Merge pull request #2070 from tencentcloudstack/fix/add-orderly-sg-ids

feat: add `orderly_security_group_ids` field to set the security group orderly

Author: lyu571

.changelog/2070.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/tencentcloud_kubernetes_node_pool: add `orderly_security_group_ids` field to set the security group orderly.
+```

tencentcloud/resource_tc_kubernetes_node_pool.go

@@ -331,10 +331,21 @@ func composedKubernetesAsScalingConfigPara() map[string]*schema.Schema {
 			Description:   "ID list of keys.",
 		},
 		"security_group_ids": {
-			Type:        schema.TypeSet,
-			Optional:    true,
-			Elem:        &schema.Schema{Type: schema.TypeString},
-			Description: "Security groups to which a CVM instance belongs.",
+			Type:          schema.TypeSet,
+			Optional:      true,
+			Computed:      true,
+			Elem:          &schema.Schema{Type: schema.TypeString},
+			ConflictsWith: []string{"auto_scaling_config.0.orderly_security_group_ids"},
+			Deprecated:    "The order of elements in this field cannot be guaranteed. Use `orderly_security_group_ids` instead.",
+			Description:   "Security groups to which a CVM instance belongs.",
+		},
+		"orderly_security_group_ids": {
+			Type:          schema.TypeList,
+			Optional:      true,
+			Computed:      true,
+			Elem:          &schema.Schema{Type: schema.TypeString},
+			ConflictsWith: []string{"auto_scaling_config.0.security_group_ids"},
+			Description:   "Ordered security groups to which a CVM instance belongs.",
 		},
 		"enhanced_security_service": {
 			Type:     schema.TypeBool,
@@ -764,7 +775,16 @@ func composedKubernetesAsScalingConfigParaSerial(dMap map[string]interface{}, me
 	}
 
 	if v, ok := dMap["security_group_ids"]; ok {
-		request.SecurityGroupIds = helper.InterfacesStringsPoint(v.(*schema.Set).List())
+		if list := v.(*schema.Set).List(); len(list) > 0 {
+			errRet = fmt.Errorf("The parameter `security_group_ids` has an issue that the actual order of the security group may be inconsistent with the order of your tf code, which will cause your service to be inaccessible. Please use `orderly_security_group_ids` instead.")
+			return result, errRet
+		}
+	}
+
+	if v, ok := dMap["orderly_security_group_ids"]; ok {
+		if list := v.([]interface{}); len(list) > 0 {
+			request.SecurityGroupIds = helper.InterfacesStringsPoint(list)
+		}
 	}
 
 	request.EnhancedService = &as.EnhancedService{}
@@ -843,7 +863,7 @@ func composedKubernetesAsScalingConfigParaSerial(dMap map[string]interface{}, me
 	return result, errRet
 }
 
-func composeAsLaunchConfigModifyRequest(d *schema.ResourceData, launchConfigId string) *as.ModifyLaunchConfigurationAttributesRequest {
+func composeAsLaunchConfigModifyRequest(d *schema.ResourceData, launchConfigId string) (*as.ModifyLaunchConfigurationAttributesRequest, error) {
 	launchConfigRaw := d.Get("auto_scaling_config").([]interface{})
 	dMap := launchConfigRaw[0].(map[string]interface{})
 	request := as.NewModifyLaunchConfigurationAttributesRequest()
@@ -910,8 +930,21 @@ func composeAsLaunchConfigModifyRequest(d *schema.ResourceData, launchConfigId s
 		request.InternetAccessible.PublicIpAssigned = &publicIpAssigned
 	}
 
-	if v, ok := dMap["security_group_ids"]; ok {
-		request.SecurityGroupIds = helper.InterfacesStringsPoint(v.(*schema.Set).List())
+	if d.HasChange("auto_scaling_config.0.security_group_ids") {
+		if v, ok := dMap["security_group_ids"]; ok {
+			if list := v.(*schema.Set).List(); len(list) > 0 {
+				errRet := fmt.Errorf("The parameter `security_group_ids` has an issue that the actual order of the security group may be inconsistent with the order of your tf code, which will cause your service to be inaccessible. You can check whether the order of your current security groups meets your expectations through the TencentCloud Console, then use `orderly_security_group_ids` field to update them.")
+				return nil, errRet
+			}
+		}
+	}
+
+	if d.HasChange("auto_scaling_config.0.orderly_security_group_ids") {
+		if v, ok := dMap["orderly_security_group_ids"]; ok {
+			if list := v.([]interface{}); len(list) > 0 {
+				request.SecurityGroupIds = helper.InterfacesStringsPoint(list)
+			}
+		}
 	}
 
 	chargeType, ok := dMap["instance_charge_type"].(string)
@@ -986,7 +1019,7 @@ func composeAsLaunchConfigModifyRequest(d *schema.ResourceData, launchConfigId s
 
 	request.InstanceChargeType = &chargeType
 
-	return request
+	return request, nil
 }
 
 func desiredCapacityOutRange(d *schema.ResourceData) bool {
@@ -1186,7 +1219,11 @@ func resourceKubernetesNodePoolRead(d *schema.ResourceData, meta interface{}) er
 		if v, ok := d.GetOk("auto_scaling_config.0.password"); ok {
 			launchConfig["password"] = v.(string)
 		}
-		launchConfig["security_group_ids"] = helper.StringsInterfaces(launchCfg.SecurityGroupIds)
+
+		if launchCfg.SecurityGroupIds != nil {
+			launchConfig["security_group_ids"] = helper.StringsInterfaces(launchCfg.SecurityGroupIds)
+			launchConfig["orderly_security_group_ids"] = helper.StringsInterfaces(launchCfg.SecurityGroupIds)
+		}
 
 		enableSecurity := launchCfg.EnhancedService.SecurityService.Enabled
 		enableMonitor := launchCfg.EnhancedService.MonitorService.Enabled
@@ -1381,7 +1418,10 @@ func resourceKubernetesNodePoolUpdate(d *schema.ResourceData, meta interface{})
 		}
 		launchConfigId := *nodePool.LaunchConfigurationId
 		//  change as config here
-		request := composeAsLaunchConfigModifyRequest(d, launchConfigId)
+		request, composeError := composeAsLaunchConfigModifyRequest(d, launchConfigId)
+		if composeError != nil {
+			return composeError
+		}
 		_, err = client.UseAsClient().ModifyLaunchConfigurationAttributes(request)
 		if err != nil {
 			log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n",

tencentcloud/resource_tc_kubernetes_node_pool_test.go

@@ -103,7 +103,7 @@ func TestAccTencentCloudKubernetesNodePoolResource_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "manually_added_total", "0"),
 					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "tags.keep-test-np1", "test1"),
 					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "tags.keep-test-np2", "test2"),
-					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "auto_scaling_config.0.security_group_ids.#", "1"),
+					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "auto_scaling_config.0.orderly_security_group_ids.#", "2"),
 					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "auto_scaling_config.0.host_name", "12.123.0.0"),
 					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "auto_scaling_config.0.host_name_style", "ORIGINAL"),
 					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "auto_scaling_config.0.enhanced_security_service", "false"),
@@ -138,7 +138,7 @@ func TestAccTencentCloudKubernetesNodePoolResource_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "termination_policies.0", "NEWEST_INSTANCE"),
 					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "tags.keep-test-np1", "testI"),
 					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "tags.keep-test-np3", "testIII"),
-					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "auto_scaling_config.0.security_group_ids.#", "2"),
+					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "auto_scaling_config.0.orderly_security_group_ids.#", "4"),
 					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "auto_scaling_config.0.host_name", "12.123.1.1"),
 					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "auto_scaling_config.0.host_name_style", "UNIQUE"),
 					resource.TestCheckResourceAttr(testTkeClusterNodePoolResourceKey, "auto_scaling_config.0.enhanced_security_service", "true"),
@@ -276,6 +276,10 @@ data "tencentcloud_security_groups" "sg" {
 data "tencentcloud_security_groups" "sg_as" {
   name = "keep-for-as"
 }
+
+data "tencentcloud_security_groups" "sg_keep" {
+  name = "keep-"
+}
 `
 
 const testAccTkeNodePoolCluster string = testAccTkeNodePoolClusterBasic + `
@@ -300,7 +304,7 @@ resource "tencentcloud_kubernetes_node_pool" "np_test" {
     instance_type      = var.ins_type
     system_disk_type   = "CLOUD_PREMIUM"
     system_disk_size   = "50"
-    security_group_ids = [data.tencentcloud_security_groups.sg.security_groups[0].security_group_id]
+    orderly_security_group_ids = [data.tencentcloud_security_groups.sg.security_groups[0].security_group_id, data.tencentcloud_security_groups.sg_keep.security_groups[0].security_group_id]
     cam_role_name = "TCB_QcsRole"
     data_disk {
       disk_type = "CLOUD_PREMIUM"
@@ -364,7 +368,7 @@ resource "tencentcloud_kubernetes_node_pool" "np_test" {
     instance_type      = var.ins_type
     system_disk_type   = "CLOUD_PREMIUM"
     system_disk_size   = "100"
-    security_group_ids = [data.tencentcloud_security_groups.sg.security_groups[0].security_group_id, data.tencentcloud_security_groups.sg_as.security_groups[0].security_group_id]
+    orderly_security_group_ids = [data.tencentcloud_security_groups.sg.security_groups[0].security_group_id, data.tencentcloud_security_groups.sg_as.security_groups[0].security_group_id, data.tencentcloud_security_groups.sg_keep.security_groups[0].security_group_id, data.tencentcloud_security_groups.sg_keep.security_groups[1].security_group_id]
 	instance_charge_type = "SPOTPAID"
     spot_instance_type = "one-time"
     spot_max_price = "1000"
@@ -439,7 +443,7 @@ resource "tencentcloud_kubernetes_node_pool" "np_test" {
     cam_role_name      = "TCB_QcsRole"
     system_disk_type   = "CLOUD_PREMIUM"
     system_disk_size   = "50"
-    security_group_ids = [data.tencentcloud_security_groups.sg.security_groups[0].security_group_id]
+    orderly_security_group_ids = [data.tencentcloud_security_groups.sg.security_groups[0].security_group_id]
 
     data_disk {
       disk_type = "CLOUD_PREMIUM"
@@ -479,7 +483,7 @@ resource "tencentcloud_kubernetes_node_pool" "np_test" {
     instance_type      = "GN6S.LARGE20"
     system_disk_type   = "CLOUD_PREMIUM"
     system_disk_size   = "100"
-    security_group_ids = [data.tencentcloud_security_groups.sg.security_groups[0].security_group_id, data.tencentcloud_security_groups.sg_as.security_groups[0].security_group_id]
+    orderly_security_group_ids = [data.tencentcloud_security_groups.sg.security_groups[0].security_group_id, data.tencentcloud_security_groups.sg_as.security_groups[0].security_group_id]
 	instance_charge_type = "SPOTPAID"
     spot_instance_type = "one-time"
     spot_max_price = "1000"

website/docs/r/kubernetes_node_pool.html.markdown

@@ -201,6 +201,7 @@ The `auto_scaling_config` object supports the following:
 * `internet_charge_type` - (Optional, String) Charge types for network traffic. Valid value: `BANDWIDTH_PREPAID`, `TRAFFIC_POSTPAID_BY_HOUR`, `TRAFFIC_POSTPAID_BY_HOUR` and `BANDWIDTH_PACKAGE`.
 * `internet_max_bandwidth_out` - (Optional, Int) Max bandwidth of Internet access in Mbps. Default is `0`.
 * `key_ids` - (Optional, List, ForceNew) ID list of keys.
+* `orderly_security_group_ids` - (Optional, List) Ordered security groups to which a CVM instance belongs.
 * `password` - (Optional, String, ForceNew) Password to access.
 * `public_ip_assigned` - (Optional, Bool) Specify whether to assign an Internet IP address.
 * `security_group_ids` - (Optional, Set) Security groups to which a CVM instance belongs.