Showing posts with label Terraform.

Wednesday, June 1, 2022

How to filter NSX-T GET API call

I faced a small issue today. I create all the NSX-T segments with Terraform, and one of my customers asked me to enable DHCP relay on his segment; he also told me that we will need to do the same for other NSX-T segments in the future.


As I am lazy, I started to think about how I could automate this kind of request, and I found two possibilities:

1. Give him a way to edit his Terraform configuration file. That would give him high privileges on NSX-T, which is not a good idea at all.

2. Create a vRO workflow for him in which he enters the segment name, and the workflow adds the DHCP relay configuration to his segment.


I decided to proceed with the second option, and I found two issues:

1. I have to add a lifecycle block to the NSX-T segment resource in Terraform, to avoid the DHCP relay change being rolled back during the next apply :-)

2. I have to get the LSW (the segment) by its name via the API, to be able to edit it and make the POST API call with the DHCP relay config.


The second point was really tough, because the segments were created via Terraform and have random IDs in their API path, so I had to find a way to get the segment by its name rather than by its API path.


Making a GET API call to the URL below, after editing it with your data, will return the segment:


https://YOUR_NSX_T_FQDN/policy/api/v1/search/query?query=display_name:YOUR_SEGMENT_NAME
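The lookup above, as an added stand-alone Python example (not the blog's vRO workflow): it builds the search URL from the post, then filters the response client-side so that only exactly one Segment with the exact display_name is accepted, since the search query can also return groups, partial-name matches, or nothing. Assumed: NSX_USER and NSX_PASSWORD environment variables hold credentials for HTTP Basic auth, and the sample response is constructed.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Added example, not the blog's vRO workflow. Assumed: NSX_USER and NSX_PASSWORD
# environment variables hold credentials for HTTP Basic auth against the NSX-T API.

def build_search_url(nsx_fqdn: str, segment_name: str) -> str:
    """The search URL from the post, with the segment name URL-encoded."""
    query = "display_name:" + segment_name
    return (f"https://{nsx_fqdn}/policy/api/v1/search/query?"
            f"query={urllib.parse.quote(query, safe=':')}")

def pick_segment_path(search_response: dict, segment_name: str) -> str:
    """Return the policy path of exactly one Segment with this display_name.
    Other resource types, partial-name matches and empty results are rejected,
    so the DHCP relay config is never posted to the wrong object."""
    hits = [r for r in search_response.get("results", [])
            if r.get("resource_type") == "Segment"
            and r.get("display_name") == segment_name]
    if len(hits) != 1:
        raise LookupError(f"expected one Segment named {segment_name!r}, "
                          f"found {len(hits)}")
    return hits[0]["path"]

def fetch_json(url: str) -> dict:
    """GET url over HTTPS (certificate verified) with Basic auth from the env."""
    creds = f"{os.environ['NSX_USER']}:{os.environ['NSX_PASSWORD']}".encode()
    req = urllib.request.Request(url, headers={
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def find_segment_path(nsx_fqdn: str, segment_name: str, fetch=fetch_json) -> str:
    """Look the segment up by name; `fetch` is injectable for offline use."""
    return pick_segment_path(fetch(build_search_url(nsx_fqdn, segment_name)),
                             segment_name)

# Constructed sample response (shape of a search result, values made up): the exact
# name also appears on a Group, and a second Segment has a longer name.
SAMPLE_RESPONSE = {"results": [
    {"resource_type": "Segment", "display_name": "LSW-VMC-5-01",
     "path": "/infra/segments/11111111-2222-4333-8444-555555555555"},
    {"resource_type": "Segment", "display_name": "LSW-VMC-5-01-old",
     "path": "/infra/segments/66666666-7777-4888-8999-000000000000"},
    {"resource_type": "Group", "display_name": "LSW-VMC-5-01",
     "path": "/infra/domains/cgw/groups/LSW-VMC-5-01"}]}
```

Against a live manager, call find_segment_path(fqdn, name) with the default fetch; the returned path is the one to use for the follow-up DHCP relay configuration call.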

Sunday, May 15, 2022

Set Env. variable for Terraform on Windows

We will explain how you can put your Terraform variable in your Windows environment variables.

Note: you can, for example, put your VMC token in your Windows environment variables. This saves you from two things:

1. Putting the token in the code itself, which is not recommended at all for security reasons.

2. Typing the token every time you plan or apply the code.


Note: The variable name below depends on the variable name in your code: Terraform reads an environment variable named TF_VAR_<name> as the value of the input variable <name>.


Set-Item -Path env:TF_VAR_token -Value "token_value"


To set the backend access key and secret key:


Set-Item -Path env:AWS_ACCESS_KEY_ID -Value "xyxyxyxyxyx12345"

Set-Item -Path env:AWS_SECRET_ACCESS_KEY -Value "abcabcabcabcabcabcabc12345"


Source: https://www.terraform.io/language/settings/backends/s3 

Monday, March 28, 2022

NSX-T resources in VMC

 

We will create some NSX components on VMC via Terraform


1.1. Segments

You have to use the resource nsxt_policy_fixed_segment; if you try to use the normal segment resource of on-premises NSX-T, it will not work and you will get an error.


# you can replace the variables with names or numbers as you like

resource "nsxt_policy_fixed_segment" "projectLSW" {
  display_name      = "LSW-VMC-${var.lswNumber}-01"
  connectivity_path = var.connectivity_path

  subnet {
    cidr = var.subnet
  }
  tag {
    scope = "LSW"
    tag   = "LSW-VMC-${var.lswNumber}-01"
  }
  advanced_config {
    connectivity = "ON"
  }
}


1.2. SEC Groups


Whenever you create a group in VMC, you have to specify the domain of this group. The domain will be either cgw or mgw:

cgw: used for compute groups, which are referenced in the compute gateway FW rules

mgw: used for management groups, which are referenced in the management gateway FW rules


# the below SEC group will have the LSW as a member (it matches the tag we are applying on the segment)

resource "nsxt_policy_group" "projectSG" {
  display_name = "SG-VMC-VPC-${var.lswNumber}"
  domain       = "cgw"
  criteria {
    condition {
      key         = "Tag"
      member_type = "Segment"
      operator    = "EQUALS"
      value       = "LSW-VMC-${var.lswNumber}-01"
    }
  }
}


1.3. IP SET

# NSX-T is unlike NSX-V: you have to create a SEC group and put your subnet as a member of it, because there is no option to create an IPSET directly

 

resource "nsxt_policy_group" "SG-IPSET-5_5_5_5_32-To-VPC-7e" {
  display_name = "SG-IPSET-5_5_5_5_32-To-VPC-7e"
  domain       = "cgw"
  criteria {
    ipaddress_expression {
      ip_addresses = ["5.5.5.5"]
    }
  }
}



1.4. Service


resource "nsxt_policy_service" "SRV-TCP-P-4444" {
  display_name = "SRV-TCP-P-4444"

  l4_port_set_entry {
    display_name      = "SRV-TCP-P-4444"
    protocol          = "TCP"
    destination_ports = ["4444"]
  }
}




1.5. SEC TAG


# I am using a dummy VM here to apply all the NSX-T tags to it, because if a tag is not applied to any resource, NSX will delete it automatically


resource "nsxt_policy_vm_tags" "projectTAGs" {
  instance_id = var.vmBIOS

  tag {
    scope = "FWP"
    tag   = "FWP-${var.lswNumber}-Dummy"
  }
}



1.6. FW Policy


Whenever you create a FW policy, you have to specify the domain of the policy. The domain will be either cgw or mgw.


resource "nsxt_policy_security_policy" "projectFWP" {
  display_name = "FWP-VPC-${var.lswNumber}"
  category     = "Application"
  scope        = [nsxt_policy_group.projectSG.path]
  domain       = "cgw"
  locked       = false
  stateful     = true
  tcp_strict   = false
}



Terraform on VMC series

It will be a small series to show you how you can use Terraform on your VMware Cloud on AWS environment.


  1. Collecting the needed information: Part-1
  2. Generate your Token: Part-2
  3. Create your first resource on VMC: Part-3
  4. Create some NSX-T resources on VMC via Terraform: Part-4
  5. Full example with LSW, SG, FW Policy and FW rule: Part-5
  6. Create env. variable for your Terraform variable: Part-6

Monday, March 14, 2022

Using Terraform on NSX-T on VMC/AWS - Part 3

 Create your first resource on VMC via Terraform


The HCL code is on GitHub:


terraform {
  required_providers {
    nsxt = {
      source  = "vmware/nsxt"
      version = "3.2.5"
    }
  }
}

# The below Token and NSX host are just for explanation :-) , they are not real data

provider "nsxt" {
  host                 = "https://nsx-1-38-60-79.rp.vmwarevmc.com/vmc/reverse-proxy/api/orgs/53045f5a-59f7-4921-8bcb-0b09e8c3ac16/sddcs/24163dc6-2b22-475b-b197-167932ef5124/sks-nsxt-manager"
  vmc_token            = "12345IZf8Elb9VFTorfvnoyk6CsDXi15678utfdsFHfdsdafsadfasfIUTdghuy7815"
  allow_unverified_ssl = true # skips TLS certificate verification of the NSX endpoint
  enforcement_point    = "vmc-enforcementpoint"
}


resource "nsxt_policy_fixed_segment" "Terraform-segment1" {
  display_name      = "Terraform-segment1"
  description       = "Terraform provisioned Segment"
  connectivity_path = "/infra/tier-1s/cgw"

  subnet {
    cidr        = "12.12.2.1/24"
    dhcp_ranges = ["12.12.2.100-12.12.2.160"]

    dhcp_v4_config {
      server_address = "12.12.2.2/24"
      lease_time     = 36000
    }
  }
}

Using Terraform on NSX-T on VMC/AWS - Part 2

How can you generate an access token for your account on VMC?

  • Open your VMC portal https://console.cloud.vmware
  • Write your username and password
  • In the top right corner, click on your account and choose My Account

  • Press on API Tokens 
  • Press on generate Token.
  • Write your Token name.
  • Choose your token TTL (as per your company policy; I chose "never expire" because this is just a demo)

  • Copy your Token and keep it in a secure place.

Using Terraform on NSX-T on VMC/AWS - Part 1

How to use Terraform on NSX-T on VMC/AWS?


The first step is to collect the needed information like your NSX-T host on your VMC environment.

The second step is to create an access token for your account, to be able to connect to NSX-T.


1. How to get your NSX-T host on your VMC env.:

  1.  Login to your VMC env.
  2.  Choose VMware Cloud on AWS
  3.  Choose Inventory
  4.  Choose your SDDC 
  5.  Choose developer Center
  6.  Press on VMware Cloud on AWS
  7.  Press on Notifications 2
  8.  Press on NSX VMC Policy API
  9.  Choose your SDDC one more time, in case you have more than 1 SDDC
  10.  Copy your NSX-T host proxy from the service information part 

It should look like this:

https://nsx-1-38-60-79.rp.vmwarevmc.com/vmc/reverse-proxy/api/orgs/53045f5a-59f7-4921-8bcb-0b09e8c3ac16/sddcs/24163dc6-2b22-475b-b197-167932ef5124





You will need to append /sks-nsxt-manager to the end of your host URL.


So in Terraform your host will look like this:

host = "https://nsx-1-38-60-79.rp.vmwarevmc.com/vmc/reverse-proxy/api/orgs/53045f5a-59f7-4921-8bcb-0b09e8c3ac16/sddcs/24163dc6-2b22-475b-b197-167932ef5124/sks-nsxt-manager"

In the second article I will show you how you can create an access token for yourself, to be able to authenticate with it and create some resources with Terraform.

Wednesday, March 2, 2022

Create NSX-T TAG and Security Group match on this TAG with Terraform

How to create an NSX-T tag and a Security Group that matches on this tag with Terraform?


resource "nsxt_policy_vm_tags" "VM123TAG" {
  # you can get the vmBIOS from the NSX-T GUI: go to Inventory and then Virtual Machines
  instance_id = var.vmBIOS

  tag {
    scope = "FWP"
    tag   = "FWP-VPC-1000e-on-P15172"
  }
}


resource "nsxt_policy_group" "SG-FWP-VPC-1000e-on-P15172" {
  display_name = "SG-FWP-VPC-1000e-on-P15172"

  criteria {
    condition {
      key         = "Tag"
      member_type = "VirtualMachine"
      operator    = "EQUALS"
      value       = "FWP|FWP-VPC-1000e-on-P15172"
    }
  }
}

Create NSX-T Service with Terraform

How to create an NSX-T Service with Terraform?


resource "nsxt_policy_service" "SRV-TCP-P-22-SSH" {
  display_name = "SRV-TCP-P-22-SSH"

  l4_port_set_entry {
    display_name      = "SRV-TCP-P-22-SSH"
    protocol          = "TCP"
    destination_ports = ["22"]
  }
}

Create Service Group on NSX-T with Terraform

How to create a Service Group on NSX-T with Terraform?


resource "nsxt_policy_service" "SRV-GRP-TCP-P-1024-To-1064-443-22" {
  display_name = "SRV-GRP-TCP-P-1024-To-1064-443-22"

  l4_port_set_entry {
    display_name      = "SRV-TCP-P-1024-To-1064"
    protocol          = "TCP"
    destination_ports = ["1024-1064"]
  }

  l4_port_set_entry {
    display_name      = "SRV-TCP-P-443"
    protocol          = "TCP"
    destination_ports = ["443"]
  }

  l4_port_set_entry {
    display_name      = "SRV-TCP-P-22-ssh"
    protocol          = "TCP"
    destination_ports = ["22"]
  }
}

Tuesday, March 1, 2022

Create NSX-T IPSET with Terraform

How to create an NSX-T IPSET with Terraform?


resource "nsxt_policy_group" "SG-IPSET-172_25_11_104_32" {
  display_name = "SG-IPSET-172_25_11_104_32"

  criteria {
    ipaddress_expression {
      ip_addresses = ["172.25.11.104"]
    }
  }
}


Note: you are free to use any resource name and display name you prefer, but in my opinion this is the best naming scheme, because once you see it in the GUI you immediately know which IP or subnet is included in this IPSET.

Monday, February 14, 2022

Upgrade Terraform Provider


I am going to upgrade the Terraform provider which I am using for my NSX-T.

First you have to put the new provider version in your main.tf file:


terraform {
  required_providers {
    nsxt = {
      source  = "vmware/nsxt"
      version = "3.2.5"
    }
  }
}


Second, execute the command below:

 .\terraform init -upgrade


Once you execute the above command, you will get output like the screenshot below, which means that you upgraded your Terraform provider successfully.







 

NSX-T (local log in) with VIDM integration

We will explain how to log in with a local account to your NSX-T which integrated with VIDM. We integrated our NSX-T into the VIDM. We had a...