vmware / terraform-provider-nsxt

Terraform VMware NSX-T provider
https://www.terraform.io/docs/providers/nsxt/

DFW mess after 2nd deployment. nsxt_policy_predefined_security_policy on VMC #728

Open sebastiangrugel opened 2 years ago

sebastiangrugel commented 2 years ago

Describe the bug

When I'm doing the deployment, the DFW rules are created without problems. But when I'm doing "terraform plan" or "terraform apply" a 2nd time... somehow terraform recognizes some external changes ("Note: Objects have changed outside of Terraform") which we did not make. Maybe something happened on VMC itself?

Example code:

```hcl
# Policy: the predefined policy is looked up by display name
data "nsxt_policy_security_policy" "policy-vmc-example" {
  display_name = "ExamplePolicy2022"
  is_default   = true
  category     = "Application"
  domain       = "cgw"
}

# Groups used as rule sources/destinations (configured before the 1st deployment)
data "nsxt_policy_group" "aws-vpc-bastionhost" {
  display_name = "VPC_Nordcloud_EC2"
  domain       = "cgw"
}

data "nsxt_policy_group" "vmc-gr-mc-training-network" {
  display_name = "gr-MC-Training1"
  domain       = "cgw"
}

data "nsxt_policy_group" "vmc-gr-vpc-network" {
  display_name = "Connected-VPC-Network"
  domain       = "cgw"
}

# First resource managing rules of the predefined policy
resource "nsxt_policy_predefined_security_policy" "dhcp-open" {
  path = data.nsxt_policy_security_policy.policy-vmc-example.path

  rule {
    display_name       = "From-EC2-to-VMC-Network"
    source_groups      = [data.nsxt_policy_group.aws-vpc-bastionhost.path]
    destination_groups = [data.nsxt_policy_group.vmc-gr-mc-training-network.path]
    action             = "ALLOW"
    services           = []
    logged             = true
  }
}

# Second resource pointing at the same predefined policy path
resource "nsxt_policy_predefined_security_policy" "fw-vmc-internet" {
  path = data.nsxt_policy_security_policy.policy-vmc-example.path

  rule {
    display_name       = "From-VMC-Network-to-Internet"
    source_groups      = [data.nsxt_policy_group.vmc-gr-mc-training-network.path]
    destination_groups = []
    action             = "ALLOW"
    services           = []
    logged             = true
  }
}
```

Reproduction in images (screenshots not reproduced here):

1. 1st deployment (that same code)
2. 2nd deployment (that same code)
3. 3rd deployment (that same code)

Reproduction steps

1. Before the 1st deployment, configure the groups used in the FW rules
2. First deployment of the code (with success)
3. 2nd deployment with "terraform apply -auto-approve" has some issue (the 2nd rule is removed and, in that same RULE ID, the name, source and destination are replaced with those from the 2nd rule)
4. 3rd deployment with "terraform apply -auto-approve": again in that same rule ID the name, source and destination are changed
...

Expected behavior

Rules should stay the same until I change something in the code.

Additional context

SDDC Version: 1.16v4

annakhm commented 2 years ago

Hi @sebastiangrugel, I notice that in your configuration the same predefined policy seems to be used in two separate nsxt_policy_predefined_security_policy resources:

`path = data.nsxt_policy_security_policy.policy-vmc-example.path`

A single nsxt_policy_predefined_security_policy resource should be used to manage all rules for this policy. Hope this helps!

github-actions[bot] commented 1 year ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!