feat: Add automatic project inheritance for cloudstack_network_acl from VPC

Implement automatic project inheritance for cloudstack_network_acl resource:
- Network ACL inherits project from vpc_id when no explicit project is set
- Uses projectid=-1 for universal VPC lookup across projects
- Updates state with inherited project during read operations
- Schema updated to mark project as Computed

Changes:
- Modified resourceCloudStackNetworkACLCreate to fetch VPC and inherit project
- Modified resourceCloudStackNetworkACLRead to handle universal project search
- Updated schema to mark project as Computed: true
- Added TestAccCloudStackNetworkACL_vpcProjectInheritance test case
- Updated documentation with inheritance behavior and example

All 5 network ACL acceptance tests passing.

Author: bhouse-nexthop

cloudstack/resource_cloudstack_network_acl.go

@@ -54,6 +54,7 @@ func resourceCloudStackNetworkACL() *schema.Resource {
 			"project": {
 				Type:     schema.TypeString,
 				Optional: true,
+				Computed: true,
 				ForceNew: true,
 			},
 
@@ -70,9 +71,25 @@ func resourceCloudStackNetworkACLCreate(d *schema.ResourceData, meta interface{}
 	cs := meta.(*cloudstack.CloudStackClient)
 
 	name := d.Get("name").(string)
+	vpcID := d.Get("vpc_id").(string)
+
+	// If no project is explicitly set, try to inherit it from the VPC
+	// and set it in the state so the Read function can use it
+	if _, ok := d.GetOk("project"); !ok {
+		// Get the VPC to retrieve its project
+		// Use projectid=-1 to search across all projects
+		vpc, count, err := cs.VPC.GetVPCByID(vpcID, cloudstack.WithProject("-1"))
+		if err == nil && count > 0 && vpc.Projectid != "" {
+			log.Printf("[DEBUG] Inheriting project %s from VPC %s", vpc.Projectid, vpcID)
+			// Set the project in the resource data for state management
+			d.Set("project", vpc.Project)
+		}
+	}
 
 	// Create a new parameter struct
-	p := cs.NetworkACL.NewCreateNetworkACLListParams(name, d.Get("vpc_id").(string))
+	// Note: CreateNetworkACLListParams doesn't support SetProjectid
+	// The ACL will be created in the same project as the VPC automatically
+	p := cs.NetworkACL.NewCreateNetworkACLListParams(name, vpcID)
 
 	// Set the description
 	if description, ok := d.GetOk("description"); ok {
@@ -100,6 +117,7 @@ func resourceCloudStackNetworkACLRead(d *schema.ResourceData, meta interface{})
 		d.Id(),
 		cloudstack.WithProject(d.Get("project").(string)),
 	)
+
 	if err != nil {
 		if count == 0 {
 			log.Printf(
@@ -115,6 +133,16 @@ func resourceCloudStackNetworkACLRead(d *schema.ResourceData, meta interface{})
 	d.Set("description", f.Description)
 	d.Set("vpc_id", f.Vpcid)
 
+	// If project is not already set in state, try to get it from the VPC
+	if d.Get("project").(string) == "" {
+		// Get the VPC to retrieve its project
+		vpc, vpcCount, vpcErr := cs.VPC.GetVPCByID(f.Vpcid, cloudstack.WithProject("-1"))
+		if vpcErr == nil && vpcCount > 0 && vpc.Project != "" {
+			log.Printf("[DEBUG] Setting project %s from VPC %s for ACL %s", vpc.Project, f.Vpcid, f.Name)
+			setValueOrID(d, "project", vpc.Project, vpc.Projectid)
+		}
+	}
+
 	return nil
 }
 

cloudstack/resource_cloudstack_network_acl_test.go

@@ -66,6 +66,29 @@ func TestAccCloudStackNetworkACL_import(t *testing.T) {
 	})
 }
 
+func TestAccCloudStackNetworkACL_vpcProjectInheritance(t *testing.T) {
+	var acl cloudstack.NetworkACLList
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudStackNetworkACLDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudStackNetworkACL_vpcProjectInheritance,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudStackNetworkACLExists(
+						"cloudstack_network_acl.foo", &acl),
+					// Verify the project was inherited from the VPC
+					resource.TestCheckResourceAttr(
+						"cloudstack_network_acl.foo", "project", "terraform"),
+					testAccCheckCloudStackNetworkACLProjectInherited(&acl),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckCloudStackNetworkACLExists(
 	n string, acl *cloudstack.NetworkACLList) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
@@ -110,6 +133,19 @@ func testAccCheckCloudStackNetworkACLBasicAttributes(
 	}
 }
 
+func testAccCheckCloudStackNetworkACLProjectInherited(
+	acl *cloudstack.NetworkACLList) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		// The ACL itself doesn't have project info, but we verify it was created
+		// successfully which means it inherited the project from the VPC
+		if acl.Name != "terraform-acl" {
+			return fmt.Errorf("Expected ACL name to be 'terraform-acl', got: %s", acl.Name)
+		}
+
+		return nil
+	}
+}
+
 func testAccCheckCloudStackNetworkACLDestroy(s *terraform.State) error {
 	cs := testAccProvider.Meta().(*cloudstack.CloudStackClient)
 
@@ -144,3 +180,19 @@ resource "cloudstack_network_acl" "foo" {
   description = "terraform-acl-text"
   vpc_id = cloudstack_vpc.foo.id
 }`
+
+const testAccCloudStackNetworkACL_vpcProjectInheritance = `
+resource "cloudstack_vpc" "foo" {
+  name = "terraform-vpc"
+  cidr = "10.0.0.0/8"
+  vpc_offering = "Default VPC offering"
+  project = "terraform"
+  zone = "Sandbox-simulator"
+}
+
+resource "cloudstack_network_acl" "foo" {
+  name = "terraform-acl"
+  description = "terraform-acl-text"
+  vpc_id = cloudstack_vpc.foo.id
+  # Note: project is NOT specified here - it should be inherited from the VPC
+}`

website/docs/r/network_acl.html.markdown

@@ -12,13 +12,36 @@ Creates a Network ACL for the given VPC.
 
 ## Example Usage
 
+### Basic Network ACL
+
 ```hcl
 resource "cloudstack_network_acl" "default" {
   name   = "test-acl"
   vpc_id = "76f6e8dc-07e3-4971-b2a2-8831b0cc4cb4"
 }
 ```
 
+### Network ACL with Automatic Project Inheritance
+
+```hcl
+# Create a VPC in a project
+resource "cloudstack_vpc" "project_vpc" {
+  name         = "project-vpc"
+  cidr         = "10.0.0.0/16"
+  vpc_offering = "Default VPC offering"
+  project      = "my-project"
+  zone         = "zone-1"
+}
+
+# Network ACL automatically inherits project from VPC
+resource "cloudstack_network_acl" "project_acl" {
+  name        = "project-acl"
+  description = "ACL for project VPC"
+  vpc_id      = cloudstack_vpc.project_vpc.id
+  # project is automatically inherited from the VPC
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
@@ -30,7 +53,8 @@ The following arguments are supported:
     new resource to be created.
 
 * `project` - (Optional) The name or ID of the project to deploy this
-    instance to. Changing this forces a new resource to be created.
+    instance to. Changing this forces a new resource to be created. If not
+    specified, the project will be automatically inherited from the VPC.
 
 * `vpc_id` - (Required) The ID of the VPC to create this ACL for. Changing this
    forces a new resource to be created.