From f4783f8cda701b6800403d50840240da6469fd38 Mon Sep 17 00:00:00 2001
From: Pavel Boldyrev <627562+bpg@users.noreply.github.com>
Date: Sun, 9 Apr 2023 19:59:40 -0400
Subject: [PATCH] fix(firewall): Add support for `firewall` flag for LXC/VM net adapters (#295)

---
 .../virtual_environment_container.md | 7 ++--
 docs/resources/virtual_environment_vm.md | 2 ++
 proxmoxtf/resource/container.go | 27 +++++++++++++++
 proxmoxtf/resource/vm.go | 34 ++++++++++++++-----
 4 files changed, 59 insertions(+), 11 deletions(-)

diff --git a/docs/resources/virtual_environment_container.md b/docs/resources/virtual_environment_container.md
index 5c6d976e0..0d9637fd9 100644
--- a/docs/resources/virtual_environment_container.md
+++ b/docs/resources/virtual_environment_container.md
@@ -142,6 +142,8 @@ output "ubuntu_container_public_key" {
 to `vmbr0`).
 - `enabled` - (Optional) Whether to enable the network device (defaults to `true`).
+ - `firewall` - (Optional) Whether this interface's firewall rules should be
+ used (defaults to `false`).
 - `mac_address` - (Optional) The MAC address.
 - `mtu` - (Optional) Maximum transfer unit of the interface. Cannot be larger than the bridge's MTU.
@@ -170,10 +172,11 @@ output "ubuntu_container_public_key" {
 meta-argument to ignore changes to this attribute.
 - `template` - (Optional) Whether to create a template (defaults to `false`).
 - `unprivileged` - (Optional) Whether the container runs as unprivileged on
-the host (defaults to `false`).
+ the host (defaults to `false`).
 - `vm_id` - (Optional) The virtual machine identifier
 - `features` - (Optional) The container features
- - `nesting` - (Optional) Whether the container is nested (defaults to `false`)
+ - `nesting` - (Optional) Whether the container is nested (defaults
+ to `false`)
 ## Attribute Reference
diff --git a/docs/resources/virtual_environment_vm.md b/docs/resources/virtual_environment_vm.md
index c2e91d62e..b4d633bcf 100644
--- a/docs/resources/virtual_environment_vm.md
+++ b/docs/resources/virtual_environment_vm.md
@@ -327,6 +327,8 @@ output "ubuntu_vm_public_key" {
 to `vmbr0`).
 - `enabled` - (Optional) Whether to enable the network device (defaults to `true`).
+ - `firewall` - (Optional) Whether this interface's firewall rules should be
+ used (defaults to `false`).
 - `mac_address` - (Optional) The MAC address.
 - `model` - (Optional) The network device model (defaults to `virtio`).
 - `e1000` - Intel E1000.
diff --git a/proxmoxtf/resource/container.go b/proxmoxtf/resource/container.go
index 7cab36585..e52935d45 100644
--- a/proxmoxtf/resource/container.go
+++ b/proxmoxtf/resource/container.go
@@ -47,6 +47,7 @@ const (
 dvResourceVirtualEnvironmentContainerMemorySwap = 0
 dvResourceVirtualEnvironmentContainerNetworkInterfaceBridge = "vmbr0"
 dvResourceVirtualEnvironmentContainerNetworkInterfaceEnabled = true
+ dvResourceVirtualEnvironmentContainerNetworkInterfaceFirewall = false
 dvResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress = ""
 dvResourceVirtualEnvironmentContainerNetworkInterfaceRateLimit = 0
 dvResourceVirtualEnvironmentContainerNetworkInterfaceVLANID = 0
@@ -98,6 +99,7 @@ const (
 mkResourceVirtualEnvironmentContainerNetworkInterface = "network_interface"
 mkResourceVirtualEnvironmentContainerNetworkInterfaceBridge = "bridge"
 mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled = "enabled"
+ mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall = "firewall"
 mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress = "mac_address"
 mkResourceVirtualEnvironmentContainerNetworkInterfaceName = "name"
 mkResourceVirtualEnvironmentContainerNetworkInterfaceRateLimit = "rate_limit"
@@ -510,6 +512,12 @@ func Container() *schema.Resource {
 Optional: true,
 Default: dvResourceVirtualEnvironmentContainerNetworkInterfaceEnabled,
 },
+ mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall: {
+ Type: schema.TypeBool,
+ Description: "Whether this interface's firewall rules should be used.",
+ Optional: true,
+ Default: dvResourceVirtualEnvironmentContainerNetworkInterfaceFirewall,
+ },
 mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress: {
 Type: schema.TypeString,
 Description: "The MAC address",
@@ -888,6 +896,9 @@ func containerCreateClone(ctx context.Context, d *schema.ResourceData, m interfa
 bridge := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceBridge].(string)
 enabled := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled].(bool)
+ firewall := types.CustomBool(
+ networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall].(bool),
+ )
 macAddress := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress].(string)
 name := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceName].(string)
 rateLimit := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceRateLimit].(float64)
@@ -899,6 +910,7 @@ func containerCreateClone(ctx context.Context, d *schema.ResourceData, m interfa
 }
 networkInterfaceObject.Enabled = enabled
+ networkInterfaceObject.Firewall = &firewall
 if len(initializationIPConfigIPv4Address) > ni {
 if initializationIPConfigIPv4Address[ni] != "" {
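Review bot: The three-line `firewall := types.CustomBool(...)` extraction added to containerCreateClone is repeated verbatim in the containerUpdate hunk (`@@ -2150`), on top of the bridge/enabled/mac_address/name/rate_limit lines the two functions already share, so the next network-interface flag will again have to be added in two places and the two paths can drift. A small helper that takes the `networkInterfaceMap` block and returns the populated `networkInterfaceObject` would make both the create and the update path a single call. Taking `&firewall` is fine provided `firewall` is declared inside the per-interface loop body, which the `ni` index suggests but the hunk does not show. containerCreateClone starts and ends outside the hunk.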
@@ -1418,6 +1430,11 @@ func containerGetExistingNetworkInterface(
 }
 networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled] = true
+ if nv.Firewall != nil {
+ networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall] = *nv.Firewall
+ } else {
+ networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall] = false
+ }
 if nv.MACAddress != nil {
 networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress] = *nv.MACAddress
@@ -1776,6 +1793,12 @@ func containerRead(ctx context.Context, d *schema.ResourceData, m interface{}) d
 networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled] = true
+ if nv.Firewall != nil {
+ networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall] = *nv.Firewall
+ } else {
+ networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall] = false
+ }
+
 if nv.MACAddress != nil {
 networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress] = *nv.MACAddress
 } else {
@@ -2150,6 +2173,9 @@ func containerUpdate(ctx context.Context, d *schema.ResourceData, m interface{})
 bridge := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceBridge].(string)
 enabled := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled].(bool)
+ firewall := types.CustomBool(
+ networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall].(bool),
+ )
 macAddress := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress].(string)
 name := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceName].(string)
 rateLimit := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceRateLimit].(float64)
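Review bot: The `else` branch in containerGetExistingNetworkInterface writes the literal `false` into `networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall]`, and the containerRead hunk (`@@ -1776`) does the same, while the schema default this commit introduces lives in `dvResourceVirtualEnvironmentContainerNetworkInterfaceFirewall`; referencing the constant keeps the read-side fallback and the schema default from diverging: `networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall] = dvResourceVirtualEnvironmentContainerNetworkInterfaceFirewall`. The other branch stores `*nv.Firewall`, which is presumably a `types.CustomBool` rather than a plain `bool` (the create path assigns `&firewall` of that type), so the map holds a named type in one branch and a plain bool in the other; the SDK setter should accept both as long as the underlying kind is bool, but `bool(*nv.Firewall)` would make the branches uniform. The same five-line nil-check block appears in both read paths next to the existing `Enabled = true` line and could be one helper. Both enclosing functions start and end outside their hunks.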
@@ -2161,6 +2187,7 @@ func containerUpdate(ctx context.Context, d *schema.ResourceData, m interface{})
 }
 networkInterfaceObject.Enabled = enabled
+ networkInterfaceObject.Firewall = &firewall
 if len(initializationIPConfigIPv4Address) > ni {
 if initializationIPConfigIPv4Address[ni] != "" {
diff --git a/proxmoxtf/resource/vm.go b/proxmoxtf/resource/vm.go
index ef0aad25c..58dfff528 100644
--- a/proxmoxtf/resource/vm.go
+++ b/proxmoxtf/resource/vm.go
@@ -83,6 +83,7 @@ const (
 dvResourceVirtualEnvironmentVMName = ""
 dvResourceVirtualEnvironmentVMNetworkDeviceBridge = "vmbr0"
 dvResourceVirtualEnvironmentVMNetworkDeviceEnabled = true
+ dvResourceVirtualEnvironmentVMNetworkDeviceFirewall = false
 dvResourceVirtualEnvironmentVMNetworkDeviceMACAddress = ""
 dvResourceVirtualEnvironmentVMNetworkDeviceModel = "virtio"
 dvResourceVirtualEnvironmentVMNetworkDeviceRateLimit = 0
@@ -198,6 +199,7 @@ const (
 mkResourceVirtualEnvironmentVMNetworkDevice = "network_device"
 mkResourceVirtualEnvironmentVMNetworkDeviceBridge = "bridge"
 mkResourceVirtualEnvironmentVMNetworkDeviceEnabled = "enabled"
+ mkResourceVirtualEnvironmentVMNetworkDeviceFirewall = "firewall"
 mkResourceVirtualEnvironmentVMNetworkDeviceMACAddress = "mac_address"
 mkResourceVirtualEnvironmentVMNetworkDeviceModel = "model"
 mkResourceVirtualEnvironmentVMNetworkDeviceRateLimit = "rate_limit"
@@ -982,6 +984,12 @@ func VM() *schema.Resource {
 Optional: true,
 Default: dvResourceVirtualEnvironmentVMNetworkDeviceEnabled,
 },
+ mkResourceVirtualEnvironmentVMNetworkDeviceFirewall: {
+ Type: schema.TypeBool,
+ Description: "Whether this interface's firewall rules should be used",
+ Optional: true,
+ Default: dvResourceVirtualEnvironmentVMNetworkDeviceEnabled,
+ },
 mkResourceVirtualEnvironmentVMNetworkDeviceMACAddress: {
 Type: schema.TypeString,
 Description: "The MAC address",
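Review bot: The new `mkResourceVirtualEnvironmentVMNetworkDeviceFirewall` schema entry in `VM()` sets `Default: dvResourceVirtualEnvironmentVMNetworkDeviceEnabled`, which is `true`, while the constant this commit adds for it, `dvResourceVirtualEnvironmentVMNetworkDeviceFirewall = false`, is never used and the virtual_environment_vm.md hunk documents the default as `false`. As written, every `network_device` block that omits `firewall` would be sent with the flag on, and since vmReadCustom reports `false` when the API returns no value, existing VMs would likely show a perpetual plan diff; the container schema in the same commit wires its own `...Firewall` constant correctly. The fix is one line: `Default: dvResourceVirtualEnvironmentVMNetworkDeviceFirewall,`. The description string also lacks the trailing period its container counterpart has, `"Whether this interface's firewall rules should be used."`. `VM()` starts and ends outside the hunk.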
@@ -2602,17 +2610,19 @@ func vmGetNetworkDeviceObjects(d *schema.ResourceData) proxmox.CustomNetworkDevi
 for i, networkDeviceEntry := range networkDevice {
 block := networkDeviceEntry.(map[string]interface{})
- bridge, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceBridge].(string)
- enabled, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceEnabled].(bool)
- macAddress, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceMACAddress].(string)
- model, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceModel].(string)
- rateLimit, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceRateLimit].(float64)
- vlanID, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceVLANID].(int)
- mtu, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceMTU].(int)
+ bridge := block[mkResourceVirtualEnvironmentVMNetworkDeviceBridge].(string)
+ enabled := block[mkResourceVirtualEnvironmentVMNetworkDeviceEnabled].(bool)
+ firewall := types.CustomBool(block[mkResourceVirtualEnvironmentVMNetworkDeviceFirewall].(bool))
+ macAddress := block[mkResourceVirtualEnvironmentVMNetworkDeviceMACAddress].(string)
+ model := block[mkResourceVirtualEnvironmentVMNetworkDeviceModel].(string)
+ rateLimit := block[mkResourceVirtualEnvironmentVMNetworkDeviceRateLimit].(float64)
+ vlanID := block[mkResourceVirtualEnvironmentVMNetworkDeviceVLANID].(int)
+ mtu := block[mkResourceVirtualEnvironmentVMNetworkDeviceMTU].(int)
 device := proxmox.CustomNetworkDevice{
- Enabled: enabled,
- Model: model,
+ Enabled: enabled,
+ Firewall: &firewall,
+ Model: model,
 }
 if bridge != "" {
@@ -3478,6 +3488,12 @@ func vmReadCustom(
 networkDevice[mkResourceVirtualEnvironmentVMNetworkDeviceEnabled] = nd.Enabled
+ if nd.Firewall != nil {
+ networkDevice[mkResourceVirtualEnvironmentVMNetworkDeviceFirewall] = *nd.Firewall
+ } else {
+ networkDevice[mkResourceVirtualEnvironmentVMNetworkDeviceFirewall] = false
+ }
+
 if nd.MACAddress != nil {
 macAddresses[ni] = *nd.MACAddress
 } else {
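Review bot: The rewritten field extraction in vmGetNetworkDeviceObjects replaces the comma-ok assertions (`bridge, _ := block[...].(string)`) with unchecked ones, so a key that is absent from `block` or holds nil now panics the provider instead of yielding the zero value; this is unrelated to the firewall flag and is not mentioned in the commit message. If `networkDevice` comes from `d.Get` on the list schema, the SDK fills every attribute of a nested block with its zero value and the assertions are safe, but that invariant is now implicit in the code. A comment on the `bridge :=` line such as `// all keys are present: the SDK fills nested block attributes from the schema, so unchecked assertions are safe` would record it, or the comma-ok form could be kept and used for the new `firewall` line as well. vmGetNetworkDeviceObjects starts and ends outside the hunk.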