Closed rjoensen closed 1 year ago
When you say "messes up", are you referring to the plan output or the actual configuration applied? There are certain limitations with Terraform when it comes to displaying planned changes in list attributes, while the actual config being applied should be correct. Could you maybe share an example config/sequence to illustrate the issue?
Due to the way the provider is built, this kind of normalization is likely something we will not do at the resource level. It can easily be done in a TF module and/or code though (example: https://github.com/netascode/terraform-aci-filter/blob/8fd5f96eeaede93fcd89b2d89b0faa8b0a673e18/main.tf#L21).
Could you share an example config?
Hello,
I apologize for the delayed response on this.
My workaround for 1 right now is just to delete the sequence first, and then re-add it, which does the trick.
As for 2, I have been able to work around this as well, by simply applying, and then re-running apply and seeing the config drift, and then changing the terraform config to match that.
This is a response to 3)
It turns out that I was doing this wrong; I was using permit_destination_address instead of permit_destination_host.
I did stumble upon another issue with the ACL, and that is permit/deny based on subnets. You can do this through permit/deny_destination/source_address and then use the wildcard_mask. However, this is a little bit messy and unnecessary.
Example resource:
{
  sequence_number = 650
  deny_protocol = "ipv4"
  deny_source_address = "192.168.1.0"
  deny_source_wildcard_mask = "0.252.255.255"
  deny_destination_any = "true"
}
In the NCS configuration this turns into: 650 deny ipv4 192.168.1.0 0.252.255.255 any
However, if I sit in the cli, I can simply just edit this ACL, and configure it as following: 650 deny ipv4 192.168.1.0/24 any
This is much cleaner and easier to work with.
But I seem to be unable to use subnets when using the iosxr_ipv4_access_list resource and ipv6 for that matter.
Best wishes, rjoensen
Have you tried this?
deny_source_address = "192.168.1.0"
deny_source_prefix_length = 24
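The normalization the maintainer refers to above, together with the prefix-length form suggested here, as an added example that is not part of this thread or of the provider: a small Python helper that rewrites a sequence given as address plus wildcard mask (or as a CIDR string) into the address plus prefix_length form, refuses non-contiguous wildcard masks, and renders the resulting IOS XR CLI line for comparison with the router. The attribute names are the ones used in this thread; the dict layout, the helper names and the sample entry are assumptions.

```python
import ipaddress

# Added example, not the provider's own code. Key names follow the
# iosxr_ipv4_access_list sequence attributes used in the thread.
ADDRESS_FIELDS = [
    (f"{a}_{s}_address", f"{a}_{s}_wildcard_mask", f"{a}_{s}_prefix_length")
    for a in ("permit", "deny") for s in ("source", "destination")
]


def wildcard_to_prefix_length(mask: str) -> int:
    """0.0.0.255 -> 24. Only a mask whose set bits form one trailing run has a
    CIDR equivalent; any other mask (e.g. 0.255.0.255) matches addresses outside
    a single subnet, so it is rejected rather than silently approximated."""
    bits = int(ipaddress.IPv4Address(mask))
    if bits != (1 << bits.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard mask {mask!r}")
    return 32 - bits.bit_length()


def normalize_sequence(seq: dict) -> dict:
    """Copy of an ACL sequence with every network in address + prefix-length form.
    Accepts a CIDR string in *_address or *_address plus *_wildcard_mask."""
    out = dict(seq)
    for addr_key, mask_key, plen_key in ADDRESS_FIELDS:
        if "/" in str(out.get(addr_key, "")):
            # strict=True refuses host bits below the prefix (192.168.1.5/24)
            net = ipaddress.IPv4Network(out[addr_key], strict=True)
            out[addr_key], out[plen_key] = str(net.network_address), net.prefixlen
        if mask_key in out:
            out[plen_key] = wildcard_to_prefix_length(out.pop(mask_key))
    return out


def _endpoint(seq: dict, action: str, side: str) -> str:
    plen = seq.get(f"{action}_{side}_prefix_length")
    if plen is not None:
        return f"{seq[f'{action}_{side}_address']}/{plen}"
    if seq.get(f"{action}_{side}_host"):
        return f"host {seq[f'{action}_{side}_host']}"
    return "any"


def render_cli(seq: dict) -> str:
    """IOS XR CLI line for a normalized sequence, to diff against the router."""
    action = "deny" if "deny_protocol" in seq else "permit"
    return (f"{seq['sequence_number']} {action} {seq[f'{action}_protocol']} "
            f"{_endpoint(seq, action, 'source')} {_endpoint(seq, action, 'destination')}")


# Constructed sample: the thread's sequence 650 written with a /24 wildcard mask.
SAMPLE = {"sequence_number": 650, "deny_protocol": "ipv4",
          "deny_source_address": "192.168.1.0", "deny_source_wildcard_mask": "0.0.0.255",
          "deny_destination_any": "true"}
```

Running the sample through `render_cli(normalize_sequence(SAMPLE))` gives the CLI form shown in the thread, `650 deny ipv4 192.168.1.0/24 any`.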
Hello,
This fixes it. My bad for not seeing this in your documentation. Thank you for pointing it out!
Best wishes, rjoensen
Hello,
Good job on this one, it works great, but it seems to have some minor issues.
1) Making changes to a sequence, e.g. changing it from permit_source_host to permit_source_address seems to mess up the sequence completely. Also, moving source_port_eq or destination_port_eq around also messes up the sequence applied to the router. The workaround here is to comment out the sequence in your configuration, apply, and then uncomment with your new changes, and it works just fine.
2) If you use source/destination_port_eq, let's say "53", the router will configure this as "domain" and the terraform tfstate will want this to be "DNS", and then when you rerun terraform apply for your entire module, it will complain about this. If you change the config to say "DNS" instead of "53" it goes away. Would be nice to not see this error at all maybe?
3) When using deny/permit_destination_address/host in your config, it adds everything just fine, but when you rerun the resource, it constantly tries to update these values as if they are incorrect somewhere. Maybe not necessarily an issue, but it's annoying when you are working with a full config, and/or making changes to ACLs.
Reporting these for you to review and improve if possible.
Appreciate all your work on this!
Best wishes, rjoensen