vcd-nsxt-distributed-firewall

Terraform module which manages the NSX-T Distributed Firewall on VMWare Cloud Director.

Requirements

Name	Version
terraform	>= 1.1.9
vcd	>= 3.9.0

Providers

Name	Version
vcd	3.9.0

Modules

No modules.

Resources

Name	Type
vcd_nsxt_distributed_firewall.nsxt_distributed_firewall	resource
vcd_nsxt_app_port_profile.nsxt_app_port_profile	data source
vcd_nsxt_dynamic_security_group.nsxt_dynamic_security_groups	data source
vcd_nsxt_edgegateway.nsxt_edgegateway	data source
vcd_nsxt_ip_set.nsxt_ip_set	data source
vcd_nsxt_security_group.nsxt_security_groups	data source
vcd_vdc_group.vdc_group	data source

Inputs

Name	Description	Type	Default	Required
vdc_edgegateway_name	The name for the Edge Gateway.	string	n/a	yes
vdc_group_name	The name of the VDC group.	string	n/a	yes
vdc_org_name	The name of the organization to use.	string	n/a	yes
app_port_profiles	Map of app port profiles being used in this rule set with their corresponding scopes. These will be looked up with a data ressource.	map(string)	{}	no
dynamic_security_group_names	List of vcd_nsxt_dynamic_security_group names being used in this ruleset. These will be looked up with a data ressource.	list(string)	[]	no
ip_set_names	List of vcd_nsxt_ip_set names being used in this ruleset. These will be looked up with a data ressource.	list(string)	[]	no
rules	List of rules to apply.	list(object({ name = string direction = string ip_protocol = string action = string enabled = optional(bool) logging = optional(bool) source_ids = optional(list(string)) destination_ids = optional(list(string)) app_port_profile_ids = optional(list(string)) }))	[]	no
security_group_names	List of vcd_nsxt_security_group names being used in this ruleset. These will be looked up with a data ressource.	list(string)	[]	no

Outputs

Name	Description
nsxt_distributed_firewall_id	The ID of the firewall
nsxt_distributed_firewall_rule_names	The names of the firewall rules

Examples

Real world example

locals {
  distributed_firewall_rule = [
    {
      name                 = "kind of OUTBOUND HTTP/S"
      direction            = "IN_OUT"
      ip_protocol          = "IPV4"
      action               = "ALLOW"
      source_ids           = ["webserver"]
      destination_ids      = ["update_servers", "etc"]
      app_port_profile_ids = ["HTTP", "HTTPS"]
    },
    {
      name                 = "inbound HTTPS"
      direction            = "IN_OUT"
      ip_protocol          = "IPV4"
      action               = "ALLOW"
      source_ids           = ["loadbalancer"]
      destination_ids      = ["webserver"]
      app_port_profile_ids = ["myPort"]
    }
  ]
}

module "distributed_firewall" {
  source               = "git::https://github.com/noris-network/terraform-vcd-nsxt-distributed-firewall?ref=1.0.0"
  vdc_org_name         = var.vdc_org_name
  vdc_group_name       = var.vdc_group_name
  vdc_edgegateway_name = var.vdc_edge_gateway_name
  rules                = var.distributed_firewall_rule
  ip_set_names = [
    "webserver",
    "loadbalancer",
    "update_servers",
    "etc"
  ]
  app_port_profiles = {
    "app"      = "TENANT",
    "SSH"      = "SYSTEM",
    "HTTP"     = "SYSTEM",
    "HTTPS"    = "SYSTEM",
    "ICMP ALL" = "SYSTEM"
  }
  depends_on = [module.vcd_nsxt_app_port_profile, module.vcd_nsxt_ip_set]
}

Changelog

• v1.0.1 - Implement lifecycle ignore_change rule on vdc_group_id to prevent destruction and recreation of the entire rule set upon creation of ip_set, app_port_profile or security groups
• v1.0.0 - Initial release