diff --git a/module/PowerNSX.psm1 b/module/PowerNSX.psm1 index c76434f8..5a434a65 100644 --- a/module/PowerNSX.psm1 +++ b/module/PowerNSX.psm1 @@ -23747,6 +23747,9 @@ function Remove-NsxSecurityGroupMember { [object]$SecurityGroup, [Parameter (Mandatory=$False)] [switch]$FailIfAbsent=$true, + [Parameter (Mandatory=$False)] + #The specified exclude members are to be removed from the security group + [switch]$MemberIsExcluded=$false, [Parameter (Mandatory=$true)] [ValidateScript({ ValidateSecurityGroupMember $_ })] [object[]]$Member, @@ -23767,7 +23770,7 @@ function Remove-NsxSecurityGroupMember { } process { - + $modified = $False #Get our internal SG object and id. The internal obejct is used to modify and put for bulk update. if ( $SecurityGroup -is [System.Xml.XmlElement] ) { $SecurityGroupId = $securityGroup.objectId @@ -23787,7 +23790,7 @@ function Remove-NsxSecurityGroupMember { if ($_Member -is [System.Xml.XmlElement] ) { $MemberMoref = $_Member.objectId } - elseif ( ($_Member -is [string]) -and ($_Member -match "^vm-\d+$|^resgroup-\d+$|^dvportgroup-\d+$|^directory_group-\d+$" )) { + elseif ( ($_Member -is [string]) -and ($_Member -match "^vm-\d+$|^resgroup-\d+$|^dvportgroup-\d+$|^directory_group-\d+$|^domain-c\d+$" )) { $MemberMoref = $_Member } 
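Review bot: The help comment on `$MemberIsExcluded` (first hunk, param block) does not say what happens when the switch is omitted: only `member` entries are then searched, so an object present only as an `excludeMember` is reported as absent. Since removing an exclusion presumably changes which objects the group's rules apply to, the help text is worth making explicit, for example `#Remove the specified objects from the group's excludeMember list instead of its member list.` The `=$false` default on a `[switch]` is redundant and could be dropped. The param block starts and ends outside the hunk.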
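Review bot: The accepted string-id pattern in the `elseif` (third hunk) is now a five-way alternation that must be edited by hand for each new object type; grouping the shared shape, `"^(vm|resgroup|dvportgroup|directory_group)-\d+$|^domain-c\d+$"`, matches the same ids and makes the next addition less error-prone. Only cluster ids are added here, while the integration tests in this commit also remove Datacenter members by moref value. Whether those strings are accepted depends on branches outside this hunk, so that is worth confirming.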
@@ -23811,24 +23814,38 @@ function Remove-NsxSecurityGroupMember { throw "Invalid member specified $($_Member)" } - if ( $FailIfAbsent) { - #Need to check before removing the member, because we are now using bulk update, the API doesnt do this for us. - #To support the prior functionality of failIfAbsent, we have to check ourselves... - + # Check for the correct member type (inclue or exclude member) + if ( $MemberIsExcluded ) { + $existingMember = (Invoke-XpathQuery -QueryMethod SelectSingleNode -Node $_SecurityGroup -query "child::excludeMember[objectId=`"$MemberMoref`"]" ) + } + else { $existingMember = (Invoke-XpathQuery -QueryMethod SelectSingleNode -Node $_SecurityGroup -query "child::member[objectId=`"$MemberMoref`"]" ) + } - if ( $existingMember -eq $null ) { - throw "Member $($_Member.Name) ($MemberMoref) is not a member of the specified SecurityGroup." - } - else { - $null = $_SecurityGroup.Removechild($existingMember) + if ( $FailIfAbsent) { + #To support the prior functionality of failIfAbsent, we have to check ourselves... + if ( $null -eq $existingMember ) { + throw "Member $(if ($_Member | Get-Member -memberType Properties -name Name) {$_member.name}) ($MemberMoref) is not a member of the specified SecurityGroup." } } + + #Need to check before removing the member, because we are now using bulk update, the API doesnt do this for us. 
+ if ($existingMember) { + $null = $_SecurityGroup.Removechild($existingMember) + $modified = $True + } } - $URI = "/api/2.0/services/securitygroup/bulk/$($SecurityGroupId)" - Write-Progress -activity "Updating membership of Security Group $SecurityGroupId" - $null = invoke-nsxwebrequest -method "put" -uri $URI -connection $connection -body $_SecurityGroup.OuterXml - write-progress -activity "Updating membership of Security Group $SecurityGroupId" -completed + + # There is no reason to just blindly update the configuration as + # there may be no changes required, so we only do it if we find the + # member/excludeMember object via the xPath query + if ($modified) { + $URI = "/api/2.0/services/securitygroup/bulk/$($SecurityGroupId)" + Write-Progress -activity "Updating membership of Security Group $SecurityGroupId" + $null = invoke-nsxwebrequest -method "put" -uri $URI -connection $connection -body $_SecurityGroup.OuterXml + write-progress -activity "Updating membership of Security Group $SecurityGroupId" -completed + } + } #Get-NsxSecurityGroup -objectId $SecurityGroup.objectId -connection $connection } diff --git a/tests/integration/11.SecurityGroups.Tests.ps1 b/tests/integration/11.SecurityGroups.Tests.ps1 index 8bef8380..350cc008 100644 --- a/tests/integration/11.SecurityGroups.Tests.ps1 +++ b/tests/integration/11.SecurityGroups.Tests.ps1 
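Review bot: The `-FailIfAbsent` throw still says the object "is not a member of the specified SecurityGroup" even when `-MemberIsExcluded` selected the `excludeMember` query, so a failed removal does not tell the operator which list was searched. Consider varying the wording, for example replacing `is not a member` with `is not $(if ($MemberIsExcluded) {'an excluded member'} else {'a member'})`. The two `Invoke-XpathQuery` calls differ only in the element name, so choosing it once with `$memberNode = if ($MemberIsExcluded) {'excludeMember'} else {'member'}` would leave a single query to maintain. `$MemberMoref` is interpolated into that XPath string, which stays safe only while every branch that sets it (some lie outside this hunk) keeps it free of quote characters. The comment starting `#Need to check before removing` now sits above the removal rather than the check, and `inclue` in the new comment should read `include`.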
@@ -452,6 +452,18 @@ Describe "SecurityGroups" { } + it "Can modify a SecurityGroup excludion membership by id" { + #Specify SG to be modified and member by id + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberSg1.objectId -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $SecGrpMemberName1 + $get.excludeMember.objectId | should be $MemberSG1.objectId + } + it "Can add multiple members by object" { $SecGrp | Add-NsxSecurityGroupMember -Member $MemberSg1, $MemberSg2 $get = Get-nsxsecuritygroup -Name $secGrpName @@ -466,6 +478,25 @@ Describe "SecurityGroups" { } + it "Can remove multiple exclude members by object" { + $SecGrp | Add-NsxSecurityGroupMember -Member $MemberSg1, $MemberSg2 -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMembers have been added + $get.excludeMember.count | should be 2 + $get.excludeMember.name -contains $SecGrpMemberName1 | should be $true + $get.excludeMember.name -contains $SecGrpMemberName2 | should be $true + $get.excludeMember.objectId -contains $MemberSG1.objectId | should be $true + $get.excludeMember.objectId -contains $MemberSG2.objectId | should be $true + + # Now remove the excludeMembers + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberSg1, $MemberSg2 -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add multiple members by id" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberSg1.objectId, $MemberSg2.objectId $get = Get-nsxsecuritygroup -Name $secGrpName 
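Review bot: The new test title misspells "exclusion" as `excludion`, which makes the case harder to find when filtering tests by name; it should read `it "Can modify a SecurityGroup exclusion membership by id" {`. The test adds an exclude member and never removes it, so it presumably relies on per-test cleanup that is outside the hunk.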
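Review bot: The remove tests added in the `@@ -466,6 +478,25 @@` hunk, and in every later hunk of this file, only exercise the path where `-MemberIsExcluded` is passed and the object is on the exclude list. None of them checks that calling `Remove-NsxSecurityGroupMember` without the switch leaves an `excludeMember` entry in place and throws under the default `-FailIfAbsent`. That wrong-list case is the one that would silently change group scope if the two queries in the module were ever swapped. A negative test such as the one below would pin that behaviour; it assumes the setup outside the hunk gives each `it` a clean `$SecGrp`.

```powershell
it "Fails to remove an exclude member when -MemberIsExcluded is omitted" {
    Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberSg1 -MemberIsExcluded
    { Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberSg1 } | should throw
    # The exclusion must still be present after the failed call
    $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId
    $get.excludeMember.objectId | should be $MemberSG1.objectId
}
```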
@@ -479,6 +510,25 @@ Describe "SecurityGroups" { $get.member.objectId -contains $MemberSG2.objectId | should be $true } + it "Can remove multiple exclude members by id" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberSg1.objectId, $MemberSg2.objectId -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMembers have been added + $get.excludeMember.count | should be 2 + $get.excludeMember.name -contains $SecGrpMemberName1 | should be $true + $get.excludeMember.name -contains $SecGrpMemberName2 | should be $true + $get.excludeMember.objectId -contains $MemberSG1.objectId | should be $true + $get.excludeMember.objectId -contains $MemberSG2.objectId | should be $true + + # Now remove the excludeMembers + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberSg1.objectId, $MemberSg2.objectId -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a Logical Switch member by object" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberLS1 $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -491,6 +541,23 @@ Describe "SecurityGroups" { } + it "Can remove a Logical Switch exclude member by object" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberLS1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberLSName1 + $get.excludeMember.objectId | should be $MemberLS1.objectId + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberLS1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a Logical Switch member by id" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberLS1.ObjectId $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -503,6 +570,23 @@ Describe "SecurityGroups" { } + it "Can remove a Logical Switch exclude member by id" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberLS1.ObjectId -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberLSName1 + $get.excludeMember.objectId | should be $MemberLS1.objectId + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberLS1.ObjectId -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a VM member by object" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberVM1 $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -515,6 +599,23 @@ Describe "SecurityGroups" { } + it "Can remove a VM exclude member by object" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberVM1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberVMName1 + $get.excludeMember.objectId | should be $MemberVM1.ExtensionData.MoRef.Value + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberVM1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a VM member by id" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberVM1.ExtensionData.MoRef.Value $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -527,6 +628,23 @@ Describe "SecurityGroups" { } + it "Can remove a VM exclude member by id" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberVM1.ExtensionData.MoRef.Value -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberVMName1 + $get.excludeMember.objectId | should be $MemberVM1.ExtensionData.MoRef.Value + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberVM1.ExtensionData.MoRef.Value -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add an IPSet member by object" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberIpSet1 $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -539,6 +657,23 @@ Describe "SecurityGroups" { } + it "Can remove an IPSet exclude member by object" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberIpSet1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberIPSetName1 + $get.excludeMember.objectId | should be $MemberIpSet1.objectId + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberIpSet1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add an IPSet member by id" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberIpSet1.objectId $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -551,6 +686,23 @@ Describe "SecurityGroups" { } + it "Can remove an IPSet exclude member by id" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberIpSet1.objectId -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberIPSetName1 + $get.excludeMember.objectId | should be $MemberIpSet1.objectId + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberIpSet1.objectId -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a ResourcePool member by object" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberResPool1 $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -563,6 +715,23 @@ Describe "SecurityGroups" { } + it "Can remove a ResourcePool exclude member by object" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberResPool1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberResPoolName1 + $get.excludeMember.objectId | should be $MemberResPool1.ExtensionData.MoRef.Value + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberResPool1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add an ResourcePool member by id" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberResPool1.ExtensionData.MoRef.Value $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -575,6 +744,23 @@ Describe "SecurityGroups" { } + it "Can remove an ResourcePool exclude member by id" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberResPool1.ExtensionData.MoRef.Value -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberResPoolName1 + $get.excludeMember.objectId | should be $MemberResPool1.ExtensionData.MoRef.Value + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberResPool1.ExtensionData.MoRef.Value -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a DVPortGRoup member by object" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberVdPortGroup1 $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -587,6 +773,23 @@ Describe "SecurityGroups" { } + it "Can remove a DVPortGRoup exclude member by object" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberVdPortGroup1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberVdPortGroupName1 + $get.excludeMember.objectId | should be $MemberVdPortGroup1.ExtensionData.MoRef.Value + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberVdPortGroup1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a DVPortGRoup member by id" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberVdPortGroup1.ExtensionData.MoRef.Value $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -599,6 +802,23 @@ Describe "SecurityGroups" { } + it "Can remove a DVPortGRoup exclude member by id" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberVdPortGroup1.ExtensionData.MoRef.Value -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberVdPortGroupName1 + $get.excludeMember.objectId | should be $MemberVdPortGroup1.ExtensionData.MoRef.Value + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberVdPortGroup1.ExtensionData.MoRef.Value -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a Datacenter member by object" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberDc1 $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -611,6 +831,23 @@ Describe "SecurityGroups" { } + it "Can remove a Datacenter exclude member by object" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberDc1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberDcName1 + $get.excludeMember.objectId | should be $MemberDc1.ExtensionData.MoRef.Value + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberDc1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a Datacenter member by id" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberDc1.ExtensionData.MoRef.Value $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -623,6 +860,23 @@ Describe "SecurityGroups" { } + it "Can remove a Datacenter exclude member by id" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberDc1.ExtensionData.MoRef.Value -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberDcName1 + $get.excludeMember.objectId | should be $MemberDc1.ExtensionData.MoRef.Value + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberDc1.ExtensionData.MoRef.Value -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a Cluster member by object" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberCluster1 $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -635,6 +889,23 @@ Describe "SecurityGroups" { } + it "Can remove a Cluster exclude member by object" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberCluster1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberClusterName1 + $get.excludeMember.objectId | should be $MemberCluster1.ExtensionData.MoRef.Value + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberCluster1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a Cluster member by id" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberCluster1.ExtensionData.MoRef.Value $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -647,6 +918,23 @@ Describe "SecurityGroups" { } + it "Can remove a Cluster exclude member by id" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberCluster1.ExtensionData.MoRef.Value -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberClusterName1 + $get.excludeMember.objectId | should be $MemberCluster1.ExtensionData.MoRef.Value + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberCluster1.ExtensionData.MoRef.Value -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a VNIC member by object" { $vmUuid = ($MemberVnic1.parent | get-view).config.instanceuuid $VnicId = "$vmUuid.$($MemberVnic1.id.substring($MemberVnic1.id.length-3))" 
@@ -661,6 +949,24 @@ Describe "SecurityGroups" { } + it "Can remove a VNIC exclude member by object" { + $vmUuid = ($MemberVnic1.parent | get-view).config.instanceuuid + $VnicId = "$vmUuid.$($MemberVnic1.id.substring($MemberVnic1.id.length-3))" + + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberVnic1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.objectId | should be $VnicId + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberVnic1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a VNIC member by id" { $vmUuid = ($MemberVnic1.parent | get-view).config.instanceuuid 
@@ -675,6 +981,25 @@ Describe "SecurityGroups" { } + it "Can remove a VNIC exclude member by id" { + + $vmUuid = ($MemberVnic1.parent | get-view).config.instanceuuid + $VnicId = "$vmUuid.$($MemberVnic1.id.substring($MemberVnic1.id.length-3))" + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $VnicId -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.objectId | should be $VnicId + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $VnicId -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add an SecurityTag member by object" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberST1 $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -687,6 +1012,23 @@ Describe "SecurityGroups" { } + it "Can remove an SecurityTag exclude member by object" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberST1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberSTName1 + $get.excludeMember.objectId | should be $MemberST1.objectId + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberST1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a SecurityTag member by id" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberST1.objectId $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -699,6 +1041,23 @@ Describe "SecurityGroups" { } + it "Can remove a SecurityTag exclude member by id" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberST1.objectId -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberSTName1 + $get.excludeMember.objectId | should be $MemberST1.objectId + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberST1.objectId -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a MACSet member by object" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberMacSet1 $get = Get-nsxsecuritygroup -Name $secGrpName 
@@ -711,7 +1070,24 @@ Describe "SecurityGroups" { } - it "Can add a MACSet member by object" { + it "Can remove a MACSet exclude member by object" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberMacSet1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberMacSetName1 + $get.excludeMember.objectId | should be $MemberMacSet1.objectId + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberMacSet1 -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + + it "Can add a MACSet member by id" { Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberMacSet1.objectId $get = Get-nsxsecuritygroup -Name $secGrpName $get.name | should be $secGrp.name 
@@ -723,6 +1099,23 @@ Describe "SecurityGroups" { } + it "Can remove a MACSet exclude member by id" { + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberMacSet1.objectId -MemberIsExcluded + $get = Get-nsxsecuritygroup -Name $secGrpName + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $MemberMacSetName1 + $get.excludeMember.objectId | should be $MemberMacSet1.objectId + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $MemberMacSet1.objectId -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a Directory Group member by id" -skip:(-not $script:directoryDomainConfigured ) { $directoryGroup = Get-NsxApplicableMember -SecurityGroupApplicableMembers -MemberType DirectoryGroup | Select-Object -First 1 Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $directoryGroup.objectId 
@@ -735,6 +1128,24 @@ Describe "SecurityGroups" { $get.member.objectId | should be $directoryGroup.objectId } + it "Can remove a Directory Group exclude member by id" -skip:(-not $script:directoryDomainConfigured ) { + $directoryGroup = Get-NsxApplicableMember -SecurityGroupApplicableMembers -MemberType DirectoryGroup | Select-Object -First 1 + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $directoryGroup.objectId -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $directoryGroup.name + $get.excludeMember.objectId | should be $directoryGroup.objectId + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $directoryGroup.objectId -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + it "Can add a Directory Group member by object" -skip:(-not $script:directoryDomainConfigured ) { $directoryGroup = Get-NsxApplicableMember -SecurityGroupApplicableMembers -MemberType DirectoryGroup | Select-Object -First 1 Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $directoryGroup 
@@ -747,6 +1158,24 @@ Describe "SecurityGroups" { $get.member.objectId | should be $directoryGroup.objectId } + it "Can remove a Directory Group exclude member by object" -skip:(-not $script:directoryDomainConfigured ) { + $directoryGroup = Get-NsxApplicableMember -SecurityGroupApplicableMembers -MemberType DirectoryGroup | Select-Object -First 1 + Add-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $directoryGroup -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + $get.name | should be $secGrp.name + $get.description | should be $secGrp.description + + # Verify the excludeMember has been added + $get.excludeMember | should beoftype System.xml.xmlelement + $get.excludeMember.name | should be $directoryGroup.name + $get.excludeMember.objectId | should be $directoryGroup.objectId + + # Now remove the excludeMember + Remove-NsxSecurityGroupMember -SecurityGroup $SecGrp.objectId -Member $directoryGroup -MemberIsExcluded + $get = Get-nsxsecuritygroup -objectid $SecGrp.objectId + ($get | get-member -membertype property -Name excludeMember) | should be $null + } + foreach ( $key in $DynamicCriteriaKeySubstitute.keys ) { foreach ( $condition in $DynamicCriteriaConditionSubstitute.keys ) { it "Can create a new Dynamic Criteria Spec: $key/$condition" {