firewall-cmd and NetworkManager

It appears firewall-cmd is not properly working with NetworkManager in RHEL7

If I run a command like

firewall-cmd --permanent --zone=external --change-interface=enp8s0

even though it says success (and even if I --complete-reload) when I do a --list-all-zones it still shows the interface attached to the public zone. I restart firewalld and still it does not move even though the files in /etc/firewalld clearly show the enp8s0 interface in the external zone and not the public zone.

I finally added ZONE=external to /etc/sysconfig/network-interfaces/ifcfg-enp8s0 and then restarted NetworkManager and firewalld and it finally moved.

I finally see buried deep in the documentation https://access.redhat.com/documentation/enUS/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html where it mentions this problem, but I don't think this is clear enough. And it should not be the case. It should be simple for firewall-cmd to signal NetworkManager if it is running to do the right thing. Or at least not report success. Lots of automation tools (aka puppet) are just going to have a terrible time with this otherwise.