Skip to content
Network as Code

Bulk Mode

Traditionally, Terraform creates each resource object individually, issuing a separate API request per object. You can switch to bulk operations for certain resources, allowing the creation or deletion of multiple resources in a single API call instead. This feature leverages the Secure Firewall Management Center (FMC) API bulk capabilities to improve performance when managing large numbers of objects.

Additional information is available in FMC Terraform Provider documentation.

Why Use Bulk Operations?

Section titled “Why Use Bulk Operations?”

Bulk operations provide several key benefits:

  • Improved Performance: Significantly faster when managing large numbers of resources
  • Reduced API Calls: Fewer requests to the FMC API, reducing load and potential rate limiting issues

Usage

Section titled “Usage”

By default, all objects are created in non-bulk mode, except for network_groups and policies, which are always created in bulk. The YAML definition of resources is the same regardless of whether bulk or non-bulk mode is used.

In the Network as Code for FMC (nac-fmc) module, you can enable bulk operations using the nac_configuration settings:

# Enable bulk mode for all supported objects
fmc:
  nac_configuration:
    bulk: true
# Enable bulk mode per object type:
fmc:
  nac_configuration:
    hosts_bulk: true
    networks_bulk: true
    ranges_bulk: true

More information on supported objects is available in the data model section. Note that even if an object type is labeled as bulk, it may fall back to one-by-one operations for FMC versions that do not support bulk for that resource type. Refreshes are always performed in bulk. Refer to the Terraform resource documentation for details on each individual resource.

Bulk mode limitations

Section titled “Bulk mode limitations”

Bulk mode comes with limitations related to changing dependencies between resources that Terraform cannot resolve on its own.

Case 1: Object Replacement

Section titled “Case 1: Object Replacement”

When replacing objects that are referenced by other resources (e.g., a host referenced by a network group), you may encounter dependency conflicts. Terraform cannot:

  • Modify the bulk resource first (would break references)
  • Modify the dependent resource first (new object doesn’t exist yet)

Solution: Use a staged deployment approach:

  1. Stage 1: Add the new object while keeping the old one and update references
  2. Stage 2: Remove the old object

Case 2: Object Removal

Section titled “Case 2: Object Removal”

When removing objects that are referenced by other resources, you cannot do it in a single step.

Solution: Use a staged deployment approach:

  1. Stage 1: Remove references to the object from dependent resources
  2. Stage 2: Remove the object itself from the bulk resource