Description
The createEgressFirewallRule API allows the creation of TCP/UDP rules involving all possible ports by simply omitting the startport and endport parameters. For instance, after the following API call:
```
> create egressfirewallrule networkid=bf5b51ae-c1ae-4ec5-951b-35d90d936ba2 protocol="tcp"
{
  "firewallrule": {
    "cidrlist": "192.168.50.0/24",
    "destcidrlist": "",
    "id": "fed01adb-ed94-4c60-aede-8ac53cf9aeda",
    "networkid": "bf5b51ae-c1ae-4ec5-951b-35d90d936ba2",
    "protocol": "tcp",
    "state": "Active",
    "tags": [],
    "traffictype": "Egress"
  }
}
```

All ports are encompassed by the egress rule.
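Because a TCP/UDP egress rule created without `startport`/`endport` silently covers every port, it is worth being able to spot such rules when reviewing what the API returns. The following is an added example (not code from this issue, CloudStack or the Terraform provider) that takes rule objects in the shape of the `createEgressFirewallRule` response quoted above and reports the ones that allow all destination ports. The first sample rule is the one from the issue; the other two, their `id` values, and the 1-65535 reading of an omitted port range are constructed for this example.

```python
"""Audit CloudStack egress firewall rules for all-port TCP/UDP rules.

Added example, not code from the issue or the provider. It consumes rule
objects in the shape of the createEgressFirewallRule response quoted in the
issue; the two extra rules below are constructed for contrast.
"""
import json

# Rule from the issue (omitted startport/endport => every TCP port), plus two
# constructed rules for comparison. The ids of the constructed rules are
# placeholders, not real CloudStack identifiers.
SAMPLE_RULES_JSON = """
[
  {
    "cidrlist": "192.168.50.0/24",
    "destcidrlist": "",
    "id": "fed01adb-ed94-4c60-aede-8ac53cf9aeda",
    "networkid": "bf5b51ae-c1ae-4ec5-951b-35d90d936ba2",
    "protocol": "tcp",
    "state": "Active",
    "tags": [],
    "traffictype": "Egress"
  },
  {
    "cidrlist": "192.168.50.0/24",
    "destcidrlist": "",
    "id": "constructed-rule-2",
    "networkid": "bf5b51ae-c1ae-4ec5-951b-35d90d936ba2",
    "protocol": "tcp",
    "startport": 443,
    "endport": 443,
    "state": "Active",
    "tags": [],
    "traffictype": "Egress"
  },
  {
    "cidrlist": "192.168.50.0/24",
    "destcidrlist": "",
    "id": "constructed-rule-3",
    "networkid": "bf5b51ae-c1ae-4ec5-951b-35d90d936ba2",
    "protocol": "all",
    "state": "Active",
    "tags": [],
    "traffictype": "Egress"
  }
]
"""


def rule_port_span(rule):
    """Return (startport, endport) a TCP/UDP rule effectively covers, else None.

    CloudStack leaves startport/endport out of the response when the rule was
    created without them, which the issue shows means every port. Treating
    that as 1-65535 is an assumption of this example, not a provider field.
    """
    proto = rule.get("protocol", "").lower()
    if proto in ("tcp", "udp"):
        return int(rule.get("startport", 1)), int(rule.get("endport", 65535))
    return None


def all_port_rules(rules):
    """Return a list of (rule id, reason) for rules allowing every port."""
    findings = []
    for rule in rules:
        proto = rule.get("protocol", "").lower()
        if proto == "all":
            findings.append((rule["id"], "protocol all"))
            continue
        if rule_port_span(rule) == (1, 65535):
            if "startport" in rule:
                reason = f"{proto} explicit 1-65535"
            else:
                reason = f"{proto} with startport/endport omitted"
            findings.append((rule["id"], reason))
    return findings


def audit(json_text):
    """Parse a JSON array of firewallrule objects and audit it."""
    return all_port_rules(json.loads(json_text))


if __name__ == "__main__":
    for rule_id, reason in audit(SAMPLE_RULES_JSON):
        print(f"{rule_id}: allows all ports ({reason})")
```

Run against the sample, it flags the issue's rule (ports omitted) and the `protocol = "all"` rule, and leaves the single-port rule alone; pointing it at real output means extracting the `firewallrule` array from the list response first.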
However, when defining the following cloudstack_egress_firewall resource:
```hcl
resource "cloudstack_egress_firewall" "egress_rules" {
  network_id = cloudstack_network.network.id

  rule {
    cidr_list = [cloudstack_network.network.cidr]
    protocol  = "tcp"
  }

  depends_on = [cloudstack_instance.vm]
}
```

The following error is returned by the provider:

```
cloudstack_egress_firewall.egress_rules: Creating...
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to cloudstack_egress_firewall.egress_rules, provider "provider[\"registry.terraform.io/cloudstack/cloudstack\"]" produced an unexpected
│ new value: Root object was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker
```
A workaround is to explicitly set the `ports` argument of the `rule` block or to specify the value `all` as the protocol.

Thus, the user should be allowed to add a rule involving all ports by simply not specifying the `ports` argument, as is possible via the API and UI.

If this cannot be achieved, then the `cloudstack_egress_firewall` documentation should be updated, clarifying that the `ports` argument is required for the TCP and UDP protocols.