurityPolicyRuleDeps(withContext) + fmt.Sprintf(`
+resource "nsxt_policy_security_policy_rule" "test" {
+%s
+  display_name    = "%s"
+  policy_path     = nsxt_policy_security_policy_no_rule.policy1.path
+  action          = "%s"
+  direction       = "%s"
+  ip_version      = "%s"
+  source_groups   = [nsxt_policy_group.group2.path]
+  sequence_number = %s
+
+  tag {
+    scope = "color"
+    tag   = "orange"
+  }
+
+  depends_on = [nsxt_policy_security_policy_no_rule.policy1, nsxt_policy_group.group2]
+}
+
+data "nsxt_policy_security_policy_rule" "test" {
+%s
+  display_name    = "%s"
+  policy_path = nsxt_policy_security_policy_no_rule.policy1.path
+  depends_on = [nsxt_policy_security_policy_rule.test]
+}`, context, name, action, direction, ipVersion, seqNum, context, name)
+}