provider/openstack: Toggle Creation of Default Security Group Rules

[jtopjian]

This commit modifies the behavior implemented in #9799 by enabling
the user to be able to toggle the creation of the default security
group rules.

Fixes #12102

non-commit note: This effectively changes the behavior introduced in #9799 to be opt-in instead of dictated, which I agree is a better solution. I tried to make the new argument intuitive as well as provide documentation about how to recreate the default rules. Caveats are mentioned for OpenStack environments that have deviated from the default behavior.

Between #9799 and now, there will be three sets of openstack_networking_secgroup_v2's in the wild, however, no changes should happen to existing deployments since there is not a default value specified and an explicit value of true must be given for the rules to be deleted.

In addition, no destructive behavior is expected (and by destructive, I mean the loss of data and stateful services). If someone chooses to add this argument with a value of true or false to their configuration, then the security group and the rules connected to it will be recreated. All resources that consume security groups are able to handle security group updates without being destroyed. If such a thing happens, it is a bug and should be reported.

[Kiemes]

@jtopjian I see that you are using boolean value for delete_default_rules. If I would like to set the value via a terraform variable this wouldn't be possible, would it?
As far as I can read from the documentation, variables cannot be from type bool. Or is type bool being inferred by you setting the default to false?
Just to make sure because I have not stubbled upon any other boolean variables in Terraform so far.
https://www.terraform.io/docs/configuration/syntax.html however suggests that using boolean values directly is allowed. Is just the documentation out of sync?

[jtopjian]

@Kiemes Booleans can be used. :)

In the variable documentation you referenced, check out the section that reads:

When passing boolean-like variables as parameters to resource configurations that expect boolean values, they are converted consistently

In this case, the following works just fine:

variable "ddr" {                                     
    default = true                                   
}                                                    
                                                     
resource "openstack_networking_secgroup_v2" "test" {
  name = "test"                                     
  description = "test"                              
  delete_default_rules = "${var.ddr}"                
}                                                    

You can test this out with any other parameter that is currently of type boolean, of which there are currently 25 in the OpenStack provider (not counting this new one).

However, I would imagine you will want to just omit delete_default_rules entirely so you don't run into the situation you described yesterday.

[Kiemes]

@jtopjian Thanks for the explanation. I actually expected you to do the right thing :) And I have to admit that I did not read the whole page.

And yes, we are going to use the default value false for delete_default_rules.

[stack72]

LGTM :)

[jtopjian]

@stack72 Thank you!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.