vmware / terraform-provider-nsxt

Terraform VMware NSX-T provider
https://www.terraform.io/docs/providers/nsxt/

Beta resource nsxt_policy_security_policy_rule misses certain configuration changes made outside of Terraform #1220

Closed aq5747 closed 1 month ago

aq5747 commented 1 month ago

Describe the bug

The beta resource nsxt_policy_security_policy_rule has issues detecting when all services are removed from the rule outside of Terraform (via the GUI), but are still defined in the code and remain in the state file. terraform plan does not show any changes and thus the actual deployed infrastructure will be out of sync from Terraform.

For example, if I create a rule with the following code that includes one service:

resource "nsxt_policy_security_policy_rule" "test_rule1" {
  policy_path        = nsxt_policy_parent_security_policy.test_policy.path
  sequence_number    = 1
  display_name       = "test_rule1"
  destination_groups = [nsxt_policy_group.test_group.path]
  action             = "ALLOW"
  services           = ["/infra/services/HTTPS"]
  logged             = true
  disabled           = true
}

Terraform will build the following:

Terraform will perform the following actions:

  # nsxt_policy_security_policy_rule.test_rule1 will be created
  + resource "nsxt_policy_security_policy_rule" "test_rule1" {
      + action                = "ALLOW"
      + destination_groups    = [
          + "/infra/domains/default/groups/c68337e4-27e6-4752-9316-a820b517c36e",
        ]
      + destinations_excluded = false
      + direction             = "IN_OUT"
      + disabled              = true
      + display_name          = "test_rule1"
      + id                    = (known after apply)
      + ip_version            = "IPV4_IPV6"
      + logged                = true
      + nsx_id                = (known after apply)
      + path                  = (known after apply)
      + policy_path           = "/infra/domains/default/security-policies/c134e1c0-c7fb-4d0a-92bc-3caad17ecec4"
      + revision              = (known after apply)
      + rule_id               = (known after apply)
      + sequence_number       = 1
      + services              = [
          + "/infra/services/HTTPS",
        ]
      + sources_excluded      = false
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Next, I log into the NSX-T GUI and add another service to the rule and click Publish. When I run Terraform again, it detects the newly added service and wants to remove it to reflect what I've defined in code. So far so good.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # nsxt_policy_security_policy_rule.test_rule1 will be updated in-place
  ~ resource "nsxt_policy_security_policy_rule" "test_rule1" {
        id                    = "06e94a14-c37a-4e62-810c-df464894f522"
      ~ services              = [
          - "/infra/services/HTTP",
            # (1 unchanged element hidden)
        ]
        # (18 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

However, here's the issue: if I remove all services from the rule using the GUI (so that it becomes "Any"), Terraform DOES NOT detect that situation and thinks there is no drift between the code and the infrastructure when there clearly is.

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Reproduction steps

  1. Create a rule with the nsxt_policy_security_policy_rule resource that has one or more services associated with it.
  2. Log into the NSX-T GUI and remove all services from that rule.
  3. Run terraform plan and Terraform won't detect any changes.

Expected behavior

Terraform should detect that the service was removed from the rule outside and attempt to add it back in.

Additional context

Even though in my above example I used services, it appears that source_groups and destination_groups also exhibit the same behavior. I'm not sure if other arguments/settings are affected.

The rules defined in the nsxt_policy_security_policy resource do not appear to be affected by this. That resource correctly detects when all previously configured services have been removed in the GUI.
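
The asymmetry reported above (an added service is detected, a cleared service list is not) is the classic shape of a refresh bug around an API sentinel value. In the NSX-T Policy API a rule whose services, source_groups or destination_groups are unrestricted carries the literal "ANY" rather than an empty list. The Go program below is an added example written for this issue; it is not code from terraform-provider-nsxt, and readBuggy is a hypothetical reconstruction of the failure mode rather than the provider's actual Read implementation. The apiRule and state types, the driftFields helper, and the two API responses are constructed stand-ins for a GET on the rule after each GUI edit described in the report. It shows that a refresh which only overwrites state when the API returns concrete paths reports no drift for the "Any" case, while one that always writes the normalized list (mapping "ANY" to an empty list, which is what removing the argument means in HCL) surfaces the removal.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// apiRule is a hypothetical, trimmed-down stand-in for the Rule object the
// NSX-T Policy API returns. "ANY" in a path list means "no restriction".
type apiRule struct {
	Services          []string
	SourceGroups      []string
	DestinationGroups []string
}

// state is what Terraform believes about the same attributes (state file).
// An absent HCL argument corresponds to an empty list here.
type state struct {
	Services          []string
	SourceGroups      []string
	DestinationGroups []string
}

const anyMarker = "ANY"

// normalizePaths drops the API sentinel and sorts so that comparison is
// order-independent; nil and ["ANY"] both become an empty, non-nil slice.
func normalizePaths(paths []string) []string {
	out := make([]string, 0, len(paths))
	for _, p := range paths {
		if p == anyMarker {
			continue
		}
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// readBuggy (hypothetical) only overwrites a state attribute when the API
// returns concrete paths. A rule cleared to "Any" in the GUI therefore keeps
// the stale list from the previous state, and plan sees nothing to do.
func readBuggy(prior state, r apiRule) state {
	next := prior
	if s := normalizePaths(r.Services); len(s) > 0 {
		next.Services = s
	}
	if s := normalizePaths(r.SourceGroups); len(s) > 0 {
		next.SourceGroups = s
	}
	if s := normalizePaths(r.DestinationGroups); len(s) > 0 {
		next.DestinationGroups = s
	}
	return next
}

// readFixed always writes the normalized list, including an empty one, so
// the refreshed state reflects "Any" and the diff against config shows drift.
func readFixed(_ state, r apiRule) state {
	return state{
		Services:          normalizePaths(r.Services),
		SourceGroups:      normalizePaths(r.SourceGroups),
		DestinationGroups: normalizePaths(r.DestinationGroups),
	}
}

func same(a, b []string) bool {
	return reflect.DeepEqual(normalizePaths(a), normalizePaths(b))
}

// driftFields lists the attributes whose refreshed state differs from config,
// in a fixed order, which is what a plan would have to show as a change.
func driftFields(config, refreshed state) []string {
	var drift []string
	if !same(config.Services, refreshed.Services) {
		drift = append(drift, "services")
	}
	if !same(config.SourceGroups, refreshed.SourceGroups) {
		drift = append(drift, "source_groups")
	}
	if !same(config.DestinationGroups, refreshed.DestinationGroups) {
		drift = append(drift, "destination_groups")
	}
	return drift
}

func main() {
	// Config from the issue: one service, one destination group.
	config := state{
		Services:          []string{"/infra/services/HTTPS"},
		DestinationGroups: []string{"/infra/domains/default/groups/c68337e4-27e6-4752-9316-a820b517c36e"},
	}
	// Constructed API responses after each out-of-band GUI edit.
	added := apiRule{Services: []string{"/infra/services/HTTP", "/infra/services/HTTPS"},
		SourceGroups: []string{anyMarker}, DestinationGroups: config.DestinationGroups}
	cleared := apiRule{Services: []string{anyMarker},
		SourceGroups: []string{anyMarker}, DestinationGroups: config.DestinationGroups}
	for _, c := range []struct {
		name string
		r    apiRule
	}{{"service added in GUI", added}, {"all services removed in GUI", cleared}} {
		fmt.Printf("%-28s buggy read drift=%v  fixed read drift=%v\n", c.name,
			driftFields(config, readBuggy(config, c.r)), driftFields(config, readFixed(config, c.r)))
	}
}
```

The same normalization applies to source_groups and destination_groups, since the API uses the same "ANY" convention for them, which matches the report that those arguments show the same behavior.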

annakhm commented 1 month ago

Thanks for spotting this!