diff --git a/nsxt/data_source_nsxt_policy_security_policy_rule.go b/nsxt/data_source_nsxt_policy_security_policy_rule.go
new file mode 100644
index 000000000..85d958408
--- /dev/null
+++ b/nsxt/data_source_nsxt_policy_security_policy_rule.go
@@ -0,0 +1,85 @@ +/* Copyright © 2023 VMware, Inc. All Rights Reserved. + SPDX-License-Identifier: MPL-2.0 */ + +package nsxt + +import ( + "fmt" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + securitypolicies "github.com/vmware/terraform-provider-nsxt/api/infra/domains/security_policies" + "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model" + "strings" +) + +func dataSourceNsxtPolicySecurityPolicyRule() *schema.Resource { + return &schema.Resource{ + Read: dataSourceNsxtPolicySecurityPolicyRuleRead, + + Schema: map[string]*schema.Schema{ + "id": getDataSourceIDSchema(), + "display_name": getDataSourceDisplayNameSchema(), + "description": getDataSourceDescriptionSchema(), + "path": getPathSchema(), + "policy_path": getPolicyPathSchema(true, false, "Security Policy path"), + "context": getContextSchema(), + }, + } +} + +func dataSourceNsxtPolicySecurityPolicyRuleRead(d *schema.ResourceData, m interface{}) error { + connector := getPolicyConnector(m) + + policyPath := d.Get("policy_path").(string) + domain := getDomainFromResourcePath(policyPath) + policyID := getPolicyIDFromPath(policyPath) + + client := securitypolicies.NewRulesClient(getSessionContext(d, m), connector) + objID := d.Get("id").(string) + var obj model.Rule + if objID != "" { + // Get by id + objGet, err := client.Get(domain, policyID, objID) + + if err != nil { + return handleDataSourceReadError(d, "SecurityPolicyRule", objID, err) + } + obj = objGet + } else { + // Get by full name/prefix + displayName := d.Get("display_name").(string) + objList, err := client.List(domain, policyID, nil, nil, nil, nil, nil, nil) + if err != nil { + return handleListError("SecurityPolicyRule", err) + } + // go over the list to find the correct one (prefer a perfect match. 
If not - prefix match) + var perfectMatch []model.Rule + var prefixMatch []model.Rule + for _, objInList := range objList.Results { + if strings.HasPrefix(*objInList.DisplayName, displayName) { + prefixMatch = append(prefixMatch, objInList) + } + if *objInList.DisplayName == displayName { + perfectMatch = append(perfectMatch, objInList) + } + } + if len(perfectMatch) > 0 { + if len(perfectMatch) > 1 { + return fmt.Errorf("Found multiple SecurityPolicyRule with name '%s'", displayName) + } + obj = perfectMatch[0] + } else if len(prefixMatch) > 0 { + if len(prefixMatch) > 1 { + return fmt.Errorf("Found multiple SecurityPolicyRule with name starting with '%s'", displayName) + } + obj = prefixMatch[0] + } else { + return fmt.Errorf("SecurityPolicyRule with name '%s' was not found", displayName) + } + } + + d.SetId(*obj.Id) + d.Set("display_name", obj.DisplayName) + d.Set("description", obj.Description) + d.Set("path", obj.Path) + return nil +} diff --git a/nsxt/policy_common.go b/nsxt/policy_common.go index 22402f752..62d2cba39 100644 --- a/nsxt/policy_common.go +++ b/nsxt/policy_common.go @@ -296,6 +296,7 @@ func getSecurityPolicyAndGatewayRuleSchema(scopeRequired bool, isIds bool, nsxID Required: true, } ruleSchema["context"] = getContextSchema() + ruleSchema["path"] = getPathSchema() } else { ruleSchema["sequence_number"] = &schema.Schema{ Type: schema.TypeInt, diff --git a/nsxt/provider.go b/nsxt/provider.go index 544ca28d1..51a659b4b 100644 --- a/nsxt/provider.go +++ b/nsxt/provider.go @@ -294,6 +294,7 @@ func Provider() *schema.Provider { "nsxt_policy_host_transport_node": dataSourceNsxtPolicyHostTransportNode(), "nsxt_manager_cluster_node": dataSourceNsxtManagerClusterNode(), "nsxt_policy_host_transport_node_profile": dataSourceNsxtPolicyHostTransportNodeProfile(), + "nsxt_policy_security_policy_rule": dataSourceNsxtPolicySecurityPolicyRule(), }, ResourcesMap: map[string]*schema.Resource{ 
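Review bot: In the display-name branch of dataSourceNsxtPolicySecurityPolicyRuleRead, `*objInList.DisplayName` is dereferenced without a nil check, so a rule returned without a display name would panic the provider; guard it with `if objInList.DisplayName == nil { continue }` at the top of the loop. The same branch calls `client.List` once with a nil cursor and scans only `objList.Results`; if the API pages its results (not visible in this hunk), an exact match on a later page is missed and the prefix fallback can bind the data source to a different firewall rule than the one named. Consider following the result cursor until it is exhausted before choosing between exact and prefix matches, and checking `obj.Id` for nil before `d.SetId(*obj.Id)`.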
diff --git a/nsxt/resource_nsxt_policy_security_policy_no_rule.go b/nsxt/resource_nsxt_policy_security_policy_no_rule.go index f38e4636d..212a77f4d 100644 --- a/nsxt/resource_nsxt_policy_security_policy_no_rule.go +++ b/nsxt/resource_nsxt_policy_security_policy_no_rule.go @@ -1,4 +1,4 @@ -/* Copyright © 2019 VMware, Inc. All Rights Reserved. +/* Copyright © 2023 VMware, Inc. All Rights Reserved. SPDX-License-Identifier: MPL-2.0 */ package nsxt diff --git a/nsxt/resource_nsxt_policy_security_policy_no_rule_test.go b/nsxt/resource_nsxt_policy_security_policy_no_rule_test.go new file mode 100644 index 000000000..f7a43baa9 --- /dev/null +++ b/nsxt/resource_nsxt_policy_security_policy_no_rule_test.go 
@@ -0,0 +1,167 @@ +/* Copyright © 2023 VMware, Inc. All Rights Reserved. + SPDX-License-Identifier: MPL-2.0 */ + +package nsxt + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" +) + +func TestAccResourceNsxtPolicySecurityPolicyNoRule_basic(t *testing.T) { + testAccResourceNsxtPolicySecurityPolicyNoRuleBasic(t, false, func() { + testAccPreCheck(t) + }) +} + +func TestAccResourceNsxtPolicySecurityPolicyNoRule_multitenancy(t *testing.T) { + testAccResourceNsxtPolicySecurityPolicyNoRuleBasic(t, true, func() { + testAccPreCheck(t) + testAccOnlyMultitenancy(t) + }) +} + +func testAccResourceNsxtPolicySecurityPolicyNoRuleBasic(t *testing.T, withContext bool, preCheck func()) { + testResourceName := "nsxt_policy_security_policy_no_rule.test" + + name := getAccTestResourceName() + updatedName := getAccTestResourceName() + locked := "true" + updatedLocked := "false" + seqNum := "1" + updatedSeqNum := "2" + tcpStrict := "true" + updatedTCPStrict := "false" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: preCheck, + Providers: testAccProviders, + CheckDestroy: func(state *terraform.State) error { + return testAccNsxtPolicySecurityPolicyNoRuleCheckDestroy(state, updatedName) + }, + Steps: []resource.TestStep{ + { + Config: testAccNsxtPolicySecurityPolicyNoRuleTemplate(withContext, name, locked, seqNum, tcpStrict), + Check: resource.ComposeTestCheckFunc( + testAccNsxtPolicySecurityPolicyExists(testResourceName, defaultDomain), + resource.TestCheckResourceAttr(testResourceName, "display_name", name), + resource.TestCheckResourceAttr(testResourceName, "locked", locked), + resource.TestCheckResourceAttr(testResourceName, "sequence_number", seqNum), + resource.TestCheckResourceAttr(testResourceName, "tcp_strict", tcpStrict), + ), + }, + { + Config: testAccNsxtPolicySecurityPolicyNoRuleTemplate(withContext, updatedName, updatedLocked, updatedSeqNum, 
updatedTCPStrict), + Check: resource.ComposeTestCheckFunc( + testAccNsxtPolicySecurityPolicyExists(testResourceName, defaultDomain), + resource.TestCheckResourceAttr(testResourceName, "display_name", updatedName), + resource.TestCheckResourceAttr(testResourceName, "locked", updatedLocked), + resource.TestCheckResourceAttr(testResourceName, "sequence_number", updatedSeqNum), + resource.TestCheckResourceAttr(testResourceName, "tcp_strict", updatedTCPStrict), + ), + }, + }, + }) +} + +func TestAccResourceNsxtPolicySecurityPolicyNoRule_importBasic(t *testing.T) { + name := getAccTestResourceName() + testResourceName := "nsxt_policy_security_policy_no_rule.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: func(state *terraform.State) error { + return testAccNsxtPolicySecurityPolicyNoRuleCheckDestroy(state, name) + }, + Steps: []resource.TestStep{ + { + Config: testAccNsxtPolicySecurityPolicyNoRuleTemplate(false, name, "true", "1", "true"), + }, + { + ResourceName: testResourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccResourceNsxtPolicyImportIDRetriever(testResourceName), + }, + }, + }) +} + +func TestAccResourceNsxtPolicySecurityPolicyNoRule_importBasic_multitenancy(t *testing.T) { + name := getAccTestResourceName() + testResourceName := "nsxt_policy_security_policy_no_rule.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { + testAccPreCheck(t) + testAccOnlyMultitenancy(t) + }, + Providers: testAccProviders, + CheckDestroy: func(state *terraform.State) error { + return testAccNsxtPolicySecurityPolicyCheckDestroy(state, name, defaultDomain) + }, + Steps: []resource.TestStep{ + { + Config: testAccNsxtPolicySecurityPolicyNoRuleTemplate(true, name, "true", "1", "true"), + }, + { + ResourceName: testResourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: 
testAccResourceNsxtPolicyImportIDRetriever(testResourceName), + }, + }, + }) +} + +func testAccNsxtPolicySecurityPolicyNoRuleCheckDestroy(state *terraform.State, displayName string) error { + connector := getPolicyConnector(testAccProvider.Meta().(nsxtClients)) + for _, rs := range state.RootModule().Resources { + + if rs.Type != "nsxt_policy_security_policy_no_rule" { + continue + } + + resourceID := rs.Primary.Attributes["id"] + domain := rs.Primary.Attributes["domain"] + exists, err := resourceNsxtPolicySecurityPolicyExistsInDomain(testAccGetSessionContext(), resourceID, domain, connector) + if err != nil { + return err + } + if exists { + return fmt.Errorf("Policy SecurityPolicy %s still exists", displayName) + } + } + return nil +} + +func testAccNsxtPolicySecurityPolicyNoRuleTemplate(withContext bool, name, locked, seqNum, tcpStrict string) string { + context := "" + if withContext { + context = testAccNsxtPolicyMultitenancyContext() + } + return testAccNsxtPolicySecurityPolicyDeps() + fmt.Sprintf(` +resource "nsxt_policy_security_policy_no_rule" "test" { +%s + display_name = "%s" + description = "Acceptance Test" + domain = "default" + category = "Application" + locked = %s + sequence_number = %s + stateful = "true" + tcp_strict = %s + scope = [nsxt_policy_group.group1.path] + + tag { + scope = "color" + tag = "orange" + } + + depends_on = [nsxt_policy_group.group1] +}`, context, name, locked, seqNum, tcpStrict) +} diff --git a/nsxt/resource_nsxt_policy_security_policy_rule.go b/nsxt/resource_nsxt_policy_security_policy_rule.go index 09c81f839..dd938f718 100644 --- a/nsxt/resource_nsxt_policy_security_policy_rule.go +++ b/nsxt/resource_nsxt_policy_security_policy_rule.go @@ -6,6 +6,7 @@ package nsxt import ( "fmt" "log" + "strings" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/vmware/vsphere-automation-sdk-go/runtime/protocol/client" 
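Review bot: TestAccResourceNsxtPolicySecurityPolicyNoRule_importBasic_multitenancy passes `testAccNsxtPolicySecurityPolicyCheckDestroy(state, name, defaultDomain)` as CheckDestroy, while the other three tests in this file use `testAccNsxtPolicySecurityPolicyNoRuleCheckDestroy`. That helper is defined outside this diff; if it filters on the `nsxt_policy_security_policy` resource type, the way the NoRule variant filters on its own type, the destroy check never inspects the resource under test and a leaked policy would pass. Use `return testAccNsxtPolicySecurityPolicyNoRuleCheckDestroy(state, name)` here. The same mismatch appears in TestAccResourceNsxtPolicySecurityPolicyRule_importBasic_multitenancy in resource_nsxt_policy_security_policy_rule_test.go, which should call `testAccNsxtPolicySecurityPolicyRuleCheckDestroy(state, name)`.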
@@ -22,7 +23,7 @@ func resourceNsxtPolicySecurityPolicyRule() *schema.Resource { Update: resourceNsxtPolicySecurityPolicyRuleUpdate, Delete: resourceNsxtPolicySecurityPolicyRuleDelete, Importer: &schema.ResourceImporter{ - State: nsxtDomainResourceImporter, + State: nsxtSecurityPolicyRuleImporter, }, Schema: getSecurityPolicyAndGatewayRuleSchema(false, false, true, true), } @@ -103,11 +104,11 @@ func securityPolicyRuleSchemaToModel(d *schema.ResourceData, id string) model.Ru func resourceNsxtPolicySecurityPolicyRuleExistsPartial(policyPath string) func(sessionContext utl.SessionContext, id string, connector client.Connector) (bool, error) { return func(sessionContext utl.SessionContext, id string, connector client.Connector) (bool, error) { - return resourceNsxtPolicySecurityPolicyRuleExistsInDomain(sessionContext, id, policyPath, connector) + return resourceNsxtPolicySecurityPolicyRuleExists(sessionContext, id, policyPath, connector) } } -func resourceNsxtPolicySecurityPolicyRuleExistsInDomain(sessionContext utl.SessionContext, id string, policyPath string, connector client.Connector) (bool, error) { +func resourceNsxtPolicySecurityPolicyRuleExists(sessionContext utl.SessionContext, id string, policyPath string, connector client.Connector) (bool, error) { client := securitypolicies.NewRulesClient(sessionContext, connector) domain := getDomainFromResourcePath(policyPath) @@ -135,7 +136,6 @@ func resourceNsxtPolicySecurityPolicyRuleRead(d *schema.ResourceData, m interfac policyPath := d.Get("policy_path").(string) domain := getDomainFromResourcePath(policyPath) policyID := getPolicyIDFromPath(policyPath) - client := securitypolicies.NewRulesClient(getSessionContext(d, m), connector) rule, err := client.Get(domain, policyID, id) if err != nil { 
@@ -149,6 +149,7 @@ func resourceNsxtPolicySecurityPolicyRuleRead(d *schema.ResourceData, m interfac func securityPolicyRuleModelToSchema(d *schema.ResourceData, rule model.Rule) { d.Set("display_name", rule.DisplayName) d.Set("description", rule.Description) + d.Set("path", rule.Path) d.Set("notes", rule.Notes) d.Set("logged", rule.Logged) d.Set("log_label", rule.Tag) @@ -214,3 +215,17 @@ func resourceNsxtPolicySecurityPolicyRuleDelete(d *schema.ResourceData, m interf client := securitypolicies.NewRulesClient(getSessionContext(d, m), connector) return client.Delete(domain, policyID, id) } + +func nsxtSecurityPolicyRuleImporter(d *schema.ResourceData, m interface{}) ([]*schema.ResourceData, error) { + importID := d.Id() + // Example of Rule path: /infra/domains/default/security-policies/04e862ad-ddce-434c-8453-229e2740982e/rules/b971bdc3-9e8f-442d-a694-846cbbb46ca5 + if strings.Count(importID, "/") != 7 { + return nil, fmt.Errorf("Invalid SecurityPolicyRule path %s", importID) + } + rd, err := nsxtPolicyPathResourceImporterHelper(d, m) + if err != nil { + return rd, err + } + d.Set("policy_path", importID[:strings.Index(importID, "rule")-1]) + return []*schema.ResourceData{d}, nil +} diff --git a/nsxt/resource_nsxt_policy_security_policy_rule_test.go b/nsxt/resource_nsxt_policy_security_policy_rule_test.go new file mode 100644 index 000000000..b55129e16 --- /dev/null +++ b/nsxt/resource_nsxt_policy_security_policy_rule_test.go 
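Review bot: nsxtSecurityPolicyRuleImporter derives `policy_path` with `strings.Index(importID, "rule")`, which matches the first occurrence of those four letters anywhere in the path, so a domain or policy ID that contains "rule" yields a truncated `policy_path` and later reads, updates and deletes address the wrong parent. Anchor on the path segment instead: `idx := strings.LastIndex(importID, "/rules/")`, return the "Invalid SecurityPolicyRule path" error when `idx < 0`, and set `importID[:idx]`; as written, a seven-slash ID without "rule" slices with a negative bound and panics. The `strings.Count(importID, "/") != 7` check also looks like it would reject project-scoped paths that carry extra leading segments, which the multitenancy import test in this commit seems to rely on; worth confirming. The return value of `d.Set` is ignored here, and the resource docs in this commit describe the import ID as POLICY_PATH although this function expects the rule's own path.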
@@ -0,0 +1,229 @@ +/* Copyright © 2023 VMware, Inc. All Rights Reserved. + SPDX-License-Identifier: MPL-2.0 */ + +package nsxt + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" +) + +func TestAccResourceNsxtPolicySecurityPolicyRule_basic(t *testing.T) { + testAccResourceNsxtPolicySecurityPolicyRuleBasic(t, false, func() { + testAccPreCheck(t) + }) +} + +func TestAccResourceNsxtPolicySecurityPolicyRule_multitenancy(t *testing.T) { + testAccResourceNsxtPolicySecurityPolicyRuleBasic(t, true, func() { + testAccPreCheck(t) + testAccOnlyMultitenancy(t) + }) +} + +func testAccResourceNsxtPolicySecurityPolicyRuleBasic(t *testing.T, withContext bool, preCheck func()) { + testResourceName := "nsxt_policy_security_policy_rule.test" + + name := getAccTestResourceName() + updatedName := getAccTestResourceName() + direction := "IN" + updatedDirection := "OUT" + proto := "IPV4" + updatedProto := "IPV4_IPV6" + action := "ALLOW" + updatedAction := "DROP" + seqNum := "1" + updatedSeqNum := "2" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: preCheck, + Providers: testAccProviders, + CheckDestroy: func(state *terraform.State) error { + return testAccNsxtPolicySecurityPolicyRuleCheckDestroy(state, updatedName) + }, + Steps: []resource.TestStep{ + { + Config: testAccNsxtPolicySecurityPolicyRuleTemplate(withContext, name, action, direction, proto, seqNum), + Check: resource.ComposeTestCheckFunc( + testAccNsxtPolicySecurityPolicyRuleExists(testResourceName), + resource.TestCheckResourceAttr(testResourceName, "display_name", name), + resource.TestCheckResourceAttr(testResourceName, "action", action), + resource.TestCheckResourceAttr(testResourceName, "direction", direction), + resource.TestCheckResourceAttr(testResourceName, "ip_version", proto), + resource.TestCheckResourceAttr(testResourceName, "sequence_number", seqNum), + ), + }, + { + Config: 
testAccNsxtPolicySecurityPolicyRuleTemplate(withContext, updatedName, updatedAction, updatedDirection, updatedProto, updatedSeqNum), + Check: resource.ComposeTestCheckFunc( + testAccNsxtPolicySecurityPolicyRuleExists(testResourceName), + resource.TestCheckResourceAttr(testResourceName, "display_name", updatedName), + resource.TestCheckResourceAttr(testResourceName, "action", updatedAction), + resource.TestCheckResourceAttr(testResourceName, "direction", updatedDirection), + resource.TestCheckResourceAttr(testResourceName, "ip_version", updatedProto), + resource.TestCheckResourceAttr(testResourceName, "sequence_number", updatedSeqNum), + ), + }, + }, + }) +} + +func TestAccResourceNsxtPolicySecurityPolicyRule_importBasic(t *testing.T) { + name := getAccTestResourceName() + testResourceName := "nsxt_policy_security_policy_rule.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: func(state *terraform.State) error { + return testAccNsxtPolicySecurityPolicyRuleCheckDestroy(state, name) + }, + Steps: []resource.TestStep{ + { + Config: testAccNsxtPolicySecurityPolicyRuleTemplate(false, name, "ALLOW", "IN", "IPV4", "1"), + }, + { + ResourceName: testResourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccResourceNsxtPolicyImportIDRetriever(testResourceName), + }, + }, + }) +} + +func TestAccResourceNsxtPolicySecurityPolicyRule_importBasic_multitenancy(t *testing.T) { + name := getAccTestResourceName() + testResourceName := "nsxt_policy_security_policy_rule.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { + testAccPreCheck(t) + testAccOnlyMultitenancy(t) + }, + Providers: testAccProviders, + CheckDestroy: func(state *terraform.State) error { + return testAccNsxtPolicySecurityPolicyCheckDestroy(state, name, defaultDomain) + }, + Steps: []resource.TestStep{ + { + Config: testAccNsxtPolicySecurityPolicyRuleTemplate(true, name, 
"ALLOW", "IN", "IPV4", "1"), + }, + { + ResourceName: testResourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateIdFunc: testAccResourceNsxtPolicyImportIDRetriever(testResourceName), + }, + }, + }) +} + +func testAccNsxtPolicySecurityPolicyRuleExists(resourceName string) resource.TestCheckFunc { + return func(state *terraform.State) error { + + connector := getPolicyConnector(testAccProvider.Meta().(nsxtClients)) + + rs, ok := state.RootModule().Resources[resourceName] + if !ok { + return fmt.Errorf("Policy SecurityPolicyRule resource %s not found in resources", resourceName) + } + + resourceID := rs.Primary.ID + if resourceID == "" { + return fmt.Errorf("Policy SecurityPolicyRule resource ID not set in resources") + } + + policyPath := rs.Primary.Attributes["policy_path"] + exists, err := resourceNsxtPolicySecurityPolicyRuleExists(testAccGetSessionContext(), resourceID, policyPath, connector) + if err != nil { + return err + } + if !exists { + return fmt.Errorf("Error while retrieving policy SecurityPolicyRule ID %s under SecurityPolicy %s", resourceID, policyPath) + } + return nil + } +} + +func testAccNsxtPolicySecurityPolicyRuleCheckDestroy(state *terraform.State, displayName string) error { + connector := getPolicyConnector(testAccProvider.Meta().(nsxtClients)) + for _, rs := range state.RootModule().Resources { + + if rs.Type != "nsxt_policy_security_policy_rule" { + continue + } + + resourceID := rs.Primary.Attributes["id"] + policyPath := rs.Primary.Attributes["policy_path"] + exists, err := resourceNsxtPolicySecurityPolicyRuleExists(testAccGetSessionContext(), resourceID, policyPath, connector) + if err != nil { + return err + } + if exists { + return fmt.Errorf("Policy SecurityPolicyRule %s still exists", displayName) + } + } + return nil +} + +func testAccNsxtPolicySecurityPolicyRuleDeps(withContext bool) string { + context := "" + if withContext { + context = testAccNsxtPolicyMultitenancyContext() + } + return 
testAccNsxtPolicySecurityPolicyDeps() + fmt.Sprintf(` +resource "nsxt_policy_security_policy_no_rule" "policy1" { +%s + display_name = "no-rule-policy" + description = "Acceptance Test" + category = "Application" + locked = false + sequence_number = 3 + stateful = true + tcp_strict = false + scope = [nsxt_policy_group.group1.path] + + tag { + scope = "color" + tag = "orange" + } + + depends_on = [nsxt_policy_group.group1] +}`, context) +} + +func testAccNsxtPolicySecurityPolicyRuleTemplate(withContext bool, name, action, direction, ipVersion, seqNum string) string { + context := "" + if withContext { + context = testAccNsxtPolicyMultitenancyContext() + } + return testAccNsxtPolicySecurityPolicyRuleDeps(withContext) + fmt.Sprintf(` +resource "nsxt_policy_security_policy_rule" "test" { +%s + display_name = "%s" + policy_path = nsxt_policy_security_policy_no_rule.policy1.path + action = "%s" + direction = "%s" + ip_version = "%s" + source_groups = [nsxt_policy_group.group2.path] + sequence_number = %s + + tag { + scope = "color" + tag = "orange" + } + + depends_on = [nsxt_policy_security_policy_no_rule.policy1, nsxt_policy_group.group2] +} + +data "nsxt_policy_security_policy_rule" "test" { +%s + display_name = "%s" + policy_path = nsxt_policy_security_policy_no_rule.policy1.path + depends_on = [nsxt_policy_security_policy_rule.test] +}`, context, name, action, direction, ipVersion, seqNum, context, name) +} diff --git a/website/docs/d/compute_manager.html.markdown b/website/docs/d/compute_manager.html.markdown index b142955c7..1ccee4abc 100644 --- a/website/docs/d/compute_manager.html.markdown +++ b/website/docs/d/compute_manager.html.markdown @@ -27,4 +27,4 @@ data "nsxt_compute_manager" "test_vcenter" { In addition to arguments listed above, the following attributes are exported: * `description` - The description of the resource. -* `server` - IP address or hostname of the resource. \ No newline at end of file +* `server` - IP address or hostname of the resource. 
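Review bot: The template in testAccNsxtPolicySecurityPolicyRuleTemplate declares `data "nsxt_policy_security_policy_rule" "test"`, but no step asserts anything about it, so the new data source is only checked for not returning an error. Add a check such as `resource.TestCheckResourceAttrPair("data.nsxt_policy_security_policy_rule.test", "path", testResourceName, "path")` to both steps so that a lookup resolving to a different rule fails the test. The lookup-by-`id` branch and the multiple-match and prefix-match paths of the data source are not exercised by this file.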
diff --git a/website/docs/d/policy_security_policy_rule.html.markdown b/website/docs/d/policy_security_policy_rule.html.markdown
new file mode 100644
index 000000000..053b4f693
--- /dev/null
+++ b/website/docs/d/policy_security_policy_rule.html.markdown
@@ -0,0 +1,51 @@
+---
+subcategory: "Firewall"
+layout: "nsxt"
+page_title: "NSXT: policy_security_policy_rule"
+description: A policy Security Policy data source.
+---
+
+# nsxt_policy_security_policy_rule
+
+This data source provides information about policy Security Policy Rules configured on NSX.
+This data source is applicable to NSX Policy Manager, NSX Global Manager and VMC.
+
+## Example Usage
+
+```hcl
+data "nsxt_policy_security_policy_rule" "rule1" {
+ display_name = "rule1"
+ policy_path = data.nsxt_policy_security_policy.policy1.path
+}
+```
+
+## Example Usage - Multi-Tenancy
+
+```hcl
+data "nsxt_policy_project" "demoproj" {
+ display_name = "demoproj"
+}
+
+data "nsxt_policy_security_policy_rule" "rule1" {
+ context {
+ project_id = data.nsxt_policy_project.demoproj.id
+ }
+ display_name = "rule name"
+ policy_path = data.nsxt_policy_security_policy.policy1.path
+}
+```
+
+## Argument Reference
+
+* `id` - (Optional) The ID of Security Policy Rule to retrieve.
+* `display_name` - (Optional) The Display Name of the Security Policy Rule to retrieve.
+* `policy_path` - (Required) The path of the Security Policy which the object belongs to
+* `context` - (Optional) The context which the object belongs to
+ * `project_id` - (Required) The ID of the project which the object belongs to
+
+## Attributes Reference
+
+In addition to arguments listed above, the following attributes are exported:
+
+* `description` - The description of the resource.
+* `path` - The NSX path of the policy resource.
diff --git a/website/docs/r/policy_security_policy_no_rule.html.markdown b/website/docs/r/policy_security_policy_no_rule.html.markdown
new file mode 100644
index 000000000..528941de9
--- /dev/null
+++ b/website/docs/r/policy_security_policy_no_rule.html.markdown 
@@ -0,0 +1,157 @@ +--- +subcategory: "Firewall" +layout: "nsxt" +page_title: "NSXT: nsxt_policy_security_policy_no_rule" +description: A resource to configure a Security Policy without rules. +--- + +# nsxt_policy_security_policy_no_rule + +This resource provides a method for the management of Security Policy without rules. + +Note: to avoid unexpected behavior, don't use this resource and resource `nsxt_policy_security_policy` to manage the same Security Policy at the same time. +To config rules under this resource, please use resource `nsxt_policy_security_policy_rule` to manage rules separately. + +This resource is applicable to NSX Global Manager, NSX Policy Manager and VMC. + +## Example Usage + +```hcl +resource "nsxt_policy_security_policy_no_rule" "policy1" { + display_name = "policy1" + description = "Terraform provisioned Security Policy" + category = "Application" + locked = false + stateful = true + tcp_strict = false + scope = [nsxt_policy_group.pets.path] + + lifecycle { + create_before_destroy = true + } +} + +resource "nsxt_policy_security_policy_rule" "rule1" { + display_name = "rule1" + description = "Terraform provisioned Security Policy Rule" + policy_path = nsxt_policy_security_policy_no_rule.policy1.path + sequence_number = 1 + destination_groups = [nsxt_policy_group.cats.path, nsxt_policy_group.dogs.path] + action = "DROP" + services = [nsxt_policy_service.icmp.path] + logged = true +} +``` + +## Global Manager example + +```hcl +data "nsxt_policy_site" "paris" { + display_name = "Paris" +} +resource "nsxt_policy_security_policy_no_rule" "policy1" { + display_name = "policy1" + description = "Terraform provisioned Security Policy" + category = "Application" + locked = false + stateful = true + tcp_strict = false + scope = [nsxt_policy_group.pets.path] + domain = data.nsxt_policy_site.paris.id + + lifecycle { + create_before_destroy = true + } +} + +resource "nsxt_policy_security_policy_rule" "rule1" { + display_name = "rule1" + description = 
"Terraform provisioned Security Policy Rule" + policy_path = nsxt_policy_security_policy_no_rule.policy1.path + sequence_number = 1 + destination_groups = [nsxt_policy_group.cats.path, nsxt_policy_group.dogs.path] + action = "DROP" + services = [nsxt_policy_service.icmp.path] + logged = true +} +``` + +## Example Usage - Multi-Tenancy + +```hcl +data "nsxt_policy_project" "demoproj" { + display_name = "demoproj" +} + +resource "nsxt_policy_security_policy_no_rule" "policy1" { + context { + project_id = data.nsxt_policy_project.demoproj.id + } + display_name = "policy1" + description = "Terraform provisioned Security Policy" + category = "Application" + locked = false + stateful = true + tcp_strict = false + scope = [nsxt_policy_group.pets.path] + + lifecycle { + create_before_destroy = true + } +} + +resource "nsxt_policy_security_policy_rule" "rule1" { + context { + project_id = data.nsxt_policy_project.demoproj.id + } + display_name = "rule1" + description = "Terraform provisioned Security Policy Rule" + policy_path = nsxt_policy_security_policy_no_rule.policy1.path + sequence_number = 1 + destination_groups = [nsxt_policy_group.cats.path, nsxt_policy_group.dogs.path] + action = "DROP" + services = [nsxt_policy_service.icmp.path] + logged = true +} +``` + +-> We recommend using `lifecycle` directive as in samples above, in order to avoid dependency issues when updating groups/services simultaneously with the rule. + +## Argument Reference + +The following arguments are supported: + +* `display_name` - (Required) Display name of the resource. +* `description` - (Optional) Description of the resource. +* `domain` - (Optional) The domain to use for the resource. This domain must already exist. For VMware Cloud on AWS use `cgw`. For Global Manager, please use site id for this field. If not specified, this field is default to `default`. +* `tag` - (Optional) A list of scope + tag pairs to associate with this policy. 
+* `nsx_id` - (Optional) The NSX ID of this resource. If set, this ID will be used to create the resource. +* `context` - (Optional) The context which the object belongs to + * `project_id` - (Required) The ID of the project which the object belongs to +* `category` - (Required) Category of this policy. For local manager must be one of `Ethernet`, `Emergency`, `Infrastructure`, `Environment`, `Application`. For global manager must be one of: `Infrastructure`, `Environment`, `Application`. +* `comments` - (Optional) Comments for security policy lock/unlock. +* `locked` - (Optional) Indicates whether a security policy should be locked. If locked by a user, no other user would be able to modify this policy. +* `scope` - (Optional) The list of policy object paths where the rules in this policy will get applied. +* `sequence_number` - (Optional) This field is used to resolve conflicts between security policies across domains. +* `stateful` - (Optional) If true, state of the network connects are tracked and a stateful packet inspection is performed. Default is true. +* `tcp_strict` - (Optional) Ensures that a 3 way TCP handshake is done before the data packets are sent. Default is false. + +## Attributes Reference + +In addition to arguments listed above, the following attributes are exported: + +* `id` - ID of the Security Policy. +* `revision` - Indicates current revision number of the object as seen by NSX-T API server. This attribute can be useful for debugging. +* `path` - The NSX path of the policy resource. + +## Importing + +An existing security policy can be [imported][docs-import] into this resource, via the following command: + +[docs-import]: https://www.terraform.io/cli/import + +``` +terraform import nsxt_policy_security_policy_no_rule.policy1 domain/ID +``` + +The above command imports the security policy named `policy1` under NSX domain `domain` with the NSX Policy ID `ID`. 
diff --git a/website/docs/r/policy_security_policy_rule.html.markdown b/website/docs/r/policy_security_policy_rule.html.markdown
new file mode 100644
index 000000000..a1b844dcc
--- /dev/null
+++ b/website/docs/r/policy_security_policy_rule.html.markdown
@@ -0,0 +1,100 @@ +--- +subcategory: "Firewall" +layout: "nsxt" +page_title: "NSXT: nsxt_policy_security_policy_rule" +description: A resource to configure a Security Policy Rule. +--- + +# nsxt_policy_security_policy_rule + +This resource provides a method for the management of Security Policy Rule. + +Note: to avoid unexpected behavior, don't use this resource and resource `nsxt_policy_security_policy` to manage rules under a security policy at the same time. +Recommend to use this resource with resource `nsxt_policy_security_policy_no_rule` to manage a security policy and its rules separately. And use `nsxt_policy_security_policy` to manage a security policy and its rules in one single resource. + +This resource is applicable to NSX Global Manager, NSX Policy Manager and VMC. + +## Example Usage + +```hcl +resource "nsxt_policy_security_policy_rule" "rule1" { + display_name = "rule1" + description = "Terraform provisioned Security Policy Rule" + policy_path = nsxt_policy_security_policy_no_rule.policy1.path + sequence_number = 1 + destination_groups = [nsxt_policy_group.cats.path, nsxt_policy_group.dogs.path] + action = "DROP" + services = [nsxt_policy_service.icmp.path] + logged = true +} +``` + +## Example Usage - Multi-Tenancy + +```hcl +data "nsxt_policy_project" "demoproj" { + display_name = "demoproj" +} + +resource "nsxt_policy_security_policy_rule" "rule1" { + context { + project_id = data.nsxt_policy_project.demoproj.id + } + display_name = "rule1" + description = "Terraform provisioned Security Policy Rule" + policy_path = data.nsxt_policy_security_policy.policy1.path + sequence_number = 1 + destination_groups = [nsxt_policy_group.cats.path, nsxt_policy_group.dogs.path] + action = "DROP" + services = [nsxt_policy_service.icmp.path] + logged = true +} +``` + +## Argument Reference + +The following arguments are supported: + +* `display_name` - (Required) Display name of the resource. +* `description` - (Optional) Description of the resource. 
+* `tag` - (Optional) A list of scope + tag pairs to associate with this policy. +* `nsx_id` - (Optional) The NSX ID of this resource. If set, this ID will be used to create the resource. +* `policy_path` - (Required) The path of the Security Policy which the object belongs to +* `context` - (Optional) The context which the object belongs to + * `project_id` - (Required) The ID of the project which the object belongs to +* `sequence_number` - (Required) This field is used to resolve conflicts between multiple Rules under Security or Gateway Policy for a Domain. Please note that sequence numbers should start with 1 and not 0 to avoid confusion. +* `action` - (Optional) Rule action, one of `ALLOW`, `DROP`, `REJECT` and `JUMP_TO_APPLICATION`. Default is `ALLOW`. `JUMP_TO_APPLICATION` is only applicable in `Environment` category. +* `destination_groups` - (Optional) Set of group paths that serve as the destination for this rule. IPs, IP ranges, or CIDRs may also be used starting in NSX-T 3.0. An empty set can be used to specify "Any". +* `source_groups` - (Optional) Set of group paths that serve as the source for this rule. IPs, IP ranges, or CIDRs may also be used starting in NSX-T 3.0. An empty set can be used to specify "Any". +* `destinations_excluded` - (Optional) A boolean value indicating negation of destination groups. +* `sources_excluded` - (Optional) A boolean value indicating negation of source groups. +* `direction` - (Optional) Traffic direction, one of `IN`, `OUT` or `IN_OUT`. Default is `IN_OUT`. +* `disabled` - (Optional) Flag to disable this rule. Default is false. +* `ip_version` - (Optional) Version of IP protocol, one of `NONE`, `IPV4`, `IPV6`, `IPV4_IPV6`. Default is `IPV4_IPV6`. For `Ethernet` category rules, use `NONE` value. +* `logged` - (Optional) Flag to enable packet logging. Default is false. +* `notes` - (Optional) Additional notes on changes. +* `profiles` - (Optional) Set of profile paths relevant for this rule. 
+* `scope` - (Optional) Set of policy object paths where the rule is applied. +* `services` - (Optional) Set of service paths to match. +* `log_label` - (Optional) Additional information (string) which will be propagated to the rule syslog. + + +## Attributes Reference + +In addition to arguments listed above, the following attributes are exported: + +* `revision` - Indicates current revision number of the object as seen by NSX-T API server. This attribute can be useful for debugging. +* `path` - The NSX path of the policy resource. +* `rule_id` - Unique positive number that is assigned by the system and is useful for debugging. + +## Importing + +An existing security policy can be [imported][docs-import] into this resource, via the following command: + +[docs-import]: https://www.terraform.io/cli/import + +``` +terraform import nsxt_policy_security_policy_rule.rule1 POLICY_PATH +``` + +The above command imports the security policy rule named `rule1` with policy path `POLICY_PATH`.