resource(vpc_firewall_rules): support new api changes

Pulled in the Go SDK changes from
oxidecomputer/oxide.go#304 which contained
changes to the VPC firewall rules APIs.

Updated the `oxide_vpc_firewall_rules` resource to account for these
changes.

Author: sudomateo

.changelog/0.13.0.toml

@@ -1,6 +1,6 @@
 [[breaking]]
-title = ""
-description = ""
+title = "`oxide_vpc_firewall_rules`"
+description = "Updated the schema for the `protocols` attribute to allow for more control over ICMP traffic. [#474](https://github.com/oxidecomputer/terraform-provider-oxide/pull/474)"
 
 [[features]]
 title = ""

docs/resources/oxide_vpc_firewall_rules.md

@@ -15,6 +15,8 @@ rules when updating this resource.
 
 ## Example Usage
 
+### Basic Example
+
 ```hcl
 resource "oxide_vpc_firewall_rules" "example" {
   vpc_id = "6556fc6a-63c0-420b-bb23-c3205410f5cc"
@@ -34,7 +36,50 @@ resource "oxide_vpc_firewall_rules" "example" {
           }
         ]
         ports     = ["443"]
-        protocols = ["TCP"]
+        protocols = ["tcp"]
+      },
+      targets = [
+        {
+          type  = "subnet"
+          value = "default"
+        }
+      ]
+    }
+  ]
+}
+```
+
+### ICMP Example
+
+```hcl
+resource "oxide_vpc_firewall_rules" "example" {
+  vpc_id = "6556fc6a-63c0-420b-bb23-c3205410f5cc"
+  rules = [
+    {
+      action      = "allow"
+      description = "Allow ICMP"
+      name        = "allow-icmp"
+      direction   = "inbound"
+      priority    = 50
+      status      = "enabled"
+      filters = {
+        protocols = [
+          # All ICMP.
+          {
+            type = "icmp",
+          },
+          # Echo Reply types.
+          {
+            type = "icmp",
+            icmp_type = 0
+          },
+          # Echo Reply types with codes 1-3.
+          {
+            type = "icmp",
+            icmp_type = 0
+            icmp_code = "1-3"
+          },
+        ]
       },
       targets = [
         {
@@ -86,7 +131,7 @@ Required:
 Optional:
 
 - `hosts` (Set) If present, the sources (if incoming) or destinations (if outgoing) this rule applies to. (see [below for nested schema](#nestedatt--hosts))
-- `protocols` (Array of Strings) If present, the networking protocols this rule applies to. Possible values are: TCP, UDP and ICMP.
+- `protocols` (Set) If present, the networking protocols this rule applies to. (see [below for nested schema](#nestedatt--protocols))
 - `ports` (Array of Strings) If present, the destination ports this rule applies to. Can be a mix of single ports (e.g., `"443"`) and port ranges (e.g., `"30000-32768"`).
 
 <a id="nestedatt--hosts"></a>
@@ -103,6 +148,19 @@ Required:
 	- For type ip: IP address
 	- For type ip_net: IPv4 or IPv6 subnet
 
+<a id="nestedatt--protocols"></a>
+
+### Nested Schema for `protocols`
+
+Required:
+
+- `type` (String) The protocol type. Must be one of `tcp`, `udp`, or `icmp`.
+
+Optional:
+
+- `icmp_type` (Number) ICMP type (e.g., 0 for Echo Reply). Only valid when `type` is `icmp`.
+- `icmp_code` (String) ICMP code (e.g., 0) or range (e.g., 1-3). Omit to filter all traffic of the specified `icmp_type`. Only valid when type is `icmp` and `icmp_type` is provided.
+
 <a id="nestedatt--targets"></a>
 
 ### Nested Schema for `targets`

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/terraform-plugin-log v0.9.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.37.0
 	github.com/hashicorp/terraform-plugin-testing v1.13.2
-	github.com/oxidecomputer/oxide.go v0.5.0
+	github.com/oxidecomputer/oxide.go v0.5.1-0.20250719004549-7255536641a1
 	github.com/stretchr/testify v1.10.0
 )
 

go.sum

@@ -136,8 +136,8 @@ github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zx
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
-github.com/oxidecomputer/oxide.go v0.5.0 h1:bT5FPUmczVcS84NCLdJZ5PAWHMhINz99QQVLImnd5Sc=
-github.com/oxidecomputer/oxide.go v0.5.0/go.mod h1:4gfHlxdBQLs/34UbChPvINd+pGNAnGlASRGEd4xIz1Y=
+github.com/oxidecomputer/oxide.go v0.5.1-0.20250719004549-7255536641a1 h1:fdKQaoRt2FDN3OYWT4pJGgDqqmfb2eq5KYYigN+HDIw=
+github.com/oxidecomputer/oxide.go v0.5.1-0.20250719004549-7255536641a1/go.mod h1:4gfHlxdBQLs/34UbChPvINd+pGNAnGlASRGEd4xIz1Y=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=

internal/provider/resource_vpc_firewall_rules.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/hashicorp/terraform-plugin-framework-timeouts/resource/timeouts"
+	"github.com/hashicorp/terraform-plugin-framework-validators/int32validator"
 	"github.com/hashicorp/terraform-plugin-framework-validators/setvalidator"
 	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/attr"
@@ -77,16 +78,22 @@ type vpcFirewallRulesResourceRuleTargetModel struct {
 }
 
 type vpcFirewallRulesResourceRuleFiltersModel struct {
-	Hosts     []vpcFirewallRuleHostFilterModel `tfsdk:"hosts"`
-	Ports     types.Set                        `tfsdk:"ports"`
-	Protocols types.Set                        `tfsdk:"protocols"`
+	Hosts     []vpcFirewallRuleHostFilterModel     `tfsdk:"hosts"`
+	Ports     types.Set                            `tfsdk:"ports"`
+	Protocols []vpcFirewallRuleProtocolFilterModel `tfsdk:"protocols"`
 }
 
 type vpcFirewallRuleHostFilterModel struct {
 	Type  types.String `tfsdk:"type"`
 	Value types.String `tfsdk:"value"`
 }
 
+type vpcFirewallRuleProtocolFilterModel struct {
+	Type     types.String `tfsdk:"type"`
+	IcmpType types.Int32  `tfsdk:"icmp_type"`
+	IcmpCode types.String `tfsdk:"icmp_code"`
+}
+
 // Metadata returns the resource type name.
 func (r *vpcFirewallRulesResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
 	resp.TypeName = "oxide_vpc_firewall_rules"
@@ -188,18 +195,41 @@ func (r *vpcFirewallRulesResource) Schema(ctx context.Context, _ resource.Schema
 										setvalidator.SizeAtLeast(1),
 									},
 								},
-								"protocols": schema.SetAttribute{
-									Description: "If present, the networking protocols this rule applies to. Possible values are: TCP, UDP and ICMP.",
+								"protocols": schema.SetNestedAttribute{
+									Description: "The protocols in a firewall rule's filter.",
 									Optional:    true,
-									ElementType: types.StringType,
+									NestedObject: schema.NestedAttributeObject{
+										Attributes: map[string]schema.Attribute{
+											"type": schema.StringAttribute{
+												Required:    true,
+												Description: "The protocol type. Must be one of `tcp`, `udp`, or `icmp`.",
+												Validators: []validator.String{
+													stringvalidator.OneOf(
+														string(oxide.VpcFirewallRuleProtocolTypeTcp),
+														string(oxide.VpcFirewallRuleProtocolTypeUdp),
+														string(oxide.VpcFirewallRuleProtocolTypeIcmp),
+													),
+												},
+											},
+											"icmp_type": schema.Int32Attribute{
+												Optional:    true,
+												Description: "ICMP type. Only valid when type is `icmp`.",
+												Validators: []validator.Int32{
+													int32validator.Between(0, 255),
+												},
+											},
+											"icmp_code": schema.StringAttribute{
+												Optional:    true,
+												Description: "ICMP code (e.g., 0) or range (e.g., 1-3). Omit to filter all traffic of the specified `icmp_type`. Only valid when type is `icmp` and `icmp_type` is provided.",
+												Validators: []validator.String{
+													stringvalidator.AlsoRequires(path.Expressions{
+														path.MatchRelative().AtParent().AtName("icmp_type"),
+													}...),
+												},
+											},
+										},
+									},
 									Validators: []validator.Set{
-										setvalidator.ValueStringsAre(stringvalidator.Any(
-											stringvalidator.OneOf(
-												string(oxide.VpcFirewallRuleProtocolTcp),
-												string(oxide.VpcFirewallRuleProtocolUdp),
-												string(oxide.VpcFirewallRuleProtocolIcmp),
-											),
-										)),
 										setvalidator.SizeAtLeast(1),
 									},
 								},
@@ -609,14 +639,25 @@ func newFiltersModelFromResponse(filter oxide.VpcFirewallRuleFilter) (*vpcFirewa
 		return nil, diags
 	}
 
-	var protocols = []attr.Value{}
+	var protocolModels = []vpcFirewallRuleProtocolFilterModel{}
 	for _, protocol := range filter.Protocols {
-		protocols = append(protocols, types.StringValue(string(protocol)))
-	}
-	protocolSet, diags := types.SetValue(types.StringType, protocols)
-	diags.Append(diags...)
-	if diags.HasError() {
-		return nil, diags
+		protocolModel := vpcFirewallRuleProtocolFilterModel{
+			Type: types.StringValue(string(protocol.Type)),
+			IcmpCode: func() types.String {
+				if protocol.Value.Code == "" {
+					return types.StringNull()
+				}
+				return types.StringValue(string(protocol.Value.Code))
+			}(),
+			IcmpType: func() types.Int32 {
+				if protocol.Value.IcmpType == nil {
+					return types.Int32Null()
+				}
+				return types.Int32Value(int32(*protocol.Value.IcmpType))
+			}(),
+		}
+
+		protocolModels = append(protocolModels, protocolModel)
 	}
 
 	model := vpcFirewallRulesResourceRuleFiltersModel{}
@@ -631,10 +672,10 @@ func newFiltersModelFromResponse(filter oxide.VpcFirewallRuleFilter) (*vpcFirewa
 		model.Ports = types.SetNull(types.StringType)
 	}
 
-	if len(protocolSet.Elements()) > 0 {
-		model.Protocols = protocolSet
+	if len(protocolModels) > 0 {
+		model.Protocols = protocolModels
 	} else {
-		model.Protocols = types.SetNull(types.StringType)
+		model.Protocols = nil
 	}
 
 	return &model, nil
@@ -674,9 +715,22 @@ func newFilterTypeFromModel(model *vpcFirewallRulesResourceRuleFiltersModel) oxi
 	}
 
 	protocols := []oxide.VpcFirewallRuleProtocol{}
-	for _, protocol := range model.Protocols.Elements() {
-		p, _ := strconv.Unquote(protocol.String())
-		protocols = append(protocols, oxide.VpcFirewallRuleProtocol(p))
+	for _, protocolModel := range model.Protocols {
+		protocol := oxide.VpcFirewallRuleProtocol{
+			Type: oxide.VpcFirewallRuleProtocolType(protocolModel.Type.ValueString()),
+			Value: oxide.VpcFirewallIcmpFilter{
+				Code: oxide.IcmpParamRange(protocolModel.IcmpCode.ValueString()),
+				IcmpType: func() *int {
+					if protocolModel.IcmpType.IsNull() {
+						return nil
+					}
+
+					return oxide.NewPointer(int(protocolModel.IcmpType.ValueInt32()))
+				}(),
+			},
+		}
+
+		protocols = append(protocols, protocol)
 	}
 
 	return oxide.VpcFirewallRuleFilter{