As a seasoned VMware administrator, you understand the importance of security and policy management within your virtual infrastructure. One of the key features of NSX-T is its ability to implement security policies based on tags and security groups. In this blog post, we’ll explore how to create an NSX-T tag and match it with a security group using Terraform.
First, let's take a look at the current state of our NSX-T environment. We have a virtual machine named "VM123" that we want to apply a security policy to. We need this virtual machine's BIOS ID (the value the provider expects as `instance_id`), which we can read from the NSX-T GUI by going to Inventory > Virtual Machines and selecting the appropriate virtual machine; below it is passed in as the Terraform variable `vmBIOS`.
Next, we'll create an NSX-T tag using Terraform. The scope of this tag will be "FWP" and the tag name will be "FWP-VPC-1000e-on-P15172". Here's the Terraform code for creating the tag:
```hcl
# Attach the tag to VM123; instance_id is the VM's BIOS ID read from the NSX-T inventory
resource "nsxt_policy_vm_tags" "VM123TAG" {
  instance_id = var.vmBIOS
  tag {
    scope = "FWP"
    tag   = "FWP-VPC-1000e-on-P15172"
  }
}
```
Now that we have created the tag, we can create a security group whose membership criteria match on this tag. We'll use the following Terraform code to create the security group:
```hcl
# Group whose members are all VirtualMachine objects carrying the tag; value is "scope|tag"
resource "nsxt_policy_group" "SG-FWP-VPC-1000e-on-P15172" {
  display_name = "SG-FWP-VPC-1000e-on-P15172"
  criteria {
    condition {
      key         = "Tag"
      member_type = "VirtualMachine"
      operator    = "EQUALS"
      value       = "FWP|FWP-VPC-1000e-on-P15172"
    }
  }
}
```
In this code, we've defined a security group with the display name "SG-FWP-VPC-1000e-on-P15172". The criteria for this security group are based on the tag we created earlier. The condition specifies that the key is "Tag", the member type is "VirtualMachine", and the operator is "EQUALS". The value is "FWP|FWP-VPC-1000e-on-P15172", i.e. the scope and the tag name of the tag we created earlier, joined by "|".
Once we have created both the tag and the security group, we can apply the security policy to our virtual machine. We'll use the following Terraform code to assign the security group to the virtual machine:
```hcl
resource "nsxt_policy_vm_groups" "VM123GROUP" {
  instance_id = var.vmBIOS
  group {
    ref = nsxt_policy_group.SG-FWP-VPC-1000e-on-P15172
  }
}
```
In this code, we've assigned the security group "SG-FWP-VPC-1000e-on-P15172" to our virtual machine "VM123".
That's it! With this Terraform code, you can create an NSX-T tag and match it with a security group. This allows you to apply security policies based on tags and security groups within your NSX-T environment.
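As an added example (not code from the original post), here is the same tag-to-group chain written so that the tag and the group criteria are derived from one pair of locals and cannot drift apart, with an input check on `vmBIOS` and a distributed firewall policy that consumes the group. The `nsxt_policy_security_policy` resource and its `rule` fields are assumptions from the provider, not something the post shows; the rule action and names are illustrative.

```hcl
# Added example, not from the original post. Assumes the terraform-provider-nsxt
# resources nsxt_policy_vm_tags, nsxt_policy_group and nsxt_policy_security_policy.
variable "vmBIOS" {
  description = "BIOS ID of VM123 (NSX-T UI: Inventory > Virtual Machines)"
  type        = string
  validation {
    # BIOS IDs are UUID-shaped; catch a pasted display name or empty value at plan time
    condition     = can(regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", var.vmBIOS))
    error_message = "vmBIOS must be the VM's BIOS UUID, e.g. 5012xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx."
  }
}

locals {
  tag_scope = "FWP"
  tag_name  = "FWP-VPC-1000e-on-P15172"
}

resource "nsxt_policy_vm_tags" "VM123TAG" {
  instance_id = var.vmBIOS
  tag {
    scope = local.tag_scope
    tag   = local.tag_name
  }
}

resource "nsxt_policy_group" "SG" {
  display_name = "SG-${local.tag_name}"
  criteria {
    condition {
      key         = "Tag"
      member_type = "VirtualMachine"
      operator    = "EQUALS"
      # built from the same locals as the tag, so the "scope|tag" value always matches
      value       = "${local.tag_scope}|${local.tag_name}"
    }
  }
}

# Hypothetical policy consuming the group: drop and log all traffic to its members
resource "nsxt_policy_security_policy" "FWP" {
  display_name = "FWP-${local.tag_name}"
  category     = "Application"
  rule {
    display_name       = "drop-to-${local.tag_name}"
    destination_groups = [nsxt_policy_group.SG.path]
    action             = "DROP"
    logged             = true
  }
}
```

Because group membership is evaluated from the tag criteria, `terraform apply` is enough for VM123 to appear under the group's members once the tag is present; confirm it in the NSX-T UI under the group's Members tab before relying on the rule.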