https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412786#M2237 <P>It is indeed an array.</P><P>This is the terraform resource for L3 firewall rules.</P><PRE class="lia-code-sample language-markup"><CODE>resource "meraki_networks_appliance_firewall_l3_firewall_rules" "sb3_fw_l3" { network_id = meraki_networks.sb3.id rules = [{ comment = "Deny-RFC1918." dest_cidr = "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16" dest_port = "any" policy = "deny" protocol = "any" src_cidr = "any" src_port = "any" syslog_enabled = false }, { comment = "Allow-corp-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_corp src_port = "any" syslog_enabled = false }, { comment = "Allow-iot-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_iot src_port = "any" syslog_enabled = false }, { comment = "Allow-guest-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_guest src_port = "any" syslog_enabled = false } ] }</CODE></PRE><P>This is how it ends up in the Dashboard.</P><P><SPAN class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Skjermbilde 2025-07-17 211131.png" style="width: 999px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/264438iDDBE8AA6F0609996/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN></P><P>I deleted all rules above and pasted the same array into postman.<BR />Postman body:</P><PRE class="lia-code-sample language-markup"><CODE>{ "rules": [ { "policy": "deny", "protocol": "any", "srcCidr": "any", "destCidr": "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16", "comment": "Deny-RFC1918.", "srcPort": "any", "destPort": "any", "syslogEnabled": false }, { "policy": "allow", "protocol": "any", "srcCidr": "10.100.2.0/24", "destCidr": "any", "comment": "Allow-corp-outbound-to-internet.", "srcPort": "any", "destPort": "any", "syslogEnabled": false }, { "policy": "allow", "protocol": "any", "srcCidr": "10.110.2.0/24", "destCidr": "any", "comment": "Allow-iot-outbound-to-internet.", "srcPort": "any", "destPort": "any", "syslogEnabled": false }, { "policy": "allow", "protocol": "any", "srcCidr": "10.120.2.0/24", "destCidr": "any", "comment": "Allow-guest-outbound-to-internet.", "srcPort": "any", "destPort": "any", "syslogEnabled": false } ] }</CODE></PRE><P>Postman response:</P><PRE class="lia-code-sample language-markup"><CODE>200 OK "rules": [ { "comment": "Deny-RFC1918.", "policy": "deny", "protocol": "any", "srcPort": "Any", "srcCidr": "Any", "destPort": "Any", "destCidr": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16", "syslogEnabled": false }, { "comment": "Allow-corp-outbound-to-internet.", "policy": "allow", "protocol": "any", "srcPort": "Any", "srcCidr": "10.100.2.0/24", "destPort": "Any", "destCidr": "Any", "syslogEnabled": false }, { "comment": "Allow-iot-outbound-to-internet.", "policy": "allow", "protocol": "any", "srcPort": "Any", "srcCidr": "10.110.2.0/24", "destPort": "Any", "destCidr": "Any", "syslogEnabled": false }, { "comment": "Allow-guest-outbound-to-internet.", "policy": "allow", "protocol": "any", "srcPort": "Any", "srcCidr": "10.120.2.0/24", "destPort": "Any", "destCidr": "Any", "syslogEnabled": false }, { "comment": "Default rule", "policy": "allow", "protocol": "Any", "srcPort": "Any", "srcCidr": "Any", "destPort": "Any", "destCidr": "Any", "syslogEnabled": false } ] }</CODE></PRE><P>Dashboard:</P><P><SPAN class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Skjermbilde 2025-07-17 210813.png" style="width: 999px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/264439i5550ADB9BABEDE98/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN></P><P>Everything is identical in the array. The only difference is how i populate the fields in terraform. I'm just pointing to some variables defined in variables.tf</P><P>Here they are:</P><PRE class="lia-code-sample language-markup"><CODE>variable "subnet_prefix_corp" { type = string default = "10.100.2.0/24" } variable "appliance_ip_corp" { type = string default = "10.100.2.1" } variable "subnet_prefix_iot" { type = string default = "10.110.2.0/24" } variable "appliance_ip_iot" { type = string default = "10.110.2.1" } variable "subnet_prefix_guest" { type = string default = "10.120.2.0/24" } variable "appliance_ip_guest" { type = string default = "10.120.2.1" } variable "subnet_prefix_mgmt" { type = string default = "10.130.2.0/24" } variable "appliance_ip_mgmt" { type = string default = "10.130.2.1" }</CODE></PRE><P>It looks like Terraform is somehow re-ordering the array. But i'm not sure how or why <SPAN class="lia-unicode-emoji" title=":confused_face:"><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN> </P> Thu, 17 Jul 2025 19:07:05 GMT martin-lystad 2025-07-17T19:07:05Z https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412783#M2234 <P>Hi gang,</P><P>I'm working on a full IaC deployment of a Meraki organization using terraform. </P><P>I notice some issues with the firewall L3 rule ordering when applying the terraform code.</P><P>Since terraform applies all code at the same time unless a dependency is decleared the 10 or so starting rules i have end up in a random order. For the most part i dont care about rule order, but i got some deny rules that must be placed in a spesific sequence.</P><P>I notice that the API endpoint for L3 FW rules also does not contain any parameters for sequence.</P><P>Has anyone worked around this in a way that is scaleable?</P><P>Also if some meraki employees read this, is it possible to add a feature request for firewall sequence numbering?</P><P>Thanks in advance!</P> Thu, 17 Jul 2025 06:59:06 GMT https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412783#M2234 martin-lystad 2025-07-17T06:59:06Z https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412784#M2235 <P>You can try using a script (e.g., Python or Bash) that calls the Meraki API directly in the desired order. Terraform can trigger this script using the null_resource provisioner and local-exec.</P> Thu, 17 Jul 2025 13:01:39 GMT https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412784#M2235 aleabrahao 2025-07-17T13:01:39Z https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412785#M2236 <P>Question. When using <SPAN>updateNetworkApplianceFirewallL3FirewallRules, the input is an array of rules.</SPAN></P><P><SPAN>Are you seeing different behavior between Terraform, Postman, Python, etc’?</SPAN></P><P><SPAN>If so, can you share the Terraform plan you’re using?</SPAN></P> Thu, 17 Jul 2025 13:13:47 GMT https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412785#M2236 obrigg 2025-07-17T13:13:47Z https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412786#M2237 <P>It is indeed an array.</P><P>This is the terraform resource for L3 firewall rules.</P><PRE class="lia-code-sample language-markup"><CODE>resource "meraki_networks_appliance_firewall_l3_firewall_rules" "sb3_fw_l3" { network_id = meraki_networks.sb3.id rules = [{ comment = "Deny-RFC1918." dest_cidr = "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16" dest_port = "any" policy = "deny" protocol = "any" src_cidr = "any" src_port = "any" syslog_enabled = false }, { comment = "Allow-corp-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_corp src_port = "any" syslog_enabled = false }, { comment = "Allow-iot-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_iot src_port = "any" syslog_enabled = false }, { comment = "Allow-guest-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_guest src_port = "any" syslog_enabled = false } ] }</CODE></PRE><P>This is how it ends up in the Dashboard.</P><P><SPAN class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Skjermbilde 2025-07-17 211131.png" style="width: 999px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/264438iDDBE8AA6F0609996/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN></P><P>I deleted all rules above and pasted the same array into postman.<BR />Postman body:</P><PRE class="lia-code-sample language-markup"><CODE>{ "rules": [ { "policy": "deny", "protocol": "any", "srcCidr": "any", "destCidr": "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16", "comment": "Deny-RFC1918.", "srcPort": "any", "destPort": "any", "syslogEnabled": false }, { "policy": "allow", "protocol": "any", "srcCidr": "10.100.2.0/24", "destCidr": "any", "comment": "Allow-corp-outbound-to-internet.", "srcPort": "any", "destPort": "any", "syslogEnabled": false }, { "policy": "allow", "protocol": "any", "srcCidr": "10.110.2.0/24", "destCidr": "any", "comment": "Allow-iot-outbound-to-internet.", "srcPort": "any", "destPort": "any", "syslogEnabled": false }, { "policy": "allow", "protocol": "any", "srcCidr": "10.120.2.0/24", "destCidr": "any", "comment": "Allow-guest-outbound-to-internet.", "srcPort": "any", "destPort": "any", "syslogEnabled": false } ] }</CODE></PRE><P>Postman response:</P><PRE class="lia-code-sample language-markup"><CODE>200 OK "rules": [ { "comment": "Deny-RFC1918.", "policy": "deny", "protocol": "any", "srcPort": "Any", "srcCidr": "Any", "destPort": "Any", "destCidr": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16", "syslogEnabled": false }, { "comment": "Allow-corp-outbound-to-internet.", "policy": "allow", "protocol": "any", "srcPort": "Any", "srcCidr": "10.100.2.0/24", "destPort": "Any", "destCidr": "Any", "syslogEnabled": false }, { "comment": "Allow-iot-outbound-to-internet.", "policy": "allow", "protocol": "any", "srcPort": "Any", "srcCidr": "10.110.2.0/24", "destPort": "Any", "destCidr": "Any", "syslogEnabled": false }, { "comment": "Allow-guest-outbound-to-internet.", "policy": "allow", "protocol": "any", "srcPort": "Any", "srcCidr": "10.120.2.0/24", "destPort": "Any", "destCidr": "Any", "syslogEnabled": false }, { "comment": "Default rule", "policy": "allow", "protocol": "Any", "srcPort": "Any", "srcCidr": "Any", "destPort": "Any", "destCidr": "Any", "syslogEnabled": false } ] }</CODE></PRE><P>Dashboard:</P><P><SPAN class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Skjermbilde 2025-07-17 210813.png" style="width: 999px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/264439i5550ADB9BABEDE98/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN></P><P>Everything is identical in the array. The only difference is how i populate the fields in terraform. I'm just pointing to some variables defined in variables.tf</P><P>Here they are:</P><PRE class="lia-code-sample language-markup"><CODE>variable "subnet_prefix_corp" { type = string default = "10.100.2.0/24" } variable "appliance_ip_corp" { type = string default = "10.100.2.1" } variable "subnet_prefix_iot" { type = string default = "10.110.2.0/24" } variable "appliance_ip_iot" { type = string default = "10.110.2.1" } variable "subnet_prefix_guest" { type = string default = "10.120.2.0/24" } variable "appliance_ip_guest" { type = string default = "10.120.2.1" } variable "subnet_prefix_mgmt" { type = string default = "10.130.2.0/24" } variable "appliance_ip_mgmt" { type = string default = "10.130.2.1" }</CODE></PRE><P>It looks like Terraform is somehow re-ordering the array. But i'm not sure how or why <SPAN class="lia-unicode-emoji" title=":confused_face:"><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN> </P> Thu, 17 Jul 2025 19:07:05 GMT https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412786#M2237 martin-lystad 2025-07-17T19:07:05Z https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412787#M2238 <P>Wrap your rules in a <STRONG>tolist()</STRONG> to force Terraform to treat it as an ordered list.</P> Thu, 17 Jul 2025 19:37:24 GMT https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412787#M2238 aleabrahao 2025-07-17T19:37:24Z https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412788#M2239 <P>Thanks for the tip, but unfortunately it did not solve the issue.</P><P>rules wrapped in a tolist using locals:</P><PRE class="lia-code-sample language-markup"><CODE>locals { firewall_rules = tolist([ { comment = "Deny-RFC1918." dest_cidr = "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16" dest_port = "any" policy = "deny" protocol = "any" src_cidr = "any" src_port = "any" syslog_enabled = false }, { comment = "Allow-corp-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_corp src_port = "any" syslog_enabled = false }, { comment = "Allow-iot-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_iot src_port = "any" syslog_enabled = false }, { comment = "Allow-guest-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_guest src_port = "any" syslog_enabled = false } ]) } resource "meraki_networks_appliance_firewall_l3_firewall_rules" "sb3_fw_l3" { network_id = meraki_networks.sb3.id rules = local.firewall_rules }</CODE></PRE><P>Dashboard:</P><P><SPAN class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Skjermbilde 2025-07-17 220959.png" style="width: 999px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/264440i97F6503321F816E5/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN></P><P>Copy of the state file block for firewall rules.</P><PRE class="lia-code-sample language-markup"><CODE>{ "mode": "managed", "type": "meraki_networks_appliance_firewall_l3_firewall_rules", "name": "sb3_fw_l3", "provider": "provider[\"registry.terraform.io/cisco-open/meraki\"]", "instances": [ { "schema_version": 0, "attributes": { "network_id": "xxxxxxxxxx", "rules": [ { "comment": "Allow-corp-outbound-to-internet.", "dest_cidr": "any", "dest_port": "any", "policy": "allow", "protocol": "any", "src_cidr": "10.100.2.0/24", "src_port": "any", "syslog_enabled": false }, { "comment": "Allow-guest-outbound-to-internet.", "dest_cidr": "any", "dest_port": "any", "policy": "allow", "protocol": "any", "src_cidr": "10.120.2.0/24", "src_port": "any", "syslog_enabled": false }, { "comment": "Allow-iot-outbound-to-internet.", "dest_cidr": "any", "dest_port": "any", "policy": "allow", "protocol": "any", "src_cidr": "10.110.2.0/24", "src_port": "any", "syslog_enabled": false }, { "comment": "Deny-RFC1918.", "dest_cidr": "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16", "dest_port": "any", "policy": "deny", "protocol": "any", "src_cidr": "any", "src_port": "any", "syslog_enabled": false } ], "rules_response": [ { "comment": "Allow-corp-outbound-to-internet.", "dest_cidr": "Any", "dest_port": "Any", "policy": "allow", "protocol": "any", "src_cidr": "10.100.2.0/24", "src_port": "Any", "syslog_enabled": false }, { "comment": "Allow-guest-outbound-to-internet.", "dest_cidr": "Any", "dest_port": "Any", "policy": "allow", "protocol": "any", "src_cidr": "10.120.2.0/24", "src_port": "Any", "syslog_enabled": false }, { "comment": "Allow-iot-outbound-to-internet.", "dest_cidr": "Any", "dest_port": "Any", "policy": "allow", "protocol": "any", "src_cidr": "10.110.2.0/24", "src_port": "Any", "syslog_enabled": false }, { "comment": "Default rule", "dest_cidr": "Any", "dest_port": "Any", "policy": "allow", "protocol": "Any", "src_cidr": "Any", "src_port": "Any", "syslog_enabled": false }, { "comment": "Deny-RFC1918.", "dest_cidr": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16", "dest_port": "Any", "policy": "deny", "protocol": "any", "src_cidr": "Any", "src_port": "Any", "syslog_enabled": false } ], "syslog_default_rule": null }, "sensitive_attributes": [], "identity_schema_version": 0, "dependencies": [ "meraki_networks.sb3" ] } ] }</CODE></PRE><P>The order in the statefile matches what i see in the dashboard. I just dont get why it reorders the array.</P> Thu, 17 Jul 2025 20:10:55 GMT https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412788#M2239 martin-lystad 2025-07-17T20:10:55Z https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412789#M2240 <P>Can you kindly open an issue on our <A href="https://github.com/cisco-open/terraform-provider-meraki" target="_blank" rel="noopener nofollow noreferrer">GitHub repo</A>? Our developers will take a look.</P> Thu, 17 Jul 2025 20:15:30 GMT https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412789#M2240 obrigg 2025-07-17T20:15:30Z https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412790#M2241 <P>With the debug information, please.</P> Thu, 17 Jul 2025 20:16:24 GMT https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412790#M2241 obrigg 2025-07-17T20:16:24Z https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412791#M2242 <P>Done. Here is a link to the issue.</P><P>Thanks for the replies <SPAN class="lia-unicode-emoji" title=":slightly_smiling_face:"><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN><BR /><A href="https://github.com/cisco-open/terraform-provider-meraki/issues/274" target="_blank" rel="nofollow noopener noreferrer">https://github.com/cisco-open/terraform-provider-meraki/issues/274</A></P> Thu, 17 Jul 2025 20:42:50 GMT https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412791#M2242 martin-lystad 2025-07-17T20:42:50Z https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412792#M2243 <P>Fyi there is a commit do the dev branch of the repo with a possible solution now. <SPAN class="lia-unicode-emoji" title=":slightly_smiling_face:"><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P> Mon, 21 Jul 2025 19:12:30 GMT https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412792#M2243 martin-lystad 2025-07-21T19:12:30Z https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412793#M2244 <P>And now its merged with main. New provider version 1.1.7-beta is out <SPAN class="lia-unicode-emoji" title=":slightly_smiling_face:"><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P><P>Thanks everyone!</P> Mon, 21 Jul 2025 20:54:06 GMT https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412793#M2244 martin-lystad 2025-07-21T20:54:06Z https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412794#M2245 <P>Happy coding!</P> Mon, 21 Jul 2025 22:47:02 GMT https://community.cisco.com/t5/network-platform-api/terraform-meraki-mx-l3-firewall-rules-order/m-p/5412794#M2245 obrigg 2025-07-21T22:47:02Z