VMware Networking Community
future2000
Enthusiast

NSX-T DFW Policy Section Ordering using Ansible

Hi,

Has anyone had any experience ordering policy sections using the VMware Ansible NSX-T

https://github.com/vmware/ansible-for-nsxt

I'm using the nsxt_policy_security_policy.py module to process JSON payloads and create rules in sections. This is all working pretty well. The problem I'm having is that Policy sections cannot be ordered with the sequence_number definition. Whatever I put in the sequence_number section is ignored and the sections appear in an order which is not defined in my JSON. Pulling back the sections from the REST API shows the sequence number for each policy section as 0. If I manually order these in the NSX-T Web UI and then pull them back from the REST API, the sequence numbers are defined with a number reflecting the order.

It appears as if the sequence, which is described as follows:-

sequence_number:
    description: Sequence number to resolve conflicts across Domains
    type: int

Does not appear to order the rule sections. Perhaps this is not intended to do this?

In the rules subsection, the sequence number is described as follows...

sequence_number:
    description: Sequence number of the this Rule
    type: int

When I use this it does appear to order rules.

Bectato
Contributor

Once it is created, can you then modify the sequence number?

It could be a creation thing.

future2000
Enthusiast

It is created from the JSON payload. When running the playbook again, after the items were created previously, the order is not changed at all unfortunately. This is in complete contradiction to the rules themselves which are ordered as per the code and are changed when they already exist and are modified via the code.

I'm thinking that sequence_number is not the same for policy sections as it is for rules. In which case there is no mechanism to change the policy section order themselves. Other than by using rest_direct.

Having said that I just sent a definition for a service to the REST API with postman and I am able to order sections by changing this field in the JSON body?!

This is sent to infra/domains/default/security-policies/policy_name and cannot include the domain-id (default) obviously as this is in the URI. Hmmm.

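The check and workaround discussed in this thread, as an added example that is not part of the original posts and is not code from ansible-for-nsxt: it flags policy sections whose order is not pinned down because they share a sequence_number, then builds the direct REST requests that would set an explicit order. The policy ids, the `category` grouping, the `/policy/api/v1` prefix, the PATCH method and the step of 10 are assumptions; the list response is constructed sample data.

```python
import copy
import json

# Relative path quoted in the thread; the /policy/api/v1 prefix is an assumption.
BASE = "/policy/api/v1/infra/domains/default/security-policies"

# Constructed list response: every sequence_number is 0, as described in the thread.
SAMPLE = json.loads("""
{"results": [
  {"id": "app-web",   "category": "Application",    "sequence_number": 0},
  {"id": "infra-dns", "category": "Infrastructure", "sequence_number": 0},
  {"id": "app-db",    "category": "Application",    "sequence_number": 0},
  {"id": "app-deny",  "category": "Application",    "sequence_number": 0}
]}
""")["results"]


def ambiguous_groups(policies):
    """Map (category, sequence_number) -> ids for values shared by 2+ policies.

    Grouping by category assumes sections are ordered within their category.
    """
    groups = {}
    for p in policies:
        key = (p.get("category"), p.get("sequence_number", 0))
        groups.setdefault(key, []).append(p["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def plan_reorder(policies, desired_order, step=10):
    """Return (method, path, body) tuples that pin desired_order.

    Each body is the policy's current definition with only sequence_number
    changed, mirroring the manual REST call in the thread. PATCH is an
    assumption. Policies already at their target value are skipped.
    """
    by_id = {p["id"]: p for p in policies}
    unknown = [pid for pid in desired_order if pid not in by_id]
    if unknown:
        raise KeyError(f"policy ids not in the list response: {unknown}")
    plan = []
    for position, pid in enumerate(desired_order, start=1):
        target = position * step
        if by_id[pid].get("sequence_number") != target:
            body = copy.deepcopy(by_id[pid])
            body["sequence_number"] = target
            plan.append(("PATCH", f"{BASE}/{pid}", body))
    return plan
```

Running `ambiguous_groups` on the list response after each playbook run shows whether the sections have fallen back to a shared value, which is the point at which allow and deny sections no longer have a defined precedence.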