Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

VPC E-W security policy resource #1217

Merged
merged 1 commit into from
Jun 18, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions nsxt/gateway_common.go
Original file line number Diff line number Diff line change
Expand Up @@ -436,6 +436,11 @@ func policyInfraPatch(context utl.SessionContext, obj model.Infra, connector cli
}

return infraClient.Patch(gmObj.(gm_model.Infra), &enforceRevision)
} else if context.ClientType == utl.VPC {
context = utl.SessionContext{
ClientType: utl.Multitenancy,
ProjectID: context.ProjectID,
}
}

infraClient := nsx_policy.NewInfraClient(context, connector)
Expand Down
9 changes: 6 additions & 3 deletions nsxt/policy_common.go
Original file line number Diff line number Diff line change
Expand Up @@ -311,7 +311,7 @@ func getSecurityPolicyAndGatewayRuleSchema(scopeRequired bool, isIds bool, nsxID
}

func getPolicyGatewayPolicySchema() map[string]*schema.Schema {
secPolicy := getPolicySecurityPolicySchema(false, true, true)
secPolicy := getPolicySecurityPolicySchema(false, true, true, true)
// GW Policies don't support scope
delete(secPolicy, "scope")
secPolicy["category"].ValidateFunc = validation.StringInSlice(gatewayPolicyCategoryWritableValues, false)
Expand All @@ -320,15 +320,15 @@ func getPolicyGatewayPolicySchema() map[string]*schema.Schema {
return secPolicy
}

func getPolicySecurityPolicySchema(isIds, withContext, withRule bool) map[string]*schema.Schema {
func getPolicySecurityPolicySchema(isIds, withContext, withRule, withDomain bool) map[string]*schema.Schema {
result := map[string]*schema.Schema{
"nsx_id": getNsxIDSchema(),
"path": getPathSchema(),
"display_name": getDisplayNameSchema(),
"description": getDescriptionSchema(),
"revision": getRevisionSchema(),
"tag": getTagsSchema(),
"context": getContextSchema(false, false, false),
"context": getContextSchema(!withDomain, false, !withDomain),
"domain": getDomainNameSchema(),
"category": {
Type: schema.TypeString,
Expand Down Expand Up @@ -392,6 +392,9 @@ func getPolicySecurityPolicySchema(isIds, withContext, withRule bool) map[string
if !withRule {
delete(result, "rule")
}
if !withDomain {
delete(result, "domain")
}
return result
}

Expand Down
1 change: 1 addition & 0 deletions nsxt/provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -496,6 +496,7 @@ func Provider() *schema.Provider {
"nsxt_policy_gateway_flood_protection_profile_binding": resourceNsxtPolicyGatewayFloodProtectionProfileBinding(),
"nsxt_policy_compute_sub_cluster": resourceNsxtPolicyComputeSubCluster(),
"nsxt_policy_tier0_inter_vrf_routing": resourceNsxtPolicyTier0InterVRFRouting(),
"nsxt_vpc_security_policy": resourceNsxtVPCSecurityPolicy(),
},

ConfigureFunc: providerConfigure,
Expand Down
2 changes: 1 addition & 1 deletion nsxt/resource_nsxt_policy_intrusion_service_policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ func resourceNsxtPolicyIntrusionServicePolicy() *schema.Resource {
Importer: &schema.ResourceImporter{
State: nsxtDomainResourceImporter,
},
Schema: getPolicySecurityPolicySchema(true, true, true),
Schema: getPolicySecurityPolicySchema(true, true, true, true),
}
}

Expand Down
19 changes: 12 additions & 7 deletions nsxt/resource_nsxt_policy_parent_security_policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ func resourceNsxtPolicyParentSecurityPolicy() *schema.Resource {
Importer: &schema.ResourceImporter{
State: nsxtDomainResourceImporter,
},
Schema: getPolicySecurityPolicySchema(false, true, false),
Schema: getPolicySecurityPolicySchema(false, true, false, true),
}
}

Expand Down Expand Up @@ -55,10 +55,13 @@ func parentSecurityPolicySchemaToModel(d *schema.ResourceData, id string) model.
}
}

func parentSecurityPolicyModelToSchema(d *schema.ResourceData, m interface{}) (*model.SecurityPolicy, error) {
func parentSecurityPolicyModelToSchema(d *schema.ResourceData, m interface{}, withDomain bool) (*model.SecurityPolicy, error) {
connector := getPolicyConnector(m)
id := d.Id()
domainName := d.Get("domain").(string)
domainName := ""
if withDomain {
domainName = d.Get("domain").(string)
}
if id == "" {
return nil, fmt.Errorf("Error obtaining Security Policy id")
}
Expand All @@ -75,7 +78,9 @@ func parentSecurityPolicyModelToSchema(d *schema.ResourceData, m interface{}) (*
setPolicyTagsInSchema(d, obj.Tags)
d.Set("nsx_id", id)
d.Set("path", obj.Path)
d.Set("domain", getDomainFromResourcePath(*obj.Path))
if withDomain {
d.Set("domain", getDomainFromResourcePath(*obj.Path))
}
d.Set("category", obj.Category)
d.Set("comments", obj.Comments)
d.Set("locked", obj.Locked)
Expand All @@ -92,15 +97,15 @@ func parentSecurityPolicyModelToSchema(d *schema.ResourceData, m interface{}) (*
}

func resourceNsxtPolicyParentSecurityPolicyCreate(d *schema.ResourceData, m interface{}) error {
return resourceNsxtPolicySecurityPolicyGeneralCreate(d, m, false)
return resourceNsxtPolicySecurityPolicyGeneralCreate(d, m, false, true)
}

func resourceNsxtPolicyParentSecurityPolicyRead(d *schema.ResourceData, m interface{}) error {
return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, false)
return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, false, true)
}

func resourceNsxtPolicyParentSecurityPolicyUpdate(d *schema.ResourceData, m interface{}) error {
return resourceNsxtPolicySecurityPolicyGeneralUpdate(d, m, false)
return resourceNsxtPolicySecurityPolicyGeneralUpdate(d, m, false, true)
}

func resourceNsxtPolicyParentSecurityPolicyDelete(d *schema.ResourceData, m interface{}) error {
Expand Down
82 changes: 73 additions & 9 deletions nsxt/resource_nsxt_policy_predefined_security_policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (

"github.com/vmware/vsphere-automation-sdk-go/runtime/bindings"
"github.com/vmware/vsphere-automation-sdk-go/runtime/data"
nsxt "github.com/vmware/vsphere-automation-sdk-go/services/nsxt"
"github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model"

"github.com/vmware/terraform-provider-nsxt/api/infra/domains"
Expand Down Expand Up @@ -178,6 +179,60 @@ func revertSecurityPolicyDefaultRule(rule model.Rule) model.Rule {
return rule
}

func strPtr(s string) *string {
v := s
return &v
}

func createChildVPCWithSecurityPolicy(context utl.SessionContext, policyID string, policy model.SecurityPolicy) (*data.StructValue, error) {
converter := bindings.NewTypeConverter()

childPolicy := model.ChildSecurityPolicy{
ResourceType: "ChildSecurityPolicy",
SecurityPolicy: &policy,
}

dataValue, errors := converter.ConvertToVapi(childPolicy, model.ChildSecurityPolicyBindingType())
if len(errors) > 0 {
return nil, errors[0]
}

childVPC := model.ChildResourceReference{
Id: &context.VPCID,
ResourceType: "ChildResourceReference",
TargetType: strPtr("Vpc"),
Children: []*data.StructValue{dataValue.(*data.StructValue)},
}

dataValue, errors = converter.ConvertToVapi(childVPC, model.ChildResourceReferenceBindingType())
if len(errors) > 0 {
return nil, errors[0]
}
childProject := model.ChildResourceReference{
Id: &context.ProjectID,
ResourceType: "ChildResourceReference",
TargetType: strPtr("Project"),
Children: []*data.StructValue{dataValue.(*data.StructValue)},
}
dataValue, errors = converter.ConvertToVapi(childProject, model.ChildResourceReferenceBindingType())
if len(errors) > 0 {
return nil, errors[0]
}

childOrg := model.ChildResourceReference{
Id: strPtr(defaultOrgID),
ResourceType: "ChildResourceReference",
TargetType: strPtr("Org"),
Children: []*data.StructValue{dataValue.(*data.StructValue)},
}
dataValue, errors = converter.ConvertToVapi(childOrg, model.ChildResourceReferenceBindingType())
if len(errors) > 0 {
return nil, errors[0]
}

return dataValue.(*data.StructValue), nil
}

func createChildDomainWithSecurityPolicy(domain string, policyID string, policy model.SecurityPolicy) (*data.StructValue, error) {
converter := bindings.NewTypeConverter()

Expand Down Expand Up @@ -409,20 +464,29 @@ func resourceNsxtPolicyPredefinedSecurityPolicyDelete(d *schema.ResourceData, m
}

func securityPolicyInfraPatch(context utl.SessionContext, policy model.SecurityPolicy, domain string, m interface{}) error {
connector := getPolicyConnector(m)
if context.ClientType == utl.VPC {
childVPC, err := createChildVPCWithSecurityPolicy(context, *policy.Id, policy)
if err != nil {
return fmt.Errorf("Failed to create H-API for VPC Security Policy: %s", err)
}
orgRoot := model.OrgRoot{
ResourceType: strPtr("OrgRoot"),
Children: []*data.StructValue{childVPC},
}

client := nsxt.NewOrgRootClient(connector)
Copy link
Collaborator

@annakhm annakhm Jun 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would work with VPC admin privilege?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested with v4.2.0, it does.

return client.Patch(orgRoot, nil)
}

childDomain, err := createChildDomainWithSecurityPolicy(domain, *policy.Id, policy)
if err != nil {
return fmt.Errorf("Failed to create H-API for Predefined Security Policy: %s", err)
}

var infraChildren []*data.StructValue
infraChildren = append(infraChildren, childDomain)

infraType := "Infra"
infraObj := model.Infra{
Children: infraChildren,
ResourceType: &infraType,
Children: []*data.StructValue{childDomain},
ResourceType: strPtr("Infra"),
}

return policyInfraPatch(context, infraObj, getPolicyConnector(m), false)

return policyInfraPatch(context, infraObj, connector, false)
}
37 changes: 22 additions & 15 deletions nsxt/resource_nsxt_policy_security_policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ func resourceNsxtPolicySecurityPolicy() *schema.Resource {
Importer: &schema.ResourceImporter{
State: nsxtDomainResourceImporter,
},
Schema: getPolicySecurityPolicySchema(false, true, true),
Schema: getPolicySecurityPolicySchema(false, true, true, true),
}
}

Expand Down Expand Up @@ -61,9 +61,12 @@ func resourceNsxtPolicySecurityPolicyExistsPartial(domainName string) func(sessi
}
}

func policySecurityPolicyBuildAndPatch(d *schema.ResourceData, m interface{}, id string, createFlow, withRule bool) error {
func policySecurityPolicyBuildAndPatch(d *schema.ResourceData, m interface{}, id string, createFlow, withRule, withDomain bool) error {
obj := parentSecurityPolicySchemaToModel(d, id)
domain := d.Get("domain").(string)
domain := ""
if withDomain {
domain = d.Get("domain").(string)
}
revision := int64(d.Get("revision").(int))
log.Printf("[INFO] Creating Security Policy with ID %s", id)

Expand Down Expand Up @@ -92,15 +95,15 @@ func policySecurityPolicyBuildAndPatch(d *schema.ResourceData, m interface{}, id
}

func resourceNsxtPolicySecurityPolicyCreate(d *schema.ResourceData, m interface{}) error {
return resourceNsxtPolicySecurityPolicyGeneralCreate(d, m, true)
return resourceNsxtPolicySecurityPolicyGeneralCreate(d, m, true, true)
}

func resourceNsxtPolicySecurityPolicyRead(d *schema.ResourceData, m interface{}) error {
return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, true)
return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, true, true)
}

func resourceNsxtPolicySecurityPolicyUpdate(d *schema.ResourceData, m interface{}) error {
return resourceNsxtPolicySecurityPolicyGeneralUpdate(d, m, true)
return resourceNsxtPolicySecurityPolicyGeneralUpdate(d, m, true, true)
}

func resourceNsxtPolicySecurityPolicyDelete(d *schema.ResourceData, m interface{}) error {
Expand All @@ -124,14 +127,18 @@ func resourceNsxtPolicySecurityPolicyDelete(d *schema.ResourceData, m interface{
return nil
}

func resourceNsxtPolicySecurityPolicyGeneralCreate(d *schema.ResourceData, m interface{}, withRule bool) error {
func resourceNsxtPolicySecurityPolicyGeneralCreate(d *schema.ResourceData, m interface{}, withRule, withDomain bool) error {
// Initialize resource Id and verify this ID is not yet used
id, err := getOrGenerateID2(d, m, resourceNsxtPolicySecurityPolicyExistsPartial(d.Get("domain").(string)))
domain := ""
if withDomain {
domain = d.Get("domain").(string)
}
id, err := getOrGenerateID2(d, m, resourceNsxtPolicySecurityPolicyExistsPartial(domain))
if err != nil {
return err
}

err = policySecurityPolicyBuildAndPatch(d, m, id, true, withRule)
err = policySecurityPolicyBuildAndPatch(d, m, id, true, withRule, withDomain)

if err != nil {
return handleCreateError("Security Policy", id, err)
Expand All @@ -140,11 +147,11 @@ func resourceNsxtPolicySecurityPolicyGeneralCreate(d *schema.ResourceData, m int
d.SetId(id)
d.Set("nsx_id", id)

return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule)
return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule, withDomain)
}

func resourceNsxtPolicySecurityPolicyGeneralRead(d *schema.ResourceData, m interface{}, withRule bool) error {
obj, err := parentSecurityPolicyModelToSchema(d, m)
func resourceNsxtPolicySecurityPolicyGeneralRead(d *schema.ResourceData, m interface{}, withRule, withDomain bool) error {
obj, err := parentSecurityPolicyModelToSchema(d, m, withDomain)
if err != nil {
return handleReadError(d, "SecurityPolicy", d.Id(), err)
}
Expand All @@ -154,15 +161,15 @@ func resourceNsxtPolicySecurityPolicyGeneralRead(d *schema.ResourceData, m inter
return nil
}

func resourceNsxtPolicySecurityPolicyGeneralUpdate(d *schema.ResourceData, m interface{}, withRule bool) error {
func resourceNsxtPolicySecurityPolicyGeneralUpdate(d *schema.ResourceData, m interface{}, withRule, withDomain bool) error {
id := d.Id()
if id == "" {
return fmt.Errorf("Error obtaining Security Policy id")
}
err := policySecurityPolicyBuildAndPatch(d, m, id, false, withRule)
err := policySecurityPolicyBuildAndPatch(d, m, id, false, withRule, withDomain)
if err != nil {
return handleUpdateError("Security Policy", id, err)
}

return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule)
return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule, withDomain)
}
Loading
Loading