[Open] jennings opened 2 years ago
Firewall rules aren't a separate resource from the network, so "create" and "delete" don't actually create or delete a resource. When Terraform "creates" the rules, it would just overwrite whatever rules existed and the Terraform diff would not display this.
Another option would be to make this a nested set property of `meraki_network`:

```hcl
resource "meraki_network" "n" {
  organization_id = 12345
  name            = "network"

  l3_firewall_rule {
    comment        = "Allow TCP traffic to subnet with HTTP servers."
    policy         = "allow"
    protocol       = "tcp"
    dest_port      = "443"
    dest_cidr      = "192.168.1.0/24"
    src_port       = "Any"
    src_cidr       = "Any"
    syslog_enabled = false
  }

  l7_firewall_rule {
    policy = "deny"
    type   = "host"
    value  = "google.com"
  }

  l7_firewall_rule {
    policy = "deny"
    type   = "port"
    value  = "23"
  }
}
```
Pros:

- With the rules declared in an `lx_firewall_rule` block, Terraform will show a diff when applying

Cons:

- Requires that `meraki_network` is managed by Terraform

Questions:

- `rule { ... }` syntax or `rules = [ { ... } ]` syntax? The latter lets you use `rules = []` to say "there should be no rules", while the absence of the attribute means "do not manage the rules"
Layer 3: https://developer.cisco.com/meraki/api-v1/#!update-network-appliance-firewall-l-3-firewall-rules
Layer 7: https://developer.cisco.com/meraki/api-v1/#!update-network-appliance-firewall-l-7-firewall-rules
Proposed syntax:

The swagger doc lists this under `appliance/firewall/l7firewallrules`, but the URL scheme begins with `network`. Should this be the very verbose `meraki_network_appliance_firewall_l7firewallrules`?