nutanix_network_security_policy_v2 : Failed to add a rule on an existing security policy.

[aharlaut]

Nutanix Cluster Information

• Nutanix Cluster (Prism Element / AOS) : 7.3.0.7
• Nutanix Prism Central : pc.7.3.0.6

Terraform Version

Terraform v1.14.2 on windows_amd64
provider registry.terraform.io/nutanix/nutanix v2.3.4

Affected ressources :

• nutanix_network_security_policy_v2

Terraform Configuration Files

terraform {
  required_version = ">= 1.14"

  required_providers {
    nutanix = {
      source  = "nutanix/nutanix"
      version = "2.3.4"
    }
  }
}

variable "nutanix_endpoint" {
  description = "Nutanix Prism Central endpoint (FQDN or IP)"
  type        = string
  sensitive   = true
}

variable "nutanix_username" {
  description = "Nutanix Prism Central username"
  type        = string
  sensitive   = true
}

variable "nutanix_password" {
  description = "Nutanix Prism Central password"
  type        = string
  sensitive   = true
}

variable "nutanix_insecure" {
  description = "Allow insecure TLS connections"
  type        = bool
  default     = true
}

variable "vpc_name" {
  description = "Name of the VPC to scope the security policy to"
  type        = string
  default     = "your-vpc-name"
}


provider "nutanix" {
  username  = var.nutanix_username
  password  = var.nutanix_password
  endpoint  = var.nutanix_endpoint
  insecure  = var.nutanix_insecure
  wait_timeout = 60
}

data "nutanix_vpcs_v2" "vpc" {
  filter = "name eq '${var.vpc_name}'"
}

# Address groups
resource "nutanix_address_groups_v2" "admin_network" {
  name        = "AdminNetwork"
  description = "Administrator network addresses"

  ipv4_addresses {
    value         = "10.0.1.0"
    prefix_length = 24
  }
}

# Categories
# Category for web servers
resource "nutanix_category_v2" "webservers" {
  key         = "AppType"
  value       = "WebServer"
  description = "Web server applications"
}

# Category for database servers
resource "nutanix_category_v2" "database" {
  key         = "AppType"
  value       = "Database"
  description = "Database server applications"
}

# Services groups
# HTTPS service
resource "nutanix_service_groups_v2" "https" {
  name        = "TEST_HTTPS"
  description = "HTTPS traffic"

  tcp_services {
    start_port = "443"
    end_port   = "443"
  }
}

# SSH service
resource "nutanix_service_groups_v2" "ssh" {
  name        = "TEST_SSH"
  description = "SSH traffic"

  tcp_services {
    start_port = "22"
    end_port   = "22"
  }
}

# MySQL service
resource "nutanix_service_groups_v2" "mysql" {
  name        = "TEST_MySQL"
  description = "MySQL database traffic "

  tcp_services {
    start_port = "3306"
    end_port   = "3306"
  }
}

# Security policies

resource "nutanix_network_security_policy_v2" "simple_security_policy" {
  name        = "simple_security_policy"
  description = "Simple security policy "
  type        = "APPLICATION"
  state       = "MONITOR"  

  is_ipv6_traffic_allowed = false
  is_hitlog_enabled       = true

  vpc_reference = [data.nutanix_vpcs_v2.vpc.vpcs[0].ext_id]
  scope         = "VPC_LIST"

  # =========================================================================
  # RULE 1: Allow admins to access web servers via HTTPS
  # =========================================================================
  rules {
    description = "Admin to WebServers HTTPS"
    type        = "APPLICATION"

    spec {
      application_rule_spec {
        # Destination: Web servers (using category)
        secured_group_category_references = [
          nutanix_category_v2.webservers.id
        ]

        # Source: Admin network (using IP address group)
        src_address_group_references = [
          nutanix_address_groups_v2.admin_network.ext_id
        ]

        # Service: HTTPS
        service_group_references = [
          nutanix_service_groups_v2.https.ext_id
        ]
      }
    }
  }

  # =========================================================================
  # RULE 2: Allow web servers to access database via MySQL
  # =========================================================================
  rules {
    description = "WebServers to Database MySQL"
    type        = "APPLICATION"

    spec {
      application_rule_spec {
        # Destination: Database servers (using category)
        secured_group_category_references = [
          nutanix_category_v2.database.id
        ]

        # Source: Web servers (using category)
        src_category_references = [
          nutanix_category_v2.webservers.id
        ]

        # Service: MySQL
        service_group_references = [
          nutanix_service_groups_v2.mysql.ext_id
        ]
      }
    }
  }
  # =========================================================================
  # RULE 3: Allow admin to msqsl 
  # =========================================================================

  # rules {
  #   description = "Admin to MSSQL"
  #   type        = "APPLICATION"

  #   spec {
  #     application_rule_spec {
  #       # Destination: database (using category)
  #       secured_group_category_references = [
  #         nutanix_category_v2.database.id
  #       ]

  #       # Source: admin network (using address group)
  #       src_address_group_references = [
  #         nutanix_address_groups_v2.admin_network.ext_id
  #       ]

  #       # Service: MYSQL
  #       service_group_references = [
  #         nutanix_service_groups_v2.mysql.ext_id
  #       ]
  #     }
  #   }
  # }



  # Intra-Group Rule 1: Deny traffic between webserver categories
  rules {
    description = "Deny intra-group traffic between WebServers"
    type        = "INTRA_GROUP"
    
    spec {
      intra_entity_group_rule_spec {
        secured_group_category_references = [
          nutanix_category_v2.webservers.id
        ]
        secured_group_action = "DENY"
      }
    }
  }
  
  # Intra-Group Rule 2: Deny traffic between database categories
  rules {
    description = "Deny intra-group traffic between database VMs"
    type        = "INTRA_GROUP"
    
    spec {
      intra_entity_group_rule_spec {
        secured_group_category_references = [
         nutanix_category_v2.database.id
        ]
        secured_group_action = "DENY"
      }
    }
  }
}

Debug Output

https://gist.github.com/aharlaut/4261439bc56b8d2b9988c5e03f66af75

Panic Output

Expected Behavior

New rules added on a existing security policy should work.

Actual Behavior

New rules added on a existing security policy is not working.
We have to delete first the security policy (using taint or destroy) and then reapply the security policy

Steps to Reproduce

Error 1 :

1. terraform apply
2. Uncomment the rule 3 on the security policy
3. terraform apply with errors

Error 2 :

1. terraform apply
2. Uncomment the rule 3 on the security policy
3. terraform apply with errors
4. terraform apply without any changes

After a second apply without any modification the apply shows no changes.
The state is updated with 3 rules but the third rule is not configured on nutanix flow.

Please see the gist for more information
https://gist.github.com/aharlaut/4261439bc56b8d2b9988c5e03f66af75

Important Factors

[Haroon-Dweikat-Ntx]

Hi @aharlaut

When adding a new rule to an existing nutanix_network_security_policy_v2 policy, the apply can fail with:

Failed to create microseg.v4.config.IntraEntityGroupRuleSpec rule because spec type provided is application.

Investigation shows this is not a bug in the Nutanix resource logic. The failure comes from how Terraform represents list changes and how the API receives the updated rules.

---

Root Cause

How Terraform Handles List Updates

• The rules attribute is an ordered list of rule blocks.
• Terraform identifies list items by index (position), not by a stable id or by rule content.
• When you add a new rule in the middle of the list (e.g. as the 3rd rule), Terraform does not send a single “insert at position 2” operation. Instead it produces a plan that:
  1. Updates the existing rule at index 2 (and possibly later indices) with new content, and
  2. Adds one new rule at the end of the list.

So Terraform models the change as “replace items at index 2, 3, … and append one,” i.e. an index shift, not a true insert.

What Goes Wrong

• Before: State has 4 rules, for example:
  [APPLICATION, APPLICATION, INTRA_GROUP, INTRA_GROUP]
• Config: You add “Admin to MSSQL” (APPLICATION) as the 3rd rule so the intended order is:
  [APPLICATION, APPLICATION, APPLICATION, INTRA_GROUP, INTRA_GROUP]
• Plan: Because of index-based diffing, the plan becomes:
  • Update rule at index 2: change it from INTRA_GROUP to APPLICATION (“Admin to MSSQL”).
  • Update rule at index 3: change it to the first INTRA_GROUP (previously at index 2).
  • Add rule at index 4: the second INTRA_GROUP.

So the payload sent to the API can have the wrong type (e.g. APPLICATION) in a position where the backend still expects INTRA_GROUP (or the opposite). The API then returns MIC-30104: “Failed to create IntraEntityGroupRuleSpec rule because spec type provided is application.”

So:

• The resource/provider is doing what Terraform’s plan asks (update by index, then add).
• The issue is that Terraform’s “shift index” style of list update leads to a payload that no longer matches the API’s expectation for rule types per position.

---

Correct Way to Add a Rule in Terraform

To avoid this index-shift behavior and keep rule types and order correct:

1. Define the new rule in the right place in the list
   Add the new rules { ... } block in the exact position where you want it (e.g. 3rd rule), so that the full list order in the .tf file is the final order you want.

2. Prefer adding at the end when possible
   If the new rule can be the last rule, add it as the last rules block. Then Terraform will often plan “add one element at the end” instead of updating multiple indices, which is less likely to produce a bad payload.

3. Keep a consistent order
   A common and safe pattern is: all APPLICATION rules first, then all INTRA_GROUP rules. That way, even if the provider or API has ordering assumptions, the Terraform list order matches.

---

Correct Terraform Configuration

terraform {
  required_version = ">= 1.14"

  required_providers {
    nutanix = {
      source  = "nutanix/nutanix"
      version = "2.3.4"
    }
  }
}

variable "nutanix_endpoint" {
  description = "Nutanix Prism Central endpoint (FQDN or IP)"
  type        = string
  sensitive   = true
}

variable "nutanix_username" {
  description = "Nutanix Prism Central username"
  type        = string
  sensitive   = true
}

variable "nutanix_password" {
  description = "Nutanix Prism Central password"
  type        = string
  sensitive   = true
}

variable "nutanix_insecure" {
  description = "Allow insecure TLS connections"
  type        = bool
  default     = true
}

variable "vpc_name" {
  description = "Name of the VPC to scope the security policy to"
  type        = string
  default     = "your-vpc-name"
}


provider "nutanix" {
  username     = var.nutanix_username
  password     = var.nutanix_password
  endpoint     = var.nutanix_endpoint
  insecure     = var.nutanix_insecure
  wait_timeout = 60
}

data "nutanix_vpcs_v2" "vpc" {
  filter = "name eq '${var.vpc_name}'"
}

# Address groups
resource "nutanix_address_groups_v2" "admin_network" {
  name        = "AdminNetwork"
  description = "Administrator network addresses"

  ipv4_addresses {
    value         = "10.0.1.0"
    prefix_length = 24
  }
}

# Categories
# Category for web servers
resource "nutanix_category_v2" "webservers" {
  key         = "AppType"
  value       = "WebServer"
  description = "Web server applications"
}

# Category for database servers
resource "nutanix_category_v2" "database" {
  key         = "AppType"
  value       = "Database"
  description = "Database server applications"
}

# Services groups
# HTTPS service
resource "nutanix_service_groups_v2" "https" {
  name        = "TEST_HTTPS"
  description = "HTTPS traffic"

  tcp_services {
    start_port = "443"
    end_port   = "443"
  }
}

# SSH service
resource "nutanix_service_groups_v2" "ssh" {
  name        = "TEST_SSH"
  description = "SSH traffic"

  tcp_services {
    start_port = "22"
    end_port   = "22"
  }
}

# MySQL service
resource "nutanix_service_groups_v2" "mysql" {
  name        = "TEST_MySQL"
  description = "MySQL database traffic "

  tcp_services {
    start_port = "3306"
    end_port   = "3306"
  }
}

# Security policies

resource "nutanix_network_security_policy_v2" "simple_security_policy" {
  name        = "simple_security_policy"
  description = "Simple security policy "
  type        = "APPLICATION"
  state       = "MONITOR"

  is_ipv6_traffic_allowed = false
  is_hitlog_enabled       = true

  vpc_reference = [data.nutanix_vpcs_v2.vpc.vpcs[0].ext_id]
  scope         = "VPC_LIST"

  # =========================================================================
  # RULE 1: Allow admins to access web servers via HTTPS
  # =========================================================================
  rules {
    description = "Admin to WebServers HTTPS"
    type        = "APPLICATION"

    spec {
      application_rule_spec {
        # Destination: Web servers (using category)
        secured_group_category_references = [
          nutanix_category_v2.webservers.id
        ]

        # Source: Admin network (using IP address group)
        src_address_group_references = [
          nutanix_address_groups_v2.admin_network.ext_id
        ]

        # Service: HTTPS
        service_group_references = [
          nutanix_service_groups_v2.https.ext_id
        ]
      }
    }
  }

  # =========================================================================
  # RULE 2: Allow web servers to access database via MySQL
  # =========================================================================
  rules {
    description = "WebServers to Database MySQL"
    type        = "APPLICATION"

    spec {
      application_rule_spec {
        # Destination: Database servers (using category)
        secured_group_category_references = [
          nutanix_category_v2.database.id
        ]

        # Source: Web servers (using category)
        src_category_references = [
          nutanix_category_v2.webservers.id
        ]

        # Service: MySQL
        service_group_references = [
          nutanix_service_groups_v2.mysql.ext_id
        ]
      }
    }
  }




  # Intra-Group Rule 1: Deny traffic between webserver categories
  rules {
    description = "Deny intra-group traffic between WebServers"
    type        = "INTRA_GROUP"

    spec {
      intra_entity_group_rule_spec {
        secured_group_category_references = [
          nutanix_category_v2.webservers.id
        ]
        secured_group_action = "DENY"
      }
    }
  }

  # Intra-Group Rule 2: Deny traffic between database categories
  rules {
    description = "Deny intra-group traffic between database VMs"
    type        = "INTRA_GROUP"

    spec {
      intra_entity_group_rule_spec {
        secured_group_category_references = [
          nutanix_category_v2.database.id
        ]
        secured_group_action = "DENY"
      }
    }
  }

  # =========================================================================
  # RULE 3: Allow admin to msqsl 
  # =========================================================================

  # rules {
  #   description = "Admin to MSSQL"
  #   type        = "APPLICATION"

  #   spec {
  #     application_rule_spec {
  #       # Destination: database (using category)
  #       secured_group_category_references = [
  #         nutanix_category_v2.database.id
  #       ]

  #       # Source: admin network (using address group)
  #       src_address_group_references = [
  #         nutanix_address_groups_v2.admin_network.ext_id
  #       ]

  #       # Service: MYSQL
  #       service_group_references = [
  #         nutanix_service_groups_v2.mysql.ext_id
  #       ]
  #     }
  #   }
  # }

}

[Haroon-Dweikat-Ntx]

Hi @aharlaut
Just following up, was my response helpful, and is the issue now resolved? If so, may I go ahead and close it?

[Haroon-Dweikat-Ntx]

Closing it as there is nothing to do.