nautobot-app-firewall-models
Evaluate using dynamic groups inside of `AddressObject`
Environment
- Nautobot version: 1.4.4
- nautobot-plugin-firewall-model version: 1.1.0
Proposed Functionality
Allow AddressObjectGroup to source its members from a dynamic group. This could for example be a new ForeignKey field on the model pointing to DynamicGroup.
Use Case
All prefixes with the role user-lan should have access to a set of services. Instead of manually updating the policy rule (or NAT policy rule) whenever there are changes, we could instead use dynamic groups to automatically accomplish that.
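An added illustration of the proposed shape, not code from the plugin or from Nautobot core: in-memory stand-ins for Prefix, DynamicGroup and AddressObjectGroup in which the group's membership is resolved from a filter at evaluation time, so a policy rule referencing the group never needs editing when a new user-lan prefix appears. The class names, the dictionary-based filter matching and the sample prefixes are assumptions; a real DynamicGroup evaluates a FilterSet query against the database, which is where the performance concern raised below comes from.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional

# Constructed stand-ins for the models named in the issue (not Nautobot code).
@dataclass(frozen=True)
class Prefix:
    prefix: str
    role: str

@dataclass
class DynamicGroup:
    """Membership defined by a filter and evaluated on every call, not stored."""
    content_type: str
    filter: dict  # e.g. {"role": "user-lan"}; assumed attribute-equality semantics

    def members(self, objects):
        # Every filter key must equal the matching attribute on the candidate.
        return [o for o in objects
                if all(getattr(o, k, None) == v for k, v in self.filter.items())]

@dataclass
class AddressObjectGroup:
    """Static CIDR members plus the proposed optional DynamicGroup reference."""
    name: str
    static_members: List[str] = field(default_factory=list)
    dynamic_group: Optional[DynamicGroup] = None

    def resolve_members(self, prefixes):
        """Union of static and dynamic members, de-duplicated and sorted."""
        nets = {ip_network(p) for p in self.static_members}
        if self.dynamic_group is not None:
            nets |= {ip_network(p.prefix) for p in self.dynamic_group.members(prefixes)}
        # Sort by (version, network) so IPv4 and IPv6 never get compared directly.
        return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]

def demo():
    """Show that adding a user-lan prefix changes the group without touching it."""
    prefixes = [Prefix("10.10.0.0/24", "user-lan"),
                Prefix("10.20.0.0/24", "server-lan"),
                Prefix("10.10.1.0/24", "user-lan")]
    user_lans = DynamicGroup("ipam.prefix", {"role": "user-lan"})
    grp = AddressObjectGroup("user-lans", ["192.0.2.10/32"], user_lans)
    before = grp.resolve_members(prefixes)
    prefixes.append(Prefix("10.10.2.0/24", "user-lan"))  # new site, no rule edit
    after = grp.resolve_members(prefixes)
    return before, after
```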
At this time the performance limitations with dynamic groups make this a non-starter at scale. We should keep the issue and reevaluate pending performance improvements for dynamic groups.
Dynamic Groups start having performance degradation over the 500 groups count on a single content type.
I feel like the development and added functionality this would bring to this plugin would be worth it to keep moving forward, even if there is a warning or an opt-in configuration parameter to enable this. Hopefully when the feature is ready in this plugin Nautobot Core would have an update... because I really want this feature.
I have some work on logical grouping which is solving this from a different PoV. I see this as really relevant when it comes to controller based systems and how each group is treated as unique and how the group has access to certain items depending on where it's at within the tree. From a firewall object modeling perspective some of the patterns in dynamic groups do not solve this problem case and introduce a level of complexity in managing uniqueness.
I'm open to discussions around the topic and personally would love to swap out <type>ObjectGroup to a generic upstream group & how we can assign X content types to the same group. I am committed to keeping this issue open until we have a more elegant solution available in the plugin/core.