Updating a firewall section resets hit count statistics

[rokett]

The hit count statistics on each rule within a firewall policy whenever any of the following happens:

1. An existing rule within the firewall policy is changed.
2. A new rule is added to the firewall policy.
3. A rule is removed from the firewall policy.

I have verified that, when doing any of these actions within the NSX Manager GUI, the stats remain. It is only when making changes via Terraform that the stats get reset.

Maybe this is an unavoidable consequence of making changes via the API? The comment at

terraform-provider-nsxt/nsxt/resource_nsxt_policy_security_policy.go

Line 226 in 7a8bc99

// We need to use PUT, because PATCH will not replace the whole rule list

suggested that the whole firewall section got replaced, which aligns with the NSX-T API docs (we're using v2.5.1 currently) where a PUT replaced all of the rules. Saying that, PATCH also references a full replace, but with slightly different wording. I'm guessing a PUT is used due to the underlying way that Terraform works though.

We work around this problem at the moment by pulling out the rule stats in our CI pipeline before we apply changes, but it would be great if it was fixable so we didn't need to do that.

Any thoughts?

[annakhm]

Thanks @rokett for this observation. We're considering rewriting the resource with Hierarchical API, which would fix this problem. This issue would be another argument for doing this.

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[annakhm]

Reopening this - fix is in the making.