Separate security policy and rule

Signed-off-by: graysonwu <[email protected]>
vmware · Dec 7, 2023 · 149dc4e · 149dc4e
1 parent e9cf9cf
commit 149dc4e
Show file tree

Hide file tree

Showing 9 changed files with 634 additions and 71 deletions.
diff --git a/api/api_list.yaml b/api/api_list.yaml
@@ -877,3 +877,24 @@
   supported_method:
     - New
     - List
+- api_packages:
+    - client: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/infra/domains/security_policies
+      model: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model
+      type: Local
+    - client: github.com/vmware/vsphere-automation-sdk-go/services/nsxt-gm/global_infra/domains/security_policies
+      model: github.com/vmware/vsphere-automation-sdk-go/services/nsxt-gm/model
+      type: Global
+    - client: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/infra/domains/security_policies
+      model: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model
+      type: Multitenancy
+  model_name: Rule
+  obj_name: Rule
+  client_name: RulesClient
+  list_result_name: RuleListResult
+  supported_method:
+    - New
+    - Get
+    - Delete
+    - Patch
+    - Update
+    - List
diff --git a/api/infra/domains/security_policies/rule.go b/api/infra/domains/security_policies/rule.go
@@ -0,0 +1,192 @@
+//nolint:revive
+package securitypolicies
+
+// The following file has been autogenerated. Please avoid any changes!
+import (
+	"errors"
+
+	vapiProtocolClient_ "github.com/vmware/vsphere-automation-sdk-go/runtime/protocol/client"
+	client1 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt-gm/global_infra/domains/security_policies"
+	model1 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt-gm/model"
+	client0 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/infra/domains/security_policies"
+	model0 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model"
+	client2 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/infra/domains/security_policies"
+
+	utl "github.com/vmware/terraform-provider-nsxt/api/utl"
+)
+
+type RuleClientContext utl.ClientContext
+
+func NewRulesClient(sessionContext utl.SessionContext, connector vapiProtocolClient_.Connector) *RuleClientContext {
+	var client interface{}
+
+	switch sessionContext.ClientType {
+
+	case utl.Local:
+		client = client0.NewRulesClient(connector)
+
+	case utl.Global:
+		client = client1.NewRulesClient(connector)
+
+	case utl.Multitenancy:
+		client = client2.NewRulesClient(connector)
+
+	default:
+		return nil
+	}
+	return &RuleClientContext{Client: client, ClientType: sessionContext.ClientType, ProjectID: sessionContext.ProjectID}
+}
+
+func (c RuleClientContext) Get(domainIdParam string, securityPolicyIdParam string, ruleIdParam string) (model0.Rule, error) {
+	var obj model0.Rule
+	var err error
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		obj, err = client.Get(domainIdParam, securityPolicyIdParam, ruleIdParam)
+		if err != nil {
+			return obj, err
+		}
+
+	case utl.Global:
+		client := c.Client.(client1.RulesClient)
+		gmObj, err1 := client.Get(domainIdParam, securityPolicyIdParam, ruleIdParam)
+		if err1 != nil {
+			return obj, err1
+		}
+		var rawObj interface{}
+		rawObj, err = utl.ConvertModelBindingType(gmObj, model1.RuleBindingType(), model0.RuleBindingType())
+		obj = rawObj.(model0.Rule)
+
+	case utl.Multitenancy:
+		client := c.Client.(client2.RulesClient)
+		obj, err = client.Get(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, ruleIdParam)
+		if err != nil {
+			return obj, err
+		}
+
+	default:
+		return obj, errors.New("invalid infrastructure for model")
+	}
+	return obj, err
+}
+
+func (c RuleClientContext) Delete(domainIdParam string, securityPolicyIdParam string, ruleIdParam string) error {
+	var err error
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		err = client.Delete(domainIdParam, securityPolicyIdParam, ruleIdParam)
+
+	case utl.Global:
+		client := c.Client.(client1.RulesClient)
+		err = client.Delete(domainIdParam, securityPolicyIdParam, ruleIdParam)
+
+	case utl.Multitenancy:
+		client := c.Client.(client2.RulesClient)
+		err = client.Delete(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, ruleIdParam)
+
+	default:
+		err = errors.New("invalid infrastructure for model")
+	}
+	return err
+}
+
+func (c RuleClientContext) Patch(domainIdParam string, securityPolicyIdParam string, ruleIdParam string, ruleParam model0.Rule) error {
+	var err error
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		err = client.Patch(domainIdParam, securityPolicyIdParam, ruleIdParam, ruleParam)
+
+	case utl.Global:
+		client := c.Client.(client1.RulesClient)
+		gmObj, err1 := utl.ConvertModelBindingType(ruleParam, model0.RuleBindingType(), model1.RuleBindingType())
+		if err1 != nil {
+			return err1
+		}
+		err = client.Patch(domainIdParam, securityPolicyIdParam, ruleIdParam, gmObj.(model1.Rule))
+
+	case utl.Multitenancy:
+		client := c.Client.(client2.RulesClient)
+		err = client.Patch(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, ruleIdParam, ruleParam)
+
+	default:
+		err = errors.New("invalid infrastructure for model")
+	}
+	return err
+}
+
+func (c RuleClientContext) Update(domainIdParam string, securityPolicyIdParam string, ruleIdParam string, ruleParam model0.Rule) (model0.Rule, error) {
+	var err error
+	var obj model0.Rule
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		obj, err = client.Update(domainIdParam, securityPolicyIdParam, ruleIdParam, ruleParam)
+
+	case utl.Global:
+		client := c.Client.(client1.RulesClient)
+		gmObj, err := utl.ConvertModelBindingType(ruleParam, model0.RuleBindingType(), model1.RuleBindingType())
+		if err != nil {
+			return obj, err
+		}
+		gmObj, err = client.Update(domainIdParam, securityPolicyIdParam, ruleIdParam, gmObj.(model1.Rule))
+		if err != nil {
+			return obj, err
+		}
+		obj1, err1 := utl.ConvertModelBindingType(gmObj, model1.RuleBindingType(), model0.RuleBindingType())
+		if err1 != nil {
+			return obj, err1
+		}
+		obj = obj1.(model0.Rule)
+
+	case utl.Multitenancy:
+		client := c.Client.(client2.RulesClient)
+		obj, err = client.Update(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, ruleIdParam, ruleParam)
+
+	default:
+		err = errors.New("invalid infrastructure for model")
+	}
+	return obj, err
+}
+
+func (c RuleClientContext) List(domainIdParam string, securityPolicyIdParam string, cursorParam *string, includeMarkForDeleteObjectsParam *bool, includedFieldsParam *string, pageSizeParam *int64, sortAscendingParam *bool, sortByParam *string) (model0.RuleListResult, error) {
+	var err error
+	var obj model0.RuleListResult
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		obj, err = client.List(domainIdParam, securityPolicyIdParam, cursorParam, includeMarkForDeleteObjectsParam, includedFieldsParam, pageSizeParam, sortAscendingParam, sortByParam)
+
+	case utl.Global:
+		client := c.Client.(client1.RulesClient)
+		gmObj, err := client.List(domainIdParam, securityPolicyIdParam, cursorParam, includeMarkForDeleteObjectsParam, includedFieldsParam, pageSizeParam, sortAscendingParam, sortByParam)
+		if err != nil {
+			return obj, err
+		}
+		obj1, err1 := utl.ConvertModelBindingType(gmObj, model1.RuleListResultBindingType(), model0.RuleListResultBindingType())
+		if err1 != nil {
+			return obj, err1
+		}
+		obj = obj1.(model0.RuleListResult)
+
+	case utl.Multitenancy:
+		client := c.Client.(client2.RulesClient)
+		obj, err = client.List(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, cursorParam, includeMarkForDeleteObjectsParam, includedFieldsParam, pageSizeParam, sortAscendingParam, sortByParam)
+
+	default:
+		err = errors.New("invalid infrastructure for model")
+	}
+	return obj, err
+}
diff --git a/nsxt/policy_common.go b/nsxt/policy_common.go
@@ -166,17 +166,23 @@ func getPolicyRuleActionSchema(isIds bool) *schema.Schema {
 }
 
 func getSecurityPolicyAndGatewayRulesSchema(scopeRequired bool, isIds bool, nsxIDReadOnly bool) *schema.Schema {
+	return &schema.Schema{
+		Type:        schema.TypeList,
+		Description: "List of rules in the section",
+		Optional:    true,
+		MaxItems:    1000,
+		Elem: &schema.Resource{
+			Schema: getSecurityPolicyAndGatewayRuleSchema(scopeRequired, isIds, nsxIDReadOnly, false),
+		},
+	}
+}
+
+func getSecurityPolicyAndGatewayRuleSchema(scopeRequired bool, isIds bool, nsxIDReadOnly bool, separated bool) map[string]*schema.Schema {
 	ruleSchema := map[string]*schema.Schema{
 		"nsx_id":       getFlexNsxIDSchema(nsxIDReadOnly),
 		"display_name": getDisplayNameSchema(),
 		"description":  getDescriptionSchema(),
 		"revision":     getRevisionSchema(),
-		"sequence_number": {
-			Type:        schema.TypeInt,
-			Description: "Sequence number of the this rule",
-			Optional:    true,
-			Computed:    true,
-		},
 		"destination_groups": {
 			Type:        schema.TypeSet,
 			Description: "List of destination groups",
@@ -282,19 +288,27 @@ func getSecurityPolicyAndGatewayRulesSchema(scopeRequired bool, isIds bool, nsxI
 	if isIds {
 		ruleSchema["ids_profiles"] = getIdsProfilesSchema()
 	}
-	return &schema.Schema{
-		Type:        schema.TypeList,
-		Description: "List of rules in the section",
-		Optional:    true,
-		MaxItems:    1000,
-		Elem: &schema.Resource{
-			Schema: ruleSchema,
-		},
+	if separated {
+		ruleSchema["policy_path"] = getPolicyPathSchema(true, false, "Security Policy path")
+		ruleSchema["sequence_number"] = &schema.Schema{
+			Type:        schema.TypeInt,
+			Description: "Sequence number of the this rule",
+			Required:    true,
+		}
+		ruleSchema["context"] = getContextSchema()
+	} else {
+		ruleSchema["sequence_number"] = &schema.Schema{
+			Type:        schema.TypeInt,
+			Description: "Sequence number of the this rule",
+			Optional:    true,
+			Computed:    true,
+		}
 	}
+	return ruleSchema
 }
 
 func getPolicyGatewayPolicySchema() map[string]*schema.Schema {
-	secPolicy := getPolicySecurityPolicySchema(false, true)
+	secPolicy := getPolicySecurityPolicySchema(false, true, true)
 	// GW Policies don't support scope
 	delete(secPolicy, "scope")
 	secPolicy["category"].ValidateFunc = validation.StringInSlice(gatewayPolicyCategoryWritableValues, false)
@@ -303,7 +317,7 @@ func getPolicyGatewayPolicySchema() map[string]*schema.Schema {
 	return secPolicy
 }
 
-func getPolicySecurityPolicySchema(isIds bool, withContext bool) map[string]*schema.Schema {
+func getPolicySecurityPolicySchema(isIds, withContext, withRule bool) map[string]*schema.Schema {
 	result := map[string]*schema.Schema{
 		"nsx_id":       getNsxIDSchema(),
 		"path":         getPathSchema(),
@@ -371,6 +385,10 @@ func getPolicySecurityPolicySchema(isIds bool, withContext bool) map[string]*sch
 	if !withContext {
 		delete(result, "context")
 	}
+
+	if !withRule {
+		delete(result, "rule")
+	}
 	return result
 }
 

diff --git a/nsxt/policy_utils.go b/nsxt/policy_utils.go
@@ -155,6 +155,21 @@ func setPathListInMap(data map[string]interface{}, attrName string, pathList []s
 	}
 }
 
+func getPathListFromSchema(d *schema.ResourceData, schemaAttrName string) []string {
+	pathList := interface2StringList(d.Get(schemaAttrName).(*schema.Set).List())
+	if len(pathList) == 0 {
+		// Convert empty value to "ANY"
+		pathList = append(pathList, "ANY")
+	}
+	return pathList
+}
+
+func setPathListInSchema(d *schema.ResourceData, attrName string, pathList []string) {
+	if !(len(pathList) == 1 && pathList[0] == "ANY") {
+		d.Set(attrName, pathList)
+	}
+}
+
 func getDomainFromResourcePath(rPath string) string {
 	return getResourceIDFromResourcePath(rPath, "domains")
 }

diff --git a/nsxt/provider.go b/nsxt/provider.go
@@ -437,6 +437,8 @@ func Provider() *schema.Provider {
 			"nsxt_edge_high_availability_profile":          resourceNsxtEdgeHighAvailabilityProfile(),
 			"nsxt_policy_host_transport_node_collection":   resourceNsxtPolicyHostTransportNodeCollection(),
 			"nsxt_policy_lb_client_ssl_profile":            resourceNsxtPolicyLBClientSslProfile(),
+			"nsxt_policy_security_policy_rule":             resourceNsxtPolicySecurityPolicyRule(),
+			"nsxt_policy_security_policy_no_rule":          resourceNsxtPolicySecurityPolicyNoRule(),
 		},
 
 		ConfigureFunc: providerConfigure,

diff --git a/nsxt/resource_nsxt_policy_intrusion_service_policy.go b/nsxt/resource_nsxt_policy_intrusion_service_policy.go
@@ -29,7 +29,7 @@ func resourceNsxtPolicyIntrusionServicePolicy() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			State: nsxtDomainResourceImporter,
 		},
-		Schema: getPolicySecurityPolicySchema(true, false),
+		Schema: getPolicySecurityPolicySchema(true, false, true),
 	}
 }