vmware · annakhm · May 4, 2023 · May 2, 2023
diff --git a/nsxt/resource_nsxt_policy_group.go b/nsxt/resource_nsxt_policy_group.go
@@ -21,23 +21,50 @@ import (
 
 var conditionKeyValues = []string{
 	model.Condition_KEY_TAG,
-	model.Condition_KEY_COMPUTERNAME,
+	model.Condition_KEY_NAME,
 	model.Condition_KEY_OSNAME,
-	model.Condition_KEY_NAME}
+	model.Condition_KEY_COMPUTERNAME,
+	model.Condition_KEY_NODETYPE,
+	model.Condition_KEY_GROUPTYPE,
+	model.Condition_KEY_ALL,
+	model.Condition_KEY_IPADDRESS,
+	model.Condition_KEY_PODCIDR,
+}
+
 var conditionMemberTypeValues = []string{
 	model.Condition_MEMBER_TYPE_IPSET,
+	model.Condition_MEMBER_TYPE_VIRTUALMACHINE,
 	model.Condition_MEMBER_TYPE_LOGICALPORT,
 	model.Condition_MEMBER_TYPE_LOGICALSWITCH,
 	model.Condition_MEMBER_TYPE_SEGMENT,
 	model.Condition_MEMBER_TYPE_SEGMENTPORT,
-	model.Condition_MEMBER_TYPE_VIRTUALMACHINE,
+	model.Condition_MEMBER_TYPE_POD,
+	model.Condition_MEMBER_TYPE_SERVICE,
+	model.Condition_MEMBER_TYPE_NAMESPACE,
+	model.Condition_MEMBER_TYPE_TRANSPORTNODE,
+	model.Condition_MEMBER_TYPE_GROUP,
+	model.Condition_MEMBER_TYPE_DVPG,
+	model.Condition_MEMBER_TYPE_DVPORT,
+	model.Condition_MEMBER_TYPE_IPADDRESS,
+	model.Condition_MEMBER_TYPE_KUBERNETESCLUSTER,
+	model.Condition_MEMBER_TYPE_KUBERNETESNAMESPACE,
+	model.Condition_MEMBER_TYPE_ANTREAEGRESS,
+	model.Condition_MEMBER_TYPE_ANTREAIPPOOL,
+	model.Condition_MEMBER_TYPE_KUBERNETESINGRESS,
+	model.Condition_MEMBER_TYPE_KUBERNETESGATEWAY,
+	model.Condition_MEMBER_TYPE_KUBERNETESSERVICE,
+	model.Condition_MEMBER_TYPE_KUBERNETESNODE,
 }
+
 var conditionOperatorValues = []string{
+	model.Condition_OPERATOR_EQUALS,
 	model.Condition_OPERATOR_CONTAINS,
+	model.Condition_OPERATOR_STARTSWITH,
 	model.Condition_OPERATOR_ENDSWITH,
-	model.Condition_OPERATOR_EQUALS,
 	model.Condition_OPERATOR_NOTEQUALS,
-	model.Condition_OPERATOR_STARTSWITH,
+	model.Condition_OPERATOR_NOTIN,
+	model.Condition_OPERATOR_MATCHES,
+	model.Condition_OPERATOR_IN,
 }
 var conjunctionOperatorValues = []string{
 	model.ConjunctionOperator_CONJUNCTION_OPERATOR_OR,
@@ -324,9 +351,6 @@ func validateNestedGroupConditions(conditions []interface{}) (string, error) {
 		if memberType != "" && condMemberType != memberType {
 			return "", fmt.Errorf("Nested conditions must all use the same member_type, but found '%v' with '%v'", condMemberType, memberType)
 		}
-		if condMemberType != model.Condition_MEMBER_TYPE_VIRTUALMACHINE && condMap["key"] != model.Condition_KEY_TAG {
-			return "", fmt.Errorf("Only Tag can be used for the key of '%v'", condMemberType)
-		}
 		memberType = condMemberType
 	}
 	return memberType, nil
@@ -933,14 +957,13 @@ func resourceNsxtPolicyGroupRead(d *schema.ResourceData, m interface{}) error {
 	if err != nil {
 		return err
 	}
+	var extendedCriteria []map[string]interface{}
 	if len(identityGroups) > 0 {
 		identityGroupsMap := make(map[string]interface{})
 		identityGroupsMap["identity_group"] = identityGroups
-
-		var extendedCriteria []map[string]interface{}
 		extendedCriteria = append(extendedCriteria, identityGroupsMap)
-		d.Set("extended_criteria", extendedCriteria)
 	}
+	d.Set("extended_criteria", extendedCriteria)
 
 	return nil
 }

diff --git a/nsxt/resource_nsxt_policy_group_test.go b/nsxt/resource_nsxt_policy_group_test.go
@@ -33,7 +33,7 @@ func TestAccResourceNsxtPolicyGroup_basicImport(t *testing.T) {
 	})
 }
 
-func TestAccResourceNsxtPolicyGroup_AddressCriteria(t *testing.T) {
+func TestAccResourceNsxtPolicyGroup_addressCriteria(t *testing.T) {
 	name := getAccTestResourceName()
 	testResourceName := "nsxt_policy_group.test"
 
@@ -83,9 +83,10 @@ func TestAccResourceNsxtPolicyGroup_AddressCriteria(t *testing.T) {
 	})
 }
 
-func TestAccResourceNsxtPolicyGroup_GroupTypeIPAddressCriteria(t *testing.T) {
+func TestAccResourceNsxtPolicyGroup_groupTypeIPAddressCriteria(t *testing.T) {
 	name := getAccTestResourceName()
 	testResourceName := "nsxt_policy_group.test"
+	testResourceName2 := "nsxt_policy_group.test-2"
 
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck: func() {
@@ -101,6 +102,7 @@ func TestAccResourceNsxtPolicyGroup_GroupTypeIPAddressCriteria(t *testing.T) {
 				Config: testAccNsxtPolicyGroupIPAddressCreateTemplate(name),
 				Check: resource.ComposeTestCheckFunc(
 					testAccNsxtPolicyGroupExists(testResourceName, defaultDomain),
+					testAccNsxtPolicyGroupExists(testResourceName2, defaultDomain),
 					resource.TestCheckResourceAttr(testResourceName, "display_name", name),
 					resource.TestCheckResourceAttr(testResourceName, "description", "Acceptance Test"),
 					resource.TestCheckResourceAttr(testResourceName, "domain", defaultDomain),
@@ -110,6 +112,8 @@ func TestAccResourceNsxtPolicyGroup_GroupTypeIPAddressCriteria(t *testing.T) {
 					resource.TestCheckResourceAttr(testResourceName, "criteria.#", "1"),
 					resource.TestCheckResourceAttr(testResourceName, "criteria.0.ipaddress_expression.#", "1"),
 					resource.TestCheckResourceAttr(testResourceName, "criteria.0.ipaddress_expression.0.ip_addresses.#", "2"),
+					resource.TestCheckResourceAttr(testResourceName2, "criteria.#", "1"),
+					resource.TestCheckResourceAttr(testResourceName2, "criteria.0.condition.#", "2"),
 				),
 			},
 			{
@@ -1421,7 +1425,25 @@ resource "nsxt_policy_group" "test" {
     tag   = "tag2"
   }
 }
-`, name)
+
+resource "nsxt_policy_group" "test-2" {
+  display_name = "%s"
+
+  criteria {
+    condition {
+      key         = "GroupType"
+      member_type = "Group"
+      operator    = "EQUALS"
+      value       = "IPAddress"
+    }
+    condition {
+      key         = "Tag"
+      member_type = "Group"
+      operator    = "EQUALS"
+      value       = "orange"
+    }
+  }
+}`, name, getAccTestResourceName())
 }
 
 func testAccNsxtPolicyGroupIPAddressUpdateTemplate(name string) string {

diff --git a/website/docs/r/policy_group.html.markdown b/website/docs/r/policy_group.html.markdown
@@ -173,9 +173,9 @@ The following arguments are supported:
       * `member_type` - (Optional) External ID member type. Must be one of: `VirtualMachine`, `VirtualNetworkInterface`, `CloudNativeServiceInstance`, or `PhysicalServer`. Defaults to `VirtualMachine`.
       * `external_ids` - (Required) List of external IDs for the specified member type.
   * `condition` (Optional) A repeatable condition block to select this Group's members. When multiple `condition` blocks are used in a single `criteria` they form a nested expression that's implicitly ANDed together and each nested condition must used the same `member_type`.
-      * `key` (Required) Specifies the attribute to query. Must be one of: `Tag`, `ComputerName`, `OSName` or `Name`. For a `member_type` other than `VirtualMachine`, only the `Tag` key is supported.
-      * `member_type` (Required) Specifies the type of resource to query. Must be one of: `IPSet`, `LogicalPort`, `LogicalSwitch`, `Segment`, `SegmentPort` or `VirtualMachine`.
-      * `operator` (Required) Specifies the query operator to use. Must be one of: `CONTAINS`, `ENDSWITH`, `EQUALS`, `NOTEQUALS` or `STARTSWITH`.
+      * `key` (Required) Specifies the attribute to query. Must be one of: `Tag`, `ComputerName`, `OSName`, `Name`, `NodeType`, `GroupType`, `ALL`, `IPAddress`, `PodCidr`. Please note that certain keys are only applicable to certain member types.
+      * `member_type` (Required) Specifies the type of resource to query. Must be one of: `IPSet`, `LogicalPort`, `LogicalSwitch`, `Segment`, `SegmentPort`, `VirtualMachine`, `Group`, `DVPG`, `DVPort`, `IPAddress`, `TransportNode`, `Pod`. `Service`, `Namespace`, `KubernetesCluster`, `KubernetesNamespace`, `KubernetesIngress`, `KubernetesService`, `KubernetesNode`, `AntreaEgress`, `AntreaIPPool`. Not that certain member types are only applicable to certain environments.
+      * `operator` (Required) Specifies the query operator to use. Must be one of: `CONTAINS`, `ENDSWITH`, `EQUALS`, `NOTEQUALS`, `STARTSWITH`, `IN`, `NOTIN`, `MATCHES`. Not that certain operators are only applicable to certain keys/member types.:w
       * `value` (Required) User specified string value to use in the query. For `Tag` criteria, use 'scope|value' notation if you wish to specify scope in criteria.
 * `conjunction` (Required for multiple `criteria`) When specifying multiple `criteria`, a conjunction is used to specify if the criteria should selected using `AND` or `OR`.
   * `operator` (Required) The operator to use. Must be one of `AND` or `OR`. If `AND` is used, then the `criteria` block before/after must be of the same type and if using `condition` then also must use the same `member_type`.