vmware / terraform-provider-vcd

Terraform VMware Cloud Director provider
https://www.terraform.io/docs/providers/vcd/
Mozilla Public License 2.0

vcd_nsxt_firewall does not manage ranges and individual IP addresses #1199

Open carmine73 opened 7 months ago

carmine73 commented 7 months ago

This is the new Improved Firewall Rules UI

VMware Cloud Director 10.5 provides enhanced user experience for firewall rule expressions. You can now create a single firewall rule and, optionally, position it at a specific position in the rules list, and reorder a single firewall rule without editing the entire list of existing firewall rules. You can also add ranges and individual IP addresses directly into the firewall rule Source and Destination text boxes. Firewall rules now have a loggingId element that corresponds to the NSX rule_id.

Also, raw protocol/port can be used via the UI (not just an application profile).

Is this in the roadmap for 3.12?

carmine73 commented 5 months ago

I see this has not been addressed by 3.12 :-(

carmine73 commented 3 months ago

Any news on this? Thanks.

Didainius commented 1 week ago

We're considering the V2 firewall rule API. The trick is that we can't fully switch to the V2 API in the current resource vcd_nsxt_firewall, as this API is only available starting with VCD 10.5.1. We still support older ones.

I do see that V2 has a better API for creating a resource vcd_nsxt_firewall_rule - a resource that would map 1 resource to 1 firewall rule (similar to how vcd_nsxt_distributed_firewall_rule works), as opposed to the current approach where one resource handles all firewall rules. The new API does look to have an API for positioning. https://developer.broadcom.com/xapis/vmware-cloud-director-openapi/v38.1/data-structures/FirewallRuleRelativePosition/

How does this approach sound to you? Would you switch resources if we had this new one? Does it sound more convenient for you?

carmine73 commented 1 week ago

I have to manage fw rules using terraform for tenants that are also modified using the UI. Maybe (but I have to work on it) the "1 resource to 1 rule" approach can be easier. To do that, it would be nice to have a data source to read ALL fw rules with the ruleId for each rule.

Didainius commented 1 week ago

> I have to manage fw rules using terraform for tenants that are also modified using the UI. Maybe (but I have to work on it) the "1 resource to 1 rule" approach can be easier. To do that, it would be nice to have a data source to read ALL fw rules with the ruleId for each rule.

Ok, if you had a choice between two resources - the one that manages all rules, and the one that manages rules one by one - which would you prefer? (I can't promise this works out, but feedback is valuable.)

carmine73 commented 1 week ago

Now I'm using the "monolithic" resource for both (fw and dfw), but the solution I've found is not optimal. Probably the rules one by one can be used better, since there is no risk of overwriting rules written via the UI (and just a way to order them must be found). One thing I see is that data.vcd_nsxt_distributed_firewall_rule does not show the UI index of the rule nor the id.