We have a new release of Terraform VMware Cloud Director Provider. Version 3.3.0 is now available, with some substantial improvements. We have expanded support for NSX-T with six new resources and corresponding data sources:

vcd_nsxt_security_group: groups VMs to which the firewall rules apply
vcd_nsxt_ip_set: groups IP addresses to which the firewall rules apply
vcd_nsxt_app_port_profile: allows users to combine a protocol and a port, or a group of ports, that are used for firewall and NAT services on NSX-T Edge Gateways
vcd_nsxt_firewall: controls incoming and outgoing network traffic to and from an NSX-T Edge Gateway
vcd_nsxt_nat_rule: controls NAT behavior on NSX-T Edge Gateways
vcd_nsxt_ipsec_vpn_tunnel: offers site-to-site connectivity between Edge Gateways and remote sites
Some of these resources, such as vcd_nsxt_nat_rule, are already prepared for new VCD 10.3 features (for example, the Reflexive NAT rule type).
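The following configuration is an added example, not code from the release post or the provider project, showing how the new NSX-T resources fit together on one Edge Gateway: an IP set and a security group define the endpoints, app port profiles define the services, the firewall allows only those combinations and logs and drops the rest, and a DNAT rule publishes a single internal host on a single port. The org, VDC and gateway names are the ones used in the post; the routed network "web-net", the 203.0.113.0/24 admin range (TEST-NET-3) and the 10.10.10.10 host are constructed, and the argument names follow the provider's documentation for these resources as I recall it, so check them against the registry docs for the version you install.

```hcl
data "vcd_nsxt_edgegateway" "existing" {
  org  = "org"
  vdc  = "nsxt-vdc"
  name = "nsxt-gateway"
}

# Assumed: a routed org VDC network "web-net" already exists behind the gateway.
data "vcd_network_routed_v2" "web" {
  org  = "org"
  vdc  = "nsxt-vdc"
  name = "web-net"
}

# Security group: the VMs on web-net that the rules below apply to.
resource "vcd_nsxt_security_group" "web" {
  org                    = "org"
  vdc                    = "nsxt-vdc"
  edge_gateway_id        = data.vcd_nsxt_edgegateway.existing.id
  name                   = "web-servers"
  member_org_network_ids = [data.vcd_network_routed_v2.web.id]
}

# IP set: the only external source allowed to reach the web VMs on any port
# (constructed range, TEST-NET-3).
resource "vcd_nsxt_ip_set" "admins" {
  org             = "org"
  vdc             = "nsxt-vdc"
  edge_gateway_id = data.vcd_nsxt_edgegateway.existing.id
  name            = "admin-network"
  ip_addresses    = ["203.0.113.0/24"]
}

# App port profile: protocol + port pair reused by the firewall and the NAT rule.
resource "vcd_nsxt_app_port_profile" "https" {
  org   = "org"
  vdc   = "nsxt-vdc"
  name  = "https-only"
  scope = "TENANT"
  app_port {
    protocol = "TCP"
    port     = ["443"]
  }
}

# Firewall: rules are evaluated in order; the last rule logs and drops
# everything the explicit allows did not match.
resource "vcd_nsxt_firewall" "edge" {
  org             = "org"
  vdc             = "nsxt-vdc"
  edge_gateway_id = data.vcd_nsxt_edgegateway.existing.id

  rule {
    name                 = "allow-https-to-web"
    direction            = "IN"
    ip_protocol          = "IPV4"
    action               = "ALLOW"
    destination_ids      = [vcd_nsxt_security_group.web.id]
    app_port_profile_ids = [vcd_nsxt_app_port_profile.https.id]
    logging              = true
  }

  rule {
    name            = "allow-admins-to-web"
    direction       = "IN"
    ip_protocol     = "IPV4"
    action          = "ALLOW"
    source_ids      = [vcd_nsxt_ip_set.admins.id]
    destination_ids = [vcd_nsxt_security_group.web.id]
    logging         = true
  }

  rule {
    name        = "log-and-drop-rest"
    direction   = "IN_OUT"
    ip_protocol = "IPV4_IPV6"
    action      = "DROP"
    logging     = true
  }
}

# DNAT: publish one internal host on the gateway's primary IP, port 443 only.
resource "vcd_nsxt_nat_rule" "web_dnat" {
  org                 = "org"
  vdc                 = "nsxt-vdc"
  edge_gateway_id     = data.vcd_nsxt_edgegateway.existing.id
  name                = "dnat-web-443"
  rule_type           = "DNAT"
  external_address    = tolist(data.vcd_nsxt_edgegateway.existing.subnet)[0].primary_ip
  internal_address    = "10.10.10.10"
  dnat_external_port  = "443"
  app_port_profile_id = vcd_nsxt_app_port_profile.https.id
  logging             = true
}
```

Two design points worth keeping: every rule sets logging = true so the gateway produces a record of both the allowed and the dropped traffic, and the NAT rule is tied to the same app port profile as the firewall allow, so the published service cannot silently drift to a wider port range than the firewall permits.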
The release also introduces roles and rights management, with a dedicated operations guide that explains what providers and tenants can do with the new resources. There are three resources and four data sources:

vcd_role: allows providers and tenants to create, modify, and delete roles
vcd_global_role: allows providers to define roles for tenants
vcd_rights_bundle: allows providers to manage tenants' rights allocation
vcd_right: allows providers and tenants to inspect individual rights (data source only)
IPsec VPN tunnel in action
VMware Cloud Director (starting with 10.1) supports IPSec VPN. IPSec VPN offers site-to-site connectivity between an edge gateway and remote sites which also use NSX-T Data Center or which have either third-party hardware routers or VPN gateways that support IPSec.
Here is a quick minimal example that configures an IPSec VPN tunnel on an NSX-T Edge Gateway using Terraform:

```hcl
data "vcd_nsxt_edgegateway" "existing" {
  org  = "org"
  vdc  = "nsxt-vdc"
  name = "nsxt-gateway"
}
```

```hcl
resource "vcd_nsxt_ipsec_vpn_tunnel" "first-tunnel" {
  org             = "org"
  vdc             = "nsxt-vdc"
  edge_gateway_id = data.vcd_nsxt_edgegateway.existing.id

  name = "IPSec VPN tunnel 3.3.0"

  # The pre-shared key must be the same on the other end of the IPSec VPN tunnel.
  pre_shared_key = "secret-shared-key"

  # Primary IP address extracted from Edge Gateway data source
  local_ip_address = tolist(data.vcd_nsxt_edgegateway.existing.subnet)[0].primary_ip
  local_networks   = ["10.10.10.0/24"]

  # Remote peer IP address
  remote_ip_address = "1.2.3.4"
  remote_networks   = ["192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/28"]
}
```
This example uses the default security profile, but it can be customized using the security_profile_customization block.
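As an added example (not from the post or the provider project), here is the same tunnel with two changes a practitioner would want: the pre-shared key comes from a sensitive input variable instead of a literal in the configuration, and a security_profile_customization block pins IKEv2, AES-256, SHA2-256 and DH group 14 with PFS rather than relying on the defaults. The variable name is mine, and the attribute names and enum values inside the block are taken from the provider's documentation as I recall it, so verify them against the registry docs for the version you install.

```hcl
# Supplied out of band (TF_VAR_vpn_pre_shared_key, a tfvars file kept out of
# version control, or a secrets backend). "sensitive" hides the value in plan
# and apply output; it is still written to the state file, so protect the state.
variable "vpn_pre_shared_key" {
  type      = string
  sensitive = true
}

data "vcd_nsxt_edgegateway" "existing" {
  org  = "org"
  vdc  = "nsxt-vdc"
  name = "nsxt-gateway"
}

resource "vcd_nsxt_ipsec_vpn_tunnel" "hardened-tunnel" {
  org             = "org"
  vdc             = "nsxt-vdc"
  edge_gateway_id = data.vcd_nsxt_edgegateway.existing.id

  name           = "IPSec VPN tunnel (custom profile)"
  pre_shared_key = var.vpn_pre_shared_key

  local_ip_address = tolist(data.vcd_nsxt_edgegateway.existing.subnet)[0].primary_ip
  local_networks   = ["10.10.10.0/24"]

  remote_ip_address = "1.2.3.4"
  remote_networks   = ["192.168.1.0/24"]

  # Explicit phase 1 (IKE) and phase 2 (tunnel) parameters; both peers must
  # agree on these, so the same values must be configured on the remote side.
  security_profile_customization {
    ike_version               = "IKE_V2"
    ike_encryption_algorithms = ["AES_256"]
    ike_digest_algorithms     = ["SHA2_256"]
    ike_dh_groups             = ["GROUP14"]
    ike_sa_lifetime           = 86400

    tunnel_pfs_enabled           = true
    tunnel_encryption_algorithms = ["AES_256"]
    tunnel_digest_algorithms     = ["SHA2_256"]
    tunnel_dh_groups             = ["GROUP14"]
    tunnel_sa_lifetime           = 3600
  }
}
```

If the remote peer only supports IKEv1 or a weaker group, the tunnel will fail to negotiate rather than silently downgrade, which is the behaviour you want from a pinned profile.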
A taste of roles management
Global roles are role templates defined at provider level and inherited by tenants. Using a combination of the new resources and a built-in Terraform function, we can create a new global role by combining the rights of two existing roles and adding a custom right:

```hcl
data "vcd_global_role" "vapp-author" {
  name = "vApp Author"
}

data "vcd_global_role" "catalog-author" {
  name = "Catalog Author"
}

# super-vapp-author combines the rights of "vApp Author" and "Catalog Author"
resource "vcd_global_role" "super-vapp-author" {
  name                   = "super-vapp-author"
  description            = "A global role from CLI"
  publish_to_all_tenants = true
  rights = setunion(
    data.vcd_global_role.vapp-author.rights,    # rights from existing global role
    data.vcd_global_role.catalog-author.rights, # rights from existing global role
    ["API Explorer: View"],                     # more rights to be added
  )
}
```
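The post's example widens a role; the more common security task is the reverse. The following is an added example, not code from the post or the provider project, that derives a narrower tenant role from the built-in "vApp User" role by filtering out every right whose name contains "Delete", and publishes a rights bundle to one named tenant instead of all tenants. The org name "org" and the resource and role names are assumed; the vcd_role and vcd_rights_bundle arguments follow the provider's documentation as I recall it, so check them against the registry docs. Creating a rights bundle requires a provider (System) connection.

```hcl
# Built-in "vApp User" role as seen from the tenant org (assumed org name).
data "vcd_role" "vapp_user" {
  org  = "org"
  name = "vApp User"
}

# Tenant role: everything a vApp User can do, minus any right whose name
# contains "Delete". can(regex(...)) is false when the pattern does not match,
# so the filter keeps only the non-delete rights.
resource "vcd_role" "vapp_operator_no_delete" {
  org         = "org"
  name        = "vApp Operator (no delete)"
  description = "vApp User without delete rights"
  rights = [
    for r in data.vcd_role.vapp_user.rights : r
    if !can(regex("Delete", r))
  ]
}

# Rights bundle published only to the named tenant. Keeping
# publish_to_all_tenants = false means a new tenant does not pick up this
# allocation by default; it has to be listed here.
resource "vcd_rights_bundle" "org_tenant_rights" {
  name                   = "org-tenant-rights"
  description            = "Rights allocated to the org tenant"
  publish_to_all_tenants = false
  tenants                = ["org"]
  rights                 = data.vcd_role.vapp_user.rights
}
```

After terraform plan, inspect the computed rights list of vcd_role.vapp_operator_no_delete (for example with terraform console) to confirm the filter removed exactly the rights you expected before applying; a pattern match on right names is only as good as the naming convention it relies on.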
Further information
This 3.3.0 release is hosted in the Terraform registry and supports the latest Terraform 1.0 version.
The provider has been available in the registry since the 3.0.0 release.
Documentation can be accessed on the site.