Merge pull request vmware#1212 from vmware/ignore-tag-scope

Add ignore_tags feature for segments
ksamoray · Jun 4, 2024 · 673b1dc · 673b1dc
2 parents 09cd1f2 + 03d3e23
commit 673b1dc
Show file tree

Hide file tree

Showing 7 changed files with 323 additions and 1 deletion.
diff --git a/nsxt/policy_common.go b/nsxt/policy_common.go
@@ -395,6 +395,43 @@ func getPolicySecurityPolicySchema(isIds, withContext, withRule bool) map[string
 	return result
 }
 
+func getIgnoreTagsSchema() *schema.Schema {
+	return &schema.Schema{
+		Type:     schema.TypeList,
+		Optional: true,
+		MaxItems: 1,
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"scopes": {
+					Type:        schema.TypeList,
+					Description: "List of scopes to ignore",
+					Required:    true,
+					Elem: &schema.Schema{
+						Type: schema.TypeString,
+					},
+				},
+				"detected": {
+					Type:        schema.TypeSet,
+					Description: "Tags matching scopes to ignore",
+					Computed:    true,
+					Elem: &schema.Resource{
+						Schema: map[string]*schema.Schema{
+							"scope": {
+								Type:     schema.TypeString,
+								Computed: true,
+							},
+							"tag": {
+								Type:     schema.TypeString,
+								Computed: true,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 func setPolicyRulesInSchema(d *schema.ResourceData, rules []model.Rule) error {
 	var rulesList []map[string]interface{}
 	for _, rule := range rules {

diff --git a/nsxt/policy_utils.go b/nsxt/policy_utils.go
@@ -99,8 +99,24 @@ func initPolicyTagsSet(tags []model.Tag) []map[string]interface{} {
 	return tagList
 }
 
+func getIgnoredTagsFromSchema(d *schema.ResourceData) []model.Tag {
+	tags, defined := d.GetOk("ignore_tags")
+	if !defined {
+		return nil
+	}
+
+	tagMaps := tags.([]interface{})
+	if len(tagMaps) == 0 {
+		return nil
+	}
+	tagMap := tagMaps[0].(map[string]interface{})
+	discoveredTags := tagMap["detected"].(*schema.Set)
+	return getPolicyTagsFromSet(discoveredTags)
+}
+
 func getCustomizedPolicyTagsFromSchema(d *schema.ResourceData, schemaName string) []model.Tag {
 	tags := d.Get(schemaName).(*schema.Set).List()
+	ignoredTags := getIgnoredTagsFromSchema(d)
 	tagList := make([]model.Tag, 0)
 	for _, tag := range tags {
 		data := tag.(map[string]interface{})
@@ -112,21 +128,67 @@ func getCustomizedPolicyTagsFromSchema(d *schema.ResourceData, schemaName string
 
 		tagList = append(tagList, elem)
 	}
+	if len(ignoredTags) > 0 {
+		tagList = append(tagList, ignoredTags...)
+	}
 	return tagList
 }
 
+func setIgnoredTagsInSchema(d *schema.ResourceData, scopesToIgnore []string, tags []map[string]interface{}) {
+
+	elem := make(map[string]interface{})
+	elem["scopes"] = scopesToIgnore
+	elem["detected"] = tags
+
+	d.Set("ignore_tags", []map[string]interface{}{elem})
+}
+
+func getTagScopesToIgnore(d *schema.ResourceData) []string {
+
+	tags, defined := d.GetOk("ignore_tags")
+	if !defined {
+		return nil
+	}
+	tagMaps := tags.([]interface{})
+	if len(tagMaps) == 0 {
+		return nil
+	}
+	tagMap := tagMaps[0].(map[string]interface{})
+	return interface2StringList(tagMap["scopes"].([]interface{}))
+}
+
+// TODO - replace with slices.Contains when go is upgraded everywhere
+func shouldIgnoreScope(scope string, scopesToIgnore []string) bool {
+	for _, scopeToIgnore := range scopesToIgnore {
+		if scope == scopeToIgnore {
+			return true
+		}
+	}
+	return false
+}
+
 func setCustomizedPolicyTagsInSchema(d *schema.ResourceData, tags []model.Tag, schemaName string) {
 	var tagList []map[string]interface{}
+	var ignoredTagList []map[string]interface{}
+	scopesToIgnore := getTagScopesToIgnore(d)
 	for _, tag := range tags {
 		elem := make(map[string]interface{})
 		elem["scope"] = tag.Scope
 		elem["tag"] = tag.Tag
-		tagList = append(tagList, elem)
+		if tag.Scope != nil && shouldIgnoreScope(*tag.Scope, scopesToIgnore) {
+			ignoredTagList = append(ignoredTagList, elem)
+		} else {
+			tagList = append(tagList, elem)
+		}
 	}
 	err := d.Set(schemaName, tagList)
 	if err != nil {
 		log.Printf("[WARNING] Failed to set tag in schema: %v", err)
 	}
+
+	if len(scopesToIgnore) > 0 {
+		setIgnoredTagsInSchema(d, scopesToIgnore, ignoredTagList)
+	}
 }
 
 func getPolicyTagsFromSchema(d *schema.ResourceData) []model.Tag {

diff --git a/nsxt/resource_nsxt_policy_segment_test.go b/nsxt/resource_nsxt_policy_segment_test.go
@@ -463,6 +463,84 @@ func TestAccResourceNsxtPolicySegment_withDhcp(t *testing.T) {
 	})
 }
 
+func TestAccResourceNsxtPolicySegment_withIgnoreTags(t *testing.T) {
+	name := getAccTestResourceName()
+	testResourceName := "nsxt_policy_segment.test"
+	tzName := getOverlayTransportZoneName()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		CheckDestroy: func(state *terraform.State) error {
+			return testAccNsxtPolicySegmentCheckDestroy(state, name)
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccNsxtPolicySegmentIgnoreTagsCreateTemplate(tzName, name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccNsxtPolicySegmentExists(testResourceName),
+					resource.TestCheckResourceAttr(testResourceName, "display_name", name),
+					resource.TestCheckResourceAttr(testResourceName, "tag.#", "3"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.#", "0"),
+				),
+			},
+			{
+				Config: testAccNsxtPolicySegmentIgnoreTagsUpdate1Template(tzName, name),
+				// This is an "pretend" update of ignored tag on backend
+				// Where backend changes are simulated with terraform update
+				// The fake backend changes are still present in intent at this point,
+				// Thus terraform will detect non-empty plan
+				// Next step will delete those tags from intent, and we expect them to
+				// remain in the ignored_tags section
+				ExpectNonEmptyPlan: true,
+				Check: resource.ComposeTestCheckFunc(
+					testAccNsxtPolicySegmentExists(testResourceName),
+					resource.TestCheckResourceAttr(testResourceName, "display_name", name),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.#", "1"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.0.scopes.#", "2"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.0.detected.#", "2"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.0.detected.0.scope", "color"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.0.detected.0.tag", "orange"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.0.detected.1.scope", "size"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.0.detected.1.tag", "small"),
+				),
+			},
+			{
+				Config: testAccNsxtPolicySegmentIgnoreTagsUpdate2Template(tzName, name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccNsxtPolicySegmentExists(testResourceName),
+					resource.TestCheckResourceAttr(testResourceName, "display_name", name),
+					resource.TestCheckResourceAttr(testResourceName, "tag.#", "2"),
+					resource.TestCheckResourceAttr(testResourceName, "tag.0.scope", "rack"),
+					resource.TestCheckResourceAttr(testResourceName, "tag.0.tag", "5"),
+					resource.TestCheckResourceAttr(testResourceName, "tag.1.scope", "shape"),
+					resource.TestCheckResourceAttr(testResourceName, "tag.1.tag", "triangle"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.#", "1"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.0.scopes.#", "2"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.0.detected.#", "2"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.0.detected.0.scope", "color"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.0.detected.0.tag", "orange"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.0.detected.1.scope", "size"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.0.detected.1.tag", "small"),
+				),
+			},
+			{
+				Config: testAccNsxtPolicySegmentIgnoreTagsUpdate3Template(tzName, name),
+				Check: resource.ComposeTestCheckFunc(
+					testAccNsxtPolicySegmentExists(testResourceName),
+					resource.TestCheckResourceAttr(testResourceName, "display_name", name),
+					resource.TestCheckResourceAttr(testResourceName, "tag.#", "2"),
+					resource.TestCheckResourceAttr(testResourceName, "tag.0.scope", "color"),
+					resource.TestCheckResourceAttr(testResourceName, "tag.0.tag", "blue"),
+					resource.TestCheckResourceAttr(testResourceName, "tag.1.scope", "rack"),
+					resource.TestCheckResourceAttr(testResourceName, "tag.1.tag", "7"),
+					resource.TestCheckResourceAttr(testResourceName, "ignore_tags.#", "0"),
+				),
+			},
+		},
+	})
+}
+
 // TODO: add tests for l2_extension; requires L2 VPN Session
 
 func testAccNsxtPolicySegmentExists(resourceName string) resource.TestCheckFunc {
@@ -561,6 +639,128 @@ resource "nsxt_policy_segment" "test" {
 `, name)
 }
 
+func testAccNsxtPolicySegmentIgnoreTagsCreateTemplate(tzName string, name string) string {
+	return testAccNsxtPolicySegmentDeps(tzName, false) + fmt.Sprintf(`
+
+resource "nsxt_policy_segment" "test" {
+  display_name        = "%s"
+  overlay_id          = 1011
+  transport_zone_path = data.nsxt_policy_transport_zone.test.path
+  connectivity_path   = nsxt_policy_tier1_gateway.tier1ForSegments.path
+
+  subnet {
+     cidr = "12.12.2.1/24"
+  }
+
+  tag {
+    scope = "color"
+    tag   = "orange"
+  }
+
+  tag {
+    scope = "shape"
+    tag   = "triangle"
+  }
+
+  tag {
+    scope = "size"
+    tag   = "small"
+  }
+}
+`, name)
+}
+
+func testAccNsxtPolicySegmentIgnoreTagsUpdate1Template(tzName string, name string) string {
+	return testAccNsxtPolicySegmentDeps(tzName, false) + fmt.Sprintf(`
+
+resource "nsxt_policy_segment" "test" {
+  display_name        = "%s"
+  overlay_id          = 1011
+  transport_zone_path = data.nsxt_policy_transport_zone.test.path
+  connectivity_path   = nsxt_policy_tier1_gateway.tier1ForSegments.path
+
+  subnet {
+     cidr = "12.12.2.1/24"
+  }
+
+  tag {
+    scope = "color"
+    tag   = "orange"
+  }
+
+  tag {
+    scope = "shape"
+    tag   = "triangle"
+  }
+
+  tag {
+    scope = "size"
+    tag   = "small"
+  }
+
+  ignore_tags {
+    scopes = ["color", "size"]
+  }
+}
+`, name)
+}
+
+func testAccNsxtPolicySegmentIgnoreTagsUpdate2Template(tzName string, name string) string {
+	return testAccNsxtPolicySegmentDeps(tzName, false) + fmt.Sprintf(`
+
+resource "nsxt_policy_segment" "test" {
+  display_name        = "%s"
+  overlay_id          = 1011
+  transport_zone_path = data.nsxt_policy_transport_zone.test.path
+  connectivity_path   = nsxt_policy_tier1_gateway.tier1ForSegments.path
+
+  subnet {
+     cidr = "12.12.2.1/24"
+  }
+
+  tag {
+    scope = "rack"
+    tag   = "5"
+  }
+
+  tag {
+    scope = "shape"
+    tag   = "triangle"
+  }
+
+  ignore_tags {
+    scopes = ["color", "size"]
+  }
+}
+`, name)
+}
+
+func testAccNsxtPolicySegmentIgnoreTagsUpdate3Template(tzName string, name string) string {
+	return testAccNsxtPolicySegmentDeps(tzName, false) + fmt.Sprintf(`
+
+resource "nsxt_policy_segment" "test" {
+  display_name        = "%s"
+  overlay_id          = 1011
+  transport_zone_path = data.nsxt_policy_transport_zone.test.path
+  connectivity_path   = nsxt_policy_tier1_gateway.tier1ForSegments.path
+
+  subnet {
+     cidr = "12.12.2.1/24"
+  }
+
+  tag {
+    scope = "color"
+    tag   = "blue"
+  }
+ 
+  tag {
+    scope = "rack"
+    tag   = "7"
+  }
+}
+`, name)
+}
+
 func testAccNsxtPolicySegmentBasicUpdateTemplate(tzName string, name string) string {
 	return testAccNsxtPolicySegmentDeps(tzName, false) + fmt.Sprintf(`
 

diff --git a/nsxt/segment_common.go b/nsxt/segment_common.go
@@ -266,6 +266,7 @@ func getPolicyCommonSegmentSchema(vlanRequired bool, isFixed bool) map[string]*s
 		"description":  getDescriptionSchema(),
 		"revision":     getRevisionSchema(),
 		"tag":          getTagsSchema(),
+		"ignore_tags":  getIgnoreTagsSchema(),
 		"context":      getContextSchema(false, false),
 		"advanced_config": {
 			Type:        schema.TypeList,

diff --git a/website/docs/r/policy_fixed_segment.html.markdown b/website/docs/r/policy_fixed_segment.html.markdown
@@ -88,6 +88,7 @@ The following arguments are supported:
 * `display_name` - (Required) Display name of the resource.
 * `description` - (Optional) Description of the resource.
 * `tag` - (Optional) A list of scope + tag pairs to associate with this policy.
+* `ignore_tags` - (Optional) A list of tag scopes that provider should ignore, more specifically, it should not detect drift when tags with such scope are present on NSX, and it should not overwrite them when applying its own tags. This feature is useful for external network with VCD scenario.
 * `nsx_id` - (Optional) The NSX ID of this resource. If set, this ID will be used to create the resource.
 * `connectivity_path` - (Required) Policy path to the connecting Tier-0 or Tier-1.
 * `context` - (Optional) The context which the object belongs to