Separate security policy and rule #1056
Conversation
GraysonWu
force-pushed
the
separate-rule
branch
2 times, most recently
from
eaeba4e to
149dc4e
Compare
|
/test-all |
GraysonWu
force-pushed
the
separate-rule
branch
from
4092157 to
d5d79a1
Compare
GraysonWu
changed the title
GraysonWu
force-pushed
the
separate-rule
branch
from
d5d79a1 to
d509e97
Compare
|
Hi @GraysonWu, I don't see a use case for rule data source - can you suggest where it might be needed? |
I think it might be related to Issue 1043 #1043 |
| } | ||
|
|
||
| func resourceNsxtPolicySecurityPolicyNoRuleCreate(d *schema.ResourceData, m interface{}) error { | ||
| connector := getPolicyConnector(m) |
There was a problem hiding this comment.
would it make sense to parametrize the CRUD to functions to either include or exclude the rule, in order to reuse the common code with the other policy resource?
There was a problem hiding this comment.
It could make sense but I think it might deserve a separate PR to do so, including switch from using H-API to using security policy API for nsxt_policy_security_policy
There was a problem hiding this comment.
I just noticed that securityPolicy's API couldn't delete rules. So to let parent_security_policy and security_policy share the common code I changed to use H-API for the parent_security_policy with the latest commit. It will make more sense to conduct in this PR instead of another one.
And, as for the other policy resource, did you mean gateway_policy and predefined_security_poilcy as well? From my understanding, predefined_security_policy has a different schema than security_policy. And gateway_policy, although sharing most of the schema, is a different model. I'm not sure merging those two resources could share much common code. Seems making them self-contained is a better option.
Glad to hear your thoughts!
There was a problem hiding this comment.
Could you please clarify what you mean by lack of support for deleting rules from the API - I see this in the SDK.
Regardless, follow up PR for optimizing's the code is fine by me!
There was a problem hiding this comment.
Sorry for the confusion.
I mean I couldn't use the security policy client to delete the rule belonging to it. If we use the SDK for Rule to manage security_policy, not the parent one, we have to make several additional API calls for the rules, instead of one API call as H-API does. I'm a little bit concerned about the performance.
There was a problem hiding this comment.
I think when you fire the DELETE api call for the policy, all of its rules will be deleted - no need to delete them beforehand. What that your concern?
There was a problem hiding this comment.
I mean for example, there is a policy that has 200 rules and we want to delete 100 rules.
nsxt/provider.go
Outdated
| @@ -437,6 +438,8 @@ func Provider() *schema.Provider { | |||
| "nsxt_edge_high_availability_profile": resourceNsxtEdgeHighAvailabilityProfile(), | |||
| "nsxt_policy_host_transport_node_collection": resourceNsxtPolicyHostTransportNodeCollection(), | |||
| "nsxt_policy_lb_client_ssl_profile": resourceNsxtPolicyLBClientSslProfile(), | |||
| "nsxt_policy_security_policy_rule": resourceNsxtPolicySecurityPolicyRule(), | |||
| "nsxt_policy_security_policy_no_rule": resourceNsxtPolicySecurityPolicyNoRule(), | |||
There was a problem hiding this comment.
I feel that nsxt_policy_security_policy_no_rule is confusing, especially next to nsxt_policy_security_policy_rule.
I don't have a much better option, but lets not give up on better naming yet :)
nsxt_policy_empty_security_policy? nsxt_policy_parent_security_policy?
There is also an option to remove the first policy part, since non-policy resources are deprecated by now.
This would result in nsxt_security_policy and nsxt_security_policy_rule.
There was a problem hiding this comment.
Changed to nsxt_policy_parent_security_policy. Ideas are welcome!
|
@GraysonWu, you must sign every commit in this pull request acknowledging our Developer Certificate of Origin before your changes are merged. This can be done by adding
|
GraysonWu
force-pushed
the
separate-rule
branch
from
ece03e4 to
06b0971
Compare
|
/test-all |
GraysonWu
force-pushed
the
separate-rule
branch
from
06b0971 to
abfa16b
Compare
Not for now. As @2ez4szliu said, a data source might be needed for issue #1043. Considering a resource should be enough, let me remove it. |
|
/test-all |
1 similar comment
|
/test-all |
GraysonWu
force-pushed
the
separate-rule
branch
from
bec655f to
3615a63
Compare
|
/test-all |
GraysonWu
force-pushed
the
separate-rule
branch
from
3615a63 to
868fc02
Compare
|
/test-all |
GraysonWu
force-pushed
the
separate-rule
branch
from
868fc02 to
6112704
Compare
|
/test-all |
GraysonWu
force-pushed
the
separate-rule
branch
from
6112704 to
ef0198a
Compare
|
/test-all |
GraysonWu
force-pushed
the
separate-rule
branch
from
ef0198a to
512e168
Compare
|
/test-all |
1 similar comment
|
/test-all |
Signed-off-by: graysonwu <[email protected]>
Signed-off-by: graysonwu <[email protected]>
GraysonWu
force-pushed
the
separate-rule
branch
from
512e168 to
1849704
Compare
|
/test-all |
|
Hello @GraysonWu , @annakhm Why is nsxt_policy_security_policy_rule still appears as a beta resource in the latest release (3.5) documentation ? I tried CRUD operations on it, it works wonders. |
|
Hello @Nacymus, glad to hear it works for you! We also feel good about the quality of this resource, but haven't run the full set of tests on it yet. We expect to promote this from beta on next release. |
Fixes #777
Fixes #1043