Merge pull request vmware#1217 from ksamoray/vpc-ew-policy

VPC E-W security policy resource
ksamoray · Jun 18, 2024 · d77898b · d77898b
2 parents b1d6b2c + e29eb44
commit d77898b
Show file tree

Hide file tree

Showing 12 changed files with 539 additions and 63 deletions.
diff --git a/nsxt/gateway_common.go b/nsxt/gateway_common.go
@@ -436,6 +436,11 @@ func policyInfraPatch(context utl.SessionContext, obj model.Infra, connector cli
 		}
 
 		return infraClient.Patch(gmObj.(gm_model.Infra), &enforceRevision)
+	} else if context.ClientType == utl.VPC {
+		context = utl.SessionContext{
+			ClientType: utl.Multitenancy,
+			ProjectID:  context.ProjectID,
+		}
 	}
 
 	infraClient := nsx_policy.NewInfraClient(context, connector)

diff --git a/nsxt/policy_common.go b/nsxt/policy_common.go
@@ -311,7 +311,7 @@ func getSecurityPolicyAndGatewayRuleSchema(scopeRequired bool, isIds bool, nsxID
 }
 
 func getPolicyGatewayPolicySchema() map[string]*schema.Schema {
-	secPolicy := getPolicySecurityPolicySchema(false, true, true)
+	secPolicy := getPolicySecurityPolicySchema(false, true, true, true)
 	// GW Policies don't support scope
 	delete(secPolicy, "scope")
 	secPolicy["category"].ValidateFunc = validation.StringInSlice(gatewayPolicyCategoryWritableValues, false)
@@ -320,15 +320,15 @@ func getPolicyGatewayPolicySchema() map[string]*schema.Schema {
 	return secPolicy
 }
 
-func getPolicySecurityPolicySchema(isIds, withContext, withRule bool) map[string]*schema.Schema {
+func getPolicySecurityPolicySchema(isIds, withContext, withRule, withDomain bool) map[string]*schema.Schema {
 	result := map[string]*schema.Schema{
 		"nsx_id":       getNsxIDSchema(),
 		"path":         getPathSchema(),
 		"display_name": getDisplayNameSchema(),
 		"description":  getDescriptionSchema(),
 		"revision":     getRevisionSchema(),
 		"tag":          getTagsSchema(),
-		"context":      getContextSchema(false, false, false),
+		"context":      getContextSchema(!withDomain, false, !withDomain),
 		"domain":       getDomainNameSchema(),
 		"category": {
 			Type:         schema.TypeString,
@@ -392,6 +392,9 @@ func getPolicySecurityPolicySchema(isIds, withContext, withRule bool) map[string
 	if !withRule {
 		delete(result, "rule")
 	}
+	if !withDomain {
+		delete(result, "domain")
+	}
 	return result
 }
 

diff --git a/nsxt/provider.go b/nsxt/provider.go
@@ -496,6 +496,7 @@ func Provider() *schema.Provider {
 			"nsxt_policy_gateway_flood_protection_profile_binding":     resourceNsxtPolicyGatewayFloodProtectionProfileBinding(),
 			"nsxt_policy_compute_sub_cluster":                          resourceNsxtPolicyComputeSubCluster(),
 			"nsxt_policy_tier0_inter_vrf_routing":                      resourceNsxtPolicyTier0InterVRFRouting(),
+			"nsxt_vpc_security_policy":                                 resourceNsxtVPCSecurityPolicy(),
 		},
 
 		ConfigureFunc: providerConfigure,

diff --git a/nsxt/resource_nsxt_policy_intrusion_service_policy.go b/nsxt/resource_nsxt_policy_intrusion_service_policy.go
@@ -29,7 +29,7 @@ func resourceNsxtPolicyIntrusionServicePolicy() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			State: nsxtDomainResourceImporter,
 		},
-		Schema: getPolicySecurityPolicySchema(true, true, true),
+		Schema: getPolicySecurityPolicySchema(true, true, true, true),
 	}
 }
 

diff --git a/nsxt/resource_nsxt_policy_parent_security_policy.go b/nsxt/resource_nsxt_policy_parent_security_policy.go
@@ -21,7 +21,7 @@ func resourceNsxtPolicyParentSecurityPolicy() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			State: nsxtDomainResourceImporter,
 		},
-		Schema: getPolicySecurityPolicySchema(false, true, false),
+		Schema: getPolicySecurityPolicySchema(false, true, false, true),
 	}
 }
 
@@ -55,10 +55,13 @@ func parentSecurityPolicySchemaToModel(d *schema.ResourceData, id string) model.
 	}
 }
 
-func parentSecurityPolicyModelToSchema(d *schema.ResourceData, m interface{}) (*model.SecurityPolicy, error) {
+func parentSecurityPolicyModelToSchema(d *schema.ResourceData, m interface{}, withDomain bool) (*model.SecurityPolicy, error) {
 	connector := getPolicyConnector(m)
 	id := d.Id()
-	domainName := d.Get("domain").(string)
+	domainName := ""
+	if withDomain {
+		domainName = d.Get("domain").(string)
+	}
 	if id == "" {
 		return nil, fmt.Errorf("Error obtaining Security Policy id")
 	}
@@ -75,7 +78,9 @@ func parentSecurityPolicyModelToSchema(d *schema.ResourceData, m interface{}) (*
 	setPolicyTagsInSchema(d, obj.Tags)
 	d.Set("nsx_id", id)
 	d.Set("path", obj.Path)
-	d.Set("domain", getDomainFromResourcePath(*obj.Path))
+	if withDomain {
+		d.Set("domain", getDomainFromResourcePath(*obj.Path))
+	}
 	d.Set("category", obj.Category)
 	d.Set("comments", obj.Comments)
 	d.Set("locked", obj.Locked)
@@ -92,15 +97,15 @@ func parentSecurityPolicyModelToSchema(d *schema.ResourceData, m interface{}) (*
 }
 
 func resourceNsxtPolicyParentSecurityPolicyCreate(d *schema.ResourceData, m interface{}) error {
-	return resourceNsxtPolicySecurityPolicyGeneralCreate(d, m, false)
+	return resourceNsxtPolicySecurityPolicyGeneralCreate(d, m, false, true)
 }
 
 func resourceNsxtPolicyParentSecurityPolicyRead(d *schema.ResourceData, m interface{}) error {
-	return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, false)
+	return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, false, true)
 }
 
 func resourceNsxtPolicyParentSecurityPolicyUpdate(d *schema.ResourceData, m interface{}) error {
-	return resourceNsxtPolicySecurityPolicyGeneralUpdate(d, m, false)
+	return resourceNsxtPolicySecurityPolicyGeneralUpdate(d, m, false, true)
 }
 
 func resourceNsxtPolicyParentSecurityPolicyDelete(d *schema.ResourceData, m interface{}) error {

diff --git a/nsxt/resource_nsxt_policy_predefined_security_policy.go b/nsxt/resource_nsxt_policy_predefined_security_policy.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/vmware/vsphere-automation-sdk-go/runtime/bindings"
 	"github.com/vmware/vsphere-automation-sdk-go/runtime/data"
+	nsxt "github.com/vmware/vsphere-automation-sdk-go/services/nsxt"
 	"github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model"
 
 	"github.com/vmware/terraform-provider-nsxt/api/infra/domains"
@@ -178,6 +179,60 @@ func revertSecurityPolicyDefaultRule(rule model.Rule) model.Rule {
 	return rule
 }
 
+func strPtr(s string) *string {
+	v := s
+	return &v
+}
+
+func createChildVPCWithSecurityPolicy(context utl.SessionContext, policyID string, policy model.SecurityPolicy) (*data.StructValue, error) {
+	converter := bindings.NewTypeConverter()
+
+	childPolicy := model.ChildSecurityPolicy{
+		ResourceType:   "ChildSecurityPolicy",
+		SecurityPolicy: &policy,
+	}
+
+	dataValue, errors := converter.ConvertToVapi(childPolicy, model.ChildSecurityPolicyBindingType())
+	if len(errors) > 0 {
+		return nil, errors[0]
+	}
+
+	childVPC := model.ChildResourceReference{
+		Id:           &context.VPCID,
+		ResourceType: "ChildResourceReference",
+		TargetType:   strPtr("Vpc"),
+		Children:     []*data.StructValue{dataValue.(*data.StructValue)},
+	}
+
+	dataValue, errors = converter.ConvertToVapi(childVPC, model.ChildResourceReferenceBindingType())
+	if len(errors) > 0 {
+		return nil, errors[0]
+	}
+	childProject := model.ChildResourceReference{
+		Id:           &context.ProjectID,
+		ResourceType: "ChildResourceReference",
+		TargetType:   strPtr("Project"),
+		Children:     []*data.StructValue{dataValue.(*data.StructValue)},
+	}
+	dataValue, errors = converter.ConvertToVapi(childProject, model.ChildResourceReferenceBindingType())
+	if len(errors) > 0 {
+		return nil, errors[0]
+	}
+
+	childOrg := model.ChildResourceReference{
+		Id:           strPtr(defaultOrgID),
+		ResourceType: "ChildResourceReference",
+		TargetType:   strPtr("Org"),
+		Children:     []*data.StructValue{dataValue.(*data.StructValue)},
+	}
+	dataValue, errors = converter.ConvertToVapi(childOrg, model.ChildResourceReferenceBindingType())
+	if len(errors) > 0 {
+		return nil, errors[0]
+	}
+
+	return dataValue.(*data.StructValue), nil
+}
+
 func createChildDomainWithSecurityPolicy(domain string, policyID string, policy model.SecurityPolicy) (*data.StructValue, error) {
 	converter := bindings.NewTypeConverter()
 
@@ -409,20 +464,29 @@ func resourceNsxtPolicyPredefinedSecurityPolicyDelete(d *schema.ResourceData, m
 }
 
 func securityPolicyInfraPatch(context utl.SessionContext, policy model.SecurityPolicy, domain string, m interface{}) error {
+	connector := getPolicyConnector(m)
+	if context.ClientType == utl.VPC {
+		childVPC, err := createChildVPCWithSecurityPolicy(context, *policy.Id, policy)
+		if err != nil {
+			return fmt.Errorf("Failed to create H-API for VPC Security Policy: %s", err)
+		}
+		orgRoot := model.OrgRoot{
+			ResourceType: strPtr("OrgRoot"),
+			Children:     []*data.StructValue{childVPC},
+		}
+
+		client := nsxt.NewOrgRootClient(connector)
+		return client.Patch(orgRoot, nil)
+	}
+
 	childDomain, err := createChildDomainWithSecurityPolicy(domain, *policy.Id, policy)
 	if err != nil {
 		return fmt.Errorf("Failed to create H-API for Predefined Security Policy: %s", err)
 	}
-
-	var infraChildren []*data.StructValue
-	infraChildren = append(infraChildren, childDomain)
-
-	infraType := "Infra"
 	infraObj := model.Infra{
-		Children:     infraChildren,
-		ResourceType: &infraType,
+		Children:     []*data.StructValue{childDomain},
+		ResourceType: strPtr("Infra"),
 	}
 
-	return policyInfraPatch(context, infraObj, getPolicyConnector(m), false)
-
+	return policyInfraPatch(context, infraObj, connector, false)
 }
diff --git a/nsxt/resource_nsxt_policy_security_policy.go b/nsxt/resource_nsxt_policy_security_policy.go
@@ -24,7 +24,7 @@ func resourceNsxtPolicySecurityPolicy() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			State: nsxtDomainResourceImporter,
 		},
-		Schema: getPolicySecurityPolicySchema(false, true, true),
+		Schema: getPolicySecurityPolicySchema(false, true, true, true),
 	}
 }
 
@@ -61,9 +61,12 @@ func resourceNsxtPolicySecurityPolicyExistsPartial(domainName string) func(sessi
 	}
 }
 
-func policySecurityPolicyBuildAndPatch(d *schema.ResourceData, m interface{}, id string, createFlow, withRule bool) error {
+func policySecurityPolicyBuildAndPatch(d *schema.ResourceData, m interface{}, id string, createFlow, withRule, withDomain bool) error {
 	obj := parentSecurityPolicySchemaToModel(d, id)
-	domain := d.Get("domain").(string)
+	domain := ""
+	if withDomain {
+		domain = d.Get("domain").(string)
+	}
 	revision := int64(d.Get("revision").(int))
 	log.Printf("[INFO] Creating Security Policy with ID %s", id)
 
@@ -92,15 +95,15 @@ func policySecurityPolicyBuildAndPatch(d *schema.ResourceData, m interface{}, id
 }
 
 func resourceNsxtPolicySecurityPolicyCreate(d *schema.ResourceData, m interface{}) error {
-	return resourceNsxtPolicySecurityPolicyGeneralCreate(d, m, true)
+	return resourceNsxtPolicySecurityPolicyGeneralCreate(d, m, true, true)
 }
 
 func resourceNsxtPolicySecurityPolicyRead(d *schema.ResourceData, m interface{}) error {
-	return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, true)
+	return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, true, true)
 }
 
 func resourceNsxtPolicySecurityPolicyUpdate(d *schema.ResourceData, m interface{}) error {
-	return resourceNsxtPolicySecurityPolicyGeneralUpdate(d, m, true)
+	return resourceNsxtPolicySecurityPolicyGeneralUpdate(d, m, true, true)
 }
 
 func resourceNsxtPolicySecurityPolicyDelete(d *schema.ResourceData, m interface{}) error {
@@ -124,14 +127,18 @@ func resourceNsxtPolicySecurityPolicyDelete(d *schema.ResourceData, m interface{
 	return nil
 }
 
-func resourceNsxtPolicySecurityPolicyGeneralCreate(d *schema.ResourceData, m interface{}, withRule bool) error {
+func resourceNsxtPolicySecurityPolicyGeneralCreate(d *schema.ResourceData, m interface{}, withRule, withDomain bool) error {
 	// Initialize resource Id and verify this ID is not yet used
-	id, err := getOrGenerateID2(d, m, resourceNsxtPolicySecurityPolicyExistsPartial(d.Get("domain").(string)))
+	domain := ""
+	if withDomain {
+		domain = d.Get("domain").(string)
+	}
+	id, err := getOrGenerateID2(d, m, resourceNsxtPolicySecurityPolicyExistsPartial(domain))
 	if err != nil {
 		return err
 	}
 
-	err = policySecurityPolicyBuildAndPatch(d, m, id, true, withRule)
+	err = policySecurityPolicyBuildAndPatch(d, m, id, true, withRule, withDomain)
 
 	if err != nil {
 		return handleCreateError("Security Policy", id, err)
@@ -140,11 +147,11 @@ func resourceNsxtPolicySecurityPolicyGeneralCreate(d *schema.ResourceData, m int
 	d.SetId(id)
 	d.Set("nsx_id", id)
 
-	return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule)
+	return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule, withDomain)
 }
 
-func resourceNsxtPolicySecurityPolicyGeneralRead(d *schema.ResourceData, m interface{}, withRule bool) error {
-	obj, err := parentSecurityPolicyModelToSchema(d, m)
+func resourceNsxtPolicySecurityPolicyGeneralRead(d *schema.ResourceData, m interface{}, withRule, withDomain bool) error {
+	obj, err := parentSecurityPolicyModelToSchema(d, m, withDomain)
 	if err != nil {
 		return handleReadError(d, "SecurityPolicy", d.Id(), err)
 	}
@@ -154,15 +161,15 @@ func resourceNsxtPolicySecurityPolicyGeneralRead(d *schema.ResourceData, m inter
 	return nil
 }
 
-func resourceNsxtPolicySecurityPolicyGeneralUpdate(d *schema.ResourceData, m interface{}, withRule bool) error {
+func resourceNsxtPolicySecurityPolicyGeneralUpdate(d *schema.ResourceData, m interface{}, withRule, withDomain bool) error {
 	id := d.Id()
 	if id == "" {
 		return fmt.Errorf("Error obtaining Security Policy id")
 	}
-	err := policySecurityPolicyBuildAndPatch(d, m, id, false, withRule)
+	err := policySecurityPolicyBuildAndPatch(d, m, id, false, withRule, withDomain)
 	if err != nil {
 		return handleUpdateError("Security Policy", id, err)
 	}
 
-	return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule)
+	return resourceNsxtPolicySecurityPolicyGeneralRead(d, m, withRule, withDomain)
 }