Added policy_based_vpn_mode to NAT resource

Signed-off-by: Wouter van der Waal <w.vanderwaal@iqmessenger.com>
vmware · Mar 7, 2024 · 4cbf619 · 4cbf619
1 parent 0c0ec19
commit 4cbf619
Show file tree

Hide file tree

Showing 3 changed files with 93 additions and 56 deletions.
diff --git a/nsxt/resource_nsxt_policy_nat_rule.go b/nsxt/resource_nsxt_policy_nat_rule.go
@@ -34,6 +34,11 @@ var policyNATRuleFirewallMatchTypeValues = []string{
 	model.PolicyNatRule_FIREWALL_MATCH_BYPASS,
 }
 
+var policyNATRulePolicyBasedVpnModeTypeValues = []string{
+	model.PolicyNatRule_POLICY_BASED_VPN_MODE_BYPASS,
+	model.PolicyNatRule_POLICY_BASED_VPN_MODE_MATCH,
+}
+
 func resourceNsxtPolicyNATRule() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceNsxtPolicyNATRuleCreate,
@@ -131,6 +136,13 @@ func resourceNsxtPolicyNATRule() *schema.Resource {
 				Computed:    true,
 				Elem:        getElemPolicyPathSchema(),
 			},
+			"policy_based_vpn_mode": {
+				Type:         schema.TypeString,
+				Description:  "Policy based vpn mode match flag. DNAT only",
+				Optional:     true,
+				Default:      model.PolicyNatRule_POLICY_BASED_VPN_MODE_BYPASS,
+				ValidateFunc: validation.StringInSlice(policyNATRulePolicyBasedVpnModeTypeValues, false),
+			},
 		},
 	}
 }
@@ -263,6 +275,7 @@ func resourceNsxtPolicyNATRuleRead(d *schema.ResourceData, m interface{}) error
 	}
 	d.Set("translated_ports", obj.TranslatedPorts)
 	d.Set("scope", obj.Scope)
+	d.Set("policy_based_vpn_mode", obj.PolicyBasedVpnMode)
 
 	d.SetId(id)
 
@@ -305,6 +318,7 @@ func resourceNsxtPolicyNATRuleCreate(d *schema.ResourceData, m interface{}) erro
 	priority := int64(d.Get("rule_priority").(int))
 	service := d.Get("service").(string)
 	ports := d.Get("translated_ports").(string)
+	pbvmMatch := d.Get("policy_based_vpn_mode").(string)
 	dNets := stringListToCommaSeparatedString(interfaceListToStringList(d.Get("destination_networks").([]interface{})))
 	sNets := stringListToCommaSeparatedString(interfaceListToStringList(d.Get("source_networks").([]interface{})))
 	tNets := stringListToCommaSeparatedString(interfaceListToStringList(d.Get("translated_networks").([]interface{})))
@@ -334,6 +348,9 @@ func resourceNsxtPolicyNATRuleCreate(d *schema.ResourceData, m interface{}) erro
 	if ports != "" {
 		ruleStruct.TranslatedPorts = &ports
 	}
+	if pbvmMatch != "" {
+		ruleStruct.PolicyBasedVpnMode = &pbvmMatch
+	}
 
 	log.Printf("[INFO] Creating NAT Rule with ID %s", id)
 
@@ -404,6 +421,10 @@ func resourceNsxtPolicyNATRuleUpdate(d *schema.ResourceData, m interface{}) erro
 	if tPorts != "" {
 		ruleStruct.TranslatedPorts = &tPorts
 	}
+	pbvmMatch := d.Get("policy_based_vpn_mode").(string)
+	if pbvmMatch != "" {
+		ruleStruct.PolicyBasedVpnMode = &pbvmMatch
+	}
 
 	log.Printf("[INFO] Updating NAT Rule with ID %s", id)
 	err := patchNsxtPolicyNATRule(context, connector, gwID, ruleStruct, isT0)

diff --git a/nsxt/resource_nsxt_policy_nat_rule_test.go b/nsxt/resource_nsxt_policy_nat_rule_test.go
@@ -92,6 +92,7 @@ func testAccResourceNsxtPolicyNATRuleBasicT1(t *testing.T, withContext bool, pre
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "action", action),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "logging", "false"),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "firewall_match", model.PolicyNatRule_FIREWALL_MATCH_BYPASS),
+					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "policy_based_vpn_mode", model.PolicyNatRule_POLICY_BASED_VPN_MODE_BYPASS),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "path"),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "revision"),
 				),
@@ -112,6 +113,7 @@ func testAccResourceNsxtPolicyNATRuleBasicT1(t *testing.T, withContext bool, pre
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "action", action),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "logging", "false"),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "firewall_match", model.PolicyNatRule_FIREWALL_MATCH_BYPASS),
+					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "policy_based_vpn_mode", model.PolicyNatRule_POLICY_BASED_VPN_MODE_BYPASS),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "path"),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "revision"),
 				),
@@ -131,6 +133,7 @@ func testAccResourceNsxtPolicyNATRuleBasicT1(t *testing.T, withContext bool, pre
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "action", action),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "logging", "false"),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "firewall_match", model.PolicyNatRule_FIREWALL_MATCH_MATCH_EXTERNAL_ADDRESS),
+					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "policy_based_vpn_mode", model.PolicyNatRule_POLICY_BASED_VPN_MODE_MATCH),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "path"),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "revision"),
 				),
@@ -169,6 +172,7 @@ func TestAccResourceNsxtPolicyNATRule_basicT0(t *testing.T) {
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "action", action),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "logging", "false"),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "firewall_match", model.PolicyNatRule_FIREWALL_MATCH_MATCH_EXTERNAL_ADDRESS),
+					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "policy_based_vpn_mode", model.PolicyNatRule_POLICY_BASED_VPN_MODE_BYPASS),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "scope.#", "2"),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "path"),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "revision"),
@@ -188,6 +192,7 @@ func TestAccResourceNsxtPolicyNATRule_basicT0(t *testing.T) {
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "action", action),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "logging", "false"),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "firewall_match", model.PolicyNatRule_FIREWALL_MATCH_MATCH_EXTERNAL_ADDRESS),
+					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "policy_based_vpn_mode", model.PolicyNatRule_POLICY_BASED_VPN_MODE_BYPASS),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "scope.#", "2"),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "path"),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "revision"),
@@ -277,6 +282,7 @@ func TestAccResourceNsxtPolicyNATRule_nat64T1(t *testing.T) {
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "action", action),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "logging", "false"),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "firewall_match", model.PolicyNatRule_FIREWALL_MATCH_BYPASS),
+					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "policy_based_vpn_mode", model.PolicyNatRule_POLICY_BASED_VPN_MODE_BYPASS),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "path"),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "revision"),
 				),
@@ -297,6 +303,7 @@ func TestAccResourceNsxtPolicyNATRule_nat64T1(t *testing.T) {
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "action", action),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "logging", "false"),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "firewall_match", model.PolicyNatRule_FIREWALL_MATCH_BYPASS),
+					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "policy_based_vpn_mode", model.PolicyNatRule_POLICY_BASED_VPN_MODE_BYPASS),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "path"),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "revision"),
 				),
@@ -334,6 +341,7 @@ func TestAccResourceNsxtPolicyNATRuleNoSnatWithoutTNet(t *testing.T) {
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "action", action),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "logging", "false"),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "firewall_match", model.PolicyNatRule_FIREWALL_MATCH_MATCH_EXTERNAL_ADDRESS),
+					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "policy_based_vpn_mode", model.PolicyNatRule_POLICY_BASED_VPN_MODE_BYPASS),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "path"),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "revision"),
 				),
@@ -352,6 +360,7 @@ func TestAccResourceNsxtPolicyNATRuleNoSnatWithoutTNet(t *testing.T) {
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "action", action),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "logging", "false"),
 					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "firewall_match", model.PolicyNatRule_FIREWALL_MATCH_MATCH_EXTERNAL_ADDRESS),
+					resource.TestCheckResourceAttr(testAccResourcePolicyNATRuleName, "policy_based_vpn_mode", model.PolicyNatRule_POLICY_BASED_VPN_MODE_BYPASS),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "path"),
 					resource.TestCheckResourceAttrSet(testAccResourcePolicyNATRuleName, "revision"),
 				),
@@ -455,16 +464,17 @@ data "nsxt_policy_service" "test" {
 
 resource "nsxt_policy_nat_rule" "test" {
 %s
-  display_name         = "%s"
-  description          = "Acceptance Test"
-  gateway_path         = nsxt_policy_tier1_gateway.test.path
-  action               = "%s"
-  source_networks      = ["%s"]
-  destination_networks = ["%s"]
-  translated_networks  = ["%s"]
-  logging              = false
-  firewall_match       = "%s"
-  service              = data.nsxt_policy_service.test.path 
+  display_name          = "%s"
+  description           = "Acceptance Test"
+  gateway_path          = nsxt_policy_tier1_gateway.test.path
+  action                = "%s"
+  source_networks       = ["%s"]
+  destination_networks  = ["%s"]
+  translated_networks   = ["%s"]
+  logging               = false
+  firewall_match        = "%s"
+  service               = data.nsxt_policy_service.test.path 
+  policy_based_vpn_mode = "%s"
 
   tag {
     scope = "scope1"
@@ -476,7 +486,7 @@ resource "nsxt_policy_nat_rule" "test" {
     tag   = "tag2"
   }
 }
-`, context, name, action, sourceNet, destNet, translatedNet, model.PolicyNatRule_FIREWALL_MATCH_BYPASS)
+`, context, name, action, sourceNet, destNet, translatedNet, model.PolicyNatRule_FIREWALL_MATCH_BYPASS, model.PolicyNatRule_POLICY_BASED_VPN_MODE_BYPASS)
 }
 
 func testAccNsxtPolicyNATRuleTier1UpdateMultipleSourceNetworksTemplate(name string, action string, sourceNet1 string, sourceNet2 string, destNet string, translatedNet string, withContext bool) string {
@@ -488,15 +498,16 @@ func testAccNsxtPolicyNATRuleTier1UpdateMultipleSourceNetworksTemplate(name stri
 		testAccNsxtPolicyTier1WithEdgeClusterTemplate("test", false, withContext) + fmt.Sprintf(`
 resource "nsxt_policy_nat_rule" "test" {
 %s
-  display_name         = "%s"
-  description          = "Acceptance Test"
-  gateway_path         = nsxt_policy_tier1_gateway.test.path
-  action               = "%s"
-  source_networks      = ["%s", "%s"]
-  destination_networks = ["%s"]
-  translated_networks  = ["%s"]
-  logging              = false
-  firewall_match       = "%s"
+  display_name          = "%s"
+  description           = "Acceptance Test"
+  gateway_path          = nsxt_policy_tier1_gateway.test.path
+  action                = "%s"
+  source_networks       = ["%s", "%s"]
+  destination_networks  = ["%s"]
+  translated_networks   = ["%s"]
+  logging               = false
+  firewall_match        = "%s"
+  policy_based_vpn_mode = "%s"
 
   tag {
     scope = "scope1"
@@ -508,7 +519,7 @@ resource "nsxt_policy_nat_rule" "test" {
     tag   = "tag2"
   }
 }
-`, context, name, action, sourceNet1, sourceNet2, destNet, translatedNet, model.PolicyNatRule_FIREWALL_MATCH_MATCH_EXTERNAL_ADDRESS)
+`, context, name, action, sourceNet1, sourceNet2, destNet, translatedNet, model.PolicyNatRule_FIREWALL_MATCH_MATCH_EXTERNAL_ADDRESS, model.PolicyNatRule_POLICY_BASED_VPN_MODE_MATCH)
 }
 
 func testAccNsxtPolicyNATRuleTier0CreateTemplate(name string, action string, sourceNet string, translatedNet string) string {
@@ -549,15 +560,16 @@ resource "nsxt_policy_tier0_gateway_interface" "test" {
 }
 
 resource "nsxt_policy_nat_rule" "test" {
-  display_name         = "%s"
-  description          = "Acceptance Test"
-  gateway_path         = nsxt_policy_tier0_gateway.test.path
-  action               = "%s"
-  source_networks      = ["%s"]
-  translated_networks  = ["%s"]
-  logging              = false
-  firewall_match       = "%s"
-  scope                = [nsxt_policy_tier0_gateway_interface.test[1].path, nsxt_policy_tier0_gateway_interface.test[0].path]
+  display_name          = "%s"
+  description           = "Acceptance Test"
+  gateway_path          = nsxt_policy_tier0_gateway.test.path
+  action                = "%s"
+  source_networks       = ["%s"]
+  translated_networks   = ["%s"]
+  logging               = false
+  firewall_match        = "%s"
+  scope                 = [nsxt_policy_tier0_gateway_interface.test[1].path, nsxt_policy_tier0_gateway_interface.test[0].path]
+  policy_based_vpn_mode = "%s"
 
   tag {
     scope = "scope1"
@@ -570,21 +582,22 @@ resource "nsxt_policy_nat_rule" "test" {
   }
 }
 
-`, interfaceSite, name, action, sourceNet, translatedNet, model.PolicyNatRule_FIREWALL_MATCH_MATCH_EXTERNAL_ADDRESS)
+`, interfaceSite, name, action, sourceNet, translatedNet, model.PolicyNatRule_FIREWALL_MATCH_MATCH_EXTERNAL_ADDRESS, model.PolicyNatRule_POLICY_BASED_VPN_MODE_BYPASS)
 }
 
 func testAccNsxPolicyNatRuleNoTranslatedNetworkTemplate(name string, action string, sourceNet string, destNet string) string {
 	return testAccNsxtPolicyEdgeClusterReadTemplate(getEdgeClusterName()) +
 		testAccNsxtPolicyTier1WithEdgeClusterTemplate("test", false, false) + fmt.Sprintf(`
 	resource "nsxt_policy_nat_rule" "test" {
-	  display_name         = "%s"
-	  description          = "Acceptance Test"
-	  gateway_path         = nsxt_policy_tier1_gateway.test.path
-	  action               = "%s"
-	  source_networks      = ["%s"]
-	  destination_networks = ["%s"]
-	  logging              = false
-	  firewall_match       = "%s"
+	  display_name          = "%s"
+	  description           = "Acceptance Test"
+	  gateway_path          = nsxt_policy_tier1_gateway.test.path
+	  action                = "%s"
+	  source_networks       = ["%s"]
+	  destination_networks  = ["%s"]
+	  logging               = false
+	  firewall_match        = "%s"
+	  policy_based_vpn_mode = "%s"
 	
 	  tag {
 		scope = "scope1"
@@ -596,5 +609,5 @@ func testAccNsxPolicyNatRuleNoTranslatedNetworkTemplate(name string, action stri
 		tag   = "tag2"
 	  }
 	}
-	`, name, action, sourceNet, destNet, model.PolicyNatRule_FIREWALL_MATCH_MATCH_EXTERNAL_ADDRESS)
+	`, name, action, sourceNet, destNet, model.PolicyNatRule_FIREWALL_MATCH_MATCH_EXTERNAL_ADDRESS, model.PolicyNatRule_POLICY_BASED_VPN_MODE_BYPASS)
 }
diff --git a/website/docs/r/policy_nat_rule.html.markdown b/website/docs/r/policy_nat_rule.html.markdown
@@ -15,14 +15,15 @@ This resource is applicable to NSX Global Manager, NSX Policy Manager and VMC.
 
 ```hcl
 resource "nsxt_policy_nat_rule" "dnat1" {
-  display_name         = "dnat_rule1"
-  action               = "DNAT"
-  source_networks      = ["9.1.1.1", "9.2.1.1"]
-  destination_networks = ["11.1.1.1"]
-  translated_networks  = ["10.1.1.1"]
-  gateway_path         = nsxt_policy_tier1_gateway.t1gateway.path
-  logging              = false
-  firewall_match       = "MATCH_INTERNAL_ADDRESS"
+  display_name          = "dnat_rule1"
+  action                = "DNAT"
+  source_networks       = ["9.1.1.1", "9.2.1.1"]
+  destination_networks  = ["11.1.1.1"]
+  translated_networks   = ["10.1.1.1"]
+  gateway_path          = nsxt_policy_tier1_gateway.t1gateway.path
+  logging               = false
+  firewall_match        = "MATCH_INTERNAL_ADDRESS"
+  policy_based_vpn_mode = "BYPASS"
 
   tag {
     scope = "color"
@@ -42,14 +43,15 @@ resource "nsxt_policy_nat_rule" "dnat1" {
   context {
     project_id = data.nsxt_policy_project.demoproj.id
   }
-  display_name         = "dnat_rule1"
-  action               = "DNAT"
-  source_networks      = ["9.1.1.1", "9.2.1.1"]
-  destination_networks = ["11.1.1.1"]
-  translated_networks  = ["10.1.1.1"]
-  gateway_path         = nsxt_policy_tier1_gateway.t1gateway.path
-  logging              = false
-  firewall_match       = "MATCH_INTERNAL_ADDRESS"
+  display_name          = "dnat_rule1"
+  action                = "DNAT"
+  source_networks       = ["9.1.1.1", "9.2.1.1"]
+  destination_networks  = ["11.1.1.1"]
+  translated_networks   = ["10.1.1.1"]
+  gateway_path          = nsxt_policy_tier1_gateway.t1gateway.path
+  logging               = false
+  firewall_match        = "MATCH_INTERNAL_ADDRESS"
+  policy_based_vpn_mode = "BYPASS"
 
   tag {
     scope = "color"
@@ -80,6 +82,7 @@ The following arguments are supported:
 * `translated_networks` - (Optional) A list of translated network IP addresses or CIDR.
 * `translated_ports` - (Optional) Port number or port range. For use with `DNAT` action only.
 * `scope` - (Optional) A list of paths to interfaces and/or labels where the NAT Rule is enforced.
+* `policy_based_vpn_mode` - (Optional) Policy based VPN mode. One of `BYPASS`, `MATCH`
 
 ## Attributes Reference