Hi @Geir Sand-Strand 

1. Unfortunately, Nexus as code module doesn't support the property that will allow you to set this. Under vnsAbsGraph, there is parameter called "filterBetweenNodes". Nexus as Code creates this resources, but as we can see below - it's not specified in body that is send to APIC:

https://github.com/netascode/terraform-aci-nac-aci/blob/main/modules/terraform-aci-service-graph-template/main.tf

resource "aci_rest_managed" "vnsAbsGraph" {
  dn         = "uni/tn-${var.tenant}/AbsGraph-${var.name}"
  class_name = "vnsAbsGraph"
  annotation = var.annotation
  content = {
    name           = var.name
    descr          = var.description
    nameAlias      = var.alias
    type           = "legacy"
    uiTemplateType = "UNSPECIFIED"
  }
}

 
If this parameter is not specified explicitly, then default value is used, which is set to "allow-all".

In order to get this parameter be available for you to control in data model, you need to raise an issue on github page of NaC: https://github.com/netascode/terraform-aci-nac-aci/issues to request for that feature.

For 2 and 3 - could you please give me more context and examples so I could better understand the problem?

Thanks.

Thx for the reply.

1. I found out about the filterBetweenNodes in the module for the service graph template.  So for now as a workaround, i added  it locally in the main.tf file of the module.  As you say, deault is "allow-all". I added this line to the module main.tf file:
filterBetweenNodes = "filters-from-contract"
And now it uses that as default.
I did also raise an issue https://github.com/netascode/terraform-aci-nac-aci/issues/215 so maybe it will be something to control in the future. 

2. Device Selection Policies, I figured out that I used it wrong. Under device_selection_policies the name of the l3out and extEPG needed to correspond to my actual naming for the l3out.  So I solved this also.

So running terraform with the NaC, it creates everything I want (tenant, vrf, bd, epg, contract, l3out and all I need for the service graph part). 

The last thing is to apply the service graph template so that my NaC automate it all.
3. If i right-click on the created Service Graph template I created with NaC, I can configure it via GUI and it starts to work.
But I want terraform and NaC to do that automatically.  That I haven't figured out yet.  Is it possible?

I'm new to service graph, so trying to learn how it can be used.
Not sure if the way I am trying is a good way. But it is for testing service graph.
1-5 yes, that is DONE with NaC, and it works nice.
6 is the last thing I'm looking at.

Assigning graph to contract's subject, with the contract object in datamodel, and parameter "service_graph" under subject for the contract, does apply it to the contract subject. But it doesn't solve the issue.

The goal is that epg/bd200 and epg/bd201, with the L3Out (bgp towards a firewall) to send all traffic to the firewall.
And then let the firewall-rules allow/drop the traffic.
Some specific traffic might be allowed directly between nodes within the epg's. That I haven't looked into yet.
Why? Well this is just for testing and looking into service graph's. Maybe I learn something good

When it all is created with NaC, I do the last part (6) manually.
I then manually apply the L4-L7 Service Graph Template by right-click the template I select the following:
- Checked the "Intra-Endpoint Contract"
- EPG/Network: selected the extEPG created for the L3Out
- Contract type: Selected "Select Existing Contract Subject"
- Existing Contracts with Subjects: Selected the contract created
- Clicked Next
- Under Connector and Type, selected "Route Peering"
- L3 Ext Network" selected the extEPG created for the L3Out
- Unticked the "L3 Destination VIP"
- In "Redirect Policy", selected the redirect policy created (SG_VRF-East-West-FW_pbr)
- In "Cluster Interface", selected the cluster interface created (Clusterif)
- Click Finised, and I'm done!

Now the Service Graph is applied and shows up under "Deployed Graph Instances"
And it looks like it is working also.

But how can NaC apply the service graph template in the way above?

Sorry, I think you are right about "that you need to assign graph to contract's subject. You can use the contract object in datamodel:
https://netascode.cisco.com/data_model/apic/tenants/contract
Parameter "service_graph" under subject"

I just tested it, and it seems to be working. Using the correct template-name with the service:graph like this:
service_graph: ServiceGraph_NAC
Did a little testing now, and it seems to solve my issue with appling the service graph.

I will do some more testing tomorrow and let you know the status.

Thanks for all help.

I'm glad to hear it works! Sure, please let me know how your tests went.

Yes, it looks good.  Thank's for the help, you got me on the right track.

Geir