Separate security policy and rule

Signed-off-by: graysonwu <[email protected]>
vmware · Dec 8, 2023 · d509e97 · d509e97
1 parent e9cf9cf
commit d509e97
Show file tree

Hide file tree

Showing 16 changed files with 1,442 additions and 72 deletions.
diff --git a/api/api_list.yaml b/api/api_list.yaml
@@ -877,3 +877,24 @@
   supported_method:
     - New
     - List
+- api_packages:
+    - client: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/infra/domains/security_policies
+      model: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model
+      type: Local
+    - client: github.com/vmware/vsphere-automation-sdk-go/services/nsxt-gm/global_infra/domains/security_policies
+      model: github.com/vmware/vsphere-automation-sdk-go/services/nsxt-gm/model
+      type: Global
+    - client: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/infra/domains/security_policies
+      model: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model
+      type: Multitenancy
+  model_name: Rule
+  obj_name: Rule
+  client_name: RulesClient
+  list_result_name: RuleListResult
+  supported_method:
+    - New
+    - Get
+    - Delete
+    - Patch
+    - Update
+    - List
diff --git a/api/infra/domains/security_policies/rule.go b/api/infra/domains/security_policies/rule.go
@@ -0,0 +1,192 @@
+//nolint:revive
+package securitypolicies
+
+// The following file has been autogenerated. Please avoid any changes!
+import (
+	"errors"
+
+	vapiProtocolClient_ "github.com/vmware/vsphere-automation-sdk-go/runtime/protocol/client"
+	client1 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt-gm/global_infra/domains/security_policies"
+	model1 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt-gm/model"
+	client0 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/infra/domains/security_policies"
+	model0 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model"
+	client2 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/infra/domains/security_policies"
+
+	utl "github.com/vmware/terraform-provider-nsxt/api/utl"
+)
+
+type RuleClientContext utl.ClientContext
+
+func NewRulesClient(sessionContext utl.SessionContext, connector vapiProtocolClient_.Connector) *RuleClientContext {
+	var client interface{}
+
+	switch sessionContext.ClientType {
+
+	case utl.Local:
+		client = client0.NewRulesClient(connector)
+
+	case utl.Global:
+		client = client1.NewRulesClient(connector)
+
+	case utl.Multitenancy:
+		client = client2.NewRulesClient(connector)
+
+	default:
+		return nil
+	}
+	return &RuleClientContext{Client: client, ClientType: sessionContext.ClientType, ProjectID: sessionContext.ProjectID}
+}
+
+func (c RuleClientContext) Get(domainIdParam string, securityPolicyIdParam string, ruleIdParam string) (model0.Rule, error) {
+	var obj model0.Rule
+	var err error
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		obj, err = client.Get(domainIdParam, securityPolicyIdParam, ruleIdParam)
+		if err != nil {
+			return obj, err
+		}
+
+	case utl.Global:
+		client := c.Client.(client1.RulesClient)
+		gmObj, err1 := client.Get(domainIdParam, securityPolicyIdParam, ruleIdParam)
+		if err1 != nil {
+			return obj, err1
+		}
+		var rawObj interface{}
+		rawObj, err = utl.ConvertModelBindingType(gmObj, model1.RuleBindingType(), model0.RuleBindingType())
+		obj = rawObj.(model0.Rule)
+
+	case utl.Multitenancy:
+		client := c.Client.(client2.RulesClient)
+		obj, err = client.Get(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, ruleIdParam)
+		if err != nil {
+			return obj, err
+		}
+
+	default:
+		return obj, errors.New("invalid infrastructure for model")
+	}
+	return obj, err
+}
+
+func (c RuleClientContext) Delete(domainIdParam string, securityPolicyIdParam string, ruleIdParam string) error {
+	var err error
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		err = client.Delete(domainIdParam, securityPolicyIdParam, ruleIdParam)
+
+	case utl.Global:
+		client := c.Client.(client1.RulesClient)
+		err = client.Delete(domainIdParam, securityPolicyIdParam, ruleIdParam)
+
+	case utl.Multitenancy:
+		client := c.Client.(client2.RulesClient)
+		err = client.Delete(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, ruleIdParam)
+
+	default:
+		err = errors.New("invalid infrastructure for model")
+	}
+	return err
+}
+
+func (c RuleClientContext) Patch(domainIdParam string, securityPolicyIdParam string, ruleIdParam string, ruleParam model0.Rule) error {
+	var err error
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		err = client.Patch(domainIdParam, securityPolicyIdParam, ruleIdParam, ruleParam)
+
+	case utl.Global:
+		client := c.Client.(client1.RulesClient)
+		gmObj, err1 := utl.ConvertModelBindingType(ruleParam, model0.RuleBindingType(), model1.RuleBindingType())
+		if err1 != nil {
+			return err1
+		}
+		err = client.Patch(domainIdParam, securityPolicyIdParam, ruleIdParam, gmObj.(model1.Rule))
+
+	case utl.Multitenancy:
+		client := c.Client.(client2.RulesClient)
+		err = client.Patch(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, ruleIdParam, ruleParam)
+
+	default:
+		err = errors.New("invalid infrastructure for model")
+	}
+	return err
+}
+
+func (c RuleClientContext) Update(domainIdParam string, securityPolicyIdParam string, ruleIdParam string, ruleParam model0.Rule) (model0.Rule, error) {
+	var err error
+	var obj model0.Rule
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		obj, err = client.Update(domainIdParam, securityPolicyIdParam, ruleIdParam, ruleParam)
+
+	case utl.Global:
+		client := c.Client.(client1.RulesClient)
+		gmObj, err := utl.ConvertModelBindingType(ruleParam, model0.RuleBindingType(), model1.RuleBindingType())
+		if err != nil {
+			return obj, err
+		}
+		gmObj, err = client.Update(domainIdParam, securityPolicyIdParam, ruleIdParam, gmObj.(model1.Rule))
+		if err != nil {
+			return obj, err
+		}
+		obj1, err1 := utl.ConvertModelBindingType(gmObj, model1.RuleBindingType(), model0.RuleBindingType())
+		if err1 != nil {
+			return obj, err1
+		}
+		obj = obj1.(model0.Rule)
+
+	case utl.Multitenancy:
+		client := c.Client.(client2.RulesClient)
+		obj, err = client.Update(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, ruleIdParam, ruleParam)
+
+	default:
+		err = errors.New("invalid infrastructure for model")
+	}
+	return obj, err
+}
+
+func (c RuleClientContext) List(domainIdParam string, securityPolicyIdParam string, cursorParam *string, includeMarkForDeleteObjectsParam *bool, includedFieldsParam *string, pageSizeParam *int64, sortAscendingParam *bool, sortByParam *string) (model0.RuleListResult, error) {
+	var err error
+	var obj model0.RuleListResult
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		obj, err = client.List(domainIdParam, securityPolicyIdParam, cursorParam, includeMarkForDeleteObjectsParam, includedFieldsParam, pageSizeParam, sortAscendingParam, sortByParam)
+
+	case utl.Global:
+		client := c.Client.(client1.RulesClient)
+		gmObj, err := client.List(domainIdParam, securityPolicyIdParam, cursorParam, includeMarkForDeleteObjectsParam, includedFieldsParam, pageSizeParam, sortAscendingParam, sortByParam)
+		if err != nil {
+			return obj, err
+		}
+		obj1, err1 := utl.ConvertModelBindingType(gmObj, model1.RuleListResultBindingType(), model0.RuleListResultBindingType())
+		if err1 != nil {
+			return obj, err1
+		}
+		obj = obj1.(model0.RuleListResult)
+
+	case utl.Multitenancy:
+		client := c.Client.(client2.RulesClient)
+		obj, err = client.List(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, cursorParam, includeMarkForDeleteObjectsParam, includedFieldsParam, pageSizeParam, sortAscendingParam, sortByParam)
+
+	default:
+		err = errors.New("invalid infrastructure for model")
+	}
+	return obj, err
+}
diff --git a/nsxt/data_source_nsxt_policy_security_policy_rule.go b/nsxt/data_source_nsxt_policy_security_policy_rule.go
@@ -0,0 +1,86 @@
+/* Copyright © 2023 VMware, Inc. All Rights Reserved.
+   SPDX-License-Identifier: MPL-2.0 */
+
+package nsxt
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	securitypolicies "github.com/vmware/terraform-provider-nsxt/api/infra/domains/security_policies"
+	"github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model"
+)
+
+func dataSourceNsxtPolicySecurityPolicyRule() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceNsxtPolicySecurityPolicyRuleRead,
+
+		Schema: map[string]*schema.Schema{
+			"id":           getDataSourceIDSchema(),
+			"display_name": getDataSourceDisplayNameSchema(),
+			"description":  getDataSourceDescriptionSchema(),
+			"path":         getPathSchema(),
+			"policy_path":  getPolicyPathSchema(true, false, "Security Policy path"),
+			"context":      getContextSchema(),
+		},
+	}
+}
+
+func dataSourceNsxtPolicySecurityPolicyRuleRead(d *schema.ResourceData, m interface{}) error {
+	connector := getPolicyConnector(m)
+
+	policyPath := d.Get("policy_path").(string)
+	domain := getDomainFromResourcePath(policyPath)
+	policyID := getPolicyIDFromPath(policyPath)
+
+	client := securitypolicies.NewRulesClient(getSessionContext(d, m), connector)
+	objID := d.Get("id").(string)
+	var obj model.Rule
+	if objID != "" {
+		// Get by id
+		objGet, err := client.Get(domain, policyID, objID)
+
+		if err != nil {
+			return handleDataSourceReadError(d, "SecurityPolicyRule", objID, err)
+		}
+		obj = objGet
+	} else {
+		// Get by full name/prefix
+		displayName := d.Get("display_name").(string)
+		objList, err := client.List(domain, policyID, nil, nil, nil, nil, nil, nil)
+		if err != nil {
+			return handleListError("SecurityPolicyRule", err)
+		}
+		// go over the list to find the correct one (prefer a perfect match. If not - prefix match)
+		var perfectMatch []model.Rule
+		var prefixMatch []model.Rule
+		for _, objInList := range objList.Results {
+			if strings.HasPrefix(*objInList.DisplayName, displayName) {
+				prefixMatch = append(prefixMatch, objInList)
+			}
+			if *objInList.DisplayName == displayName {
+				perfectMatch = append(perfectMatch, objInList)
+			}
+		}
+		if len(perfectMatch) > 0 {
+			if len(perfectMatch) > 1 {
+				return fmt.Errorf("Found multiple SecurityPolicyRule with name '%s'", displayName)
+			}
+			obj = perfectMatch[0]
+		} else if len(prefixMatch) > 0 {
+			if len(prefixMatch) > 1 {
+				return fmt.Errorf("Found multiple SecurityPolicyRule with name starting with '%s'", displayName)
+			}
+			obj = prefixMatch[0]
+		} else {
+			return fmt.Errorf("SecurityPolicyRule with name '%s' was not found", displayName)
+		}
+	}
+
+	d.SetId(*obj.Id)
+	d.Set("display_name", obj.DisplayName)
+	d.Set("description", obj.Description)
+	d.Set("path", obj.Path)
+	return nil
+}
diff --git a/nsxt/policy_common.go b/nsxt/policy_common.go
@@ -166,17 +166,23 @@ func getPolicyRuleActionSchema(isIds bool) *schema.Schema {
 }
 
 func getSecurityPolicyAndGatewayRulesSchema(scopeRequired bool, isIds bool, nsxIDReadOnly bool) *schema.Schema {
+	return &schema.Schema{
+		Type:        schema.TypeList,
+		Description: "List of rules in the section",
+		Optional:    true,
+		MaxItems:    1000,
+		Elem: &schema.Resource{
+			Schema: getSecurityPolicyAndGatewayRuleSchema(scopeRequired, isIds, nsxIDReadOnly, false),
+		},
+	}
+}
+
+func getSecurityPolicyAndGatewayRuleSchema(scopeRequired bool, isIds bool, nsxIDReadOnly bool, separated bool) map[string]*schema.Schema {
 	ruleSchema := map[string]*schema.Schema{
 		"nsx_id":       getFlexNsxIDSchema(nsxIDReadOnly),
 		"display_name": getDisplayNameSchema(),
 		"description":  getDescriptionSchema(),
 		"revision":     getRevisionSchema(),
-		"sequence_number": {
-			Type:        schema.TypeInt,
-			Description: "Sequence number of the this rule",
-			Optional:    true,
-			Computed:    true,
-		},
 		"destination_groups": {
 			Type:        schema.TypeSet,
 			Description: "List of destination groups",
@@ -282,19 +288,28 @@ func getSecurityPolicyAndGatewayRulesSchema(scopeRequired bool, isIds bool, nsxI
 	if isIds {
 		ruleSchema["ids_profiles"] = getIdsProfilesSchema()
 	}
-	return &schema.Schema{
-		Type:        schema.TypeList,
-		Description: "List of rules in the section",
-		Optional:    true,
-		MaxItems:    1000,
-		Elem: &schema.Resource{
-			Schema: ruleSchema,
-		},
+	if separated {
+		ruleSchema["policy_path"] = getPolicyPathSchema(true, false, "Security Policy path")
+		ruleSchema["sequence_number"] = &schema.Schema{
+			Type:        schema.TypeInt,
+			Description: "Sequence number of the this rule",
+			Required:    true,
+		}
+		ruleSchema["context"] = getContextSchema()
+		ruleSchema["path"] = getPathSchema()
+	} else {
+		ruleSchema["sequence_number"] = &schema.Schema{
+			Type:        schema.TypeInt,
+			Description: "Sequence number of the this rule",
+			Optional:    true,
+			Computed:    true,
+		}
 	}
+	return ruleSchema
 }
 
 func getPolicyGatewayPolicySchema() map[string]*schema.Schema {
-	secPolicy := getPolicySecurityPolicySchema(false, true)
+	secPolicy := getPolicySecurityPolicySchema(false, true, true)
 	// GW Policies don't support scope
 	delete(secPolicy, "scope")
 	secPolicy["category"].ValidateFunc = validation.StringInSlice(gatewayPolicyCategoryWritableValues, false)
@@ -303,7 +318,7 @@ func getPolicyGatewayPolicySchema() map[string]*schema.Schema {
 	return secPolicy
 }
 
-func getPolicySecurityPolicySchema(isIds bool, withContext bool) map[string]*schema.Schema {
+func getPolicySecurityPolicySchema(isIds, withContext, withRule bool) map[string]*schema.Schema {
 	result := map[string]*schema.Schema{
 		"nsx_id":       getNsxIDSchema(),
 		"path":         getPathSchema(),
@@ -371,6 +386,10 @@ func getPolicySecurityPolicySchema(isIds bool, withContext bool) map[string]*sch
 	if !withContext {
 		delete(result, "context")
 	}
+
+	if !withRule {
+		delete(result, "rule")
+	}
 	return result
 }