Skip to content
/ terraform-vcd-nsxt-firewall Public

Terraform module which manages the NSX-T Firewall on an Edge Gateway on VMWare Cloud Director.

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

noris-network/terraform-vcd-nsxt-firewall

BranchesTags

Repository files navigation

vcd-nsxt-firewall

Terraform module which manages the NSX-T Firewall on an Edge Gateway on VMWare Cloud Director.

Requirements

Name Version
terraform >= 1.1.9
vcd >= 3.9.0

Providers

Name Version
vcd 3.9.0

Modules

No modules.

Resources

Name Type
vcd_nsxt_firewall.nsxt_firewall resource
vcd_nsxt_app_port_profile.nsxt_app_port_profile data source
vcd_nsxt_dynamic_security_group.nsxt_dynamic_security_groups data source
vcd_nsxt_edgegateway.nsxt_edgegateway data source
vcd_nsxt_ip_set.nsxt_ip_sets data source
vcd_nsxt_security_group.nsxt_security_groups data source
vcd_vdc_group.vdc_group data source

Inputs

Name Description Type Default Required
vdc_edgegateway_name The name for the Edge Gateway. string n/a yes
vdc_group_name The name of the VDC group. string n/a yes
vdc_org_name The name of the organization to use. string n/a yes
app_port_profiles Map of app port profiles used in this ruleset with their corresponding scopes. These will be looked up with a data ressource. map(string) {} no
dynamic_security_group_names List of vcd_nsxt_dynamic_security_group names being used in this ruleset. These will be looked up with a data ressource. list(string) [] no
ip_set_names List of vcd_nsxt_ip_set names being used in this ruleset. These will be looked up with a data ressource. list(string) [] no
rules List of rules to apply. 
list(object({
    name                 = string
    direction            = string
    ip_protocol          = string
    action               = string
    enabled              = optional(bool)
    logging              = optional(bool)
    source_ids           = optional(list(string))
    destination_ids      = optional(list(string))
    app_port_profile_ids = optional(list(string))
  }))
 [] no
security_group_names List of vcd_nsxt_security_group names being used in this ruleset. These will be looked up with a data ressource. list(string) [] no

Outputs

Name Description
firewall_id The ID of the firewall
firewall_rule_names The names of the firewall rules

Examples

Real world example

locals {
    edge_firewall_rule = [
    {
        name        = "any>vms_ssh"
        direction   = "IN_OUT"
        ip_protocol = "IPV4_IPV6"
        action      = "ALLOW"
        destination_ids = [
        "webserver",
        "db",
        ]
        app_port_profile_ids = ["SSH"]
    },
    {
        name                 = "any>loadbalancer_tcp443"
        direction            = "IN_OUT"
        ip_protocol          = "IPV4"
        action               = "ALLOW"
        destination_ids      = ["loadbalancer"]
        app_port_profile_ids = ["HTTPS", "myPort"]
    }
  ]
}

module "edge_firewall" {
  source               = "git::https://github.com/noris-network/terraform-vcd-nsxt-firewall?ref=1.0.0"
  vdc_org_name         = var.vdc_org_name
  vdc_group_name       = var.vdc_group_name
  vdc_edgegateway_name = var.vdc_edge_gateway_name
  rules                = var.edge_firewall_rule
  ip_set_names = [
    "loadbalancer_test",
    "loadbalancer_prod",
    "webserver",
  ]
  app_port_profiles = {
    "SSH"    = "SYSTEM",
    "HTTPS"  = "SYSTEM",
    "myPort" = "TENANT",
  }
  depends_on = [module.vcd_nsxt_app_port_profile, module.vcd_nsxt_ip_set]
}

Changelog

  • v1.0.1 - Implement lifecycle ignore_change rule on vdc_group_id to prevent destruction and recreation of the entire rule set upon creation of ip_set, app_port_profile or security groups
  • v1.0.0 - Initial release

About

Terraform module which manages the NSX-T Firewall on an Edge Gateway on VMWare Cloud Director.

Topics

terraform vcd

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

2 tags

Languages