Add support for Dynamic Security Groups #487

merged 3 commits into from
Jul 27, 2022
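--- a/.changes/v2.16.0/487-features.md
+++ b/.changes/v2.16.0/487-features.md
@@ -0,0 +1,4 @@
+* Add support for Dynamic Security Groups in VCD 10.3 by expanding `types.NsxtFirewallGroup` to
+accommodate fields required for dynamic security groups, implemented automatic API elevation to
+v36.0. Added New functions `VdcGroup.CreateNsxtFirewallGroup`,
+`NsxtFirewallGroup.IsDynamicSecurityGroup` [GH-487]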
16 changes: 9 additions & 7 deletions govcd/api_vcd_test.go
@@ -165,13 +165,15 @@ type TestConfig struct {
ExternalNetworkPortGroupType string `yaml:"externalNetworkPortGroupType,omitempty"`
VimServer string `yaml:"vimServer,omitempty"`
Nsxt struct {
Manager string `yaml:"manager"`
Tier0router string `yaml:"tier0router"`
Tier0routerVrf string `yaml:"tier0routerVrf"`
Vdc string `yaml:"vdc"`
ExternalNetwork string `yaml:"externalNetwork"`
EdgeGateway string `yaml:"edgeGateway"`
NsxtImportSegment string `yaml:"nsxtImportSegment"`
Manager string `yaml:"manager"`
Tier0router string `yaml:"tier0router"`
Tier0routerVrf string `yaml:"tier0routerVrf"`
Vdc string `yaml:"vdc"`
ExternalNetwork string `yaml:"externalNetwork"`
EdgeGateway string `yaml:"edgeGateway"`
NsxtImportSegment string `yaml:"nsxtImportSegment"`
VdcGroup string `yaml:"vdcGroup"`
VdcGroupEdgeGateway string `yaml:"vdcGroupEdgeGateway"`

NsxtAlbControllerUrl string `yaml:"nsxtAlbControllerUrl"`
NsxtAlbControllerUser string `yaml:"nsxtAlbControllerUser"`
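Review bot: `VdcGroupEdgeGateway` is added to the Nsxt test config, but the new dynamic security group test in this PR only reads `Nsxt.VdcGroup` (the edge gateway appears there only as a commented-out placeholder), so the key looks unused in this change; if nothing else consumes it, it is dead config. The sample configuration file that documents these yaml keys is not part of this diff; if one exists it should gain both keys. A short comment on each new field stating what it must name would help whoever fills in the config, e.g. `VdcGroup string `+"`yaml:\"vdcGroup\"`"+` // name of an existing NSX-T VDC Group used by VDC-group scoped tests`. The TestConfig struct starts and ends outside this hunk.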
73 changes: 52 additions & 21 deletions govcd/nsxt_firewall_group.go
@@ -36,6 +36,11 @@ func (egw *NsxtEdgeGateway) CreateNsxtFirewallGroup(firewallGroupConfig *types.N
return createNsxtFirewallGroup(egw.client, firewallGroupConfig)
}

// CreateNsxtFirewallGroup allows users to create NSX-T Firewall Group
func (vdcGroup *VdcGroup) CreateNsxtFirewallGroup(firewallGroupConfig *types.NsxtFirewallGroup) (*NsxtFirewallGroup, error) {
return createNsxtFirewallGroup(vdcGroup.client, firewallGroupConfig)
}

// GetAllNsxtFirewallGroups allows users to retrieve all Firewall Groups for Org
// firewallGroupType can be one of the following:
// * types.FirewallGroupTypeSecurityGroup - for NSX-T Security Groups
@@ -57,8 +62,9 @@ func (egw *NsxtEdgeGateway) CreateNsxtFirewallGroup(firewallGroupConfig *types.N
// 'networkProviderId' is NSX-T manager ID
func (org *Org) GetAllNsxtFirewallGroups(queryParameters url.Values, firewallGroupType string) ([]*NsxtFirewallGroup, error) {
queryParams := copyOrNewUrlValues(queryParameters)
filteringTypeFieldName := getFirewallGroupTypeFilterFieldName(org.client)
if firewallGroupType != "" {
queryParams = queryParameterFilterAnd("type=="+firewallGroupType, queryParams)
queryParams = queryParameterFilterAnd(fmt.Sprintf("%s==%s", filteringTypeFieldName, firewallGroupType), queryParameters)
}

return getAllNsxtFirewallGroups(org.client, queryParams)
@@ -80,8 +86,9 @@ func (vdc *Vdc) GetAllNsxtFirewallGroups(queryParameters url.Values, firewallGro
func (egw *NsxtEdgeGateway) GetAllNsxtFirewallGroups(queryParameters url.Values, firewallGroupType string) ([]*NsxtFirewallGroup, error) {
queryParams := copyOrNewUrlValues(queryParameters)

filteringTypeFieldName := getFirewallGroupTypeFilterFieldName(egw.client)
if firewallGroupType != "" {
queryParams = queryParameterFilterAnd("type=="+firewallGroupType, queryParams)
queryParams = queryParameterFilterAnd(fmt.Sprintf("%s==%s", filteringTypeFieldName, firewallGroupType), queryParameters)
}

// Automatically inject Edge Gateway filter because this is an Edge Gateway scoped query
@@ -100,8 +107,9 @@ func (egw *NsxtEdgeGateway) GetAllNsxtFirewallGroups(queryParameters url.Values,
// of the same type cannot exist) and firewallGroupType is left empty.
func (org *Org) GetNsxtFirewallGroupByName(name, firewallGroupType string) (*NsxtFirewallGroup, error) {
queryParameters := url.Values{}
filteringTypeFieldName := getFirewallGroupTypeFilterFieldName(org.client)
if firewallGroupType != "" {
queryParameters = queryParameterFilterAnd("type=="+firewallGroupType, queryParameters)
queryParameters = queryParameterFilterAnd(fmt.Sprintf("%s==%s", filteringTypeFieldName, firewallGroupType), queryParameters)
}

return getNsxtFirewallGroupByName(org.client, name, queryParameters)
@@ -118,15 +126,17 @@ func (org *Org) GetNsxtFirewallGroupByName(name, firewallGroupType string) (*Nsx
func (vdc *Vdc) GetNsxtFirewallGroupByName(name, firewallGroupType string) (*NsxtFirewallGroup, error) {

queryParameters := url.Values{}
filteringTypeFieldName := getFirewallGroupTypeFilterFieldName(vdc.client)
if firewallGroupType != "" {
queryParameters = queryParameterFilterAnd("type=="+firewallGroupType, queryParameters)
queryParameters = queryParameterFilterAnd(fmt.Sprintf("%s==%s", filteringTypeFieldName, firewallGroupType), queryParameters)
}
return getNsxtFirewallGroupByName(vdc.client, name, queryParameters)
}

// GetNsxtFirewallGroupByName allows users to retrieve Firewall Group by Name in a particular VDC Group
// firewallGroupType can be one of the following:
// * types.FirewallGroupTypeSecurityGroup - for NSX-T Security Groups
// * types.FirewallGroupTypeSecurityGroup - for NSX-T Static Security Groups
// * types.FirewallGroupTypeVmCriteria - for NSX-T Dynamic Security Groups
// * types.FirewallGroupTypeIpSet - for NSX-T IP Sets
// * "" (empty) - search will not be limited and will get both - IP Sets and Security Groups
//
@@ -135,8 +145,9 @@ func (vdc *Vdc) GetNsxtFirewallGroupByName(name, firewallGroupType string) (*Nsx
func (vdcGroup *VdcGroup) GetNsxtFirewallGroupByName(name string, firewallGroupType string) (*NsxtFirewallGroup, error) {
queryParameters := url.Values{}

filteringTypeFieldName := getFirewallGroupTypeFilterFieldName(vdcGroup.client)
if firewallGroupType != "" {
queryParameters = queryParameterFilterAnd("type=="+firewallGroupType, queryParameters)
queryParameters = queryParameterFilterAnd(fmt.Sprintf("%s==%s", filteringTypeFieldName, firewallGroupType), queryParameters)
}

// Automatically inject Edge Gateway filter because this is an Edge Gateway scoped query
@@ -156,8 +167,9 @@ func (vdcGroup *VdcGroup) GetNsxtFirewallGroupByName(name string, firewallGroupT
func (egw *NsxtEdgeGateway) GetNsxtFirewallGroupByName(name string, firewallGroupType string) (*NsxtFirewallGroup, error) {
queryParameters := url.Values{}

filteringTypeFieldName := getFirewallGroupTypeFilterFieldName(egw.client)
if firewallGroupType != "" {
queryParameters = queryParameterFilterAnd("type=="+firewallGroupType, queryParameters)
queryParameters = queryParameterFilterAnd(fmt.Sprintf("%s==%s", filteringTypeFieldName, firewallGroupType), queryParameters)
}

// Automatically inject Edge Gateway filter because this is an Edge Gateway scoped query
@@ -189,7 +201,7 @@ func (vdcGroup *VdcGroup) GetNsxtFirewallGroupById(id string) (*NsxtFirewallGrou
// Update allows users to update NSX-T Firewall Group
func (firewallGroup *NsxtFirewallGroup) Update(firewallGroupConfig *types.NsxtFirewallGroup) (*NsxtFirewallGroup, error) {
endpoint := types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups
minimumApiVersion, err := firewallGroup.client.checkOpenApiEndpointCompatibility(endpoint)
apiVersion, err := firewallGroup.client.getOpenApiHighestElevatedVersion(endpoint)
if err != nil {
return nil, err
}
@@ -208,7 +220,7 @@ func (firewallGroup *NsxtFirewallGroup) Update(firewallGroupConfig *types.NsxtFi
client: firewallGroup.client,
}

err = firewallGroup.client.OpenApiPutItem(minimumApiVersion, urlRef, nil, firewallGroupConfig, returnObject.NsxtFirewallGroup, nil)
err = firewallGroup.client.OpenApiPutItem(apiVersion, urlRef, nil, firewallGroupConfig, returnObject.NsxtFirewallGroup, nil)
if err != nil {
return nil, fmt.Errorf("error updating NSX-T firewall group: %s", err)
}
@@ -219,7 +231,7 @@ func (firewallGroup *NsxtFirewallGroup) Update(firewallGroupConfig *types.NsxtFi
// Delete allows users to delete NSX-T Firewall Group
func (firewallGroup *NsxtFirewallGroup) Delete() error {
endpoint := types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups
minimumApiVersion, err := firewallGroup.client.checkOpenApiEndpointCompatibility(endpoint)
apiVersion, err := firewallGroup.client.getOpenApiHighestElevatedVersion(endpoint)
if err != nil {
return err
}
@@ -233,7 +245,7 @@ func (firewallGroup *NsxtFirewallGroup) Delete() error {
return err
}

err = firewallGroup.client.OpenApiDeleteItem(minimumApiVersion, urlRef, nil, nil)
err = firewallGroup.client.OpenApiDeleteItem(apiVersion, urlRef, nil, nil)

if err != nil {
return fmt.Errorf("error deleting NSX-T Firewall Group: %s", err)
@@ -248,7 +260,7 @@ func (firewallGroup *NsxtFirewallGroup) Delete() error {
// similar to: "only Security Groups have associated VMs. This Firewall Group has type 'IP_SET'"
func (firewallGroup *NsxtFirewallGroup) GetAssociatedVms() ([]*types.NsxtFirewallGroupMemberVms, error) {
endpoint := types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups
minimumApiVersion, err := firewallGroup.client.checkOpenApiEndpointCompatibility(endpoint)
apiVersion, err := firewallGroup.client.getOpenApiHighestElevatedVersion(endpoint)
if err != nil {
return nil, err
}
@@ -257,7 +269,7 @@ func (firewallGroup *NsxtFirewallGroup) GetAssociatedVms() ([]*types.NsxtFirewal
return nil, fmt.Errorf("cannot retrieve associated VMs for NSX-T Firewall Group without ID")
}

if !firewallGroup.IsSecurityGroup() {
if !firewallGroup.IsSecurityGroup() && !firewallGroup.IsDynamicSecurityGroup() {
return nil, fmt.Errorf("only Security Groups have associated VMs. This Firewall Group has type '%s'",
firewallGroup.NsxtFirewallGroup.Type)
}
@@ -269,7 +281,7 @@ func (firewallGroup *NsxtFirewallGroup) GetAssociatedVms() ([]*types.NsxtFirewal

associatedVms := []*types.NsxtFirewallGroupMemberVms{{}}

err = firewallGroup.client.OpenApiGetAllItems(minimumApiVersion, urlRef, nil, &associatedVms, nil)
err = firewallGroup.client.OpenApiGetAllItems(apiVersion, urlRef, nil, &associatedVms, nil)

if err != nil {
return nil, fmt.Errorf("error retrieving associated VMs: %s", err)
@@ -278,11 +290,16 @@ func (firewallGroup *NsxtFirewallGroup) GetAssociatedVms() ([]*types.NsxtFirewal
return associatedVms, nil
}

// IsSecurityGroup allows users to check if Firewall Group is a Security Group
// IsSecurityGroup allows users to check if Firewall Group is a Static Security Group
func (firewallGroup *NsxtFirewallGroup) IsSecurityGroup() bool {
return firewallGroup.NsxtFirewallGroup.Type == types.FirewallGroupTypeSecurityGroup
}

// IsDynamicSecurityGroup allows users to check if Firewall Group is a Dynamic Security Group
func (firewallGroup *NsxtFirewallGroup) IsDynamicSecurityGroup() bool {
return firewallGroup.NsxtFirewallGroup.TypeValue == types.FirewallGroupTypeVmCriteria
}

// IsIpSet allows users to check if Firewall Group is an IP Set
func (firewallGroup *NsxtFirewallGroup) IsIpSet() bool {
return firewallGroup.NsxtFirewallGroup.Type == types.FirewallGroupTypeIpSet
@@ -317,7 +334,7 @@ func getNsxtFirewallGroupByName(client *Client, name string, queryParameters url

func getNsxtFirewallGroupById(client *Client, id string) (*NsxtFirewallGroup, error) {
endpoint := types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups
minimumApiVersion, err := client.checkOpenApiEndpointCompatibility(endpoint)
apiVersion, err := client.getOpenApiHighestElevatedVersion(endpoint)
if err != nil {
return nil, err
}
@@ -336,7 +353,7 @@ func getNsxtFirewallGroupById(client *Client, id string) (*NsxtFirewallGroup, er
client: client,
}

err = client.OpenApiGetItem(minimumApiVersion, urlRef, nil, fwGroup.NsxtFirewallGroup, nil)
err = client.OpenApiGetItem(apiVersion, urlRef, nil, fwGroup.NsxtFirewallGroup, nil)
if err != nil {
return nil, err
}
@@ -346,7 +363,7 @@ func getNsxtFirewallGroupById(client *Client, id string) (*NsxtFirewallGroup, er

func getAllNsxtFirewallGroups(client *Client, queryParameters url.Values) ([]*NsxtFirewallGroup, error) {
endpoint := types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups
minimumApiVersion, err := client.checkOpenApiEndpointCompatibility(endpoint)
apiVersion, err := client.getOpenApiHighestElevatedVersion(endpoint)
if err != nil {
return nil, err
}
@@ -359,7 +376,7 @@ func getAllNsxtFirewallGroups(client *Client, queryParameters url.Values) ([]*Ns
}

typeResponses := []*types.NsxtFirewallGroup{{}}
err = client.OpenApiGetAllItems(minimumApiVersion, urlRef, queryParameters, &typeResponses, nil)
err = client.OpenApiGetAllItems(apiVersion, urlRef, queryParameters, &typeResponses, nil)
if err != nil {
return nil, err
}
@@ -378,7 +395,7 @@ func getAllNsxtFirewallGroups(client *Client, queryParameters url.Values) ([]*Ns

func createNsxtFirewallGroup(client *Client, firewallGroupConfig *types.NsxtFirewallGroup) (*NsxtFirewallGroup, error) {
endpoint := types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups
minimumApiVersion, err := client.checkOpenApiEndpointCompatibility(endpoint)
apiVersion, err := client.getOpenApiHighestElevatedVersion(endpoint)
if err != nil {
return nil, err
}
@@ -393,10 +410,24 @@ func createNsxtFirewallGroup(client *Client, firewallGroupConfig *types.NsxtFire
client: client,
}

err = client.OpenApiPostItem(minimumApiVersion, urlRef, nil, firewallGroupConfig, returnObject.NsxtFirewallGroup, nil)
err = client.OpenApiPostItem(apiVersion, urlRef, nil, firewallGroupConfig, returnObject.NsxtFirewallGroup, nil)
if err != nil {
return nil, fmt.Errorf("error creating NSX-T Firewall Group: %s", err)
}

return returnObject, nil
}

// getFirewallGroupTypeFilterFieldName is a helper that returns the field name to use for filtering
// TODO - remove this function when VCD 10.2 is no longer supported
// by type.
// For VCD < 10.3.0, the type field is called "type" and for VCD >= 10.3.0, the type field is called
// "typeValue".
func getFirewallGroupTypeFilterFieldName(client *Client) string {
// Starting with API 36.0 new field 'typeValue' was introduced instead of deprecated `type` field.
filteringTypeFieldName := "typeValue"
if client.APIVCDMaxVersionIs(" < 36.0") {
filteringTypeFieldName = "type"
}
return filteringTypeFieldName
}
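Review bot: The rewritten filter lines in Org.GetAllNsxtFirewallGroups and NsxtEdgeGateway.GetAllNsxtFirewallGroups pass the caller's `queryParameters` into queryParameterFilterAnd instead of the `queryParams` copy produced by copyOrNewUrlValues two lines earlier, so the defensive copy is discarded; depending on how queryParameterFilterAnd is implemented, this can mutate the caller's url.Values or touch a nil map when the caller passed nil. Both lines should read `queryParams = queryParameterFilterAnd(fmt.Sprintf("%s==%s", filteringTypeFieldName, firewallGroupType), queryParams)`; the four GetNsxtFirewallGroupByName variants are fine because their local is itself named queryParameters. Separately, getFirewallGroupTypeFilterFieldName calls `client.APIVCDMaxVersionIs(" < 36.0")` with a leading space whereas the new test uses `"< 36.0"`; unless the helper trims its argument the two may not compare the same way, so the literal should match the form used elsewhere. The `// TODO - remove this function ...` line is inserted mid-sentence in that function's doc comment ("...to use for filtering" / "by type."); move it after the sentence so the comment reads as prose.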
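--- a/govcd/nsxt_firewall_group_dynamic_security_group_test.go
+++ b/govcd/nsxt_firewall_group_dynamic_security_group_test.go
@@ -0,0 +1,103 @@
+//go:build network || nsxt || functional || openapi || ALL
+// +build network nsxt functional openapi ALL
+
+package govcd
+
+import (
+"github.com/vmware/go-vcloud-director/v2/types/v56"
+. "gopkg.in/check.v1"
+)
+
+// Test_NsxtDynamicSecurityGroup tests out CRUD of Dynamic NSX-T Security Group
+//
+// Note. Dynamic Security Group is one type of Firewall Group. Other types are IP-Set and Static
+// Security Group.
+func (vcd *TestVCD) Test_NsxtDynamicSecurityGroup(check *C) {
+skipNoNsxtConfiguration(vcd, check)
+skipOpenApiEndpointTest(vcd, check, types.OpenApiPathVersion1_0_0+types.OpenApiEndpointFirewallGroups)
+
+if vcd.client.Client.APIVCDMaxVersionIs("< 36.0") {
+check.Skip("Dynamic security groups require VCD 10.3+")
+}
+
+adminOrg, err := vcd.client.GetAdminOrgByName(vcd.config.VCD.Org)
+check.Assert(err, IsNil)
+
+vdcGroup, err := adminOrg.GetVdcGroupByName(vcd.config.VCD.Nsxt.VdcGroup)
+check.Assert(err, IsNil)
+
+// vdcGroupEdgeGateway.
+
+dynamicSecGroupDefinition := &types.NsxtFirewallGroup{
+Name: check.TestName(),
+Description: check.TestName() + "-Description",
+TypeValue: types.FirewallGroupTypeVmCriteria,
+OwnerRef: &types.OpenApiReference{ID: vdcGroup.VdcGroup.Id},
+VmCriteria: []types.NsxtFirewallGroupVmCriteria{
+{
+[]types.NsxtFirewallGroupVmCriteriaRule{
+{
+AttributeType: "VM_TAG",
+Operator: "EQUALS",
+AttributeValue: "string",
+}, // Boolean AND
+{
+AttributeType: "VM_TAG",
+Operator: "CONTAINS",
+AttributeValue: "substring",
+}, // Boolean AND
+{
+AttributeType: "VM_TAG",
+Operator: "STARTS_WITH",
+AttributeValue: "substring",
+}, // Boolean AND
+{
+AttributeType: "VM_TAG",
+Operator: "ENDS_WITH",
+AttributeValue: "substring",
+}, // Boolean AND
+},
+}, // Boolean OR
+{
+[]types.NsxtFirewallGroupVmCriteriaRule{
+{
+AttributeType: "VM_NAME",
+Operator: "CONTAINS",
+AttributeValue: "substring",
+}, // Boolean AND
+{
+AttributeType: "VM_NAME",
+Operator: "STARTS_WITH",
+AttributeValue: "substring",
+}, // Boolean AND
+},
+},
+},
+}
+
+createdDynamicGroup, err := vdcGroup.CreateNsxtFirewallGroup(dynamicSecGroupDefinition)
+check.Assert(err, IsNil)
+check.Assert(createdDynamicGroup, NotNil)
+
+openApiEndpoint := types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups + createdDynamicGroup.NsxtFirewallGroup.ID
+AddToCleanupListOpenApi(createdDynamicGroup.NsxtFirewallGroup.Name, check.TestName(), openApiEndpoint)
+
+check.Assert(createdDynamicGroup.NsxtFirewallGroup.ID, Not(Equals), "")
+check.Assert(createdDynamicGroup.NsxtFirewallGroup.OwnerRef.Name, Equals, vcd.config.VCD.Nsxt.VdcGroup)
+check.Assert(createdDynamicGroup.NsxtFirewallGroup.TypeValue, Equals, types.FirewallGroupTypeVmCriteria)
+
+// Update
+createdDynamicGroup.NsxtFirewallGroup.Description = "updated-description"
+createdDynamicGroup.NsxtFirewallGroup.Name = check.TestName() + "-updated"
+
+updatedDynamicGroup, err := createdDynamicGroup.Update(createdDynamicGroup.NsxtFirewallGroup)
+check.Assert(err, IsNil)
+check.Assert(updatedDynamicGroup, NotNil)
+check.Assert(updatedDynamicGroup.NsxtFirewallGroup, DeepEquals, createdDynamicGroup.NsxtFirewallGroup)
+
+check.Assert(updatedDynamicGroup, DeepEquals, createdDynamicGroup)
+
+// Remove
+err = updatedDynamicGroup.Delete()
+check.Assert(err, IsNil)
+}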
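Review bot: The new test never exercises `IsDynamicSecurityGroup` or the relaxed guard in `GetAssociatedVms`, which are the behavioural additions this PR makes to nsxt_firewall_group.go; adding `check.Assert(createdDynamicGroup.IsDynamicSecurityGroup(), Equals, true)` after the TypeValue assertion, plus a `GetAssociatedVms()` call asserting no error, would cover them. The two `[]types.NsxtFirewallGroupVmCriteriaRule{` literals inside VmCriteria are unkeyed composite literals of an imported struct type, which `go vet` reports; write them as `{VmCriteriaRule: []types.NsxtFirewallGroupVmCriteriaRule{`. The dangling `// vdcGroupEdgeGateway.` comment reads as a leftover and should be removed or turned into a real step.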
@@ -8,10 +8,10 @@ import (
. "gopkg.in/check.v1"
)

// Test_NsxtSecurityGroup tests out CRUD of NSX-T Security Group
// Test_NsxtSecurityGroup tests out CRUD of Static NSX-T Security Group
//
// Note. Security Group is one type of Firewall Group
func (vcd *TestVCD) Test_NsxtSecurityGroup(check *C) {
func (vcd *TestVCD) Test_NsxtStaticSecurityGroup(check *C) {
skipNoNsxtConfiguration(vcd, check)
skipOpenApiEndpointTest(vcd, check, types.OpenApiPathVersion1_0_0+types.OpenApiEndpointFirewallGroups)

18 changes: 12 additions & 6 deletions govcd/openapi_endpoints.go
@@ -28,12 +28,14 @@ var endpointMinApiVersions = map[string]string{
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointImportableTier0Routers: "32.0",
// OpenApiEndpointExternalNetworks endpoint support was introduced with version 32.0 however it was still not stable
// enough to be used. (i.e. it did not support update "PUT")
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointExternalNetworks: "33.0",
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointVdcComputePolicies: "32.0",
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointVdcAssignedComputePolicies: "33.0",
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointSessionCurrent: "34.0",
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointEdgeClusters: "34.0", // VCD 10.1+
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointEdgeGateways: "34.0",
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointExternalNetworks: "33.0",
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointVdcComputePolicies: "32.0",
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointVdcAssignedComputePolicies: "33.0",
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointSessionCurrent: "34.0",
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointEdgeClusters: "34.0", // VCD 10.1+
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointEdgeGateways: "34.0",

// Static security groups and IP sets in VCD 10.2, Dynamic security groups in VCD 10.3+
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups: "34.0",
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointNsxtNatRules: "34.0",
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointNsxtFirewallRules: "34.0",
@@ -94,6 +96,10 @@ var endpointElevatedApiVersions = map[string][]string{
//"32.0", // Basic minimum required version
"36.1", // Adds support for dnsServers
},
types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointFirewallGroups: {
//"34.0", // Basic minimum required version
"36.0", // Adds support for Dynamic Security Groups by deprecating `Type` field in favor of `TypeValue`
},
}

// checkOpenApiEndpointCompatibility checks if VCD version (to which the client is connected) is sufficient to work with
12 changes: 8 additions & 4 deletions types/v56/constants.go
@@ -434,12 +434,16 @@ const (
)

const (
// FirewallGroupTypeSecurityGroup can be used in types.NsxtFirewallGroup for 'type' field to
// create Security Group
// FirewallGroupTypeSecurityGroup can be used in types.NsxtFirewallGroup for 'TypeValue' field
// to create Security Group
FirewallGroupTypeSecurityGroup = "SECURITY_GROUP"
// FirewallGroupTypeIpSet can be used in types.NsxtFirewallGroup for 'type' field to create IP
// Set
// FirewallGroupTypeIpSet can be used in types.NsxtFirewallGroup for 'TypeValue' field to create
// IP Set
FirewallGroupTypeIpSet = "IP_SET"

// FirewallGroupTypeVmCriteria can be used in types.NsxtFirewallGroup for 'TypeValue' field to
// create Dynamic Security Group (VCD 10.3+)
FirewallGroupTypeVmCriteria = "VM_CRITERIA"
)
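Review bot: The reworded comments on FirewallGroupTypeSecurityGroup and FirewallGroupTypeIpSet now refer only to the 'TypeValue' field, but per this PR TypeValue exists only from API 36.0 (VCD 10.3+), so on VCD 10.2 these two constants must still be set in the 'Type' field. Suggest `// FirewallGroupTypeSecurityGroup can be used in types.NsxtFirewallGroup for 'TypeValue' (API 36.0+)` followed by `// or the deprecated 'Type' (API < 36.0) field to create Security Group`, and the same wording for IP Set. The const block starts outside this hunk.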

// These constants can be used to pick type of NSX-T NAT Rule
34 changes: 31 additions & 3 deletions types/v56/nsxt_types.go
@@ -255,7 +255,7 @@ type OpenApiOrgVdcNetworkDhcpPools struct {
type NsxtFirewallGroup struct {
// ID contains Firewall Group ID (URN format)
// e.g. urn:vcloud:firewallGroup:d7f4e0b4-b83f-4a07-9f22-d242c9c0987a
ID string `json:"id"`
ID string `json:"id,omitempty"`
// Name of Firewall Group. Name are unique per 'Type'. There cannot be two SECURITY_GROUP or two
// IP_SET objects with the same name, but there can be one object of Type SECURITY_GROUP and one
// of Type IP_SET named the same.
@@ -276,6 +276,13 @@ type NsxtFirewallGroup struct {
// groups )
Members []OpenApiReference `json:"members,omitempty"`

// VmCriteria (VCD 10.3+) defines list of dynamic criteria that determines whether a VM belongs
// to a dynamic firewall group. A VM needs to meet at least one criteria to belong to the
// firewall group. In other words, the logical AND is used for rules within a single criteria
// and the logical OR is used in between each criteria. This is only applicable for Dynamic
// Security Groups (VM_CRITERIA Firewall Groups).
VmCriteria []NsxtFirewallGroupVmCriteria `json:"vmCriteria,omitempty"`

// OwnerRef replaces EdgeGatewayRef in API V35.0+ and can accept both - NSX-T Edge Gateway or a
// VDC group ID
// Sample VDC Group URN - urn:vcloud:vdcGroup:89a53000-ef41-474d-80dc-82431ff8a020
@@ -289,8 +296,29 @@ type NsxtFirewallGroup struct {
// value is only populated in this field (not OwnerRef)
EdgeGatewayRef *OpenApiReference `json:"edgeGatewayRef,omitempty"`

// Type is either SECURITY_GROUP or IP_SET
Type string `json:"type"`
// Type is deprecated starting with API 36.0 (VCD 10.3+)
Type string `json:"type,omitempty"`

// TypeValue replaces Type starting with API 36.0 (VCD 10.3+) and can be one of:
// SECURITY_GROUP, IP_SET, VM_CRITERIA(VCD 10.3+ only)
// Constants `types.FirewallGroupTypeSecurityGroup`, `types.FirewallGroupTypeIpSet`,
// `types.FirewallGroupTypeVmCriteria` can be used to set the value.
TypeValue string `json:"typeValue,omitempty"`
}

// NsxtFirewallGroupVmCriteria defines list of rules where criteria represents boolean OR for
// matching There can be up to 3 criteria
type NsxtFirewallGroupVmCriteria struct {
// VmCriteria is a list of rules where each rule represents boolean AND for matching VMs
VmCriteriaRule []NsxtFirewallGroupVmCriteriaRule `json:"rules,omitempty"`
}

// NsxtFirewallGroupVmCriteriaRule defines a single rule for matching VM
// There can be up to 4 rules in a single criteria
type NsxtFirewallGroupVmCriteriaRule struct {
AttributeType string `json:"attributeType,omitempty"`
AttributeValue string `json:"attributeValue,omitempty"`
Operator string `json:"operator,omitempty"`
}
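Review bot: The slice field `VmCriteriaRule` in the new NsxtFirewallGroupVmCriteria struct is singular and does not match its wire name `rules`; since the type is introduced by this PR, renaming it to `Rules` now (keeping the existing `json:"rules,omitempty"` tag) avoids a breaking rename later, and the doc comment above it should say "Rules" too. The doc comment on NsxtFirewallGroupVmCriteria runs two sentences together (`matching There can be up to 3 criteria`) and needs a period. NsxtFirewallGroupVmCriteriaRule documents no accepted values for AttributeType and Operator, while the test in this PR uses VM_TAG/VM_NAME and EQUALS/CONTAINS/STARTS_WITH/ENDS_WITH; a field comment listing the values observed to work, marked as such, would save callers a round trip to the API docs. The NsxtFirewallGroup struct itself starts outside this hunk.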

// NsxtFirewallGroupMemberVms is a structure to read NsxtFirewallGroup associated VMs when its type