Support deprecated 'ports' field for backward compatibility

The 'ports' field in the legacy 'rule' block was documented as being
kept 'for backward compatibility only', but the provider was rejecting
it during rule creation/verification. This commit implements full
support for the deprecated field to match the documentation.

Changes:

1. Rule Expansion:
   - When a rule uses 'ports' with multiple values (e.g., ['80', '443']),
     the provider now creates separate CloudStack ACL rules for each port
   - Each expanded rule gets a unique, sequential rule number
   - Port ranges (e.g., '8000-8100') are supported and treated as single
     entries

2. Auto-Numbering Enhancement:
   - Updated assignRuleNumbers() to detect 'ports' usage and reserve
     enough sequential numbers for all expanded rules
   - Ensures subsequent rule blocks don't collide with expanded rules
   - Example: A rule with ports=['80','443'] reserves numbers N and N+1

3. Validation:
   - Added validation to prevent explicit 'rule_number' when 'ports'
     contains multiple values, since the provider must manage numbering
     for expansion
   - Moved validation to occur before auto-numbering so it can
     distinguish between user-provided and auto-assigned numbers
   - Clear error message guides users to either:
     * Use a single port in 'ports'
     * Omit 'rule_number' (let it auto-assign)
     * Migrate to the new 'port' field with explicit rule_number

4. Comprehensive Testing:
   - TestAccCloudStackNetworkACLRule_deprecated_ports: Basic functionality
     test verifying multiple ports and port ranges are expanded correctly
   - TestAccCloudStackNetworkACLRule_deprecated_ports_managed: Verifies
     that managed=true behavior works correctly with expanded rules,
     including deletion of out-of-band rules
   - TestAccCloudStackNetworkACLRule_deprecated_ports_not_managed: Verifies
     that managed=false preserves out-of-band rules when using deprecated
     ports field

All 15 NetworkACLRule acceptance tests pass, ensuring existing
configurations using the deprecated 'ports' field continue to work
as documented.

Author: bhouse-nexthop

cloudstack/resource_cloudstack_network_acl_rule.go

@@ -396,6 +396,7 @@ func isRulesetRule(rule map[string]interface{}) bool {
 // assignRuleNumbers assigns rule numbers to rules that don't have them
 // Rules are numbered sequentially starting from 1
 // If a rule has an explicit rule_number, nextNumber advances to ensure no duplicates
+// For rules using the deprecated 'ports' field with multiple ports, reserves enough numbers
 func assignRuleNumbers(rules []interface{}) []interface{} {
 	result := make([]interface{}, len(rules))
 	nextNumber := 1
@@ -419,7 +420,17 @@ func assignRuleNumbers(rules []interface{}) []interface{} {
 			// Auto-assign sequential number
 			ruleMap["rule_number"] = nextNumber
 			log.Printf("[DEBUG] Auto-assigned rule_number=%d to rule at index %d", nextNumber, i)
-			nextNumber++
+
+			// Check if this rule uses the deprecated 'ports' field with multiple ports
+			// If so, we need to reserve additional rule numbers for the expanded rules
+			if portsSet, ok := ruleMap["ports"].(*schema.Set); ok && portsSet.Len() > 1 {
+				// Reserve portsSet.Len() numbers (one for each port)
+				// The first port gets nextNumber, subsequent ports get nextNumber+1, nextNumber+2, etc.
+				nextNumber += portsSet.Len()
+				log.Printf("[DEBUG] Rule uses deprecated ports field with %d ports, reserved numbers up to %d", portsSet.Len(), nextNumber-1)
+			} else {
+				nextNumber++
+			}
 		}
 
 		result[i] = ruleMap
@@ -444,6 +455,14 @@ func resourceCloudStackNetworkACLRuleCreate(d *schema.ResourceData, meta interfa
 
 		log.Printf("[DEBUG] Processing %d rules from 'rule' field", len(nrs))
 
+		// Validate rules BEFORE assigning numbers, so we can detect user-provided rule_number
+		for _, rule := range nrs {
+			if err := verifyNetworkACLRuleParams(d, rule.(map[string]interface{})); err != nil {
+				log.Printf("[ERROR] Failed to verify rule parameters: %v", err)
+				return err
+			}
+		}
+
 		// Assign rule numbers to rules that don't have them
 		rulesWithNumbers := assignRuleNumbers(nrs)
 
@@ -564,11 +583,7 @@ func createNetworkACLRule(d *schema.ResourceData, meta interface{}, rule map[str
 
 	log.Printf("[DEBUG] Creating network ACL rule with protocol=%s, action=%s, traffic_type=%s", protocol, action, trafficType)
 
-	// Make sure all required parameters are there
-	if err := verifyNetworkACLRuleParams(d, rule); err != nil {
-		log.Printf("[ERROR] Failed to verify rule parameters: %v", err)
-		return err
-	}
+	// Note: Parameter verification is done before assignRuleNumbers in resourceCloudStackNetworkACLRuleCreate
 
 	// Create a new parameter struct
 	p := cs.NetworkACL.NewCreateNetworkACLParams(protocol)
@@ -637,15 +652,85 @@ func createNetworkACLRule(d *schema.ResourceData, meta interface{}, rule map[str
 
 	// If protocol is TCP or UDP, create the rule (with or without port)
 	if rule["protocol"].(string) == "tcp" || rule["protocol"].(string) == "udp" {
-		// Check if deprecated ports field is used and reject it
-		if portsSet, hasPortsSet := rule["ports"].(*schema.Set); hasPortsSet && portsSet.Len() > 0 {
-			log.Printf("[ERROR] Attempt to create rule with deprecated ports field")
-			return fmt.Errorf("The 'ports' field is no longer supported for creating new rules. Please use the 'port' field with separate rules for each port/range.")
-		}
-
+		// Check if deprecated ports field is used (for backward compatibility)
+		portsSet, hasPortsSet := rule["ports"].(*schema.Set)
 		portStr, hasPort := rule["port"].(string)
 
-		if hasPort && portStr != "" {
+		if hasPortsSet && portsSet.Len() > 0 {
+			// Handle deprecated ports field for backward compatibility
+			// Create a separate rule for each port in the set, each with a unique rule number
+			log.Printf("[DEBUG] Using deprecated ports field for backward compatibility, creating %d rules", portsSet.Len())
+
+			// Get the base rule number - this should always be set by assignRuleNumbers
+			baseRuleNum := 0
+			if ruleNum, ok := rule["rule_number"].(int); ok && ruleNum > 0 {
+				baseRuleNum = ruleNum
+			}
+
+			portIndex := 0
+			for _, port := range portsSet.List() {
+				portValue := port.(string)
+
+				// Check if this port already has a UUID
+				if _, hasUUID := getRuleUUID(rule, portValue); !hasUUID {
+					m := splitPorts.FindStringSubmatch(portValue)
+					if m == nil {
+						log.Printf("[ERROR] Invalid port format: %s", portValue)
+						return fmt.Errorf("%q is not a valid port value. Valid options are '80' or '80-90'", portValue)
+					}
+
+					startPort, err := strconv.Atoi(m[1])
+					if err != nil {
+						log.Printf("[ERROR] Failed to parse start port %s: %v", m[1], err)
+						return err
+					}
+
+					endPort := startPort
+					if m[2] != "" {
+						endPort, err = strconv.Atoi(m[2])
+						if err != nil {
+							log.Printf("[ERROR] Failed to parse end port %s: %v", m[2], err)
+							return err
+						}
+					}
+
+					// Create a new parameter object for this specific port with a unique rule number
+					portP := cs.NetworkACL.NewCreateNetworkACLParams(protocol)
+					portP.SetAclid(aclID)
+					portP.SetAction(action)
+					portP.SetCidrlist(cidrList)
+					portP.SetTraffictype(trafficType)
+					if desc, ok := rule["description"].(string); ok && desc != "" {
+						portP.SetReason(desc)
+					}
+
+					// Set a unique rule number for each port by adding the port index
+					// This ensures each expanded rule gets a unique number
+					uniqueRuleNum := baseRuleNum + portIndex
+					portP.SetNumber(uniqueRuleNum)
+					log.Printf("[DEBUG] Set unique rule_number=%d for port %s (base=%d, index=%d)", uniqueRuleNum, portValue, baseRuleNum, portIndex)
+
+					portP.SetStartport(startPort)
+					portP.SetEndport(endPort)
+					log.Printf("[DEBUG] Set port start=%d, end=%d for deprecated ports field", startPort, endPort)
+
+					r, err := Retry(4, retryableACLCreationFunc(cs, portP))
+					if err != nil {
+						log.Printf("[ERROR] Failed to create TCP/UDP rule for port %s: %v", portValue, err)
+						return err
+					}
+
+					ruleID := r.(*cloudstack.CreateNetworkACLResponse).Id
+					setRuleUUID(rule, portValue, ruleID)
+					log.Printf("[DEBUG] Created TCP/UDP rule for port %s with ID=%s (deprecated ports field)", portValue, ruleID)
+
+					portIndex++
+				} else {
+					log.Printf("[DEBUG] Port %s already has UUID, skipping", portValue)
+					portIndex++
+				}
+			}
+		} else if hasPort && portStr != "" {
 			// Handle single port
 			log.Printf("[DEBUG] Processing single port for TCP/UDP rule: %s", portStr)
 
@@ -1226,14 +1311,40 @@ func verifyNetworkACLRuleParams(d *schema.ResourceData, rule map[string]interfac
 		// No additional test are needed
 		log.Printf("[DEBUG] Protocol 'all' validated")
 	case "tcp", "udp":
-		// The deprecated 'ports' field is no longer supported in any scenario
+		// The deprecated 'ports' field is allowed for backward compatibility
+		// but users should migrate to the 'port' field
 		portsSet, hasPortsSet := rule["ports"].(*schema.Set)
 		portStr, hasPort := rule["port"].(string)
 
-		// Block deprecated ports field completely
+		// Allow deprecated ports field for backward compatibility
+		// The schema already marks it as deprecated with a warning
 		if hasPortsSet && portsSet.Len() > 0 {
-			log.Printf("[ERROR] Attempt to use deprecated ports field")
-			return fmt.Errorf("The 'ports' field is no longer supported. Please use the 'port' field instead.")
+			log.Printf("[DEBUG] Using deprecated ports field for backward compatibility")
+
+			// When using deprecated ports field with multiple values, rule_number cannot be specified
+			// because we auto-generate sequential rule numbers for each port
+			if portsSet.Len() > 1 {
+				if ruleNum, ok := rule["rule_number"]; ok && ruleNum != nil {
+					if number, ok := ruleNum.(int); ok && number > 0 {
+						log.Printf("[ERROR] Cannot specify rule_number when using deprecated ports field with multiple values")
+						return fmt.Errorf(
+							"Cannot specify 'rule_number' when using deprecated 'ports' field with multiple values. " +
+								"Rule numbers are auto-generated for each port (starting from the auto-assigned base number). " +
+								"Either use a single port in 'ports', or omit 'rule_number', or migrate to the 'port' field.")
+					}
+				}
+			}
+
+			// Validate each port in the set
+			for _, p := range portsSet.List() {
+				portValue := p.(string)
+				m := splitPorts.FindStringSubmatch(portValue)
+				if m == nil {
+					log.Printf("[ERROR] Invalid port format in ports field: %s", portValue)
+					return fmt.Errorf(
+						"%q is not a valid port value. Valid options are '80' or '80-90'", portValue)
+				}
+			}
 		}
 
 		// Validate the new port field if used
@@ -1245,8 +1356,11 @@ func verifyNetworkACLRuleParams(d *schema.ResourceData, rule map[string]interfac
 				return fmt.Errorf(
 					"%q is not a valid port value. Valid options are '80' or '80-90'", portStr)
 			}
-		} else {
-			log.Printf("[DEBUG] No port specified for TCP/UDP, allowing empty port")
+		}
+
+		// If neither port nor ports is specified, that's also valid (allows all ports)
+		if (!hasPort || portStr == "") && (!hasPortsSet || portsSet.Len() == 0) {
+			log.Printf("[DEBUG] No port specified for TCP/UDP, allowing all ports")
 		}
 	default:
 		_, err := strconv.ParseInt(protocol, 0, 0)