Merge pull request #627 from vmware/segment-urpf

Support urpf_mode in segment advanced config
vmware · May 27, 2021 · a8bc5f9 · a8bc5f9
2 parents 78a47a6 + 342c4b6
commit a8bc5f9
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 0 deletions.
diff --git a/nsxt/resource_nsxt_policy_segment_test.go b/nsxt/resource_nsxt_policy_segment_test.go
@@ -151,6 +151,7 @@ func TestAccResourceNsxtPolicySegment_updateAdvConfig(t *testing.T) {
 					resource.TestCheckResourceAttr(testResourceName, "tag.#", "1"),
 					resource.TestCheckResourceAttr(testResourceName, "advanced_config.0.connectivity", "OFF"),
 					resource.TestCheckResourceAttr(testResourceName, "advanced_config.0.local_egress", "true"),
+					resource.TestCheckResourceAttr(testResourceName, "advanced_config.0.urpf_mode", "STRICT"),
 				),
 			},
 			{
@@ -167,6 +168,7 @@ func TestAccResourceNsxtPolicySegment_updateAdvConfig(t *testing.T) {
 					resource.TestCheckResourceAttr(testResourceName, "tag.#", "1"),
 					resource.TestCheckResourceAttr(testResourceName, "advanced_config.0.connectivity", "ON"),
 					resource.TestCheckResourceAttr(testResourceName, "advanced_config.0.local_egress", "false"),
+					resource.TestCheckResourceAttr(testResourceName, "advanced_config.0.urpf_mode", "NONE"),
 				),
 			},
 		},
@@ -588,6 +590,7 @@ resource "nsxt_policy_segment" "test" {
   advanced_config {
     connectivity = "OFF"
     local_egress = true
+    urpf_mode    = "STRICT"
   }
 }
 `, name)
@@ -617,6 +620,7 @@ resource "nsxt_policy_segment" "test" {
   advanced_config {
     connectivity = "ON"
     local_egress = false
+    urpf_mode    = "NONE"
   }
 }
 `, name)

diff --git a/nsxt/resource_nsxt_policy_vlan_segment_test.go b/nsxt/resource_nsxt_policy_vlan_segment_test.go
@@ -90,6 +90,7 @@ func TestAccResourceNsxtPolicyVlanSegment_updateAdvConfig(t *testing.T) {
 					resource.TestCheckResourceAttr(testResourceName, "tag.#", "1"),
 					resource.TestCheckResourceAttr(testResourceName, "advanced_config.0.connectivity", "OFF"),
 					resource.TestCheckResourceAttr(testResourceName, "advanced_config.0.local_egress", "true"),
+					resource.TestCheckResourceAttr(testResourceName, "advanced_config.0.urpf_mode", "NONE"),
 				),
 			},
 			{
@@ -102,6 +103,7 @@ func TestAccResourceNsxtPolicyVlanSegment_updateAdvConfig(t *testing.T) {
 					resource.TestCheckResourceAttr(testResourceName, "tag.#", "1"),
 					resource.TestCheckResourceAttr(testResourceName, "advanced_config.0.connectivity", "ON"),
 					resource.TestCheckResourceAttr(testResourceName, "advanced_config.0.local_egress", "false"),
+					resource.TestCheckResourceAttr(testResourceName, "advanced_config.0.urpf_mode", "STRICT"),
 				),
 			},
 		},
@@ -351,6 +353,7 @@ resource "nsxt_policy_vlan_segment" "test" {
   advanced_config {
     connectivity = "OFF"
     local_egress = true
+    urpf_mode    = "NONE"
   }
 }
 `, name)

diff --git a/nsxt/segment_common.go b/nsxt/segment_common.go
@@ -27,6 +27,11 @@ var connectivityValues = []string{
 	model.SegmentAdvancedConfig_CONNECTIVITY_OFF,
 }
 
+var urpfModeValues = []string{
+	model.SegmentAdvancedConfig_URPF_MODE_NONE,
+	model.SegmentAdvancedConfig_URPF_MODE_STRICT,
+}
+
 func getPolicySegmentDhcpV4ConfigSchema() *schema.Resource {
 	return &schema.Resource{
 		Schema: map[string]*schema.Schema{
@@ -182,6 +187,13 @@ func getPolicySegmentAdvancedConfigurationSchema() *schema.Resource {
 				Description: "The name of the switching uplink teaming policy for the bridge endpoint",
 				Optional:    true,
 			},
+			"urpf_mode": {
+				Type:         schema.TypeString,
+				Description:  "This URPF mode is applied to the downlink logical router port created while attaching this segment to gateway",
+				Optional:     true,
+				ValidateFunc: validation.StringInSlice(urpfModeValues, false),
+				Default:      model.SegmentAdvancedConfig_URPF_MODE_STRICT,
+			},
 		},
 	}
 }
@@ -744,6 +756,9 @@ func policySegmentResourceToInfraStruct(id string, d *schema.ResourceData, isVla
 			if teamingPolicy != "" {
 				advConfigStruct.UplinkTeamingPolicyName = &teamingPolicy
 			}
+
+			urpfMode := advConfigMap["urpf_mode"].(string)
+			advConfigStruct.UrpfMode = &urpfMode
 		}
 		obj.AdvancedConfig = &advConfigStruct
 	}
@@ -1292,6 +1307,9 @@ func nsxtPolicySegmentRead(d *schema.ResourceData, m interface{}, isVlan bool, i
 		if obj.AdvancedConfig.UplinkTeamingPolicyName != nil {
 			advConfig["uplink_teaming_policy"] = *obj.AdvancedConfig.UplinkTeamingPolicyName
 		}
+		if obj.AdvancedConfig.UrpfMode != nil {
+			advConfig["urpf_mode"] = *obj.AdvancedConfig.UrpfMode
+		}
 		// This is a list with 1 element
 		var advConfigList []map[string]interface{}
 		advConfigList = append(advConfigList, advConfig)

diff --git a/website/docs/r/policy_fixed_segment.html.markdown b/website/docs/r/policy_fixed_segment.html.markdown
@@ -89,6 +89,7 @@ The following arguments are supported:
   * `hybrid` - (Optional) Boolean flag to identify a hybrid logical switch.
   * `local_egress` - (Optional) Boolean flag to enable local egress when used in conjunction with L2VPN.
   * `uplink_teaming_policy` - (Optional) The name of the switching uplink teaming policy for the bridge endpoint. This name corresponds to one of the switching uplink teaming policy names listed in the transport zone.
+  * `urpf_mode` - (Optional) URPF mode to be applied to gateway downlink interface. One of `STRICT`, `NONE`.
 
 ## Attributes Reference
 

diff --git a/website/docs/r/policy_segment.html.markdown b/website/docs/r/policy_segment.html.markdown
@@ -96,6 +96,7 @@ The following arguments are supported:
   * `hybrid` - (Optional) Boolean flag to identify a hybrid logical switch.
   * `local_egress` - (Optional) Boolean flag to enable local egress when used in conjunction with L2VPN.
   * `uplink_teaming_policy` - (Optional) The name of the switching uplink teaming policy for the bridge endpoint. This name corresponds to one of the switching uplink teaming policy names listed in the transport zone.
+  * `urpf_mode` - (Optional) URPF mode to be applied to gateway downlink interface. One of `STRICT`, `NONE`.
 * `discovery_profile` - (Optional) IP and MAC discovery profile specification for the segment.
   * `ip_discovery_profile_path` - (Optional) Path for IP discovery profile to be associated with the segment.
   * `mac_discovery_profile_path` - (Optional) Path for MAC discovery profile to be associated with the segment.

diff --git a/website/docs/r/policy_vlan_segment.html.markdown b/website/docs/r/policy_vlan_segment.html.markdown
@@ -99,6 +99,7 @@ The following arguments are supported:
   * `hybrid` - (Optional) Boolean flag to identify a hybrid logical switch.
   * `local_egress` - (Optional) Boolean flag to enable local egress.
   * `uplink_teaming_policy` - (Optional) The name of the switching uplink teaming policy for the bridge endpoint. This name corresponds to one of the switching uplink teaming policy names listed in the transport zone.
+  * `urpf_mode` - (Optional) URPF mode to be applied to gateway downlink interface. One of `STRICT`, `NONE`.
 * `discovery_profile` - (Optional) IP and MAC discovery profile specification for the segment.
   * `ip_discovery_profile_path` - (Optional) Path for IP discovery profile to be associated with the segment.
   * `mac_discovery_profile_path` - (Optional) Path for MAC discovery profile to be associated with the segment.