/* Copyright © 2019 VMware, Inc. All Rights Reserved.
SPDX-License-Identifier: MPL-2.0 */
package nsxt
import (
"fmt"
"log"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/vmware/vsphere-automation-sdk-go/runtime/protocol/client"
"github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model"
"github.com/vmware/terraform-provider-nsxt/api/infra/domains"
utl "github.com/vmware/terraform-provider-nsxt/api/utl"
)
// resourceNsxtPolicySecurityPolicy returns the Terraform resource definition for
// a domain-scoped NSX-T policy security policy whose rules are managed inline
// (the CRUD hooks below call the General* helpers with withRule=true, isVPC=false).
func resourceNsxtPolicySecurityPolicy() *schema.Resource {
	res := &schema.Resource{
		Create: resourceNsxtPolicySecurityPolicyCreate,
		Read:   resourceNsxtPolicySecurityPolicyRead,
		Update: resourceNsxtPolicySecurityPolicyUpdate,
		Delete: resourceNsxtPolicySecurityPolicyDelete,
	}
	// NOTE(review): the importer's name suggests it parses a domain-qualified ID;
	// confirm against nsxtDomainResourceImporter before relying on that.
	res.Importer = &schema.ResourceImporter{State: nsxtDomainResourceImporter}
	// The four flags are positional; see getPolicySecurityPolicySchema for what
	// each one toggles.
	res.Schema = getPolicySecurityPolicySchema(false, true, true, false)
	return res
}
// getSecurityPolicyInDomain fetches security policy id from domainName.
// It returns policyResourceNotSupportedError when no security-policies client
// can be built for the given session context.
func getSecurityPolicyInDomain(sessionContext utl.SessionContext, id string, domainName string, connector client.Connector) (model.SecurityPolicy, error) {
	// Named c rather than client so the client package is not shadowed.
	c := domains.NewSecurityPoliciesClient(sessionContext, connector)
	if c != nil {
		return c.Get(domainName, id)
	}
	return model.SecurityPolicy{}, policyResourceNotSupportedError()
}
// resourceNsxtPolicySecurityPolicyExistsInDomain reports whether security policy
// id exists in domainName. A not-found response maps to (false, nil); any other
// API failure is logged via logAPIError and returned; a missing client yields
// policyResourceNotSupportedError.
func resourceNsxtPolicySecurityPolicyExistsInDomain(sessionContext utl.SessionContext, id string, domainName string, connector client.Connector) (bool, error) {
	c := domains.NewSecurityPoliciesClient(sessionContext, connector)
	if c == nil {
		return false, policyResourceNotSupportedError()
	}
	_, err := c.Get(domainName, id)
	switch {
	case err == nil:
		return true, nil
	case isNotFoundError(err):
		// Absence is a normal outcome here, not an error.
		return false, nil
	default:
		return false, logAPIError("Error retrieving Security Policy", err)
	}
}
// resourceNsxtPolicySecurityPolicyExistsPartial binds domainName and returns an
// existence check with the signature expected by getOrGenerateID2.
func resourceNsxtPolicySecurityPolicyExistsPartial(domainName string) func(sessionContext utl.SessionContext, id string, connector client.Connector) (bool, error) {
	check := func(sessionContext utl.SessionContext, id string, connector client.Connector) (bool, error) {
		return resourceNsxtPolicySecurityPolicyExistsInDomain(sessionContext, id, domainName, connector)
	}
	return check
}
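// policySecurityPolicyBuildAndPatch converts the resource data into a
// model.SecurityPolicy and sends it to NSX via securityPolicyInfraPatch.
//
// createFlow selects create vs. update semantics (update attaches the current
// revision); withRule additionally validates rule sequencing on create and
// attaches the rule children; isVPC skips the domain attribute entirely.
// Errors from schema conversion, rule validation, rule-children assembly and
// the patch call are returned unchanged.
//
// Fix: the log line used to say "Creating" on both flows; it now reflects
// whether this is a create or an update.
func policySecurityPolicyBuildAndPatch(d *schema.ResourceData, m interface{}, id string, createFlow, withRule, isVPC bool) error {
	obj, structErr := parentSecurityPolicySchemaToModel(d, id)
	if structErr != nil {
		return structErr
	}

	// VPC-scoped policies carry no domain; only read the attribute otherwise.
	domain := ""
	if !isVPC {
		domain = d.Get("domain").(string)
	}

	if createFlow {
		log.Printf("[INFO] Creating Security Policy with ID %s", id)
		// Rule sequence validation only runs on the create flow.
		if withRule {
			if err := validatePolicyRuleSequence(d); err != nil {
				return err
			}
		}
	} else {
		log.Printf("[INFO] Updating Security Policy with ID %s", id)
		// Update flow: send the revision currently held in state with the patch.
		revision := int64(d.Get("revision").(int))
		obj.Revision = &revision
	}

	if withRule {
		policyChildren, err := getUpdatedRuleChildren(d)
		if err != nil {
			return err
		}
		// Leave Children nil when there is nothing to send rather than an empty slice.
		if len(policyChildren) > 0 {
			obj.Children = policyChildren
		}
	}

	log.Printf("[INFO] Using selective H-API for policy with ID %s", id)
	return securityPolicyInfraPatch(getSessionContext(d, m), obj, domain, m)
}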
// resourceNsxtPolicySecurityPolicyCreate is the Create hook for the domain-scoped
// security policy resource: rules are managed inline and this is not the VPC flavour.
func resourceNsxtPolicySecurityPolicyCreate(d *schema.ResourceData, m interface{}) error {
	const withRule, isVPC = true, false
	return resourceNsxtPolicySecurityPolicyGeneralCreate(d, m, withRule, isVPC)
}
// resourceNsxtPolicySecurityPolicyRead is the Read hook for the domain-scoped
// security policy resource: rules are read back into state, non-VPC flavour.
func resourceNsxtPolicySecurityPolicyRead(d *schema.ResourceData, m interface{}) error {
	const withRule, isVPC = true, false
	return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule, isVPC)
}
// resourceNsxtPolicySecurityPolicyUpdate is the Update hook for the domain-scoped
// security policy resource: rules are patched inline, non-VPC flavour.
func resourceNsxtPolicySecurityPolicyUpdate(d *schema.ResourceData, m interface{}) error {
	const withRule, isVPC = true, false
	return resourceNsxtPolicySecurityPolicyGeneralUpdate(d, m, withRule, isVPC)
}
// resourceNsxtPolicySecurityPolicyDelete removes the security policy identified
// by the resource ID from the domain named in state. It errors when the ID is
// empty, when no client is available (policyResourceNotSupportedError), or when
// the API delete fails (wrapped by handleDeleteError).
func resourceNsxtPolicySecurityPolicyDelete(d *schema.ResourceData, m interface{}) error {
	id := d.Id()
	if id == "" {
		return fmt.Errorf("Error obtaining Security Policy id")
	}
	connector := getPolicyConnector(m)
	c := domains.NewSecurityPoliciesClient(getSessionContext(d, m), connector)
	if c == nil {
		return policyResourceNotSupportedError()
	}
	domain := d.Get("domain").(string)
	if err := c.Delete(domain, id); err != nil {
		return handleDeleteError("Security Policy", id, err)
	}
	return nil
}
// resourceNsxtPolicySecurityPolicyGeneralCreate implements create for both the
// domain-scoped and VPC flavours. It obtains or generates an ID (checking that it
// is not already in use), patches the policy, records the ID in state and under
// nsx_id, then refreshes state through the general read.
func resourceNsxtPolicySecurityPolicyGeneralCreate(d *schema.ResourceData, m interface{}, withRule, isVPC bool) error {
	// VPC policies are not domain-scoped, so the existence check runs with an
	// empty domain.
	var domain string
	if !isVPC {
		domain = d.Get("domain").(string)
	}
	exists := resourceNsxtPolicySecurityPolicyExistsPartial(domain)
	id, err := getOrGenerateID2(d, m, exists)
	if err != nil {
		return err
	}
	if err = policySecurityPolicyBuildAndPatch(d, m, id, true, withRule, isVPC); err != nil {
		return handleCreateError("Security Policy", id, err)
	}
	d.SetId(id)
	d.Set("nsx_id", id)
	return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule, isVPC)
}
// resourceNsxtPolicySecurityPolicyGeneralRead refreshes state from NSX. Read
// failures go through handleReadError; when withRule is set the policy's rules
// are written into state as well.
func resourceNsxtPolicySecurityPolicyGeneralRead(d *schema.ResourceData, m interface{}, withRule, isVPC bool) error {
	obj, err := parentSecurityPolicyModelToSchema(d, m, isVPC)
	if err != nil {
		return handleReadError(d, "SecurityPolicy", d.Id(), err)
	}
	if !withRule {
		return nil
	}
	return setPolicyRulesInSchema(d, obj.Rules)
}
// resourceNsxtPolicySecurityPolicyGeneralUpdate implements update for both
// flavours: it patches the policy under the existing ID (update flow, so the
// revision is sent) and then refreshes state through the general read. An empty
// resource ID is an error.
func resourceNsxtPolicySecurityPolicyGeneralUpdate(d *schema.ResourceData, m interface{}, withRule, isVPC bool) error {
	id := d.Id()
	if id == "" {
		return fmt.Errorf("Error obtaining Security Policy id")
	}
	if err := policySecurityPolicyBuildAndPatch(d, m, id, false, withRule, isVPC); err != nil {
		return handleUpdateError("Security Policy", id, err)
	}
	return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule, isVPC)
}