Patching firewall rules

[tbroden84]

WHY are these changes introduced?

Original firewall resource replaced all firewall rules during create/update. Meaning all rules used in the resource always overwrite the current rule set. Enable utilization of the PACTH endpoint in API backend, to change the behaviour for the resource with new argument patch. This will instead append or update the rules present in the resource and leave all other firewall rules intact.

WHAT is this pull request doing?

• Adds new data source for firewall settings, keeping track on all firewall rules enabled.
• Adds patch argument to cloudamqp_security_firewall. When set to true, use PATCH API endpoint and only affect rules in the resource.
• Update docs.

Require:

• Add new endpoint to PATCH firewall rules 84codes/go-api#36
• https://github.com/84codes/account-console/pull/28

HOW can this pull request be tested?

Test scenarios used with managed VPC and instance.

1. Multiple patched firewall rules requests being executed. Will trigger after post.bootstrap finished, in the end firewall rule set contains both.

2. Enabled PrivateLink and multiple patched firewall rules resources requests being executed. Will trigger after post.bootstrap finished. PrivateLink gets enabled, automatic PrivateLink rule set activated and both firewall resource rule sets gets activated.

resource "cloudamqp_security_firewall" "mgmt_int" {
  instance_id = cloudamqp_instance.instance.id
  patch = true
  rules {
      ip = "0.0.0.0/0"
      description = "MGMT interface"
      ports       = []
      services    = ["HTTPS"]
  }
}

resource "cloudamqp_security_firewall" "extra_rules" {
  instance_id = cloudamqp_instance.instance.id
  patch = true

  rules {
    ip          = "10.1.0.0/16"
    ports       = []
    services    = ["AMQPS"]
  }

  rules {
    ip          = "10.2.0.0/16"
    ports       = []
    services    = ["AMQPS"]
  }
}

[dentarg]

Do we need to add the new resource cloudamqp_security_firewall_rules? How is it different from resource_cloudamqp_security_firewall?

cloudamqp_security_firewall_rules will always append and cloudamqp_security_firewall will always replace?

[tbroden84]

Basically just that I tried out difference between single/multi rules when doing the patching.

• cloudamqp_security_firewall will always replace everything
• cloudamqp_security_firewall_rule append/patch single rule
• cloudamqp_security_firewall_rules append/patch single or multiple rules

With this in place then have something to discuss around.

Did also do some test runs when using cloudamqp_security_firewall_rule and enable PrivateLink and how it would affect things.

[dentarg]

Had another thought, do we need cloudamqp_security_firewall_rule or could that be covered by cloudamqp_security_firewall_rules with just one element? As you just wrote it can be used to patch (add) a single rule

Going further, could we instead of adding these two new resources, extend the existing cloudamqp_security_firewall resource? Giving it an option controlling the behavior (replace vs append, defaulting to replace to not break anything)

[tbroden84]

Yes possible to use cloudamqp_security_firewall_rules resource for both single and multiple.

But your idea about add it to cloudamqp_security_firewall would definitely be preferable. Will check it out.

[kristianschneider]

This one seems to have gone stale. Whats the status on this ?

[dentarg]

It is held up but sorting out issues in the backend, that we haven't been able to prioritise.