opentelekomcloud / terraform-provider-opentelekomcloud

Terraform OpenTelekomCloud provider
https://registry.terraform.io/providers/opentelekomcloud/opentelekomcloud/latest
Mozilla Public License 2.0

Bug with opentelekomcloud_fw_rule_v2 resource #2566

Open Starimmigrant opened 1 week ago

Starimmigrant commented 1 week ago

Hi, we encountered a bug with the opentelekomcloud_fw_rule_v2 resource. When changing the description or the SourceIPAddress/DestinationIPAddress, the firewall rule will be updated, but the source_port/destination_port will also be set to any instead of the defined port in the resource. Executing terraform apply a second time sets the ports from any to the specified port again.

This behavior can be potentially dangerous, as you can imagine.

Terraform provider version

Terraform v1.8.5 on linux_amd64
provider registry.terraform.io/opentelekomcloud/opentelekomcloud v1.36.12

Affected Resource(s)

Terraform Configuration Files

variable "access_key" {
  description = "otc access key"
}

variable "secret_key" {
  description = "otc secret key"
}

terraform {
  required_version = ">= 1.3.6"

  required_providers {
    opentelekomcloud = {
      source  = "opentelekomcloud/opentelekomcloud"
      version = ">= 1.32.0"
    }
  }
}

provider "opentelekomcloud" {
  access_key  = var.access_key
  secret_key  = var.secret_key
  domain_name = "..."
  auth_url    = "..."
  tenant_name = "..."
}

Steps to Reproduce

resource "opentelekomcloud_vpc_v1" "this" {
  name = "test"
  cidr = "192.168.100.0/24"

  tags = {}
}

resource "opentelekomcloud_vpc_subnet_v1" "subnet" {

  name   = "test"
  cidr   = "192.168.100.0/29"
  vpc_id = opentelekomcloud_vpc_v1.this.id

  gateway_ip = "192.168.100.1"
}

resource "opentelekomcloud_fw_rule_v2" "ingress_rules" {

  description            = "allow ssh from world"
  action                 = "allow"
  protocol               = "tcp"
  source_ip_address      = "0.0.0.0/0"
  destination_ip_address = "192.168.100.0/29"
  source_port            = "22"
  destination_port       = "22"

  enabled = "true"
}

resource "opentelekomcloud_fw_rule_v2" "egress_rules" {

  description            = "allow ssh to world"
  action                 = "allow"
  protocol               = "tcp"
  source_ip_address      = "192.168.100.0/29"
  destination_ip_address = "0.0.0.0/0"
  destination_port       = "22"

  enabled = "true"
}

resource "opentelekomcloud_fw_policy_v2" "ingress" {
  name = "ingress"

  rules = [opentelekomcloud_fw_rule_v2.ingress_rules.id]
}

resource "opentelekomcloud_fw_policy_v2" "egress" {
  name = "egress"

  rules = [opentelekomcloud_fw_rule_v2.egress_rules.id]
}

data "opentelekomcloud_networking_port_v2" "this" {
  network_id   = opentelekomcloud_vpc_subnet_v1.subnet.network_id
  device_owner = "network:router_interface_distributed"
}

resource "opentelekomcloud_fw_firewall_group_v2" "firewall_group_1" {
  name              = "test-firewall"
  ingress_policy_id = opentelekomcloud_fw_policy_v2.ingress.id
  egress_policy_id  = opentelekomcloud_fw_policy_v2.egress.id
  ports = [
    data.opentelekomcloud_networking_port_v2.this.id
  ]
}

We suspect that changing other attribute parameters, except description and the source_ip_address/destination_ip_address, will still trigger this bug.

To reproduce the bug, apply the Terraform code once and then change any of the aforementioned parameters. In my example, I changed the description by adding some spaces to the string.

(screenshot: apply_before)

Then, I applied the code again and received this output:

(screenshot: apply_after)

As you can see, the port is missing and needs to be added again. I also checked the OTC console, and the ports are set to any!

Important Factoids

I think the issue can be found here

In the struct where DestinationPort and SourcePort are defined, you can see that these are the only ones where the omitempty tag is missing. I don't know if it's by mistake or for a reason.

When the resource is updated here, the values for DestinationPort and SourcePort are set to nil instead of being left unchanged.

artem-lifshits commented 1 week ago

Hello @Starimmigrant, thank you for a thorough report!

You're right, DestinationPort and SourcePort are not set to omitempty for a reason (changing from tcp to icmp requires explicitly defining destination and source port as nil).

The fix will be ready in the next release.
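The two mechanisms discussed in this thread (port fields without omitempty serialising as null, and the need to keep the explicit nil for a tcp-to-icmp change), as an added example that is not the provider's own code: the struct and field names are a hypothetical stand-in modelled on the report, and the guard at the end is a plan-time check that flags an update body which would silently widen a rule to "any".

```go
package main

import "encoding/json"

// Hypothetical stand-in for the provider's update options, shaped as the issue
// describes: the port fields lack omitempty, so a nil pointer is sent as null.
type RuleUpdateOpts struct {
	Description     *string `json:"description,omitempty"`
	Protocol        *string `json:"protocol,omitempty"`
	SourcePort      *string `json:"source_port"`
	DestinationPort *string `json:"destination_port"`
}

// RuleState is a flattened view of one rule; "" means the attribute is unset.
type RuleState struct{ Description, Protocol, SourcePort, DestinationPort string }

func optPtr(s string) *string {
	if s == "" {
		return nil
	}
	return &s
}

// UpdateBody builds the update body. With keepPorts=false it reproduces the
// reported bug: only changed attributes are set, the port pointers stay nil and
// serialise as null, which the firewall API reads as "any". With keepPorts=true
// the ports are always filled from the desired state; nil goes out only for
// port-less protocols, which is the tcp-to-icmp case the maintainer mentions.
func UpdateBody(cur, want RuleState, keepPorts bool) ([]byte, error) {
	o := RuleUpdateOpts{}
	if want.Description != cur.Description {
		o.Description = optPtr(want.Description)
	}
	if want.Protocol != cur.Protocol {
		o.Protocol = optPtr(want.Protocol)
	}
	if keepPorts && (want.Protocol == "tcp" || want.Protocol == "udp") {
		o.SourcePort = optPtr(want.SourcePort)
		o.DestinationPort = optPtr(want.DestinationPort)
	}
	return json.Marshal(o)
}

// PortsDropped is a plan-time guard: true when the body sends null for a port
// that the desired configuration actually specifies.
func PortsDropped(body []byte, want RuleState) (bool, error) {
	var m map[string]*string
	if err := json.Unmarshal(body, &m); err != nil {
		return false, err
	}
	return (want.SourcePort != "" && m["source_port"] == nil) ||
		(want.DestinationPort != "" && m["destination_port"] == nil), nil
}
```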