diff --git a/.changes/v2.22.0/628-improvements.md b/.changes/v2.22.0/628-improvements.md
new file mode 100644
index 000000000..d1158b7a7
--- /dev/null
+++ b/.changes/v2.22.0/628-improvements.md
@@ -0,0 +1,2 @@
+* `types.IpSpace` support Firewall and NAT rule autocreation configuration using
+  `types.DefaultGatewayServiceConfig` on VCD 10.5.0+ [GH-628]
diff --git a/govcd/ip_space_test.go b/govcd/ip_space_test.go
index 8b4738311..a2c536351 100644
--- a/govcd/ip_space_test.go
+++ b/govcd/ip_space_test.go
@@ -112,7 +112,6 @@ func (vcd *TestVCD) Test_IpSpaceShared(check *C) {
 		},
 	}
 	ipSpaceChecks(vcd, check, ipSpaceConfig)
-
 }
 
 func (vcd *TestVCD) Test_IpSpacePrivate(check *C) {
@@ -217,6 +216,20 @@ func ipSpaceChecks(vcd *TestVCD, check *C, ipSpaceConfig *types.IpSpace) {
 	check.Assert(updatedIpSpace, NotNil)
 	check.Assert(len(ipSpaceConfig.IPSpaceInternalScope), Equals, len(updatedIpSpace.IpSpace.IPSpaceInternalScope))
 
+	if vcd.client.Client.APIVCDMaxVersionIs(">= 38.0") {
+		fmt.Println("# Testing NAT and Firewall rule autocreation flags for VCD 10.5.0+")
+		ipSpaceConfig.Name = check.TestName() + "-GatewayServiceConfig"
+		ipSpaceConfig.DefaultGatewayServiceConfig = &types.IpSpaceDefaultGatewayServiceConfig{
+			EnableDefaultFirewallRuleCreation: true,
+			EnableDefaultNoSnatRuleCreation:   true,
+			EnableDefaultSnatRuleCreation:     true,
+		}
+
+		updatedIpSpace, err = updatedIpSpace.Update(ipSpaceConfig)
+		check.Assert(err, IsNil)
+		check.Assert(updatedIpSpace.IpSpace.DefaultGatewayServiceConfig, DeepEquals, ipSpaceConfig.DefaultGatewayServiceConfig)
+	}
+
 	err = createdIpSpace.Delete()
 	check.Assert(err, IsNil)
 
diff --git a/govcd/openapi_endpoints.go b/govcd/openapi_endpoints.go
index 241b746b3..50e9fbe83 100644
--- a/govcd/openapi_endpoints.go
+++ b/govcd/openapi_endpoints.go
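Review bot: The new `if vcd.client.Client.APIVCDMaxVersionIs(">= 38.0")` block in ipSpaceChecks exercises only the all-true combination of the three flags and never asserts the renamed `ipSpaceConfig.Name`, so a server that echoes the flags regardless of input, or ignores the rename, would still pass. Adding `check.Assert(updatedIpSpace.IpSpace.Name, Equals, ipSpaceConfig.Name)` after the existing DeepEquals, followed by a second `Update` with all three flags set to false and the same DeepEquals, would cover the clearing path — the one most likely to differ, since the three bool fields are tagged `omitempty` and a false value is never sent on the wire. ipSpaceChecks starts and ends outside the hunk.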
@@ -209,6 +209,10 @@ var endpointElevatedApiVersions = map[string][]string{
 		//"37.1", // Introduced support
 		"37.2", // Adds 'value' field
 	},
+	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointIpSpaces: {
+		//"37.1", // Introduced support
+		"38.0", // Adds 'DefaultGatewayServiceConfig' structure for firewall and NAT rule creation
+	},
 }
 
 // checkOpenApiEndpointCompatibility checks if VCD version (to which the client is connected) is sufficient to work with
diff --git a/types/v56/ip_space.go b/types/v56/ip_space.go
index a8305909c..bdd41359f 100644
--- a/types/v56/ip_space.go
+++ b/types/v56/ip_space.go
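Review bot: Registering "38.0" as the elevated version for `types.OpenApiEndpointIpSpaces` raises the API version used against VCD 10.5+, but nothing in this commit stops a caller connected to an older VCD from populating `IpSpace.DefaultGatewayServiceConfig`; the field would then be marshalled into a request made with a pre-38.0 API version, and whether the server rejects it or silently drops it is not visible here. A guard in the IP Space create/update path (outside this diff) that returns an error when the field is non-nil below 38.0 would make that failure explicit instead of leaving the caller to believe the rules were configured. The `endpointElevatedApiVersions` map starts before the hunk.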
@@ -69,10 +69,59 @@ type IpSpace struct {
 	// if the associated Provider Gateway is owned by the Organization.
 	RouteAdvertisementEnabled bool `json:"routeAdvertisementEnabled"`
 
+	// DefaultGatewayServiceConfig specifies default gateway services configurations such as NAT and
+	// Firewall rules that a user can apply on either the Provider Gateway or Edge Gateway depending
+	// on the network topology. Note that re-applying the default services on the Provider Gateway
+	// or Edge Gateway may delete/update/create services that are managed/created by VCD.
+	//
+	// Requires VCD 10.5.0+ (API v38.0+)
+	DefaultGatewayServiceConfig *IpSpaceDefaultGatewayServiceConfig `json:"defaultGatewayServiceConfig,omitempty"`
+
 	// Status is one of `PENDING`, `CONFIGURING`, `REALIZED`, `REALIZATION_FAILED`, `UNKNOWN`
 	Status string `json:"status,omitempty"`
 }
 
+// IpSpaceDefaultGatewayServiceConfig specified the default gateway services configurations such as NAT and Firewall rules
+// that a user can apply on either the Provider Gateway or Edge Gateway depending on the network
+// topology. Below is an example of the ordering of NAT rule:
+// * If IP Space's external scope maps to any network such as "0.0.0.0/0", the NO SNAT rules
+// priority is 1001 and the default SNAT rules will have priority 1000
+// * All other default SNAT rules has priority 100
+// * All other default NO SNAT rules has priority 0
+// * User-created NAT rules has default priority 50
+//
+// Requires VCD 10.5.0+ (API v38.0+)
+type IpSpaceDefaultGatewayServiceConfig struct {
+	// If true, the user can choose to later apply the default firewall rules on either the Provider
+	// Gateway or Edge Gateway. These firewall rules are created only if the corresponding
+	// associated default No SNAT and NAT rules are configured. False means that the default
+	// firewall rules will not be created.
+	// For the associated default SNAT rule, the source is ANY and the destination is the IP Space's
+	// external scope.
+	// For the associated default No SNAT rule, the source is the IP Space's internal scopes and the
+	// destination is the IP Space's external scope.
+	EnableDefaultFirewallRuleCreation bool `json:"enableDefaultFirewallRuleCreation,omitempty"`
+	// If true, the user can choose to later apply the default No SNAT rules on either the Provider
+	// Gateway or Edge Gateway.
+	// False means that the default No SNAT rule will not be created.
+	// An example of a default No NAT rule is that the source CIDR is the IP Space's internal scope
+	// and the destination CIDR is the IP Space's external scope. This allows traffic to and from
+	// the IP Space's internal and external scope to not be affected by any NAT rule. An example of
+	// such traffic is that an Organization VDC Network within IP Space's internal scope will be
+	// able to route out to the internet. This means that this configuration can allow both
+	// fully-routed topology and also NAT-routed topology.
+	EnableDefaultNoSnatRuleCreation bool `json:"enableDefaultNoSnatRuleCreation,omitempty"`
+	// If true, the user can choose to later apply the default SNAT rules on either the Provider
+	// Gateway or Edge Gateway.
+	// False means that the default SNAT rule will not be created.
+	// An example of a default NAT rule is that the source CIDR is ANY, the destination CIDR is the
+	// IP Space's external scope. This allows all traffic such as from a private network to be able
+	// to access the external destination IPs specified by the IP Space's external scope such as the
+	// internet. Note that the translated external IP will be allocated from this IP Space if there
+	// are no free ones to be used for the SNAT rules.
+	EnableDefaultSnatRuleCreation bool `json:"enableDefaultSnatRuleCreation,omitempty"`
+}
+
 type FloatingIPs struct {
 	// TotalCount holds the number of IP addresses or IP Prefixes defined by the IP Space. If user
 	// does not own this IP Space, this is the quota that the user's organization is granted. A '-1'
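Review bot: The three bool fields of `IpSpaceDefaultGatewayServiceConfig` carry `omitempty`, so a caller that sets a flag back to false produces a request in which the key is absent rather than `false`; whether VCD then treats the flag as disabled or as unchanged is not shown here, and on the read side a missing key and an explicit false are indistinguishable, which matters for a setting that decides whether a source-ANY SNAT rule and its firewall rule get created. Dropping `,omitempty` from the three tags so they read json:"enableDefaultFirewallRuleCreation", json:"enableDefaultNoSnatRuleCreation" and json:"enableDefaultSnatRuleCreation" makes the disable path explicit, and the parent `DefaultGatewayServiceConfig` pointer already keeps the whole structure out of requests when it is unset. The type comment reads `specified the default gateway services configurations` where `specifies` is meant, and the two `rules has priority` bullets should be `rules have priority`. The parent field's warning that re-applying the defaults may delete, update or create VCD-managed services is worth repeating in this type's comment, since this is where the flags are actually set.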