Added Release Version 1.1.0 of the vcd_nsxt_firewall Module to the global-vmware GitHub Organization

scafeman · scafeman · commit ee3b9efd313a · 2023-06-01T17:00:21.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,33 @@
+# Local .terraform directories
+**/.terraform/*
+.terraform.*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+secrets.tfvars
+secrets.auto.tfvars
+providers.tf
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
diff --git a/README.md b/README.md
@@ -1 +1,92 @@
-# vcd_nsxt_firewall
+# VCD NSX-T Edge Gateway Firewall Rules Terraform Module
+
+This Terraform module deploys NSX-T Edge Gateway Firewall Rules into an existing VMware Cloud Director (VCD) environment. It enables the provisioning of new Edge Gateway Firewall Rules into [Rackspace Technology SDDC Flex](https://www.rackspace.com/cloud/private/software-defined-data-center-flex) VCD Data Center Regions.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | ~> 1.2 |
+| vcd | ~> 3.8 |
+
+## Resources
+
+| Name                                                                 | Type         |
+|----------------------------------------------------------------------|--------------|
+| [vcd_nsxt_edgegateway](https://registry.terraform.io/providers/vmware/vcd/latest/docs/data-sources/nsxt_edgegateway) | Data Source |
+| [vcd_vdc_group](https://registry.terraform.io/providers/vmware/vcd/latest/docs/data-sources/vdc_group)| Data Source |
+| [vcd_nsxt_security_group](https://registry.terraform.io/providers/vmware/vcd/latest/docs/resources/nsxt_security_group) | Data Source |
+| [vcd_nsxt_firewall](https://registry.terraform.io/providers/vmware/vcd/latest/docs/resources/nsxt_firewall) | Resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|----------|
+| vdc_org_name | The name of the Data Center Group Organization in VCD | string | - | yes |
+| vdc_group_name | The name of the Data Center Group in VCD | string | - | yes |
+| vdc_edge_name | Name of the Data Center Group Edge Gateway | string | - | yes |
+| app_port_profiles | Map of app port profiles with their corresponding scopes | map(string) | {} | no |
+| ip_set_names | List of IP set names | list(string) | [] | yes |
+| dynamic_security_group_names | List of dynamic security group names | list(string) | [] | no |
+| security_group_names | List of security group names | list(string) | [] | no |
+| rules | List of rules to apply | list(object({ name = string, direction = string, ip_protocol = string, action = string, enabled = optional(bool), logging = optional(bool), source_ids = optional(list(string)), destination_ids = optional(list(string)), app_port_profile_ids = optional(list(string)) })) | [] | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| firewall_id | The ID of the firewall |
+| firewall_rule_names | The names of the firewall rules |
+
+## Example Usage
+
+```terraform
+module "vcd_nsxt_firewall" {
+  source = "github.com/global-vmware/vcd_nsxt_firewall.git?ref=v1.1.0"
+
+  vdc_org_name          = "<VDC-ORG-NAME>"
+  vdc_group_name        = "<VDC-GRP-NAME>"
+  vdc_edge_name         = "<VDC-EDGE-NAME>"
+
+  app_port_profiles = {
+  "HTTPS"       = "SYSTEM",
+  }
+
+  ip_set_names = [
+    "US1-Segment-01-Network_172.16.0.0/24_IP-Set",
+    "US1-Segment-02-Network_172.16.1.0/24_IP-Set",
+    "US1-Segment-03-Network_172.16.2.0/24_IP-Set",
+    "US1-Segment-04-Network_172.16.3.0/24_IP-Set",
+    "US1-Segment-05-Network_172.16.4.0/24_IP-Set",
+    "Prod-App-NSXT-ALB-VIP"
+  ]
+
+  rules = [
+    {
+      name                  = "Allow_HTTPS-->Prod-App-NSXT-ALB-VIP"
+      direction             = "IN_OUT"
+      ip_protocol           = "IPV4"
+      action                = "ALLOW"
+      app_port_profile_ids  = ["HTTPS"]
+      destination_ids       = ["Prod-App-NSXT-ALB-VIP"]
+    },
+    {
+      name                  = "Allow_Outbound-Internet"
+      direction             = "IN_OUT"
+      ip_protocol           = "IPV4"
+      action                = "ALLOW"
+      source_ids            = [
+        "US1-Segment-01-Network_172.16.0.0/24_IP-Set",
+        "US1-Segment-02-Network_172.16.1.0/24_IP-Set",
+        "US1-Segment-03-Network_172.16.2.0/24_IP-Set",
+        "US1-Segment-04-Network_172.16.3.0/24_IP-Set",
+        "US1-Segment-05-Network_172.16.4.0/24_IP-Set"
+      ]
+    }
+  ]
+}
+```
+
+## Authors
+
+This module is maintained by the [Global VMware Cloud Automation Services Team](https://github.com/global-vmware).
diff --git a/main.tf b/main.tf
@@ -0,0 +1,73 @@
+terraform {
+  required_version = "~> 1.2"
+
+  required_providers {
+    vcd = {
+      source  = "vmware/vcd"
+      version = "~> 3.8"
+    }
+  }
+}
+
+# Create the Datacenter Group data source
+data "vcd_vdc_group" "dcgroup" {
+  name            = var.vdc_group_name
+}
+
+# Create the NSX-T Edge Gateway data source
+data "vcd_nsxt_edgegateway" "edge_gateway" {  
+  org             = var.vdc_org_name
+  owner_id        = data.vcd_vdc_group.dcgroup.id
+  name            = var.vdc_edge_name
+}
+
+# Create the NSX-T Data Center Edge Gateway Firewall data source
+data "vcd_nsxt_firewall" "edge_fw" {
+  edge_gateway_id = data.vcd_nsxt_edgegateway.edge_gateway.id
+}
+
+data "vcd_nsxt_app_port_profile" "app_port_profiles" {
+  for_each = var.app_port_profiles
+  name  = each.key
+  scope = each.value
+}
+
+data "vcd_nsxt_ip_set" "ip_sets" {
+  for_each        = toset(var.ip_set_names)
+  edge_gateway_id = data.vcd_nsxt_edgegateway.edge_gateway.id
+  name            = each.value
+}
+
+data "vcd_nsxt_dynamic_security_group" "dynamic_security_groups" {
+  for_each      = toset(var.dynamic_security_group_names)
+  vdc_group_id  = data.vcd_vdc_group.dcgroup.id
+  name          = each.value
+}
+
+data "vcd_nsxt_security_group" "security_groups" {
+  for_each        = toset(var.security_group_names)
+  edge_gateway_id = data.vcd_nsxt_edgegateway.edge_gateway.id
+  name            = each.value
+}
+
+resource "vcd_nsxt_firewall" "edge_firewall" {
+  edge_gateway_id = data.vcd_nsxt_edgegateway.edge_gateway.id
+
+  dynamic "rule" {
+    for_each = var.rules
+    content {
+      name                 = rule.value["name"]
+      direction            = rule.value["direction"]
+      ip_protocol          = rule.value["ip_protocol"]
+      action               = rule.value["action"]
+      enabled              = lookup(rule.value, "enabled", true)
+      logging              = lookup(rule.value, "logging", false)
+      source_ids           = try(length(rule.value["source_ids"]), 0) > 0 ? [for id in rule.value["source_ids"]: try(data.vcd_nsxt_security_group.security_groups[id].id, try(data.vcd_nsxt_dynamic_security_group.dynamic_security_groups[id].id, data.vcd_nsxt_ip_set.ip_sets[id].id)) if id != null && id != ""] : null
+      destination_ids      = try(length(rule.value["destination_ids"]), 0) > 0 ? [for id in rule.value["destination_ids"]: try(data.vcd_nsxt_security_group.security_groups[id].id, try(data.vcd_nsxt_dynamic_security_group.dynamic_security_groups[id].id, data.vcd_nsxt_ip_set.ip_sets[id].id)) if id != null && id != ""] : null
+      app_port_profile_ids = try(length(rule.value["app_port_profile_ids"]), 0) > 0 ? [for name in rule.value["app_port_profile_ids"]: data.vcd_nsxt_app_port_profile.app_port_profiles[name].id if name != null && name != ""] : null
+    }
+  }
+}
+
+
+
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,9 @@
+output "firewall_id" {
+  description = "The ID of the firewall"
+  value       = vcd_nsxt_firewall.edge_firewall.id
+}
+
+output "firewall_rule_names" {
+  description = "The names of the firewall rules"
+  value       = [for r in vcd_nsxt_firewall.edge_firewall.rule: r.name]
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,42 @@
+variable "vdc_org_name" {}
+
+variable "vdc_group_name" {}
+
+variable "vdc_edge_name" {}
+
+variable "app_port_profiles" {
+  description = "Map of app port profiles with their corresponding scopes"
+  type = map(string)
+  default = {}
+}
+
+variable "ip_set_names" {
+  type = list(string)
+  default = []
+}
+
+variable "dynamic_security_group_names" {
+  type = list(string)
+  default = []
+}
+
+variable "security_group_names" {
+  type = list(string)
+  default = []
+}
+
+variable "rules" {
+  description = "List of rules to apply"
+  type = list(object({
+    name                 = string
+    direction            = string
+    ip_protocol          = string
+    action               = string
+    enabled              = optional(bool)
+    logging              = optional(bool)
+    source_ids           = optional(list(string))
+    destination_ids      = optional(list(string))
+    app_port_profile_ids = optional(list(string))
+  }))
+  default = []
+}
