From d155cfc6c45eb0f2c10500c21b5bafb2ce0dd9fc Mon Sep 17 00:00:00 2001
From: Curverneur
Date: Fri, 21 Nov 2025 23:53:57 +0100
Subject: [PATCH 1/3] added dest_cidr_list option to resource_cloudstack_egress_firewall and updated doc page accordingly
---
 .../resource_cloudstack_egress_firewall.go | 30 +++++++++++++++++++
 website/docs/r/egress_firewall.html.markdown | 11 ++++---
 2 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/cloudstack/resource_cloudstack_egress_firewall.go b/cloudstack/resource_cloudstack_egress_firewall.go
index e2a83e4c..11fc4d5d 100644
--- a/cloudstack/resource_cloudstack_egress_firewall.go
+++ b/cloudstack/resource_cloudstack_egress_firewall.go
@@ -70,6 +70,13 @@ func resourceCloudStackEgressFirewall() *schema.Resource {
 Set: schema.HashString,
 },
+ "dest_cidr_list": {
+ Type: schema.TypeSet,
+ Optional: true,
+ Elem: &schema.Schema{Type: schema.TypeString},
+ Set: schema.HashString,
+ },
+
 "protocol": {
 Type: schema.TypeString,
 Required: true,
@@ -194,6 +201,15 @@ func createEgressFirewallRule(d *schema.ResourceData, meta interface{}, rule map
 p.SetCidrlist(cidrList)
 }
+ // Set the destination CIDR list
+ var destcidrList []string
+ if rs := rule["cidr_list"].(*schema.Set); rs.Len() > 0 {
+ for _, cidr := range rule["dest_cidr_list"].(*schema.Set).List() {
+ destcidrList = append(destcidrList, cidr.(string))
+ }
+ p.SetDestcidrlist(destcidrList)
+ }
+
 // If the protocol is ICMP set the needed ICMP parameters
 if rule["protocol"].(string) == "icmp" {
 p.SetIcmptype(rule["icmp_type"].(int))
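Review bot: The guard around the new destination block in createEgressFirewallRule tests the length of `rule["cidr_list"]` but iterates `rule["dest_cidr_list"]`, so whenever the required `cidr_list` is non-empty the branch runs and `p.SetDestcidrlist(destcidrList)` is called even when no destination list was configured, presumably sending an empty destcidrlist parameter to the API. The condition should read `if rs := rule["dest_cidr_list"].(*schema.Set); rs.Len() > 0 {` and the loop should range over `rs.List()` instead of repeating the lookup. If the SDK can leave that key absent from the rule map rather than supplying an empty set, the unchecked type assertion would panic, so a two-value assertion with an `ok` check would be the safer form; I cannot confirm from the hunk which applies. createEgressFirewallRule starts and ends outside the hunk.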
@@ -319,11 +335,18 @@ func resourceCloudStackEgressFirewallRead(d *schema.ResourceData, meta interface
 cidrs.Add(cidr)
 }
+ // Create a set with all destination CIDR's
+ destcidrs := &schema.Set{F: schema.HashString}
+ for _, cidr := range strings.Split(r.Destcidrlist, ",") {
+ destcidrs.Add(cidr)
+ }
+
 // Update the values
 rule["protocol"] = r.Protocol
 rule["icmp_type"] = r.Icmptype
 rule["icmp_code"] = r.Icmpcode
 rule["cidr_list"] = cidrs
+ rule["dest_cidr_list"] = destcidrs
 rules.Add(rule)
 }
@@ -357,9 +380,16 @@ func resourceCloudStackEgressFirewallRead(d *schema.ResourceData, meta interface
 cidrs.Add(cidr)
 }
+ // Create a set with all destination CIDR's
+ destcidrs := &schema.Set{F: schema.HashString}
+ for _, cidr := range strings.Split(r.Destcidrlist, ",") {
+ destcidrs.Add(cidr)
+ }
+
 // Update the values
 rule["protocol"] = r.Protocol
 rule["cidr_list"] = cidrs
+ rule["dest_cidr_list"] = destcidrs
 ports.Add(port)
 }
diff --git a/website/docs/r/egress_firewall.html.markdown b/website/docs/r/egress_firewall.html.markdown
index 10badd17..35bf6dd5 100644
--- a/website/docs/r/egress_firewall.html.markdown
+++ b/website/docs/r/egress_firewall.html.markdown
@@ -17,9 +17,10 @@ resource "cloudstack_egress_firewall" "default" {
 network_id = "6eb22f91-7454-4107-89f4-36afcdf33021"
 rule {
- cidr_list = ["10.0.0.0/8"]
- protocol = "tcp"
- ports = ["80", "1000-2000"]
+ cidr_list = ["10.1.0.0/16"]
+ dest_cidr_list = ["10.2.0.0/16"]
+ protocol = "tcp"
+ ports = ["80", "1000-2000"]
 }
 }
 ```
@@ -43,7 +44,9 @@ The following arguments are supported:
 The `rule` block supports:
-* `cidr_list` - (Required) A CIDR list to allow access to the given ports.
+* `cidr_list` - (Required) the cidr list to forward traffic from.
+
+* `dest_cidr_list` - (Optional) the cidr list to forward traffic to.
 * `protocol` - (Required) The name of the protocol to allow. Valid options are: `tcp`, `udp` and `icmp`.
From dc603d23b7da866713d280fbf1dc8a69387bb6b8 Mon Sep 17 00:00:00 2001
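Review bot: `strings.Split(r.Destcidrlist, ",")` on an empty string yields `[""]`, so a rule that has no destination list reads back with a `dest_cidr_list` set holding one empty-string element, which never matches an unset `dest_cidr_list` in configuration and produces a perpetual diff; the existing `cidrs` code has the same shape but `cidr_list` is required and so never empty. Guard the split, e.g. `if r.Destcidrlist != "" {` around the loop, so an absent destination list reads back as an empty set. The same applies to the second hunk at -357,9 in the ports branch. resourceCloudStackEgressFirewallRead starts and ends outside both hunks.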
From: Curverneur
Date: Mon, 24 Nov 2025 20:21:25 +0100
Subject: [PATCH 2/3] reverted some changes that required egress fw rules to be re-created; ensure the new feature is optional and fully backward-compatible
---
 .../resource_cloudstack_egress_firewall.go | 30 -------------------
 1 file changed, 30 deletions(-)
diff --git a/cloudstack/resource_cloudstack_egress_firewall.go b/cloudstack/resource_cloudstack_egress_firewall.go
index 11fc4d5d..a1bc2179 100644
--- a/cloudstack/resource_cloudstack_egress_firewall.go
+++ b/cloudstack/resource_cloudstack_egress_firewall.go
@@ -201,15 +201,6 @@ func createEgressFirewallRule(d *schema.ResourceData, meta interface{}, rule map
 p.SetCidrlist(cidrList)
 }
- // Set the destination CIDR list
- var destcidrList []string
- if rs := rule["cidr_list"].(*schema.Set); rs.Len() > 0 {
- for _, cidr := range rule["dest_cidr_list"].(*schema.Set).List() {
- destcidrList = append(destcidrList, cidr.(string))
- }
- p.SetDestcidrlist(destcidrList)
- }
-
 // If the protocol is ICMP set the needed ICMP parameters
 if rule["protocol"].(string) == "icmp" {
 p.SetIcmptype(rule["icmp_type"].(int))
@@ -329,24 +320,10 @@ func resourceCloudStackEgressFirewallRead(d *schema.ResourceData, meta interface
 // Delete the known rule so only unknown rules remain in the ruleMap
 delete(ruleMap, id.(string))
- // Create a set with all CIDR's
- cidrs := &schema.Set{F: schema.HashString}
- for _, cidr := range strings.Split(r.Cidrlist, ",") {
- cidrs.Add(cidr)
- }
-
- // Create a set with all destination CIDR's
- destcidrs := &schema.Set{F: schema.HashString}
- for _, cidr := range strings.Split(r.Destcidrlist, ",") {
- destcidrs.Add(cidr)
- }
-
 // Update the values
 rule["protocol"] = r.Protocol
 rule["icmp_type"] = r.Icmptype
 rule["icmp_code"] = r.Icmpcode
- rule["cidr_list"] = cidrs
- rule["dest_cidr_list"] = destcidrs
 rules.Add(rule)
 }
@@ -380,16 +357,9 @@ func resourceCloudStackEgressFirewallRead(d *schema.ResourceData, meta interface
 cidrs.Add(cidr)
 }
- // Create a set with all destination CIDR's
- destcidrs := &schema.Set{F: schema.HashString}
- for _, cidr := range strings.Split(r.Destcidrlist, ",") {
- destcidrs.Add(cidr)
- }
-
 // Update the values
 rule["protocol"] = r.Protocol
 rule["cidr_list"] = cidrs
- rule["dest_cidr_list"] = destcidrs
 ports.Add(port)
 }
From 2c28875a76f5cb8653eefd72a9d1194c24fae6c4 Mon Sep 17 00:00:00 2001
From: Curverneur
Date: Tue, 25 Nov 2025 09:02:47 +0100
Subject: [PATCH 3/3] re-added accidentally removed cidr set from resourceCloudStackEgressFirewallRead
---
 cloudstack/resource_cloudstack_egress_firewall.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/cloudstack/resource_cloudstack_egress_firewall.go b/cloudstack/resource_cloudstack_egress_firewall.go
index a1bc2179..024b7d05 100644
--- a/cloudstack/resource_cloudstack_egress_firewall.go
+++ b/cloudstack/resource_cloudstack_egress_firewall.go
@@ -320,10 +320,17 @@ func resourceCloudStackEgressFirewallRead(d *schema.ResourceData, meta interface
 // Delete the known rule so only unknown rules remain in the ruleMap
 delete(ruleMap, id.(string))
+ // Create a set with all CIDR's
+ cidrs := &schema.Set{F: schema.HashString}
+ for _, cidr := range strings.Split(r.Cidrlist, ",") {
+ cidrs.Add(cidr)
+ }
+
 // Update the values
 rule["protocol"] = r.Protocol
 rule["icmp_type"] = r.Icmptype
 rule["icmp_code"] = r.Icmpcode
+ rule["cidr_list"] = cidrs
 rules.Add(rule)
 }
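Review bot: After this patch the series still declares `dest_cidr_list` in the resource schema and describes it on the docs page (both from patch 1), but the create-side `p.SetDestcidrlist(...)` call and both read-side `rule["dest_cidr_list"] = destcidrs` assignments removed in patch 2 are not restored here; only the `cidrs` set comes back. A configuration that sets `dest_cidr_list` is therefore accepted and then silently ignored: the rule is created without the destination parameter, so whatever the API default is (presumably no destination restriction) applies, the rule is broader than the configuration states, and Read never reports the discrepancy. Either restore the create and read handling with an empty-string guard on `r.Destcidrlist` so existing rules do not diff, or remove the attribute from the schema and the docs until it is wired through. resourceCloudStackEgressFirewallRead starts and ends outside the hunk.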