vmware / terraform-provider-nsxt

Terraform VMware NSX-T provider
https://www.terraform.io/docs/providers/nsxt/

Add 'nat_type' in resource 'nsxt_policy_nat_rule' (INTERNAL, USER, DEFAULT) #1301

Open NonoCX opened 1 month ago

NonoCX commented 1 month ago

Is your feature request related to a problem? Please describe.

With the API of NSX it can be possible to create NAT under 3 different categories/sections (INTERNAL, USER and DEFAULT).

https://dp-downloads.broadcom.com/api-content/apis/API_NTDCRA_001/3.2.1/html/api_includes/method_PatchPolicyNatRule.html

All NAT rules under INTERNAL take priority over the USER category/section.

We need to create NAT rules under INTERNAL to force SNAT of our customers' traffic when it joins our shared services.

But when I use the resource nsxt_policy_nat_rule it is not possible to create a NAT rule under the INTERNAL category/section. All rules are created under the USER section.

Describe the solution you'd like

Please, is it possible to add a feature to specify under which category/section (INTERNAL, USER or DEFAULT) the NAT rule must be created?

Describe alternatives you've considered

No response

Additional context

No response

salv-orlando commented 1 month ago

Thanks for the report @NonoCX

In the NSX API for NAT rules the category is controlled by the sequence_number parameter. In the terraform provider this is configured with the rule_priority attribute (maybe we should have kept the same name...).

For instance setting a rule_priority < 1024 should result in the NAT rule being assigned to the INTERNAL category.

If you did already try this and it's not working for you, we should treat this issue as a bug.

NonoCX commented 3 weeks ago

Hi

I think this is a bug, because the rule_priority does not put the NAT rule in the correct section according to the value:

The valid range of rule_priority number is from 0 to 2147483647(MAX_INT).

  1. INTERNAL section rule_priority reserved from 0 - 1023 (1024 rules) valid sequence_number range 0 - 1023
  2. USER section rule_priority reserved from 1024 - 2147482623 (2147481600 rules) valid sequence_number range 0 - 2147481599
  3. DEFAULT section rule_priority reserved from 2147482624 - 2147483647 (1024 rules) valid sequence_number range 0 - 1023

Source: https://dp-downloads.broadcom.com/api-content/apis/API_NTDCRA_001/3.2.1/html/api_includes/method_PatchPolicyNatRule.html

When I create a NAT rule with rule_priority = 0:

```hcl
resource "nsxt_policy_nat_rule" "dnat1" {
  display_name          = "dnat_rule1"
  action                = "DNAT"
  source_networks       = ["9.1.1.1", "9.2.1.1"]
  destination_networks  = ["11.1.1.1"]
  translated_networks   = ["10.1.1.1"]
  gateway_path          = data.nsxt_policy_tier1_gateway.this.path
  logging               = false
  firewall_match        = "MATCH_INTERNAL_ADDRESS"

  rule_priority         = 0

  tag {
    scope = "color"
    tag   = "blue"
  }
}
```

The rule is created under the USER section with sequence_number: 0 [image]. There is nothing under the INTERNAL section [image].

To test creating a NAT rule under the DEFAULT section, I created a NAT rule with the max value of rule_priority (rule_priority = 2147483647). I got an error because Terraform put the NAT rule under the USER section, and the max value of rule_priority in the USER section is 2147482623 [image].

To conclude: Terraform creates NAT rules under the USER section only.

I will open a bug.
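The range arithmetic quoted in the comment above (INTERNAL 0 - 1023, USER 1024 - 2147482623, DEFAULT 2147482624 - 2147483647), worked through as an added Go example. This is not the provider's code: `SectionFor` is a hypothetical helper, and the idea that a flattened `rule_priority` maps onto a section plus a section-relative `sequence_number` is an assumption drawn from the list in the comment, useful mainly for checking boundary values when reproducing the report.

```go
package main

import "fmt"

// NAT section names as used in the NSX Policy API and in the issue text.
const (
	SectionInternal = "INTERNAL"
	SectionUser     = "USER"
	SectionDefault  = "DEFAULT"
)

// Range boundaries quoted from the API documentation cited in the issue.
const (
	maxRulePriority int64 = 2147483647 // MAX_INT
	internalMax     int64 = 1023       // INTERNAL: rule_priority 0 - 1023
	userMin         int64 = 1024       // USER: rule_priority 1024 - 2147482623
	userMax         int64 = 2147482623
	defaultMin      int64 = 2147482624 // DEFAULT: rule_priority 2147482624 - 2147483647
)

// SectionFor maps a flattened rule_priority onto the NAT section it falls in
// and the section-relative sequence_number (offset from the section start).
// Hypothetical helper: this mapping is an assumption based on the ranges
// listed in the issue, not the provider's implementation.
func SectionFor(rulePriority int64) (section string, sequenceNumber int64, err error) {
	switch {
	case rulePriority < 0 || rulePriority > maxRulePriority:
		return "", 0, fmt.Errorf("rule_priority %d outside 0..%d", rulePriority, maxRulePriority)
	case rulePriority <= internalMax:
		return SectionInternal, rulePriority, nil
	case rulePriority <= userMax:
		return SectionUser, rulePriority - userMin, nil
	default:
		return SectionDefault, rulePriority - defaultMin, nil
	}
}

// main walks the boundary values so the section edges can be eyeballed.
func main() {
	for _, p := range []int64{0, 1023, 1024, userMax, defaultMin, maxRulePriority} {
		section, seq, err := SectionFor(p)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("rule_priority=%d -> section=%s sequence_number=%d\n", p, section, seq)
	}
}
```

Running it shows the two edges the comment relies on: rule_priority 0 and 1023 land in INTERNAL, 1024 is the first USER value, and 2147483647 becomes sequence_number 1023 of DEFAULT rather than an out-of-range USER value.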