terraform-provider-nsxt

Document "Any" value for destination_networks in nsxt_policy_nat_rule

Open adarobin opened this issue 11 months ago • 5 comments

Describe the bug

If I create an SNAT rule with nsxt_policy_nat_rule with destination_networks unset (which seems to act equivalent to "Any" in the UI), it creates an SNAT rule with Any as the destination as expected. However, on the next plan a change is shown for destination_networks:

 ~ resource "nsxt_policy_nat_rule" "snat" {
      ~ destination_networks = [
          - "0.0.0.0/0",
        ]
        id                   = "8da221e8-215f-409c-bb25-c7ffcc22944f"
        # (13 unchanged attributes hidden)

Attempting to apply this change will fail.

If I create a new SNAT rule with destination_networks = ["0.0.0.0/0"] an error is thrown from the API:

Failed to create NAT Rule 9a030fe3-75e0-4898-9a78-e237ba43535b: Address 0.0.0.0/0 overlaps with Segment path=[/orgs/default/projects/24986cf9-9bd0-43db-8ece-89eec42eb9c9/infra/segments/36d3de73-8ab8-449b-b986-9cb45a168b05] that has subnet 10.240.2.0/29. (code 500105)

The workaround seems to be to leave destination_networks blank and add this block to the resource to prevent issues with future plan and apply:

lifecycle {
  ignore_changes = [destination_networks]
}

Reproduction steps

  1. Create SNAT rule with Any as the destination.
  2. Perform another plan
  3. A change is shown for destination_networks with a value of ["0.0.0.0/0"] ...

Expected behavior

An SNAT rule with a destination of Any can be created and a consistent value is used in destination_networks.

Additional context

resource "nsxt_policy_nat_rule" "snat" {
  dynamic "context" {
    for_each = var.project_id == null ? [] : [var.project_id]
    content {
      project_id = context.value
    }
  }

  display_name         = "SNAT out to Internet"
  action               = "SNAT"
  source_networks      = ["10.0.0.0/8"]
  # destination_networks = ["0.0.0.0/0"]
  translated_networks  = [bluecat_ip4_address.nat.address]
  gateway_path         = data.nsxt_policy_tier1_gateway.main.path
  logging              = true
  rule_priority        = 100
}

adarobin avatar Mar 15 '24 00:03 adarobin

Hi @adarobin, could you provide your NSX version please?

annakhm avatar Mar 22 '24 21:03 annakhm

Hi @annakhm I am on 4.1.2.1

adarobin avatar Mar 22 '24 21:03 adarobin

Hi @adarobin, unfortunately I can't reproduce this with this NSX version. My destination_networks, when not provided, shows empty as expected:

resource "nsxt_policy_nat_rule" "dnat1" {
    action               = "SNAT"
    destination_networks = []
    display_name         = "snat_rule1"
    ..

destination_networks attr is not set in response sent back from NSX for the rule.

Not sure what the difference between our configurations could be. May I ask you to create the nat rule with logs set to debug and post the output?

TF_LOG="debug"
TF_LOG_PROVIDER_NSX_HTTP="debug"

annakhm avatar Mar 25 '24 23:03 annakhm

@annakhm I can't seem to reproduce it now either. I must have gotten my state file into a weird place when trying to set "0.0.0.0/0" as the Any value.

At this point, this is more of a documentation issue on what the appropriate value to use for Any is on the destination_networks attribute.

It would be nice if the provider documentation had a similar note to the API documentation, "NULL value for this field represents ANY network."

adarobin avatar Mar 26 '24 20:03 adarobin
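As an added example that is not part of this issue or the provider, a small pre-apply check over `terraform show -json <planfile>` output that catches the two situations described above (a planned `destination_networks` of `0.0.0.0/0`, which the API rejects, and a plan that drops `0.0.0.0/0` read back from state) and surfaces NAT rules whose destination is ANY for review. The plan JSON layout used is Terraform's documented `resource_changes` format; the sample plan is constructed.

```python
import json

# Resource type and value discussed in this issue. NSX rejects 0.0.0.0/0 as a NAT
# destination (overlap error, code 500105); per the API docs, null/unset means ANY.
NAT_RULE_TYPE = "nsxt_policy_nat_rule"
REJECTED_ANY = "0.0.0.0/0"


def check_nat_rule_plan(plan_json: str) -> list[tuple[str, str, str]]:
    """Scan `terraform show -json <planfile>` output for nsxt_policy_nat_rule
    changes. Returns (address, severity, message): "error" = apply will fail,
    "warn" = state drift from this issue, "info" = rule matches every destination."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != NAT_RULE_TYPE:
            continue
        change = rc.get("change", {})
        actions = set(change.get("actions", []))
        before = (change.get("before") or {}).get("destination_networks") or []
        after_obj = change.get("after")  # None when the rule is being destroyed
        after = (after_obj or {}).get("destination_networks") or []
        addr = rc.get("address", "?")
        if actions & {"create", "update"} and REJECTED_ANY in after:
            findings.append((addr, "error",
                             f"destination_networks contains {REJECTED_ANY}; "
                             "NSX rejects it, leave the attribute unset for ANY"))
        elif "update" in actions and REJECTED_ANY in before:
            findings.append((addr, "warn",
                             f"plan drops {REJECTED_ANY} read back from state; "
                             "this apply fails, consider lifecycle ignore_changes"))
        elif after_obj is not None and not after:
            findings.append((addr, "info",
                             f"{after_obj.get('action')} rule with destination ANY"))
    return findings


# Constructed sample plan (not real output): one rule per case above, plus an
# unrelated resource that must be skipped.
SAMPLE_PLAN = json.dumps({"format_version": "1.2", "resource_changes": [
    {"address": "nsxt_policy_nat_rule.bad", "type": NAT_RULE_TYPE, "change": {
        "actions": ["create"], "before": None,
        "after": {"action": "SNAT", "destination_networks": ["0.0.0.0/0"]}}},
    {"address": "nsxt_policy_nat_rule.drift", "type": NAT_RULE_TYPE, "change": {
        "actions": ["update"], "before": {"destination_networks": ["0.0.0.0/0"]},
        "after": {"action": "SNAT", "destination_networks": []}}},
    {"address": "nsxt_policy_nat_rule.ok", "type": NAT_RULE_TYPE, "change": {
        "actions": ["create"], "before": None,
        "after": {"action": "SNAT", "destination_networks": None}}},
    {"address": "nsxt_policy_tier1_gateway.t1", "type": "nsxt_policy_tier1_gateway",
     "change": {"actions": ["no-op"], "before": {}, "after": {}}}]})
```

Run it against a real plan with `check_nat_rule_plan(open("plan.json").read())` and fail the pipeline on any "error" finding.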

Thank you @adarobin. Keeping this open to improve the docs.

annakhm avatar Mar 26 '24 22:03 annakhm