Skip to content

Commit

Permalink
VPC E-W security policy resource
Browse files Browse the repository at this point in the history
Implement the resource for east-west VPC security policy.

Signed-off-by: Kobi Samoray <[email protected]>
  • Loading branch information
ksamoray committed Jun 4, 2024
1 parent 6ea23e2 commit 3783c57
Show file tree
Hide file tree
Showing 12 changed files with 519 additions and 63 deletions.
5 changes: 5 additions & 0 deletions nsxt/gateway_common.go
Original file line number Diff line number Diff line change
Expand Up @@ -436,6 +436,11 @@ func policyInfraPatch(context utl.SessionContext, obj model.Infra, connector cli
}

return infraClient.Patch(gmObj.(gm_model.Infra), &enforceRevision)
} else if context.ClientType == utl.VPC {
context = utl.SessionContext{
ClientType: utl.Multitenancy,
ProjectID: context.ProjectID,
}
}

infraClient := nsx_policy.NewInfraClient(context, connector)
Expand Down
9 changes: 6 additions & 3 deletions nsxt/policy_common.go
Original file line number Diff line number Diff line change
Expand Up @@ -311,7 +311,7 @@ func getSecurityPolicyAndGatewayRuleSchema(scopeRequired bool, isIds bool, nsxID
}

func getPolicyGatewayPolicySchema() map[string]*schema.Schema {
secPolicy := getPolicySecurityPolicySchema(false, true, true)
secPolicy := getPolicySecurityPolicySchema(false, true, true, true)
// GW Policies don't support scope
delete(secPolicy, "scope")
secPolicy["category"].ValidateFunc = validation.StringInSlice(gatewayPolicyCategoryWritableValues, false)
Expand All @@ -320,15 +320,15 @@ func getPolicyGatewayPolicySchema() map[string]*schema.Schema {
return secPolicy
}

func getPolicySecurityPolicySchema(isIds, withContext, withRule bool) map[string]*schema.Schema {
func getPolicySecurityPolicySchema(isIds, withContext, withRule, withDomain bool) map[string]*schema.Schema {
result := map[string]*schema.Schema{
"nsx_id": getNsxIDSchema(),
"path": getPathSchema(),
"display_name": getDisplayNameSchema(),
"description": getDescriptionSchema(),
"revision": getRevisionSchema(),
"tag": getTagsSchema(),
"context": getContextSchema(false, false, false),
"context": getContextSchema(!withDomain, false, !withDomain),
"domain": getDomainNameSchema(),
"category": {
Type: schema.TypeString,
Expand Down Expand Up @@ -392,6 +392,9 @@ func getPolicySecurityPolicySchema(isIds, withContext, withRule bool) map[string
if !withRule {
delete(result, "rule")
}
if !withDomain {
delete(result, "domain")
}
return result
}

Expand Down
1 change: 1 addition & 0 deletions nsxt/provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -496,6 +496,7 @@ func Provider() *schema.Provider {
"nsxt_policy_gateway_flood_protection_profile_binding": resourceNsxtPolicyGatewayFloodProtectionProfileBinding(),
"nsxt_policy_compute_sub_cluster": resourceNsxtPolicyComputeSubCluster(),
"nsxt_policy_tier0_inter_vrf_routing": resourceNsxtPolicyTier0InterVRFRouting(),
"nsxt_policy_vpc_security_policy": resourceNsxtPolicyVPCSecurityPolicy(),
},

ConfigureFunc: providerConfigure,
Expand Down
2 changes: 1 addition & 1 deletion nsxt/resource_nsxt_policy_intrusion_service_policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ func resourceNsxtPolicyIntrusionServicePolicy() *schema.Resource {
Importer: &schema.ResourceImporter{
State: nsxtDomainResourceImporter,
},
Schema: getPolicySecurityPolicySchema(true, true, true),
Schema: getPolicySecurityPolicySchema(true, true, true, true),
}
}

Expand Down
19 changes: 12 additions & 7 deletions nsxt/resource_nsxt_policy_parent_security_policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ func resourceNsxtPolicyParentSecurityPolicy() *schema.Resource {
Importer: &schema.ResourceImporter{
State: nsxtDomainResourceImporter,
},
Schema: getPolicySecurityPolicySchema(false, true, false),
Schema: getPolicySecurityPolicySchema(false, true, false, true),
}
}

Expand Down Expand Up @@ -55,10 +55,13 @@ func parentSecurityPolicySchemaToModel(d *schema.ResourceData, id string) model.
}
}

func parentSecurityPolicyModelToSchema(d *schema.ResourceData, m interface{}) (*model.SecurityPolicy, error) {
func parentSecurityPolicyModelToSchema(d *schema.ResourceData, m interface{}, withDomain bool) (*model.SecurityPolicy, error) {
connector := getPolicyConnector(m)
id := d.Id()
domainName := d.Get("domain").(string)
domainName := ""
if withDomain {
domainName = d.Get("domain").(string)
}
if id == "" {
return nil, fmt.Errorf("Error obtaining Security Policy id")
}
Expand All @@ -72,7 +75,9 @@ func parentSecurityPolicyModelToSchema(d *schema.ResourceData, m interface{}) (*
setPolicyTagsInSchema(d, obj.Tags)
d.Set("nsx_id", id)
d.Set("path", obj.Path)
d.Set("domain", getDomainFromResourcePath(*obj.Path))
if withDomain {
d.Set("domain", getDomainFromResourcePath(*obj.Path))
}
d.Set("category", obj.Category)
d.Set("comments", obj.Comments)
d.Set("locked", obj.Locked)
Expand All @@ -89,15 +94,15 @@ func parentSecurityPolicyModelToSchema(d *schema.ResourceData, m interface{}) (*
}

func resourceNsxtPolicyParentSecurityPolicyCreate(d *schema.ResourceData, m interface{}) error {
return resourceNsxtPolicySecurityPolicyGeneralCreate(d, m, false)
return resourceNsxtPolicySecurityPolicyGeneralCreate(d, m, false, true)
}

func resourceNsxtPolicyParentSecurityPolicyRead(d *schema.ResourceData, m interface{}) error {
return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, false)
return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, false, true)
}

func resourceNsxtPolicyParentSecurityPolicyUpdate(d *schema.ResourceData, m interface{}) error {
return resourceNsxtPolicySecurityPolicyGeneralUpdate(d, m, false)
return resourceNsxtPolicySecurityPolicyGeneralUpdate(d, m, false, true)
}

func resourceNsxtPolicyParentSecurityPolicyDelete(d *schema.ResourceData, m interface{}) error {
Expand Down
82 changes: 73 additions & 9 deletions nsxt/resource_nsxt_policy_predefined_security_policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (

"github.com/vmware/vsphere-automation-sdk-go/runtime/bindings"
"github.com/vmware/vsphere-automation-sdk-go/runtime/data"
nsxt "github.com/vmware/vsphere-automation-sdk-go/services/nsxt"
"github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model"

"github.com/vmware/terraform-provider-nsxt/api/infra/domains"
Expand Down Expand Up @@ -178,6 +179,60 @@ func revertSecurityPolicyDefaultRule(rule model.Rule) model.Rule {
return rule
}

func strPtr(s string) *string {
v := s
return &v
}

func createChildVPCWithSecurityPolicy(context utl.SessionContext, policyID string, policy model.SecurityPolicy) (*data.StructValue, error) {
converter := bindings.NewTypeConverter()

childPolicy := model.ChildSecurityPolicy{
ResourceType: "ChildSecurityPolicy",
SecurityPolicy: &policy,
}

dataValue, errors := converter.ConvertToVapi(childPolicy, model.ChildSecurityPolicyBindingType())
if len(errors) > 0 {
return nil, errors[0]
}

childVPC := model.ChildResourceReference{
Id: &context.VPCID,
ResourceType: "ChildResourceReference",
TargetType: strPtr("Vpc"),
Children: []*data.StructValue{dataValue.(*data.StructValue)},
}

dataValue, errors = converter.ConvertToVapi(childVPC, model.ChildResourceReferenceBindingType())
if len(errors) > 0 {
return nil, errors[0]
}
childProject := model.ChildResourceReference{
Id: &context.ProjectID,
ResourceType: "ChildResourceReference",
TargetType: strPtr("Project"),
Children: []*data.StructValue{dataValue.(*data.StructValue)},
}
dataValue, errors = converter.ConvertToVapi(childProject, model.ChildResourceReferenceBindingType())
if len(errors) > 0 {
return nil, errors[0]
}

childOrg := model.ChildResourceReference{
Id: strPtr(defaultOrgID),
ResourceType: "ChildResourceReference",
TargetType: strPtr("Org"),
Children: []*data.StructValue{dataValue.(*data.StructValue)},
}
dataValue, errors = converter.ConvertToVapi(childOrg, model.ChildResourceReferenceBindingType())
if len(errors) > 0 {
return nil, errors[0]
}

return dataValue.(*data.StructValue), nil
}

func createChildDomainWithSecurityPolicy(domain string, policyID string, policy model.SecurityPolicy) (*data.StructValue, error) {
converter := bindings.NewTypeConverter()

Expand Down Expand Up @@ -406,20 +461,29 @@ func resourceNsxtPolicyPredefinedSecurityPolicyDelete(d *schema.ResourceData, m
}

func securityPolicyInfraPatch(context utl.SessionContext, policy model.SecurityPolicy, domain string, m interface{}) error {
connector := getPolicyConnector(m)
if context.ClientType == utl.VPC {
childVPC, err := createChildVPCWithSecurityPolicy(context, *policy.Id, policy)
if err != nil {
return fmt.Errorf("Failed to create H-API for VPC Security Policy: %s", err)
}
orgRoot := model.OrgRoot{
ResourceType: strPtr("OrgRoot"),
Children: []*data.StructValue{childVPC},
}

client := nsxt.NewOrgRootClient(connector)
return client.Patch(orgRoot, nil)
}

childDomain, err := createChildDomainWithSecurityPolicy(domain, *policy.Id, policy)
if err != nil {
return fmt.Errorf("Failed to create H-API for Predefined Security Policy: %s", err)
}

var infraChildren []*data.StructValue
infraChildren = append(infraChildren, childDomain)

infraType := "Infra"
infraObj := model.Infra{
Children: infraChildren,
ResourceType: &infraType,
Children: []*data.StructValue{childDomain},
ResourceType: strPtr("Infra"),
}

return policyInfraPatch(context, infraObj, getPolicyConnector(m), false)

return policyInfraPatch(context, infraObj, connector, false)
}
37 changes: 22 additions & 15 deletions nsxt/resource_nsxt_policy_security_policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ func resourceNsxtPolicySecurityPolicy() *schema.Resource {
Importer: &schema.ResourceImporter{
State: nsxtDomainResourceImporter,
},
Schema: getPolicySecurityPolicySchema(false, true, true),
Schema: getPolicySecurityPolicySchema(false, true, true, true),
}
}

Expand Down Expand Up @@ -55,9 +55,12 @@ func resourceNsxtPolicySecurityPolicyExistsPartial(domainName string) func(sessi
}
}

func policySecurityPolicyBuildAndPatch(d *schema.ResourceData, m interface{}, id string, createFlow, withRule bool) error {
func policySecurityPolicyBuildAndPatch(d *schema.ResourceData, m interface{}, id string, createFlow, withRule, withDomain bool) error {
obj := parentSecurityPolicySchemaToModel(d, id)
domain := d.Get("domain").(string)
domain := ""
if withDomain {
domain = d.Get("domain").(string)
}
revision := int64(d.Get("revision").(int))
log.Printf("[INFO] Creating Security Policy with ID %s", id)

Expand Down Expand Up @@ -86,15 +89,15 @@ func policySecurityPolicyBuildAndPatch(d *schema.ResourceData, m interface{}, id
}

func resourceNsxtPolicySecurityPolicyCreate(d *schema.ResourceData, m interface{}) error {
return resourceNsxtPolicySecurityPolicyGeneralCreate(d, m, true)
return resourceNsxtPolicySecurityPolicyGeneralCreate(d, m, true, true)
}

func resourceNsxtPolicySecurityPolicyRead(d *schema.ResourceData, m interface{}) error {
return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, true)
return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, true, true)
}

func resourceNsxtPolicySecurityPolicyUpdate(d *schema.ResourceData, m interface{}) error {
return resourceNsxtPolicySecurityPolicyGeneralUpdate(d, m, true)
return resourceNsxtPolicySecurityPolicyGeneralUpdate(d, m, true, true)
}

func resourceNsxtPolicySecurityPolicyDelete(d *schema.ResourceData, m interface{}) error {
Expand All @@ -115,14 +118,18 @@ func resourceNsxtPolicySecurityPolicyDelete(d *schema.ResourceData, m interface{
return nil
}

func resourceNsxtPolicySecurityPolicyGeneralCreate(d *schema.ResourceData, m interface{}, withRule bool) error {
func resourceNsxtPolicySecurityPolicyGeneralCreate(d *schema.ResourceData, m interface{}, withRule, withDomain bool) error {
// Initialize resource Id and verify this ID is not yet used
id, err := getOrGenerateID2(d, m, resourceNsxtPolicySecurityPolicyExistsPartial(d.Get("domain").(string)))
domain := ""
if withDomain {
domain = d.Get("domain").(string)
}
id, err := getOrGenerateID2(d, m, resourceNsxtPolicySecurityPolicyExistsPartial(domain))
if err != nil {
return err
}

err = policySecurityPolicyBuildAndPatch(d, m, id, true, withRule)
err = policySecurityPolicyBuildAndPatch(d, m, id, true, withRule, withDomain)

if err != nil {
return handleCreateError("Security Policy", id, err)
Expand All @@ -131,11 +138,11 @@ func resourceNsxtPolicySecurityPolicyGeneralCreate(d *schema.ResourceData, m int
d.SetId(id)
d.Set("nsx_id", id)

return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule)
return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule, withDomain)
}

func resourceNsxtPolicySecurityPolicyGeneralRead(d *schema.ResourceData, m interface{}, withRule bool) error {
obj, err := parentSecurityPolicyModelToSchema(d, m)
func resourceNsxtPolicySecurityPolicyGeneralRead(d *schema.ResourceData, m interface{}, withRule, withDomain bool) error {
obj, err := parentSecurityPolicyModelToSchema(d, m, withDomain)
if err != nil {
return handleReadError(d, "SecurityPolicy", d.Id(), err)
}
Expand All @@ -145,15 +152,15 @@ func resourceNsxtPolicySecurityPolicyGeneralRead(d *schema.ResourceData, m inter
return nil
}

func resourceNsxtPolicySecurityPolicyGeneralUpdate(d *schema.ResourceData, m interface{}, withRule bool) error {
func resourceNsxtPolicySecurityPolicyGeneralUpdate(d *schema.ResourceData, m interface{}, withRule, withDomain bool) error {
id := d.Id()
if id == "" {
return fmt.Errorf("Error obtaining Security Policy id")
}
err := policySecurityPolicyBuildAndPatch(d, m, id, false, withRule)
err := policySecurityPolicyBuildAndPatch(d, m, id, false, withRule, withDomain)
if err != nil {
return handleUpdateError("Security Policy", id, err)
}

return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule)
return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule, withDomain)
}
Loading

0 comments on commit 3783c57

Please sign in to comment.