Fix ACL ruleset Read function to prevent state mutation and handle out-of-band rules correctly

Two important fixes:

1. Create new rule maps instead of mutating existing state
   - The Read function was directly modifying rule maps from the state
   - This could cause Terraform to see spurious changes
   - Now creates fresh maps with updated values from the API

2. Don't persist out-of-band rules as dummy entries in state
   - Previously, unknown rules in managed mode were added as dummy rules
   - This polluted the state with fake entries
   - Now logs warnings about out-of-band rules but doesn't add them to state
   - The Update function will delete them on the next apply

Author: bhouse-nexthop

cloudstack/resource_cloudstack_network_acl_ruleset.go

@@ -343,35 +343,39 @@ func resourceCloudStackNetworkACLRulesetRead(d *schema.ResourceData, meta interf
 	// Read all rules that are configured
 	rs := d.Get("rule").(*schema.Set)
 	if rs.Len() > 0 {
-		for _, rule := range rs.List() {
-			rule := rule.(map[string]interface{})
+		for _, oldRule := range rs.List() {
+			oldRule := oldRule.(map[string]interface{})
 
-			id, ok := rule["uuid"]
+			id, ok := oldRule["uuid"]
 			if !ok || id.(string) == "" {
 				continue
 			}
 
 			// Get the rule
 			r, ok := ruleMap[id.(string)]
 			if !ok {
-				rule["uuid"] = ""
+				// Rule no longer exists in the API, skip it
 				continue
 			}
 
 			// Delete the known rule so only unknown rules remain in the ruleMap
 			delete(ruleMap, id.(string))
 
-			// Update the values
+			// Create a NEW map with the updated values (don't mutate the old one)
 			cidrs := &schema.Set{F: schema.HashString}
 			for _, cidr := range strings.Split(r.Cidrlist, ",") {
 				cidrs.Add(cidr)
 			}
-			rule["cidr_list"] = cidrs
-			rule["action"] = strings.ToLower(r.Action)
-			rule["protocol"] = r.Protocol
-			rule["traffic_type"] = strings.ToLower(r.Traffictype)
-			rule["rule_number"] = r.Number
-			rule["description"] = r.Reason
+
+			rule := map[string]interface{}{
+				"cidr_list":    cidrs,
+				"action":       strings.ToLower(r.Action),
+				"protocol":     r.Protocol,
+				"traffic_type": strings.ToLower(r.Traffictype),
+				"rule_number":  r.Number,
+				"description":  r.Reason,
+				"uuid":         r.Id,
+			}
 
 			// Set ICMP fields
 			if r.Protocol == "icmp" {
@@ -449,30 +453,17 @@ func resourceCloudStackNetworkACLRulesetRead(d *schema.ResourceData, meta interf
 		}
 	}
 
-	// If this is a managed resource, add all unknown rules to dummy rules
+	// If this is a managed resource and there are unknown rules (out-of-band rules),
+	// log them but DON'T add them to the state. They will be deleted on the next apply.
 	managed := d.Get("managed").(bool)
 	if managed && len(ruleMap) > 0 {
-		for uuid := range ruleMap {
-			// Make a dummy rule to hold the unknown UUID
-			cidrs := &schema.Set{F: schema.HashString}
-			cidrs.Add(uuid)
-
-			rule := map[string]interface{}{
-				"cidr_list":    cidrs,
-				"protocol":     uuid,
-				"uuid":         uuid,
-				"rule_number":  0,
-				"action":       "allow",
-				"traffic_type": "ingress",
-				"icmp_type":    0,
-				"icmp_code":    0,
-				"description":  "",
-				"port":         "",
-			}
-
-			// Add the dummy rule to the rules set
-			rules.Add(rule)
+		log.Printf("[WARN] Found %d out-of-band ACL rules for ACL %s that are not managed by Terraform. These will be deleted on the next apply.", len(ruleMap), d.Id())
+		for uuid, r := range ruleMap {
+			log.Printf("[WARN] Out-of-band rule: uuid=%s, rule_number=%d, protocol=%s, action=%s", uuid, r.Number, r.Protocol, r.Action)
 		}
+		// Note: We do NOT add these to the rules set. They should not be in the state.
+		// On the next terraform apply, the Update function will detect that these rules
+		// exist in the API but not in the config, and will delete them.
 	}
 
 	if rules.Len() > 0 {