diff --git a/aci_tenants.tf b/aci_tenants.tf
index 05059404..9fa1a4f8 100644
--- a/aci_tenants.tf
+++ b/aci_tenants.tf
@@ -694,6 +694,11 @@ locals {
 value = sel.value
 description = try(sel.description, "")
 }]
+ ip_external_subnet_selectors = [for sel in try(esg.ip_external_subnet_selectors, []) : {
+ ip = sel.ip
+ description = try(sel.description, "")
+ shared = try(sel.shared, "false")
+ }]
 }
 ]
 ]
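Review bot: The added `shared = try(sel.shared, "false")` defaults to the string `"false"` while the module declares the attribute as `optional(bool, false)` and its main.tf compares it with `== true`; Terraform coerces the string, but the default should be the boolean `false` so the local matches the declared type and the other boolean defaults in this file. A second inconsistency: the sibling `ip_subnet_selectors` entries carry the subnet as `value` (context line `value = sel.value`) whereas the new selector names it `ip`, so two lists of the same kind of input have different shapes; if `ip` is intentional, the data-model documentation should call that out. The enclosing `locals` expression starts and ends outside the hunk.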
@@ -703,23 +708,24 @@ locals {
 module "aci_endpoint_security_group" {
 source = "./modules/terraform-aci-endpoint-security-group"
- for_each = { for esg in local.endpoint_security_groups : esg.key => esg if local.modules.aci_endpoint_security_group && var.manage_tenants }
- tenant = each.value.tenant
- application_profile = each.value.application_profile
- name = each.value.name
- description = each.value.description
- vrf = each.value.vrf
- shutdown = each.value.shutdown
- intra_esg_isolation = each.value.intra_esg_isolation
- preferred_group = each.value.preferred_group
- contract_consumers = each.value.contract_consumers
- contract_providers = each.value.contract_providers
- contract_imported_consumers = each.value.contract_imported_consumers
- contract_intra_esgs = each.value.contract_intra_esgs
- esg_contract_masters = each.value.esg_contract_masters
- tag_selectors = each.value.tag_selectors
- epg_selectors = each.value.epg_selectors
- ip_subnet_selectors = each.value.ip_subnet_selectors
+ for_each = { for esg in local.endpoint_security_groups : esg.key => esg if local.modules.aci_endpoint_security_group && var.manage_tenants }
+ tenant = each.value.tenant
+ application_profile = each.value.application_profile
+ name = each.value.name
+ description = each.value.description
+ vrf = each.value.vrf
+ shutdown = each.value.shutdown
+ intra_esg_isolation = each.value.intra_esg_isolation
+ preferred_group = each.value.preferred_group
+ contract_consumers = each.value.contract_consumers
+ contract_providers = each.value.contract_providers
+ contract_imported_consumers = each.value.contract_imported_consumers
+ contract_intra_esgs = each.value.contract_intra_esgs
+ esg_contract_masters = each.value.esg_contract_masters
+ tag_selectors = each.value.tag_selectors
+ epg_selectors = each.value.epg_selectors
+ ip_subnet_selectors = each.value.ip_subnet_selectors
+ ip_external_subnet_selectors = each.value.ip_external_subnet_selectors
 depends_on = [
 module.aci_tenant,
@@ -2510,6 +2516,9 @@ locals {
 external_endpoint_group = try(policy.external_endpoint_group.name, null) != null ? "${policy.external_endpoint_group.name}${local.defaults.apic.tenants.l3outs.external_endpoint_groups.name_suffix}" : ""
 external_endpoint_group_l3out = try(policy.external_endpoint_group.l3out, null) != null ? "${policy.external_endpoint_group.l3out}${local.defaults.apic.tenants.l3outs.name_suffix}" : ""
 external_endpoint_group_tenant = try(policy.external_endpoint_group.tenant, tenant.name)
+ endpoint_security_group = try(policy.endpoint_security_group.name, null) != null ? "${policy.endpoint_security_group.name}${local.defaults.apic.tenants.application_profiles.name_suffix}" : ""
+ endpoint_security_group_app = try(policy.endpoint_security_group.app, null) != null ? "${policy.endpoint_security_group.app}${local.defaults.apic.tenants.application_profiles.endpoint_security_groups.name_suffix}" : ""
+ endpoint_security_group_tenant = try(policy.endpoint_security_group.tenant, tenant.name)
 }
 ]
 ])
diff --git a/modules/terraform-aci-endpoint-security-group/README.md b/modules/terraform-aci-endpoint-security-group/README.md
index 8a03e4e8..aa4b889f 100644
--- a/modules/terraform-aci-endpoint-security-group/README.md
+++ b/modules/terraform-aci-endpoint-security-group/README.md
@@ -75,6 +75,22 @@ module "aci_endpoint_security_group" {
 description = "foo"
 }
 ]
+ ip_external_subnet_selectors = [
+ {
+ ip = "1.1.5.0/24"
+ },
+ {
+ ip = "1.1.6.0/24"
+ },
+ {
+ ip = "1.1.7.0/24"
+ },
+ {
+ ip = "1.1.8.0/24"
+ description = "foo"
+ shared = true
+ }
+ ]
 }
 ```
diff --git a/modules/terraform-aci-endpoint-security-group/examples/complete/README.md b/modules/terraform-aci-endpoint-security-group/examples/complete/README.md
index 314a8239..099b3063 100644
--- a/modules/terraform-aci-endpoint-security-group/examples/complete/README.md
+++ b/modules/terraform-aci-endpoint-security-group/examples/complete/README.md
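Review bot: The name suffixes on the added `endpoint_security_group` and `endpoint_security_group_app` lines look swapped: the ESG name is given `local.defaults.apic.tenants.application_profiles.name_suffix` and the application profile name is given `local.defaults.apic.tenants.application_profiles.endpoint_security_groups.name_suffix`, whereas the `external_endpoint_group` lines directly above apply each object's own suffix. Unless the defaults tree nests these differently than the path names suggest, the resulting reference would be built from the wrong suffixes and point at an object that does not exist on the fabric. Proposed: `endpoint_security_group = try(policy.endpoint_security_group.name, null) != null ? "${policy.endpoint_security_group.name}${local.defaults.apic.tenants.application_profiles.endpoint_security_groups.name_suffix}" : ""` and `endpoint_security_group_app = try(policy.endpoint_security_group.app, null) != null ? "${policy.endpoint_security_group.app}${local.defaults.apic.tenants.application_profiles.name_suffix}" : ""`. The enclosing `locals` expression begins and ends outside the hunk.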
@@ -78,6 +78,22 @@ module "aci_endpoint_security_group" {
 description = "foo"
 }
 ]
+ip_external_subnet_selectors = [
+ {
+ value = "1.1.5.0/24"
+ },
+ {
+ value = "1.1.6.0/24"
+ },
+ {
+ value = "1.1.7.0/24"
+ },
+ {
+ value = "1.1.8.0/24"
+ description = "foo"
+ shared = true
+ }
+ ]
 }
 ```
\ No newline at end of file
diff --git a/modules/terraform-aci-endpoint-security-group/examples/complete/main.tf b/modules/terraform-aci-endpoint-security-group/examples/complete/main.tf
index d2b2eb14..975da419 100644
--- a/modules/terraform-aci-endpoint-security-group/examples/complete/main.tf
+++ b/modules/terraform-aci-endpoint-security-group/examples/complete/main.tf
@@ -64,4 +64,20 @@ module "aci_endpoint_security_group" {
 description = "foo"
 }
 ]
+ ip_external_subnet_selectors = [
+ {
+ ip = "1.1.1.0/24"
+ },
+ {
+ ip = "1.1.2.0/24"
+ },
+ {
+ ip = "1.1.3.0/24"
+ },
+ {
+ ip = "1.1.4.0/24"
+ description = "foo"
+ shared = true
+ }
+ ]
 }
diff --git a/modules/terraform-aci-endpoint-security-group/main.tf b/modules/terraform-aci-endpoint-security-group/main.tf
index 532008c8..837cb68a 100644
--- a/modules/terraform-aci-endpoint-security-group/main.tf
+++ b/modules/terraform-aci-endpoint-security-group/main.tf
@@ -127,3 +127,17 @@ resource "aci_rest_managed" "fvEPSelector" {
 aci_rest_managed.fvRsScope,
 ]
 }
+
+resource "aci_rest_managed" "fvExternalSubnetSelector" {
+ for_each = { for ess in var.ip_external_subnet_selectors : "${ess.ip}" => ess }
+ dn = "${aci_rest_managed.fvESg.dn}/extsubselector-[${each.key}]"
+ class_name = "fvExternalSubnetSelector"
+ content = {
+ descr = each.value.description
+ shared = each.value.shared == true ? "yes" : "no"
+ }
+
+ depends_on = [
+ aci_rest_managed.fvRsScope,
+ ]
+}
\ No newline at end of file
diff --git a/modules/terraform-aci-endpoint-security-group/variables.tf b/modules/terraform-aci-endpoint-security-group/variables.tf
index b82926fe..5ec25ebf 100644
--- a/modules/terraform-aci-endpoint-security-group/variables.tf
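Review bot: In the new `fvExternalSubnetSelector` resource the `for_each` key `"${ess.ip}"` is a bare string wrapped in interpolation; `ess.ip` is the idiomatic form and reads the same as the key used one line later in `dn`. Because that key is also embedded verbatim in the DN, two entries with the same `ip` will stop the plan with a duplicate-key error rather than quietly collapse into one selector, which is the safer outcome but worth a comment so the next maintainer does not "fix" it with grouping. The `shared` attribute is mapped to `"yes"`/`"no"` with no explanation of what it changes on the fabric; a comment such as `# shared: forwarded to APIC as the selector's shared flag — confirm its effect on cross-VRF matching against the fvExternalSubnetSelector class docs` would make the security-relevant choice visible at the point where it is sent. The resource is complete within the hunk.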
+++ b/modules/terraform-aci-endpoint-security-group/variables.tf
@@ -250,3 +250,27 @@ variable "ip_subnet_selectors" {
 error_message = "`description`: Allowed characters: `a`-`z`, `A`-`Z`, `0`-`9`, `\\`, `!`, `#`, `$`, `%`, `(`, `)`, `*`, `,`, `-`, `.`, `/`, `:`, `;`, `@`, ` `, `_`, `{`, `|`, }`, `~`, `?`, `&`, `+`. Maximum characters: 128."
 }
 }
+
+variable "ip_external_subnet_selectors" {
+ description = "List of IP subnet selectors."
+ type = list(object({
+ ip = string
+ description = optional(string, "")
+ shared = optional(bool, false)
+ }))
+ default = []
+
+ validation {
+ condition = alltrue([
+ for ess in var.ip_external_subnet_selectors : can(regex("^([0-9]{1,3}\\.){3}[0-9]{1,3}\\/([0-9]){1,2}$", ess.ip))
+ ])
+ error_message = "`ip`: Valid ip format example: 192.168.1.0/24."
+ }
+
+ validation {
+ condition = alltrue([
+ for ess in var.ip_external_subnet_selectors : ess.description == null || can(regex("^[a-zA-Z0-9\\\\!#$%()*,-./:;@ _{|}~?&+]{0,128}$", ess.description))
+ ])
+ error_message = "`description`: Allowed characters: `a`-`z`, `A`-`Z`, `0`-`9`, `\\`, `!`, `#`, `$`, `%`, `(`, `)`, `*`, `,`, `-`, `.`, `/`, `:`, `;`, `@`, ` `, `_`, `{`, `|`, }`, `~`, `?`, `&`, `+`. Maximum characters: 128."
+ }
+}
\ No newline at end of file
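Review bot: The `ip` validation regex `^([0-9]{1,3}\.){3}[0-9]{1,3}\/([0-9]){1,2}$` accepts values such as `999.999.999.999/99` that are not valid prefixes, and since the value is used unmodified as the selector's DN component in main.tf, a stricter check keeps malformed input out of the REST payload: `condition = alltrue([for ess in var.ip_external_subnet_selectors : can(cidrnetmask(ess.ip))])` rejects bad octets and prefix lengths while keeping the IPv4-only intent (the sibling `ip_subnet_selectors` validation is outside the hunk, so I cannot tell whether it uses the same regex). The description `"List of IP subnet selectors."` is copied from the sibling and neither says these are external subnet selectors nor what `shared` does; suggest `"List of external IP subnet selectors. `shared` is sent to APIC as the selector's shared flag."`. The `description` error message also inherits the sibling's missing backtick in `` }` ``. Separately, `examples/complete/README.md` in this commit writes the entries as `value = "1.1.5.0/24"` while this object type declares `ip`, so that example does not match the variable as defined.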