Fix managed mode to properly handle out-of-band ACL rules

When managed=true, the provider now correctly detects and deletes ACL rules
that were created outside of Terraform (out-of-band rules).

Implementation:
- Read function adds 'dummy' rules to state for out-of-band rules when managed=true
- These dummy rules contain the UUID of the out-of-band rule
- On next apply, Terraform detects the diff (dummy rule in state, not in config)
- Update function deletes the dummy rules, which deletes the actual out-of-band rules

This approach is consistent with the legacy resource_cloudstack_network_acl_rule.go
and ensures that managed ACLs stay in sync with the configuration.

Also fixes state mutation issues in the Read function by creating new maps
instead of modifying existing state data structures.

Tests:
- Added TestAccCloudStackNetworkACLRuleset_managed to verify out-of-band deletion
- Verified TestAccCloudStackNetworkACLRuleset_not_managed still works correctly

Author: bhouse-nexthop

cloudstack/resource_cloudstack_network_acl_ruleset.go

@@ -343,35 +343,39 @@ func resourceCloudStackNetworkACLRulesetRead(d *schema.ResourceData, meta interf
 	// Read all rules that are configured
 	rs := d.Get("rule").(*schema.Set)
 	if rs.Len() > 0 {
-		for _, rule := range rs.List() {
-			rule := rule.(map[string]interface{})
+		for _, oldRule := range rs.List() {
+			oldRule := oldRule.(map[string]interface{})
 
-			id, ok := rule["uuid"]
+			id, ok := oldRule["uuid"]
 			if !ok || id.(string) == "" {
 				continue
 			}
 
 			// Get the rule
 			r, ok := ruleMap[id.(string)]
 			if !ok {
-				rule["uuid"] = ""
+				// Rule no longer exists in the API, skip it
 				continue
 			}
 
 			// Delete the known rule so only unknown rules remain in the ruleMap
 			delete(ruleMap, id.(string))
 
-			// Update the values
+			// Create a NEW map with the updated values (don't mutate the old one)
 			cidrs := &schema.Set{F: schema.HashString}
 			for _, cidr := range strings.Split(r.Cidrlist, ",") {
 				cidrs.Add(cidr)
 			}
-			rule["cidr_list"] = cidrs
-			rule["action"] = strings.ToLower(r.Action)
-			rule["protocol"] = r.Protocol
-			rule["traffic_type"] = strings.ToLower(r.Traffictype)
-			rule["rule_number"] = r.Number
-			rule["description"] = r.Reason
+
+			rule := map[string]interface{}{
+				"cidr_list":    cidrs,
+				"action":       strings.ToLower(r.Action),
+				"protocol":     r.Protocol,
+				"traffic_type": strings.ToLower(r.Traffictype),
+				"rule_number":  r.Number,
+				"description":  r.Reason,
+				"uuid":         r.Id,
+			}
 
 			// Set ICMP fields
 			if r.Protocol == "icmp" {
@@ -450,18 +454,23 @@ func resourceCloudStackNetworkACLRulesetRead(d *schema.ResourceData, meta interf
 	}
 
 	// If this is a managed resource, add all unknown rules to dummy rules
+	// This allows Terraform to detect them and trigger an update to delete them
 	managed := d.Get("managed").(bool)
 	if managed && len(ruleMap) > 0 {
-		for uuid := range ruleMap {
+		log.Printf("[DEBUG] Found %d out-of-band ACL rules for ACL %s", len(ruleMap), d.Id())
+		for uuid, r := range ruleMap {
+			log.Printf("[DEBUG] Adding dummy rule for out-of-band rule: uuid=%s, rule_number=%d", uuid, r.Number)
+
 			// Make a dummy rule to hold the unknown UUID
+			// We use the UUID as a unique identifier in the cidr_list
 			cidrs := &schema.Set{F: schema.HashString}
 			cidrs.Add(uuid)
 
 			rule := map[string]interface{}{
 				"cidr_list":    cidrs,
-				"protocol":     uuid,
+				"protocol":     uuid, // Use UUID as protocol to make it unique
 				"uuid":         uuid,
-				"rule_number":  0,
+				"rule_number":  r.Number,
 				"action":       "allow",
 				"traffic_type": "ingress",
 				"icmp_type":    0,

cloudstack/resource_cloudstack_network_acl_ruleset_test.go

@@ -143,6 +143,28 @@ func testAccCheckOutOfBandACLRuleExists(aclID string) error {
 	return fmt.Errorf("Out-of-band rule (number 30) was deleted even though managed=false")
 }
 
+// testAccCheckOutOfBandACLRuleDeleted verifies that the out-of-band rule was deleted
+func testAccCheckOutOfBandACLRuleDeleted(aclID string) error {
+	client := testAccProvider.Meta().(*cloudstack.CloudStackClient)
+
+	p := client.NetworkACL.NewListNetworkACLsParams()
+	p.SetAclid(aclID)
+
+	resp, err := client.NetworkACL.ListNetworkACLs(p)
+	if err != nil {
+		return fmt.Errorf("Failed to list ACL rules: %v", err)
+	}
+
+	// Check that the out-of-band rule (rule number 30) was deleted
+	for _, rule := range resp.NetworkACLs {
+		if rule.Number == 30 {
+			return fmt.Errorf("Out-of-band rule (number 30) still exists even though managed=true")
+		}
+	}
+
+	return nil // Not found - success!
+}
+
 func TestAccCloudStackNetworkACLRuleset_basic(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@@ -500,6 +522,8 @@ resource "cloudstack_network_acl_ruleset" "bar" {
 }`
 
 func TestAccCloudStackNetworkACLRuleset_managed(t *testing.T) {
+	var aclID string
+
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
 		Providers:    testAccProviders,
@@ -513,13 +537,38 @@ func TestAccCloudStackNetworkACLRuleset_managed(t *testing.T) {
 						"cloudstack_network_acl_ruleset.managed", "managed", "true"),
 					resource.TestCheckResourceAttr(
 						"cloudstack_network_acl_ruleset.managed", "rule.#", "2"),
+					// Capture the ACL ID for later use
+					func(s *terraform.State) error {
+						rs, ok := s.RootModule().Resources["cloudstack_network_acl_ruleset.managed"]
+						if !ok {
+							return fmt.Errorf("Not found: cloudstack_network_acl_ruleset.managed")
+						}
+						aclID = rs.Primary.ID
+						return nil
+					},
+				),
+			},
+			{
+				// Add an out-of-band rule via the API
+				PreConfig: func() {
+					// Create a rule outside of Terraform
+					testAccCreateOutOfBandACLRule(t, aclID)
+				},
+				Config: testAccCloudStackNetworkACLRuleset_managed,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudStackNetworkACLRulesetExists("cloudstack_network_acl_ruleset.managed"),
+					// With managed=true, the out-of-band rule should be DELETED
+					// Verify only the 2 configured rules exist
+					resource.TestCheckResourceAttr(
+						"cloudstack_network_acl_ruleset.managed", "rule.#", "2"),
+					// Verify the out-of-band rule was deleted
+					func(s *terraform.State) error {
+						return testAccCheckOutOfBandACLRuleDeleted(aclID)
+					},
 				),
 			},
 		},
 	})
-
-	// After the test, manually create an out-of-band rule and verify it's detected
-	// This would require additional test infrastructure, so we'll skip for now
 }
 
 const testAccCloudStackNetworkACLRuleset_managed = `