Fix TypeSet hash to prevent spurious diffs on unchanged rules

bhouse-nexthop · bhouse-nexthop · commit b65fe7c7cb5a · 2026-03-18T18:01:53.000Z
The rule TypeSet was using the default hash function which includes ALL
fields, including the computed 'uuid' field. This caused Terraform to show
spurious diffs where unchanged rules appeared as being removed and re-added
when other rules in the same ruleset were modified.

Root Cause:
- When rule A is updated (e.g., action changes), its UUID may change
- The TypeSet hash included the UUID, so the set's internal representation
  changed even for unchanged rules
- Terraform interpreted this as rules being removed and re-added, even
  though only their position in the set changed

Solution:
- Added custom hash function resourceCloudStackNetworkACLRulesetRuleHash
- Hash is based only on user-configurable fields that define rule identity:
  rule_number, action, protocol, traffic_type, cidr_list, port, icmp_type,
  icmp_code, description
- Explicitly excludes the computed 'uuid' field
- This ensures rules are identified by their configuration, not by their
  API-assigned UUID

Test: Added TestAccCloudStackNetworkACLRuleset_unchanged_rule_stability
which verifies that when one rule is modified, other unchanged rules
maintain stable UUIDs and don't show spurious diffs.

All 12 acceptance tests passing (153.2 seconds total)
diff --git a/cloudstack/resource_cloudstack_network_acl_ruleset.go b/cloudstack/resource_cloudstack_network_acl_ruleset.go
@@ -64,6 +64,7 @@ func resourceCloudStackNetworkACLRuleset() *schema.Resource {
 			"rule": {
 				Type:     schema.TypeSet,
 				Required: true,
+				Set:      resourceCloudStackNetworkACLRulesetRuleHash,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"rule_number": {
@@ -128,6 +129,49 @@ func resourceCloudStackNetworkACLRuleset() *schema.Resource {
 	}
 }
 
+// resourceCloudStackNetworkACLRulesetRuleHash computes a hash for a rule based on
+// its identifying attributes, excluding the computed uuid field. This ensures that
+// rules are identified by their configuration, not by their API-assigned UUID.
+func resourceCloudStackNetworkACLRulesetRuleHash(v interface{}) int {
+	var buf strings.Builder
+	m := v.(map[string]interface{})
+
+	// Include all fields that define the rule's identity from the user's perspective
+	// Explicitly exclude "uuid" which is computed and should not affect the hash
+
+	buf.WriteString(fmt.Sprintf("%d-", m["rule_number"].(int)))
+	buf.WriteString(fmt.Sprintf("%s-", m["action"].(string)))
+	buf.WriteString(fmt.Sprintf("%s-", m["protocol"].(string)))
+	buf.WriteString(fmt.Sprintf("%s-", m["traffic_type"].(string)))
+
+	// Hash the cidr_list set
+	if v, ok := m["cidr_list"]; ok {
+		cidrSet := v.(*schema.Set)
+		for _, cidr := range cidrSet.List() {
+			buf.WriteString(fmt.Sprintf("%s-", cidr.(string)))
+		}
+	}
+
+	// Include optional fields
+	if v, ok := m["port"]; ok && v.(string) != "" {
+		buf.WriteString(fmt.Sprintf("port:%s-", v.(string)))
+	}
+
+	if v, ok := m["icmp_type"]; ok && v.(int) != 0 {
+		buf.WriteString(fmt.Sprintf("icmp_type:%d-", v.(int)))
+	}
+
+	if v, ok := m["icmp_code"]; ok && v.(int) != 0 {
+		buf.WriteString(fmt.Sprintf("icmp_code:%d-", v.(int)))
+	}
+
+	if v, ok := m["description"]; ok && v.(string) != "" {
+		buf.WriteString(fmt.Sprintf("desc:%s-", v.(string)))
+	}
+
+	return schema.HashString(buf.String())
+}
+
 func resourceCloudStackNetworkACLRulesetCreate(d *schema.ResourceData, meta interface{}) error {
 	// We need to set this upfront in order to be able to save a partial state
 	d.SetId(d.Get("acl_id").(string))
diff --git a/cloudstack/resource_cloudstack_network_acl_ruleset_test.go b/cloudstack/resource_cloudstack_network_acl_ruleset_test.go
@@ -1560,6 +1560,143 @@ resource "cloudstack_network_acl_ruleset" "numeric_test" {
 }
 `
 
+func TestAccCloudStackNetworkACLRuleset_unchanged_rule_stability(t *testing.T) {
+	var rule42002UUID string
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudStackNetworkACLRulesetDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudStackNetworkACLRuleset_unchanged_rule_stability_step1,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudStackNetworkACLRulesetExists("cloudstack_network_acl_ruleset.stability_test"),
+					resource.TestCheckResourceAttr("cloudstack_network_acl_ruleset.stability_test", "rule.#", "2"),
+					// Capture the UUID of rule 42002 (the unchanged rule)
+					func(s *terraform.State) error {
+						rs := s.RootModule().Resources["cloudstack_network_acl_ruleset.stability_test"]
+						for k, v := range rs.Primary.Attributes {
+							// Find rule 42002's UUID
+							if strings.Contains(k, "rule.") && strings.Contains(k, ".rule_number") && v == "42002" {
+								// Extract the index and get the UUID
+								parts := strings.Split(k, ".")
+								if len(parts) >= 2 {
+									uuidKey := fmt.Sprintf("%s.%s.uuid", parts[0], parts[1])
+									rule42002UUID = rs.Primary.Attributes[uuidKey]
+									t.Logf("Rule 42002 UUID in step 1: %s", rule42002UUID)
+								}
+							}
+						}
+						return nil
+					},
+				),
+			},
+			{
+				Config: testAccCloudStackNetworkACLRuleset_unchanged_rule_stability_step2,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudStackNetworkACLRulesetExists("cloudstack_network_acl_ruleset.stability_test"),
+					resource.TestCheckResourceAttr("cloudstack_network_acl_ruleset.stability_test", "rule.#", "2"),
+					// Verify that rule 42002's UUID hasn't changed (it shouldn't since the rule is unchanged)
+					func(s *terraform.State) error {
+						rs := s.RootModule().Resources["cloudstack_network_acl_ruleset.stability_test"]
+						var currentUUID string
+						for k, v := range rs.Primary.Attributes {
+							if strings.Contains(k, "rule.") && strings.Contains(k, ".rule_number") && v == "42002" {
+								parts := strings.Split(k, ".")
+								if len(parts) >= 2 {
+									uuidKey := fmt.Sprintf("%s.%s.uuid", parts[0], parts[1])
+									currentUUID = rs.Primary.Attributes[uuidKey]
+									t.Logf("Rule 42002 UUID in step 2: %s", currentUUID)
+								}
+							}
+						}
+						if currentUUID != rule42002UUID {
+							return fmt.Errorf("Rule 42002 UUID changed from %s to %s, but the rule was unchanged!", rule42002UUID, currentUUID)
+						}
+						t.Logf("✓ Rule 42002 UUID remained stable: %s", currentUUID)
+						return nil
+					},
+				),
+			},
+		},
+	})
+}
+
+const testAccCloudStackNetworkACLRuleset_unchanged_rule_stability_step1 = `
+resource "cloudstack_vpc" "stability_test" {
+  name = "terraform-vpc-stability-test"
+  cidr = "10.0.0.0/8"
+  vpc_offering = "Default VPC offering"
+  zone = "Sandbox-simulator"
+}
+
+resource "cloudstack_network_acl" "stability_test" {
+  name = "terraform-acl-stability-test"
+  description = "terraform-acl-stability-test-text"
+  vpc_id = cloudstack_vpc.stability_test.id
+}
+
+resource "cloudstack_network_acl_ruleset" "stability_test" {
+  acl_id = cloudstack_network_acl.stability_test.id
+
+  rule {
+    rule_number = 42001
+    action = "allow"
+    cidr_list = ["0.0.0.0/0"]
+    protocol = "all"
+    traffic_type = "egress"
+    description = "to any vpc: allow egress"
+  }
+
+  rule {
+    rule_number = 42002
+    action = "allow"
+    cidr_list = ["0.0.0.0/0"]
+    protocol = "all"
+    traffic_type = "ingress"
+    description = "from anywhere: allow ingress"
+  }
+}
+`
+
+const testAccCloudStackNetworkACLRuleset_unchanged_rule_stability_step2 = `
+resource "cloudstack_vpc" "stability_test" {
+  name = "terraform-vpc-stability-test"
+  cidr = "10.0.0.0/8"
+  vpc_offering = "Default VPC offering"
+  zone = "Sandbox-simulator"
+}
+
+resource "cloudstack_network_acl" "stability_test" {
+  name = "terraform-acl-stability-test"
+  description = "terraform-acl-stability-test-text"
+  vpc_id = cloudstack_vpc.stability_test.id
+}
+
+resource "cloudstack_network_acl_ruleset" "stability_test" {
+  acl_id = cloudstack_network_acl.stability_test.id
+
+  rule {
+    rule_number = 42001
+    action = "deny"
+    cidr_list = ["0.0.0.0/0"]
+    protocol = "all"
+    traffic_type = "egress"
+    description = "to any vpc: deny egress"
+  }
+
+  rule {
+    rule_number = 42002
+    action = "allow"
+    cidr_list = ["0.0.0.0/0"]
+    protocol = "all"
+    traffic_type = "ingress"
+    description = "from anywhere: allow ingress"
+  }
+}
+`
+
 func TestAccCloudStackNetworkACLRuleset_remove(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
