Monday, March 28, 2022

NSX-T resources in VMC


We will create some NSX components on VMC via Terraform.


1.1. Segments

You have to use the resource nsxt_policy_fixed_segment. If you try to use the normal segment resource of on-premises NSX-T, it will not work and you will get an error.


# you can replace the variables with names or numbers as you like

resource "nsxt_policy_fixed_segment" "projectLSW" {
  display_name      = "LSW-VMC-${var.lswNumber}-01"
  connectivity_path = var.connectivity_path

  subnet {
    cidr = var.subnet
  }
  tag {
    scope = "LSW"
    tag   = "LSW-VMC-${var.lswNumber}-01"
  }
  advanced_config {
    connectivity = "ON"
  }
}


1.2. SEC Groups


Whenever you create a group in VMC, you have to specify the domain of the group. The domain will be either cgw or mgw:

cgw: used for compute groups, which are referenced in the compute gateway FW rules

mgw: used for management groups, which are referenced in the management gateway FW rules


# the below SEC Group will have the LSW as a member (it matches the tag we applied on the segment)

resource "nsxt_policy_group" "projectSG" {
  display_name = "SG-VMC-VPC-${var.lswNumber}"
  domain       = "cgw"
  criteria {
    condition {
      key         = "Tag"
      member_type = "Segment"
      operator    = "EQUALS"
      value       = "LSW-VMC-${var.lswNumber}-01"
    }
  }
}


1.3. IP SET

# NSX-T is unlike NSX-V: there is no option to create an IPSET directly, so you create a SEC group and put your IP or subnet in it as a member

resource "nsxt_policy_group" "SG-IPSET-5_5_5_5_32-To-VPC-7e" {
  display_name = "SG-IPSET-5_5_5_5_32-To-VPC-7e"
  domain       = "cgw"
  criteria {
    ipaddress_expression {
      ip_addresses = ["5.5.5.5"]
    }
  }
}



1.4. Service


resource "nsxt_policy_service" "SRV-TCP-P-4444" {
  display_name = "SRV-TCP-P-4444"

  l4_port_set_entry {
    display_name      = "SRV-TCP-P-4444"
    protocol          = "TCP"
    destination_ports = ["4444"]
  }
}




1.5. SEC TAG


# I am using a dummy VM here to apply all the NSX-T tags on it, because if a tag is not applied on any resource, NSX will delete it automatically


resource "nsxt_policy_vm_tags" "projectTAGs" {
  instance_id = var.vmBIOS
  tag {
    scope = "FWP"
    tag   = "FWP-${var.lswNumber}-Dummy"
  }
}



1.6. FW Policy


Whenever you create a FW policy, you have to specify the domain of the policy. The domain will be either cgw or mgw.


resource "nsxt_policy_security_policy" "projectFWP" {
  display_name = "FWP-VPC-${var.lswNumber}"
  category     = "Application"
  scope        = [nsxt_policy_group.projectSG.path]
  domain       = "cgw"
  locked       = false
  stateful     = true
  tcp_strict   = false
}
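As an added example (not part of the original post), here is the 1.6 policy completed with rule blocks that reference the SEC group, the IPSET group and the service defined earlier in this post. It uses the same resource address, so it is meant in place of the rule-less block above, not alongside it; the rule names and the choice to end with a logged drop are my assumptions.

```hcl
# Added example, not from the original post: FW policy with rules tying together
# projectSG (1.2), the IPSET group (1.3) and the TCP/4444 service (1.4).
resource "nsxt_policy_security_policy" "projectFWP" {
  display_name = "FWP-VPC-${var.lswNumber}"
  category     = "Application"
  domain       = "cgw"
  scope        = [nsxt_policy_group.projectSG.path] # applied-to: only the LSW group
  locked       = false
  stateful     = true
  tcp_strict   = false

  # Rule 1 (hypothetical name): allow TCP/4444 from the IPSET group to the LSW group.
  rule {
    display_name       = "Allow-IPSET-to-VPC-${var.lswNumber}-TCP-4444"
    source_groups      = [nsxt_policy_group.SG-IPSET-5_5_5_5_32-To-VPC-7e.path]
    destination_groups = [nsxt_policy_group.projectSG.path]
    services           = [nsxt_policy_service.SRV-TCP-P-4444.path]
    action             = "ALLOW"
    logged             = true
  }

  # Rule 2 (hypothetical name): anything else towards the LSW group is dropped and
  # logged here, instead of being left to whatever the default DFW rule does.
  rule {
    display_name       = "Drop-Any-to-VPC-${var.lswNumber}"
    destination_groups = [nsxt_policy_group.projectSG.path]
    action             = "DROP"
    logged             = true
  }
}
```

Rules are evaluated top to bottom within the policy, so keep the specific allow above the catch-all drop.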



Terraform on VMC series

It will be a small series to show you how you can use Terraform on your VMware Cloud on AWS environment.


  1. Collecting the needed information: Part-1
  2. Generate your Token: Part-2
  3. Create your first resource on VMC: Part-3
  4. Create some NSX-T resources on VMC via Terraform: Part-4
  5. Full example with LSW, SG, FW Policy and FW rule: Part-5
  6. Create env. variable for your Terraform variable: Part-6

Monday, March 14, 2022

Using Terraform on NSX-T on VMC/AWS - Part 3

 Create your first resource on VMC via Terraform


The HCL code on GitHub


terraform {
  required_providers {
    nsxt = {
      source  = "vmware/nsxt"
      version = "3.2.5"
    }
  }
}

# The below Token and NSX host are just for explanation :-) , they are not real data

provider "nsxt" {
  host                 = "https://nsx-1-38-60-79.rp.vmwarevmc.com/vmc/reverse-proxy/api/orgs/53045f5a-59f7-4921-8bcb-0b09e8c3ac16/sddcs/24163dc6-2b22-475b-b197-167932ef5124/sks-nsxt-manager"
  vmc_token            = "12345IZf8Elb9VFTorfvnoyk6CsDXi15678utfdsFHfdsdafsadfasfIUTdghuy7815"
  allow_unverified_ssl = true
  enforcement_point    = "vmc-enforcementpoint"
}

resource "nsxt_policy_fixed_segment" "Terraform-segment1" {
  display_name      = "Terraform-segment1"
  description       = "Terraform provisioned Segment"
  connectivity_path = "/infra/tier-1s/cgw"

  subnet {
    cidr        = "12.12.2.1/24"
    dhcp_ranges = ["12.12.2.100-12.12.2.160"]

    dhcp_v4_config {
      server_address = "12.12.2.2/24"
      lease_time     = 36000
    }
  }
}

Using Terraform on NSX-T on VMC/AWS - Part 2

 How can you generate an access token for your account on VMC?

  • Open your VMC portal https://console.cloud.vmware
  • Enter your username and password
  • In the top right corner, click your account and choose My Account
  • Click API Tokens
  • Click Generate Token
  • Enter your token name
  • Choose your token TTL (as per your company policy; I chose never expire because this is just a demo)
  • Copy your token and keep it in a secure place.
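As an added example (not part of the original post), this is one way to hand the token to the provider without writing it into the HCL file: the variable is marked sensitive so Terraform redacts it from plan and apply output, and its value comes from the TF_VAR_vmc_token environment variable. The variable names and the file split are my assumptions.

```hcl
# Added example, not from the original post.
# variables.tf
variable "vmc_token" {
  description = "VMC API token generated under My Account > API Tokens"
  type        = string
  sensitive   = true # redacted in `terraform plan` / `terraform apply` output
}

variable "nsxt_host" {
  description = "NSX-T reverse-proxy URL of the SDDC, ending in /sks-nsxt-manager"
  type        = string
}

# provider.tf
provider "nsxt" {
  host              = var.nsxt_host
  vmc_token         = var.vmc_token
  enforcement_point = "vmc-enforcementpoint"
  # Keep TLS verification on; only flip this to true once you have confirmed the
  # endpoint really cannot present a certificate your workstation trusts.
  allow_unverified_ssl = false
}

# Supply the values from the shell instead of a .tfvars file that may end up in git:
#   export TF_VAR_vmc_token='<token copied from the API Tokens page>'
#   export TF_VAR_nsxt_host='https://<your NSX-T host>/sks-nsxt-manager'
#   terraform plan
```

The token is still written in clear text to terraform.tfstate, so protect the state file (remote backend, restricted access) as carefully as the token itself.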

Using Terraform on NSX-T on VMC/AWS - Part 1

 How to use Terraform on NSX-T on VMC/AWS?


The first step is to collect the needed information, such as the NSX-T host of your VMC environment.

The second step is to create an access token for your account so that you can connect to NSX-T.


1. How to get your NSX-T host on your VMC env.:

  1.  Log in to your VMC env.
  2.  Choose VMware Cloud on AWS
  3.  Choose Inventory
  4.  Choose your SDDC
  5.  Choose Developer Center
  6.  Click VMware Cloud on AWS
  7.  Click Notifications 2
  8.  Click NSX VMC Policy API
  9.  Choose your SDDC one more time, in case you have more than one SDDC
  10. Copy your NSX-T host proxy from the Service Information part

 It should be something like this:

https://nsx-1-38-60-79.rp.vmwarevmc.com/vmc/reverse-proxy/api/orgs/53045f5a-59f7-4921-8bcb-0b09e8c3ac16/sddcs/24163dc6-2b22-475b-b197-167932ef5124

You will need to add /sks-nsxt-manager at the end of the host URL.

So in Terraform your host will look like this:

host = "https://nsx-1-38-60-79.rp.vmwarevmc.com/vmc/reverse-proxy/api/orgs/53045f5a-59f7-4921-8bcb-0b09e8c3ac16/sddcs/24163dc6-2b22-475b-b197-167932ef5124/sks-nsxt-manager"

In the second article I will show you how you can create an access token for yourself, so that you can authenticate with it and create some resources with Terraform.

Wednesday, March 2, 2022

Create NSX-T TAG and Security Group match on this TAG with Terraform

 How to create an NSX-T TAG and a Security Group that matches on this TAG with Terraform?


# you can get the vmBIOS from the NSX-T GUI: go to Inventory and then Virtual Machines

resource "nsxt_policy_vm_tags" "VM123TAG" {
  instance_id = var.vmBIOS

  tag {
    scope = "FWP"
    tag   = "FWP-VPC-1000e-on-P15172"
  }
}

resource "nsxt_policy_group" "SG-FWP-VPC-1000e-on-P15172" {
  display_name = "SG-FWP-VPC-1000e-on-P15172"

  criteria {
    condition {
      key         = "Tag"
      member_type = "VirtualMachine"
      operator    = "EQUALS"
      value       = "FWP|FWP-VPC-1000e-on-P15172"
    }
  }
}

Create NSX-T Service with Terraform

 How to create an NSX-T Service with Terraform?


resource "nsxt_policy_service" "SRV-TCP-P-22-SSH" {
  display_name = "SRV-TCP-P-22-SSH"

  l4_port_set_entry {
    display_name      = "SRV-TCP-P-22-SSH"
    protocol          = "TCP"
    destination_ports = ["22"]
  }
}

Create Service Group on NSX-T with Terraform

 How to create a Service Group on NSX-T with Terraform?


resource "nsxt_policy_service" "SRV-GRP-TCP-P-1024-To-1064-443-22" {
  display_name = "SRV-GRP-TCP-P-1024-To-1064-443-22"

  l4_port_set_entry {
    display_name      = "SRV-TCP-P-1024-To-1064"
    protocol          = "TCP"
    destination_ports = ["1024-1064"]
  }

  l4_port_set_entry {
    display_name      = "SRV-TCP-P-443"
    protocol          = "TCP"
    destination_ports = ["443"]
  }

  l4_port_set_entry {
    display_name      = "SRV-TCP-P-22-ssh"
    protocol          = "TCP"
    destination_ports = ["22"]
  }
}

Tuesday, March 1, 2022

Create NSX-T IPSET with Terraform

 How to create an NSX-T IPSET with Terraform?


resource "nsxt_policy_group" "SG-IPSET-172_25_11_104_32" {
  display_name = "SG-IPSET-172_25_11_104_32"

  criteria {
    ipaddress_expression {
      ip_addresses = ["172.25.11.104"]
    }
  }
}


Note: you are free to use any resource name and display name you prefer, but from my point of view this is the best way of naming, because once you see it in the GUI you immediately know which IP or subnet is included in this IPSET.

NSX-T (local log in) with VIDM integration

We will explain how to log in with a local account to your NSX-T which is integrated with VIDM. We integrated our NSX-T into the VIDM. We had a...