vcd-nsxt-firewall

Terraform module which manages the NSX-T Firewall on an Edge Gateway on VMWare Cloud Director.

Requirements

Name	Version
terraform	>= 1.1.9
vcd	>= 3.9.0

Providers

Name	Version
vcd	3.9.0

Modules

No modules.

Resources

Name	Type
vcd_nsxt_firewall.nsxt_firewall	resource
vcd_nsxt_app_port_profile.nsxt_app_port_profile	data source
vcd_nsxt_dynamic_security_group.nsxt_dynamic_security_groups	data source
vcd_nsxt_edgegateway.nsxt_edgegateway	data source
vcd_nsxt_ip_set.nsxt_ip_sets	data source
vcd_nsxt_security_group.nsxt_security_groups	data source
vcd_vdc_group.vdc_group	data source

Inputs

Name	Description	Type	Default	Required
vdc_edgegateway_name	The name for the Edge Gateway.	string	n/a	yes
vdc_group_name	The name of the VDC group.	string	n/a	yes
vdc_org_name	The name of the organization to use.	string	n/a	yes
app_port_profiles	Map of app port profiles used in this ruleset with their corresponding scopes. These will be looked up with a data ressource.	map(string)	{}	no
dynamic_security_group_names	List of vcd_nsxt_dynamic_security_group names being used in this ruleset. These will be looked up with a data ressource.	list(string)	[]	no
ip_set_names	List of vcd_nsxt_ip_set names being used in this ruleset. These will be looked up with a data ressource.	list(string)	[]	no
rules	List of rules to apply.	list(object({ name = string direction = string ip_protocol = string action = string enabled = optional(bool) logging = optional(bool) source_ids = optional(list(string)) destination_ids = optional(list(string)) app_port_profile_ids = optional(list(string)) }))	[]	no
security_group_names	List of vcd_nsxt_security_group names being used in this ruleset. These will be looked up with a data ressource.	list(string)	[]	no

Outputs

Name	Description
firewall_id	The ID of the firewall
firewall_rule_names	The names of the firewall rules

Examples

Real world example

locals {
    edge_firewall_rule = [
    {
        name        = "any>vms_ssh"
        direction   = "IN_OUT"
        ip_protocol = "IPV4_IPV6"
        action      = "ALLOW"
        destination_ids = [
        "webserver",
        "db",
        ]
        app_port_profile_ids = ["SSH"]
    },
    {
        name                 = "any>loadbalancer_tcp443"
        direction            = "IN_OUT"
        ip_protocol          = "IPV4"
        action               = "ALLOW"
        destination_ids      = ["loadbalancer"]
        app_port_profile_ids = ["HTTPS", "myPort"]
    }
  ]
}

module "edge_firewall" {
  source               = "git::https://github.com/noris-network/terraform-vcd-nsxt-firewall?ref=1.0.0"
  vdc_org_name         = var.vdc_org_name
  vdc_group_name       = var.vdc_group_name
  vdc_edgegateway_name = var.vdc_edge_gateway_name
  rules                = var.edge_firewall_rule
  ip_set_names = [
    "loadbalancer_test",
    "loadbalancer_prod",
    "webserver",
  ]
  app_port_profiles = {
    "SSH"    = "SYSTEM",
    "HTTPS"  = "SYSTEM",
    "myPort" = "TENANT",
  }
  depends_on = [module.vcd_nsxt_app_port_profile, module.vcd_nsxt_ip_set]
}

Changelog

• v1.0.1 - Implement lifecycle ignore_change rule on vdc_group_id to prevent destruction and recreation of the entire rule set upon creation of ip_set, app_port_profile or security groups
• v1.0.0 - Initial release