
vcd_nsxt_firewall resource issues: logging state not being applied and missing 'REJECT' support #1211

Closed
Nagte502 opened this issue Feb 16, 2024 · 11 comments · Fixed by #1240

@Nagte502

Description

Hi! We are currently working on implementing the ‘vcd_nsxt_firewall’ resource into our code. We came across 2 issues of which one appears to be a bug.

1. The ‘logging’ attribute doesn’t seem to be applied. When running the terraform apply command, terraform does see the required changes:

image

However, when the apply has completed, the logging state hasn't changed. It will see (and tries to apply) this change every run.

2. The 'Action' attribute only allows 'DROP' and 'ALLOW'. We would like to see 'REJECT' supported as well.

Affected Resource(s)

vcd_nsxt_firewall

@at-afa

at-afa commented Feb 16, 2024

I confirm the logging attribute issue also:

Terraform v1.7.1
on linux_amd64
+ provider registry.terraform.io/vmware/vcd v3.11.0

Observed behaviour: terraform apply runs and the firewall rules are created, with the code having logging=true, but the VCD UI shows logging=false. Then the next terraform apply wants to update logging=true; it confirms the operation successfully, however logging is still false. This then repeats itself on each terraform apply.

@Didainius Didainius self-assigned this Feb 17, 2024
@Didainius
Collaborator

Hello,
As for logging - could you check this thread - #985 (comment) - can it be that you're affected?

@at-afa

at-afa commented Feb 20, 2024

Hi,

VCD version is 10.4.2.21954589
From logging, I find: "vDC Group: Configure Logging", present.

However I have tried to enable logging from VCD UI and it does not work, with the same behavior as above. Updated Firewall rule successfully, however logging is still disabled.

This happens only for Firewall from Edge Gateway. On Distributed Firewall from Datacenter Group, enabling/disabling logging works. (tested from VCD UI)

@Nagte502
Author

Nagte502 commented Feb 20, 2024

Hello,

[EDIT]
We see the same behaviour through the VCD UI indeed. The logging attribute is not being updated after changes have been made and will always show disabled. So is this a platform issue?

As for the 'REJECT' option, will this be implemented in an upcoming release? :)

@Didainius
Collaborator

Didainius commented Feb 20, 2024

> We see the same behaviour through the VCD UI indeed. The logging attribute is not being updated after changes have been made and will always show disabled. So is this a platform issue?

Yes, I believe so. As quoted here one should probably expect it to work on 10.4.2.2. You could check it against your build number - https://docs.vmware.com/en/VMware-Cloud-Director/10.4.2/rn/vmware-cloud-director-1042-release-notes/index.html

> As for the 'REJECT' option, will this be implemented in an upcoming release? :)

Can't yet promise, but I will keep that in mind. While it looks simple to implement, it still needs testing on our side as we never release features that are not covered by tests. This helps to keep the provider stable.

@Didainius
Collaborator

> VCD version is 10.4.2.21954589 From logging, I find: "vDC Group: Configure Logging", present.
>
> However I have tried to enable logging from VCD UI and it does not work, with the same behavior as above. Updated Firewall rule successfully, however logging is still disabled.
>
> This happens only for Firewall from Edge Gateway. On Distributed Firewall from Datacenter Group, enabling/disabling logging works. (tested from VCD UI)

Looking at your build number it is 10.4.2.1 (check in the page https://docs.vmware.com/en/VMware-Cloud-Director/10.4.2.1/rn/vmware-cloud-director-10421-release-notes/index.html), while it was mentioned that the fix is in 10.4.2.2. https://docs.vmware.com/en/VMware-Cloud-Director/10.4.2.2/rn/vmware-cloud-director-10422-release-notes/index.html

@Nagte502
Author

Alright! Thank you for your help and quick responses! I'll look into the version number and request an update on our side :)

@jfunke4

jfunke4 commented Feb 26, 2024

For the logging issue:
We're running vCD 10.4.2.2 (Build: 22463311), but still have this issue.
We're unable to activate the logging via GUI or terraform with an Organisation Admin user.

@Didainius
Collaborator

Didainius commented Mar 27, 2024

I have looked at the logging problem today. I think I was also specifying an incorrect right. The one I have specified was related to VDC Groups (which should work for distributed firewall). There is a similar right, Configure System Logging, under Edge Gateway.
image

I don't have all the versions in hand now and it might be that some didn't work, but I have explicitly tested that enabling this particular right makes the toggle (both in Terraform and UI) work properly. (I did that on VCD 10.5.1.)

@at-afa

at-afa commented Mar 27, 2024

Hi, here, the fix was that "Gateway: Configure System Logging" had to be allowed in "Default Rights Bundle", according to my VDC colleagues, so yeah that's probably it.

@Nagte502
Author

Thank you very much!
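
A check for the symptom reported in this thread, as an added example that is not part of the original issue or the provider's code: run `terraform plan -out=tfplan` straight after an apply and pass the output of `terraform show -json tfplan` to this script; any rule it lists still carries a logging diff, meaning the platform did not persist the flag. The sample plan, resource addresses and rule names are constructed, and matching rules by name is an assumption.

```python
import json
import sys

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check reads. Addresses and rule names are hypothetical.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "vcd_nsxt_firewall.edge", "type": "vcd_nsxt_firewall",
         "change": {"actions": ["update"],
                    "before": {"rule": [
                        {"name": "allow-web", "action": "ALLOW", "logging": False},
                        {"name": "drop-rest", "action": "DROP", "logging": False}]},
                    "after": {"rule": [
                        {"name": "allow-web", "action": "ALLOW", "logging": True},
                        {"name": "drop-rest", "action": "DROP", "logging": False}]}}},
        {"address": "vcd_nsxt_firewall.other", "type": "vcd_nsxt_firewall",
         "change": {"actions": ["no-op"],
                    "before": {"rule": [{"name": "allow-dns", "logging": True}]},
                    "after": {"rule": [{"name": "allow-dns", "logging": True}]}}},
    ]
}


def logging_drift(plan):
    """List (address, rule, current, wanted) where the plan still flips logging."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if rc.get("type") != "vcd_nsxt_firewall" or "update" not in change.get("actions", []):
            continue
        # Assumption: rule names are unique within one firewall resource.
        current = {r.get("name"): r for r in (change.get("before") or {}).get("rule") or []}
        for rule in (change.get("after") or {}).get("rule") or []:
            old = current.get(rule.get("name"))
            if old is None:
                continue  # rule is being added, not a leftover diff
            was, want = bool(old.get("logging")), bool(rule.get("logging"))
            if was != want:
                findings.append((rc["address"], rule.get("name"), was, want))
    return findings


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json; python check.py plan.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    for addr, name, was, want in logging_drift(plan):
        print(f"{addr}: rule {name!r} has logging={was}, configuration wants {want}")
```

A non-empty result on a plan taken immediately after a successful apply is the repeating diff described above, and a reason to review the rights discussed in the thread.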
