vmware / terraform-provider-nsxt Goto Github PK

View Code? Open in Web Editor NEW

123.0 25.0 80.0 31.05 MB

Terraform VMware NSX-T provider

Home Page: https://www.terraform.io/docs/providers/nsxt/

License: Other

Makefile 0.06% Go 98.69% Shell 0.05% Python 1.20%

terraform terraform-provider nsxt

terraform-provider-nsxt's Introduction

Terraform NSX-T Provider

This is the repository for the Terraform NSX Provider, which one can use with Terraform to work with VMware NSX-T.

For general information about Terraform, visit the official website and the GitHub project page.

Documentation on the NSX platform can be found at the NSX-T Documentation page

Using the Provider

The latest version of this provider requires Terraform v0.12 or higher to run.

The VMware supported version of the provider requires NSX version 3.0.0 onwards and Terraform 0.12 onwards. Version 2.0.0 of the provider offers NSX consumption via policy APIs, which is the recommended way. Most policy resources are supported with NSX version 3.0.0 onwards, however some resources or attributes require later releases. Please refer to documentation for more details. The recommended vSphere provider to be used in conjunction with the NSX-T Terraform Provider is 1.3.3 or above.

Note that you need to run terraform init to fetch the provider before deploying.

Full Provider Documentation

The provider is documented in full on the Terraform website and can be found here. Check the provider documentation for details on entering your connection information and how to get started with writing configuration for vSphere resources.

Controlling the provider version

Note that you can also control the provider version. This requires the use of a provider block in your Terraform configuration if you have not added one already.

The syntax is as follows:

provider "nsxt" {
  version = "~> 3.2"
  ...
}

Version locking uses a pessimistic operator, so this version lock would mean anything within the 3.x namespace, including or after 3.0.0. Read more on provider version control.

Automated Installation (Recommended)

Download and initialization of Terraform providers is with the “terraform init” command. This applies to the NSX-T provider as well. Once the provider block for the NSX-T provider is specified in your .tf file, “terraform init” will detect a need for the provider and download it to your environment. You can list versions of providers installed in your environment by running “terraform version” command:

$ ./terraform version
Terraform v1.2.1
on linux_amd64
+ provider registry.terraform.io/vmware/nsxt v3.3

Manual Installation

NOTE: Unless you are developing or require a pre-release bugfix or feature, you will want to use the officially released version of the provider (see the section above).

NOTE: Recommended way to compile the provider is using Go Modules.

NOTE: For terraform 0.13, please refer to provider installation configuration in order to use custom provider.

Cloning the Project

First, you will want to clone the repository to $GOPATH/src/github.com/vmware/terraform-provider-nsxt:

mkdir -p $GOPATH/src/github.com/vmware
cd $GOPATH/src/github.com/vmware
git clone https://github.com/vmware/terraform-provider-nsxt.git

Building and Installing the Provider

Recommended golang version is go1.18 onwards. After the clone has been completed, you can enter the provider directory and build the provider.

cd $GOPATH/src/github.com/vmware/terraform-provider-nsxt
make

After the build is complete, copy the provider executable terraform-provider-nsxt into location specified in your provider installation configuration. Make sure to delete provider lock files that might exist in your working directory due to prior provider usage. Run terraform init. For developing, consider using dev overrides configuration. Please note that terraform init should not be used with dev overrides.

Developing the Provider

NOTE: Before you start work on a feature, please make sure to check the issue tracker and existing pull requests to ensure that work is not being duplicated. For further clarification, you can also ask in a new issue.

If you wish to work on the provider, you'll first need Go installed on your machine (version 1.19+ is recommended). You'll also need to correctly setup a GOPATH, as well as adding $GOPATH/bin to your $PATH.

See Manual Installation for details on building the provider.

Testing the Provider

NOTE: Testing the NSX-T provider is currently a complex operation as it requires having a NSX-T manager endpoint to test against, which should be hosting a standard configuration for a NSX-T cluster. To cover Global Manager test cases, NSX-T Global Manager suite needs to be preconfigured.

Configuring Environment Variables

Most of the tests in this provider require a comprehensive list of environment variables to run. See the individual *_test.go files in the nsxt/ directory for more details, in addition to tests_utils.go for details on some tunables that can be used to specify the locations of certain pre-created resources that some tests require.

Minimum environment variable :

$ export NSXT_MANAGER_HOST="192.168.110.41"
$ export NSXT_USERNAME="admin"
$ export NSXT_PASSWORD="MyPassword123!"
$ export NSXT_ALLOW_UNVERIFIED_SSL=true

Running the Acceptance Tests

After this is done, you can run the acceptance tests by running:

$ make testacc

If you want to run against a specific set of tests, run make testacc with the TESTARGS parameter containing the run mask as per below:

make testacc TESTARGS="-run=TestAccResourceNsxtPolicyTier0Gateway"

This following example would run all of the acceptance tests matching TestAccResourceNsxtPolicyTier0Gateway. Change this for the specific tests you want to run.

Interoperability

The following versions of NSX are supported:

NSX-T 4.1.*
NSX-T 4.0.*
NSX-T 3.2.*
NSX-T 3.1.*
NSX-T 3.0.*
NSX-T 2.5.* support is limited with provider version 3.2.x and above

Some specific resources and attributed may require recent versions of NSX-T. Please refer to documentation for more details.

Support

The NSX Terraform provider is now VMware supported as well as community supported. For bugs and feature requests please open a Github Issue and label it appropriately or contact VMware support.

License

The NSX Terraform provider is available under MPL2.0 license.

terraform-provider-nsxt's People

Contributors

Stargazers

Watchers

terraform-provider-nsxt's Issues

Failed to create DhcpServer {uuid}: Json de-serialization error: property server_addresses is unrecognized. (code 287)

This module is using terraform version 0.12 syntax:

The Module

resource "nsxt_policy_dhcp_server" "dhcp" {
  display_name      = "dhcp-server-01"
  description       = "dhcp-server-01 provisioned by Terraform"
  edge_cluster_path = var.edge_cluster_path
  server_addresses  = ["192.168.0.2/24"]
}

The problem

terraform apply -auto-approve give me this error:

[ERROR]:  Failed to create DhcpServer {uuid}: Json de-serialization error: property server_addresses is unrecognized. (code 287)

Creating nsxt_policy_dhcp_server resource fails with error

On trying to create a resource of type nsxt_policy_dhcp_server

resource "nsxt_policy_dhcp_server" "dhcpserver" {
  display_name      = "test"
  edge_cluster_path = "${data.nsxt_policy_edge_cluster.EC.path}"
  server_addresses  = ["192.168.255.1/24"]
  lease_time        = 7200
}

this error is returned.

Error: Failed to create DhcpServer f967f88d-6fdb-4c07-84bb-cc258b2d55a4: Json de-serialization error: property server_addresses is unrecognized. (code 287)

Creating a DHCP server with the same values in the NSX-T UI works without problems.

NSX-T Version: 2.5.0.0.0.14663974

DHCP Server enforces gateway

I have a requirement for VM's to be multi-homed, but I only want one default gateway. According to https://www.terraform.io/docs/providers/nsxt/r/logical_dhcp_server.html the gateway property is required, but through the NSX-T CLI/API this is not the case:

Trying to specify a DHCP server without a gateway returns the following:

The argument "gateway_ip" is required, but no definition was found.

nsxt-policy-support: missing nsxt_policy_ip_pool data source

Since version v1.1.2 there is a datasource nsxt_ip_pool. But in the nsxt-policy-support branch the corresponding datasource nsxt_policy_ip_poolis missing. This prevents to lookup an IP pool by display name.

Can't update Default Firewall Rule

In Edge Firewall update, I can't seem to be able to edit the imported bottom rule.

I get the following error from the NSX-T API in the end:

* nsxt_firewall_section.section_bottom: Error during FirewallSection 944eb72d-7a70-4086-9df6-f2bf26c334b5 update: Status: 400 , Body: {
  "httpStatus" : "BAD_REQUEST",
  "error_code" : 100077,
  "module_name" : "NSX Firewall",
  "error_message" : "Default rule found at invalid position: 944eb72d-7a70-4086-9df6-f2bf26c334b5, should be at end of list"
}

I would like to be able to change the default from ALLOW to DROP, no other changes whatsoever. Outcome of terraform apply is

Terraform will perform the following actions:

  ~ nsxt_firewall_section.section_bottom
      rule.0.action: "ALLOW" => "DROP"

VPN Support

Will there be support for L2 VPN, IPsec VPN and SSL VPN in the future?

Thanks.

Declarative API supprt

So i was wondering if/when support for the declarative api with be added, from what i understand thats the preference and would like to use that along with the simplified UI over the Adv Networking and security UI

Firewall section always modifies even when no changes are made

When using the following sample Terraform file which creates a single firewall section with 2 rules, after the first time running terraform apply, everything is created successgully, however for every subsequent time terraform apply is run, it says that an update in-place is required, even though nothing has changed.

A reasonable expectation is that if there are no changes, then there should be nothing to update. In this example, changes are actually submitted to the NSX Manager. I can provide the logs if required.

##########################################################################
# Begin terraform file
##########################################################################
resource "nsxt_firewall_section" "7b631ece-7557-4df0-96d3-7428d8c6e88b" {
  description  = "Provisioned by Terraform"
  display_name = "DALES_TERRAFORM_TEST"
  section_type = "LAYER3"
  stateful     = true

  rule {
    display_name          = "c144a383-e915-4827-a570-fb33ed6e59c5"
    description           = ""
    action                = "ALLOW"
    logged                = false
    disabled              = false
    sources_excluded      = false
    destinations_excluded = false
    direction             = "IN_OUT"
    ip_protocol           = "IPV4_IPV6"

    source {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.e52edc8b-dc6f-4222-bf75-09b00febe99b.id}"
    }

    source {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.1a319382-fc62-487e-ae52-d4c913e9f09a.id}"
    }

    source {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.a8f99be0-da24-4b77-8590-810ca9adba41.id}"
    }

    source {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.20cc4c71-6d1a-478e-ab67-8e27885daa6c.id}"
    }

    source {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.0bcabc32-1005-496f-8e17-bbe994cef473.id}"
    }

    source {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.d6736ed6-10d8-41c9-8284-d2a6a13022ff.id}"
    }

    source {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.1ef4b586-9b7b-4ab6-892b-e4603cbe5b79.id}"
    }

    source {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.90d02d8b-ed4e-4aaa-9440-93e02bd80242.id}"
    }

    destination {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.7024fbb2-e859-46a6-a8b0-2f5604b505e8.id}"
    }

    destination {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.fe4eedd0-9fef-454b-b752-dc930b65a549.id}"
    }

    service {
      target_type = "NSService"
      target_id   = "${nsxt_l4_port_set_ns_service.18ec9eaa-1657-4240-ab97-5f234623336b.id}"
    }
  }

  rule {
    display_name          = "46a8cad8-1b97-47f8-be03-6d99d8c04bd1"
    description           = ""
    action                = "ALLOW"
    logged                = false
    disabled              = false
    sources_excluded      = false
    destinations_excluded = false
    direction             = "IN_OUT"
    ip_protocol           = "IPV4_IPV6"

    source {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.a8f99be0-da24-4b77-8590-810ca9adba41.id}"
    }

    source {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.20cc4c71-6d1a-478e-ab67-8e27885daa6c.id}"
    }

    source {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.0bcabc32-1005-496f-8e17-bbe994cef473.id}"
    }

    source {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.d6736ed6-10d8-41c9-8284-d2a6a13022ff.id}"
    }

    source {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.1ef4b586-9b7b-4ab6-892b-e4603cbe5b79.id}"
    }

    source {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.90d02d8b-ed4e-4aaa-9440-93e02bd80242.id}"
    }

    destination {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.7024fbb2-e859-46a6-a8b0-2f5604b505e8.id}"
    }

    destination {
      target_type = "IPSet"
      target_id   = "${nsxt_ip_set.fe4eedd0-9fef-454b-b752-dc930b65a549.id}"
    }

    service {
      target_type = "NSService"
      target_id   = "${nsxt_l4_port_set_ns_service.97aeb443-9aea-11d5-bd16-0090272ccb30.id}"
    }
  }
}

resource "nsxt_ip_set" "e52edc8b-dc6f-4222-bf75-09b00febe99b" {
  display_name = "AAA-1"
  ip_addresses = ["192.168.5.100"]
}

resource "nsxt_ip_set" "1a319382-fc62-487e-ae52-d4c913e9f09a" {
  display_name = "AAA-2"
  ip_addresses = ["192.168.5.101"]
}

resource "nsxt_ip_set" "a8f99be0-da24-4b77-8590-810ca9adba41" {
  display_name = "AAA-3"
  ip_addresses = ["192.168.31.35"]
}

resource "nsxt_ip_set" "20cc4c71-6d1a-478e-ab67-8e27885daa6c" {
  display_name = "AAA-4"
  ip_addresses = ["192.168.31.37"]
}

resource "nsxt_ip_set" "0bcabc32-1005-496f-8e17-bbe994cef473" {
  display_name = "AAA-5"
  ip_addresses = ["192.168.24.28"]
}

resource "nsxt_ip_set" "d6736ed6-10d8-41c9-8284-d2a6a13022ff" {
  display_name = "AAA-6"
  ip_addresses = ["192.168.31.31"]
}

resource "nsxt_ip_set" "1ef4b586-9b7b-4ab6-892b-e4603cbe5b79" {
  display_name = "AAA-7"
  ip_addresses = ["192.168.0.22"]
}

resource "nsxt_ip_set" "90d02d8b-ed4e-4aaa-9440-93e02bd80242" {
  display_name = "AAA-8"
  ip_addresses = ["192.168.5.69"]
}

resource "nsxt_ip_set" "7024fbb2-e859-46a6-a8b0-2f5604b505e8" {
  display_name = "AAA-9"
  ip_addresses = ["192.168.60.15"]
}

resource "nsxt_ip_set" "fe4eedd0-9fef-454b-b752-dc930b65a549" {
  display_name = "AAA-10"
  ip_addresses = ["192.168.130.115"]
}

resource "nsxt_l4_port_set_ns_service" "18ec9eaa-1657-4240-ab97-5f234623336b" {
  description       = "secure shell, encrypted and authenticated rsh"
  display_name      = "ssh"
  protocol          = "TCP"
  destination_ports = ["22"]
}

resource "nsxt_l4_port_set_ns_service" "97aeb443-9aea-11d5-bd16-0090272ccb30" {
  display_name      = "https"
  protocol          = "TCP"
  destination_ports = ["443"]
  source_ports      = ["1024-65535"]
}
##########################################################################
# End terraform file
##########################################################################

Here is the output from running terraform apply for the first time.

$ terraform apply -var-file supersecret.tfvars -parallelism=30

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + nsxt_firewall_section.7b631ece-7557-4df0-96d3-7428d8c6e88b
      id:                                       <computed>
      description:                              "Provisioned by Terraform"
      display_name:                             "DALES_TERRAFORM_TEST"
      is_default:                               <computed>
      revision:                                 <computed>
      rule.#:                                   "2"
      rule.0.action:                            "ALLOW"
      rule.0.destination.#:                     "2"
      rule.0.destination.0.is_valid:            <computed>
      rule.0.destination.0.target_display_name: <computed>
      rule.0.destination.0.target_id:           "${nsxt_ip_set.7024fbb2-e859-46a6-a8b0-2f5604b505e8.id}"
      rule.0.destination.0.target_type:         "IPSet"
      rule.0.destination.1.is_valid:            <computed>
      rule.0.destination.1.target_display_name: <computed>
      rule.0.destination.1.target_id:           "${nsxt_ip_set.fe4eedd0-9fef-454b-b752-dc930b65a549.id}"
      rule.0.destination.1.target_type:         "IPSet"
      rule.0.destinations_excluded:             "false"
      rule.0.direction:                         "IN_OUT"
      rule.0.disabled:                          "false"
      rule.0.display_name:                      "c144a383-e915-4827-a570-fb33ed6e59c5"
      rule.0.id:                                <computed>
      rule.0.ip_protocol:                       "IPV4_IPV6"
      rule.0.logged:                            "false"
      rule.0.revision:                          <computed>
      rule.0.service.#:                         "1"
      rule.0.service.0.is_valid:                <computed>
      rule.0.service.0.target_display_name:     <computed>
      rule.0.service.0.target_id:               "${nsxt_l4_port_set_ns_service.18ec9eaa-1657-4240-ab97-5f234623336b.id}"
      rule.0.service.0.target_type:             "NSService"
      rule.0.source.#:                          "8"
      rule.0.source.0.is_valid:                 <computed>
      rule.0.source.0.target_display_name:      <computed>
      rule.0.source.0.target_id:                "${nsxt_ip_set.e52edc8b-dc6f-4222-bf75-09b00febe99b.id}"
      rule.0.source.0.target_type:              "IPSet"
      rule.0.source.1.is_valid:                 <computed>
      rule.0.source.1.target_display_name:      <computed>
      rule.0.source.1.target_id:                "${nsxt_ip_set.1a319382-fc62-487e-ae52-d4c913e9f09a.id}"
      rule.0.source.1.target_type:              "IPSet"
      rule.0.source.2.is_valid:                 <computed>
      rule.0.source.2.target_display_name:      <computed>
      rule.0.source.2.target_id:                "${nsxt_ip_set.a8f99be0-da24-4b77-8590-810ca9adba41.id}"
      rule.0.source.2.target_type:              "IPSet"
      rule.0.source.3.is_valid:                 <computed>
      rule.0.source.3.target_display_name:      <computed>
      rule.0.source.3.target_id:                "${nsxt_ip_set.20cc4c71-6d1a-478e-ab67-8e27885daa6c.id}"
      rule.0.source.3.target_type:              "IPSet"
      rule.0.source.4.is_valid:                 <computed>
      rule.0.source.4.target_display_name:      <computed>
      rule.0.source.4.target_id:                "${nsxt_ip_set.0bcabc32-1005-496f-8e17-bbe994cef473.id}"
      rule.0.source.4.target_type:              "IPSet"
      rule.0.source.5.is_valid:                 <computed>
      rule.0.source.5.target_display_name:      <computed>
      rule.0.source.5.target_id:                "${nsxt_ip_set.d6736ed6-10d8-41c9-8284-d2a6a13022ff.id}"
      rule.0.source.5.target_type:              "IPSet"
      rule.0.source.6.is_valid:                 <computed>
      rule.0.source.6.target_display_name:      <computed>
      rule.0.source.6.target_id:                "${nsxt_ip_set.1ef4b586-9b7b-4ab6-892b-e4603cbe5b79.id}"
      rule.0.source.6.target_type:              "IPSet"
      rule.0.source.7.is_valid:                 <computed>
      rule.0.source.7.target_display_name:      <computed>
      rule.0.source.7.target_id:                "${nsxt_ip_set.90d02d8b-ed4e-4aaa-9440-93e02bd80242.id}"
      rule.0.source.7.target_type:              "IPSet"
      rule.0.sources_excluded:                  "false"
      rule.1.action:                            "ALLOW"
      rule.1.destination.#:                     "2"
      rule.1.destination.0.is_valid:            <computed>
      rule.1.destination.0.target_display_name: <computed>
      rule.1.destination.0.target_id:           "${nsxt_ip_set.7024fbb2-e859-46a6-a8b0-2f5604b505e8.id}"
      rule.1.destination.0.target_type:         "IPSet"
      rule.1.destination.1.is_valid:            <computed>
      rule.1.destination.1.target_display_name: <computed>
      rule.1.destination.1.target_id:           "${nsxt_ip_set.fe4eedd0-9fef-454b-b752-dc930b65a549.id}"
      rule.1.destination.1.target_type:         "IPSet"
      rule.1.destinations_excluded:             "false"
      rule.1.direction:                         "IN_OUT"
      rule.1.disabled:                          "false"
      rule.1.display_name:                      "46a8cad8-1b97-47f8-be03-6d99d8c04bd1"
      rule.1.id:                                <computed>
      rule.1.ip_protocol:                       "IPV4_IPV6"
      rule.1.logged:                            "false"
      rule.1.revision:                          <computed>
      rule.1.service.#:                         "1"
      rule.1.service.0.is_valid:                <computed>
      rule.1.service.0.target_display_name:     <computed>
      rule.1.service.0.target_id:               "${nsxt_l4_port_set_ns_service.97aeb443-9aea-11d5-bd16-0090272ccb30.id}"
      rule.1.service.0.target_type:             "NSService"
      rule.1.source.#:                          "6"
      rule.1.source.0.is_valid:                 <computed>
      rule.1.source.0.target_display_name:      <computed>
      rule.1.source.0.target_id:                "${nsxt_ip_set.a8f99be0-da24-4b77-8590-810ca9adba41.id}"
      rule.1.source.0.target_type:              "IPSet"
      rule.1.source.1.is_valid:                 <computed>
      rule.1.source.1.target_display_name:      <computed>
      rule.1.source.1.target_id:                "${nsxt_ip_set.20cc4c71-6d1a-478e-ab67-8e27885daa6c.id}"
      rule.1.source.1.target_type:              "IPSet"
      rule.1.source.2.is_valid:                 <computed>
      rule.1.source.2.target_display_name:      <computed>
      rule.1.source.2.target_id:                "${nsxt_ip_set.0bcabc32-1005-496f-8e17-bbe994cef473.id}"
      rule.1.source.2.target_type:              "IPSet"
      rule.1.source.3.is_valid:                 <computed>
      rule.1.source.3.target_display_name:      <computed>
      rule.1.source.3.target_id:                "${nsxt_ip_set.d6736ed6-10d8-41c9-8284-d2a6a13022ff.id}"
      rule.1.source.3.target_type:              "IPSet"
      rule.1.source.4.is_valid:                 <computed>
      rule.1.source.4.target_display_name:      <computed>
      rule.1.source.4.target_id:                "${nsxt_ip_set.1ef4b586-9b7b-4ab6-892b-e4603cbe5b79.id}"
      rule.1.source.4.target_type:              "IPSet"
      rule.1.source.5.is_valid:                 <computed>
      rule.1.source.5.target_display_name:      <computed>
      rule.1.source.5.target_id:                "${nsxt_ip_set.90d02d8b-ed4e-4aaa-9440-93e02bd80242.id}"
      rule.1.source.5.target_type:              "IPSet"
      rule.1.sources_excluded:                  "false"
      section_type:                             "LAYER3"
      stateful:                                 "true"

  + nsxt_ip_set.0bcabc32-1005-496f-8e17-bbe994cef473
      id:                                       <computed>
      display_name:                             "AAA-5"
      ip_addresses.#:                           "1"
      ip_addresses.2219010323:                  "192.168.24.28"
      revision:                                 <computed>

  + nsxt_ip_set.1a319382-fc62-487e-ae52-d4c913e9f09a
      id:                                       <computed>
      display_name:                             "AAA-2"
      ip_addresses.#:                           "1"
      ip_addresses.1764425318:                  "192.168.5.101"
      revision:                                 <computed>

  + nsxt_ip_set.1ef4b586-9b7b-4ab6-892b-e4603cbe5b79
      id:                                       <computed>
      display_name:                             "AAA-7"
      ip_addresses.#:                           "1"
      ip_addresses.991121979:                   "192.168.0.22"
      revision:                                 <computed>

  + nsxt_ip_set.20cc4c71-6d1a-478e-ab67-8e27885daa6c
      id:                                       <computed>
      display_name:                             "AAA-4"
      ip_addresses.#:                           "1"
      ip_addresses.27607870:                    "192.168.31.37"
      revision:                                 <computed>

  + nsxt_ip_set.7024fbb2-e859-46a6-a8b0-2f5604b505e8
      id:                                       <computed>
      display_name:                             "AAA-9"
      ip_addresses.#:                           "1"
      ip_addresses.1572490705:                  "192.168.60.15"
      revision:                                 <computed>

  + nsxt_ip_set.90d02d8b-ed4e-4aaa-9440-93e02bd80242
      id:                                       <computed>
      display_name:                             "AAA-8"
      ip_addresses.#:                           "1"
      ip_addresses.386837596:                   "192.168.5.69"
      revision:                                 <computed>

  + nsxt_ip_set.a8f99be0-da24-4b77-8590-810ca9adba41
      id:                                       <computed>
      display_name:                             "AAA-3"
      ip_addresses.#:                           "1"
      ip_addresses.865280444:                   "192.168.31.35"
      revision:                                 <computed>

  + nsxt_ip_set.d6736ed6-10d8-41c9-8284-d2a6a13022ff
      id:                                       <computed>
      display_name:                             "AAA-6"
      ip_addresses.#:                           "1"
      ip_addresses.1476388024:                  "192.168.31.31"
      revision:                                 <computed>

  + nsxt_ip_set.e52edc8b-dc6f-4222-bf75-09b00febe99b
      id:                                       <computed>
      display_name:                             "AAA-1"
      ip_addresses.#:                           "1"
      ip_addresses.1882312487:                  "192.168.5.100"
      revision:                                 <computed>

  + nsxt_ip_set.fe4eedd0-9fef-454b-b752-dc930b65a549
      id:                                       <computed>
      display_name:                             "AAA-10"
      ip_addresses.#:                           "1"
      ip_addresses.2686045977:                  "192.168.130.115"
      revision:                                 <computed>

  + nsxt_l4_port_set_ns_service.18ec9eaa-1657-4240-ab97-5f234623336b
      id:                                       <computed>
      default_service:                          <computed>
      description:                              "secure shell, encrypted and authenticated rsh"
      destination_ports.#:                      "1"
      destination_ports.2228573625:             "22"
      display_name:                             "ssh"
      protocol:                                 "TCP"
      revision:                                 <computed>

  + nsxt_l4_port_set_ns_service.97aeb443-9aea-11d5-bd16-0090272ccb30
      id:                                       <computed>
      default_service:                          <computed>
      destination_ports.#:                      "1"
      destination_ports.940536242:              "443"
      display_name:                             "https"
      protocol:                                 "TCP"
      revision:                                 <computed>
      source_ports.#:                           "1"
      source_ports.213573897:                   "1024-65535"

  + nsxt_l4_port_set_ns_service.Dummy-Service
      id:                                       <computed>
      default_service:                          <computed>
      description:                              "Service created as a placeholder within an empty service group"
      destination_ports.#:                      "1"
      destination_ports.1274546220:             "4"
      display_name:                             "AAA-Terraform-Dummy-Service"
      protocol:                                 "TCP"
      revision:                                 <computed>


Plan: 14 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

nsxt_ip_set.20cc4c71-6d1a-478e-ab67-8e27885daa6c: Creating...
  display_name:          "" => "AAA-4"
  ip_addresses.#:        "0" => "1"
  ip_addresses.27607870: "" => "192.168.31.37"
  revision:              "" => "<computed>"
nsxt_ip_set.d6736ed6-10d8-41c9-8284-d2a6a13022ff: Creating...
  display_name:            "" => "AAA-6"
  ip_addresses.#:          "0" => "1"
  ip_addresses.1476388024: "" => "192.168.31.31"
  revision:                "" => "<computed>"
nsxt_l4_port_set_ns_service.Dummy-Service: Creating...
  default_service:              "" => "<computed>"
  description:                  "" => "Service created as a placeholder within an empty service group"
  destination_ports.#:          "0" => "1"
  destination_ports.1274546220: "" => "4"
  display_name:                 "" => "AAA-Terraform-Dummy-Service"
  protocol:                     "" => "TCP"
  revision:                     "" => "<computed>"
nsxt_l4_port_set_ns_service.18ec9eaa-1657-4240-ab97-5f234623336b: Creating...
  default_service:              "" => "<computed>"
  description:                  "" => "secure shell, encrypted and authenticated rsh"
  destination_ports.#:          "0" => "1"
  destination_ports.2228573625: "" => "22"
  display_name:                 "" => "ssh"
  protocol:                     "" => "TCP"
  revision:                     "" => "<computed>"
nsxt_ip_set.90d02d8b-ed4e-4aaa-9440-93e02bd80242: Creating...
  display_name:           "" => "AAA-8"
  ip_addresses.#:         "0" => "1"
  ip_addresses.386837596: "" => "192.168.5.69"
  revision:               "" => "<computed>"
nsxt_ip_set.7024fbb2-e859-46a6-a8b0-2f5604b505e8: Creating...
  display_name:            "" => "AAA-9"
  ip_addresses.#:          "0" => "1"
  ip_addresses.1572490705: "" => "192.168.60.15"
  revision:                "" => "<computed>"
nsxt_ip_set.fe4eedd0-9fef-454b-b752-dc930b65a549: Creating...
  display_name:            "" => "AAA-10"
  ip_addresses.#:          "0" => "1"
  ip_addresses.2686045977: "" => "192.168.130.115"
  revision:                "" => "<computed>"
nsxt_ip_set.1a319382-fc62-487e-ae52-d4c913e9f09a: Creating...
  display_name:            "" => "AAA-2"
  ip_addresses.#:          "0" => "1"
  ip_addresses.1764425318: "" => "192.168.5.101"
  revision:                "" => "<computed>"
nsxt_ip_set.a8f99be0-da24-4b77-8590-810ca9adba41: Creating...
  display_name:           "" => "AAA-3"
  ip_addresses.#:         "0" => "1"
  ip_addresses.865280444: "" => "192.168.31.35"
  revision:               "" => "<computed>"
nsxt_ip_set.1ef4b586-9b7b-4ab6-892b-e4603cbe5b79: Creating...
  display_name:           "" => "AAA-7"
  ip_addresses.#:         "0" => "1"
  ip_addresses.991121979: "" => "192.168.0.22"
  revision:               "" => "<computed>"
nsxt_l4_port_set_ns_service.97aeb443-9aea-11d5-bd16-0090272ccb30: Creating...
  default_service:             "" => "<computed>"
  destination_ports.#:         "0" => "1"
  destination_ports.940536242: "" => "443"
  display_name:                "" => "https"
  protocol:                    "" => "TCP"
  revision:                    "" => "<computed>"
  source_ports.#:              "0" => "1"
  source_ports.213573897:      "" => "1024-65535"
nsxt_ip_set.0bcabc32-1005-496f-8e17-bbe994cef473: Creating...
  display_name:            "" => "AAA-5"
  ip_addresses.#:          "0" => "1"
  ip_addresses.2219010323: "" => "192.168.24.28"
  revision:                "" => "<computed>"
nsxt_ip_set.e52edc8b-dc6f-4222-bf75-09b00febe99b: Creating...
  display_name:            "" => "AAA-1"
  ip_addresses.#:          "0" => "1"
  ip_addresses.1882312487: "" => "192.168.5.100"
  revision:                "" => "<computed>"
nsxt_ip_set.fe4eedd0-9fef-454b-b752-dc930b65a549: Creation complete after 1s (ID: 2ec2f460-7678-49fa-89cb-ae97ef532208)
nsxt_ip_set.90d02d8b-ed4e-4aaa-9440-93e02bd80242: Creation complete after 2s (ID: ab350c7c-74ed-4a4d-b6ec-0aaf3e647741)
nsxt_ip_set.a8f99be0-da24-4b77-8590-810ca9adba41: Creation complete after 2s (ID: c915c260-5ef2-4ef1-af44-dc8b417f25f0)
nsxt_ip_set.7024fbb2-e859-46a6-a8b0-2f5604b505e8: Creation complete after 2s (ID: dc56baf9-a028-4625-b1c8-40da76fd3e98)
nsxt_ip_set.e52edc8b-dc6f-4222-bf75-09b00febe99b: Creation complete after 2s (ID: bc756e37-d3ab-4bdd-ae71-43c27070d99e)
nsxt_ip_set.20cc4c71-6d1a-478e-ab67-8e27885daa6c: Creation complete after 2s (ID: c328a368-f8bd-4141-b084-1a11e069bb67)
nsxt_l4_port_set_ns_service.18ec9eaa-1657-4240-ab97-5f234623336b: Creation complete after 2s (ID: 5d2228ec-3733-43a4-af07-ae13c52490d7)
nsxt_l4_port_set_ns_service.97aeb443-9aea-11d5-bd16-0090272ccb30: Creation complete after 2s (ID: 16b00705-0c12-42a2-a8a0-0048639b0fc7)
nsxt_ip_set.0bcabc32-1005-496f-8e17-bbe994cef473: Creation complete after 2s (ID: dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8)
nsxt_l4_port_set_ns_service.Dummy-Service: Creation complete after 2s (ID: dc1dc0af-12bc-4a19-9be1-cdd46c4398ae)
nsxt_ip_set.d6736ed6-10d8-41c9-8284-d2a6a13022ff: Creation complete after 2s (ID: 12c71ee5-13ba-4b28-b093-ce81ba8a1bf1)
nsxt_ip_set.1ef4b586-9b7b-4ab6-892b-e4603cbe5b79: Creation complete after 2s (ID: 64f511f0-7464-40c1-8a7e-2a7c3ee6574c)
nsxt_ip_set.1a319382-fc62-487e-ae52-d4c913e9f09a: Creation complete after 2s (ID: 9b502edb-8cab-4732-b064-d4d3dfa6856e)
nsxt_firewall_section.7b631ece-7557-4df0-96d3-7428d8c6e88b: Creating...
  description:                              "" => "Provisioned by Terraform"
  display_name:                             "" => "DALES_TERRAFORM_TEST"
  is_default:                               "" => "<computed>"
  revision:                                 "" => "<computed>"
  rule.#:                                   "" => "2"
  rule.0.action:                            "" => "ALLOW"
  rule.0.destination.#:                     "" => "2"
  rule.0.destination.0.is_valid:            "" => "<computed>"
  rule.0.destination.0.target_display_name: "" => "<computed>"
  rule.0.destination.0.target_id:           "" => "dc56baf9-a028-4625-b1c8-40da76fd3e98"
  rule.0.destination.0.target_type:         "" => "IPSet"
  rule.0.destination.1.is_valid:            "" => "<computed>"
  rule.0.destination.1.target_display_name: "" => "<computed>"
  rule.0.destination.1.target_id:           "" => "2ec2f460-7678-49fa-89cb-ae97ef532208"
  rule.0.destination.1.target_type:         "" => "IPSet"
  rule.0.destinations_excluded:             "" => "false"
  rule.0.direction:                         "" => "IN_OUT"
  rule.0.disabled:                          "" => "false"
  rule.0.display_name:                      "" => "c144a383-e915-4827-a570-fb33ed6e59c5"
  rule.0.id:                                "" => "<computed>"
  rule.0.ip_protocol:                       "" => "IPV4_IPV6"
  rule.0.logged:                            "" => "false"
  rule.0.revision:                          "" => "<computed>"
  rule.0.service.#:                         "" => "1"
  rule.0.service.0.is_valid:                "" => "<computed>"
  rule.0.service.0.target_display_name:     "" => "<computed>"
  rule.0.service.0.target_id:               "" => "5d2228ec-3733-43a4-af07-ae13c52490d7"
  rule.0.service.0.target_type:             "" => "NSService"
  rule.0.source.#:                          "" => "8"
  rule.0.source.0.is_valid:                 "" => "<computed>"
  rule.0.source.0.target_display_name:      "" => "<computed>"
  rule.0.source.0.target_id:                "" => "bc756e37-d3ab-4bdd-ae71-43c27070d99e"
  rule.0.source.0.target_type:              "" => "IPSet"
  rule.0.source.1.is_valid:                 "" => "<computed>"
  rule.0.source.1.target_display_name:      "" => "<computed>"
  rule.0.source.1.target_id:                "" => "9b502edb-8cab-4732-b064-d4d3dfa6856e"
  rule.0.source.1.target_type:              "" => "IPSet"
  rule.0.source.2.is_valid:                 "" => "<computed>"
  rule.0.source.2.target_display_name:      "" => "<computed>"
  rule.0.source.2.target_id:                "" => "c915c260-5ef2-4ef1-af44-dc8b417f25f0"
  rule.0.source.2.target_type:              "" => "IPSet"
  rule.0.source.3.is_valid:                 "" => "<computed>"
  rule.0.source.3.target_display_name:      "" => "<computed>"
  rule.0.source.3.target_id:                "" => "c328a368-f8bd-4141-b084-1a11e069bb67"
  rule.0.source.3.target_type:              "" => "IPSet"
  rule.0.source.4.is_valid:                 "" => "<computed>"
  rule.0.source.4.target_display_name:      "" => "<computed>"
  rule.0.source.4.target_id:                "" => "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8"
  rule.0.source.4.target_type:              "" => "IPSet"
  rule.0.source.5.is_valid:                 "" => "<computed>"
  rule.0.source.5.target_display_name:      "" => "<computed>"
  rule.0.source.5.target_id:                "" => "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1"
  rule.0.source.5.target_type:              "" => "IPSet"
  rule.0.source.6.is_valid:                 "" => "<computed>"
  rule.0.source.6.target_display_name:      "" => "<computed>"
  rule.0.source.6.target_id:                "" => "64f511f0-7464-40c1-8a7e-2a7c3ee6574c"
  rule.0.source.6.target_type:              "" => "IPSet"
  rule.0.source.7.is_valid:                 "" => "<computed>"
  rule.0.source.7.target_display_name:      "" => "<computed>"
  rule.0.source.7.target_id:                "" => "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741"
  rule.0.source.7.target_type:              "" => "IPSet"
  rule.0.sources_excluded:                  "" => "false"
  rule.1.action:                            "" => "ALLOW"
  rule.1.destination.#:                     "" => "2"
  rule.1.destination.0.is_valid:            "" => "<computed>"
  rule.1.destination.0.target_display_name: "" => "<computed>"
  rule.1.destination.0.target_id:           "" => "dc56baf9-a028-4625-b1c8-40da76fd3e98"
  rule.1.destination.0.target_type:         "" => "IPSet"
  rule.1.destination.1.is_valid:            "" => "<computed>"
  rule.1.destination.1.target_display_name: "" => "<computed>"
  rule.1.destination.1.target_id:           "" => "2ec2f460-7678-49fa-89cb-ae97ef532208"
  rule.1.destination.1.target_type:         "" => "IPSet"
  rule.1.destinations_excluded:             "" => "false"
  rule.1.direction:                         "" => "IN_OUT"
  rule.1.disabled:                          "" => "false"
  rule.1.display_name:                      "" => "46a8cad8-1b97-47f8-be03-6d99d8c04bd1"
  rule.1.id:                                "" => "<computed>"
  rule.1.ip_protocol:                       "" => "IPV4_IPV6"
  rule.1.logged:                            "" => "false"
  rule.1.revision:                          "" => "<computed>"
  rule.1.service.#:                         "" => "1"
  rule.1.service.0.is_valid:                "" => "<computed>"
  rule.1.service.0.target_display_name:     "" => "<computed>"
  rule.1.service.0.target_id:               "" => "16b00705-0c12-42a2-a8a0-0048639b0fc7"
  rule.1.service.0.target_type:             "" => "NSService"
  rule.1.source.#:                          "" => "6"
  rule.1.source.0.is_valid:                 "" => "<computed>"
  rule.1.source.0.target_display_name:      "" => "<computed>"
  rule.1.source.0.target_id:                "" => "c915c260-5ef2-4ef1-af44-dc8b417f25f0"
  rule.1.source.0.target_type:              "" => "IPSet"
  rule.1.source.1.is_valid:                 "" => "<computed>"
  rule.1.source.1.target_display_name:      "" => "<computed>"
  rule.1.source.1.target_id:                "" => "c328a368-f8bd-4141-b084-1a11e069bb67"
  rule.1.source.1.target_type:              "" => "IPSet"
  rule.1.source.2.is_valid:                 "" => "<computed>"
  rule.1.source.2.target_display_name:      "" => "<computed>"
  rule.1.source.2.target_id:                "" => "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8"
  rule.1.source.2.target_type:              "" => "IPSet"
  rule.1.source.3.is_valid:                 "" => "<computed>"
  rule.1.source.3.target_display_name:      "" => "<computed>"
  rule.1.source.3.target_id:                "" => "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1"
  rule.1.source.3.target_type:              "" => "IPSet"
  rule.1.source.4.is_valid:                 "" => "<computed>"
  rule.1.source.4.target_display_name:      "" => "<computed>"
  rule.1.source.4.target_id:                "" => "64f511f0-7464-40c1-8a7e-2a7c3ee6574c"
  rule.1.source.4.target_type:              "" => "IPSet"
  rule.1.source.5.is_valid:                 "" => "<computed>"
  rule.1.source.5.target_display_name:      "" => "<computed>"
  rule.1.source.5.target_id:                "" => "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741"
  rule.1.source.5.target_type:              "" => "IPSet"
  rule.1.sources_excluded:                  "" => "false"
  section_type:                             "" => "LAYER3"
  stateful:                                 "" => "true"
nsxt_firewall_section.7b631ece-7557-4df0-96d3-7428d8c6e88b: Creation complete after 3s (ID: 4d834e3a-5caf-491e-8e7f-7015882fe8a2)

Apply complete! Resources: 14 added, 0 changed, 0 destroyed.

Run terraform apply immediately afterwards (with no changes), and it says that updates are required.

$ terraform apply -var-file supersecret.tfvars -parallelism=30
nsxt_ip_set.fe4eedd0-9fef-454b-b752-dc930b65a549: Refreshing state... (ID: 2ec2f460-7678-49fa-89cb-ae97ef532208)
nsxt_ip_set.20cc4c71-6d1a-478e-ab67-8e27885daa6c: Refreshing state... (ID: c328a368-f8bd-4141-b084-1a11e069bb67)
nsxt_l4_port_set_ns_service.18ec9eaa-1657-4240-ab97-5f234623336b: Refreshing state... (ID: 5d2228ec-3733-43a4-af07-ae13c52490d7)
nsxt_l4_port_set_ns_service.97aeb443-9aea-11d5-bd16-0090272ccb30: Refreshing state... (ID: 16b00705-0c12-42a2-a8a0-0048639b0fc7)
nsxt_ip_set.1ef4b586-9b7b-4ab6-892b-e4603cbe5b79: Refreshing state... (ID: 64f511f0-7464-40c1-8a7e-2a7c3ee6574c)
nsxt_ip_set.a8f99be0-da24-4b77-8590-810ca9adba41: Refreshing state... (ID: c915c260-5ef2-4ef1-af44-dc8b417f25f0)
nsxt_ip_set.0bcabc32-1005-496f-8e17-bbe994cef473: Refreshing state... (ID: dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8)
nsxt_ip_set.7024fbb2-e859-46a6-a8b0-2f5604b505e8: Refreshing state... (ID: dc56baf9-a028-4625-b1c8-40da76fd3e98)
nsxt_ip_set.90d02d8b-ed4e-4aaa-9440-93e02bd80242: Refreshing state... (ID: ab350c7c-74ed-4a4d-b6ec-0aaf3e647741)
nsxt_ip_set.d6736ed6-10d8-41c9-8284-d2a6a13022ff: Refreshing state... (ID: 12c71ee5-13ba-4b28-b093-ce81ba8a1bf1)
nsxt_ip_set.1a319382-fc62-487e-ae52-d4c913e9f09a: Refreshing state... (ID: 9b502edb-8cab-4732-b064-d4d3dfa6856e)
nsxt_l4_port_set_ns_service.Dummy-Service: Refreshing state... (ID: dc1dc0af-12bc-4a19-9be1-cdd46c4398ae)
nsxt_ip_set.e52edc8b-dc6f-4222-bf75-09b00febe99b: Refreshing state... (ID: bc756e37-d3ab-4bdd-ae71-43c27070d99e)
nsxt_firewall_section.7b631ece-7557-4df0-96d3-7428d8c6e88b: Refreshing state... (ID: 4d834e3a-5caf-491e-8e7f-7015882fe8a2)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ nsxt_firewall_section.7b631ece-7557-4df0-96d3-7428d8c6e88b
      rule.0.source.0.target_id: "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741" => "bc756e37-d3ab-4bdd-ae71-43c27070d99e"
      rule.0.source.1.target_id: "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1" => "9b502edb-8cab-4732-b064-d4d3dfa6856e"
      rule.0.source.2.target_id: "64f511f0-7464-40c1-8a7e-2a7c3ee6574c" => "c915c260-5ef2-4ef1-af44-dc8b417f25f0"
      rule.0.source.3.target_id: "9b502edb-8cab-4732-b064-d4d3dfa6856e" => "c328a368-f8bd-4141-b084-1a11e069bb67"
      rule.0.source.4.target_id: "c328a368-f8bd-4141-b084-1a11e069bb67" => "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8"
      rule.0.source.5.target_id: "bc756e37-d3ab-4bdd-ae71-43c27070d99e" => "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1"
      rule.0.source.6.target_id: "c915c260-5ef2-4ef1-af44-dc8b417f25f0" => "64f511f0-7464-40c1-8a7e-2a7c3ee6574c"
      rule.0.source.7.target_id: "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8" => "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741"
      rule.1.source.0.target_id: "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741" => "c915c260-5ef2-4ef1-af44-dc8b417f25f0"
      rule.1.source.1.target_id: "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1" => "c328a368-f8bd-4141-b084-1a11e069bb67"
      rule.1.source.2.target_id: "64f511f0-7464-40c1-8a7e-2a7c3ee6574c" => "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8"
      rule.1.source.3.target_id: "c328a368-f8bd-4141-b084-1a11e069bb67" => "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1"
      rule.1.source.4.target_id: "c915c260-5ef2-4ef1-af44-dc8b417f25f0" => "64f511f0-7464-40c1-8a7e-2a7c3ee6574c"
      rule.1.source.5.target_id: "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8" => "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741"


Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

nsxt_firewall_section.7b631ece-7557-4df0-96d3-7428d8c6e88b: Modifying... (ID: 4d834e3a-5caf-491e-8e7f-7015882fe8a2)
  rule.0.source.0.target_id: "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741" => "bc756e37-d3ab-4bdd-ae71-43c27070d99e"
  rule.0.source.1.target_id: "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1" => "9b502edb-8cab-4732-b064-d4d3dfa6856e"
  rule.0.source.2.target_id: "64f511f0-7464-40c1-8a7e-2a7c3ee6574c" => "c915c260-5ef2-4ef1-af44-dc8b417f25f0"
  rule.0.source.3.target_id: "9b502edb-8cab-4732-b064-d4d3dfa6856e" => "c328a368-f8bd-4141-b084-1a11e069bb67"
  rule.0.source.4.target_id: "c328a368-f8bd-4141-b084-1a11e069bb67" => "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8"
  rule.0.source.5.target_id: "bc756e37-d3ab-4bdd-ae71-43c27070d99e" => "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1"
  rule.0.source.6.target_id: "c915c260-5ef2-4ef1-af44-dc8b417f25f0" => "64f511f0-7464-40c1-8a7e-2a7c3ee6574c"
  rule.0.source.7.target_id: "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8" => "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741"
  rule.1.source.0.target_id: "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741" => "c915c260-5ef2-4ef1-af44-dc8b417f25f0"
  rule.1.source.1.target_id: "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1" => "c328a368-f8bd-4141-b084-1a11e069bb67"
  rule.1.source.2.target_id: "64f511f0-7464-40c1-8a7e-2a7c3ee6574c" => "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8"
  rule.1.source.3.target_id: "c328a368-f8bd-4141-b084-1a11e069bb67" => "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1"
  rule.1.source.4.target_id: "c915c260-5ef2-4ef1-af44-dc8b417f25f0" => "64f511f0-7464-40c1-8a7e-2a7c3ee6574c"
  rule.1.source.5.target_id: "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8" => "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741"
nsxt_firewall_section.7b631ece-7557-4df0-96d3-7428d8c6e88b: Modifications complete after 3s (ID: 4d834e3a-5caf-491e-8e7f-7015882fe8a2)

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

And if you keep running terraform apply, it keeps saying the same changes are required.

$ terraform apply -var-file supersecret.tfvars -parallelism=30
nsxt_ip_set.1a319382-fc62-487e-ae52-d4c913e9f09a: Refreshing state... (ID: 9b502edb-8cab-4732-b064-d4d3dfa6856e)
nsxt_ip_set.90d02d8b-ed4e-4aaa-9440-93e02bd80242: Refreshing state... (ID: ab350c7c-74ed-4a4d-b6ec-0aaf3e647741)
nsxt_ip_set.a8f99be0-da24-4b77-8590-810ca9adba41: Refreshing state... (ID: c915c260-5ef2-4ef1-af44-dc8b417f25f0)
nsxt_l4_port_set_ns_service.Dummy-Service: Refreshing state... (ID: dc1dc0af-12bc-4a19-9be1-cdd46c4398ae)
nsxt_ip_set.0bcabc32-1005-496f-8e17-bbe994cef473: Refreshing state... (ID: dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8)
nsxt_ip_set.1ef4b586-9b7b-4ab6-892b-e4603cbe5b79: Refreshing state... (ID: 64f511f0-7464-40c1-8a7e-2a7c3ee6574c)
nsxt_ip_set.e52edc8b-dc6f-4222-bf75-09b00febe99b: Refreshing state... (ID: bc756e37-d3ab-4bdd-ae71-43c27070d99e)
nsxt_ip_set.d6736ed6-10d8-41c9-8284-d2a6a13022ff: Refreshing state... (ID: 12c71ee5-13ba-4b28-b093-ce81ba8a1bf1)
nsxt_ip_set.7024fbb2-e859-46a6-a8b0-2f5604b505e8: Refreshing state... (ID: dc56baf9-a028-4625-b1c8-40da76fd3e98)
nsxt_ip_set.20cc4c71-6d1a-478e-ab67-8e27885daa6c: Refreshing state... (ID: c328a368-f8bd-4141-b084-1a11e069bb67)
nsxt_l4_port_set_ns_service.97aeb443-9aea-11d5-bd16-0090272ccb30: Refreshing state... (ID: 16b00705-0c12-42a2-a8a0-0048639b0fc7)
nsxt_l4_port_set_ns_service.18ec9eaa-1657-4240-ab97-5f234623336b: Refreshing state... (ID: 5d2228ec-3733-43a4-af07-ae13c52490d7)
nsxt_ip_set.fe4eedd0-9fef-454b-b752-dc930b65a549: Refreshing state... (ID: 2ec2f460-7678-49fa-89cb-ae97ef532208)
nsxt_firewall_section.7b631ece-7557-4df0-96d3-7428d8c6e88b: Refreshing state... (ID: 4d834e3a-5caf-491e-8e7f-7015882fe8a2)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ nsxt_firewall_section.7b631ece-7557-4df0-96d3-7428d8c6e88b
      rule.0.source.0.target_id: "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741" => "bc756e37-d3ab-4bdd-ae71-43c27070d99e"
      rule.0.source.1.target_id: "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1" => "9b502edb-8cab-4732-b064-d4d3dfa6856e"
      rule.0.source.2.target_id: "64f511f0-7464-40c1-8a7e-2a7c3ee6574c" => "c915c260-5ef2-4ef1-af44-dc8b417f25f0"
      rule.0.source.3.target_id: "9b502edb-8cab-4732-b064-d4d3dfa6856e" => "c328a368-f8bd-4141-b084-1a11e069bb67"
      rule.0.source.4.target_id: "c328a368-f8bd-4141-b084-1a11e069bb67" => "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8"
      rule.0.source.5.target_id: "bc756e37-d3ab-4bdd-ae71-43c27070d99e" => "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1"
      rule.0.source.6.target_id: "c915c260-5ef2-4ef1-af44-dc8b417f25f0" => "64f511f0-7464-40c1-8a7e-2a7c3ee6574c"
      rule.0.source.7.target_id: "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8" => "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741"
      rule.1.source.0.target_id: "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741" => "c915c260-5ef2-4ef1-af44-dc8b417f25f0"
      rule.1.source.1.target_id: "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1" => "c328a368-f8bd-4141-b084-1a11e069bb67"
      rule.1.source.2.target_id: "64f511f0-7464-40c1-8a7e-2a7c3ee6574c" => "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8"
      rule.1.source.3.target_id: "c328a368-f8bd-4141-b084-1a11e069bb67" => "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1"
      rule.1.source.4.target_id: "c915c260-5ef2-4ef1-af44-dc8b417f25f0" => "64f511f0-7464-40c1-8a7e-2a7c3ee6574c"
      rule.1.source.5.target_id: "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8" => "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741"


Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

nsxt_firewall_section.7b631ece-7557-4df0-96d3-7428d8c6e88b: Modifying... (ID: 4d834e3a-5caf-491e-8e7f-7015882fe8a2)
  rule.0.source.0.target_id: "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741" => "bc756e37-d3ab-4bdd-ae71-43c27070d99e"
  rule.0.source.1.target_id: "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1" => "9b502edb-8cab-4732-b064-d4d3dfa6856e"
  rule.0.source.2.target_id: "64f511f0-7464-40c1-8a7e-2a7c3ee6574c" => "c915c260-5ef2-4ef1-af44-dc8b417f25f0"
  rule.0.source.3.target_id: "9b502edb-8cab-4732-b064-d4d3dfa6856e" => "c328a368-f8bd-4141-b084-1a11e069bb67"
  rule.0.source.4.target_id: "c328a368-f8bd-4141-b084-1a11e069bb67" => "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8"
  rule.0.source.5.target_id: "bc756e37-d3ab-4bdd-ae71-43c27070d99e" => "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1"
  rule.0.source.6.target_id: "c915c260-5ef2-4ef1-af44-dc8b417f25f0" => "64f511f0-7464-40c1-8a7e-2a7c3ee6574c"
  rule.0.source.7.target_id: "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8" => "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741"
  rule.1.source.0.target_id: "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741" => "c915c260-5ef2-4ef1-af44-dc8b417f25f0"
  rule.1.source.1.target_id: "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1" => "c328a368-f8bd-4141-b084-1a11e069bb67"
  rule.1.source.2.target_id: "64f511f0-7464-40c1-8a7e-2a7c3ee6574c" => "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8"
  rule.1.source.3.target_id: "c328a368-f8bd-4141-b084-1a11e069bb67" => "12c71ee5-13ba-4b28-b093-ce81ba8a1bf1"
  rule.1.source.4.target_id: "c915c260-5ef2-4ef1-af44-dc8b417f25f0" => "64f511f0-7464-40c1-8a7e-2a7c3ee6574c"
  rule.1.source.5.target_id: "dcf5dcf9-ff34-4771-b02a-dde1ceeb2ee8" => "ab350c7c-74ed-4a4d-b6ec-0aaf3e647741"
nsxt_firewall_section.7b631ece-7557-4df0-96d3-7428d8c6e88b: Modifications complete after 3s (ID: 4d834e3a-5caf-491e-8e7f-7015882fe8a2)

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Terraform breaks when NAT rule is deleted

Expected behavior

When a previously created NAT rule is deleted and terraform apply is run, the NAT rule is recreated.

Observed behavior

When a previously created NAT rule is deleted and terraform apply is run, terraform produces an error and refuses to continue. Produces error like this:

Error: Error refreshing state: 1 error(s) occurred:

* nsxt_nat_rule.pks-dnat-api: 1 error(s) occurred:

* nsxt_nat_rule.pks-dnat-api: nsxt_nat_rule.pks-dnat-api: Error during NatRule read: Status: 400 , Body: {
  "httpStatus" : "BAD_REQUEST",
  "error_code" : 11013,
  "module_name" : "ROUTING",
  "error_message" : "[Routing] Invalid resource NAT rule 1064 for the logical router 8b6dbd75-4820-426c-b754-abf0ae62102a."
}

Steps to reproduce

Create terraform that requires a NAT rule
Run terraform apply against NSX-T
Delete the NAT rule using the NSX-Manager GUI
Run terraform apply

nsxt_lb_pool member_group max_ip_list_size defaults to zero

When using the nsxt_lb_pool and creating a member group with a nsxt_ns_group dynamic member, the default for max_ip_list_size is getting set as zero instead of getting set as an empty value. We ran a few tests and verified this test matrix:

Given max_ip_list_size is empty or zero in NSX-T   
   When max_ip_list_size property is missing
       Then terraform plan detects no changes
   When max_ip_list_size property is set to zero
       Then terraform plan detects no changes
   When max_ip_list_size property is set greater than zero
       Then terraform plan detects changes and sets the value

Given max_ip_list_size is set with a value greater than zero in NSX-T
   When max_ip_list_size property is missing
      Then terraform plan detects changes and sets the value to zero
   When max_ip_list_size property is zero
      Then terraform plan detects changes and sets the value to zero
   When max_ip_list_size property is greater than zero
      If the max_ip_list_size property value equals the existing value
         Then terraform plan detects no changes
      If the max_ip_list_size property value does not equal the existing vlaue
         Then terraform plan detects changes

We expect this to behave like the api, when the property in the api is unset NSX-T will set the value to empty. Instead, it appears that terraform is setting it to the default value for an integer which is zero.

Firewall section always modifies even when no changes are made - Services and AppliedTo

Somewhat similar to #107, this also occurs when multiple services are specified in a rule.

And to make sure that nothing is left out, the other field that can return multiple entries is the Applied To field of a rule.

Found the issue while using version 1.1.0 of the NSX-T Provider.

Error during DhcpProfile create: Status: 400 Bad Request, Body: Bad Request This combination of host and port requires TLS.

I have a NSX Manager and 1 nsx edge services gateway managed through Vcenter.
I have tested the nsx manager api for edge services and its returning me the right values.

Get api/4.0/edges

My module is as below:

provider "nsxt" {
host = var.nsxt_manager
username = var.nsxt_username
password = var.nsxt_password
allow_unverified_ssl = true
max_retries = 10
retry_min_delay = 500
retry_max_delay = 5000
retry_on_status_codes = [429, 400]
}

#data "nsxt_edge_cluster" "edge_cluster1" {

display_name = "edge-1"

resource "nsxt_dhcp_server_profile" "prf" {
description = "dhcp_profile provisioned by Terraform"
display_name = "dhcp_profile"
edge_cluster_id = "domain-c7"
edge_cluster_member_indexes = [0]
tag {
scope = "env"
tag = "admin"
}
}

resource "nsxt_logical_dhcp_server" "logical_dhcp_server" {
display_name = "logical_dhcp_server"
dhcp_profile_id = "${nsxt_dhcp_server_profile.prf.id}"
dhcp_server_ip = "10.70.10.2/24"
gateway_ip = "10.70.10.253"
}

resource "nsxt_dhcp_server_ip_pool" "public_ip_pool" {
display_name = "ip pool"
description = "ip pool"
logical_dhcp_server_id = "${nsxt_logical_dhcp_server.logical_dhcp_server.id}"
gateway_ip = "10.70.10.253"
lease_time = 86400
error_threshold = 98
warning_threshold = 70

ip_range {
start = "10.70.10.1"
end = "10.70.10.252"
}

tag {
scope = "env"
tag = "admin"
}

}

can you let me know if this provider works on the above setup

Please release a current version of the NSX-T provider

Hello esteemed maintainers,

Could you please release a current version of the NSX-T provider? We would like to take advantage of the as-yet unreleased load balancer features. Thanks!

"applied to" doesn't work for DFW rule

When adding rules which have "applied to" defined (in my case, applied to logical swithc) , it won't implemented in NSX although the terraform suggest the change and no error during the implementation.

_nsxt_firewall_section.terraform: Modifying... (ID: 68faeb0e-616b-4de1-80f5-7e1119314dbc)
rule.0.applied_to.#: "0" => "1"
rule.0.applied_to.0.target_id: "" => "62fab32d-809c-4ce7-aaa6-831dc31a3544"
rule.0.applied_to.0.target_type: "" => "LogicalSwitch"
2018-09-20T23:53:25.401+1000 [DEBUG] plugin.terraform-provider-nsxt_v1.0.0_x4: 2018/09/20 23:53:25 [DEBUG] NSX version 2.2.0.0.0.8680778
nsxt_firewall_section.terraform: Modifications complete after 1s (ID: 68faeb0e-616b-4de1-80f5-7e1119314dbc)
2018/09/20 23:53:25 [DEBUG] plugin: waiting for all plugin processes to complete...

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Outputs:

edge-cluster-deployment_type = VIRTUAL_MACHINE
edge-cluster-id = 78c9b238-c188-4b5f-9195-6b338826ce98
2018-09-20T23:53:25.582+1000 [DEBUG] plugin: plugin process exited: path=/root/terraform/.terraform/plugins/linux_amd64/terraform-provider-nsxt_v1.0.0_x4_
[root@networkauto terraform]#

Re-run again: terraform apply.

see the same

_provider.nsxt - *terraform.NodeApplyableProvider
2018/09/20 23:55:14 [TRACE] Graph after step *terraform.PruneProviderTransformer:

nsxt_firew
nsxt_firewall_section.terraform: Modifying... (ID: 68faeb0e-616b-4de1-80f5-7e1119314dbc)
rule.0.applied_to.#: "0" => "1"
rule.0.applied_to.0.target_id: "" => "62fab32d-809c-4ce7-aaa6-831dc31a3544"
rule.0.applied_to.0.target_type: "" => "LogicalSwitch"
2018-09-20T23:55:15.100+1000 [DEBUG] plugin.terraform-provider-nsxt_v1.0.0_x4: 2018/09/20 23:55:15 [DEBUG] NSX version 2.2.0.0.0.8680778
nsxt_firewall_section.terraform: Modifications complete after 0s (ID: 68faeb0e-616b-4de1-80f5-7e1119314dbc)
2018/09/20 23:55:15 [DEBUG] plugin: waiting for all plugin processes to complete...

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Outputs:

edge-cluster-deployment_type = VIRTUAL_MACHINE
edge-cluster-id = 78c9b238-c188-4b5f-9195-6b338826ce98
2018-09-20T23:55:15.286+1000 [DEBUG] plugin: plugin process exited: path=/root/terraform/.terraform/plugins/linux_amd64/terraform-provider-nsxt_v1.0.0_x4
[root@networkauto terraform]#_

Resource nsxt_ns_group support for IPSet membership_criteria

We are trying to create ns groups's based on membership criteria of tags assigned to virtual machines and tags assigned to IPSets.

This resource currently does not support IPSets as membership criteria however the GUI does.

Error: expected membership_criteria.0.target_type to be one of [LogicalPort LogicalSwitch VirtualMachine], got IPSet

Running NSX-T Data Center 2.4.2

Add support for "Advertise All LB VIP Routes" on T1 routers

I noticed today while troubleshooting a newly recreated (with terraform) T1 router that has a loadbalancer on it that the "Advertise All LB VIP Routes" toggle is not set in the UI. I came to notice that this doesn't seem possible to set in the nsxt_logical_tier1_router object so it must be manually toggled after the terraform configuration is implemented. It would be great if there could be an option for enabling this (similar to advertise_static_routes, for example).

Ability to create NAT rules on the T0 router

Need the ability to create NAT rules on the T0 router, not just the T1.

API rate limit reached

Got the following error. I understand we can raise the limit on the nsx manager, but would think a rate limit on the nsxt provider would be beneficial.

Any thought or work along that line? Or raising the limit on the server is the only available choice?

* restapi_object.infrastructure-outbound: restapi_object.infrastructure-outbound: Unexpected response code '429': { "module_name" : "common-services", "error_message" : "Client 'admin' exceeded request rate of 100 per second", "error_code" : "102" }

Thanks
Yansheng

Unknown token path in nsxt-policy-support branch

This module is using nsxt-policy-support branch to use policy API.

My module

data "nsxt_policy_edge_cluster" "EC_01" {
  display_name = "Cluster-01"
}

data "nsxt_policy_tier0_gateway" "T0_01" {
  display_name = "T0-Gateway-01"
}

resource "nsxt_policy_tier1_gateway" "T1_01" {
  description               = "T1 description"
  display_name              = "T1-Gateway-01"
  edge_cluster_path         = data.nsxt_policy_edge_cluster.EC_01.path
  failover_mode             = "NON_PREEMPTIVE"
  default_rule_logging      = "false"
  enable_firewall           = "true"
  enable_standby_relocation = "false"
  force_whitelisting        = "true"
  tier0_path                = data.nsxt_policy_tier0_gateway.T0_01.path
  route_advertisement_types = ["TIER1_STATIC_ROUTES", "TIER1_CONNECTED"]

  tag {
    scope = "${local.nsx_tag_scope}"
    tag   = "${local.nsx_tag}"
  }
}

The problem

Unknown token: 4:31 IDENT data.nsxt_policy_edge_cluster.EC_01.path

It seems that it cannot resolve path from edge_cluster, it also happens to path in tier0 gateway. On tier0 gateway it also failed to resolve attribute edge_cluster_path.

I follow manual installation as stated here https://github.com/terraform-providers/terraform-provider-nsxt/tree/nsxt-policy-support#manual-installation

Support for Installation Workflows

Is there any future considerations being given to expanding this provider to actually lay down the Manager, Controllers, and Edges or would the expectation be to use the vSphere provider?

If the latter, where would the logic go to connect the controllers and edges to the manager?

Thanks.

Dynamic routing configuration

Is there any plan for providing support for BGP configuration on T0 ?

Diff Mismatch in firewall section when removing a rule

Opening this issue here as a reference point. The issue is NOT observed with terraform v0.12 and will be closed when the module is pumped up to v0.12.

The issue can be seen in test TestAccResourceNsxtFirewallSection_ordered when ip_protocol is set to non-default value (f.e. "IPV4").

=== RUN   TestAccResourceNsxtFirewallSection_ordered
--- FAIL: TestAccResourceNsxtFirewallSection_ordered (12.96s)
    testing.go:538: Step 1 error: Error applying: 1 error occurred:
                * nsxt_firewall_section.test2: nsxt_firewall_section.test2: diffs didn't match during apply. This is a bug with Terraform and should be reported as a GitHub Issue.

        Please include the following information in your report:

            Terraform Version: 0.11.14
            Resource ID: nsxt_firewall_section.test2
            Mismatch reason: attribute mismatch: rule.0.ip_protocol
            Diff One (usually from plan): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"display_name":*terraform.ResourceAttrDiff{Old:"s2", New:"s2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "insert_before":*terraform.ResourceAttrDiff{Old:"8bf3a34f-ac3c-46b2-9b2f-2800c4b1eff6", New:"${nsxt_firewall_section.test1.id}", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "is_default":*terraform.ResourceAttrDiff{Old:"false", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "revision":*terraform.ResourceAttrDiff{Old:"0", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "rule.#":*terraform.ResourceAttrDiff{Old:"1", New:"0", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "rule.0.action":*terraform.ResourceAttrDiff{Old:"ALLOW", New:"", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "rule.0.direction":*terraform.ResourceAttrDiff{Old:"IN", New:"", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "rule.0.display_name":*terraform.ResourceAttrDiff{Old:"test", New:"", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "rule.0.ip_protocol":*terraform.ResourceAttrDiff{Old:"IPV4", New:"IPV4_IPV6", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "rule.0.logged":*terraform.ResourceAttrDiff{Old:"true", New:"false", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "section_type":*terraform.ResourceAttrDiff{Old:"LAYER3", New:"LAYER3", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "stateful":*terraform.ResourceAttrDiff{Old:"true", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}
            Diff Two (usually from apply): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"display_name":*terraform.ResourceAttrDiff{Old:"", New:"s2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "insert_before":*terraform.ResourceAttrDiff{Old:"", New:"9f3e1070-be1c-4b21-bf52-82132b2f93a8", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "is_default":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "revision":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "section_type":*terraform.ResourceAttrDiff{Old:"", New:"LAYER3", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "stateful":*terraform.ResourceAttrDiff{Old:"", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}

Firewall Section insert_before bottom_line

Please clarify in the documentation where "bottom_line" comes from in the insert_before rule and if there are any other special rule ID's that can be used.

Create uplink router port for t0 router

I'm having a hard time to find the right resource to create an UPLINK router port for t0 router. All I see is centralized nsxt_logical_router_centralized_service_port and downlink nsxt_logical_router_downlink_port

How do I create the uplink port?

Datasource for NSGroup

Required for auto creation of FW sections and applying a specific NSGROUP on applied to.

Support for terraform cli 0.12.0

Is there any plans for providing support for terraform cli 0.12.0?

I ran into the issue, where brew installed terraform version 0.12.0, and my terraform init started to fail.

Upon scanning the release notes from hashicorp, I ran into this https://www.hashicorp.com/blog/releasing-terraform-0-12-0-rc1#provider-compatibility

and NSX-T is not available as a provider there.

README.md license link broken

Existing link: https://github.com/vmware/terraform-provider-nsxt/blob/master/LICENSE.txt
Correct link: https://github.com/terraform-providers/terraform-provider-nsxt/blob/master/LICENSE.txt

Manage VMware NSX-T infrastucture from behind proxy.

I am trying to manage VMware NSX-T infrastructure from a system that allows outbound http/https connections using a proxy server. This fails with the following error

error(s) occurred:* provider.nsxt: Failed to create session: Post https://xxx/api/session/create: dial tcp xxx:443: getsockopt: no route to host.

It looks like the https://github.com/terraform-providers/terraform-provider-nsxt/blob/master/vendor/github.com/vmware/go-vmware-nsxt/api_client.go#L180 is missing Proxy: http.ProxyFromEnvironment. I am able to get it to work after I change the code to

transport := &http.Transport{Proxy: http.ProxyFromEnvironment,TLSClientConfig: tlsConfig}

Importing a Firewall section shows applied_to = LogicalRouter

As written in title I have imported a firewall section by id. It is an edge firewall on a T0
From my tfstate:

 "nsxt_firewall_section.section_prod": {
                    "type": "nsxt_firewall_section",
                    "depends_on": [],
                    "primary": {
                        "id": "ewadwadwa",
                        "attributes": {
                            "applied_to.#": "1",
                            "applied_to.903722171.is_valid": "true",
                            "applied_to.903722171.target_display_name": "my_to",
                            "applied_to.903722171.target_id": "dwadwadwad",
                            "applied_to.903722171.target_type": "LogicalRouter",
                            "description": "",
                            "display_name": "Infrastructure",
                            "id": "dwadwadwadwad",
                            "is_default": "false",
                            "revision": "2", [...]

But as written in docs, target_type LogicalRouter does not seem supported, so if in my resource I do write

resource "nsxt_firewall_section" "section_prod" {
    section_type = "LAYER3"
    stateful = "true"
    applied_to = {
        target_id = "dwadwadwad",
        target_type = "LogicalRouter"
    }
}

it fails and tells me LogicalRouter is not supported. Am I missing something?

Curl'ing the API /firewall/sections it mixes DFW and EFW rules, so I would assume EFW could be created using the same framework.

EDIT: I was able to make it work by adding LogicalRouter to the array at https://github.com/terraform-providers/terraform-provider-nsxt/blob/master/nsxt/resource_nsxt_firewall_section.go#L103 - the API behind is the same so it's only a matter of internal validation.

After "terraform apply" it will try and update logical switches "replication_mode" => MTEP

Terraform will perform the following actions:

~ nsxt_logical_switch.T0_UPLINK_VLAN_LS
replication_mode: "" => "MTEP"

If you submit another terraform apply it will try an update the LS with the replication mode again if nothing in the template has changed.

Question: how do I attach a VM to an existing NSX-T logical switch

Hello,

I probably missed something in the provider documentation, but how do I attach a VM on an existing NST-T logical switch / segment ? logical switch are only resources in the provider, not data.
So far NSX-T provider is great for configuring deploying NSX-T, but now I need it as data for provisioning VMs. Is it part of the roadmap ?

Thanks.

Data Source - Port

Ability to pull port data source from NSX-T using filters

Terraform crash while creating logical port

Terraform Version
Terraform v0.11.7

Provider Version

├── provider.nsxt 1.0.0
└── provider.vsphere 1.3.3
go version go1.9.2 linux/amd64

stack@no:~/go/bin$ terraform providers

Affected Resource(s)
Please list the resources as a list, for example:
nsxt_logical_port

Terraform Configuration Files
Debug Output
:

nsxt_logical_port.LP1.69: unexpected EOF
2018/05/17 08:48:18 [TRACE] [walkApply] Exiting eval tree: nsxt_logical_port.LP1[69]
2018/05/17 08:48:18 [TRACE] root: eval: *terraform.EvalApplyPost
2018/05/17 08:48:18 [ERROR] root: eval: *terraform.EvalApplyPost, err: 1 error(s) occurred:
Panic Output
https://gist.github.com/ashishg29/9af88f467dd3c13b866a11bba3f0c529

Expected Behavior
What should have happened?
Proper reason for the crash should be provided for the user to debug the issue.
And during plan itself the check should be added.

Actual Behavior
What actually happened?
The template work in past multiple time but suddenly if fails with terraform crash error and this issue is not always seen.

Steps to Reproduce
Attaching the main.tf
https://gist.github.com/ashishg29/9af88f467dd3c13b866a11bba3f0c529
Please list the steps required to reproduce the issue, for example:
1.
./terraform apply -parallelism=100

Update installation section of the README

The installation section was written for manual install of the provider. It now automatically installs using "terraform init". This section of the documentation needs to be updated to reflect the fact that the provider is now part of the Terraform ecosystem.

Creation and Modification of Switching Profiles

create / delete switching profiles along with map them to a LS
Ability to modify the settings in the profile,

Thanks

After "terraform apply" it will try and update the "failover_mode "" => PREEMPTIVE on T1 routers

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
~ update in-place

Terraform will perform the following actions:

~ nsxt_logical_tier1_router.T1-K8S
failover_mode: "" => "PREEMPTIVE"

~ nsxt_logical_tier1_router.T1-MGMT
failover_mode: "" => "PREEMPTIVE"

If you submit another terraform apply it will try an update the T1 routers again even if nothing has changed.

access_log_enabled property on nsxt_lb_tcp_virtual_server causes failures

It seems no matter what values I plug in, the system always kicks back an error about access_log_enabled property being set, but not expected by the API.

* nsxt_lb_tcp_virtual_server.test-vserver: Error during LbVirtualServer create: Status: 400 , Body: {
  "httpStatus" : "BAD_REQUEST",
  "error_code" : 287,
  "module_name" : "common-services",
  "error_message" : "Json de-serialization error: property access_log_enabled is unrecognized."
}

Indeed, when browsing the swagger spec for NSX-T API, this property didn't get added until 2.2 (I'm using 2.1). Is it intended for this provider to be only 2.2+ compatible?

Change pre-created object tags

Is there any way to change pre-created NSX-T object tag via TF ?

New release of nsxt provider

Hi,

is it possible to create a new release of the NSXT Terraform provider as we need those three changes #190, #191 and #196.

Regards,
Andreas

/cc @MartinWeindel @mandelsoft

Support NSX Load Balancer

A feature request to support the NSX load balancing feature.

Tier0 Router HA VIP Configuration

Please provide a resource object to configure HA VIP for T0 Router. On GUI, it could be done via
Advanced Networking & Security > Router > T0 Router Name > Configuration > HA VIP

DNS Forwarder/Zones Support

When will the DNS forwarder and DNS zone be supported?

Thanks.

Add a lb_service_id option in nsxt_lb_{http|tcp|udp}_virtual_server

Can we add lb_service_id optional parameter in nsxt_lb_{http|tcp|udp}_virtual_server, so we can attach virtual servers to existing LBS?

Support for DHCP Server

A feature request to support the NSX DHCP server platform feature.

Add data_source_nsxt_logical_tier1_router

Add ability to pull data for logical t1 router

DHCP server IP pools feature not present.

Terraform Version and vSphere Provider Version

vmware@rallyrunner:~/go/bin$ ./terraform version
Terraform v0.11.8

provider.nsxt (unversioned)
provider.vsphere v1.8.1

type=feature
Affected Resource(s) - nsxt_logical_dhcp_server

While adding DHCP server/update the DHCP server, there is no way to add ip pool for the DHCP service. Currently we need to add ip pool manually to the dhcp server, for client vm to get fixed ip.

The NSX api that we will need to support is POST /api/v1/dhcp/servers/ /ip-pools

Support for NSX IPAM

Support for IPAM objects such as block and subnet.

[PROPOSAL] Switch to Go Modules

As part of the preparation for Terraform v0.12, we would like to migrate all providers to use Go Modules. We plan to continue checking dependencies into vendor/ to remain compatible with existing tooling/CI for a period of time, however go modules will be used for management. Go Modules is the official solution for the go programming language, we understand some providers might not want this change yet, however we encourage providers to begin looking towards the switch as this is how we will be managing all Go projects in the future. Would maintainers please react with 👍 for support, or 👎 if you wish to have this provider omitted from the first wave of pull requests. If your provider is in support, we would ask that you avoid merging any pull requests that mutate the dependencies while the Go Modules PR is open (in fact a total codefreeze would be even more helpful), otherwise we will need to close that PR and re-run go mod init. Once merged, dependencies can be added or updated as follows:

$ GO111MODULE=on go get github.com/some/module@master
$ GO111MODULE=on go mod tidy
$ GO111MODULE=on go mod vendor

GO111MODULE=on might be unnecessary depending on your environment, this example will fetch a module @ master and record it in your project's go.mod and go.sum files. It's a good idea to tidy up afterward and then copy the dependencies into vendor/. To remove dependencies from your project, simply remove all usage from your codebase and run:

$ GO111MODULE=on go mody tidy
$ GO111MODULE=on go mod vendor

Thank you sincerely for all your time, contributions, and cooperation!

The ability to specify a VLAN LS with VLAN ID: 0

1 error(s) occurred:

nsxt_logical_switch.T0_UPLINK_VLAN_LS: 1 error(s) occurred:
nsxt_logical_switch.T0_UPLINK_VLAN_LS: Error during LogicalSwitch create: Status: 400 , Body: {
"httpStatus" : "BAD_REQUEST",
"error_code" : 8318,
"module_name" : "NsxSwitching service",
"error_message" : "The VLAN field must be specified in the logical switch configuration for logical switches in the VLAN Transport Zone."
}

ICMP Service errors and configuration issues

When trying to create various ICMP services where no icmp_code is provided, the terraform provider is automatically submitting an icmp_code of 0 when creating the service. The end result is a service created that is not the one which was intended to be created.

Here are some examples:

Intended configuration = Destination unreachable
Realised configuration = Destination network unreachable

resource "nsxt_icmp_type_ns_service" "B012" {
  display_name = "ICMP - Destination unreachable"
  protocol     = "ICMPv4"
  icmp_type    = "3"
}

Intended configuration = Parameter Problem: Bad IP header
Realised configuration = pointer indicates the error

resource "nsxt_icmp_type_ns_service" "B029" {
  display_name = "ICMP - Parameter Problem: Bad IP header"
  protocol     = "ICMPv4"
  icmp_type    = "12"
}

Intended configuration = Redirect Message
Realised configuration = Redirect Datagram for the Network

resource "nsxt_icmp_type_ns_service" "B036" {
  display_name = "ICMP - Redirect Message"
  protocol     = "ICMPv4"
  icmp_type    = "5"
}

Intended configuration = Time Exceeded
Realised configuration = TTL expired in transit

resource "nsxt_icmp_type_ns_service" "B042" {
  display_name = "ICMP - Time Exceeded"
  protocol     = "ICMPv4"
  icmp_type    = "11"
}

When trying to create a service which does not contain a icmp_type or icmp_code, an error is returned as the Terraform provider is submitting a icmp_code of 0 in the backend, when both the icmp_type and icmp_code should be omitted.

resource "nsxt_icmp_type_ns_service" "B001" {
  display_name = "ICMP - All"
  protocol     = "ICMPv4"
}

Error message received

* nsxt_icmp_type_ns_service.B001: Error during NsService create: Status: 400 , Body: {
   "httpStatus" : "BAD_REQUEST",
   "error_code" : 25323,
   "module_name" : "grouping-objects service",
   "error_message" : "Invalid ICMP type, code combination. Type is mandatory, if code is specified."
 }

When trying to create a service for echo-reply, which requires both icmp_type and icmp_code to be set to 0, an error is received.

resource "nsxt_icmp_type_ns_service" "B013" {
  display_name = "ICMP - Echo reply"
  protocol     = "ICMPv4"
  icmp_type    = "0"
  icmp_code    = "0"
}

Error message received_

* nsxt_icmp_type_ns_service.B013: Error during NsService create: Status: 400 , Body: {
  "httpStatus" : "BAD_REQUEST",
  "error_code" : 25323,
  "module_name" : "grouping-objects service",
  "error_message" : "Invalid ICMP type, code combination. Type is mandatory, if code is specified."
}

vmware / terraform-provider-nsxt Goto Github PK

terraform-provider-nsxt's Introduction

Terraform NSX-T Provider

Using the Provider

Full Provider Documentation

Controlling the provider version

Automated Installation (Recommended)

Manual Installation

Cloning the Project

Building and Installing the Provider

Developing the Provider

Testing the Provider

Configuring Environment Variables

Running the Acceptance Tests

Interoperability

Support

License

terraform-provider-nsxt's People

Contributors

Stargazers

Watchers

Forkers

terraform-provider-nsxt's Issues

The Module

The problem

Expected behavior

Observed behavior

Steps to reproduce

My module is as below:

display_name = "edge-1"

My module

The problem

Recommend Projects

Recommend Topics

Recommend Org