vmware-archive · dcoghlan · Apr 6, 2021 · Apr 6, 2021 · Apr 6, 2021 · Apr 6, 2021
diff --git a/module/PowerNSX.psm1 b/module/PowerNSX.psm1
@@ -23747,6 +23747,9 @@ function Remove-NsxSecurityGroupMember {
             [object]$SecurityGroup,
         [Parameter (Mandatory=$False)]
             [switch]$FailIfAbsent=$true,
+        [Parameter (Mandatory=$False)]
+            #The specified exclude members are to be removed from the security group
+            [switch]$MemberIsExcluded=$false,
         [Parameter (Mandatory=$true)]
             [ValidateScript({ ValidateSecurityGroupMember $_ })]
             [object[]]$Member,
@@ -23767,7 +23770,7 @@ function Remove-NsxSecurityGroupMember {
     }
 
     process {
-
+        $modified = $False
         #Get our internal SG object and id.  The internal obejct is used to modify and put for bulk update.
         if ( $SecurityGroup -is [System.Xml.XmlElement] ) {
             $SecurityGroupId = $securityGroup.objectId
@@ -23787,7 +23790,7 @@ function Remove-NsxSecurityGroupMember {
                 if ($_Member -is [System.Xml.XmlElement] ) {
                     $MemberMoref = $_Member.objectId
                 }
-                elseif ( ($_Member -is [string]) -and ($_Member -match "^vm-\d+$|^resgroup-\d+$|^dvportgroup-\d+$|^directory_group-\d+$" )) {
+                elseif ( ($_Member -is [string]) -and ($_Member -match "^vm-\d+$|^resgroup-\d+$|^dvportgroup-\d+$|^directory_group-\d+$|^domain-c\d+$" )) {
                     $MemberMoref = $_Member
 
                 }
@@ -23811,24 +23814,38 @@ function Remove-NsxSecurityGroupMember {
                     throw "Invalid member specified $($_Member)"
                 }
 
-                if ( $FailIfAbsent) {
-                    #Need to check before removing the member, because we are now using bulk update, the API doesnt do this for us.
-                    #To support the prior functionality of failIfAbsent, we have to check ourselves...
-
+                # Check for the correct member type (inclue or exclude member)
+                if ( $MemberIsExcluded ) {
+                    $existingMember = (Invoke-XpathQuery -QueryMethod SelectSingleNode -Node $_SecurityGroup -query "child::excludeMember[objectId=`"$MemberMoref`"]" )
+                }
+                else {
                     $existingMember = (Invoke-XpathQuery -QueryMethod SelectSingleNode -Node $_SecurityGroup -query "child::member[objectId=`"$MemberMoref`"]" )
+                }
 
-                    if ( $existingMember -eq $null ) {
-                        throw "Member $($_Member.Name) ($MemberMoref) is not a member of the specified SecurityGroup."
-                    }
-                    else {
-                        $null = $_SecurityGroup.Removechild($existingMember)
+                if ( $FailIfAbsent) {
+                    #To support the prior functionality of failIfAbsent, we have to check ourselves...
+                    if ( $null -eq $existingMember ) {
+                        throw "Member $(if ($_Member | Get-Member -memberType Properties -name Name) {$_member.name}) ($MemberMoref) is not a member of the specified SecurityGroup."
                     }
                 }
+
+                #Need to check before removing the member, because we are now using bulk update, the API doesnt do this for us.
+                if ($existingMember) {
+                    $null = $_SecurityGroup.Removechild($existingMember)
+                    $modified = $True
+                }
             }
-            $URI = "/api/2.0/services/securitygroup/bulk/$($SecurityGroupId)"
-            Write-Progress -activity "Updating membership of Security Group $SecurityGroupId"
-            $null = invoke-nsxwebrequest -method "put" -uri $URI -connection $connection -body $_SecurityGroup.OuterXml
-            write-progress -activity "Updating membership of Security Group $SecurityGroupId" -completed
+
+            # There is no reason to just blindly update the configuration as
+            # there may be no changes required, so we only do it if we find the
+            # member/excludeMember object via the xPath query
+            if ($modified) {
+                $URI = "/api/2.0/services/securitygroup/bulk/$($SecurityGroupId)"
+                Write-Progress -activity "Updating membership of Security Group $SecurityGroupId"
+                $null = invoke-nsxwebrequest -method "put" -uri $URI -connection $connection -body $_SecurityGroup.OuterXml
+                write-progress -activity "Updating membership of Security Group $SecurityGroupId" -completed
+            }
+
         }
         #Get-NsxSecurityGroup -objectId $SecurityGroup.objectId -connection $connection
     }