From d509e975c1a0fc5eaf3100944b842532e4eb2e53 Mon Sep 17 00:00:00 2001 From: graysonwu Date: Wed, 6 Dec 2023 09:33:44 -0800 Subject: [PATCH] Separate security policy and rule Signed-off-by: graysonwu --- api/api_list.yaml | 21 ++ api/infra/domains/security_policies/rule.go | 192 +++++++++++++++ ...source_nsxt_policy_security_policy_rule.go | 86 +++++++ nsxt/policy_common.go | 51 ++-- nsxt/policy_utils.go | 15 ++ nsxt/provider.go | 3 + ...ce_nsxt_policy_intrusion_service_policy.go | 2 +- nsxt/resource_nsxt_policy_security_policy.go | 58 +---- ...rce_nsxt_policy_security_policy_no_rule.go | 149 +++++++++++ ...sxt_policy_security_policy_no_rule_test.go | 167 +++++++++++++ ...source_nsxt_policy_security_policy_rule.go | 231 ++++++++++++++++++ ...e_nsxt_policy_security_policy_rule_test.go | 229 +++++++++++++++++ website/docs/d/compute_manager.html.markdown | 2 +- .../policy_security_policy_rule.html.markdown | 51 ++++ ...licy_security_policy_no_rule.html.markdown | 157 ++++++++++++ .../policy_security_policy_rule.html.markdown | 100 ++++++++ 16 files changed, 1442 insertions(+), 72 deletions(-) create mode 100644 api/infra/domains/security_policies/rule.go create mode 100644 nsxt/data_source_nsxt_policy_security_policy_rule.go create mode 100644 nsxt/resource_nsxt_policy_security_policy_no_rule.go create mode 100644 nsxt/resource_nsxt_policy_security_policy_no_rule_test.go create mode 100644 nsxt/resource_nsxt_policy_security_policy_rule.go create mode 100644 nsxt/resource_nsxt_policy_security_policy_rule_test.go create mode 100644 website/docs/d/policy_security_policy_rule.html.markdown create mode 100644 website/docs/r/policy_security_policy_no_rule.html.markdown create mode 100644 website/docs/r/policy_security_policy_rule.html.markdown diff --git a/api/api_list.yaml b/api/api_list.yaml index ddfb2404c..5d6c6cdea 100644 --- a/api/api_list.yaml +++ b/api/api_list.yaml @@ -877,3 +877,24 @@ supported_method: - New - List +- api_packages: + - client: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/infra/domains/security_policies + model: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model + type: Local + - client: github.com/vmware/vsphere-automation-sdk-go/services/nsxt-gm/global_infra/domains/security_policies + model: github.com/vmware/vsphere-automation-sdk-go/services/nsxt-gm/model + type: Global + - client: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/infra/domains/security_policies + model: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model + type: Multitenancy + model_name: Rule + obj_name: Rule + client_name: RulesClient + list_result_name: RuleListResult + supported_method: + - New + - Get + - Delete + - Patch + - Update + - List \ No newline at end of file diff --git a/api/infra/domains/security_policies/rule.go b/api/infra/domains/security_policies/rule.go new file mode 100644 index 000000000..214820ab1 --- /dev/null +++ b/api/infra/domains/security_policies/rule.go @@ -0,0 +1,192 @@ +//nolint:revive +package securitypolicies + +// The following file has been autogenerated. Please avoid any changes! +import ( + "errors" + + vapiProtocolClient_ "github.com/vmware/vsphere-automation-sdk-go/runtime/protocol/client" + client1 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt-gm/global_infra/domains/security_policies" + model1 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt-gm/model" + client0 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/infra/domains/security_policies" + model0 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model" + client2 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/infra/domains/security_policies" + + utl "github.com/vmware/terraform-provider-nsxt/api/utl" +) + +type RuleClientContext utl.ClientContext + +func NewRulesClient(sessionContext utl.SessionContext, connector vapiProtocolClient_.Connector) *RuleClientContext { + var client interface{} + + switch sessionContext.ClientType { + + case utl.Local: + client = client0.NewRulesClient(connector) + + case utl.Global: + client = client1.NewRulesClient(connector) + + case utl.Multitenancy: + client = client2.NewRulesClient(connector) + + default: + return nil + } + return &RuleClientContext{Client: client, ClientType: sessionContext.ClientType, ProjectID: sessionContext.ProjectID} +} + +func (c RuleClientContext) Get(domainIdParam string, securityPolicyIdParam string, ruleIdParam string) (model0.Rule, error) { + var obj model0.Rule + var err error + + switch c.ClientType { + + case utl.Local: + client := c.Client.(client0.RulesClient) + obj, err = client.Get(domainIdParam, securityPolicyIdParam, ruleIdParam) + if err != nil { + return obj, err + } + + case utl.Global: + client := c.Client.(client1.RulesClient) + gmObj, err1 := client.Get(domainIdParam, securityPolicyIdParam, ruleIdParam) + if err1 != nil { + return obj, err1 + } + var rawObj interface{} + rawObj, err = utl.ConvertModelBindingType(gmObj, model1.RuleBindingType(), model0.RuleBindingType()) + obj = rawObj.(model0.Rule) + + case utl.Multitenancy: + client := c.Client.(client2.RulesClient) + obj, err = client.Get(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, ruleIdParam) + if err != nil { + return obj, err + } + + default: + return obj, errors.New("invalid infrastructure for model") + } + return obj, err +} + +func (c RuleClientContext) Delete(domainIdParam string, securityPolicyIdParam string, ruleIdParam string) error { + var err error + + switch c.ClientType { + + case utl.Local: + client := c.Client.(client0.RulesClient) + err = client.Delete(domainIdParam, securityPolicyIdParam, ruleIdParam) + + case utl.Global: + client := c.Client.(client1.RulesClient) + err = client.Delete(domainIdParam, securityPolicyIdParam, ruleIdParam) + + case utl.Multitenancy: + client := c.Client.(client2.RulesClient) + err = client.Delete(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, ruleIdParam) + + default: + err = errors.New("invalid infrastructure for model") + } + return err +} + +func (c RuleClientContext) Patch(domainIdParam string, securityPolicyIdParam string, ruleIdParam string, ruleParam model0.Rule) error { + var err error + + switch c.ClientType { + + case utl.Local: + client := c.Client.(client0.RulesClient) + err = client.Patch(domainIdParam, securityPolicyIdParam, ruleIdParam, ruleParam) + + case utl.Global: + client := c.Client.(client1.RulesClient) + gmObj, err1 := utl.ConvertModelBindingType(ruleParam, model0.RuleBindingType(), model1.RuleBindingType()) + if err1 != nil { + return err1 + } + err = client.Patch(domainIdParam, securityPolicyIdParam, ruleIdParam, gmObj.(model1.Rule)) + + case utl.Multitenancy: + client := c.Client.(client2.RulesClient) + err = client.Patch(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, ruleIdParam, ruleParam) + + default: + err = errors.New("invalid infrastructure for model") + } + return err +} + +func (c RuleClientContext) Update(domainIdParam string, securityPolicyIdParam string, ruleIdParam string, ruleParam model0.Rule) (model0.Rule, error) { + var err error + var obj model0.Rule + + switch c.ClientType { + + case utl.Local: + client := c.Client.(client0.RulesClient) + obj, err = client.Update(domainIdParam, securityPolicyIdParam, ruleIdParam, ruleParam) + + case utl.Global: + client := c.Client.(client1.RulesClient) + gmObj, err := utl.ConvertModelBindingType(ruleParam, model0.RuleBindingType(), model1.RuleBindingType()) + if err != nil { + return obj, err + } + gmObj, err = client.Update(domainIdParam, securityPolicyIdParam, ruleIdParam, gmObj.(model1.Rule)) + if err != nil { + return obj, err + } + obj1, err1 := utl.ConvertModelBindingType(gmObj, model1.RuleBindingType(), model0.RuleBindingType()) + if err1 != nil { + return obj, err1 + } + obj = obj1.(model0.Rule) + + case utl.Multitenancy: + client := c.Client.(client2.RulesClient) + obj, err = client.Update(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, ruleIdParam, ruleParam) + + default: + err = errors.New("invalid infrastructure for model") + } + return obj, err +} + +func (c RuleClientContext) List(domainIdParam string, securityPolicyIdParam string, cursorParam *string, includeMarkForDeleteObjectsParam *bool, includedFieldsParam *string, pageSizeParam *int64, sortAscendingParam *bool, sortByParam *string) (model0.RuleListResult, error) { + var err error + var obj model0.RuleListResult + + switch c.ClientType { + + case utl.Local: + client := c.Client.(client0.RulesClient) + obj, err = client.List(domainIdParam, securityPolicyIdParam, cursorParam, includeMarkForDeleteObjectsParam, includedFieldsParam, pageSizeParam, sortAscendingParam, sortByParam) + + case utl.Global: + client := c.Client.(client1.RulesClient) + gmObj, err := client.List(domainIdParam, securityPolicyIdParam, cursorParam, includeMarkForDeleteObjectsParam, includedFieldsParam, pageSizeParam, sortAscendingParam, sortByParam) + if err != nil { + return obj, err + } + obj1, err1 := utl.ConvertModelBindingType(gmObj, model1.RuleListResultBindingType(), model0.RuleListResultBindingType()) + if err1 != nil { + return obj, err1 + } + obj = obj1.(model0.RuleListResult) + + case utl.Multitenancy: + client := c.Client.(client2.RulesClient) + obj, err = client.List(utl.DefaultOrgID, c.ProjectID, domainIdParam, securityPolicyIdParam, cursorParam, includeMarkForDeleteObjectsParam, includedFieldsParam, pageSizeParam, sortAscendingParam, sortByParam) + + default: + err = errors.New("invalid infrastructure for model") + } + return obj, err +} diff --git a/nsxt/data_source_nsxt_policy_security_policy_rule.go b/nsxt/data_source_nsxt_policy_security_policy_rule.go new file mode 100644 index 000000000..55c181c4e --- /dev/null +++ b/nsxt/data_source_nsxt_policy_security_policy_rule.go @@ -0,0 +1,86 @@ +/* Copyright © 2023 VMware, Inc. All Rights Reserved. + SPDX-License-Identifier: MPL-2.0 */ + +package nsxt + +import ( + "fmt" + "strings" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + securitypolicies "github.com/vmware/terraform-provider-nsxt/api/infra/domains/security_policies" + "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model" +) + +func dataSourceNsxtPolicySecurityPolicyRule() *schema.Resource { + return &schema.Resource{ + Read: dataSourceNsxtPolicySecurityPolicyRuleRead, + + Schema: map[string]*schema.Schema{ + "id": getDataSourceIDSchema(), + "display_name": getDataSourceDisplayNameSchema(), + "description": getDataSourceDescriptionSchema(), + "path": getPathSchema(), + "policy_path": getPolicyPathSchema(true, false, "Security Policy path"), + "context": getContextSchema(), + }, + } +} + +func dataSourceNsxtPolicySecurityPolicyRuleRead(d *schema.ResourceData, m interface{}) error { + connector := getPolicyConnector(m) + + policyPath := d.Get("policy_path").(string) + domain := getDomainFromResourcePath(policyPath) + policyID := getPolicyIDFromPath(policyPath) + + client := securitypolicies.NewRulesClient(getSessionContext(d, m), connector) + objID := d.Get("id").(string) + var obj model.Rule + if objID != "" { + // Get by id + objGet, err := client.Get(domain, policyID, objID) + + if err != nil { + return handleDataSourceReadError(d, "SecurityPolicyRule", objID, err) + } + obj = objGet + } else { + // Get by full name/prefix + displayName := d.Get("display_name").(string) + objList, err := client.List(domain, policyID, nil, nil, nil, nil, nil, nil) + if err != nil { + return handleListError("SecurityPolicyRule", err) + } + // go over the list to find the correct one (prefer a perfect match. If not - prefix match) + var perfectMatch []model.Rule + var prefixMatch []model.Rule + for _, objInList := range objList.Results { + if strings.HasPrefix(*objInList.DisplayName, displayName) { + prefixMatch = append(prefixMatch, objInList) + } + if *objInList.DisplayName == displayName { + perfectMatch = append(perfectMatch, objInList) + } + } + if len(perfectMatch) > 0 { + if len(perfectMatch) > 1 { + return fmt.Errorf("Found multiple SecurityPolicyRule with name '%s'", displayName) + } + obj = perfectMatch[0] + } else if len(prefixMatch) > 0 { + if len(prefixMatch) > 1 { + return fmt.Errorf("Found multiple SecurityPolicyRule with name starting with '%s'", displayName) + } + obj = prefixMatch[0] + } else { + return fmt.Errorf("SecurityPolicyRule with name '%s' was not found", displayName) + } + } + + d.SetId(*obj.Id) + d.Set("display_name", obj.DisplayName) + d.Set("description", obj.Description) + d.Set("path", obj.Path) + return nil +} diff --git a/nsxt/policy_common.go b/nsxt/policy_common.go index 169a2f506..62d2cba39 100644 --- a/nsxt/policy_common.go +++ b/nsxt/policy_common.go @@ -166,17 +166,23 @@ func getPolicyRuleActionSchema(isIds bool) *schema.Schema { } func getSecurityPolicyAndGatewayRulesSchema(scopeRequired bool, isIds bool, nsxIDReadOnly bool) *schema.Schema { + return &schema.Schema{ + Type: schema.TypeList, + Description: "List of rules in the section", + Optional: true, + MaxItems: 1000, + Elem: &schema.Resource{ + Schema: getSecurityPolicyAndGatewayRuleSchema(scopeRequired, isIds, nsxIDReadOnly, false), + }, + } +} + +func getSecurityPolicyAndGatewayRuleSchema(scopeRequired bool, isIds bool, nsxIDReadOnly bool, separated bool) map[string]*schema.Schema { ruleSchema := map[string]*schema.Schema{ "nsx_id": getFlexNsxIDSchema(nsxIDReadOnly), "display_name": getDisplayNameSchema(), "description": getDescriptionSchema(), "revision": getRevisionSchema(), - "sequence_number": { - Type: schema.TypeInt, - Description: "Sequence number of the this rule", - Optional: true, - Computed: true, - }, "destination_groups": { Type: schema.TypeSet, Description: "List of destination groups", @@ -282,19 +288,28 @@ func getSecurityPolicyAndGatewayRulesSchema(scopeRequired bool, isIds bool, nsxI if isIds { ruleSchema["ids_profiles"] = getIdsProfilesSchema() } - return &schema.Schema{ - Type: schema.TypeList, - Description: "List of rules in the section", - Optional: true, - MaxItems: 1000, - Elem: &schema.Resource{ - Schema: ruleSchema, - }, + if separated { + ruleSchema["policy_path"] = getPolicyPathSchema(true, false, "Security Policy path") + ruleSchema["sequence_number"] = &schema.Schema{ + Type: schema.TypeInt, + Description: "Sequence number of the this rule", + Required: true, + } + ruleSchema["context"] = getContextSchema() + ruleSchema["path"] = getPathSchema() + } else { + ruleSchema["sequence_number"] = &schema.Schema{ + Type: schema.TypeInt, + Description: "Sequence number of the this rule", + Optional: true, + Computed: true, + } } + return ruleSchema } func getPolicyGatewayPolicySchema() map[string]*schema.Schema { - secPolicy := getPolicySecurityPolicySchema(false, true) + secPolicy := getPolicySecurityPolicySchema(false, true, true) // GW Policies don't support scope delete(secPolicy, "scope") secPolicy["category"].ValidateFunc = validation.StringInSlice(gatewayPolicyCategoryWritableValues, false) @@ -303,7 +318,7 @@ func getPolicyGatewayPolicySchema() map[string]*schema.Schema { return secPolicy } -func getPolicySecurityPolicySchema(isIds bool, withContext bool) map[string]*schema.Schema { +func getPolicySecurityPolicySchema(isIds, withContext, withRule bool) map[string]*schema.Schema { result := map[string]*schema.Schema{ "nsx_id": getNsxIDSchema(), "path": getPathSchema(), @@ -371,6 +386,10 @@ func getPolicySecurityPolicySchema(isIds bool, withContext bool) map[string]*sch if !withContext { delete(result, "context") } + + if !withRule { + delete(result, "rule") + } return result } diff --git a/nsxt/policy_utils.go b/nsxt/policy_utils.go index 59561cd95..9a729ef70 100644 --- a/nsxt/policy_utils.go +++ b/nsxt/policy_utils.go @@ -155,6 +155,21 @@ func setPathListInMap(data map[string]interface{}, attrName string, pathList []s } } +func getPathListFromSchema(d *schema.ResourceData, schemaAttrName string) []string { + pathList := interface2StringList(d.Get(schemaAttrName).(*schema.Set).List()) + if len(pathList) == 0 { + // Convert empty value to "ANY" + pathList = append(pathList, "ANY") + } + return pathList +} + +func setPathListInSchema(d *schema.ResourceData, attrName string, pathList []string) { + if !(len(pathList) == 1 && pathList[0] == "ANY") { + d.Set(attrName, pathList) + } +} + func getDomainFromResourcePath(rPath string) string { return getResourceIDFromResourcePath(rPath, "domains") } diff --git a/nsxt/provider.go b/nsxt/provider.go index 2200d860f..51a659b4b 100644 --- a/nsxt/provider.go +++ b/nsxt/provider.go @@ -294,6 +294,7 @@ func Provider() *schema.Provider { "nsxt_policy_host_transport_node": dataSourceNsxtPolicyHostTransportNode(), "nsxt_manager_cluster_node": dataSourceNsxtManagerClusterNode(), "nsxt_policy_host_transport_node_profile": dataSourceNsxtPolicyHostTransportNodeProfile(), + "nsxt_policy_security_policy_rule": dataSourceNsxtPolicySecurityPolicyRule(), }, ResourcesMap: map[string]*schema.Resource{ @@ -437,6 +438,8 @@ func Provider() *schema.Provider { "nsxt_edge_high_availability_profile": resourceNsxtEdgeHighAvailabilityProfile(), "nsxt_policy_host_transport_node_collection": resourceNsxtPolicyHostTransportNodeCollection(), "nsxt_policy_lb_client_ssl_profile": resourceNsxtPolicyLBClientSslProfile(), + "nsxt_policy_security_policy_rule": resourceNsxtPolicySecurityPolicyRule(), + "nsxt_policy_security_policy_no_rule": resourceNsxtPolicySecurityPolicyNoRule(), }, ConfigureFunc: providerConfigure, diff --git a/nsxt/resource_nsxt_policy_intrusion_service_policy.go b/nsxt/resource_nsxt_policy_intrusion_service_policy.go index e37593620..e3b7ff895 100644 --- a/nsxt/resource_nsxt_policy_intrusion_service_policy.go +++ b/nsxt/resource_nsxt_policy_intrusion_service_policy.go @@ -29,7 +29,7 @@ func resourceNsxtPolicyIntrusionServicePolicy() *schema.Resource { Importer: &schema.ResourceImporter{ State: nsxtDomainResourceImporter, }, - Schema: getPolicySecurityPolicySchema(true, false), + Schema: getPolicySecurityPolicySchema(true, false, true), } } diff --git a/nsxt/resource_nsxt_policy_security_policy.go b/nsxt/resource_nsxt_policy_security_policy.go index 1ca398f6b..fc9df539f 100644 --- a/nsxt/resource_nsxt_policy_security_policy.go +++ b/nsxt/resource_nsxt_policy_security_policy.go @@ -24,7 +24,7 @@ func resourceNsxtPolicySecurityPolicy() *schema.Resource { Importer: &schema.ResourceImporter{ State: nsxtDomainResourceImporter, }, - Schema: getPolicySecurityPolicySchema(false, true), + Schema: getPolicySecurityPolicySchema(false, true, true), } } @@ -57,34 +57,9 @@ func resourceNsxtPolicySecurityPolicyExistsPartial(domainName string) func(sessi func policySecurityPolicyBuildAndPatch(d *schema.ResourceData, m interface{}, connector client.Connector, isGlobalManager bool, id string, createFlow bool) error { + obj := securityPolicySchemaToModelNoRule(d, id) domain := d.Get("domain").(string) - displayName := d.Get("display_name").(string) - description := d.Get("description").(string) - tags := getPolicyTagsFromSchema(d) - category := d.Get("category").(string) - comments := d.Get("comments").(string) - locked := d.Get("locked").(bool) - scope := getStringListFromSchemaSet(d, "scope") - sequenceNumber := int64(d.Get("sequence_number").(int)) - stateful := d.Get("stateful").(bool) - tcpStrict := d.Get("tcp_strict").(bool) revision := int64(d.Get("revision").(int)) - objType := "SecurityPolicy" - - obj := model.SecurityPolicy{ - Id: &id, - DisplayName: &displayName, - Description: &description, - Tags: tags, - Category: &category, - Comments: &comments, - Locked: &locked, - Scope: scope, - SequenceNumber: &sequenceNumber, - Stateful: &stateful, - TcpStrict: &tcpStrict, - ResourceType: &objType, - } log.Printf("[INFO] Creating Security Policy with ID %s", id) if createFlow { @@ -130,35 +105,10 @@ func resourceNsxtPolicySecurityPolicyCreate(d *schema.ResourceData, m interface{ } func resourceNsxtPolicySecurityPolicyRead(d *schema.ResourceData, m interface{}) error { - connector := getPolicyConnector(m) - id := d.Id() - domainName := d.Get("domain").(string) - if id == "" { - return fmt.Errorf("Error obtaining Security Policy id") - } - client := domains.NewSecurityPoliciesClient(getSessionContext(d, m), connector) - obj, err := client.Get(domainName, id) + obj, err := securityPolicyModelToSchemaNoRule(d, m) if err != nil { - return handleReadError(d, "SecurityPolicy", id, err) - } - d.Set("display_name", obj.DisplayName) - d.Set("description", obj.Description) - setPolicyTagsInSchema(d, obj.Tags) - d.Set("nsx_id", id) - d.Set("path", obj.Path) - d.Set("domain", getDomainFromResourcePath(*obj.Path)) - d.Set("category", obj.Category) - d.Set("comments", obj.Comments) - d.Set("locked", obj.Locked) - if len(obj.Scope) == 1 && obj.Scope[0] == "ANY" { - d.Set("scope", nil) - } else { - d.Set("scope", obj.Scope) + return err } - d.Set("sequence_number", obj.SequenceNumber) - d.Set("stateful", obj.Stateful) - d.Set("tcp_strict", obj.TcpStrict) - d.Set("revision", obj.Revision) return setPolicyRulesInSchema(d, obj.Rules) } diff --git a/nsxt/resource_nsxt_policy_security_policy_no_rule.go b/nsxt/resource_nsxt_policy_security_policy_no_rule.go new file mode 100644 index 000000000..212a77f4d --- /dev/null +++ b/nsxt/resource_nsxt_policy_security_policy_no_rule.go @@ -0,0 +1,149 @@ +/* Copyright © 2023 VMware, Inc. All Rights Reserved. + SPDX-License-Identifier: MPL-2.0 */ + +package nsxt + +import ( + "fmt" + "log" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model" + + "github.com/vmware/terraform-provider-nsxt/api/infra/domains" +) + +func resourceNsxtPolicySecurityPolicyNoRule() *schema.Resource { + return &schema.Resource{ + Create: resourceNsxtPolicySecurityPolicyNoRuleCreate, + Read: resourceNsxtPolicySecurityPolicyNoRuleRead, + Update: resourceNsxtPolicySecurityPolicyNoRuleUpdate, + Delete: resourceNsxtPolicySecurityPolicyNoRuleDelete, + Importer: &schema.ResourceImporter{ + State: nsxtDomainResourceImporter, + }, + Schema: getPolicySecurityPolicySchema(false, true, false), + } +} + +func resourceNsxtPolicySecurityPolicyNoRuleCreate(d *schema.ResourceData, m interface{}) error { + connector := getPolicyConnector(m) + + // Initialize resource Id and verify this ID is not yet used + id, err := getOrGenerateID2(d, m, resourceNsxtPolicySecurityPolicyExistsPartial(d.Get("domain").(string))) + if err != nil { + return err + } + + log.Printf("[INFO] Creating Security Policy with ID %s", id) + domain := d.Get("domain").(string) + client := domains.NewSecurityPoliciesClient(getSessionContext(d, m), connector) + + obj := securityPolicySchemaToModelNoRule(d, id) + err = client.Patch(domain, id, obj) + if err != nil { + return handleCreateError("Security Policy", id, err) + } + + d.SetId(id) + d.Set("nsx_id", id) + + return resourceNsxtPolicySecurityPolicyNoRuleRead(d, m) +} + +func securityPolicySchemaToModelNoRule(d *schema.ResourceData, id string) model.SecurityPolicy { + displayName := d.Get("display_name").(string) + description := d.Get("description").(string) + tags := getPolicyTagsFromSchema(d) + category := d.Get("category").(string) + comments := d.Get("comments").(string) + locked := d.Get("locked").(bool) + scope := getStringListFromSchemaSet(d, "scope") + sequenceNumber := int64(d.Get("sequence_number").(int)) + stateful := d.Get("stateful").(bool) + tcpStrict := d.Get("tcp_strict").(bool) + objType := "SecurityPolicy" + + return model.SecurityPolicy{ + Id: &id, + DisplayName: &displayName, + Description: &description, + Tags: tags, + Category: &category, + Comments: &comments, + Locked: &locked, + Scope: scope, + SequenceNumber: &sequenceNumber, + Stateful: &stateful, + TcpStrict: &tcpStrict, + ResourceType: &objType, + } +} + +func resourceNsxtPolicySecurityPolicyNoRuleRead(d *schema.ResourceData, m interface{}) error { + _, err := securityPolicyModelToSchemaNoRule(d, m) + return err +} + +func securityPolicyModelToSchemaNoRule(d *schema.ResourceData, m interface{}) (*model.SecurityPolicy, error) { + connector := getPolicyConnector(m) + id := d.Id() + domainName := d.Get("domain").(string) + if id == "" { + return nil, fmt.Errorf("Error obtaining Security Policy id") + } + client := domains.NewSecurityPoliciesClient(getSessionContext(d, m), connector) + obj, err := client.Get(domainName, id) + if err != nil { + return nil, handleReadError(d, "SecurityPolicy", id, err) + } + d.Set("display_name", obj.DisplayName) + d.Set("description", obj.Description) + setPolicyTagsInSchema(d, obj.Tags) + d.Set("nsx_id", id) + d.Set("path", obj.Path) + d.Set("domain", getDomainFromResourcePath(*obj.Path)) + d.Set("category", obj.Category) + d.Set("comments", obj.Comments) + d.Set("locked", obj.Locked) + if len(obj.Scope) == 1 && obj.Scope[0] == "ANY" { + d.Set("scope", nil) + } else { + d.Set("scope", obj.Scope) + } + d.Set("sequence_number", obj.SequenceNumber) + d.Set("stateful", obj.Stateful) + d.Set("tcp_strict", obj.TcpStrict) + d.Set("revision", obj.Revision) + return &obj, nil +} + +func resourceNsxtPolicySecurityPolicyNoRuleUpdate(d *schema.ResourceData, m interface{}) error { + connector := getPolicyConnector(m) + + id := d.Id() + if id == "" { + return fmt.Errorf("Error obtaining Security Policy id") + } + + log.Printf("[INFO] Updating Security Policy with ID %s", id) + domain := d.Get("domain").(string) + client := domains.NewSecurityPoliciesClient(getSessionContext(d, m), connector) + remoteObj, err := client.Get(domain, id) + if err != nil { + return handleUpdateError("Security Policy", id, err) + } + + obj := securityPolicySchemaToModelNoRule(d, id) + obj.Rules = remoteObj.Rules + err = client.Patch(domain, id, obj) + if err != nil { + return handleUpdateError("Security Policy", id, err) + } + + return resourceNsxtPolicySecurityPolicyNoRuleRead(d, m) +} + +func resourceNsxtPolicySecurityPolicyNoRuleDelete(d *schema.ResourceData, m interface{}) error { + return resourceNsxtPolicySecurityPolicyDelete(d, m) +} diff --git a/nsxt/resource_nsxt_policy_security_policy_no_rule_test.go b/nsxt/resource_nsxt_policy_security_policy_no_rule_test.go new file mode 100644 index 000000000..f7a43baa9 --- /dev/null +++ b/nsxt/resource_nsxt_policy_security_policy_no_rule_test.go @@ -0,0 +1,167 @@ +/* Copyright © 2023 VMware, Inc. All Rights Reserved. + SPDX-License-Identifier: MPL-2.0 */ + +package nsxt + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" +) + +func TestAccResourceNsxtPolicySecurityPolicyNoRule_basic(t *testing.T) { + testAccResourceNsxtPolicySecurityPolicyNoRuleBasic(t, false, func() { + testAccPreCheck(t) + }) +} + +func TestAccResourceNsxtPolicySecurityPolicyNoRule_multitenancy(t *testing.T) { + testAccResourceNsxtPolicySecurityPolicyNoRuleBasic(t, true, func() { + testAccPreCheck(t) + testAccOnlyMultitenancy(t) + }) +} + +func testAccResourceNsxtPolicySecurityPolicyNoRuleBasic(t *testing.T, withContext bool, preCheck func()) { + testResourceName := "nsxt_policy_security_policy_no_rule.test" + + name := getAccTestResourceName() + updatedName := getAccTestResourceName() + locked := "true" + updatedLocked := "false" + seqNum := "1" + updatedSeqNum := "2" + tcpStrict := "true" + updatedTCPStrict := "false" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: preCheck, + Providers: testAccProviders, + CheckDestroy: func(state *terraform.State) error { + return testAccNsxtPolicySecurityPolicyNoRuleCheckDestroy(state, updatedName) + }, + Steps: []resource.TestStep{ + { + Config: testAccNsxtPolicySecurityPolicyNoRuleTemplate(withContext, name, locked, seqNum, tcpStrict), + Check: resource.ComposeTestCheckFunc( + testAccNsxtPolicySecurityPolicyExists(testResourceName, defaultDomain), + resource.TestCheckResourceAttr(testResourceName, "display_name", name), + resource.TestCheckResourceAttr(testResourceName, "locked", locked), + resource.TestCheckResourceAttr(testResourceName, "sequence_number", seqNum), + resource.TestCheckResourceAttr(testResourceName, "tcp_strict", tcpStrict), + ), + }, + { + Config: testAccNsxtPolicySecurityPolicyNoRuleTemplate(withContext, updatedName, updatedLocked, updatedSeqNum, updatedTCPStrict), + Check: resource.ComposeTestCheckFunc( + testAccNsxtPolicySecurityPolicyExists(testResourceName, defaultDomain), + resource.TestCheckResourceAttr(testResourceName, "display_name", updatedName), + resource.TestCheckResourceAttr(testResourceName, "locked", updatedLocked), + resource.TestCheckResourceAttr(testResourceName, "sequence_number", updatedSeqNum), + resource.TestCheckResourceAttr(testResourceName, "tcp_strict", updatedTCPStrict), + ), + }, + }, + }) +} + +func TestAccResourceNsxtPolicySecurityPolicyNoRule_importBasic(t *testing.T) { + name := getAccTestResourceName() + testResourceName := "nsxt_policy_security_policy_no_rule.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: func(state *terraform.State) error { + return testAccNsxtPolicySecurityPolicyNoRuleCheckDestroy(state, name) + }, + Steps: []resource.TestStep{ + { + Config: testAccNsxtPolicySecurityPolicyNoRuleTemplate(false, name, "true", "1", "true"), + }, + { + ResourceName: testResourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccResourceNsxtPolicyImportIDRetriever(testResourceName), + }, + }, + }) +} + +func TestAccResourceNsxtPolicySecurityPolicyNoRule_importBasic_multitenancy(t *testing.T) { + name := getAccTestResourceName() + testResourceName := "nsxt_policy_security_policy_no_rule.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { + testAccPreCheck(t) + testAccOnlyMultitenancy(t) + }, + Providers: testAccProviders, + CheckDestroy: func(state *terraform.State) error { + return testAccNsxtPolicySecurityPolicyCheckDestroy(state, name, defaultDomain) + }, + Steps: []resource.TestStep{ + { + Config: testAccNsxtPolicySecurityPolicyNoRuleTemplate(true, name, "true", "1", "true"), + }, + { + ResourceName: testResourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccResourceNsxtPolicyImportIDRetriever(testResourceName), + }, + }, + }) +} + +func testAccNsxtPolicySecurityPolicyNoRuleCheckDestroy(state *terraform.State, displayName string) error { + connector := getPolicyConnector(testAccProvider.Meta().(nsxtClients)) + for _, rs := range state.RootModule().Resources { + + if rs.Type != "nsxt_policy_security_policy_no_rule" { + continue + } + + resourceID := rs.Primary.Attributes["id"] + domain := rs.Primary.Attributes["domain"] + exists, err := resourceNsxtPolicySecurityPolicyExistsInDomain(testAccGetSessionContext(), resourceID, domain, connector) + if err != nil { + return err + } + if exists { + return fmt.Errorf("Policy SecurityPolicy %s still exists", displayName) + } + } + return nil +} + +func testAccNsxtPolicySecurityPolicyNoRuleTemplate(withContext bool, name, locked, seqNum, tcpStrict string) string { + context := "" + if withContext { + context = testAccNsxtPolicyMultitenancyContext() + } + return testAccNsxtPolicySecurityPolicyDeps() + fmt.Sprintf(` +resource "nsxt_policy_security_policy_no_rule" "test" { +%s + display_name = "%s" + description = "Acceptance Test" + domain = "default" + category = "Application" + locked = %s + sequence_number = %s + stateful = "true" + tcp_strict = %s + scope = [nsxt_policy_group.group1.path] + + tag { + scope = "color" + tag = "orange" + } + + depends_on = [nsxt_policy_group.group1] +}`, context, name, locked, seqNum, tcpStrict) +} diff --git a/nsxt/resource_nsxt_policy_security_policy_rule.go b/nsxt/resource_nsxt_policy_security_policy_rule.go new file mode 100644 index 000000000..fbe23b350 --- /dev/null +++ b/nsxt/resource_nsxt_policy_security_policy_rule.go @@ -0,0 +1,231 @@ +/* Copyright © 2023 VMware, Inc. All Rights Reserved. +SPDX-License-Identifier: MPL-2.0 */ + +package nsxt + +import ( + "fmt" + "log" + "strings" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/vmware/vsphere-automation-sdk-go/runtime/protocol/client" + "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model" + + securitypolicies "github.com/vmware/terraform-provider-nsxt/api/infra/domains/security_policies" + utl "github.com/vmware/terraform-provider-nsxt/api/utl" +) + +func resourceNsxtPolicySecurityPolicyRule() *schema.Resource { + return &schema.Resource{ + Create: resourceNsxtPolicySecurityPolicyRuleCreate, + Read: resourceNsxtPolicySecurityPolicyRuleRead, + Update: resourceNsxtPolicySecurityPolicyRuleUpdate, + Delete: resourceNsxtPolicySecurityPolicyRuleDelete, + Importer: &schema.ResourceImporter{ + State: nsxtSecurityPolicyRuleImporter, + }, + Schema: getSecurityPolicyAndGatewayRuleSchema(false, false, true, true), + } +} + +func resourceNsxtPolicySecurityPolicyRuleCreate(d *schema.ResourceData, m interface{}) error { + connector := getPolicyConnector(m) + + // Initialize resource Id and verify this ID is not yet used + id, err := getOrGenerateID2(d, m, resourceNsxtPolicySecurityPolicyRuleExistsPartial(d.Get("policy_path").(string))) + if err != nil { + return err + } + + policyPath := d.Get("policy_path").(string) + log.Printf("[INFO] Creating Security Policy Rule with ID %s under policy %s", id, policyPath) + domain := getDomainFromResourcePath(policyPath) + policyID := getPolicyIDFromPath(policyPath) + + client := securitypolicies.NewRulesClient(getSessionContext(d, m), connector) + rule := securityPolicyRuleSchemaToModel(d, id) + err = client.Patch(domain, policyID, id, rule) + if err != nil { + return handleCreateError("Security Policy Rule", id, err) + } + + d.SetId(id) + d.Set("nsx_id", id) + + return resourceNsxtPolicySecurityPolicyRuleRead(d, m) +} + +func securityPolicyRuleSchemaToModel(d *schema.ResourceData, id string) model.Rule { + displayName := d.Get("display_name").(string) + description := d.Get("description").(string) + action := d.Get("action").(string) + logged := d.Get("logged").(bool) + tag := d.Get("log_label").(string) + disabled := d.Get("disabled").(bool) + sourcesExcluded := d.Get("sources_excluded").(bool) + destinationsExcluded := d.Get("destinations_excluded").(bool) + + var ipProtocol *string + ipp := d.Get("ip_version").(string) + if ipp != "NONE" { + ipProtocol = &ipp + } + direction := d.Get("direction").(string) + notes := d.Get("notes").(string) + seq := d.Get("sequence_number").(int) + sequenceNumber := int64(seq) + tagStructs := getPolicyTagsFromSet(d.Get("tag").(*schema.Set)) + + resourceType := "Rule" + return model.Rule{ + ResourceType: &resourceType, + Id: &id, + DisplayName: &displayName, + Notes: ¬es, + Description: &description, + Action: &action, + Logged: &logged, + Tag: &tag, + Tags: tagStructs, + Disabled: &disabled, + SourcesExcluded: &sourcesExcluded, + DestinationsExcluded: &destinationsExcluded, + IpProtocol: ipProtocol, + Direction: &direction, + SourceGroups: getPathListFromSchema(d, "source_groups"), + DestinationGroups: getPathListFromSchema(d, "destination_groups"), + Services: getPathListFromSchema(d, "services"), + Scope: getPathListFromSchema(d, "scope"), + Profiles: getPathListFromSchema(d, "profiles"), + SequenceNumber: &sequenceNumber, + } +} + +func resourceNsxtPolicySecurityPolicyRuleExistsPartial(policyPath string) func(sessionContext utl.SessionContext, id string, connector client.Connector) (bool, error) { + return func(sessionContext utl.SessionContext, id string, connector client.Connector) (bool, error) { + return resourceNsxtPolicySecurityPolicyRuleExists(sessionContext, id, policyPath, connector) + } +} + +func resourceNsxtPolicySecurityPolicyRuleExists(sessionContext utl.SessionContext, id string, policyPath string, connector client.Connector) (bool, error) { + client := securitypolicies.NewRulesClient(sessionContext, connector) + + domain := getDomainFromResourcePath(policyPath) + policyID := getPolicyIDFromPath(policyPath) + _, err := client.Get(domain, policyID, id) + + if err == nil { + return true, nil + } + + if isNotFoundError(err) { + return false, nil + } + + return false, logAPIError("Error retrieving Security Policy Rule", err) +} + +func resourceNsxtPolicySecurityPolicyRuleRead(d *schema.ResourceData, m interface{}) error { + connector := getPolicyConnector(m) + id := d.Id() + if id == "" { + return fmt.Errorf("Error obtaining Security Policy Rule ID") + } + + policyPath := d.Get("policy_path").(string) + domain := getDomainFromResourcePath(policyPath) + policyID := getPolicyIDFromPath(policyPath) + client := securitypolicies.NewRulesClient(getSessionContext(d, m), connector) + rule, err := client.Get(domain, policyID, id) + if err != nil { + return handleReadError(d, "SecurityPolicyRule", fmt.Sprintf("%s/%s", policyPath, id), err) + } + + securityPolicyRuleModelToSchema(d, rule) + return nil +} + +func securityPolicyRuleModelToSchema(d *schema.ResourceData, rule model.Rule) { + d.Set("display_name", rule.DisplayName) + d.Set("description", rule.Description) + d.Set("path", rule.Path) + d.Set("notes", rule.Notes) + d.Set("logged", rule.Logged) + d.Set("log_label", rule.Tag) + d.Set("action", rule.Action) + d.Set("destinations_excluded", rule.DestinationsExcluded) + d.Set("sources_excluded", rule.SourcesExcluded) + if rule.IpProtocol == nil { + d.Set("ip_version", "NONE") + } else { + d.Set("ip_version", rule.IpProtocol) + } + d.Set("direction", rule.Direction) + d.Set("disabled", rule.Disabled) + d.Set("revision", rule.Revision) + setPathListInSchema(d, "source_groups", rule.SourceGroups) + setPathListInSchema(d, "destination_groups", rule.DestinationGroups) + setPathListInSchema(d, "profiles", rule.Profiles) + setPathListInSchema(d, "services", rule.Services) + setPathListInSchema(d, "scope", rule.Scope) + d.Set("sequence_number", rule.SequenceNumber) + d.Set("nsx_id", rule.Id) + d.Set("rule_id", rule.RuleId) + + setPolicyTagsInSchema(d, rule.Tags) +} + +func resourceNsxtPolicySecurityPolicyRuleUpdate(d *schema.ResourceData, m interface{}) error { + connector := getPolicyConnector(m) + + id := d.Id() + if id == "" { + return fmt.Errorf("Error obtaining Security Policy Rule ID") + } + + policyPath := d.Get("policy_path").(string) + log.Printf("[INFO] Updating Security Policy Rule with ID %s under policy %s", id, policyPath) + domain := getDomainFromResourcePath(policyPath) + policyID := getPolicyIDFromPath(policyPath) + + client := securitypolicies.NewRulesClient(getSessionContext(d, m), connector) + rule := securityPolicyRuleSchemaToModel(d, id) + err := client.Patch(domain, policyID, id, rule) + if err != nil { + return handleUpdateError("Security Policy Rule", id, err) + } + + return resourceNsxtPolicySecurityPolicyRuleRead(d, m) +} + +func resourceNsxtPolicySecurityPolicyRuleDelete(d *schema.ResourceData, m interface{}) error { + id := d.Get("nsx_id").(string) + if id == "" { + return fmt.Errorf("Error obtaining Security Policy Rule ID") + } + + connector := getPolicyConnector(m) + + policyPath := d.Get("policy_path").(string) + log.Printf("[INFO] Deleting Security Policy Rule with ID %s under policy %s", id, policyPath) + domain := getDomainFromResourcePath(policyPath) + policyID := getPolicyIDFromPath(policyPath) + + client := securitypolicies.NewRulesClient(getSessionContext(d, m), connector) + return client.Delete(domain, policyID, id) +} + +func nsxtSecurityPolicyRuleImporter(d *schema.ResourceData, m interface{}) ([]*schema.ResourceData, error) { + importID := d.Id() + // Example of Rule path: /infra/domains/default/security-policies/04e862ad-ddce-434c-8453-229e2740982e/rules/b971bdc3-9e8f-442d-a694-846cbbb46ca5 + if strings.Count(importID, "/") != 7 { + return nil, fmt.Errorf("Invalid SecurityPolicyRule path %s", importID) + } + rd, err := nsxtPolicyPathResourceImporterHelper(d, m) + if err != nil { + return rd, err + } + d.Set("policy_path", importID[:strings.Index(importID, "rule")-1]) + return []*schema.ResourceData{d}, nil +} diff --git a/nsxt/resource_nsxt_policy_security_policy_rule_test.go b/nsxt/resource_nsxt_policy_security_policy_rule_test.go new file mode 100644 index 000000000..b55129e16 --- /dev/null +++ b/nsxt/resource_nsxt_policy_security_policy_rule_test.go @@ -0,0 +1,229 @@ +/* Copyright © 2023 VMware, Inc. All Rights Reserved. + SPDX-License-Identifier: MPL-2.0 */ + +package nsxt + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" +) + +func TestAccResourceNsxtPolicySecurityPolicyRule_basic(t *testing.T) { + testAccResourceNsxtPolicySecurityPolicyRuleBasic(t, false, func() { + testAccPreCheck(t) + }) +} + +func TestAccResourceNsxtPolicySecurityPolicyRule_multitenancy(t *testing.T) { + testAccResourceNsxtPolicySecurityPolicyRuleBasic(t, true, func() { + testAccPreCheck(t) + testAccOnlyMultitenancy(t) + }) +} + +func testAccResourceNsxtPolicySecurityPolicyRuleBasic(t *testing.T, withContext bool, preCheck func()) { + testResourceName := "nsxt_policy_security_policy_rule.test" + + name := getAccTestResourceName() + updatedName := getAccTestResourceName() + direction := "IN" + updatedDirection := "OUT" + proto := "IPV4" + updatedProto := "IPV4_IPV6" + action := "ALLOW" + updatedAction := "DROP" + seqNum := "1" + updatedSeqNum := "2" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: preCheck, + Providers: testAccProviders, + CheckDestroy: func(state *terraform.State) error { + return testAccNsxtPolicySecurityPolicyRuleCheckDestroy(state, updatedName) + }, + Steps: []resource.TestStep{ + { + Config: testAccNsxtPolicySecurityPolicyRuleTemplate(withContext, name, action, direction, proto, seqNum), + Check: resource.ComposeTestCheckFunc( + testAccNsxtPolicySecurityPolicyRuleExists(testResourceName), + resource.TestCheckResourceAttr(testResourceName, "display_name", name), + resource.TestCheckResourceAttr(testResourceName, "action", action), + resource.TestCheckResourceAttr(testResourceName, "direction", direction), + resource.TestCheckResourceAttr(testResourceName, "ip_version", proto), + resource.TestCheckResourceAttr(testResourceName, "sequence_number", seqNum), + ), + }, + { + Config: testAccNsxtPolicySecurityPolicyRuleTemplate(withContext, updatedName, updatedAction, updatedDirection, updatedProto, updatedSeqNum), + Check: resource.ComposeTestCheckFunc( + testAccNsxtPolicySecurityPolicyRuleExists(testResourceName), + resource.TestCheckResourceAttr(testResourceName, "display_name", updatedName), + resource.TestCheckResourceAttr(testResourceName, "action", updatedAction), + resource.TestCheckResourceAttr(testResourceName, "direction", updatedDirection), + resource.TestCheckResourceAttr(testResourceName, "ip_version", updatedProto), + resource.TestCheckResourceAttr(testResourceName, "sequence_number", updatedSeqNum), + ), + }, + }, + }) +} + +func TestAccResourceNsxtPolicySecurityPolicyRule_importBasic(t *testing.T) { + name := getAccTestResourceName() + testResourceName := "nsxt_policy_security_policy_rule.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: func(state *terraform.State) error { + return testAccNsxtPolicySecurityPolicyRuleCheckDestroy(state, name) + }, + Steps: []resource.TestStep{ + { + Config: testAccNsxtPolicySecurityPolicyRuleTemplate(false, name, "ALLOW", "IN", "IPV4", "1"), + }, + { + ResourceName: testResourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccResourceNsxtPolicyImportIDRetriever(testResourceName), + }, + }, + }) +} + +func TestAccResourceNsxtPolicySecurityPolicyRule_importBasic_multitenancy(t *testing.T) { + name := getAccTestResourceName() + testResourceName := "nsxt_policy_security_policy_rule.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { + testAccPreCheck(t) + testAccOnlyMultitenancy(t) + }, + Providers: testAccProviders, + CheckDestroy: func(state *terraform.State) error { + return testAccNsxtPolicySecurityPolicyCheckDestroy(state, name, defaultDomain) + }, + Steps: []resource.TestStep{ + { + Config: testAccNsxtPolicySecurityPolicyRuleTemplate(true, name, "ALLOW", "IN", "IPV4", "1"), + }, + { + ResourceName: testResourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccResourceNsxtPolicyImportIDRetriever(testResourceName), + }, + }, + }) +} + +func testAccNsxtPolicySecurityPolicyRuleExists(resourceName string) resource.TestCheckFunc { + return func(state *terraform.State) error { + + connector := getPolicyConnector(testAccProvider.Meta().(nsxtClients)) + + rs, ok := state.RootModule().Resources[resourceName] + if !ok { + return fmt.Errorf("Policy SecurityPolicyRule resource %s not found in resources", resourceName) + } + + resourceID := rs.Primary.ID + if resourceID == "" { + return fmt.Errorf("Policy SecurityPolicyRule resource ID not set in resources") + } + + policyPath := rs.Primary.Attributes["policy_path"] + exists, err := resourceNsxtPolicySecurityPolicyRuleExists(testAccGetSessionContext(), resourceID, policyPath, connector) + if err != nil { + return err + } + if !exists { + return fmt.Errorf("Error while retrieving policy SecurityPolicyRule ID %s under SecurityPolicy %s", resourceID, policyPath) + } + return nil + } +} + +func testAccNsxtPolicySecurityPolicyRuleCheckDestroy(state *terraform.State, displayName string) error { + connector := getPolicyConnector(testAccProvider.Meta().(nsxtClients)) + for _, rs := range state.RootModule().Resources { + + if rs.Type != "nsxt_policy_security_policy_rule" { + continue + } + + resourceID := rs.Primary.Attributes["id"] + policyPath := rs.Primary.Attributes["policy_path"] + exists, err := resourceNsxtPolicySecurityPolicyRuleExists(testAccGetSessionContext(), resourceID, policyPath, connector) + if err != nil { + return err + } + if exists { + return fmt.Errorf("Policy SecurityPolicyRule %s still exists", displayName) + } + } + return nil +} + +func testAccNsxtPolicySecurityPolicyRuleDeps(withContext bool) string { + context := "" + if withContext { + context = testAccNsxtPolicyMultitenancyContext() + } + return testAccNsxtPolicySecurityPolicyDeps() + fmt.Sprintf(` +resource "nsxt_policy_security_policy_no_rule" "policy1" { +%s + display_name = "no-rule-policy" + description = "Acceptance Test" + category = "Application" + locked = false + sequence_number = 3 + stateful = true + tcp_strict = false + scope = [nsxt_policy_group.group1.path] + + tag { + scope = "color" + tag = "orange" + } + + depends_on = [nsxt_policy_group.group1] +}`, context) +} + +func testAccNsxtPolicySecurityPolicyRuleTemplate(withContext bool, name, action, direction, ipVersion, seqNum string) string { + context := "" + if withContext { + context = testAccNsxtPolicyMultitenancyContext() + } + return testAccNsxtPolicySecurityPolicyRuleDeps(withContext) + fmt.Sprintf(` +resource "nsxt_policy_security_policy_rule" "test" { +%s + display_name = "%s" + policy_path = nsxt_policy_security_policy_no_rule.policy1.path + action = "%s" + direction = "%s" + ip_version = "%s" + source_groups = [nsxt_policy_group.group2.path] + sequence_number = %s + + tag { + scope = "color" + tag = "orange" + } + + depends_on = [nsxt_policy_security_policy_no_rule.policy1, nsxt_policy_group.group2] +} + +data "nsxt_policy_security_policy_rule" "test" { +%s + display_name = "%s" + policy_path = nsxt_policy_security_policy_no_rule.policy1.path + depends_on = [nsxt_policy_security_policy_rule.test] +}`, context, name, action, direction, ipVersion, seqNum, context, name) +} diff --git a/website/docs/d/compute_manager.html.markdown b/website/docs/d/compute_manager.html.markdown index b142955c7..1ccee4abc 100644 --- a/website/docs/d/compute_manager.html.markdown +++ b/website/docs/d/compute_manager.html.markdown @@ -27,4 +27,4 @@ data "nsxt_compute_manager" "test_vcenter" { In addition to arguments listed above, the following attributes are exported: * `description` - The description of the resource. -* `server` - IP address or hostname of the resource. \ No newline at end of file +* `server` - IP address or hostname of the resource. diff --git a/website/docs/d/policy_security_policy_rule.html.markdown b/website/docs/d/policy_security_policy_rule.html.markdown new file mode 100644 index 000000000..053b4f693 --- /dev/null +++ b/website/docs/d/policy_security_policy_rule.html.markdown @@ -0,0 +1,51 @@ +--- +subcategory: "Firewall" +layout: "nsxt" +page_title: "NSXT: policy_security_policy_rule" +description: A policy Security Policy data source. +--- + +# nsxt_policy_security_policy_rule + +This data source provides information about policy Security Policy Rules configured on NSX. +This data source is applicable to NSX Policy Manager, NSX Global Manager and VMC. + +## Example Usage + +```hcl +data "nsxt_policy_security_policy_rule" "rule1" { + display_name = "rule1" + policy_path = data.nsxt_policy_security_policy.policy1.path +} +``` + +## Example Usage - Multi-Tenancy + +```hcl +data "nsxt_policy_project" "demoproj" { + display_name = "demoproj" +} + +data "nsxt_policy_security_policy_rule" "rule1" { + context { + project_id = data.nsxt_policy_project.demoproj.id + } + display_name = "rule name" + policy_path = data.nsxt_policy_security_policy.policy1.path +} +``` + +## Argument Reference + +* `id` - (Optional) The ID of Security Policy Rule to retrieve. +* `display_name` - (Optional) The Display Name of the Security Policy Rule to retrieve. +* `policy_path` - (Required) The path of the Security Policy which the object belongs to +* `context` - (Optional) The context which the object belongs to + * `project_id` - (Required) The ID of the project which the object belongs to + +## Attributes Reference + +In addition to arguments listed above, the following attributes are exported: + +* `description` - The description of the resource. +* `path` - The NSX path of the policy resource. diff --git a/website/docs/r/policy_security_policy_no_rule.html.markdown b/website/docs/r/policy_security_policy_no_rule.html.markdown new file mode 100644 index 000000000..528941de9 --- /dev/null +++ b/website/docs/r/policy_security_policy_no_rule.html.markdown @@ -0,0 +1,157 @@ +--- +subcategory: "Firewall" +layout: "nsxt" +page_title: "NSXT: nsxt_policy_security_policy_no_rule" +description: A resource to configure a Security Policy without rules. +--- + +# nsxt_policy_security_policy_no_rule + +This resource provides a method for the management of Security Policy without rules. + +Note: to avoid unexpected behavior, don't use this resource and resource `nsxt_policy_security_policy` to manage the same Security Policy at the same time. +To config rules under this resource, please use resource `nsxt_policy_security_policy_rule` to manage rules separately. + +This resource is applicable to NSX Global Manager, NSX Policy Manager and VMC. + +## Example Usage + +```hcl +resource "nsxt_policy_security_policy_no_rule" "policy1" { + display_name = "policy1" + description = "Terraform provisioned Security Policy" + category = "Application" + locked = false + stateful = true + tcp_strict = false + scope = [nsxt_policy_group.pets.path] + + lifecycle { + create_before_destroy = true + } +} + +resource "nsxt_policy_security_policy_rule" "rule1" { + display_name = "rule1" + description = "Terraform provisioned Security Policy Rule" + policy_path = nsxt_policy_security_policy_no_rule.policy1.path + sequence_number = 1 + destination_groups = [nsxt_policy_group.cats.path, nsxt_policy_group.dogs.path] + action = "DROP" + services = [nsxt_policy_service.icmp.path] + logged = true +} +``` + +## Global Manager example + +```hcl +data "nsxt_policy_site" "paris" { + display_name = "Paris" +} +resource "nsxt_policy_security_policy_no_rule" "policy1" { + display_name = "policy1" + description = "Terraform provisioned Security Policy" + category = "Application" + locked = false + stateful = true + tcp_strict = false + scope = [nsxt_policy_group.pets.path] + domain = data.nsxt_policy_site.paris.id + + lifecycle { + create_before_destroy = true + } +} + +resource "nsxt_policy_security_policy_rule" "rule1" { + display_name = "rule1" + description = "Terraform provisioned Security Policy Rule" + policy_path = nsxt_policy_security_policy_no_rule.policy1.path + sequence_number = 1 + destination_groups = [nsxt_policy_group.cats.path, nsxt_policy_group.dogs.path] + action = "DROP" + services = [nsxt_policy_service.icmp.path] + logged = true +} +``` + +## Example Usage - Multi-Tenancy + +```hcl +data "nsxt_policy_project" "demoproj" { + display_name = "demoproj" +} + +resource "nsxt_policy_security_policy_no_rule" "policy1" { + context { + project_id = data.nsxt_policy_project.demoproj.id + } + display_name = "policy1" + description = "Terraform provisioned Security Policy" + category = "Application" + locked = false + stateful = true + tcp_strict = false + scope = [nsxt_policy_group.pets.path] + + lifecycle { + create_before_destroy = true + } +} + +resource "nsxt_policy_security_policy_rule" "rule1" { + context { + project_id = data.nsxt_policy_project.demoproj.id + } + display_name = "rule1" + description = "Terraform provisioned Security Policy Rule" + policy_path = nsxt_policy_security_policy_no_rule.policy1.path + sequence_number = 1 + destination_groups = [nsxt_policy_group.cats.path, nsxt_policy_group.dogs.path] + action = "DROP" + services = [nsxt_policy_service.icmp.path] + logged = true +} +``` + +-> We recommend using `lifecycle` directive as in samples above, in order to avoid dependency issues when updating groups/services simultaneously with the rule. + +## Argument Reference + +The following arguments are supported: + +* `display_name` - (Required) Display name of the resource. +* `description` - (Optional) Description of the resource. +* `domain` - (Optional) The domain to use for the resource. This domain must already exist. For VMware Cloud on AWS use `cgw`. For Global Manager, please use site id for this field. If not specified, this field is default to `default`. +* `tag` - (Optional) A list of scope + tag pairs to associate with this policy. +* `nsx_id` - (Optional) The NSX ID of this resource. If set, this ID will be used to create the resource. +* `context` - (Optional) The context which the object belongs to + * `project_id` - (Required) The ID of the project which the object belongs to +* `category` - (Required) Category of this policy. For local manager must be one of `Ethernet`, `Emergency`, `Infrastructure`, `Environment`, `Application`. For global manager must be one of: `Infrastructure`, `Environment`, `Application`. +* `comments` - (Optional) Comments for security policy lock/unlock. +* `locked` - (Optional) Indicates whether a security policy should be locked. If locked by a user, no other user would be able to modify this policy. +* `scope` - (Optional) The list of policy object paths where the rules in this policy will get applied. +* `sequence_number` - (Optional) This field is used to resolve conflicts between security policies across domains. +* `stateful` - (Optional) If true, state of the network connects are tracked and a stateful packet inspection is performed. Default is true. +* `tcp_strict` - (Optional) Ensures that a 3 way TCP handshake is done before the data packets are sent. Default is false. + +## Attributes Reference + +In addition to arguments listed above, the following attributes are exported: + +* `id` - ID of the Security Policy. +* `revision` - Indicates current revision number of the object as seen by NSX-T API server. This attribute can be useful for debugging. +* `path` - The NSX path of the policy resource. + +## Importing + +An existing security policy can be [imported][docs-import] into this resource, via the following command: + +[docs-import]: https://www.terraform.io/cli/import + +``` +terraform import nsxt_policy_security_policy_no_rule.policy1 domain/ID +``` + +The above command imports the security policy named `policy1` under NSX domain `domain` with the NSX Policy ID `ID`. diff --git a/website/docs/r/policy_security_policy_rule.html.markdown b/website/docs/r/policy_security_policy_rule.html.markdown new file mode 100644 index 000000000..a1b844dcc --- /dev/null +++ b/website/docs/r/policy_security_policy_rule.html.markdown @@ -0,0 +1,100 @@ +--- +subcategory: "Firewall" +layout: "nsxt" +page_title: "NSXT: nsxt_policy_security_policy_rule" +description: A resource to configure a Security Policy Rule. +--- + +# nsxt_policy_security_policy_rule + +This resource provides a method for the management of Security Policy Rule. + +Note: to avoid unexpected behavior, don't use this resource and resource `nsxt_policy_security_policy` to manage rules under a security policy at the same time. +Recommend to use this resource with resource `nsxt_policy_security_policy_no_rule` to manage a security policy and its rules separately. And use `nsxt_policy_security_policy` to manage a security policy and its rules in one single resource. + +This resource is applicable to NSX Global Manager, NSX Policy Manager and VMC. + +## Example Usage + +```hcl +resource "nsxt_policy_security_policy_rule" "rule1" { + display_name = "rule1" + description = "Terraform provisioned Security Policy Rule" + policy_path = nsxt_policy_security_policy_no_rule.policy1.path + sequence_number = 1 + destination_groups = [nsxt_policy_group.cats.path, nsxt_policy_group.dogs.path] + action = "DROP" + services = [nsxt_policy_service.icmp.path] + logged = true +} +``` + +## Example Usage - Multi-Tenancy + +```hcl +data "nsxt_policy_project" "demoproj" { + display_name = "demoproj" +} + +resource "nsxt_policy_security_policy_rule" "rule1" { + context { + project_id = data.nsxt_policy_project.demoproj.id + } + display_name = "rule1" + description = "Terraform provisioned Security Policy Rule" + policy_path = data.nsxt_policy_security_policy.policy1.path + sequence_number = 1 + destination_groups = [nsxt_policy_group.cats.path, nsxt_policy_group.dogs.path] + action = "DROP" + services = [nsxt_policy_service.icmp.path] + logged = true +} +``` + +## Argument Reference + +The following arguments are supported: + +* `display_name` - (Required) Display name of the resource. +* `description` - (Optional) Description of the resource. +* `tag` - (Optional) A list of scope + tag pairs to associate with this policy. +* `nsx_id` - (Optional) The NSX ID of this resource. If set, this ID will be used to create the resource. +* `policy_path` - (Required) The path of the Security Policy which the object belongs to +* `context` - (Optional) The context which the object belongs to + * `project_id` - (Required) The ID of the project which the object belongs to +* `sequence_number` - (Required) This field is used to resolve conflicts between multiple Rules under Security or Gateway Policy for a Domain. Please note that sequence numbers should start with 1 and not 0 to avoid confusion. +* `action` - (Optional) Rule action, one of `ALLOW`, `DROP`, `REJECT` and `JUMP_TO_APPLICATION`. Default is `ALLOW`. `JUMP_TO_APPLICATION` is only applicable in `Environment` category. +* `destination_groups` - (Optional) Set of group paths that serve as the destination for this rule. IPs, IP ranges, or CIDRs may also be used starting in NSX-T 3.0. An empty set can be used to specify "Any". +* `source_groups` - (Optional) Set of group paths that serve as the source for this rule. IPs, IP ranges, or CIDRs may also be used starting in NSX-T 3.0. An empty set can be used to specify "Any". +* `destinations_excluded` - (Optional) A boolean value indicating negation of destination groups. +* `sources_excluded` - (Optional) A boolean value indicating negation of source groups. +* `direction` - (Optional) Traffic direction, one of `IN`, `OUT` or `IN_OUT`. Default is `IN_OUT`. +* `disabled` - (Optional) Flag to disable this rule. Default is false. +* `ip_version` - (Optional) Version of IP protocol, one of `NONE`, `IPV4`, `IPV6`, `IPV4_IPV6`. Default is `IPV4_IPV6`. For `Ethernet` category rules, use `NONE` value. +* `logged` - (Optional) Flag to enable packet logging. Default is false. +* `notes` - (Optional) Additional notes on changes. +* `profiles` - (Optional) Set of profile paths relevant for this rule. +* `scope` - (Optional) Set of policy object paths where the rule is applied. +* `services` - (Optional) Set of service paths to match. +* `log_label` - (Optional) Additional information (string) which will be propagated to the rule syslog. + + +## Attributes Reference + +In addition to arguments listed above, the following attributes are exported: + +* `revision` - Indicates current revision number of the object as seen by NSX-T API server. This attribute can be useful for debugging. +* `path` - The NSX path of the policy resource. +* `rule_id` - Unique positive number that is assigned by the system and is useful for debugging. + +## Importing + +An existing security policy can be [imported][docs-import] into this resource, via the following command: + +[docs-import]: https://www.terraform.io/cli/import + +``` +terraform import nsxt_policy_security_policy_rule.rule1 POLICY_PATH +``` + +The above command imports the security policy rule named `rule1` with policy path `POLICY_PATH`.