diff --git a/samples/vmc/networks_nsxt/segments_firewall_crud.py b/samples/vmc/networks_nsxt/segments_firewall_crud.py new file mode 100644 index 00000000..8a5b3cab --- /dev/null +++ b/samples/vmc/networks_nsxt/segments_firewall_crud.py @@ -0,0 +1,145 @@ +#!/usr/bin/env python + +""" +* ******************************************************* +* Copyright (c) VMware, Inc. 2019. All Rights Reserved. +* SPDX-License-Identifier: MIT +* ******************************************************* +* +* DISCLAIMER. THIS PROGRAM IS PROVIDED TO YOU "AS IS" WITHOUT +* WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN, +* EXPRESS OR IMPLIED. THE AUTHOR SPECIFICALLY DISCLAIMS ANY IMPLIED +* WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY, +* NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE. +""" + +__author__ = 'VMware, Inc.' + + +import argparse +import requests +from com.vmware.nsx_policy_client_for_vmc import create_nsx_policy_client_for_vmc +from com.vmware.nsx_policy.model_client import Rule +from vmware.vapi.bindings.struct import PrettyPrinter as NsxPrettyPrinter +from com.vmware.nsx_policy.model_client import ApiError + +# format NSXT objects for readability +nsx_pp = NsxPrettyPrinter() + + +class NSXPolicySegmentFirewall(object): + """ + e.g. Demonstrate access to NSX Policy Manager and show + access to infra, tier1s, segments and firewall CRUD operations + """ + + def __init__(self): + parser = argparse.ArgumentParser( + formatter_class=argparse.ArgumentDefaultsHelpFormatter) + + parser.add_argument('--refresh_token', + required=True, + help='Refresh token obtained from CSP') + + parser.add_argument('--org_id', + required=True, + help='Orgization ID') + + parser.add_argument('--sddc_id', + required=True, + help='Sddc ID') + + args = parser.parse_args() + + self.nsx_client = create_nsx_policy_client_for_vmc( + refresh_token=args.refresh_token, + org_id=args.org_id, + sddc_id=args.sddc_id) + + def get_infra(self): + print(' Infra '.center(70, '=')) + self.infra = self.nsx_client.Infra.get() + nsx_pp.pprint(self.infra) + return self.infra + + def get_tier1s(self): + print(' Tier1s '.center(70, '=')) + self.tier1s = self.nsx_client.infra.Tier1s.list() + nsx_pp.pprint(self.tier1s) + return self.tier1s + + def get_segments(self): + print(' Segments '.center(70, '=')) + self.segments = self.nsx_client.infra.tier_1s.Segments.list('cgw') + nsx_pp.pprint(self.segments) + return self.segments + + def get_domains(self): + print(' Domains '.center(70, '=')) + self.domains = self.nsx_client.infra.Domains.list() + nsx_pp.pprint(self.domains) + return self.domains + + def get_mgw_gateway_firewall_rules(self): + print(' Firewall Rules '.center(70, '=')) + self.mgw_policies = self.nsx_client.infra.domains.GatewayPolicies.get('mgw', 'default') + self.mgw_rules = self.mgw_policies.rules + nsx_pp.pprint(self.mgw_rules) + return self.mgw_rules + + def patch_mgw_gateway_firewall_rule(self): + print(' Patch Vcenter inbound '.center(70, '=')) + try: + rule_obj = Rule(action='ALLOW', + scope=['/infra/labels/mgw'], + services=['/infra/services/HTTPS'], + source_groups=['ANY'], + destination_groups=['/infra/domains/mgw/groups/VCENTER'], + display_name='InboundAccess-vCenter', sequence_number=0) + + self.nsx_client.infra.domains.gateway_policies.Rules.patch('mgw', 'default', 'InboundAccess-vCenter', + rule_obj) + except Exception as ex: + print(ex) + self.log_error(ex) + + def delete_mgw_gateway_firewall_rule(self): + print(' Deleting Vcenter inbound FW Rule '.center(70, '=')) + try: + self.nsx_client.infra.domains.gateway_policies.Rules.delete('mgw', 'default', 'InboundAccess-vCenter') + except Exception as ex: + print(ex) + self.log_error(ex) + + def log_error(self, ex): + """ + Generic error logger that will use NSXT API Error message decoders for + more descriptive information on errors + """ + api_error = ex.data.convert_to(ApiError) + print("Error configuring {}".format(api_error.error_message)) + print("{}".format(api_error.__dict__)) + print("{}".format(api_error.details)) + + def run(self): + self.get_infra() + self.get_tier1s() + self.get_segments() + self.get_domains() + self.get_mgw_gateway_firewall_rules() + self.patch_mgw_gateway_firewall_rule() + self.get_mgw_gateway_firewall_rules() + + def cleanup(self): + self.delete_mgw_gateway_firewall_rule() + self.get_mgw_gateway_firewall_rules() # check to ensure deletion + + +def main(): + nsx = NSXPolicySegmentFirewall() + nsx.run() + nsx.cleanup() + + +if __name__ == '__main__': + main()