Eliminate spurious diffs in ACL ruleset when modifying individual rules

bhouse-nexthop · bhouse-nexthop · commit ec063c3d0e9c · 2026-03-18T21:54:44.000Z
When modifying a single rule in a ruleset, Terraform's TypeSet would show all
rules as being replaced due to hash changes, even though only one rule actually
changed. This created confusing diffs that made it hard to see what was actually
being modified.

This commit implements a CustomizeDiff function that:
- Compares old and new rule sets by matching on rule_number (the natural key)
- Performs field-by-field comparison of each rule
- Suppresses the diff if rules are functionally identical (same rule_number with same values)
- Only shows diffs for rules that actually changed

Key changes:
- Added CustomizeDiff to resource schema
- Changed 'rule' attribute from Required to Optional+Computed (required for SetNew to work)
- Added resourceCloudStackNetworkACLRulesetCustomizeDiff function
- Added compareACLRules helper for deep field comparison
- Added TestAccCloudStackNetworkACLRuleset_no_spurious_diff to verify the fix

All existing tests continue to pass.
diff --git a/cloudstack/resource_cloudstack_network_acl_ruleset.go b/cloudstack/resource_cloudstack_network_acl_ruleset.go
@@ -20,6 +20,7 @@
 package cloudstack
 
 import (
+	"context"
 	"fmt"
 	"log"
 	"strconv"
@@ -41,6 +42,7 @@ func resourceCloudStackNetworkACLRuleset() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			State: resourceCloudStackNetworkACLRulesetImport,
 		},
+		CustomizeDiff: resourceCloudStackNetworkACLRulesetCustomizeDiff,
 
 		Schema: map[string]*schema.Schema{
 			"acl_id": {
@@ -63,7 +65,8 @@ func resourceCloudStackNetworkACLRuleset() *schema.Resource {
 
 			"rule": {
 				Type:     schema.TypeSet,
-				Required: true,
+				Optional: true,
+				Computed: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"rule_number": {
@@ -128,6 +131,102 @@ func resourceCloudStackNetworkACLRuleset() *schema.Resource {
 	}
 }
 
+func resourceCloudStackNetworkACLRulesetCustomizeDiff(ctx context.Context, d *schema.ResourceDiff, meta interface{}) error {
+	// Only apply this logic during updates, not creates
+	if d.Id() == "" {
+		return nil
+	}
+
+	old, new := d.GetChange("rule")
+	oldSet := old.(*schema.Set)
+	newSet := new.(*schema.Set)
+
+	// If the sets are empty or have different lengths, there's a real change
+	if oldSet.Len() == 0 || newSet.Len() == 0 || oldSet.Len() != newSet.Len() {
+		return nil
+	}
+
+	// Create maps indexed by rule_number (the natural key)
+	oldMap := make(map[int]map[string]interface{})
+	for _, v := range oldSet.List() {
+		m := v.(map[string]interface{})
+		ruleNum := m["rule_number"].(int)
+		oldMap[ruleNum] = m
+	}
+
+	newMap := make(map[int]map[string]interface{})
+	for _, v := range newSet.List() {
+		m := v.(map[string]interface{})
+		ruleNum := m["rule_number"].(int)
+		newMap[ruleNum] = m
+	}
+
+	// Check if the rules are functionally identical when matched by rule_number
+	functionallyIdentical := true
+	for ruleNum, newRule := range newMap {
+		oldRule, exists := oldMap[ruleNum]
+		if !exists {
+			// New rule added
+			functionallyIdentical = false
+			break
+		}
+
+		// Compare all fields except uuid
+		if !compareACLRules(oldRule, newRule) {
+			functionallyIdentical = false
+			break
+		}
+	}
+
+	// Also check if any rules were removed
+	for ruleNum := range oldMap {
+		if _, exists := newMap[ruleNum]; !exists {
+			functionallyIdentical = false
+			break
+		}
+	}
+
+	// If the rules are functionally identical (same rule_numbers with same values),
+	// suppress the diff by keeping the old state
+	if functionallyIdentical {
+		return d.SetNew("rule", old)
+	}
+
+	return nil
+}
+
+func compareACLRules(old, new map[string]interface{}) bool {
+	// Compare all fields except uuid (which is computed and may differ)
+	fields := []string{"rule_number", "action", "protocol", "icmp_type", "icmp_code", "port", "traffic_type", "description"}
+
+	for _, field := range fields {
+		oldVal := old[field]
+		newVal := new[field]
+
+		// Handle nil/empty string equivalence
+		if oldVal == nil && newVal == "" {
+			continue
+		}
+		if oldVal == "" && newVal == nil {
+			continue
+		}
+
+		if oldVal != newVal {
+			return false
+		}
+	}
+
+	// Compare cidr_list (TypeSet)
+	oldCIDR := old["cidr_list"].(*schema.Set)
+	newCIDR := new["cidr_list"].(*schema.Set)
+
+	if !oldCIDR.Equal(newCIDR) {
+		return false
+	}
+
+	return true
+}
+
 func resourceCloudStackNetworkACLRulesetCreate(d *schema.ResourceData, meta interface{}) error {
 	// We need to set this upfront in order to be able to save a partial state
 	d.SetId(d.Get("acl_id").(string))
diff --git a/cloudstack/resource_cloudstack_network_acl_ruleset_test.go b/cloudstack/resource_cloudstack_network_acl_ruleset_test.go
@@ -1520,6 +1520,147 @@ resource "cloudstack_network_acl_ruleset" "protocol_test" {
 }
 `
 
+func TestAccCloudStackNetworkACLRuleset_no_spurious_diff(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudStackNetworkACLRulesetDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudStackNetworkACLRuleset_no_spurious_diff_initial,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudStackNetworkACLRulesetExists("cloudstack_network_acl_ruleset.no_spurious_diff"),
+					resource.TestCheckResourceAttr(
+						"cloudstack_network_acl_ruleset.no_spurious_diff", "rule.#", "3"),
+				),
+			},
+			{
+				Config: testAccCloudStackNetworkACLRuleset_no_spurious_diff_change_one_rule,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudStackNetworkACLRulesetExists("cloudstack_network_acl_ruleset.no_spurious_diff"),
+					resource.TestCheckResourceAttr(
+						"cloudstack_network_acl_ruleset.no_spurious_diff", "rule.#", "3"),
+					// Verify rule 20 was updated
+					resource.TestCheckTypeSetElemNestedAttrs(
+						"cloudstack_network_acl_ruleset.no_spurious_diff", "rule.*", map[string]string{
+							"rule_number": "20",
+							"port":        "8080", // Changed from 80
+						}),
+					// Verify rules 10 and 30 still exist with their original values
+					resource.TestCheckTypeSetElemNestedAttrs(
+						"cloudstack_network_acl_ruleset.no_spurious_diff", "rule.*", map[string]string{
+							"rule_number": "10",
+							"port":        "22",
+						}),
+					resource.TestCheckTypeSetElemNestedAttrs(
+						"cloudstack_network_acl_ruleset.no_spurious_diff", "rule.*", map[string]string{
+							"rule_number": "30",
+							"port":        "443",
+						}),
+				),
+			},
+		},
+	})
+}
+
+const testAccCloudStackNetworkACLRuleset_no_spurious_diff_initial = `
+resource "cloudstack_vpc" "no_spurious_diff" {
+  name = "terraform-vpc-no-spurious-diff"
+  cidr = "10.0.0.0/8"
+  vpc_offering = "Default VPC offering"
+  zone = "Sandbox-simulator"
+}
+
+resource "cloudstack_network_acl" "no_spurious_diff" {
+  name = "terraform-acl-no-spurious-diff"
+  description = "terraform-acl-no-spurious-diff-text"
+  vpc_id = cloudstack_vpc.no_spurious_diff.id
+}
+
+resource "cloudstack_network_acl_ruleset" "no_spurious_diff" {
+  acl_id = cloudstack_network_acl.no_spurious_diff.id
+
+  rule {
+    rule_number = 10
+    action = "allow"
+    cidr_list = ["0.0.0.0/0"]
+    protocol = "tcp"
+    port = "22"
+    traffic_type = "ingress"
+    description = "SSH"
+  }
+
+  rule {
+    rule_number = 20
+    action = "allow"
+    cidr_list = ["0.0.0.0/0"]
+    protocol = "tcp"
+    port = "80"
+    traffic_type = "ingress"
+    description = "HTTP"
+  }
+
+  rule {
+    rule_number = 30
+    action = "allow"
+    cidr_list = ["0.0.0.0/0"]
+    protocol = "tcp"
+    port = "443"
+    traffic_type = "ingress"
+    description = "HTTPS"
+  }
+}
+`
+
+const testAccCloudStackNetworkACLRuleset_no_spurious_diff_change_one_rule = `
+resource "cloudstack_vpc" "no_spurious_diff" {
+  name = "terraform-vpc-no-spurious-diff"
+  cidr = "10.0.0.0/8"
+  vpc_offering = "Default VPC offering"
+  zone = "Sandbox-simulator"
+}
+
+resource "cloudstack_network_acl" "no_spurious_diff" {
+  name = "terraform-acl-no-spurious-diff"
+  description = "terraform-acl-no-spurious-diff-text"
+  vpc_id = cloudstack_vpc.no_spurious_diff.id
+}
+
+resource "cloudstack_network_acl_ruleset" "no_spurious_diff" {
+  acl_id = cloudstack_network_acl.no_spurious_diff.id
+
+  rule {
+    rule_number = 10
+    action = "allow"
+    cidr_list = ["0.0.0.0/0"]
+    protocol = "tcp"
+    port = "22"
+    traffic_type = "ingress"
+    description = "SSH"
+  }
+
+  rule {
+    rule_number = 20
+    action = "allow"
+    cidr_list = ["0.0.0.0/0"]
+    protocol = "tcp"
+    port = "8080"  # Changed from 80
+    traffic_type = "ingress"
+    description = "HTTP"
+  }
+
+  rule {
+    rule_number = 30
+    action = "allow"
+    cidr_list = ["0.0.0.0/0"]
+    protocol = "tcp"
+    port = "443"
+    traffic_type = "ingress"
+    description = "HTTPS"
+  }
+}
+`
+
 func TestAccCloudStackNetworkACLRuleset_import(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
