Support service entries in policy rules

This follows API change on NSX that allows to specify
explicit service entries on rule, as an alternative to
service path.

Signed-off-by: Anna Khmelnitsky <akhmelnitsky@vmware.com>

nsxt/policy_common.go

@@ -271,6 +271,15 @@ func getSecurityPolicyAndGatewayRuleSchema(scopeRequired bool, isIds bool, nsxID
 			},
 			Optional: true,
 		},
+		"service_entries": {
+			Type:        schema.TypeList,
+			Description: "List of services to match",
+			Elem: &schema.Resource{
+				Schema: getPolicyServiceEntrySchema(),
+			},
+			Optional: true,
+			MaxItems: 1,
+		},
 		"source_groups": {
 			Type:        schema.TypeSet,
 			Description: "List of source groups",
@@ -330,6 +339,17 @@ func getPolicyGatewayPolicySchema(isVPC bool) map[string]*schema.Schema {
 	return secPolicy
 }
 
+func getPolicyServiceEntrySchema() map[string]*schema.Schema {
+	return map[string]*schema.Schema{
+		"icmp_entry":           getIcmpEntrySchema(),
+		"l4_port_set_entry":    getL4PortSetEntrySchema(),
+		"igmp_entry":           getIgmpEntrySchema(),
+		"ether_type_entry":     getEtherEntrySchema(false),
+		"ip_protocol_entry":    getIPProtocolEntrySchema(),
+		"algorithm_entry":      getAlgorithmEntrySchema(),
+	}
+}
+
 func getPolicySecurityPolicySchema(isIds, withContext, withRule, isVPC bool) map[string]*schema.Schema {
 	result := map[string]*schema.Schema{
 		"nsx_id":       getNsxIDSchema(),
@@ -485,6 +505,14 @@ func setPolicyRulesInSchema(d *schema.ResourceData, rules []model.Rule) error {
 		}
 		elem["tag"] = tagList
 
+		if len(rule.ServiceEntries) > 0 {
+			var entryList []map[string]interface{}
+			entry := make(map[string]interface{})
+			setServiceEntriesInSchema(entry, rule.ServiceEntries, false)
+			entryList = append(entryList, entry)
+			elem["service_entries"] = entryList
+		}
+
 		rulesList = append(rulesList, elem)
 	}
 
@@ -579,6 +607,13 @@ func getPolicyRulesFromSchema(d *schema.ResourceData) []model.Rule {
 			SequenceNumber:       &sequenceNumber,
 		}
 
+		schemaServiceEntries := data["service_entries"].([]interface{})
+		if len(schemaServiceEntries) > 0 {
+			schemaServiceEntry := schemaServiceEntries[0].(map[string]interface{})
+			serviceEntries, _ := getServiceEntriesFromSchema(schemaServiceEntry)
+			elem.ServiceEntries = serviceEntries
+		}
+
 		ruleList = append(ruleList, elem)
 	}
 

nsxt/resource_nsxt_policy_gateway_policy_test.go

@@ -501,6 +501,7 @@ func TestAccResourceNsxtPolicyGatewayPolicy_withIPCidrRange(t *testing.T) {
 					resource.TestCheckResourceAttr(testResourceName, "rule.5.source_groups.#", "1"),
 					resource.TestCheckResourceAttr(testResourceName, "rule.5.source_groups.0", policyRange),
 					resource.TestCheckResourceAttr(testResourceName, "rule.5.destination_groups.#", "1"),
+					resource.TestCheckResourceAttr(testResourceName, "rule.5.service_entries.#", "1"),
 				),
 			},
 			{
@@ -560,6 +561,7 @@ func TestAccResourceNsxtPolicyGatewayPolicy_withIPCidrRange(t *testing.T) {
 					resource.TestCheckResourceAttr(testResourceName, "rule.5.source_groups.#", "1"),
 					resource.TestCheckResourceAttr(testResourceName, "rule.5.source_groups.0", updatedPolicyRange),
 					resource.TestCheckResourceAttr(testResourceName, "rule.5.destination_groups.#", "1"),
+					resource.TestCheckResourceAttr(testResourceName, "rule.5.service_entries.#", "1"),
 				),
 			},
 		},
@@ -952,48 +954,58 @@ func testAccNsxtPolicyGatewayPolicyWithIPCidrRange(name string, destIP string, d
 		}
 
 		rule {
-			display_name          = "rule2"
-			source_groups         = [nsxt_policy_group.group1.path]			
-			destination_groups    = ["%s"]
-			services              = [nsxt_policy_service.icmp.path]
-			scope                 = [nsxt_policy_tier1_gateway.gwt1test.path]			
-			action                = "ALLOW"
-		  }
+		  display_name          = "rule2"
+		  source_groups         = [nsxt_policy_group.group1.path]			
+		  destination_groups    = ["%s"]
+		  services              = [nsxt_policy_service.icmp.path]
+		  scope                 = [nsxt_policy_tier1_gateway.gwt1test.path]			
+		  action                = "ALLOW"
+	        }
 
-		  rule {
-			display_name          = "rule3"
-			source_groups         = [nsxt_policy_group.group1.path]
-			destination_groups    = ["%s"]
-			services              = [nsxt_policy_service.icmp.path]
-			scope                 = [nsxt_policy_tier1_gateway.gwt1test.path]			
-			action                = "ALLOW"
-		  }
+		rule {
+		  display_name          = "rule3"
+		  source_groups         = [nsxt_policy_group.group1.path]
+		  destination_groups    = ["%s"]
+		  services              = [nsxt_policy_service.icmp.path]
+		  scope                 = [nsxt_policy_tier1_gateway.gwt1test.path]			
+		  action                = "ALLOW"
+		}
 
-		  rule {
-			display_name          = "rule4"
-			source_groups         = ["%s"]
-			destination_groups    = [nsxt_policy_group.group2.path]
-			services              = [nsxt_policy_service.icmp.path]
-			scope                 = [nsxt_policy_tier1_gateway.gwt1test.path]		  
-			action                = "ALLOW"
-		  }
+		rule {
+		  display_name          = "rule4"
+		  source_groups         = ["%s"]
+		  destination_groups    = [nsxt_policy_group.group2.path]
+		  services              = [nsxt_policy_service.icmp.path]
+		  scope                 = [nsxt_policy_tier1_gateway.gwt1test.path]		  
+		  action                = "ALLOW"
+		}
   
-		  rule {
-			  display_name          = "rule5"
-			  source_groups         = ["%s"]			
-			  destination_groups    = [nsxt_policy_group.group2.path]
-			  services              = [nsxt_policy_service.icmp.path]
-			  scope                 = [nsxt_policy_tier1_gateway.gwt1test.path]			
-			  action                = "ALLOW"
-			}
+		rule {
+		  display_name          = "rule5"
+		  source_groups         = ["%s"]			
+		  destination_groups    = [nsxt_policy_group.group2.path]
+		  services              = [nsxt_policy_service.icmp.path]
+		  scope                 = [nsxt_policy_tier1_gateway.gwt1test.path]			
+		  action                = "ALLOW"
+		}
   
-			rule {
-			  display_name          = "rule6"
-			  source_groups         = ["%s"]
-			  destination_groups    = [nsxt_policy_group.group2.path]
-			  services              = [nsxt_policy_service.icmp.path]
-			  scope                 = [nsxt_policy_tier1_gateway.gwt1test.path]			
-			  action                = "ALLOW"
-			}
+		rule {
+		  display_name          = "rule6"
+		  source_groups         = ["%s"]
+		  destination_groups    = [nsxt_policy_group.group2.path]
+		  services              = [nsxt_policy_service.icmp.path]
+		  scope                 = [nsxt_policy_tier1_gateway.gwt1test.path]			
+	          action                = "ALLOW"
+		  service_entries {
+		    algorithm_entry {
+		      algorithm         = "TFTP"
+		      destination_port  = "9000"
+	            }
+
+		    ether_type_entry {
+		      ether_type = "1536"
+		    }
+		  }
+		}
 }`, name, destIP, destCidr, destIPRange, sourceIP, sourceCidr, sourceIPRange)
 }

nsxt/resource_nsxt_policy_security_policy_rule.go

@@ -100,7 +100,7 @@ func securityPolicyRuleSchemaToModel(d *schema.ResourceData, id string) model.Ru
 	tagStructs := getPolicyTagsFromSet(d.Get("tag").(*schema.Set))
 
 	resourceType := "Rule"
-	return model.Rule{
+	rule := model.Rule{
 		ResourceType:         &resourceType,
 		Id:                   &id,
 		DisplayName:          &displayName,
@@ -122,6 +122,14 @@ func securityPolicyRuleSchemaToModel(d *schema.ResourceData, id string) model.Ru
 		Profiles:             getPathListFromSchema(d, "profiles"),
 		SequenceNumber:       &sequenceNumber,
 	}
+
+	schemaServiceEntries := d.Get("service_entries").([]interface{})
+	if len(schemaServiceEntries) > 0 {
+		schemaServiceEntry := schemaServiceEntries[0].(map[string]interface{})
+		serviceEntries, _ := getServiceEntriesFromSchema(schemaServiceEntry)
+		rule.ServiceEntries = serviceEntries
+	}
+	return rule
 }
 
 func resourceNsxtPolicySecurityPolicyRuleExistsPartial(d *schema.ResourceData, m interface{}, policyPath string) func(sessionContext utl.SessionContext, id string, connector client.Connector) (bool, error) {
@@ -210,6 +218,14 @@ func securityPolicyRuleModelToSchema(d *schema.ResourceData, rule model.Rule) {
 	d.Set("nsx_id", rule.Id)
 	d.Set("rule_id", rule.RuleId)
 
+	var entryList []map[string]interface{}
+	if len(rule.ServiceEntries) > 0 {
+		entry := make(map[string]interface{})
+		setServiceEntriesInSchema(entry, rule.ServiceEntries, false)
+		entryList = append(entryList, entry)
+	}
+	d.Set("service_entries", entryList)
+
 	setPolicyTagsInSchema(d, rule.Tags)
 }
 

nsxt/resource_nsxt_policy_security_policy_rule_test.go

@@ -70,6 +70,9 @@ func testAccResourceNsxtPolicySecurityPolicyRuleBasic(t *testing.T, withContext
 					resource.TestCheckResourceAttr(ruleResourceName, "direction", direction),
 					resource.TestCheckResourceAttr(ruleResourceName, "ip_version", proto),
 					resource.TestCheckResourceAttr(ruleResourceName, "sequence_number", seqNum),
+					resource.TestCheckResourceAttr(ruleResourceName, "service_entries.#", "1"),
+					resource.TestCheckResourceAttr(ruleResourceName, "service_entries.0.igmp_entry.#", "1"),
+					resource.TestCheckResourceAttr(ruleResourceName, "service_entries.0.l4_port_set_entry.#", "2"),
 				),
 			},
 			{
@@ -282,6 +285,24 @@ resource "nsxt_policy_security_policy_rule" "%s" {
   ip_version      = "%s"
   sequence_number = %s
 
+  service_entries {
+    igmp_entry {
+      display_name = "test"
+    }
+    
+    l4_port_set_entry {
+      display_name      = "entry-2"
+      protocol          = "TCP"
+      destination_ports = [ "443" ]
+    }
+
+    l4_port_set_entry {
+      display_name      = "entry-3"
+      protocol          = "TCP"
+      destination_ports = [ "80" ]
+    }
+  }
+
   tag {
     scope = "color"
     tag   = "orange"

nsxt/resource_nsxt_policy_security_policy_test.go

@@ -359,6 +359,7 @@ func TestAccResourceNsxtPolicySecurityPolicy_withIPCidrRange(t *testing.T) {
 					resource.TestCheckResourceAttr(testResourceName, "rule.5.source_groups.#", "1"),
 					resource.TestCheckResourceAttr(testResourceName, "rule.5.source_groups.0", policyRange),
 					resource.TestCheckResourceAttr(testResourceName, "rule.5.destination_groups.#", "1"),
+					resource.TestCheckResourceAttr(testResourceName, "rule.5.service_entries.#", "1"),
 				),
 			},
 			{
@@ -418,6 +419,7 @@ func TestAccResourceNsxtPolicySecurityPolicy_withIPCidrRange(t *testing.T) {
 					resource.TestCheckResourceAttr(testResourceName, "rule.5.source_groups.#", "1"),
 					resource.TestCheckResourceAttr(testResourceName, "rule.5.source_groups.0", updatedPolicyRange),
 					resource.TestCheckResourceAttr(testResourceName, "rule.5.destination_groups.#", "1"),
+					resource.TestCheckResourceAttr(testResourceName, "rule.5.service_entries.#", "1"),
 				),
 			},
 		},
@@ -870,7 +872,6 @@ resource "nsxt_policy_service" "tcp778" {
 }`
 }
 
-// TODO: add profiles when available
 func testAccNsxtPolicySecurityPolicyWithDepsCreate(name string) string {
 	return testAccNsxtPolicySecurityPolicyDeps() + fmt.Sprintf(`
 resource "nsxt_policy_security_policy" "test" {
@@ -963,44 +964,54 @@ func testAccNsxtPolicySecurityPolicyWithIPCidrRange(name string, destIP string,
 		}
 
 		rule {
-			display_name          = "rule2"
-			source_groups         = [nsxt_policy_group.group1.path]			
-			destination_groups    = ["%s"]
-			services              = [nsxt_policy_service.icmp.path]
-			action                = "ALLOW"
+		  display_name          = "rule2"
+		  source_groups         = [nsxt_policy_group.group1.path]			
+		  destination_groups    = ["%s"]
+	          services              = [nsxt_policy_service.icmp.path]
+		  action                = "ALLOW"
 		}
 
 		rule {
-			display_name          = "rule3"
-			source_groups         = [nsxt_policy_group.group1.path]
-			destination_groups    = ["%s"]
-			services              = [nsxt_policy_service.icmp.path]
-			action                = "ALLOW"
-			sequence_number       = 50
+		  display_name          = "rule3"
+		  source_groups         = [nsxt_policy_group.group1.path]
+		  destination_groups    = ["%s"]
+		  services              = [nsxt_policy_service.icmp.path]
+		  action                = "ALLOW"
+		  sequence_number       = 50
 		}
 		rule {
-			display_name          = "rule4"
-			source_groups         = ["%s"]
-			destination_groups    = [nsxt_policy_group.group2.path]
-			services              = [nsxt_policy_service.icmp.path]
-			action                = "ALLOW"
+		  display_name          = "rule4"
+		  source_groups         = ["%s"]
+		  destination_groups    = [nsxt_policy_group.group2.path]
+		  services              = [nsxt_policy_service.icmp.path]
+		  action                = "ALLOW"
 		}
   
 		rule {
-			  display_name          = "rule5"
-			  source_groups         = ["%s"]			
-			  destination_groups    = [nsxt_policy_group.group2.path]
-			  services              = [nsxt_policy_service.icmp.path]
-			  action                = "ALLOW"
-			  sequence_number       = 105
+		  display_name          = "rule5"
+		  source_groups         = ["%s"]			
+		  destination_groups    = [nsxt_policy_group.group2.path]
+		  services              = [nsxt_policy_service.icmp.path]
+		  action                = "ALLOW"
+		  sequence_number       = 105
                 }
   
 		rule {
-			  display_name          = "rule6"
-			  source_groups         = ["%s"]
-			  destination_groups    = [nsxt_policy_group.group2.path]
-			  services              = [nsxt_policy_service.icmp.path]
-			  action                = "ALLOW"
+		  display_name          = "rule6"
+		  source_groups         = ["%s"]
+		  destination_groups    = [nsxt_policy_group.group2.path]
+		  service_entries {
+		    icmp_entry {
+			display_name = "test"
+			icmp_type    = "3"
+			protocol     = "ICMPv4"
+		    }
+		    l4_port_set_entry {
+			protocol          = "TCP"
+			destination_ports = ["8000-8080"]
+		    }
+		  }
+		  action                = "ALLOW"
 		}
 }`, name, destIP, destCidr, destIPRange, sourceIP, sourceCidr, sourceIPRange)
 }