Fix managed mode to properly delete out-of-band ACL rules

When managed=true, the provider now correctly detects and deletes ACL rules
that were created outside of Terraform (out-of-band rules).

Implementation:
- Read function adds 'dummy' rules to state for out-of-band rules when managed=true
- These dummy rules contain the UUID of the out-of-band rule
- On next apply, Terraform detects the diff (dummy rule in state, not in config)
- Update function deletes the dummy rules, which deletes the actual out-of-band rules

This approach is consistent with the legacy resource_cloudstack_network_acl_rule.go
and ensures that managed ACLs stay in sync with the configuration.

Tests:
- Added TestAccCloudStackNetworkACLRuleset_managed to verify out-of-band deletion
- Verified TestAccCloudStackNetworkACLRuleset_not_managed still works correctly

Author: bhouse-nexthop

cloudstack/resource_cloudstack_network_acl_ruleset.go

@@ -453,17 +453,35 @@ func resourceCloudStackNetworkACLRulesetRead(d *schema.ResourceData, meta interf
 		}
 	}
 
-	// If this is a managed resource and there are unknown rules (out-of-band rules),
-	// log them but DON'T add them to the state. They will be deleted on the next apply.
+	// If this is a managed resource, add all unknown rules to dummy rules
+	// This allows Terraform to detect them and trigger an update to delete them
 	managed := d.Get("managed").(bool)
 	if managed && len(ruleMap) > 0 {
-		log.Printf("[WARN] Found %d out-of-band ACL rules for ACL %s that are not managed by Terraform. These will be deleted on the next apply.", len(ruleMap), d.Id())
+		log.Printf("[DEBUG] Found %d out-of-band ACL rules for ACL %s", len(ruleMap), d.Id())
 		for uuid, r := range ruleMap {
-			log.Printf("[WARN] Out-of-band rule: uuid=%s, rule_number=%d, protocol=%s, action=%s", uuid, r.Number, r.Protocol, r.Action)
+			log.Printf("[DEBUG] Adding dummy rule for out-of-band rule: uuid=%s, rule_number=%d", uuid, r.Number)
+
+			// Make a dummy rule to hold the unknown UUID
+			// We use the UUID as a unique identifier in the cidr_list
+			cidrs := &schema.Set{F: schema.HashString}
+			cidrs.Add(uuid)
+
+			rule := map[string]interface{}{
+				"cidr_list":    cidrs,
+				"protocol":     uuid, // Use UUID as protocol to make it unique
+				"uuid":         uuid,
+				"rule_number":  r.Number,
+				"action":       "allow",
+				"traffic_type": "ingress",
+				"icmp_type":    0,
+				"icmp_code":    0,
+				"description":  "",
+				"port":         "",
+			}
+
+			// Add the dummy rule to the rules set
+			rules.Add(rule)
 		}
-		// Note: We do NOT add these to the rules set. They should not be in the state.
-		// On the next terraform apply, the Update function will detect that these rules
-		// exist in the API but not in the config, and will delete them.
 	}
 
 	if rules.Len() > 0 {

cloudstack/resource_cloudstack_network_acl_ruleset_test.go

@@ -143,6 +143,28 @@ func testAccCheckOutOfBandACLRuleExists(aclID string) error {
 	return fmt.Errorf("Out-of-band rule (number 30) was deleted even though managed=false")
 }
 
+// testAccCheckOutOfBandACLRuleDeleted verifies that the out-of-band rule was deleted
+func testAccCheckOutOfBandACLRuleDeleted(aclID string) error {
+	client := testAccProvider.Meta().(*cloudstack.CloudStackClient)
+
+	p := client.NetworkACL.NewListNetworkACLsParams()
+	p.SetAclid(aclID)
+
+	resp, err := client.NetworkACL.ListNetworkACLs(p)
+	if err != nil {
+		return fmt.Errorf("Failed to list ACL rules: %v", err)
+	}
+
+	// Check that the out-of-band rule (rule number 30) was deleted
+	for _, rule := range resp.NetworkACLs {
+		if rule.Number == 30 {
+			return fmt.Errorf("Out-of-band rule (number 30) still exists even though managed=true")
+		}
+	}
+
+	return nil // Not found - success!
+}
+
 func TestAccCloudStackNetworkACLRuleset_basic(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@@ -500,6 +522,8 @@ resource "cloudstack_network_acl_ruleset" "bar" {
 }`
 
 func TestAccCloudStackNetworkACLRuleset_managed(t *testing.T) {
+	var aclID string
+
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
 		Providers:    testAccProviders,
@@ -513,13 +537,38 @@ func TestAccCloudStackNetworkACLRuleset_managed(t *testing.T) {
 						"cloudstack_network_acl_ruleset.managed", "managed", "true"),
 					resource.TestCheckResourceAttr(
 						"cloudstack_network_acl_ruleset.managed", "rule.#", "2"),
+					// Capture the ACL ID for later use
+					func(s *terraform.State) error {
+						rs, ok := s.RootModule().Resources["cloudstack_network_acl_ruleset.managed"]
+						if !ok {
+							return fmt.Errorf("Not found: cloudstack_network_acl_ruleset.managed")
+						}
+						aclID = rs.Primary.ID
+						return nil
+					},
+				),
+			},
+			{
+				// Add an out-of-band rule via the API
+				PreConfig: func() {
+					// Create a rule outside of Terraform
+					testAccCreateOutOfBandACLRule(t, aclID)
+				},
+				Config: testAccCloudStackNetworkACLRuleset_managed,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudStackNetworkACLRulesetExists("cloudstack_network_acl_ruleset.managed"),
+					// With managed=true, the out-of-band rule should be DELETED
+					// Verify only the 2 configured rules exist
+					resource.TestCheckResourceAttr(
+						"cloudstack_network_acl_ruleset.managed", "rule.#", "2"),
+					// Verify the out-of-band rule was deleted
+					func(s *terraform.State) error {
+						return testAccCheckOutOfBandACLRuleDeleted(aclID)
+					},
 				),
 			},
 		},
 	})
-
-	// After the test, manually create an out-of-band rule and verify it's detected
-	// This would require additional test infrastructure, so we'll skip for now
 }
 
 const testAccCloudStackNetworkACLRuleset_managed = `