vmware · Didainius · Jul 27, 2022 · Jun 30, 2022 · Jul 1, 2022 · Jul 5, 2022
@@ -0,0 +1,4 @@
+* Add support for Dynamic Security Groups in VCD 10.3 by expanding `types.NsxtFirewallGroup` to
+  accommodate fields required for dynamic security groups, implemented automatic API elevation to
+  v36.0. Added New functions `VdcGroup.CreateNsxtFirewallGroup`,
+  `NsxtFirewallGroup.IsDynamicSecurityGroup` [GH-487]
@@ -165,13 +165,15 @@ type TestConfig struct {
 		ExternalNetworkPortGroupType string `yaml:"externalNetworkPortGroupType,omitempty"`
 		VimServer                    string `yaml:"vimServer,omitempty"`
 		Nsxt                         struct {
-			Manager           string `yaml:"manager"`
-			Tier0router       string `yaml:"tier0router"`
-			Tier0routerVrf    string `yaml:"tier0routerVrf"`
-			Vdc               string `yaml:"vdc"`
-			ExternalNetwork   string `yaml:"externalNetwork"`
-			EdgeGateway       string `yaml:"edgeGateway"`
-			NsxtImportSegment string `yaml:"nsxtImportSegment"`
+			Manager             string `yaml:"manager"`
+			Tier0router         string `yaml:"tier0router"`
+			Tier0routerVrf      string `yaml:"tier0routerVrf"`
+			Vdc                 string `yaml:"vdc"`
+			ExternalNetwork     string `yaml:"externalNetwork"`
+			EdgeGateway         string `yaml:"edgeGateway"`
+			NsxtImportSegment   string `yaml:"nsxtImportSegment"`
+			VdcGroup            string `yaml:"vdcGroup"`
+			VdcGroupEdgeGateway string `yaml:"vdcGroupEdgeGateway"`
 
 			NsxtAlbControllerUrl      string `yaml:"nsxtAlbControllerUrl"`
 			NsxtAlbControllerUser     string `yaml:"nsxtAlbControllerUser"`

@@ -36,6 +36,11 @@ func (egw *NsxtEdgeGateway) CreateNsxtFirewallGroup(firewallGroupConfig *types.N
 	return createNsxtFirewallGroup(egw.client, firewallGroupConfig)
 }
 
+// CreateNsxtFirewallGroup allows users to create NSX-T Firewall Group
+func (vdcGroup *VdcGroup) CreateNsxtFirewallGroup(firewallGroupConfig *types.NsxtFirewallGroup) (*NsxtFirewallGroup, error) {
+	return createNsxtFirewallGroup(vdcGroup.client, firewallGroupConfig)
+}
+
 // GetAllNsxtFirewallGroups allows users to retrieve all Firewall Groups for Org
 // firewallGroupType can be one of the following:
 // * types.FirewallGroupTypeSecurityGroup - for NSX-T Security Groups
@@ -57,8 +62,9 @@ func (egw *NsxtEdgeGateway) CreateNsxtFirewallGroup(firewallGroupConfig *types.N
 // 'networkProviderId' is NSX-T manager ID
 func (org *Org) GetAllNsxtFirewallGroups(queryParameters url.Values, firewallGroupType string) ([]*NsxtFirewallGroup, error) {
 	queryParams := copyOrNewUrlValues(queryParameters)
+	filteringTypeFieldName := getFirewallGroupTypeFilterFieldName(org.client)
 	if firewallGroupType != "" {
-		queryParams = queryParameterFilterAnd("type=="+firewallGroupType, queryParams)
+		queryParams = queryParameterFilterAnd(fmt.Sprintf("%s==%s", filteringTypeFieldName, firewallGroupType), queryParameters)
 	}
 
 	return getAllNsxtFirewallGroups(org.client, queryParams)
@@ -80,8 +86,9 @@ func (vdc *Vdc) GetAllNsxtFirewallGroups(queryParameters url.Values, firewallGro
 func (egw *NsxtEdgeGateway) GetAllNsxtFirewallGroups(queryParameters url.Values, firewallGroupType string) ([]*NsxtFirewallGroup, error) {
 	queryParams := copyOrNewUrlValues(queryParameters)
 
+	filteringTypeFieldName := getFirewallGroupTypeFilterFieldName(egw.client)
 	if firewallGroupType != "" {
-		queryParams = queryParameterFilterAnd("type=="+firewallGroupType, queryParams)
+		queryParams = queryParameterFilterAnd(fmt.Sprintf("%s==%s", filteringTypeFieldName, firewallGroupType), queryParameters)
 	}
 
 	// Automatically inject Edge Gateway filter because this is an Edge Gateway scoped query
@@ -100,8 +107,9 @@ func (egw *NsxtEdgeGateway) GetAllNsxtFirewallGroups(queryParameters url.Values,
 // of the same type cannot exist) and firewallGroupType is left empty.
 func (org *Org) GetNsxtFirewallGroupByName(name, firewallGroupType string) (*NsxtFirewallGroup, error) {
 	queryParameters := url.Values{}
+	filteringTypeFieldName := getFirewallGroupTypeFilterFieldName(org.client)
 	if firewallGroupType != "" {
-		queryParameters = queryParameterFilterAnd("type=="+firewallGroupType, queryParameters)
+		queryParameters = queryParameterFilterAnd(fmt.Sprintf("%s==%s", filteringTypeFieldName, firewallGroupType), queryParameters)
 	}
 
 	return getNsxtFirewallGroupByName(org.client, name, queryParameters)
@@ -118,15 +126,17 @@ func (org *Org) GetNsxtFirewallGroupByName(name, firewallGroupType string) (*Nsx
 func (vdc *Vdc) GetNsxtFirewallGroupByName(name, firewallGroupType string) (*NsxtFirewallGroup, error) {
 
 	queryParameters := url.Values{}
+	filteringTypeFieldName := getFirewallGroupTypeFilterFieldName(vdc.client)
 	if firewallGroupType != "" {
-		queryParameters = queryParameterFilterAnd("type=="+firewallGroupType, queryParameters)
+		queryParameters = queryParameterFilterAnd(fmt.Sprintf("%s==%s", filteringTypeFieldName, firewallGroupType), queryParameters)
 	}
 	return getNsxtFirewallGroupByName(vdc.client, name, queryParameters)
 }
 
 // GetNsxtFirewallGroupByName allows users to retrieve Firewall Group by Name in a particular VDC Group
 // firewallGroupType can be one of the following:
-// * types.FirewallGroupTypeSecurityGroup - for NSX-T Security Groups
+// * types.FirewallGroupTypeSecurityGroup - for NSX-T Static Security Groups
+// * types.FirewallGroupTypeVmCriteria - for NSX-T Dynamic Security Groups
 // * types.FirewallGroupTypeIpSet - for NSX-T IP Sets
 // * "" (empty) - search will not be limited and will get both - IP Sets and Security Groups
 //
@@ -135,8 +145,9 @@ func (vdc *Vdc) GetNsxtFirewallGroupByName(name, firewallGroupType string) (*Nsx
 func (vdcGroup *VdcGroup) GetNsxtFirewallGroupByName(name string, firewallGroupType string) (*NsxtFirewallGroup, error) {
 	queryParameters := url.Values{}
 
+	filteringTypeFieldName := getFirewallGroupTypeFilterFieldName(vdcGroup.client)
 	if firewallGroupType != "" {
-		queryParameters = queryParameterFilterAnd("type=="+firewallGroupType, queryParameters)
+		queryParameters = queryParameterFilterAnd(fmt.Sprintf("%s==%s", filteringTypeFieldName, firewallGroupType), queryParameters)
 	}
 
 	// Automatically inject Edge Gateway filter because this is an Edge Gateway scoped query
@@ -156,8 +167,9 @@ func (vdcGroup *VdcGroup) GetNsxtFirewallGroupByName(name string, firewallGroupT
 func (egw *NsxtEdgeGateway) GetNsxtFirewallGroupByName(name string, firewallGroupType string) (*NsxtFirewallGroup, error) {
 	queryParameters := url.Values{}
 
+	filteringTypeFieldName := getFirewallGroupTypeFilterFieldName(egw.client)
 	if firewallGroupType != "" {
-		queryParameters = queryParameterFilterAnd("type=="+firewallGroupType, queryParameters)
+		queryParameters = queryParameterFilterAnd(fmt.Sprintf("%s==%s", filteringTypeFieldName, firewallGroupType), queryParameters)
 	}
 
 	// Automatically inject Edge Gateway filter because this is an Edge Gateway scoped query
@@ -189,7 +201,7 @@ func (vdcGroup *VdcGroup) GetNsxtFirewallGroupById(id string) (*NsxtFirewallGrou
 // Update allows users to update NSX-T Firewall Group
 func (firewallGroup *NsxtFirewallGroup) Update(firewallGroupConfig *types.NsxtFirewallGroup) (*NsxtFirewallGroup, error) {
 	endpoint := types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups
-	minimumApiVersion, err := firewallGroup.client.checkOpenApiEndpointCompatibility(endpoint)
+	apiVersion, err := firewallGroup.client.getOpenApiHighestElevatedVersion(endpoint)
 	if err != nil {
 		return nil, err
 	}
@@ -208,7 +220,7 @@ func (firewallGroup *NsxtFirewallGroup) Update(firewallGroupConfig *types.NsxtFi
 		client:            firewallGroup.client,
 	}
 
-	err = firewallGroup.client.OpenApiPutItem(minimumApiVersion, urlRef, nil, firewallGroupConfig, returnObject.NsxtFirewallGroup, nil)
+	err = firewallGroup.client.OpenApiPutItem(apiVersion, urlRef, nil, firewallGroupConfig, returnObject.NsxtFirewallGroup, nil)
 	if err != nil {
 		return nil, fmt.Errorf("error updating NSX-T firewall group: %s", err)
 	}
@@ -219,7 +231,7 @@ func (firewallGroup *NsxtFirewallGroup) Update(firewallGroupConfig *types.NsxtFi
 // Delete allows users to delete NSX-T Firewall Group
 func (firewallGroup *NsxtFirewallGroup) Delete() error {
 	endpoint := types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups
-	minimumApiVersion, err := firewallGroup.client.checkOpenApiEndpointCompatibility(endpoint)
+	apiVersion, err := firewallGroup.client.getOpenApiHighestElevatedVersion(endpoint)
 	if err != nil {
 		return err
 	}
@@ -233,7 +245,7 @@ func (firewallGroup *NsxtFirewallGroup) Delete() error {
 		return err
 	}
 
-	err = firewallGroup.client.OpenApiDeleteItem(minimumApiVersion, urlRef, nil, nil)
+	err = firewallGroup.client.OpenApiDeleteItem(apiVersion, urlRef, nil, nil)
 
 	if err != nil {
 		return fmt.Errorf("error deleting NSX-T Firewall Group: %s", err)
@@ -248,7 +260,7 @@ func (firewallGroup *NsxtFirewallGroup) Delete() error {
 // similar to: "only Security Groups have associated VMs. This Firewall Group has type 'IP_SET'"
 func (firewallGroup *NsxtFirewallGroup) GetAssociatedVms() ([]*types.NsxtFirewallGroupMemberVms, error) {
 	endpoint := types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups
-	minimumApiVersion, err := firewallGroup.client.checkOpenApiEndpointCompatibility(endpoint)
+	apiVersion, err := firewallGroup.client.getOpenApiHighestElevatedVersion(endpoint)
 	if err != nil {
 		return nil, err
 	}
@@ -257,7 +269,7 @@ func (firewallGroup *NsxtFirewallGroup) GetAssociatedVms() ([]*types.NsxtFirewal
 		return nil, fmt.Errorf("cannot retrieve associated VMs for NSX-T Firewall Group without ID")
 	}
 
-	if !firewallGroup.IsSecurityGroup() {
+	if !firewallGroup.IsSecurityGroup() && !firewallGroup.IsDynamicSecurityGroup() {
 		return nil, fmt.Errorf("only Security Groups have associated VMs. This Firewall Group has type '%s'",
 			firewallGroup.NsxtFirewallGroup.Type)
 	}
@@ -269,7 +281,7 @@ func (firewallGroup *NsxtFirewallGroup) GetAssociatedVms() ([]*types.NsxtFirewal
 
 	associatedVms := []*types.NsxtFirewallGroupMemberVms{{}}
 
-	err = firewallGroup.client.OpenApiGetAllItems(minimumApiVersion, urlRef, nil, &associatedVms, nil)
+	err = firewallGroup.client.OpenApiGetAllItems(apiVersion, urlRef, nil, &associatedVms, nil)
 
 	if err != nil {
 		return nil, fmt.Errorf("error retrieving associated VMs: %s", err)
@@ -278,11 +290,16 @@ func (firewallGroup *NsxtFirewallGroup) GetAssociatedVms() ([]*types.NsxtFirewal
 	return associatedVms, nil
 }
 
-// IsSecurityGroup allows users to check if Firewall Group is a Security Group
+// IsSecurityGroup allows users to check if Firewall Group is a Static Security Group
 func (firewallGroup *NsxtFirewallGroup) IsSecurityGroup() bool {
 	return firewallGroup.NsxtFirewallGroup.Type == types.FirewallGroupTypeSecurityGroup
 }
 
+// IsDynamicSecurityGroup allows users to check if Firewall Group is a Dynamic Security Group
+func (firewallGroup *NsxtFirewallGroup) IsDynamicSecurityGroup() bool {
+	return firewallGroup.NsxtFirewallGroup.TypeValue == types.FirewallGroupTypeVmCriteria
+}
+
 // IsIpSet allows users to check if Firewall Group is an IP Set
 func (firewallGroup *NsxtFirewallGroup) IsIpSet() bool {
 	return firewallGroup.NsxtFirewallGroup.Type == types.FirewallGroupTypeIpSet
@@ -317,7 +334,7 @@ func getNsxtFirewallGroupByName(client *Client, name string, queryParameters url
 
 func getNsxtFirewallGroupById(client *Client, id string) (*NsxtFirewallGroup, error) {
 	endpoint := types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups
-	minimumApiVersion, err := client.checkOpenApiEndpointCompatibility(endpoint)
+	apiVersion, err := client.getOpenApiHighestElevatedVersion(endpoint)
 	if err != nil {
 		return nil, err
 	}
@@ -336,7 +353,7 @@ func getNsxtFirewallGroupById(client *Client, id string) (*NsxtFirewallGroup, er
 		client:            client,
 	}
 
-	err = client.OpenApiGetItem(minimumApiVersion, urlRef, nil, fwGroup.NsxtFirewallGroup, nil)
+	err = client.OpenApiGetItem(apiVersion, urlRef, nil, fwGroup.NsxtFirewallGroup, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -346,7 +363,7 @@ func getNsxtFirewallGroupById(client *Client, id string) (*NsxtFirewallGroup, er
 
 func getAllNsxtFirewallGroups(client *Client, queryParameters url.Values) ([]*NsxtFirewallGroup, error) {
 	endpoint := types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups
-	minimumApiVersion, err := client.checkOpenApiEndpointCompatibility(endpoint)
+	apiVersion, err := client.getOpenApiHighestElevatedVersion(endpoint)
 	if err != nil {
 		return nil, err
 	}
@@ -359,7 +376,7 @@ func getAllNsxtFirewallGroups(client *Client, queryParameters url.Values) ([]*Ns
 	}
 
 	typeResponses := []*types.NsxtFirewallGroup{{}}
-	err = client.OpenApiGetAllItems(minimumApiVersion, urlRef, queryParameters, &typeResponses, nil)
+	err = client.OpenApiGetAllItems(apiVersion, urlRef, queryParameters, &typeResponses, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -378,7 +395,7 @@ func getAllNsxtFirewallGroups(client *Client, queryParameters url.Values) ([]*Ns
 
 func createNsxtFirewallGroup(client *Client, firewallGroupConfig *types.NsxtFirewallGroup) (*NsxtFirewallGroup, error) {
 	endpoint := types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups
-	minimumApiVersion, err := client.checkOpenApiEndpointCompatibility(endpoint)
+	apiVersion, err := client.getOpenApiHighestElevatedVersion(endpoint)
 	if err != nil {
 		return nil, err
 	}
@@ -393,10 +410,24 @@ func createNsxtFirewallGroup(client *Client, firewallGroupConfig *types.NsxtFire
 		client:            client,
 	}
 
-	err = client.OpenApiPostItem(minimumApiVersion, urlRef, nil, firewallGroupConfig, returnObject.NsxtFirewallGroup, nil)
+	err = client.OpenApiPostItem(apiVersion, urlRef, nil, firewallGroupConfig, returnObject.NsxtFirewallGroup, nil)
 	if err != nil {
 		return nil, fmt.Errorf("error creating NSX-T Firewall Group: %s", err)
 	}
 
 	return returnObject, nil
 }
+
+// getFirewallGroupTypeFilterFieldName is a helper that returns the field name to use for filtering
+// TODO - remove this function when VCD 10.2 is no longer supported
+// by type.
+// For VCD < 10.3.0, the type field is called "type" and for VCD >= 10.3.0, the type field is called
+// "typeValue".
+func getFirewallGroupTypeFilterFieldName(client *Client) string {
+	// Starting with API 36.0 new field 'typeValue' was introduced instead of deprecated `type` field.
+	filteringTypeFieldName := "typeValue"
+	if client.APIVCDMaxVersionIs(" < 36.0") {
+		filteringTypeFieldName = "type"
+	}
+	return filteringTypeFieldName
+}
@@ -0,0 +1,103 @@
+//go:build network || nsxt || functional || openapi || ALL
+// +build network nsxt functional openapi ALL
+
+package govcd
+
+import (
+	"github.com/vmware/go-vcloud-director/v2/types/v56"
+	. "gopkg.in/check.v1"
+)
+
+// Test_NsxtDynamicSecurityGroup tests out CRUD of Dynamic NSX-T Security Group
+//
+// Note. Dynamic Security Group is one type of Firewall Group. Other types are IP-Set and Static
+// Security Group.
+func (vcd *TestVCD) Test_NsxtDynamicSecurityGroup(check *C) {
+	skipNoNsxtConfiguration(vcd, check)
+	skipOpenApiEndpointTest(vcd, check, types.OpenApiPathVersion1_0_0+types.OpenApiEndpointFirewallGroups)
+
+	if vcd.client.Client.APIVCDMaxVersionIs("< 36.0") {
+		check.Skip("Dynamic security groups require VCD 10.3+")
+	}
+
+	adminOrg, err := vcd.client.GetAdminOrgByName(vcd.config.VCD.Org)
+	check.Assert(err, IsNil)
+
+	vdcGroup, err := adminOrg.GetVdcGroupByName(vcd.config.VCD.Nsxt.VdcGroup)
+	check.Assert(err, IsNil)
+
+	// vdcGroupEdgeGateway.
+
+	dynamicSecGroupDefinition := &types.NsxtFirewallGroup{
+		Name:        check.TestName(),
+		Description: check.TestName() + "-Description",
+		TypeValue:   types.FirewallGroupTypeVmCriteria,
+		OwnerRef:    &types.OpenApiReference{ID: vdcGroup.VdcGroup.Id},
+		VmCriteria: []types.NsxtFirewallGroupVmCriteria{
+			{
+				[]types.NsxtFirewallGroupVmCriteriaRule{
+					{
+						AttributeType:  "VM_TAG",
+						Operator:       "EQUALS",
+						AttributeValue: "string",
+					}, // Boolean AND
+					{
+						AttributeType:  "VM_TAG",
+						Operator:       "CONTAINS",
+						AttributeValue: "substring",
+					}, // Boolean AND
+					{
+						AttributeType:  "VM_TAG",
+						Operator:       "STARTS_WITH",
+						AttributeValue: "substring",
+					}, // Boolean AND
+					{
+						AttributeType:  "VM_TAG",
+						Operator:       "ENDS_WITH",
+						AttributeValue: "substring",
+					}, // Boolean AND
+				},
+			}, // Boolean OR
+			{
+				[]types.NsxtFirewallGroupVmCriteriaRule{
+					{
+						AttributeType:  "VM_NAME",
+						Operator:       "CONTAINS",
+						AttributeValue: "substring",
+					}, // Boolean AND
+					{
+						AttributeType:  "VM_NAME",
+						Operator:       "STARTS_WITH",
+						AttributeValue: "substring",
+					}, // Boolean AND
+				},
+			},
+		},
+	}
+
+	createdDynamicGroup, err := vdcGroup.CreateNsxtFirewallGroup(dynamicSecGroupDefinition)
+	check.Assert(err, IsNil)
+	check.Assert(createdDynamicGroup, NotNil)
+
+	openApiEndpoint := types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups + createdDynamicGroup.NsxtFirewallGroup.ID
+	AddToCleanupListOpenApi(createdDynamicGroup.NsxtFirewallGroup.Name, check.TestName(), openApiEndpoint)
+
+	check.Assert(createdDynamicGroup.NsxtFirewallGroup.ID, Not(Equals), "")
+	check.Assert(createdDynamicGroup.NsxtFirewallGroup.OwnerRef.Name, Equals, vcd.config.VCD.Nsxt.VdcGroup)
+	check.Assert(createdDynamicGroup.NsxtFirewallGroup.TypeValue, Equals, types.FirewallGroupTypeVmCriteria)
+
+	// Update
+	createdDynamicGroup.NsxtFirewallGroup.Description = "updated-description"
+	createdDynamicGroup.NsxtFirewallGroup.Name = check.TestName() + "-updated"
+
+	updatedDynamicGroup, err := createdDynamicGroup.Update(createdDynamicGroup.NsxtFirewallGroup)
+	check.Assert(err, IsNil)
+	check.Assert(updatedDynamicGroup, NotNil)
+	check.Assert(updatedDynamicGroup.NsxtFirewallGroup, DeepEquals, createdDynamicGroup.NsxtFirewallGroup)
+
+	check.Assert(updatedDynamicGroup, DeepEquals, createdDynamicGroup)
+
+	// Remove
+	err = updatedDynamicGroup.Delete()
+	check.Assert(err, IsNil)
+}
@@ -8,10 +8,10 @@ import (
 	. "gopkg.in/check.v1"
 )
 
-// Test_NsxtSecurityGroup tests out CRUD of NSX-T Security Group
+// Test_NsxtSecurityGroup tests out CRUD of Static NSX-T Security Group
 //
 // Note. Security Group is one type of Firewall Group
-func (vcd *TestVCD) Test_NsxtSecurityGroup(check *C) {
+func (vcd *TestVCD) Test_NsxtStaticSecurityGroup(check *C) {
 	skipNoNsxtConfiguration(vcd, check)
 	skipOpenApiEndpointTest(vcd, check, types.OpenApiPathVersion1_0_0+types.OpenApiEndpointFirewallGroups)
 

@@ -28,12 +28,14 @@ var endpointMinApiVersions = map[string]string{
 	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointImportableTier0Routers:              "32.0",
 	// OpenApiEndpointExternalNetworks endpoint support was introduced with version 32.0 however it was still not stable
 	// enough to be used. (i.e. it did not support update "PUT")
-	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointExternalNetworks:                   "33.0",
-	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointVdcComputePolicies:                 "32.0",
-	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointVdcAssignedComputePolicies:         "33.0",
-	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointSessionCurrent:                     "34.0",
-	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointEdgeClusters:                       "34.0", // VCD 10.1+
-	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointEdgeGateways:                       "34.0",
+	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointExternalNetworks:           "33.0",
+	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointVdcComputePolicies:         "32.0",
+	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointVdcAssignedComputePolicies: "33.0",
+	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointSessionCurrent:             "34.0",
+	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointEdgeClusters:               "34.0", // VCD 10.1+
+	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointEdgeGateways:               "34.0",
+
+	// Static security groups and IP sets in VCD 10.2, Dynamic security groups in VCD 10.3+
 	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups:                     "34.0",
 	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointNsxtNatRules:                       "34.0",
 	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointNsxtFirewallRules:                  "34.0",
@@ -94,6 +96,10 @@ var endpointElevatedApiVersions = map[string][]string{
 		//"32.0", // Basic minimum required version
 		"36.1", // Adds support for dnsServers
 	},
+	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups: {
+		//"34.0", // Basic minimum required version
+		"36.0", // Adds support for Dynamic Security Groups by deprecating `Type` field in favor of `TypeValue`
+	},
 }
 
 // checkOpenApiEndpointCompatibility checks if VCD version (to which the client is connected) is sufficient to work with

@@ -434,12 +434,16 @@ const (
 )
 
 const (
-	// FirewallGroupTypeSecurityGroup can be used in types.NsxtFirewallGroup for 'type' field to
-	// create Security Group
+	// FirewallGroupTypeSecurityGroup can be used in types.NsxtFirewallGroup for 'TypeValue' field
+	// to create Security Group
 	FirewallGroupTypeSecurityGroup = "SECURITY_GROUP"
-	// FirewallGroupTypeIpSet can be used in types.NsxtFirewallGroup for 'type' field to create IP
-	// Set
+	// FirewallGroupTypeIpSet can be used in types.NsxtFirewallGroup for 'TypeValue' field to create
+	// IP Set
 	FirewallGroupTypeIpSet = "IP_SET"
+
+	// FirewallGroupTypeVmCriteria can be used in types.NsxtFirewallGroup for 'TypeValue' field to
+	// create Dynamic Security Group (VCD 10.3+)
+	FirewallGroupTypeVmCriteria = "VM_CRITERIA"
 )
 
 // These constants can be used to pick type of NSX-T NAT Rule

@@ -255,7 +255,7 @@ type OpenApiOrgVdcNetworkDhcpPools struct {
 type NsxtFirewallGroup struct {
 	// ID contains Firewall Group ID (URN format)
 	// e.g. urn:vcloud:firewallGroup:d7f4e0b4-b83f-4a07-9f22-d242c9c0987a
-	ID string `json:"id"`
+	ID string `json:"id,omitempty"`
 	// Name of Firewall Group. Name are unique per 'Type'. There cannot be two SECURITY_GROUP or two
 	// IP_SET objects with the same name, but there can be one object of Type SECURITY_GROUP and one
 	// of Type IP_SET named the same.
@@ -276,6 +276,13 @@ type NsxtFirewallGroup struct {
 	// groups )
 	Members []OpenApiReference `json:"members,omitempty"`
 
+	// VmCriteria (VCD 10.3+) defines list of dynamic criteria that determines whether a VM belongs
+	// to a dynamic firewall group. A VM needs to meet at least one criteria to belong to the
+	// firewall group. In other words, the logical AND is used for rules within a single criteria
+	// and the logical OR is used in between each criteria. This is only applicable for Dynamic
+	// Security Groups (VM_CRITERIA Firewall Groups).
+	VmCriteria []NsxtFirewallGroupVmCriteria `json:"vmCriteria,omitempty"`
+
 	// OwnerRef replaces EdgeGatewayRef in API V35.0+ and can accept both - NSX-T Edge Gateway or a
 	// VDC group ID
 	// Sample VDC Group URN - urn:vcloud:vdcGroup:89a53000-ef41-474d-80dc-82431ff8a020
@@ -289,8 +296,29 @@ type NsxtFirewallGroup struct {
 	// value is only populated in this field (not OwnerRef)
 	EdgeGatewayRef *OpenApiReference `json:"edgeGatewayRef,omitempty"`
 
-	// Type is either SECURITY_GROUP or IP_SET
-	Type string `json:"type"`
+	// Type is deprecated starting with API 36.0 (VCD 10.3+)
+	Type string `json:"type,omitempty"`
+
+	// TypeValue replaces Type starting with API 36.0 (VCD 10.3+) and can be one of:
+	// SECURITY_GROUP, IP_SET, VM_CRITERIA(VCD 10.3+ only)
+	// Constants `types.FirewallGroupTypeSecurityGroup`, `types.FirewallGroupTypeIpSet`,
+	// `types.FirewallGroupTypeVmCriteria` can be used to set the value.
+	TypeValue string `json:"typeValue,omitempty"`
+}
+
+// NsxtFirewallGroupVmCriteria defines list of rules where criteria represents boolean OR for
+// matching There can be up to 3 criteria
+type NsxtFirewallGroupVmCriteria struct {
+	// VmCriteria is a list of rules where each rule represents boolean AND for matching VMs
+	VmCriteriaRule []NsxtFirewallGroupVmCriteriaRule `json:"rules,omitempty"`
+}
+
+// NsxtFirewallGroupVmCriteriaRule defines a single rule for matching VM
+// There can be up to 4 rules in a single criteria
+type NsxtFirewallGroupVmCriteriaRule struct {
+	AttributeType  string `json:"attributeType,omitempty"`
+	AttributeValue string `json:"attributeValue,omitempty"`
+	Operator       string `json:"operator,omitempty"`
 }
 
 // NsxtFirewallGroupMemberVms is a structure to read NsxtFirewallGroup associated VMs when its type