vcd_nsxt_firewall does not manage ranges and individual IP addresses #1199

carmine73 opened this issue Jan 25, 2024 · 6 comments
carmine73 commented Jan 25, 2024

This is the new Improved Firewall Rules UI:

VMware Cloud Director 10.5 provides an enhanced user experience for firewall rule expressions. You can now create a single firewall rule and, optionally, place it at a specific position in the rules list, and reorder a single firewall rule without editing the entire list of existing firewall rules. You can also add ranges and individual IP addresses directly into the firewall rule Source and Destination text boxes. Firewall rules now have a loggingId element that corresponds to the NSX rule_id.

Also, a raw protocol/port can be used via the UI (not just an application profile).

Is this on the roadmap for 3.12?

@carmine73 (Author)

I see this has not been addressed by 3.12 :-(

@lvirbalas lvirbalas assigned dataclouder and unassigned Didainius Mar 26, 2024
@carmine73 (Author)

Any news on this?
Thanks

@Didainius Didainius assigned Didainius and unassigned dataclouder Aug 19, 2024
@Didainius (Collaborator)

We're considering the V2 firewall rule API. The trick is that we can't fully switch to the V2 API in the current resource vcd_nsxt_firewall, as this API is only available starting with VCD 10.5.1. We still support older ones.

I do see that V2 has a better API for creating a resource vcd_nsxt_firewall_rule, a resource that would map 1 resource to 1 firewall rule (similar to how vcd_nsxt_distributed_firewall_rule does), as opposed to the current approach where one resource handles all firewall rules. The new API does look to have an API for positioning: https://developer.broadcom.com/xapis/vmware-cloud-director-openapi/v38.1/data-structures/FirewallRuleRelativePosition/

How does this approach sound to you? Would you switch resources if we had this new one? Does it sound more convenient for you?

@carmine73 (Author)

I have to manage FW rules using Terraform for tenants that are also modified using the UI.
Maybe (but I have to work on it) the "1 resource to 1 rule" approach can be easier.
To do that, it would be nice to have a data source to read ALL FW rules with the ruleId of each rule.

@Didainius (Collaborator)

> I have to manage FW rules using Terraform for tenants that are also modified using the UI. Maybe (but I have to work on it) the "1 resource to 1 rule" approach can be easier. To do that, it would be nice to have a data source to read ALL FW rules with the ruleId of each rule.

OK, if you had a choice between two resources, the one that manages all rules and the one that manages rules one by one, which would you prefer? (I can't promise this works out, but feedback is valuable.)

carmine73 (Author) commented Aug 30, 2024

Now I'm using the "monolithic" resource for both (FW and DFW), but the solution I've found is not optimal.
Probably the rules one by one can be used better, since there is no risk of overwriting rules written in the UI (and just a way to order them must be found).
One thing I see is that data.vcd_nsxt_distributed_firewall_rule shows neither the UI index of the rule nor the id.
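Added example, not code from the issue or from the terraform-provider-vcd project: a Terraform configuration showing what the two points raised in this thread look like with the current monolithic resource. Ranges and single addresses have to go through a vcd_nsxt_ip_set and a raw port has to go through a vcd_nsxt_app_port_profile (the gap from the opening post), and vcd_nsxt_firewall declares the whole rule list in order, so a rule someone adds in the UI is not in the list and gets removed on the next apply (the overwrite risk from the last comment). Resource and attribute names follow the provider's 3.x schema as the editor understands it; the org, VDC, edge gateway names and addresses are placeholders, and the attribute list should be checked against the provider docs for the version in use.

```hcl
# Editor's example, not from the issue or the provider. Names and IDs are
# placeholders; verify attribute names against your provider version.

data "vcd_org_vdc" "vdc" {
  org  = "my-org"       # assumed org name
  name = "tenant-vdc"   # assumed VDC name
}

data "vcd_nsxt_edgegateway" "gw" {
  org      = "my-org"
  owner_id = data.vcd_org_vdc.vdc.id
  name     = "tenant-edge"  # assumed edge gateway name
}

# The rule block only takes IDs, so ranges and single addresses that the UI
# lets you type directly must be wrapped in an IP set first.
resource "vcd_nsxt_ip_set" "mgmt" {
  org             = "my-org"
  edge_gateway_id = data.vcd_nsxt_edgegateway.gw.id
  name            = "mgmt-hosts"
  ip_addresses = [
    "10.10.20.5",               # single address
    "10.10.30.10-10.10.30.20",  # range
    "192.168.100.0/24",         # CIDR
  ]
}

# Likewise a raw protocol/port must be an application port profile.
resource "vcd_nsxt_app_port_profile" "https" {
  org        = "my-org"
  context_id = data.vcd_org_vdc.vdc.id  # TENANT scope is owned by the VDC
  name       = "https-443"
  scope      = "TENANT"

  app_port {
    protocol = "TCP"
    port     = ["443"]
  }
}

# One resource owns the complete list. Position in the config is the position
# on the gateway, and any rule present on the gateway but absent here is
# removed on apply, so UI-created rules do not survive a Terraform run.
resource "vcd_nsxt_firewall" "gw" {
  org             = "my-org"
  edge_gateway_id = data.vcd_nsxt_edgegateway.gw.id

  rule {
    name                 = "allow-mgmt-https"
    direction            = "IN"
    ip_protocol          = "IPV4"
    action               = "ALLOW"
    enabled              = true
    logging              = true
    source_ids           = [vcd_nsxt_ip_set.mgmt.id]
    app_port_profile_ids = [vcd_nsxt_app_port_profile.https.id]
    # destination_ids left unset = any destination
  }

  # Explicit catch-all last; with logging on, drops are visible in NSX logs.
  rule {
    name        = "drop-everything-else"
    direction   = "IN_OUT"
    ip_protocol = "IPV4"
    action      = "DROP"
    enabled     = true
    logging     = true
  }
}
```

Because the single resource is authoritative for the whole list, a `terraform plan` after someone edits rules in the UI shows those rules as removals; that is the drift a per-rule resource would avoid, at the cost of needing a separate way to express ordering, which is the open design question in the thread.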

3 participants