# vcd-nsxt-distributed-firewall

Terraform module which manages the NSX-T Distributed Firewall on VMware Cloud Director.

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1.9 |
| vcd | >= 3.9.0 |

## Providers

| Name | Version |
|------|---------|
| vcd | 3.9.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| vcd_nsxt_distributed_firewall.nsxt_distributed_firewall | resource |
| vcd_nsxt_app_port_profile.nsxt_app_port_profile | data source |
| vcd_nsxt_dynamic_security_group.nsxt_dynamic_security_groups | data source |
| vcd_nsxt_edgegateway.nsxt_edgegateway | data source |
| vcd_nsxt_ip_set.nsxt_ip_set | data source |
| vcd_nsxt_security_group.nsxt_security_groups | data source |
| vcd_vdc_group.vdc_group | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| vdc_edgegateway_name | The name of the Edge Gateway. | `string` | n/a | yes |
| vdc_group_name | The name of the VDC group. | `string` | n/a | yes |
| vdc_org_name | The name of the organization to use. | `string` | n/a | yes |
| app_port_profiles | Map of app port profiles used in this rule set with their corresponding scopes. These are looked up with a data source. | `map(string)` | `{}` | no |
| dynamic_security_group_names | List of vcd_nsxt_dynamic_security_group names used in this rule set. These are looked up with a data source. | `list(string)` | `[]` | no |
| ip_set_names | List of vcd_nsxt_ip_set names used in this rule set. These are looked up with a data source. | `list(string)` | `[]` | no |
| rules | List of rules to apply. | <pre>list(object({<br>  name                 = string<br>  direction            = string<br>  ip_protocol          = string<br>  action               = string<br>  enabled              = optional(bool)<br>  logging              = optional(bool)<br>  source_ids           = optional(list(string))<br>  destination_ids      = optional(list(string))<br>  app_port_profile_ids = optional(list(string))<br>}))</pre> | `[]` | no |
| security_group_names | List of vcd_nsxt_security_group names used in this rule set. These are looked up with a data source. | `list(string)` | `[]` | no |

## Outputs

| Name | Description |
|------|-------------|
| nsxt_distributed_firewall_id | The ID of the firewall |
| nsxt_distributed_firewall_rule_names | The names of the firewall rules |

## Examples

### Real world example

```hcl
locals {
  distributed_firewall_rule = [
    {
      name                 = "kind of OUTBOUND HTTP/S"
      direction            = "IN_OUT"
      ip_protocol          = "IPV4"
      action               = "ALLOW"
      source_ids           = ["webserver"]             # names from ip_set_names below
      destination_ids      = ["update_servers", "etc"]
      app_port_profile_ids = ["HTTP", "HTTPS"]         # keys of app_port_profiles below
    },
    {
      name                 = "inbound HTTPS"
      direction            = "IN_OUT"
      ip_protocol          = "IPV4"
      action               = "ALLOW"
      source_ids           = ["loadbalancer"]
      destination_ids      = ["webserver"]
      app_port_profile_ids = ["app"]                   # must be a key of app_port_profiles
    }
  ]
}

module "distributed_firewall" {
  source               = "git::https://github.com/noris-network/terraform-vcd-nsxt-distributed-firewall?ref=1.0.0"
  vdc_org_name         = var.vdc_org_name
  vdc_group_name       = var.vdc_group_name
  vdc_edgegateway_name = var.vdc_edge_gateway_name
  rules                = local.distributed_firewall_rule   # the rule list defined in locals above
  # Every name referenced in source_ids / destination_ids has to be listed here
  # so the module can resolve it with the vcd_nsxt_ip_set data source.
  ip_set_names = [
    "webserver",
    "loadbalancer",
    "update_servers",
    "etc"
  ]
  # Name => scope of each app port profile referenced in app_port_profile_ids.
  app_port_profiles = {
    "app"      = "TENANT",
    "SSH"      = "SYSTEM",
    "HTTP"     = "SYSTEM",
    "HTTPS"    = "SYSTEM",
    "ICMP ALL" = "SYSTEM"
  }
  # The IP sets and app port profiles must exist before the rule set is created.
  depends_on = [module.vcd_nsxt_app_port_profile, module.vcd_nsxt_ip_set]
}
```
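A second configuration, added here as an illustration and not taken from the module's repository: it uses the optional `logging` field, `security_group_names` instead of only IP sets, and closes the list with an explicit, logged default-deny rule, since the distributed firewall evaluates rules top-down and stops at the first match. The security groups `web-tier` and `db-tier`, the IP set `loadbalancer` and the tenant app port profile `app` are assumed to exist already, and a rule without source, destination or app port profile is assumed to match any traffic, as the provider resource does with empty sets.

```hcl
locals {
  # Rules are evaluated top-down; the first match wins, so the explicit
  # deny comes last and catches everything the allow rules did not.
  distributed_firewall_rules = [
    {
      name                 = "allow LB to web tier (HTTPS)"
      direction            = "IN_OUT"
      ip_protocol          = "IPV4"
      action               = "ALLOW"
      logging              = false
      source_ids           = ["loadbalancer"]          # ip_set_names entry
      destination_ids      = ["web-tier"]              # security_group_names entry (assumed)
      app_port_profile_ids = ["HTTPS"]
    },
    {
      name                 = "allow web tier to db tier (app port)"
      direction            = "IN_OUT"
      ip_protocol          = "IPV4"
      action               = "ALLOW"
      logging              = true                      # log east-west traffic to the data tier
      source_ids           = ["web-tier"]
      destination_ids      = ["db-tier"]
      app_port_profile_ids = ["app"]                   # tenant-scoped profile (assumed)
    },
    {
      name                 = "default deny (logged)"
      direction            = "IN_OUT"
      ip_protocol          = "IPV4_IPV6"
      action               = "DROP"
      logging              = true                      # logged drops feed detection
      # no source/destination/app port profile: matches any (assumption, as the provider does)
    }
  ]
}

module "distributed_firewall" {
  source               = "git::https://github.com/noris-network/terraform-vcd-nsxt-distributed-firewall?ref=1.0.0"
  vdc_org_name         = var.vdc_org_name
  vdc_group_name       = var.vdc_group_name
  vdc_edgegateway_name = var.vdc_edgegateway_name
  rules                = local.distributed_firewall_rules
  ip_set_names         = ["loadbalancer"]
  security_group_names = ["web-tier", "db-tier"]
  app_port_profiles = {
    "HTTPS" = "SYSTEM"
    "app"   = "TENANT"
  }
}
```

Inspect the result with `terraform plan` and the `nsxt_distributed_firewall_rule_names` output to confirm the deny rule is last before applying.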

## Changelog

  • v1.0.1 - Implement a lifecycle `ignore_changes` rule on `vdc_group_id` to prevent destruction and recreation of the entire rule set upon creation of IP sets, app port profiles or security groups
  • v1.0.0 - Initial release