
Unable to stitch NLB and FW with aci_l4_l7_service_graph_template and aci_function_node resources #1130

Closed
marinalf opened this issue Nov 19, 2023 · 0 comments · Fixed by #1144


marinalf commented Nov 19, 2023

Description

I am encountering a few issues with the resources below:

  1. The Network Load Balancer gets created, but I am unable to set a static IP (documented in issue "Ability to set static ip under aci_cloud_l4_l7_native_load_balancer resource" #1129).
  2. The 1st function node does not give the option to set "Redirect" on the consumer and provider connector types. Redirect is only available for the routing_mode attribute.
  3. When adding the 2nd function node for the FW, there are no errors during apply, but the GUI does not get configured.

Please kindly advise if I am missing something or if this is not expected. Thank you.

Version

  • Version 26.0(2h) - Azure
  • Terraform Provider: 2.12.2

Affected Resource(s)

  • aci_l4_l7_service_graph_template
  • aci_function_node

Terraform Configuration Files

# Create Logical Firewall Representation (3rd party example)

resource "aci_cloud_l4_l7_third_party_device" "pa_fw" {
  tenant_dn                     = data.aci_tenant.infra_tenant.id
  name                          = var.fw_name
  relation_cloud_rs_ldev_to_ctx = data.aci_vrf.services_vrf.id

  interface_selectors {
    allow_all = "yes"
    name      = "trust"
    end_point_selectors {
      match_expression = "custom:internal=='trust'"
      name             = "trust"
    }
  }
  interface_selectors {
    allow_all = "yes"
    name      = "untrust"
    end_point_selectors {
      match_expression = "custom:external=='untrust'"
      name             = "untrust"
    }
  }
}

# Create Native Network Load Balancer for Firewall

resource "aci_cloud_l4_l7_native_load_balancer" "fw_nlb" {
  tenant_dn                              = data.aci_tenant.infra_tenant.id
  name                                   = var.fw_nlb_name
  relation_cloud_rs_ldev_to_cloud_subnet = [data.aci_cloud_subnet.fw_nlb_subnet.id]
  allow_all                              = "yes"
  is_static_ip                           = "yes" # Refer to https://github.com/CiscoDevNet/terraform-provider-aci/issues/1129
  scheme                                 = "internal"
  cloud_l4l7_load_balancer_type          = "network"
}

# Create Service Graph for FW and NLB

resource "aci_l4_l7_service_graph_template" "fw_sg" {
  tenant_dn                         = data.aci_tenant.tenant1.id
  name                              = var.fw_sg
  l4_l7_service_graph_template_type = "cloud"
}

resource "aci_function_node" "nlb" {
  l4_l7_service_graph_template_dn     = aci_l4_l7_service_graph_template.fw_sg.id
  name                                = "fw-nlb"
  func_template_type                  = "CLOUD_NATIVE_LB"
  routing_mode                        = "Redirect" # No option to set Redirect on consumer and provider connector types
  relation_vns_rs_node_to_cloud_l_dev = aci_cloud_l4_l7_native_load_balancer.fw_nlb.id
}

resource "aci_function_node" "pan_fw" { # does not get configured
  l4_l7_service_graph_template_dn      = aci_l4_l7_service_graph_template.fw_sg.id
  name                                 = "pan-fw"
  func_template_type                   = "FW_ROUTED"
  relation_vns_rs_node_to_cloud_l_dev  = aci_cloud_l4_l7_third_party_device.pa_fw.id
  l4_l7_device_interface_consumer_name = "trust"
  l4_l7_device_interface_provider_name = "untrust"
}

complete code

Debug Output

Logs

References
