Expose all related Policy objects for a given device via GraphQL
Kircheneer opened this issue · comments
Environment
- Nautobot version: 1.3.3
- nautobot-plugin-firewall-model version: 0.1.0.beta3
Proposed Functionality
Given a query like
```graphql
query ($device_id: ID!) {
  device(id: $device_id) {
    policies
  }
}
```
I want all Policy objects to be returned for that given device, as in
- Policy objects that are directly assigned to devices
- Policy objects that are assigned to devices through dynamic groups
Use Case
Get all rules for a given device; the specific use case is using nautobot-golden-config to generate ACLs as part of the configuration.
Are you saying your use case is not handled, or that it is not handled simply enough? If the latter, then I think that is to be expected; GraphQL is simply based on the relationships in the models.
A little bit of both. Currently I can only retrieve policies assigned directly to devices, not those assigned through dynamic groups. I talked about this with the Nautobot core team and they didn't have an immediate solution in mind, but in general thought that the extension of GraphQL models by plugins might be a use case worth exploring.
So the first is a Nautobot Core issue, and the second I would not expect any update on, as it is based on the GraphQL implementation.
I understand the sentiment, but taking away the thoughts about the implementation and just thinking of the actual feature for now, don't you think it would be useful to have this feature in, especially in regards to how we're using GraphQL with golden config? Otherwise I have to piece together which policies apply to my device.
Ok, fair enough. Imho the GitHub issue should focus more on the problem/use case and less about the solution you may specifically be looking for.
Related to #70
@Kircheneer still not clear to me what the request is, my recommendation is to still look at the use case/problem. While yes I agree it would be better to have GraphQL have a more simplified view in this case I do not think it plausible/reasonable to have another implementation of GraphQL just for this use case. So if we remove from the suggested solution, what is the problem? I have added `to_json` and `policy_details` methods on 2 of the models, for what I guess is the same underlying problem.
Alright let me try to lay out again why I think I need this. My use case, which I think is fairly standard, is that I want to retrieve all `Policy` objects that apply to a given `Device` object so I have the entire firewall policy that should apply to that device. Now currently (with GraphQL/REST and assuming no ORM access, which is reasonable for a SoT IMO) I have to do the following things to get there:
1. Somehow get all dynamic groups a device is part of (this is an issue on the Nautobot core side)
2. Get all `Policy` objects that apply to those given dynamic groups
3. Get all `Policy` objects that apply directly to that given device
4. Get all `PolicyRule` objects for each of those `Policy` objects
5. Done
To me this just sounds like a lot of work and a very complex GraphQL query / a lot of individual REST API queries for what I think will be a fairly common use case. I can however understand if you don't think this is a battery worth including, I just wanted to highlight my thought process here.
As mentioned in my prior comment, for 1-5 I still don't understand how the `to_json` and `policy_details` are not solving the problem, other than not being the preferred GraphQL. Can you speak directly to that point on `to_json` & `policy_details`?
Well I need ORM access to use those, don't I? So that rules out both the preferred GraphQL as well as the REST API in their current state. Also unless I am misunderstanding something, even if we had these methods exposed on say the REST API then I would still need to know all the relevant `Policy` objects (steps 1+2) before I can make calls to their respective `to_json` or `policy_details` endpoints.
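The lookup steps listed earlier in this thread, as an added example that is not part of the original discussion or of the plugin's code: it merges directly assigned policies with those inherited through dynamic groups and reports which policies a direct-only query would leave out of a generated ACL. The function names, dict layout, and all device, group, policy and rule names are assumptions constructed for illustration; plain dicts stand in for whatever the API would return.

```python
# Constructed sample data (hypothetical names, not the plugin's schema).
GROUP_MEMBERS = {  # dynamic group -> devices currently matched by it
    "dmz-firewalls": {"fw-01", "fw-02"},
    "branch-firewalls": {"fw-03"},
}
DIRECT = {"fw-01": ["fw-01-local"], "fw-03": ["baseline-deny"]}
VIA_GROUP = {
    "dmz-firewalls": ["dmz-ingress", "baseline-deny"],
    "branch-firewalls": ["baseline-deny"],
}
RULES = {  # policy -> its rules (step 4 in the thread)
    "fw-01-local": ["allow-ssh-from-mgmt"],
    "dmz-ingress": ["allow-https-to-web", "deny-any-to-db"],
    "baseline-deny": ["deny-any-any-log"],
}


def effective_policies(device, group_members, direct, via_group, rules):
    """Return {policy: {"sources": [...], "rules": [...]}} for one device."""
    result = {}

    def attach(policy, source):
        entry = result.setdefault(
            policy, {"sources": [], "rules": list(rules.get(policy, []))}
        )
        if source not in entry["sources"]:
            entry["sources"].append(source)

    # Step 3: policies assigned directly to the device.
    for policy in direct.get(device, []):
        attach(policy, "direct")
    # Steps 1 and 2: groups containing the device, then their policies.
    for group in sorted(group_members):
        if device in group_members[group]:
            for policy in via_group.get(group, []):
                attach(policy, f"dynamic-group:{group}")
    return result


def missing_from_direct_query(device, group_members, direct, via_group, rules):
    """Policies a direct-only lookup would omit for this device."""
    full = effective_policies(device, group_members, direct, via_group, rules)
    return sorted(p for p, e in full.items() if "direct" not in e["sources"])


if __name__ == "__main__":
    args = (GROUP_MEMBERS, DIRECT, VIA_GROUP, RULES)
    print(effective_policies("fw-01", *args))
    print(missing_from_direct_query("fw-01", *args))
```

A policy reachable both directly and through a group appears once, with both sources recorded, so its rules are not rendered twice.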