Skip to content
/ terraform-vcd-nsxt-nat-rule Public

Terraform module which manages NSX-T NAT-Rule ressources on VMWare Cloud Director.

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

noris-network/terraform-vcd-nsxt-nat-rule

BranchesTags

Repository files navigation

terraform-vcd-nsxt-nat-rule

Terraform module which manages NSX-T NAT-Rule ressources on VMWare Cloud Director.

Requirements

Name Version
terraform >= 1.1.9
vcd >= 3.9.0

Providers

Name Version
vcd 3.9.0

Modules

No modules.

Resources

Name Type
vcd_nsxt_nat_rule.nsxt_nat_rule resource
vcd_nsxt_app_port_profile.nsxt_app_port_profile data source
vcd_nsxt_edgegateway.nsxt_edgegateway data source
vcd_vdc_group.vdc_group data source

Inputs

Name Description Type Default Required
name A name for the NAT rule. string n/a yes
rule_type One of DNAT, NO_DNAT, SNAT, NO_SNAT, REFLEXIVE string n/a yes
vdc_edgegateway_name The name for the Edge Gateway. string n/a yes
vdc_group_name The name of the VDC group. string n/a yes
vdc_org_name The name of the organization to use. string n/a yes
app_port_profile Application Port Profile and its scope to which to apply the rule. The Application Port Profile includes a port, and a protocol that the incoming traffic uses on the edge gateway to connect to the internal network. map(string) null no
description A description for the NAT rule. string null no
dnat_external_port For DNAT only. This represents the external port number or port range when doing DNAT port forwarding from external to internal. The default dnatExternalPort is “ANY” meaning traffic on any port for the given IPs selected will be translated. number null no
enabled Enables or disables the NAT rule. bool true no
external_address The external address for the NAT Rule. This must be supplied as a single IP or Network CIDR. For a DNAT rule, this is the external facing IP Address for incoming traffic. For an SNAT rule, this is the external facing IP Address for outgoing traffic. These IPs are typically allocated/suballocated IP Addresses on the Edge Gateway. For a REFLEXIVE rule, these are the external facing IPs. string null no
firewall_match (VCD 10.2.2+) - You can set a firewall match rule to determine how firewall is applied during NAT. One of MATCH_INTERNAL_ADDRESS, MATCH_EXTERNAL_ADDRESS, BYPASS. string "MATCH_INTERNAL_ADDRESS" no
internal_address The internal address for the NAT Rule. This must be supplied as a single IP or Network CIDR. For a DNAT rule, this is the internal IP address for incoming traffic. For an SNAT rule, this is the internal IP Address for outgoing traffic. For a REFLEXIVE rule, these are the internal IPs. These IPs are typically the Private IPs that are allocated to workloads. string null no
logging Enable to have the address translation performed by this rule logged. Note User might lack rights (Organization Administrator role by default is missing Gateway -> Configure System Logging right) to enable logging, but API does not return error and it is not possible to validate it. terraform plan might show difference on every update. bool false no
priority (VCD 10.2.2+) - if an address has multiple NAT rules, you can assign these rules different priorities to determine the order in which they are applied. A lower value means a higher priority for this rule. number 0 no
snat_destination_address For SNAT only. The destination addresses to match in the SNAT Rule. This must be supplied as a single IP or Network CIDR. Providing no value for this field results in match with ANY destination network. string null no

Outputs

Name Description
id The ID of the NAT-Rule.

Examples

Single instance

module "nat_rule" {
  source               = "git::https://github.com/noris-network/terraform-vcd-nsxt-nat-rule?ref=1.0.1"
  name                 = "outbound_snat"
  vdc_org_name         = "1-2"
  vdc_group_name       = "1-2-nbg"
  vdc_edgegateway_name = "T1-1-2-nbg"
  rule_type            = "SNAT"
  external_address     = "123.234.123.234"
  internal_address     = "10.0.0.0/8"
}

Real world example

locals {
  nat_rules = [
    {
      name             = "outbound_nat"
      rule_type        = "SNAT"
      external_address = "123.234.123.235"
      internal_address = "192.168.0.0/24"
    },
    {
      name                     = "no_snat-192.168.0.0/24"
      rule_type                = "NO_SNAT"
      internal_address         = "192.168.0.0/24"
      snat_destination_address = "192.168.0.0/24"
    },
    {
      name               = "inbound_nat_ssh"
      rule_type          = "DNAT"
      external_address   = "123.234.123.236"
      internal_address   = "192.168.0.150"
      dnat_external_port = "10022"
      app_port_profile = {
        name  = "SSH"
        scope = "SYSTEM"
      }
    }
  ]
}

module "nat_rules" {
  source               = "git::https://github.com/noris-network/terraform-vcd-nsxt-nat-rule?ref=1.0.1"
  for_each             = { for nat_rule in locals.nat_rules : nat_rule.name => nat_rule }
  name                 = "${each.value.name}_${terraform.workspace}"
  vdc_org_name         = var.vdc_org_name
  vdc_edgegateway_name = var.vdc_edge_gateway_name
  vdc_group_name       = var.vdc_group_name
  rule_type            = each.value.rule_type
  external_address     = try(each.value.external_address, null)
  internal_address     = try(each.value.internal_address, null)
}

Changelog

  • v1.0.1 - Gather ID for Application Port Profiles
  • v1.0.0 - Initial release

About

Terraform module which manages NSX-T NAT-Rule ressources on VMWare Cloud Director.

Topics

terraform vcd

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

2 tags

Languages