From 39658ffa77b41e2590012acbc4f3613295a0ccea Mon Sep 17 00:00:00 2001
From: Tripti Attavar
Date: Mon, 3 Jun 2019 14:15:04 -0700
Subject: [PATCH] Add NSXT sample for NAT and CGW firewall CRUD Public IP CRUD NAT Rule CRUD Group CRUD CGW Firewall
Signed-Off-By: Tripti Attavar
---
.../vmc/networks_nsxt/cgw_firewall_crud.py | 160 ++++++++++++++++++
samples/vmc/networks_nsxt/nat_crud.py | 147 ++++++++++++++++
2 files changed, 307 insertions(+)
create mode 100644 samples/vmc/networks_nsxt/cgw_firewall_crud.py
create mode 100644 samples/vmc/networks_nsxt/nat_crud.py
diff --git a/samples/vmc/networks_nsxt/cgw_firewall_crud.py b/samples/vmc/networks_nsxt/cgw_firewall_crud.py
new file mode 100644
index 00000000..2e3db326
--- /dev/null
+++ b/samples/vmc/networks_nsxt/cgw_firewall_crud.py
@@ -0,0 +1,160 @@
+#!/usr/bin/env python
+
+"""
+* *******************************************************
+* Copyright (c) VMware, Inc. 2019. All Rights Reserved.
+* SPDX-License-Identifier: MIT
+* *******************************************************
+*
+* DISCLAIMER. THIS PROGRAM IS PROVIDED TO YOU "AS IS" WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN,
+* EXPRESS OR IMPLIED. THE AUTHOR SPECIFICALLY DISCLAIMS ANY IMPLIED
+* WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY,
+* NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.
+"""
+
+__author__ = 'VMware, Inc.'
+__vcenter_version__ = '6.8.0+'
+
+import argparse
+import requests
+from com.vmware.nsx_policy_client_for_vmc import create_nsx_policy_client_for_vmc
+from com.vmware.nsx_policy.model_client import IPAddressExpression
+from com.vmware.nsx_policy.model_client import Group
+from com.vmware.nsx_policy.model_client import Rule
+from vmware.vapi.bindings.struct import PrettyPrinter as NsxPrettyPrinter
+from com.vmware.nsx_policy.model_client import ApiError
+
+# format NSXT objects for readability
+nsx_pp = NsxPrettyPrinter()
+
+
+class NSXPolicyCGWFirewall(object):
+"""
+e.g. Demonstrate access to NSX Policy Manager and
+show access to infra and CGW firewall CRUD operations
+"""
+
+def __init__(self):
+parser = argparse.ArgumentParser(
+formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+
+parser.add_argument('--refresh_token',
+required=True,
+help='Refresh token obtained from CSP')
+
+parser.add_argument('--org_id',
+required=True,
+help='Orgization ID')
+
+parser.add_argument('--sddc_id',
+required=True,
+help='Sddc ID')
+
+args = parser.parse_args()
+
+self.nsx_client = create_nsx_policy_client_for_vmc(
+refresh_token=args.refresh_token,
+org_id=args.org_id,
+sddc_id=args.sddc_id)
+
+def get_infra(self):
+print(' Infra '.center(70, '='))
+self.infra = self.nsx_client.Infra.get()
+nsx_pp.pprint(self.infra)
+return self.infra
+
+def get_domains(self):
+print(' Domains '.center(70, '='))
+self.domains = self.nsx_client.infra.Domains.list()
+nsx_pp.pprint(self.domains)
+return self.domains
+
+def get_group(self):
+print(' Get Group '.center(70, '='))
+self.cgw_group = self.nsx_client.infra.domains.Groups.get('cgw', 'VM1_Group')
+nsx_pp.pprint(self.cgw_group)
+return self.cgw_group
+
+def patch_group(self):
+print(' Create Group '.center(70, '='))
+try:
+ip_address_expression_obj = IPAddressExpression(ip_addresses=['172.16.1.2']) # IP Address of a VM
+group_obj = Group(display_name='VM1_Group', expression=[ip_address_expression_obj])
+self.nsx_client.infra.domains.Groups.patch('cgw', 'VM1_Group', group_obj)
+except Exception as ex:
+print(ex)
+self.log_error(ex)
+
+def delete_group(self):
+print(' Delete Group '.center(70, '='))
+try:
+self.nsx_client.infra.domains.Groups.delete('cgw', 'VM1_Group')
+except Exception as ex:
+print(ex)
+self.log_error(ex)
+
+def get_cgw_gateway_firewall_rules(self):
+print(' CGW Firewall Rules '.center(70, '='))
+self.cgw_policies = self.nsx_client.infra.domains.GatewayPolicies.get('cgw', 'default')
+self.cgw_rules = self.cgw_policies.rules
+nsx_pp.pprint(self.cgw_rules)
+return self.cgw_rules
+
+def patch_cgw_gateway_firewall_rule(self):
+print(' Create CGW Firewall Rule '.center(70, '='))
+self.patch_group()
+cgw_group = self.get_group()
+try:
+rule_obj = Rule(action='ALLOW',
+scope=['/infra/labels/cgw-all'],
+services=['/infra/services/ICMP-ALL'],
+source_groups=['ANY'],
+destination_groups=[cgw_group.path],
+display_name='AllowPingToVM1', sequence_number=0)
+
+self.nsx_client.infra.domains.gateway_policies.Rules.patch('cgw', 'default', 'AllowPingToVM1',
+rule_obj)
+except Exception as ex:
+print(ex)
+self.log_error(ex)
+
+def delete_cgw_gateway_firewall_rule(self):
+print(' Delete CGW Firewall Rule '.center(70, '='))
+try:
+self.nsx_client.infra.domains.gateway_policies.Rules.delete('cgw', 'default', 'AllowPingToVM1')
+except Exception as ex:
+print(ex)
+self.log_error(ex)
+
+def log_error(self, ex):
+"""
+Generic error logger that will use NSXT API Error message decoders for
+more descriptive information on errors
+"""
+api_error = ex.data.convert_to(ApiError)
+print("Error configuring {}".format(api_error.error_message))
+print("{}".format(api_error.__dict__))
+print("{}".format(api_error.details))
+
+def run(self):
+self.get_infra()
+self.get_domains()
+self.get_cgw_gateway_firewall_rules()
+self.patch_cgw_gateway_firewall_rule()
+self.get_cgw_gateway_firewall_rules()
+
+def cleanup(self):
+self.delete_cgw_gateway_firewall_rule()
+self.get_cgw_gateway_firewall_rules()
+self.delete_group()
+
+
+def main():
+nsx = NSXPolicyCGWFirewall()
+nsx.run()
+nsx.cleanup()
+
+
+if __name__ == '__main__':
+main()
diff --git a/samples/vmc/networks_nsxt/nat_crud.py b/samples/vmc/networks_nsxt/nat_crud.py
new file mode 100644
index 00000000..66fcfe7d
--- /dev/null
+++ b/samples/vmc/networks_nsxt/nat_crud.py
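Review bot: `--refresh_token` in `__init__` takes the CSP refresh token as a command-line argument, so a long-lived credential lands in shell history and is visible to every local user through `ps`; read it from the environment instead, e.g. `parser.add_argument('--refresh_token', default=os.environ.get('CSP_REFRESH_TOKEN'), help='Refresh token obtained from CSP (defaults to $CSP_REFRESH_TOKEN)')` followed by `parser.error('--refresh_token or CSP_REFRESH_TOKEN is required')` when it is still unset (needs `import os`; the unused `import requests` can go). `log_error` then calls `ex.data.convert_to(ApiError)` on whatever `Exception` the callers caught, so a transport error or an exception without `.data` turns into an `AttributeError` that hides the original failure; guard it with `if getattr(ex, 'data', None) is None: return`. The rule built in `patch_cgw_gateway_firewall_rule` allows ICMP from `source_groups=['ANY']` at `sequence_number=0`, and `main()` only reaches `cleanup()` if `run()` returns normally, so a failure in the unguarded `get_group()` or `get_cgw_gateway_firewall_rules()` leaves that any-source allow rule on the gateway; a comment marking it as deliberately permissive sample config plus `try: nsx.run()` / `finally: nsx.cleanup()` would keep it from persisting or being copied into real policy.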
@@ -0,0 +1,147 @@
+#!/usr/bin/env python
+
+"""
+* *******************************************************
+* Copyright (c) VMware, Inc. 2019. All Rights Reserved.
+* SPDX-License-Identifier: MIT
+* *******************************************************
+*
+* DISCLAIMER. THIS PROGRAM IS PROVIDED TO YOU "AS IS" WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN,
+* EXPRESS OR IMPLIED. THE AUTHOR SPECIFICALLY DISCLAIMS ANY IMPLIED
+* WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY,
+* NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.
+"""
+
+__author__ = 'VMware, Inc.'
+__vcenter_version__ = '6.8.1+'
+
+import argparse
+import requests
+from com.vmware.nsx_policy_client_for_vmc import create_nsx_policy_client_for_vmc
+from com.vmware.nsx_vmc_app_client_for_vmc import create_nsx_vmc_app_client_for_vmc
+from com.vmware.nsx_vmc_app.model_client import PublicIp
+from com.vmware.nsx_policy.model_client import PolicyNatRule
+from vmware.vapi.bindings.struct import PrettyPrinter as NsxPrettyPrinter
+from com.vmware.nsx_policy.model_client import ApiError
+
+# format NSXT objects for readability
+nsx_pp = NsxPrettyPrinter()
+
+
+class NSXPolicyNAT(object):
+"""
+e.g. Demonstrate access to NSX Policy Manager and
+show access to NAT CRUD operations
+"""
+
+def __init__(self):
+parser = argparse.ArgumentParser(
+formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+
+parser.add_argument('--refresh_token',
+required=True,
+help='Refresh token obtained from CSP')
+
+parser.add_argument('--org_id',
+required=True,
+help='Orgization ID')
+
+parser.add_argument('--sddc_id',
+required=True,
+help='Sddc ID')
+
+args = parser.parse_args()
+
+self.nsx_client = create_nsx_policy_client_for_vmc(
+refresh_token=args.refresh_token,
+org_id=args.org_id,
+sddc_id=args.sddc_id)
+
+self.nsx_vmc_app_client = create_nsx_vmc_app_client_for_vmc(
+refresh_token=args.refresh_token,
+org_id=args.org_id,
+sddc_id=args.sddc_id)
+
+def get_public_ip(self):
+print(' Public IPs '.center(70, '='))
+self.public_ips = self.nsx_vmc_app_client.infra.PublicIps.get('VM1_IP')
+self.public_ip = self.public_ips.ip
+nsx_pp.pprint(self.public_ip)
+return self.public_ip
+
+def update_public_ip(self):
+print(' Create Public IP '.center(70, '='))
+try:
+public_ip_obj = PublicIp(display_name='VM1_IP')
+self.nsx_vmc_app_client.infra.PublicIps.update('VM1_IP', public_ip_obj)
+except Exception as ex:
+print(ex)
+self.log_error(ex)
+
+def delete_public_ip(self):
+print(' Delete Public IP '.center(70, '='))
+try:
+self.nsx_vmc_app_client.infra.PublicIps.delete('VM1_IP')
+except Exception as ex:
+print(ex)
+self.log_error(ex)
+
+def get_nat_rules(self):
+print(' NAT Rules '.center(70, '='))
+self.nat = self.nsx_client.infra.tier_1s.nat.NatRules.list('cgw', 'USER')
+self.nat_rules = self.nat.results
+nsx_pp.pprint(self.nat_rules)
+return self.nat_rules
+
+def patch_nat_rule(self):
+print(' Create NAT Rule '.center(70, '='))
+self.update_public_ip()
+public_ip = self.get_public_ip()
+try:
+nat_obj = PolicyNatRule(action='REFLEXIVE',
+scope=['/infra/labels/cgw-public'],
+source_network='172.16.1.2',
+translated_network=public_ip,
+display_name='VM1NatRule', sequence_number=1)
+self.nsx_client.infra.tier_1s.nat.NatRules.patch('cgw', 'USER', 'VM1NatRule', nat_obj)
+except Exception as ex:
+print(ex)
+self.log_error(ex)
+
+def delete_nat_rule(self):
+print(' Delete NAT Rule '.center(70, '='))
+try:
+self.nsx_client.infra.tier_1s.nat.NatRules.delete('cgw', 'USER', 'VM1NatRule')
+except Exception as ex:
+print(ex)
+self.log_error(ex)
+
+def log_error(self, ex):
+"""
+Generic error logger that will use NSXT API Error message decoders for
+more descriptive information on errors
+"""
+api_error = ex.data.convert_to(ApiError)
+print("Error configuring {}".format(api_error.error_message))
+print("{}".format(api_error.__dict__))
+print("{}".format(api_error.details))
+
+def run(self):
+self.patch_nat_rule()
+self.get_nat_rules()
+
+def cleanup(self):
+self.delete_nat_rule()
+self.get_nat_rules()
+self.delete_public_ip()
+
+
+def main():
+nsx = NSXPolicyNAT()
+nsx.run()
+nsx.cleanup()
+
+
+if __name__ == '__main__':
+main()
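Review bot: `main()` only reaches `nsx.cleanup()` when `nsx.run()` returns normally, yet `get_public_ip()` and `get_nat_rules()` are not wrapped in `try`, so an exception in either leaves the allocated public IP and the REFLEXIVE rule mapping 172.16.1.2 onto it on `cgw-public` — an internet-reachable exposure the sample meant to tear down; write it as `try: nsx.run()` / `finally: nsx.cleanup()`. In `patch_nat_rule`, `update_public_ip()` swallows its own failure and `get_public_ip()` runs regardless, so `translated_network=public_ip` may be `None` when the IP was never allocated (whether `.ip` is populated immediately after the update is not visible here — worth confirming against the API); an `if not public_ip: return` before building `PolicyNatRule` would avoid pushing a half-formed rule. As in the firewall sample, `--refresh_token` puts a CSP credential on the command line where it is visible in shell history and `ps`, and `log_error` assumes every caught exception carries `.data`; reading the token from an environment variable and guarding `log_error` with `getattr(ex, 'data', None)` apply here too.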