Fix managed=true unknown-rule handling for ruleset

bhouse-nexthop · bhouse-nexthop · commit bdfa4306d369 · 2026-03-10T14:46:02.000Z
- Adjust dummy rule format for ruleset to use 'uuid' string instead of 'uuids' map
- Add rule_number to dummy rules for ruleset (required field)
- Find highest existing rule_number and assign dummy rules starting from max+1
- Prevents conflicts between dummy rules and user-defined rules
- Addresses review comment about managed mode incompatibility with ruleset
diff --git a/cloudstack/resource_cloudstack_network_acl_rule.go b/cloudstack/resource_cloudstack_network_acl_rule.go
@@ -954,21 +954,48 @@ func resourceCloudStackNetworkACLRuleRead(d *schema.ResourceData, meta interface
 	// If this is a managed firewall, add all unknown rules into dummy rules
 	managed := d.Get("managed").(bool)
 	if managed && len(ruleMap) > 0 {
+		// Find the highest rule_number to avoid conflicts when creating dummy rules
+		maxRuleNumber := 0
+		for _, rule := range rules {
+			if ruleMap, ok := rule.(map[string]interface{}); ok {
+				if ruleNum, ok := ruleMap["rule_number"].(int); ok && ruleNum > maxRuleNumber {
+					maxRuleNumber = ruleNum
+				}
+			}
+		}
+
+		// Start assigning dummy rule numbers after the highest existing rule_number
+		dummyRuleNumber := maxRuleNumber + 1
+
 		for uuid := range ruleMap {
 			// We need to create and add a dummy value to a list as the
 			// cidr_list is a required field and thus needs a value
 			cidrs := []interface{}{uuid}
 
 			// Make a dummy rule to hold the unknown UUID
-			rule := map[string]interface{}{
-				"cidr_list": cidrs,
-				"protocol":  uuid,
-				"uuids":     map[string]interface{}{uuid: uuid},
+			// Format differs between 'rule' and 'ruleset'
+			var rule map[string]interface{}
+			if usingRuleset {
+				// For ruleset: use 'uuid' string and include rule_number
+				rule = map[string]interface{}{
+					"cidr_list":   cidrs,
+					"protocol":    uuid,
+					"uuid":        uuid,
+					"rule_number": dummyRuleNumber,
+				}
+				dummyRuleNumber++
+			} else {
+				// For rule: use 'uuids' map
+				rule = map[string]interface{}{
+					"cidr_list": cidrs,
+					"protocol":  uuid,
+					"uuids":     map[string]interface{}{uuid: uuid},
+				}
 			}
 
 			// Add the dummy rule to the rules list
 			rules = append(rules, rule)
-			log.Printf("[DEBUG] Added managed dummy rule for UUID %s", uuid)
+			log.Printf("[DEBUG] Added managed dummy rule for UUID %s (usingRuleset=%t)", uuid, usingRuleset)
 		}
 	}
 
