Allow IP CIDR Range or Any as Source and/or Destination Policy Groups #589
Conversation
|
Thank you @akgiesler! This looks great, but a documentation update is also needed, as well as acc tests. If you can add those it will be great, otherwise we'll follow up with those on top of your change. |
|
Sure thing @annakhm , we are working on those now. |
akgiesler
force-pushed
the
ip_as_policy_source_destination
branch
from
30953d9 to
23b612d
Compare
|
Hi @annakhm, During our build-out of the tests, it was discovered that the provider already supports using "ANY" as a source or destination in security policy. The way to do this was to map the source_groups or destination_groups to an empty set. for example: This was tested in NSX-T 3.1 using NSX-T Provider v3.1.0. I added this feature into the Security policy documentation. |
| }, | ||
| Steps: []resource.TestStep{ | ||
| { | ||
| Config: testAccNsxtPolicyGatewayPolicyWithIPCidrRangeDestCreate(name, policyIP, policyCidr, policyRange), |
There was a problem hiding this comment.
I would suggest to use a single function to test both Create and Update use cases (just pass different values in params), and also I think one test should be enough to cover both source and dest use cases. While our goal is to have good test coverage, we also try to keep CI running time reasonable :)
There was a problem hiding this comment.
I went ahead and collapsed the tests into a single test for both security policy and gateway policy. I also reduced the terraform generating functions down to single functions as you requested.
| @@ -93,7 +93,7 @@ The following arguments are supported: | |||
| * `rule` (Optional) A repeatable block to specify rules for the Gateway Policy. Each rule includes the following fields: | |||
| * `display_name` - (Required) Display name of the resource. | |||
| * `description` - (Optional) Description of the resource. | |||
| * `destination_groups` - (Optional) A list of destination group paths to use for the policy. | |||
| * `destination_groups` - (Optional) Set of group paths, IPs, IP ranges, or CIDRs that serve as the destination for this rule. | |||
There was a problem hiding this comment.
It should be helpful specifying here that IP/ranges/cidrs are only supported starting NSX 3.0.
There was a problem hiding this comment.
Hi @annakhm, I have updated all of the documentation as requested.
|
Thanks for those changes @akgiesler! You are correct, "ANY" is equivalent to empty set. I've ran your tests on gateway policy and they pass fine. I noticed that docs for gateway policy are updated in your change. |
Adds a new validator specific to source and destination policy groups. NSX-T can accept an IP, Range, CIDR, or a Group Path as a source and/or destination group through the security policy interface. Updates the getSecurityPolicyAndGatewayRulesSchema function to use the new validator. Updates docs to reference IP, Range, and CIDR as valid source / destination groups. Also include reference for using empty set to specify "ANY". Resolves: Issue vmware#584
akgiesler
force-pushed
the
ip_as_policy_source_destination
branch
from
23b612d to
b55fdb6
Compare
|
Thank you @akgiesler, merging this! |
Adds a new validator specific to source and destination policy groups.
NSX-T can accept an IP, Range, CIDR, or a Group Path as a source
and/or destination group through the security policy interface.
Updates the getSecurityPolicyAndGatewayRulesSchema function to use the
new validator.
Resolves: Issue #584