Add nsxt_policy_security_policy_container_cluster resource

This resource will bind a container cluster to a security policy.

Fixes: #1230

Signed-off-by: Kobi Samoray <[email protected]>

Author: ksamoray

docs/resources/policy_security_policy_container_cluster.md

@@ -0,0 +1,62 @@
+---
+subcategory: "Beta"
+page_title: "NSXT: nsxt_policy_security_policy_container_cluster"
+description: A resource to configure a Security Policy Container Cluster.
+---
+
+# nsxt_policy_security_policy_container_cluster
+
+This resource provides a method for the management of Container Clusters associated with security policies.
+
+This resource is applicable to NSX Policy Manager.
+
+## Example Usage
+
+```hcl
+data "nsxt_policy_container_cluster" "cluster" {
+  display_name = "containercluster1"
+}
+
+resource "nsxt_policy_parent_security_policy" "policy1" {
+  display_name = "policy1"
+  category     = "Application"
+}
+
+resource "nsxt_policy_security_policy_container_cluster" "antreacluster" {
+  display_name           = "cluster1"
+  description            = "Terraform provisioned SecurityPolicyContainerCluster"
+  policy_path            = nsxt_policy_parent_security_policy.policy1.path
+  container_cluster_path = data.nsxt_policy_container_cluster.cluster.path
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `display_name` - (Required) Display name of the resource.
+* `description` - (Optional) Description of the resource.
+* `tag` - (Optional) A list of scope + tag pairs to associate with this resource.
+* `nsx_id` - (Optional) The NSX ID of this resource. If set, this ID will be used to create the resource.
+* `policy_path` - (Required) The path of the Security Policy which the object belongs to
+* `container_cluster_path` - (Required) Path to the container cluster entity in NSX
+
+## Attributes Reference
+
+In addition to arguments listed above, the following attributes are exported:
+
+* `id` - ID of the resource.
+* `revision` - Indicates current revision number of the object as seen by NSX-T API server. This attribute can be useful for debugging.
+* `path` - The NSX path of the policy resource.
+
+## Importing
+
+An existing object can be [imported][docs-import] into this resource, via the following command:
+
+[docs-import]: https://www.terraform.io/cli/import
+
+```shell
+terraform import nsxt_policy_security_policy_container_cluster.antreacluster PATH
+```
+
+The above command imports Security Policy Container Cluster named `antreacluster` with the NSX path `PATH`.

nsxt/provider.go

@@ -537,6 +537,7 @@ func Provider() *schema.Provider {
 			"nsxt_policy_gateway_connection":                           resourceNsxtPolicyGatewayConnection(),
 			"nsxt_policy_distributed_vlan_connection":                  resourceNsxtPolicyDistributedVlanConnection(),
 			"nsxt_policy_parent_gateway_policy":                        resourceNsxtPolicyParentGatewayPolicy(),
+			"nsxt_policy_security_policy_container_cluster":            resourceNsxtPolicySecurityPolicyContainerCluster(),
 			"nsxt_vpc":                                   resourceNsxtVpc(),
 			"nsxt_vpc_attachment":                        resourceNsxtVpcAttachment(),
 			"nsxt_vpc_nat_rule":                          resourceNsxtPolicyVpcNatRule(),

nsxt/resource_nsxt_policy_security_policy_container_cluster.go

@@ -0,0 +1,201 @@
+// © Broadcom. All Rights Reserved.
+// The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+// SPDX-License-Identifier: MPL-2.0
+
+package nsxt
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/vmware/vsphere-automation-sdk-go/runtime/protocol/client"
+	"github.com/vmware/vsphere-automation-sdk-go/services/nsxt/infra/domains/security_policies"
+	"github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model"
+)
+
+func resourceNsxtPolicySecurityPolicyContainerCluster() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceNsxtPolicySecurityPolicyContainerClusterCreate,
+		Read:   resourceNsxtPolicySecurityPolicyContainerClusterRead,
+		Update: resourceNsxtPolicySecurityPolicyContainerClusterUpdate,
+		Delete: resourceNsxtPolicySecurityPolicyContainerClusterDelete,
+		Importer: &schema.ResourceImporter{
+			State: nsxtSecurityPolicyContainerClusterImporter,
+		},
+		Schema: map[string]*schema.Schema{
+			"nsx_id":       getNsxIDSchema(),
+			"path":         getPathSchema(),
+			"display_name": getDataSourceDisplayNameSchema(),
+			"description":  getDataSourceDescriptionSchema(),
+			"revision":     getRevisionSchema(),
+			"tag":          getTagsSchema(),
+			"policy_path":  getPolicyPathSchema(true, true, "Security Policy path"),
+			"container_cluster_path": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "Path to the container cluster entity in NSX",
+			},
+		},
+	}
+}
+
+func resourceNsxtPolicySecurityPolicyContainerClusterExistsPartial(d *schema.ResourceData, m interface{}, policyPath string) func(string, client.Connector, bool) (bool, error) {
+	return func(id string, connector client.Connector, isGlobal bool) (bool, error) {
+		return resourceNsxtPolicySecurityPolicyContainerClusterExists(id, connector, policyPath)
+	}
+}
+
+func resourceNsxtPolicySecurityPolicyContainerClusterExists(id string, connector client.Connector, policyPath string) (bool, error) {
+	var err error
+
+	client := security_policies.NewContainerClusterSpanClient(connector)
+	domain := getDomainFromResourcePath(policyPath)
+	policyID := getPolicyIDFromPath(policyPath)
+
+	_, err = client.Get(domain, policyID, id)
+	if err == nil {
+		return true, nil
+	}
+
+	if isNotFoundError(err) {
+		return false, nil
+	}
+
+	return false, logAPIError("Error retrieving resource", err)
+}
+
+func resourceNsxtPolicySecurityPolicyContainerClusterCreate(d *schema.ResourceData, m interface{}) error {
+	connector := getPolicyConnector(m)
+	client := security_policies.NewContainerClusterSpanClient(connector)
+
+	policyPath := d.Get("policy_path").(string)
+	domain := getDomainFromResourcePath(policyPath)
+	policyID := getPolicyIDFromPath(policyPath)
+
+	id, err := getOrGenerateID(d, m, resourceNsxtPolicySecurityPolicyContainerClusterExistsPartial(d, m, policyPath))
+	if err != nil {
+		return err
+	}
+
+	displayName := d.Get("display_name").(string)
+	description := d.Get("description").(string)
+	containerClusterPath := d.Get("container_cluster_path").(string)
+	tags := getPolicyTagsFromSchema(d)
+
+	obj := model.SecurityPolicyContainerCluster{
+		DisplayName:          &displayName,
+		Description:          &description,
+		Tags:                 tags,
+		ContainerClusterPath: &containerClusterPath,
+	}
+
+	err = client.Patch(domain, policyID, id, obj)
+	if err != nil {
+		return handleCreateError("SecurityPolicyContainerCluster", id, err)
+	}
+
+	d.SetId(id)
+	d.Set("nsx_id", id)
+
+	return resourceNsxtPolicySecurityPolicyContainerClusterRead(d, m)
+}
+
+func resourceNsxtPolicySecurityPolicyContainerClusterRead(d *schema.ResourceData, m interface{}) error {
+	connector := getPolicyConnector(m)
+
+	id := d.Id()
+	if id == "" {
+		return fmt.Errorf("Error obtaining SecurityPolicyContainerCluster ID")
+	}
+	policyPath := d.Get("policy_path").(string)
+	domain := getDomainFromResourcePath(policyPath)
+	policyID := getPolicyIDFromPath(policyPath)
+
+	client := security_policies.NewContainerClusterSpanClient(connector)
+
+	obj, err := client.Get(domain, policyID, id)
+	if err != nil {
+		return handleReadError(d, "SecurityPolicyContainerCluster", id, err)
+	}
+
+	setPolicyTagsInSchema(d, obj.Tags)
+	d.Set("nsx_id", id)
+	d.Set("display_name", obj.DisplayName)
+	d.Set("description", obj.Description)
+	d.Set("revision", obj.Revision)
+	d.Set("path", obj.Path)
+	d.Set("container_cluster_path", obj.ContainerClusterPath)
+
+	return nil
+}
+
+func resourceNsxtPolicySecurityPolicyContainerClusterUpdate(d *schema.ResourceData, m interface{}) error {
+	connector := getPolicyConnector(m)
+
+	id := d.Id()
+	if id == "" {
+		return fmt.Errorf("Error obtaining SecurityPolicyContainerCluster ID")
+	}
+
+	policyPath := d.Get("policy_path").(string)
+	domain := getDomainFromResourcePath(policyPath)
+	policyID := getPolicyIDFromPath(policyPath)
+	description := d.Get("description").(string)
+	displayName := d.Get("display_name").(string)
+	tags := getPolicyTagsFromSchema(d)
+	containerClusterPath := d.Get("container_cluster_path").(string)
+
+	revision := int64(d.Get("revision").(int))
+
+	obj := model.SecurityPolicyContainerCluster{
+		DisplayName:          &displayName,
+		Description:          &description,
+		Tags:                 tags,
+		Revision:             &revision,
+		ContainerClusterPath: &containerClusterPath,
+	}
+
+	client := security_policies.NewContainerClusterSpanClient(connector)
+	_, err := client.Update(domain, policyID, id, obj)
+	if err != nil {
+		return handleUpdateError("SecurityPolicyContainerCluster", id, err)
+	}
+
+	return resourceNsxtPolicySecurityPolicyContainerClusterRead(d, m)
+}
+
+func resourceNsxtPolicySecurityPolicyContainerClusterDelete(d *schema.ResourceData, m interface{}) error {
+	id := d.Id()
+	if id == "" {
+		return fmt.Errorf("Error obtaining SecurityPolicyContainerCluster ID")
+	}
+	policyPath := d.Get("policy_path").(string)
+	domain := getDomainFromResourcePath(policyPath)
+	policyID := getPolicyIDFromPath(policyPath)
+
+	connector := getPolicyConnector(m)
+
+	client := security_policies.NewContainerClusterSpanClient(connector)
+	err := client.Delete(domain, policyID, id)
+
+	if err != nil {
+		return handleDeleteError("SecurityPolicyContainerCluster", id, err)
+	}
+
+	return nil
+}
+
+func nsxtSecurityPolicyContainerClusterImporter(d *schema.ResourceData, m interface{}) ([]*schema.ResourceData, error) {
+	importID := d.Id()
+	rd, err := nsxtPolicyPathResourceImporterHelper(d, m)
+	if err != nil {
+		return rd, err
+	}
+	ruleIdx := strings.Index(importID, "container-cluster-span")
+	if ruleIdx <= 0 {
+		return nil, fmt.Errorf("invalid path of SecurityPolicyContainerCluster to import")
+	}
+	d.Set("policy_path", importID[:ruleIdx-1])
+	return []*schema.ResourceData{d}, nil
+}