sky-uk/terraform-provider-nsx

No NSX Security Policy Rule created and no error, just not created

Closed this issue · 3 comments

Hi there,
I am using the sky-uk/nsx provider to create an NSX security policy rule. It returns with no error, but no policy rule is created either. I am quite new to Terraform. Could anyone please advise on what is happening and what I should do next?

Here is part of my tf configuration file:

resource "nsx_security_tag" "web" {
  name = "99_tf-tag-test-99"
  desc = "99_Security Tag for TEST 99 created with Terraform"
}

resource "nsx_security_tag_attachment" "client_vm" {
  name  = "99_tf-security-tag-attachment"
  tagid = ["${nsx_security_tag.web.id}"]
  moid  = "${vsphere_virtual_machine.vm.moid}"
}

resource "nsx_service" "http" {
  name        = "99_tf_service_http_80"
  scopeid     = "globalroot-0"
  description = "TCP port 80 - http"
  protocol    = "TCP"
  ports       = "80"
}

resource "nsx_service" "https" {
  name        = "99_tf_service_https_443"
  scopeid     = "globalroot-0"
  description = "TCP port 443 - https"
  protocol    = "TCP"
  ports       = "443"
}

resource "nsx_security_policy" "web" {
  name        = "99_tf_TEST_security_policy"
  description = "99_TEST security policy for web role"
  precedence  = "4000"
}

resource "nsx_security_policy_rule" "web" {
  name               = "99_tf_TEST_security_policy_rule"
  securitypolicyname = "${nsx_security_policy.web.name}"
  action             = "BLOCK"
  direction          = "INBOUND"
  serviceids         = ["${nsx_service.http.name}", "${nsx_service.https.name}"]
}

Result:

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: yes

nsx_security_policy.web: Creating...
description: "" => "99_TEST security policy for web role"
name: "" => "99_tf_TEST_security_policy"
precedence: "" => "4000"
nsx_security_tag.web: Creating...
desc: "" => "99_Security Tag for TEST 99 created with Terraform"
name: "" => "99_tf-tag-test-99"
nsx_service.http: Creating...
description: "" => "TCP port 80 - http"
name: "" => "99_tf_service_http_80"
ports: "" => "80"
protocol: "" => "TCP"
scopeid: "" => "globalroot-0"
nsx_service.https: Creating...
description: "" => "TCP port 443 - https"
name: "" => "99_tf_service_https_443"
ports: "" => "443"
protocol: "" => "TCP"
scopeid: "" => "globalroot-0"
nsx_security_policy.web: Creation complete after 1s (ID: policy-54)
nsx_security_tag.web: Creation complete after 1s (ID: securitytag-74)

....
nsx_service.http: Creation complete after 3s (ID: application-450)
nsx_service.https: Creation complete after 3s (ID: application-449)
nsx_security_policy_rule.web: Creating...
action: "" => "BLOCK"
direction: "" => "INBOUND"
name: "" => "99_tf_TEST_security_policy_rule"
securitypolicyname: "" => "99_tf_TEST_security_policy"
serviceids.#: "" => "2"
serviceids.0: "" => "99_tf_service_http_80"
serviceids.1: "" => "99_tf_service_https_443"
nsx_security_policy_rule.web: Creation complete after 1s

Thanks in advance

Hi @Thanaphait
I have no idea why your nsx_security_policy_rule is not created even though it says it was. Maybe you've found out why and might want to share your knowledge here! If not, maybe running in debug mode by setting TF_LOG=DEBUG as an environment variable could help.

Reading your Terraform resources, it seems that you're tagging a VM with a security tag and creating a policy, but you're not creating any security_group to link the security tag and the policy. This doesn't explain why your security_policy_rule isn't created, but it would explain why the firewall wouldn't work.

I actually seem to have the same issue:

2018/08/01 11:13:40 [DEBUG] apply: nsx_security_policy_rule.back_deny: executing Apply
nsx_security_policy_rule.back_deny: Creating...
  action:             "" => "deny"
  direction:          "" => "inbound"
  name:               "" => "spr-back_deny"
  securitygroupids.#: "" => "1"
  securitygroupids.0: "" => "securitygroup-25"
  securitypolicyname: "" => "deny-sp-back"
  serviceids.#:       "" => "1"
  serviceids.0:       "" => "any"
2018-08-01T11:13:40.041+0200 [DEBUG] plugin.terraform-provider-nsx: 2018/08/01 11:13:40 Getting policy object to modify
2018-08-01T11:13:40.688+0200 [DEBUG] plugin.terraform-provider-nsx: 2018/08/01 11:13:40 [DEBUG] getAllAPI.GetResponse().FilterByName("deny-sp-back").ObjectID
2018-08-01T11:13:40.689+0200 [DEBUG] plugin.terraform-provider-nsx: 2018/08/01 11:13:40 [DEBUG] - policyTOModify :SecurityPolicy with objectId: policy-16
2018-08-01T11:13:40.689+0200 [DEBUG] plugin.terraform-provider-nsx: 2018/08/01 11:13:40 [DEBUG] policyToModify.AddInboundFirewallAction(spr-back_deny, deny, inbound, [any])
2018-08-01T11:13:40.689+0200 [DEBUG] plugin.terraform-provider-nsx: 2018/08/01 11:13:40 [DEBUG] - policyTOModify :SecurityPolicy with objectId: policy-16
2018-08-01T11:13:41.228+0200 [DEBUG] plugin.terraform-provider-nsx: 2018/08/01 11:13:41 [DEBUG] getAllAPI.GetResponse().FilterByName("deny-sp-back").ObjectID
2018-08-01T11:13:41.228+0200 [DEBUG] plugin.terraform-provider-nsx: 2018/08/01 11:13:41 [DEBUG] - policyToRead :SecurityPolicy with objectId: policy-16
2018-08-01T11:13:41.228+0200 [DEBUG] plugin.terraform-provider-nsx: 2018/08/01 11:13:41 [DEBUG] VsmUUID :=
nsx_security_policy_rule.back_deny: Creation complete after 1s

Found out why by reading the gonsx code.
@Thanaphait in your security_policy_rule, you had:

action = "BLOCK"
direction = "INBOUND"

The code only matches lowercase values, and it seems that no error is thrown if there is no match.

In my case I set the action to deny, which is not an accepted keyword. It should have been block.

I think the documentation can be updated to put the keywords in lowercase (https://github.com/sky-uk/terraform-provider-nsx/wiki/NSX-Security-Policy-Resource#nsx_security_policy_rule-resource).
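As an added example (not code from the provider or gonsx), a small Go validator of the kind that would turn this silent no-op into an explicit error: it canonicalises the keywords to lowercase and rejects anything outside the accepted set. The values "block" and "inbound" come from the thread; "allow" and "outbound" are assumed.

```go
package main

import (
	"fmt"
	"strings"
)

// Accepted keywords, lowercase. "block" and "inbound" are confirmed by the
// thread; "allow" and "outbound" are assumed for this example.
var (
	validActions    = map[string]bool{"block": true, "allow": true}
	validDirections = map[string]bool{"inbound": true, "outbound": true}
)

// normalizeKeyword lowercases v and checks it against allowed. It returns the
// canonical form, or an error naming the field and the rejected value.
func normalizeKeyword(field, v string, allowed map[string]bool) (string, error) {
	canon := strings.ToLower(strings.TrimSpace(v))
	if !allowed[canon] {
		return "", fmt.Errorf("%s: %q is not an accepted keyword", field, v)
	}
	return canon, nil
}

// ValidateRule returns the canonical action and direction for a rule, or the
// first validation error. Calling this before the API request makes a typo
// such as action = "deny" fail the apply instead of silently creating nothing.
func ValidateRule(action, direction string) (string, string, error) {
	a, err := normalizeKeyword("action", action, validActions)
	if err != nil {
		return "", "", err
	}
	d, err := normalizeKeyword("direction", direction, validDirections)
	if err != nil {
		return "", "", err
	}
	return a, d, nil
}

func main() {
	// The two inputs from the thread: uppercase keywords and a wrong keyword.
	for _, in := range [][2]string{{"BLOCK", "INBOUND"}, {"deny", "inbound"}} {
		a, d, err := ValidateRule(in[0], in[1])
		fmt.Printf("%v -> action=%q direction=%q err=%v\n", in, a, d, err)
	}
}
```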