
vcd_nsxv_firewall_rule use of "any" not translating to Any object type for source and destination

Open jlarmstrong opened this issue 4 years ago • 1 comments

Terraform Version

Terraform version: 0.12.19
vcd provider version: vcd = "~> 3.0"

Affected Resource(s)

  • vcd_nsxv_firewall_rule

Terraform Configuration Files

resource "vcd_nsxv_firewall_rule" "my-rule-1" {
  org          = "my-org"
  vdc          = "my-vdc"
  edge_gateway = "my-edge-gateway"
  source {
    ip_addresses       = ["any"]
  }
  destination {
    ip_addresses = ["192.168.1.110"]
  }
  service {
    protocol = "tcp"
    port     = "443"
  }
}

Debug Output

When trying to use ip_addresses = ["Any"] the following debug output is presented:

[DEBUG] vcd_nsxv_firewall_rule.<rulename>: apply errored, but we're indicating that via the Error pointer rather than returning it: unable to update firewall rule with ID 137256: error while updating firewall rule : vShield Edge Configuration failed on NSX Edge VM vm-69112. Kindly refer Edge and NSX Manager logs for more details. (API error: 10014)
2020/11/24 13:46:10 [ERROR] <root>: eval: *terraform.EvalApplyPost, err: unable to update firewall rule with ID 137256: error while updating firewall rule : vShield Edge Configuration failed on NSX Edge VM vm-69112. Kindly refer Edge and NSX Manager logs for more details. (API error: 10014)
2020/11/24 13:46:10 [ERROR] <root>: eval: *terraform.EvalSequence, err: unable to update firewall rule with ID 137256: error while updating firewall rule : vShield Edge Configuration failed on NSX Edge VM vm-69112. Kindly refer Edge and NSX Manager logs for more details. (API error: 10014)
Error: unable to update firewall rule with ID 137256: error while updating firewall rule : vShield Edge Configuration failed on NSX Edge VM vm-69112. Kindly refer Edge and NSX Manager logs for more details. (API error: 10014)

Expected Behavior

NSX-V should have an Any source object instead of an ip address textual representation. This would be represented in other NSX-V and vCloud API calls as the proper global Any object/reference instead of the textual string reference.

Actual Behavior

This causes other systems to try to recognize this entry as an IP entry with a netmask/cidr. The rules do appear to work, but that may simply be because they are invalid and are translating to the default any source.

vCloud 10.0.x UI representation of "any": Screenshot from 2020-11-24 13-29-59

vSphere NSX-V UI representation of "any": Screenshot from 2020-11-24 13-31-45

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

Important Factoids

vCloud 10.0.x, NSX-V 6.4.8

jlarmstrong avatar Nov 24 '20 18:11 jlarmstrong

As a follow-up, I stepped through testing other config options, and the following option appears to give me the closest match to using the normal vcd web UI. The documentation could probably be updated to reflect this, or the "any" / "Any" textual representation might be able to be changed to work similarly in the TF module instead of fighting against the VCD API?

  source {
    ip_addresses       = [] # equal to Any in the interface
  }

Screenshot from 2020-12-08 09-13-11

jlarmstrong avatar Dec 08 '20 14:12 jlarmstrong
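A pre-apply check for this failure mode, written here as an added example (not code from the reporter or from the provider): it scans vcd_nsxv_firewall_rule blocks and flags ip_addresses entries that are not a host, a CIDR or an a-b range, since such words are sent to NSX-V as IP text and fail with API error 10014, while an empty list (the form that renders as Any) passes. The sample config is constructed, and the regex parsing assumes source/destination blocks contain no nested braces.

```python
import ipaddress
import re
# Constructed sample config (not from the provider repo): the rule from the issue,
# which NSX-V rejects, plus the empty-list form the reporter found renders as Any.
SAMPLE_TF = '''
resource "vcd_nsxv_firewall_rule" "my-rule-1" {
  source {
    ip_addresses = ["any"]
  }
  destination {
    ip_addresses = ["192.168.1.110"]
  }
}
resource "vcd_nsxv_firewall_rule" "my-rule-2" {
  source {
    ip_addresses = [] # empty list is shown as Any in the vCD UI
  }
  destination {
    ip_addresses = ["10.0.0.0/24", "10.0.1.5-10.0.1.9"]
  }
}
'''
RESOURCE_RE = re.compile(r'resource\s+"vcd_nsxv_firewall_rule"\s+"([^"]+)"\s*\{')
BLOCK_RE = re.compile(r'\b(source|destination)\s*\{(.*?)\}', re.S)  # assumes no nested braces
LIST_RE = re.compile(r'ip_addresses\s*=\s*\[([^\]]*)\]')


def is_nsxv_ip_literal(value: str) -> bool:
    """True for what NSX-V accepts in ip_addresses: a host, a CIDR or an a-b range."""
    try:
        if "-" in value:
            low, high = value.split("-", 1)
            return ipaddress.ip_address(low).version == ipaddress.ip_address(high).version
        ipaddress.ip_network(value, strict=False)  # bare hosts parse as /32 or /128
        return True
    except ValueError:
        return False


def find_bad_ip_entries(tf_text: str) -> list:
    """(resource, block, value) for each entry NSX-V would reject, e.g. the word "any"."""
    findings = []
    headers = list(RESOURCE_RE.finditer(tf_text))
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(tf_text)
        for block, inner in BLOCK_RE.findall(tf_text[hdr.end():end]):
            for raw in LIST_RE.findall(inner):
                for item in re.findall(r'"([^"]*)"', raw):
                    if not is_nsxv_ip_literal(item):
                        findings.append((hdr.group(1), block, item))
    return findings
```

On the constructed sample, find_bad_ip_entries returns [('my-rule-1', 'source', 'any')] and leaves the empty-list rule alone.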