VPC N-S security policy resource
Implement the resource for north-south VPC security policy.

Signed-off-by: Kobi Samoray <kobi.samoray@broadcom.com>
ksamoray committed Jun 18, 2024
1 parent d77898b commit b5e5ebf
Showing 10 changed files with 545 additions and 28 deletions.
3 changes: 3 additions & 0 deletions api/api_list.yaml
Expand Up @@ -189,6 +189,9 @@
- client: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/infra/domains
model: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model
type: Multitenancy
- client: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/vpcs
model: github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model
type: VPC
model_name: GatewayPolicy
obj_name: GatewayPolicy
client_name: GatewayPoliciesClient
27 changes: 27 additions & 0 deletions api/infra/domains/gateway_policy.go
Expand Up @@ -11,6 +11,7 @@ import (
client0 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/infra/domains"
model0 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model"
client2 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/infra/domains"
client3 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/vpcs"

utl "github.com/vmware/terraform-provider-nsxt/api/utl"
)
Expand All @@ -31,6 +32,9 @@ func NewGatewayPoliciesClient(sessionContext utl.SessionContext, connector vapiP
case utl.Multitenancy:
client = client2.NewGatewayPoliciesClient(connector)

case utl.VPC:
client = client3.NewGatewayPoliciesClient(connector)

default:
return nil
}
Expand Down Expand Up @@ -67,6 +71,13 @@ func (c GatewayPolicyClientContext) Get(domainIdParam string, gatewayPolicyIdPar
return obj, err
}

case utl.VPC:
client := c.Client.(client3.GatewayPoliciesClient)
obj, err = client.Get(utl.DefaultOrgID, c.ProjectID, c.VPCID, gatewayPolicyIdParam)
if err != nil {
return obj, err
}

default:
return obj, errors.New("invalid infrastructure for model")
}
Expand Down Expand Up @@ -94,6 +105,10 @@ func (c GatewayPolicyClientContext) Patch(domainIdParam string, gatewayPolicyIdP
client := c.Client.(client2.GatewayPoliciesClient)
err = client.Patch(utl.DefaultOrgID, c.ProjectID, domainIdParam, gatewayPolicyIdParam, gatewayPolicyParam)

case utl.VPC:
client := c.Client.(client3.GatewayPoliciesClient)
err = client.Patch(utl.DefaultOrgID, c.ProjectID, c.VPCID, gatewayPolicyIdParam, gatewayPolicyParam)

default:
err = errors.New("invalid infrastructure for model")
}
Expand Down Expand Up @@ -130,6 +145,10 @@ func (c GatewayPolicyClientContext) Update(domainIdParam string, gatewayPolicyId
client := c.Client.(client2.GatewayPoliciesClient)
obj, err = client.Update(utl.DefaultOrgID, c.ProjectID, domainIdParam, gatewayPolicyIdParam, gatewayPolicyParam)

case utl.VPC:
client := c.Client.(client3.GatewayPoliciesClient)
obj, err = client.Update(utl.DefaultOrgID, c.ProjectID, c.VPCID, gatewayPolicyIdParam, gatewayPolicyParam)

default:
err = errors.New("invalid infrastructure for model")
}
Expand All @@ -153,6 +172,10 @@ func (c GatewayPolicyClientContext) Delete(domainIdParam string, gatewayPolicyId
client := c.Client.(client2.GatewayPoliciesClient)
err = client.Delete(utl.DefaultOrgID, c.ProjectID, domainIdParam, gatewayPolicyIdParam)

case utl.VPC:
client := c.Client.(client3.GatewayPoliciesClient)
err = client.Delete(utl.DefaultOrgID, c.ProjectID, c.VPCID, gatewayPolicyIdParam)

default:
err = errors.New("invalid infrastructure for model")
}
Expand Down Expand Up @@ -185,6 +208,10 @@ func (c GatewayPolicyClientContext) List(domainIdParam string, cursorParam *stri
client := c.Client.(client2.GatewayPoliciesClient)
obj, err = client.List(utl.DefaultOrgID, c.ProjectID, domainIdParam, cursorParam, includeMarkForDeleteObjectsParam, includeRuleCountParam, includedFieldsParam, pageSizeParam, sortAscendingParam, sortByParam)

case utl.VPC:
client := c.Client.(client3.GatewayPoliciesClient)
obj, err = client.List(utl.DefaultOrgID, c.ProjectID, c.VPCID, cursorParam, includeMarkForDeleteObjectsParam, includeRuleCountParam, includedFieldsParam, pageSizeParam, sortAscendingParam, sortByParam)

default:
err = errors.New("invalid infrastructure for model")
}
6 changes: 3 additions & 3 deletions nsxt/policy_common.go
Expand Up @@ -310,13 +310,13 @@ func getSecurityPolicyAndGatewayRuleSchema(scopeRequired bool, isIds bool, nsxID
return ruleSchema
}

func getPolicyGatewayPolicySchema() map[string]*schema.Schema {
secPolicy := getPolicySecurityPolicySchema(false, true, true, true)
func getPolicyGatewayPolicySchema(withDomain bool) map[string]*schema.Schema {
secPolicy := getPolicySecurityPolicySchema(false, true, true, withDomain)
// GW Policies don't support scope
delete(secPolicy, "scope")
secPolicy["category"].ValidateFunc = validation.StringInSlice(gatewayPolicyCategoryWritableValues, false)
// GW Policy rules require scope to be set
secPolicy["rule"] = getSecurityPolicyAndGatewayRulesSchema(true, false, true)
secPolicy["rule"] = getSecurityPolicyAndGatewayRulesSchema(withDomain, false, true)
return secPolicy
}

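Review bot: The comment `// GW Policy rules require scope to be set` is stale once the call below it becomes `getSecurityPolicyAndGatewayRulesSchema(withDomain, false, true)`: the singular helper visible at the top of the hunk names its first parameter `scopeRequired`, and the plural wrapper presumably forwards it, so for the VPC caller (withDomain == false) rule scope is no longer required and the comment no longer describes the code. Reusing `withDomain` as the scope-required flag also ties two separate schema decisions to one parameter; if that coupling is intended, make it explicit at the call site, e.g. `// Domain-scoped GW Policy rules require scope; VPC gateway policies have no scope` followed by `scopeRequired := withDomain` and passing that local. If the two may diverge later, a second boolean parameter is the safer shape.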
1 change: 1 addition & 0 deletions nsxt/provider.go
Expand Up @@ -497,6 +497,7 @@ func Provider() *schema.Provider {
"nsxt_policy_compute_sub_cluster": resourceNsxtPolicyComputeSubCluster(),
"nsxt_policy_tier0_inter_vrf_routing": resourceNsxtPolicyTier0InterVRFRouting(),
"nsxt_vpc_security_policy": resourceNsxtVPCSecurityPolicy(),
"nsxt_vpc_gateway_policy": resourceNsxtVPCGatewayPolicy(),
},

ConfigureFunc: providerConfigure,
19 changes: 11 additions & 8 deletions nsxt/resource_nsxt_policy_gateway_policy.go
Expand Up @@ -26,11 +26,11 @@ func resourceNsxtPolicyGatewayPolicy() *schema.Resource {
State: nsxtDomainResourceImporter,
},

Schema: getPolicyGatewayPolicySchema(),
Schema: getPolicyGatewayPolicySchema(true),
}
}

func getGatewayPolicyInDomain(sessionContext utl.SessionContext, id string, domainName string, connector client.Connector) (model.GatewayPolicy, error) {
func getGatewayPolicy(sessionContext utl.SessionContext, id string, domainName string, connector client.Connector) (model.GatewayPolicy, error) {
client := domains.NewGatewayPoliciesClient(sessionContext, connector)
if client == nil {
return model.GatewayPolicy{}, policyResourceNotSupportedError()
Expand All @@ -40,7 +40,7 @@ func getGatewayPolicyInDomain(sessionContext utl.SessionContext, id string, doma
}

func resourceNsxtPolicyGatewayPolicyExistsInDomain(sessionContext utl.SessionContext, id string, domainName string, connector client.Connector) (bool, error) {
_, err := getGatewayPolicyInDomain(sessionContext, id, domainName, connector)
_, err := getGatewayPolicy(sessionContext, id, domainName, connector)

if err == nil {
return true, nil
Expand Down Expand Up @@ -124,9 +124,12 @@ func getUpdatedRuleChildren(d *schema.ResourceData) ([]*data.StructValue, error)

}

func policyGatewayPolicyBuildAndPatch(d *schema.ResourceData, m interface{}, connector client.Connector, isGlobalManager bool, id string) error {
func policyGatewayPolicyBuildAndPatch(d *schema.ResourceData, m interface{}, connector client.Connector, isGlobalManager bool, id string, withDomain bool) error {

domain := d.Get("domain").(string)
domain := ""
if withDomain {
domain = d.Get("domain").(string)
}
displayName := d.Get("display_name").(string)
description := d.Get("description").(string)
tags := getPolicyTagsFromSchema(d)
Expand Down Expand Up @@ -181,7 +184,7 @@ func resourceNsxtPolicyGatewayPolicyCreate(d *schema.ResourceData, m interface{}
return err
}

err = policyGatewayPolicyBuildAndPatch(d, m, connector, isPolicyGlobalManager(m), id)
err = policyGatewayPolicyBuildAndPatch(d, m, connector, isPolicyGlobalManager(m), id, true)
if err != nil {
return handleCreateError("Gateway Policy", id, err)
}
Expand All @@ -200,7 +203,7 @@ func resourceNsxtPolicyGatewayPolicyRead(d *schema.ResourceData, m interface{})
return fmt.Errorf("Error obtaining Gateway Policy ID")
}

obj, err := getGatewayPolicyInDomain(getSessionContext(d, m), id, d.Get("domain").(string), connector)
obj, err := getGatewayPolicy(getSessionContext(d, m), id, d.Get("domain").(string), connector)
if err != nil {
return handleReadError(d, "Gateway Policy", id, err)
}
Expand Down Expand Up @@ -232,7 +235,7 @@ func resourceNsxtPolicyGatewayPolicyUpdate(d *schema.ResourceData, m interface{}
return fmt.Errorf("Error obtaining Gateway Policy ID")
}

err := policyGatewayPolicyBuildAndPatch(d, m, connector, isPolicyGlobalManager(m), id)
err := policyGatewayPolicyBuildAndPatch(d, m, connector, isPolicyGlobalManager(m), id, true)
if err != nil {
return handleUpdateError("Gateway Policy", id, err)
}
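Review bot: `policyGatewayPolicyBuildAndPatch` now decides whether to read `domain` from a caller-supplied `withDomain` flag, while `gatewayPolicyInfraPatch` in resource_nsxt_policy_predefined_gateway_policy.go decides the same VPC-or-not question from `context.ClientType == utl.VPC` in the same commit; two independent switches for one property can drift, and a caller passing `true` under a VPC session would hit `d.Get("domain").(string)` on an attribute the VPC schema presumably does not carry, which panics on the type assertion (hedged: I cannot see the VPC schema from here). Consider deriving the flag from the session context inside the function, or at minimum document the parameter: `// withDomain is true for domain-scoped (infra/project) policies; VPC policies have no domain attribute in their schema`. The function body continues below the hunk.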
33 changes: 18 additions & 15 deletions nsxt/resource_nsxt_policy_gateway_policy_test.go
Expand Up @@ -27,7 +27,8 @@ func TestAccResourceNsxtPolicyGatewayPolicy_multitenancy(t *testing.T) {
func testAccResourceNsxtPolicyGatewayPolicyBasic(t *testing.T, withContext bool, preCheck func()) {
name := getAccTestResourceName()
updatedName := getAccTestResourceName()
testResourceName := "nsxt_policy_gateway_policy.test"
resourceName := "nsxt_policy_gateway_policy"
testResourceName := fmt.Sprintf("%s.test", resourceName)
comments1 := "Acceptance test create"
comments2 := "Acceptance test update"
direction1 := "IN"
Expand All @@ -46,7 +47,7 @@ func testAccResourceNsxtPolicyGatewayPolicyBasic(t *testing.T, withContext bool,
},
Steps: []resource.TestStep{
{
Config: testAccNsxtPolicyGatewayPolicyBasic(name, comments1, withContext),
Config: testAccNsxtPolicyGatewayPolicyBasic(resourceName, name, comments1, withContext),
Check: resource.ComposeTestCheckFunc(
testAccNsxtPolicyGatewayPolicyExists(testResourceName, defaultDomain),
resource.TestCheckResourceAttr(testResourceName, "display_name", name),
Expand All @@ -63,7 +64,7 @@ func testAccResourceNsxtPolicyGatewayPolicyBasic(t *testing.T, withContext bool,
),
},
{
Config: testAccNsxtPolicyGatewayPolicyBasic(updatedName, comments2, withContext),
Config: testAccNsxtPolicyGatewayPolicyBasic(resourceName, updatedName, comments2, withContext),
Check: resource.ComposeTestCheckFunc(
testAccNsxtPolicyGatewayPolicyExists(testResourceName, defaultDomain),
resource.TestCheckResourceAttr(testResourceName, "display_name", updatedName),
Expand All @@ -79,7 +80,7 @@ func testAccResourceNsxtPolicyGatewayPolicyBasic(t *testing.T, withContext bool,
),
},
{
Config: testAccNsxtPolicyGatewayPolicyWithRule(updatedName, direction1, proto1, tag1, withContext),
Config: testAccNsxtPolicyGatewayPolicyWithRule(resourceName, updatedName, direction1, proto1, tag1, withContext),
Check: resource.ComposeTestCheckFunc(
testAccNsxtPolicyGatewayPolicyExists(testResourceName, defaultDomain),
resource.TestCheckResourceAttr(testResourceName, "display_name", updatedName),
Expand All @@ -102,7 +103,7 @@ func testAccResourceNsxtPolicyGatewayPolicyBasic(t *testing.T, withContext bool,
),
},
{
Config: testAccNsxtPolicyGatewayPolicyWithRule(updatedName, direction2, proto2, tag2, withContext),
Config: testAccNsxtPolicyGatewayPolicyWithRule(resourceName, updatedName, direction2, proto2, tag2, withContext),
Check: resource.ComposeTestCheckFunc(
testAccNsxtPolicyGatewayPolicyExists(testResourceName, defaultDomain),
resource.TestCheckResourceAttr(testResourceName, "display_name", updatedName),
Expand Down Expand Up @@ -208,7 +209,8 @@ func TestAccResourceNsxtPolicyGatewayPolicy_withDependencies(t *testing.T) {
}
func TestAccResourceNsxtPolicyGatewayPolicy_importBasic(t *testing.T) {
name := getAccTestResourceName()
testResourceName := "nsxt_policy_gateway_policy.test"
resourceName := "nsxt_policy_gateway_policy"
testResourceName := fmt.Sprintf("%s.test", resourceName)

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Expand All @@ -218,7 +220,7 @@ func TestAccResourceNsxtPolicyGatewayPolicy_importBasic(t *testing.T) {
},
Steps: []resource.TestStep{
{
Config: testAccNsxtPolicyGatewayPolicyBasic(name, "import", false),
Config: testAccNsxtPolicyGatewayPolicyBasic(resourceName, name, "import", false),
},
{
ResourceName: testResourceName,
Expand All @@ -231,7 +233,8 @@ func TestAccResourceNsxtPolicyGatewayPolicy_importBasic(t *testing.T) {

func TestAccResourceNsxtPolicyGatewayPolicy_importBasic_multitenancy(t *testing.T) {
name := getAccTestResourceName()
testResourceName := "nsxt_policy_gateway_policy.test"
resourceName := "nsxt_policy_gateway_policy"
testResourceName := fmt.Sprintf("%s.test", resourceName)

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t); testAccOnlyMultitenancy(t) },
Expand All @@ -241,7 +244,7 @@ func TestAccResourceNsxtPolicyGatewayPolicy_importBasic_multitenancy(t *testing.
},
Steps: []resource.TestStep{
{
Config: testAccNsxtPolicyGatewayPolicyBasic(name, "import", true),
Config: testAccNsxtPolicyGatewayPolicyBasic(resourceName, name, "import", true),
},
{
ResourceName: testResourceName,
Expand Down Expand Up @@ -623,13 +626,13 @@ resource "nsxt_policy_gateway_policy" "test" {
}`, name, comments)
}

func testAccNsxtPolicyGatewayPolicyBasic(name string, comments string, withContext bool) string {
func testAccNsxtPolicyGatewayPolicyBasic(resourceName, name, comments string, withContext bool) string {
context := ""
if withContext {
context = testAccNsxtPolicyMultitenancyContext()
}
return fmt.Sprintf(`
resource "nsxt_policy_gateway_policy" "test" {
resource "%s" "test" {
%s
display_name = "%s"
description = "Acceptance Test"
Expand All @@ -645,10 +648,10 @@ resource "nsxt_policy_gateway_policy" "test" {
tag = "orange"
}
}`, context, name, comments)
}`, resourceName, context, name, comments)
}

func testAccNsxtPolicyGatewayPolicyWithRule(name string, direction string, protocol string, ruleTag string, withContext bool) string {
func testAccNsxtPolicyGatewayPolicyWithRule(resourceName, name, direction, protocol, ruleTag string, withContext bool) string {
context := ""
if withContext {
context = testAccNsxtPolicyMultitenancyContext()
Expand All @@ -660,7 +663,7 @@ resource "nsxt_policy_tier1_gateway" "gwt1test" {
description = "Acceptance Test"
}
resource "nsxt_policy_gateway_policy" "test" {
resource "%s" "test" {
%s
display_name = "%s"
description = "Acceptance Test"
Expand All @@ -687,7 +690,7 @@ resource "nsxt_policy_gateway_policy" "test" {
tag = "blue"
}
}
}`, context, context, name, name, direction, protocol, ruleTag)
}`, context, resourceName, context, name, name, direction, protocol, ruleTag)
}

// TODO: add profiles when available
20 changes: 18 additions & 2 deletions nsxt/resource_nsxt_policy_predefined_gateway_policy.go
Expand Up @@ -10,6 +10,7 @@ import (

"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
nsxt "github.com/vmware/vsphere-automation-sdk-go/services/nsxt"

"github.com/vmware/vsphere-automation-sdk-go/runtime/bindings"
"github.com/vmware/vsphere-automation-sdk-go/runtime/data"
Expand Down Expand Up @@ -264,6 +265,21 @@ func createChildDomainWithGatewayPolicy(domain string, policyID string, policy m
}

func gatewayPolicyInfraPatch(context utl.SessionContext, policy model.GatewayPolicy, domain string, m interface{}) error {
connector := getPolicyConnector(m)
if context.ClientType == utl.VPC {
childVPC, err := createChildVPCWithGatewayPolicy(context, *policy.Id, policy)
if err != nil {
return fmt.Errorf("failed to create H-API for VPC Gateway Policy: %s", err)
}

orgRoot := model.OrgRoot{
ResourceType: strPtr("OrgRoot"),
Children: []*data.StructValue{childVPC},
}

client := nsxt.NewOrgRootClient(connector)
return client.Patch(orgRoot, nil)
}
childDomain, err := createChildDomainWithGatewayPolicy(domain, *policy.Id, policy)
if err != nil {
return fmt.Errorf("Failed to create H-API for Predefined Gateway Policy: %s", err)
Expand Down Expand Up @@ -293,7 +309,7 @@ func updatePolicyPredefinedGatewayPolicy(id string, d *schema.ResourceData, m in
return fmt.Errorf("Failed to extract domain from Gateway Policy path %s", path)
}

predefinedPolicy, err := getGatewayPolicyInDomain(getSessionContext(d, m), id, domain, connector)
predefinedPolicy, err := getGatewayPolicy(getSessionContext(d, m), id, domain, connector)
if err != nil {
return err
}
Expand Down Expand Up @@ -468,7 +484,7 @@ func resourceNsxtPolicyPredefinedGatewayPolicyDelete(d *schema.ResourceData, m i
path := d.Get("path").(string)
domain := getDomainFromResourcePath(path)

predefinedPolicy, err := getGatewayPolicyInDomain(getSessionContext(d, m), id, domain, getPolicyConnector(m))
predefinedPolicy, err := getGatewayPolicy(getSessionContext(d, m), id, domain, getPolicyConnector(m))
if err != nil {
return err
}
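Review bot: The new VPC branch wraps its error as lowercase `failed to … %s` while the existing domain branch three lines below uses `Failed to … %s`; within one function pick one form, and prefer `%w` so callers can `errors.Is`/`errors.As` through it: `return fmt.Errorf("failed to create H-API for VPC Gateway Policy: %w", err)`. The `nil` second argument in `client.Patch(orgRoot, nil)` looks like the SDK's enforce-revision-check flag; if that reading is right, the hierarchical patch runs without optimistic-concurrency protection, which deserves a one-line comment stating that it matches the domain path (that call is outside the hunk) or an explicit `true` pointer if it does not. `*policy.Id` is dereferenced on the new line with the same unchecked-nil assumption as the existing line below it, so the added path inherits it. The rest of gatewayPolicyInfraPatch continues below the hunk.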