├── VMC-PCI ├── terraform_show.tfvars ├── versions.tf ├── vars.tf └── main.tf ├── localNSX ├── terraform_show.tfvars ├── versions.tf ├── vars.tf └── main.tf ├── versions.tf ├── vars.tf ├── terraform_show.tfvars ├── NOTICE.txt ├── .gitignore ├── .terraform.lock.hcl ├── LICENSE.txt ├── CONTRIBUTING.md ├── README.md ├── CODE_OF_CONDUCT.md └── main.tf /VMC-PCI/terraform_show.tfvars: -------------------------------------------------------------------------------- 1 | host = "192.168.110.41" 2 | username = "admin" 3 | password = "default" -------------------------------------------------------------------------------- /localNSX/terraform_show.tfvars: -------------------------------------------------------------------------------- 1 | host = "192.168.110.41" 2 | username = "admin" 3 | password = "default" -------------------------------------------------------------------------------- /versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | nsxt = { 4 | source = "vmware/nsxt" 5 | } 6 | } 7 | } -------------------------------------------------------------------------------- /VMC-PCI/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | nsxt = { 4 | source = "vmware/nsxt" 5 | } 6 | } 7 | } -------------------------------------------------------------------------------- /localNSX/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | nsxt = { 4 | source = "vmware/nsxt" 5 | } 6 | } 7 | } -------------------------------------------------------------------------------- /vars.tf: -------------------------------------------------------------------------------- 1 | variable "host" { 2 | description = "VMC NSX-T REVERSE PROXY URL" 3 | } 4 | variable "vmc_token" { 5 | description = "VMC Token" 6 | } 7 | 
-------------------------------------------------------------------------------- /terraform_show.tfvars: -------------------------------------------------------------------------------- 1 | # Generated by: tsauerer@vmware.com 2 | # Thomas Sauerer 3 | # 4 | # Updated on: 04/14/22 5 | 6 | 7 | 8 | 9 | vmc_token = "7DbeUiXXXXXXXXXXXXXXXXXXXX5Me" 10 | host = "nsx-XXX-XXX-XXX-Xaf66" 11 | -------------------------------------------------------------------------------- /VMC-PCI/vars.tf: -------------------------------------------------------------------------------- 1 | variable "host" { 2 | description = "Local NSX-T Manager" 3 | } 4 | 5 | variable "username" { 6 | description = "User Account" 7 | } 8 | 9 | 10 | variable "password" { 11 | description = "User Account Password" 12 | } 13 | -------------------------------------------------------------------------------- /localNSX/vars.tf: -------------------------------------------------------------------------------- 1 | 2 | variable "host" { 3 | description = "Local NSX-T Manager" 4 | } 5 | 6 | variable "username" { 7 | description = "User Account" 8 | } 9 | 10 | 11 | variable "password" { 12 | description = "User Account Password" 13 | } 14 | -------------------------------------------------------------------------------- /NOTICE.txt: -------------------------------------------------------------------------------- 1 | Blueprint for Horizon with VMC on AWS 2 | Copyright 2020 Omnissa, LLC. 3 | 4 | This product is licensed to you under the BSD-2 license (the "License"). You may not use this product except in compliance with the BSD-2 License. 5 | 6 | This product may include a number of subcomponents with separate copyright notices and license terms. Your use of these subcomponents is subject to the terms and conditions of the subcomponent's license, as noted in the LICENSE file. 
7 | 8 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform/* 3 | 4 | # .tfstate files 5 | *.tfstate 6 | *.tfstate.* 7 | terraform.tfvars 8 | # Crash log files 9 | crash.log 10 | 11 | # Ignore any .tfvars files that are generated automatically for each Terraform run. Most 12 | # .tfvars files are managed as part of configuration and so should be included in 13 | # version control. 14 | # 15 | # example.tfvars 16 | 17 | # Ignore override files as they are usually used to override resources locally and so 18 | # are not checked in 19 | override.tf 20 | override.tf.json 21 | *_override.tf 22 | *_override.tf.json 23 | 24 | # Include override files you do wish to add to version control using negated pattern 25 | # 26 | # !example_override.tf 27 | 28 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan 29 | # example: *tfplan* 30 | -------------------------------------------------------------------------------- /.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 
3 | 4 | provider "registry.terraform.io/terraform-providers/nsxt" { 5 | version = "3.2.3" 6 | hashes = [ 7 | "h1:Gws1OdfVen57D9jlJb0f8qAbolmB3GTCzBtj/7OMi2o=", 8 | "zh:12af89198910a03a8588959bcca27c22a7f2ab8dd187290fbb64a83a478e83e7", 9 | "zh:1aa60a2d944afac1da0424a6d86c07b2f1c9fdb94f7dc5b7ff01dfa08507f62e", 10 | "zh:215b721e95170f1c9b26098699cf3cc3b1782cbcd0e190b0fe381c4640989397", 11 | "zh:3d5c47af9096735c10f74a39ac7597197170935c139a1ee3f392712a7ea27107", 12 | "zh:4526aedf4367ca777f93f4179ef5ff110edb4964b7f5bacefdcaa5a8cb4351b8", 13 | "zh:57386fe5e3b9a26ce3c30cf0094b4aebf300ea64fa404528dc29adbff95d6884", 14 | "zh:733f3042d7935a55b07d7335cc531cb3fd6c31d833b0499dc924af1d797a6b0c", 15 | "zh:ae46c5a2f10791eb8cf097ba2a46c9b882861de707ea30fc4114c5b9ba49f3b0", 16 | "zh:b60055f02fd63686080aa8d84b1cca21709b25e6363b8b2533d39db52221a95c", 17 | "zh:c14830f890c959fe8bc1f652abfccf2ea5878e28ea44aa694454eb62c34d2682", 18 | "zh:c82136ddffa96864ba6fa2e0bfb863517f5af4fcce81f689c1b271c00b006f45", 19 | "zh:cd5cb7fef0a785b75220ce85ea0c9da8c77edb08e6e00ec5e2839481a29dd67e", 20 | "zh:ef2a8e8f5ceee0b75e39f14703fc3a7ec4ebe253ac829557852d8940f4732fb9", 21 | ] 22 | } 23 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Blueprint for Horizon with VMC on AWS 2 | The BSD-2 license (the "License") set forth below applies to all parts of the Blueprint for Horizon with VMC on AWS project. You may not use this file except in compliance with the License. 3 | 4 | BSD-2 License 5 | 6 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 7 | 8 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 
9 | 10 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 11 | 12 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | 2 | # Contributing to blueprint-for-horizon-with-vmc-on-aws 3 | 4 | The blueprint-for-horizon-with-vmc-on-aws project team welcomes contributions from the community. 
5 | 6 | ## Contribution Flow 7 | 8 | This is a rough outline of what a contributor's workflow looks like: 9 | 10 | - Create a topic branch from where you want to base your work 11 | - Make commits of logical units 12 | - Make sure your commit messages are in the proper format (see below) 13 | - Push your changes to a topic branch in your fork of the repository 14 | - Submit a pull request 15 | 16 | Example: 17 | 18 | ``` shell 19 | git remote add upstream https://github.com/omnissa-archive/blueprint-for-horizon-with-vmc-on-aws.git 20 | git checkout -b my-new-feature master 21 | git commit -a 22 | git push origin my-new-feature 23 | ``` 24 | 25 | ### Staying In Sync With Upstream 26 | 27 | When your branch gets out of sync with the omnissa-archive/master branch, use the following to update: 28 | 29 | ``` shell 30 | git checkout my-new-feature 31 | git fetch -a 32 | git pull --rebase upstream master 33 | git push --force-with-lease origin my-new-feature 34 | ``` 35 | 36 | ### Updating pull requests 37 | 38 | If your PR fails to pass CI or needs changes based on code review, you'll most likely want to squash these changes into 39 | existing commits. 40 | 41 | If your pull request contains a single commit or your changes are related to the most recent commit, you can simply 42 | amend the commit. 43 | 44 | ``` shell 45 | git add . 46 | git commit --amend 47 | git push --force-with-lease origin my-new-feature 48 | ``` 49 | 50 | If you need to squash changes into an earlier commit, you can use: 51 | 52 | ``` shell 53 | git add . 54 | git commit --fixup 55 | git rebase -i --autosquash master 56 | git push --force-with-lease origin my-new-feature 57 | ``` 58 | 59 | Be sure to add a comment to the PR indicating your new changes are ready to review, as GitHub does not generate a 60 | notification when you git push. 
61 | 62 | ### Code Style 63 | 64 | ### Formatting Commit Messages 65 | 66 | We follow the conventions on [How to Write a Git Commit Message](http://chris.beams.io/posts/git-commit/). 67 | 68 | Be sure to include any related GitHub issue references in the commit message. See 69 | [GFM syntax](https://guides.github.com/features/mastering-markdown/#GitHub-flavored-markdown) for referencing issues 70 | and commits. 71 | 72 | ## Reporting Bugs and Creating Issues 73 | 74 | When opening a new issue, try to roughly follow the commit message format conventions above. 75 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # blueprint-for-horizon-with-vmc-on-aws 2 | 3 | # Overview 4 | 5 | Explanation can be found here: https://securefever.com/blog/terraform-blueprint-for-a-horizon7-ruleset-with-vmc-on-aws 6 | 7 | 8 | # Prerequisites 9 | 10 | 1. Terraform 11 | 2. NSX-T 12 | 13 | # Build & Run 14 | 15 | 1. install Terraform 16 | 2. clone repository 17 | 3. create a terraform.tfvars file for your secrets (terraform.tfvars is listed in .gitignore, so it will not be committed) 18 | 4. initialize Terraform 19 | 5. plan and/or apply 20 | 6. fill your groups and make your changes 21 | 22 | # Documentation 23 | 24 | First of all, all my tests ran on a lab platform… Use the following code at your own risk, I won't be responsible for any issues you may run into. Thanks! 25 | 26 | In this repository I created an automated distributed Firewall Ruleset for a Horizon Environment, which can be used with 27 | Terraform on VMware Cloud or locally installed NSX-T. 28 | 29 | It only applies Horizon related Services, groups and Distributed Firewall Sections and Rules. Note that the nsxt provider in main.tf is configured with `allow_unverified_ssl = true`, so the NSX-T endpoint's TLS certificate is not verified; set it to `false` once your manager presents a trusted certificate. 30 | 31 | This code should support you to build a secured and least privilege Horizon Platform or get an idea how you can secure your Horizon Environment. 
32 | 33 | To get familiar with VMC and VMC NSX-T I highly recommend taking a look at the blog posts from Nicolas Vibert: 34 | https://nicovibert.com 35 | 36 | I will keep on working on this script and add new services, rules and groups. 37 | 38 | # Support 39 | 40 | If you have any problems with the script, you can always reach out to me and I will try to support and help you as soon as possible! 41 | 42 | # Changelog 43 | 44 | 2021-04-14 45 | Removed legacy ports 46 | cosmetic changes 47 | 48 | 49 | # Contributing 50 | The blueprint-for-horizon-with-vmc-on-aws project team welcomes contributions from the community. Before you start working with blueprint-for-horizon-with-vmc-on-aws, please read our Developer Certificate of Origin. All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch. For more detailed information, refer to CONTRIBUTING.md. 51 | 52 | # License 53 | 54 | Blueprint for Horizon with VMC on AWS 55 | The BSD-2 license (the "License") set forth below applies to all parts of the Blueprint for Horizon with VMC on AWS project. You may not use this file except in compliance with the License. 56 | 57 | BSD-2 License 58 | 59 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 60 | 61 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 62 | 63 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
64 | 65 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 66 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | 2 | # Contributor Covenant Code of Conduct 3 | 4 | ## Our Pledge 5 | 6 | In the interest of fostering an open and welcoming environment, we as 7 | contributors and maintainers pledge to making participation in blueprint-for-horizon-with-vmc-on-aws project and 8 | our community a harassment-free experience for everyone, regardless of age, body 9 | size, disability, ethnicity, sex characteristics, gender identity and expression, 10 | level of experience, education, socio-economic status, nationality, personal 11 | appearance, race, religion, or sexual identity and orientation. 
12 | 13 | ## Our Standards 14 | 15 | Examples of behavior that contributes to creating a positive environment 16 | include: 17 | 18 | * Using welcoming and inclusive language 19 | * Being respectful of differing viewpoints and experiences 20 | * Gracefully accepting constructive criticism 21 | * Focusing on what is best for the community 22 | * Showing empathy towards other community members 23 | 24 | Examples of unacceptable behavior by participants include: 25 | 26 | * The use of sexualized language or imagery and unwelcome sexual attention or 27 | advances 28 | * Trolling, insulting/derogatory comments, and personal or political attacks 29 | * Public or private harassment 30 | * Publishing others' private information, such as a physical or electronic 31 | address, without explicit permission 32 | * Other conduct which could reasonably be considered inappropriate in a 33 | professional setting 34 | 35 | ## Our Responsibilities 36 | 37 | Project maintainers are responsible for clarifying the standards of acceptable 38 | behavior and are expected to take appropriate and fair corrective action in 39 | response to any instances of unacceptable behavior. 40 | 41 | Project maintainers have the right and responsibility to remove, edit, or 42 | reject comments, commits, code, wiki edits, issues, and other contributions 43 | that are not aligned to this Code of Conduct, or to ban temporarily or 44 | permanently any contributor for other behaviors that they deem inappropriate, 45 | threatening, offensive, or harmful. 46 | 47 | ## Scope 48 | 49 | This Code of Conduct applies both within project spaces and in public spaces 50 | when an individual is representing the project or its community. Examples of 51 | representing a project or community include using an official project e-mail 52 | address, posting via an official social media account, or acting as an appointed 53 | representative at an online or offline event. 
Representation of a project may be 54 | further defined and clarified by project maintainers. 55 | 56 | ## Enforcement 57 | 58 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 59 | reported by contacting the project team at oss-coc@omnissa.com. All 60 | complaints will be reviewed and investigated and will result in a response that 61 | is deemed necessary and appropriate to the circumstances. The project team is 62 | obligated to maintain confidentiality with regard to the reporter of an incident. 63 | Further details of specific enforcement policies may be posted separately. 64 | 65 | Project maintainers who do not follow or enforce the Code of Conduct in good 66 | faith may face temporary or permanent repercussions as determined by other 67 | members of the project's leadership. 68 | 69 | ## Attribution 70 | 71 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 72 | available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html 73 | 74 | [homepage]: https://www.contributor-covenant.org 75 | 76 | For answers to common questions about this code of conduct, see 77 | https://www.contributor-covenant.org/faq 78 | 79 | -------------------------------------------------------------------------------- /main.tf: -------------------------------------------------------------------------------- 1 | # Generated by: tsauerer@vmware.com 2 | # Thomas Sauerer 3 | # 4 | # Updated on: 04/14/22 5 | 6 | 7 | provider "nsxt" { 8 | host = var.host 9 | vmc_token = var.vmc_token 10 | allow_unverified_ssl = true 11 | enforcement_point = "vmc-enforcementpoint" 12 | } 13 | 14 | ###################### creating Network Segments ###################### 15 | ###################### can be outcommented "/* */" or edited ###################### 16 | 17 | data "nsxt_policy_transport_zone" "TZ" { 18 | display_name = "vmc-overlay-tz" 19 | } 20 | 21 | resource "nsxt_policy_segment" "ManagementHorizon" { 22 | 
display_name = "Horizon_MGMT" 23 | description = "Horizon_MGMT Segment provisioned by Terraform" 24 | connectivity_path = "/infra/tier-1s/cgw" 25 | transport_zone_path = data.nsxt_policy_transport_zone.TZ.path 26 | subnet { 27 | cidr = "172.16.199.1/24" 28 | dhcp_ranges = ["172.16.199.2-172.16.199.254"] 29 | } 30 | } 31 | resource "nsxt_policy_segment" "UAG_external" { 32 | display_name = "Horizon_UAG_external" 33 | description = "Horizon_UAG_external Segment provisioned by Terraform" 34 | connectivity_path = "/infra/tier-1s/cgw" 35 | transport_zone_path = data.nsxt_policy_transport_zone.TZ.path 36 | subnet { 37 | cidr = "172.16.200.250/29" 38 | } 39 | } 40 | resource "nsxt_policy_segment" "Windows_Desktops" { 41 | display_name = "Horizon_Windows_Desktops" 42 | description = "Horizon_Windows_Desktops Segment provisioned by Terraform" 43 | connectivity_path = "/infra/tier-1s/cgw" 44 | transport_zone_path = data.nsxt_policy_transport_zone.TZ.path 45 | subnet { 46 | cidr = "172.16.1.1/20" 47 | dhcp_ranges = ["172.16.1.2-172.16.15.254"] 48 | } 49 | } 50 | resource "nsxt_policy_segment" "Linux_Desktops" { 51 | display_name = "Horizon_Linux_Desktops" 52 | description = "Horizon_Linux_Desktops Segment provisioned by Terraform" 53 | connectivity_path = "/infra/tier-1s/cgw" 54 | transport_zone_path = data.nsxt_policy_transport_zone.TZ.path 55 | subnet { 56 | cidr = "172.16.16.1/20" 57 | dhcp_ranges = ["172.16.16.2-172.16.31.254"] 58 | } 59 | } 60 | 61 | ###################### creating all Services ###################### 62 | 63 | // creating Services TCP 8443: 64 | resource "nsxt_policy_service" "Blast_TCP8443" { 65 | description = "Blast service provisioned by Terraform" 66 | display_name = "Blast_TCP8443" 67 | 68 | l4_port_set_entry { 69 | display_name = "TCP8443" 70 | description = "TCP port 8443 entry" 71 | protocol = "TCP" 72 | destination_ports = ["8443"] 73 | } 74 | } 75 | 76 | // creating Services UDP 8443: 77 | resource "nsxt_policy_service" "Blast_UDP8443" { 78 | 
description = "Blast service provisioned by Terraform" 79 | display_name = "Blast_UDP8443" 80 | 81 | l4_port_set_entry { 82 | display_name = "UDP8443" 83 | description = "UDP port 8443 entry" 84 | protocol = "UDP" 85 | destination_ports = ["8443"] 86 | } 87 | } 88 | 89 | // creating Services TCP 9443: 90 | resource "nsxt_policy_service" "Blast_TCP9443" { 91 | description = "Blast service provisioned by Terraform" 92 | display_name = "Blast_TCP9443" 93 | 94 | l4_port_set_entry { 95 | display_name = "TCP9443" 96 | description = "TCP port 9443 entry" 97 | protocol = "TCP" 98 | destination_ports = ["9443"] 99 | } 100 | } 101 | 102 | // creating Services TCP 22443: 103 | resource "nsxt_policy_service" "Blast_TCP22443" { 104 | description = "Blast service provisioned by Terraform" 105 | display_name = "Blast_TCP22443" 106 | 107 | l4_port_set_entry { 108 | display_name = "TCP22443" 109 | description = "TCP port 22443 entry" 110 | protocol = "TCP" 111 | destination_ports = ["22443"] 112 | } 113 | } 114 | 115 | // creating Services UDP 22443: 116 | resource "nsxt_policy_service" "Blast_UDP22443" { 117 | description = "Blast service provisioned by Terraform" 118 | display_name = "Blast_UDP22443" 119 | 120 | l4_port_set_entry { 121 | display_name = "UDP22443" 122 | description = "UDP port 22443 entry" 123 | protocol = "UDP" 124 | destination_ports = ["22443"] 125 | } 126 | } 127 | 128 | // creating Services TCP 4172: 129 | resource "nsxt_policy_service" "PCoIP_TCP4172" { 130 | description = "PCoIP service provisioned by Terraform" 131 | display_name = "PCoIP_TCP4172" 132 | 133 | l4_port_set_entry { 134 | display_name = "TCP4172" 135 | description = "TCP port 4172 entry" 136 | protocol = "TCP" 137 | destination_ports = ["4172"] 138 | } 139 | } 140 | 141 | // creating Services UDP 4172: 142 | resource "nsxt_policy_service" "PCoIP_UDP4172" { 143 | description = "PCoIP service provisioned by Terraform" 144 | display_name = "PCoIP_UDP4172" 145 | 146 | l4_port_set_entry { 147 | 
display_name = "UDP4172" 148 | description = "UDP port 4172 entry" 149 | protocol = "UDP" 150 | destination_ports = ["4172"] 151 | } 152 | } 153 | 154 | // creating Services UDP 443: 155 | resource "nsxt_policy_service" "Blast_UDP443" { 156 | description = "Blast service provisioned by Terraform" 157 | display_name = "Blast_UDP443" 158 | 159 | l4_port_set_entry { 160 | display_name = "UDP443" 161 | description = "UDP port 433 entry" 162 | protocol = "UDP" 163 | destination_ports = ["443"] 164 | } 165 | } 166 | 167 | // creating Services TCP 9427: 168 | resource "nsxt_policy_service" "CDR_MMR_TCP9427" { 169 | description = "CDR/MMR service provisioned by Terraform" 170 | display_name = "CDR/MMR_TCP9427" 171 | 172 | l4_port_set_entry { 173 | display_name = "TCP9427" 174 | description = "TCP port 9427 entry" 175 | protocol = "TCP" 176 | destination_ports = ["9427"] 177 | } 178 | } 179 | 180 | // creating Services TCP 32111: 181 | resource "nsxt_policy_service" "USB_TCP32111" { 182 | description = "USB service provisioned by Terraform" 183 | display_name = "USB_TCP32111" 184 | 185 | l4_port_set_entry { 186 | display_name = "TCP32111" 187 | description = "TCP port 32111 entry" 188 | protocol = "TCP" 189 | destination_ports = ["32111"] 190 | } 191 | } 192 | 193 | // creating Services TCP 1433: 194 | resource "nsxt_policy_service" "EventDB_TCP1433" { 195 | description = "USB service provisioned by Terraform" 196 | display_name = "EventDB_TCP1433" 197 | 198 | l4_port_set_entry { 199 | display_name = "TCP1433" 200 | description = "TCP port 1433 entry" 201 | protocol = "TCP" 202 | destination_ports = ["1433"] 203 | } 204 | } 205 | 206 | // creating Services SSL_TCP22: 207 | resource "nsxt_policy_service" "SSL_TCP22" { 208 | description = "USB service provisioned by Terraform" 209 | display_name = "EventDB_TCP22" 210 | 211 | l4_port_set_entry { 212 | display_name = "TCP22" 213 | description = "TCP port 22 entry" 214 | protocol = "TCP" 215 | destination_ports = ["22"] 216 | } 
217 | } 218 | 219 | // creating Services TCP 3091: 220 | resource "nsxt_policy_service" "vROPS_TCP3091" { 221 | description = "vROPS service provisioned by Terraform" 222 | display_name = "vROPS_TCP3091" 223 | 224 | l4_port_set_entry { 225 | display_name = "TCP3091" 226 | description = "TCP port 3091 entry" 227 | protocol = "TCP" 228 | destination_ports = ["3091"] 229 | } 230 | } 231 | // creating Services TCP 3099: 232 | resource "nsxt_policy_service" "vROPS_TCP3099" { 233 | description = "vROPS service provisioned by Terraform" 234 | display_name = "vROPS_TCP3099" 235 | 236 | l4_port_set_entry { 237 | display_name = "TCP3099" 238 | description = "TCP port 3099 entry" 239 | protocol = "TCP" 240 | destination_ports = ["3099"] 241 | } 242 | } 243 | 244 | // creating Services TCP 3101: 245 | resource "nsxt_policy_service" "vROPS_TCP3101" { 246 | description = "vROPS service provisioned by Terraform" 247 | display_name = "vROPS_TCP3101" 248 | 249 | l4_port_set_entry { 250 | display_name = "TCP3101" 251 | description = "TCP port 3101 entry" 252 | protocol = "TCP" 253 | destination_ports = ["3101"] 254 | } 255 | } 256 | 257 | // creating Services TCP 3100: 258 | resource "nsxt_policy_service" "vROPS_TCP3100" { 259 | description = "vROPS service provisioned by Terraform" 260 | display_name = "vROPS_TCP3100" 261 | 262 | l4_port_set_entry { 263 | display_name = "TCP3100" 264 | description = "TCP port 3100 entry" 265 | protocol = "TCP" 266 | destination_ports = ["3100"] 267 | } 268 | } 269 | 270 | // creating Services TCP 22389: 271 | resource "nsxt_policy_service" "ADLDS_TCP22389" { 272 | description = "ADLDS service provisioned by Terraform" 273 | display_name = "ADLDS_TCP22389" 274 | 275 | l4_port_set_entry { 276 | display_name = "TCP22389" 277 | description = "TCP port 22389 entry" 278 | protocol = "TCP" 279 | destination_ports = ["22389"] 280 | } 281 | } 282 | 283 | // creating Services TCP 22636: 284 | resource "nsxt_policy_service" "ADLDS_TCP22636" { 285 | 
description = "ADLDS service provisioned by Terraform" 286 | display_name = "ADLDS_TCP22636" 287 | 288 | l4_port_set_entry { 289 | display_name = "TCP22636" 290 | description = "TCP port 22636 entry" 291 | protocol = "TCP" 292 | destination_ports = ["22636"] 293 | } 294 | } 295 | 296 | // creating Services TCP 8472: 297 | resource "nsxt_policy_service" "VIPA_TCP8472" { 298 | description = "VIPA service provisioned by Terraform" 299 | display_name = "VIPA_TCP8472" 300 | 301 | l4_port_set_entry { 302 | display_name = "TCP8472" 303 | description = "TCP port 8472 entry" 304 | protocol = "TCP" 305 | destination_ports = ["8472"] 306 | } 307 | } 308 | 309 | // creating Services TCP 4101: 310 | resource "nsxt_policy_service" "JMS_SSL_TCP4101" { 311 | description = "JMS_SSL service provisioned by Terraform" 312 | display_name = "JMS_SSL_TCP4101" 313 | 314 | l4_port_set_entry { 315 | display_name = "TCP4101" 316 | description = "TCP port 4101 entry" 317 | protocol = "TCP" 318 | destination_ports = ["4101"] 319 | } 320 | } 321 | 322 | // creating Services EHCache_TCP40002: 323 | resource "nsxt_policy_service" "EHCache_TCP40002" { 324 | description = "JMS_SSL service provisioned by Terraform" 325 | display_name = "EHCache_TCP40002" 326 | 327 | l4_port_set_entry { 328 | display_name = "TCP40002" 329 | description = "TCP port 40002 entry" 330 | protocol = "TCP" 331 | destination_ports = ["40002"] 332 | } 333 | } 334 | // creating Services EHCache_TCP40003: 335 | resource "nsxt_policy_service" "EHCache_TCP40003" { 336 | description = "JMS_SSL service provisioned by Terraform" 337 | display_name = "EHCache_TCP40003" 338 | 339 | l4_port_set_entry { 340 | display_name = "TCP40003" 341 | description = "TCP port 40003 entry" 342 | protocol = "TCP" 343 | destination_ports = ["40003"] 344 | } 345 | } 346 | 347 | // creating Services Audit_UDP54328: 348 | resource "nsxt_policy_service" "Audit_UDP54328" { 349 | description = "JMS_SSL service provisioned by Terraform" 350 | display_name = 
"Audit_UDP54328" 351 | 352 | l4_port_set_entry { 353 | display_name = "UDP54328" 354 | description = "UDP port 54328 entry" 355 | protocol = "UDP" 356 | destination_ports = ["54328"] 357 | } 358 | } 359 | 360 | // creating Services Audit_TCP9300: 361 | resource "nsxt_policy_service" "Audit_TCP9300" { 362 | description = "JMS_SSL service provisioned by Terraform" 363 | display_name = "Audit_TCP9300" 364 | 365 | l4_port_set_entry { 366 | display_name = "TCP9300" 367 | description = "UDP port 9300 entry" 368 | protocol = "UDP" 369 | destination_ports = ["9300"] 370 | } 371 | } 372 | 373 | // creating Services Audit_TCP9400: 374 | resource "nsxt_policy_service" "Audit_TCP9400" { 375 | description = "JMS_SSL service provisioned by Terraform" 376 | display_name = "Audit_TCP9400" 377 | 378 | l4_port_set_entry { 379 | display_name = "TCP9400" 380 | description = "UDP port 9400 entry" 381 | protocol = "UDP" 382 | destination_ports = ["9400"] 383 | } 384 | } 385 | 386 | // creating Services TCP 4002: 387 | resource "nsxt_policy_service" "JMS_SSL_TCP4002" { 388 | description = "JMS_SSL service provisioned by Terraform" 389 | display_name = "JMS_SSL_TCP4002" 390 | 391 | l4_port_set_entry { 392 | display_name = "TCP4002" 393 | description = "TCP port 4002 entry" 394 | protocol = "TCP" 395 | destination_ports = ["4002"] 396 | } 397 | } 398 | 399 | // creating Services TCP 11002: 400 | resource "nsxt_policy_service" "TCP11002" { 401 | description = "service provisioned by Terraform" 402 | display_name = "TCP11002" 403 | 404 | l4_port_set_entry { 405 | display_name = "TCP11002" 406 | description = "TCP port 11002 entry" 407 | protocol = "TCP" 408 | destination_ports = ["11002"] 409 | } 410 | } 411 | // creating Services replica_TCP135: 412 | resource "nsxt_policy_service" "replica_TCP135" { 413 | description = "service provisioned by Terraform" 414 | display_name = "replica_135" 415 | 416 | l4_port_set_entry { 417 | display_name = "TCP135" 418 | description = "TCP port 135 entry" 
protocol = "TCP"
destination_ports = ["135"]
  }
}

// creating Services RADIUS_Server_TCP1812:
// NOTE(review): RADIUS authentication/accounting is normally carried over UDP
// 1812/1813; these two services match TCP only. Confirm the RADIUS server in the
// RADIUS group actually listens on TCP, otherwise the rules that reference
// RADIUS_Server_TCP1812/1813 will never match the authentication traffic.
resource "nsxt_policy_service" "RADIUS_Server_TCP1812" {
  description = "service provisioned by Terraform"
  display_name = "RADIUS_Server_TCP1812"

  l4_port_set_entry {
    display_name = "TCP1812"
    description = "TCP port 1812 entry"
    protocol = "TCP"
    destination_ports = ["1812"]
  }
}

// creating Services RADIUS_Server_TCP1813:
// See the note on RADIUS_Server_TCP1812 (TCP vs. UDP).
resource "nsxt_policy_service" "RADIUS_Server_TCP1813" {
  description = "service provisioned by Terraform"
  display_name = "RADIUS_Server_TCP1813"

  l4_port_set_entry {
    display_name = "TCP1813"
    description = "TCP port 1813 entry"
    protocol = "TCP"
    destination_ports = ["1813"]
  }
}

// creating Services JMS_TCP4100:
resource "nsxt_policy_service" "JMS_TCP4100" {
  description = "service provisioned by Terraform"
  display_name = "JMS_TCP4100"

  l4_port_set_entry {
    display_name = "JMS_TCP4100"
    description = "TCP port 4100 entry"
    protocol = "TCP"
    destination_ports = ["4100"]
  }
}

// creating Services RSA_SecureID_UDP5500:
// Used by the UAG, Connection Server and Workspace ONE Connector rulesets below.
resource "nsxt_policy_service" "RSA_SecureID_UDP5500" {
  description = "service provisioned by Terraform"
  display_name = "RSA_SecureID_UDP5500"

  l4_port_set_entry {
    display_name = "RSA_SecureID_UDP5500"
    description = "UDP port 5500 entry"
    protocol = "UDP"
    destination_ports = ["5500"]
  }
}

// creating Services iOS_UDP88:
// NOTE(review): port 88 is the Kerberos port; the iOS_/TCP88 names describe the
// client type, not the protocol. Consider a name that carries both so the
// logged rule hits are self-explanatory.
resource "nsxt_policy_service" "iOS_UDP88" {
  description = "service provisioned by Terraform"
  display_name = "iOS_UDP88"

  l4_port_set_entry {
    display_name = "iOS_UDP88"
    description = "UDP port 88 entry"
    protocol = "UDP"
    destination_ports = ["88"]
  }
}

// creating Services iOS_TCP88:
resource "nsxt_policy_service" "iOS_TCP88" {
  description = "service provisioned by Terraform"
  display_name = "iOS_TCP88"

  l4_port_set_entry {
    display_name = "iOS_TCP88"
    description = "TCP port 88 entry"
    protocol = "TCP"
    destination_ports = ["88"]
  }
}

// creating Services Android_TCP5262:
resource "nsxt_policy_service" "Android_TCP5262" {
  description = "service provisioned by Terraform"
  display_name = "Android_TCP5262"

  l4_port_set_entry {
    display_name = "Android_TCP5262"
    description = "TCP port 5262 entry"
    protocol = "TCP"
    destination_ports = ["5262"]
  }
}

// creating Services SSL_cert_TCP7443:
resource "nsxt_policy_service" "SSL_cert_TCP7443" {
  description = "service provisioned by Terraform"
  display_name = "SSL_cert_TCP7443"

  l4_port_set_entry {
    display_name = "SSL_cert_TCP7443"
    description = "TCP port 7443 entry"
    protocol = "TCP"
    destination_ports = ["7443"]
  }
}

// creating Services Log_Insight_TCP9543:
resource "nsxt_policy_service" "Log_Insight_TCP9543" {
  description = "service provisioned by Terraform"
  display_name = "Log_Insight_TCP9543"

  l4_port_set_entry {
    display_name = "Log_Insight_TCP9543"
    description = "TCP port 9543 entry"
    protocol = "TCP"
    destination_ports = ["9543"]
  }
}

// creating Services ElasticSearch_TCP8200:
resource "nsxt_policy_service" "ElasticSearch_TCP8200" {
  description = "service provisioned by Terraform"
  display_name = "ElasticSearch_TCP8200"

  l4_port_set_entry {
    display_name = "ElasticSearch_TCP8200"
    description = "TCP port 8200 entry"
    protocol = "TCP"
    destination_ports = ["8200"]
  }
}

// creating Services Hazelcast_cache_TCP5701:
resource "nsxt_policy_service" "Hazelcast_cache_TCP5701" {
  description = "service provisioned by Terraform"
  display_name = "Hazelcast_cache_TCP5701"

  l4_port_set_entry {
    display_name = "Hazelcast_cache_TCP5701"
    description = "TCP port 5701 entry"
    protocol = "TCP"
    destination_ports = ["5701"]
  }
}

###################### creating all Groups ######################
// NOTE(review): apart from RFC_1918 none of the groups below carries a
// `criteria` block, so this file does not define their membership; it has to be
// assigned outside Terraform (tags / static members in NSX). Until that is done a
// group is empty and every ALLOW rule that references it matches nothing, while
// a rule that references it with `*_excluded = true` matches everything. Keep
// that in mind when reading the rulesets further down.

// creating Group for UAG_external:
resource "nsxt_policy_group" "UAG_external" {
  display_name = "UAG_external"
  description = "Created from Terraform UAG_external"
  domain = "cgw"
}

// creating Group for UAG_internal:
resource "nsxt_policy_group" "UAG_internal" {
  display_name = "UAG_internal"
  description = "Created from Terraform UAG_internal"
  domain = "cgw"
}

// creating Group for ConnectionServer:
resource "nsxt_policy_group" "ConnectionServer" {
  display_name = "ConnectionServer"
  description = "Created from Terraform ConnectionServer"
  domain = "cgw"
}

// creating Group for VDI-Environment:
resource "nsxt_policy_group" "VDI_Clients" {
  display_name = "VDI_Clients"
  description = "Created from Terraform VDI_Clients"
  domain = "cgw"
}

// creating Group for Log_Insight:
resource "nsxt_policy_group" "Log_Insight" {
  display_name = "Log_Insight"
  description = "Created from Terraform Log_Insight"
  domain = "cgw"
}

// creating Group for RADIUS:
resource "nsxt_policy_group" "RADIUS" {
  display_name = "RADIUS"
  description = "Created from Terraform RADIUS"
  domain = "cgw"
}

// creating Group for AppVolumes Manager:
resource "nsxt_policy_group" "AppVol_MGMT" {
  display_name = "AppVol_MGMT"
  description = "Created from Terraform AppVol_MGMT"
  domain = "cgw"
}

// creating Group for Event_Database:
resource "nsxt_policy_group" "Event_Database" {
  display_name = "Event_Database"
  description = "Created from Terraform Event_Database"
  domain = "cgw"
}

// creating Group for Admin_VMs:
// Source of every rule in the Admin_Access ruleset; membership of this group is
// effectively the administrative trust boundary of the design.
resource "nsxt_policy_group" "Admin_VMs" {
  display_name = "Admin_VMs"
  description = "Created from Terraform Admin_VMs"
  domain = "cgw"
}

// creating Group for vROPS:
resource "nsxt_policy_group" "vROPS" {
  display_name = "vROPS"
  description = "Created from Terraform vROPS"
  domain = "cgw"
}

// creating Group for Workspace1_Connector:
resource "nsxt_policy_group" "Workspace1_Connector" {
  display_name = "Workspace1_Connector"
  description = "Created from Terraform Workspace1_Connector"
  domain = "cgw"
}

// creating Group for Workspace1_Access:
resource "nsxt_policy_group" "Workspace1_Access" {
  display_name = "Workspace1_Access"
  description = "Created from Terraform Workspace1_Access"
  domain = "cgw"
}

// creating Group for Horizon Cloud_Connector:
resource "nsxt_policy_group" "Horizon_Cloud_Connector" {
  display_name = "Horizon_Cloud_Connector"
  description = "Created from Terraform Horizon_Cloud_Connector"
  domain = "cgw"
}

// creating Group for Enrollment_Server:
resource "nsxt_policy_group" "Enrollment_Server" {
  display_name = "Enrollment_Server"
  description = "Created from Terraform Enrollment_Server"
  domain = "cgw"
}

// creating Group for JMP_Server:
resource "nsxt_policy_group" "JMP_Server" {
  display_name = "JMP_Server"
  description = "Created from Terraform JMP_Server"
  domain = "cgw"
}

// creating Group for RFC_1918:
// The only group with static membership: the three private IPv4 ranges. The
// rulesets use it as the "internal" set, and the UAG_external ruleset uses it
// with `sources_excluded = true`, i.e. "every source that is NOT private" — so
// this group also defines what counts as external/internet in this design.
resource "nsxt_policy_group" "RFC_1918" {
  display_name = "RFC_1918"
  description = "Created from Terraform RFC_1918"
  domain = "cgw"

  criteria {
    ipaddress_expression {
      ip_addresses = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
    }
  }
}

// creating Group for Syslog:
resource "nsxt_policy_group" "Syslog" {
  display_name = "Syslog"
  description = "Created from Terraform Syslog"
  domain = "cgw"
}

// creating Group for DNS_Server:
resource "nsxt_policy_group" "DNS_Server" {
  display_name = "DNS_Server"
  description = "Created from Terraform DNS_Server"
  domain = "cgw"
}

// creating Group for Domain_Controller:
resource "nsxt_policy_group" "Domain_Controller" {
  display_name = "Domain_Controller"
  description = "Created from Terraform Domain_Controller"
  domain = "cgw"
}
// creating Group for RSA_SecureID_Server:
resource "nsxt_policy_group" "RSA_SecureID_Server" {
  display_name = "RSA_SecureID_Server"
  description = "Created from Terraform RSA_SecureID_Server"
  domain = "cgw"
}

// creating Group for AD_cert:
resource "nsxt_policy_group" "AD_cert" {
  display_name = "AD_cert"
  description = "Created from Terraform AD_cert"
  domain = "cgw"
}

// creating Group for AppVol_SQL:
resource "nsxt_policy_group" "AppVol_SQL" {
  display_name = "AppVol_SQL"
  description = "Created from Terraform AppVol_SQL"
  domain = "cgw"
}
// creating Group for NTP_Server:
resource "nsxt_policy_group" "NTP_Server" {
  display_name = "NTP_Server"
  description = "Created from Terraform NTP_Server"
  domain = "cgw"
}

// creating Group for Internet_Proxy:
resource "nsxt_policy_group" "Internet_Proxy" {
  display_name = "Internet_Proxy"
  description = "Created from Terraform Internet_Proxy"
  domain = "cgw"
}


###################### creating DFW Security Rules ######################
// NOTE(review): every rule in this file is `action = "ALLOW"` with `logged = true`.
// The log flag is what gives you an audit trail per rule, so rule display_names
// should be unique — several below are duplicated (see Admin_Access). There is no
// explicit DENY in this file (one is commented out in Horizon_VDI_Clients), so the
// effective default for anything not listed comes from the DFW default rule, not
// from here. None of the policies sets `sequence_number`; if ordering between
// policies of the same category ever matters (e.g. once a DENY is added), pin it.
// Style: the rulesets mix `"${x.path}"` and bare `x.path`; both evaluate the same,
// bare references are the Terraform 0.12+ form.
###################### creating Ruleset Infrastructure ######################
###################### creating Rules for DNS ######################
resource "nsxt_policy_security_policy" "DNS" {
  domain = "cgw"
  display_name = "DNS Service"
  description = "Terraform DNS Ruleset"
  category = "Infrastructure"

  // Any private address -> DNS servers, TCP and UDP 53.
  rule {
    display_name = "DNS Service"
    source_groups = ["${nsxt_policy_group.RFC_1918.path}"]
    destination_groups = ["${nsxt_policy_group.DNS_Server.path}"]
    action = "ALLOW"
    services = ["/infra/services/DNS", "/infra/services/DNS-UDP"]
    logged = true
  }
  // DNS servers -> any private address on 53. Presumably for forwarding to
  // internal upstream resolvers; replies to the rule above do not need it since
  // the DFW is stateful — confirm the intent, otherwise this rule is redundant.
  rule {
    display_name = "DNS Service"
    source_groups = ["${nsxt_policy_group.DNS_Server.path}"]
    destination_groups = ["${nsxt_policy_group.RFC_1918.path}"]
    action = "ALLOW"
    services = ["/infra/services/DNS", "/infra/services/DNS-UDP"]
    logged = true
  }
}

###################### creating Rules for NTP ######################

resource "nsxt_policy_security_policy" "NTP" {
  domain = "cgw"
  display_name = "NTP Service"
  description = "Terraform NTP Ruleset"
  category = "Infrastructure"

  rule {
    display_name = "NTP Service"
    source_groups = ["${nsxt_policy_group.RFC_1918.path}"]
    destination_groups = ["${nsxt_policy_group.NTP_Server.path}"]
    action = "ALLOW"
    services = ["/infra/services/NTP"]
    logged = true
  }
  // Same pattern as the second DNS rule (server -> any private); see note there.
  rule {
    display_name = "NTP Service"
    source_groups = ["${nsxt_policy_group.NTP_Server.path}"]
    destination_groups = ["${nsxt_policy_group.RFC_1918.path}"]
    action = "ALLOW"
    services = ["/infra/services/NTP"]
    logged = true
  }
}
###################### creating Ruleset Environment ######################
###################### creating Ruleset for Unified Access Gateway external ######################

resource "nsxt_policy_security_policy" "UAG_external" {
  domain = "cgw"
  display_name = "UAG_external"
  description = "Terraform UAG_external Ruleset"
  category = "Environment"

  // Internet-facing entry point. `sources_excluded = true` negates the RFC_1918
  // group, so this matches every source that is NOT a private address — i.e. the
  // externally reachable surface of the deployment is exactly this service list
  // on the UAG_external group. Keep the list minimal and review the logged hits.
  rule {
    display_name = "UAG_external_Clients_Inbound"
    source_groups = [nsxt_policy_group.RFC_1918.path]
    sources_excluded = true
    destination_groups = [nsxt_policy_group.UAG_external.path]
    action = "ALLOW"
    services = ["/infra/services/HTTPS", nsxt_policy_service.Blast_TCP8443.path, nsxt_policy_service.Blast_UDP443.path, nsxt_policy_service.PCoIP_TCP4172.path, nsxt_policy_service.PCoIP_UDP4172.path]
    logged = true
  }

  // UAG -> desktops: display protocols only (Blast, RDP, CDR/MMR, USB, PCoIP).
  rule {
    display_name = "UAG_external_VDI_Clients_Outbound"
    source_groups = [nsxt_policy_group.UAG_external.path]
    destination_groups = [nsxt_policy_group.VDI_Clients.path]
    action = "ALLOW"
    services = [nsxt_policy_service.Blast_TCP22443.path, "/infra/services/RDP", nsxt_policy_service.CDR_MMR_TCP9427.path, nsxt_policy_service.USB_TCP32111.path, nsxt_policy_service.PCoIP_TCP4172.path, nsxt_policy_service.PCoIP_UDP4172.path]
    logged = true
  }
  rule {
    display_name = "UAG_external_ConnectionServer_Outbound"
    source_groups = [nsxt_policy_group.UAG_external.path]
    destination_groups = [nsxt_policy_group.ConnectionServer.path]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
  // NOTE(review): the name says RADIUS but the only service is RSA SecurID
  // UDP 5500 (no RADIUS_Server_TCP1812/1813). Either the rule should reference
  // the RADIUS services, or the name should say SecurID — as written, RADIUS
  // from the external UAG is not allowed here. Same pattern in UAG_internal.
  rule {
    display_name = "UAG_external_RADIUS_Outbound"
    source_groups = [nsxt_policy_group.UAG_external.path]
    destination_groups = [nsxt_policy_group.RADIUS.path]
    action = "ALLOW"
    services = [nsxt_policy_service.RSA_SecureID_UDP5500.path]
    logged = true
  }
}


###################### creating Ruleset for Unified Access Gateway internal ######################

resource "nsxt_policy_security_policy" "UAG_internal" {
  domain = "cgw"
  display_name = "UAG_internal"
  description = "Terraform UAG_internal Ruleset"
  category = "Environment"

  // Mirror of UAG_external_Clients_Inbound but WITHOUT `sources_excluded`, so the
  // internal UAGs accept the same service list from private addresses only.
  rule {
    display_name = "UAG_internal_Clients_Inbound"
    source_groups = ["${nsxt_policy_group.RFC_1918.path}"]
    destination_groups = ["${nsxt_policy_group.UAG_internal.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS", "${nsxt_policy_service.Blast_TCP8443.path}", "${nsxt_policy_service.Blast_UDP443.path}", "${nsxt_policy_service.PCoIP_TCP4172.path}", "${nsxt_policy_service.PCoIP_UDP4172.path}"]
    logged = true
  }

  rule {
    display_name = "UAG_internal_VDI_Clients_Outbound"
    source_groups = ["${nsxt_policy_group.UAG_internal.path}"]
    destination_groups = ["${nsxt_policy_group.VDI_Clients.path}"]
    action = "ALLOW"
    services = ["${nsxt_policy_service.Blast_TCP22443.path}", "/infra/services/RDP", "${nsxt_policy_service.CDR_MMR_TCP9427.path}", "${nsxt_policy_service.USB_TCP32111.path}", "${nsxt_policy_service.PCoIP_TCP4172.path}", "${nsxt_policy_service.PCoIP_UDP4172.path}"]
    logged = true
  }

  rule {
    display_name = "UAG_internal_ConnectionServer_Outbound"
    source_groups = ["${nsxt_policy_group.UAG_internal.path}"]
    destination_groups = ["${nsxt_policy_group.ConnectionServer.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
  // See the RADIUS-vs-SecurID note on UAG_external_RADIUS_Outbound.
  rule {
    display_name = "UAG_internal_RADIUS_Outbound"
    source_groups = [nsxt_policy_group.UAG_internal.path]
    destination_groups = [nsxt_policy_group.RADIUS.path]
    action = "ALLOW"
    services = [nsxt_policy_service.RSA_SecureID_UDP5500.path]
    logged = true
  }
}

###################### creating Ruleset for Internal Connections without internal UAGs ######################
// NOTE(review): this ruleset lets ANY private address reach the desktops,
// Connection Servers and Workspace ONE components directly, bypassing the
// UAG_internal path above. It is meant as an alternative to internal UAGs (per
// the header); deploying both leaves the UAG_internal controls without effect.
// Pick one design, or comment this policy out when internal UAGs are in use.

resource "nsxt_policy_security_policy" "Internal_Client_Connection" {
  domain = "cgw"
  display_name = "Internal_Client_Connection"
  description = "Terraform Internal_Client_Connection Ruleset"
  category = "Environment"

  rule {
    display_name = "Internal_Client_Connection_VDI_Clients_Outbound"
    source_groups = ["${nsxt_policy_group.RFC_1918.path}"]
    destination_groups = ["${nsxt_policy_group.VDI_Clients.path}"]
    action = "ALLOW"
    services = ["/infra/services/RDP", "${nsxt_policy_service.CDR_MMR_TCP9427.path}", "${nsxt_policy_service.USB_TCP32111.path}", "${nsxt_policy_service.PCoIP_TCP4172.path}", "${nsxt_policy_service.PCoIP_UDP4172.path}", "/infra/services/HTTPS"]
    logged = true
  }
  rule {
    display_name = "Internal_Client_Connection_Connection_Server_Outbound"
    source_groups = ["${nsxt_policy_group.RFC_1918.path}"]
    destination_groups = ["${nsxt_policy_group.ConnectionServer.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS", "${nsxt_policy_service.Blast_TCP8443.path}"]
    logged = true
  }
  rule {
    display_name = "Internal_Client_Workspace_1_Access_Outbound"
    source_groups = ["${nsxt_policy_group.RFC_1918.path}"]
    destination_groups = ["${nsxt_policy_group.Workspace1_Access.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS", "${nsxt_policy_service.Blast_TCP8443.path}", "${nsxt_policy_service.iOS_TCP88.path}", "${nsxt_policy_service.iOS_UDP88.path}", "${nsxt_policy_service.Android_TCP5262.path}", "${nsxt_policy_service.SSL_cert_TCP7443.path}"]
    logged = true
  }
  rule {
    display_name = "Internal_Client_Workspace_1_Connector_Outbound"
    source_groups = ["${nsxt_policy_group.RFC_1918.path}"]
    destination_groups = ["${nsxt_policy_group.Workspace1_Connector.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
}

###################### creating Ruleset for Horizon Connection Server ######################

resource "nsxt_policy_security_policy" "Horizon_Connection_Server" {
  domain = "cgw"
  display_name = "Horizon_Connection_Server"
  description = "Terraform Horizon_Connection_Server Ruleset"
  category = "Environment"

  // Connection Server <-> Connection Server (replication, JMS, AD LDS, VIPA).
  // Several services here (replica_TCP135, JMS_SSL_TCP4101, ADLDS_*, VIPA_*,
  // EventDB_TCP1433) are defined earlier in this file, outside this section.
  rule {
    display_name = "Horizon_Connection_Server_Connection_Server_In-/Outbound"
    source_groups = ["${nsxt_policy_group.ConnectionServer.path}"]
    destination_groups = ["${nsxt_policy_group.ConnectionServer.path}"]
    action = "ALLOW"
    services = ["/infra/services/LDAP", "${nsxt_policy_service.USB_TCP32111.path}", "${nsxt_policy_service.replica_TCP135.path}", "${nsxt_policy_service.JMS_TCP4100.path}", "${nsxt_policy_service.JMS_SSL_TCP4101.path}", "${nsxt_policy_service.ADLDS_TCP22389.path}", "${nsxt_policy_service.ADLDS_TCP22636.path}", "${nsxt_policy_service.VIPA_TCP8472.path}"]
    logged = true
  }
  rule {
    display_name = "Horizon_Connection_Server_Event_DB_Outbound"
    source_groups = ["${nsxt_policy_group.ConnectionServer.path}"]
    destination_groups = ["${nsxt_policy_group.Event_Database.path}"]
    action = "ALLOW"
    services = ["${nsxt_policy_service.EventDB_TCP1433.path}"]
    logged = true
  }
  // Destination is the predefined MGW group for vCenter, referenced by its
  // hard-coded policy path rather than a Terraform resource.
  rule {
    display_name = "Horizon_Connection_Server_vCenter_Outbound"
    source_groups = ["${nsxt_policy_group.ConnectionServer.path}"]
    destination_groups = ["/infra/domains/mgw/groups/VCENTER"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
  rule {
    display_name = "Horizon_Connection_Server_VDI_Clients"
    source_groups = ["${nsxt_policy_group.ConnectionServer.path}"]
    destination_groups = ["${nsxt_policy_group.VDI_Clients.path}"]
    action = "ALLOW"
    services = ["${nsxt_policy_service.Blast_TCP22443.path}", "/infra/services/RDP", "${nsxt_policy_service.CDR_MMR_TCP9427.path}", "${nsxt_policy_service.USB_TCP32111.path}", "${nsxt_policy_service.PCoIP_TCP4172.path}", "${nsxt_policy_service.PCoIP_UDP4172.path}"]
    logged = true
  }
  // Reuses the USB_TCP32111 service because the port number matches; a
  // dedicated service name for the Enrollment Server port would make the
  // logged hits and this rule self-explanatory.
  rule {
    display_name = "Horizon_Connection_Server_Enrollment_Server_Outbound"
    source_groups = ["${nsxt_policy_group.ConnectionServer.path}"]
    destination_groups = ["${nsxt_policy_group.Enrollment_Server.path}"]
    action = "ALLOW"
    services = ["${nsxt_policy_service.USB_TCP32111.path}"]
    logged = true
  }

  rule {
    display_name = "Horizon_Connection_Server_RSA_SecurID"
    source_groups = ["${nsxt_policy_group.ConnectionServer.path}"]
    destination_groups = ["${nsxt_policy_group.RSA_SecureID_Server.path}"]
    action = "ALLOW"
    services = ["${nsxt_policy_service.RSA_SecureID_UDP5500.path}"]
    logged = true
  }
}

###################### creating Ruleset for Admin Access ######################
// NOTE(review): two display_names are used twice in this policy
// ("ADMIN_Workspace1_Access_Outbound" also covers the Workspace1_Connector
// destination, "Admin_Horizon_Connection_Server_Outbound" also covers vCenter).
// Because the rules are logged, duplicate names make the hits ambiguous during
// triage; give each rule a name that matches its destination, e.g.
// "ADMIN_Workspace1_Connector_Outbound" and "Admin_vCenter_Outbound".


resource "nsxt_policy_security_policy" "Admin_Access" {
  domain = "cgw"
  display_name = "Admin_Access"
  description = "Terraform Admin_Access Ruleset"
  category = "Environment"

  // UAG admin UI (TCP 9443) from the admin jump VMs only.
  rule {
    display_name = "ADMIN_UAG_External_Outbound"
    source_groups = ["${nsxt_policy_group.Admin_VMs.path}"]
    destination_groups = ["${nsxt_policy_group.UAG_external.path}"]
    action = "ALLOW"
    services = ["${nsxt_policy_service.Blast_TCP9443.path}"]
    logged = true
  }
  rule {
    display_name = "ADMIN_UAG_Internal_Outbound"
    source_groups = ["${nsxt_policy_group.Admin_VMs.path}"]
    destination_groups = ["${nsxt_policy_group.UAG_internal.path}"]
    action = "ALLOW"
    services = ["${nsxt_policy_service.Blast_TCP9443.path}"]
    logged = true
  }
  rule {
    display_name = "ADMIN_Workspace1_Access_Outbound"
    source_groups = ["${nsxt_policy_group.Admin_VMs.path}"]
    destination_groups = ["${nsxt_policy_group.Workspace1_Access.path}"]
    action = "ALLOW"
    services = ["${nsxt_policy_service.Blast_TCP8443.path}", "/infra/services/HTTPS", "${nsxt_policy_service.SSL_TCP22.path}"]
    logged = true
  }
  // Duplicate display_name — destination is the Connector, not Access (see note above).
  rule {
    display_name = "ADMIN_Workspace1_Access_Outbound"
    source_groups = ["${nsxt_policy_group.Admin_VMs.path}"]
    destination_groups = ["${nsxt_policy_group.Workspace1_Connector.path}"]
    action = "ALLOW"
    services = ["${nsxt_policy_service.Blast_TCP8443.path}", "${nsxt_policy_service.SSL_TCP22.path}"]
    logged = true
  }
  rule {
    display_name = "Admin_Horizon_Connection_Server_Outbound"
    source_groups = ["${nsxt_policy_group.Admin_VMs.path}"]
    destination_groups = ["${nsxt_policy_group.ConnectionServer.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
  // Duplicate display_name — destination is vCenter (MGW group), not the Connection Server.
  rule {
    display_name = "Admin_Horizon_Connection_Server_Outbound"
    source_groups = ["${nsxt_policy_group.Admin_VMs.path}"]
    destination_groups = ["/infra/domains/mgw/groups/VCENTER"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
  // Admin RDP to the desktop pool. ("Controle" is a typo in the display_name;
  // changing it is a cosmetic rename of the logged rule name.)
  rule {
    display_name = "Admin_Microsoft_Remote_Controle"
    source_groups = ["${nsxt_policy_group.Admin_VMs.path}"]
    destination_groups = ["${nsxt_policy_group.VDI_Clients.path}"]
    action = "ALLOW"
    services = ["/infra/services/RDP"]
    logged = true
  }
  rule {
    display_name = "Admin_Horizon_AppVol_Outbound"
    source_groups = ["${nsxt_policy_group.Admin_VMs.path}"]
    destination_groups = ["${nsxt_policy_group.AppVol_MGMT.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
  rule {
    display_name = "Admin_Horizon_vROPS_Outbound"
    source_groups = ["${nsxt_policy_group.Admin_VMs.path}"]
    destination_groups = ["${nsxt_policy_group.vROPS.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
  rule {
    display_name = "Admin_Horizon_Horizon_Cloud_Connector_Outbound"
    source_groups = ["${nsxt_policy_group.Admin_VMs.path}"]
    destination_groups = ["${nsxt_policy_group.Horizon_Cloud_Connector.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
}

###################### creating Ruleset for Horizon VDI Clients ######################

resource "nsxt_policy_security_policy" "Horizon_VDI_Clients" {
  domain = "cgw"
  display_name = "Horizon_VDI_Clients"
  description = "Terraform Horizon_VDI_Clients Ruleset"
  category = "Environment"

  rule {
    display_name = "VDI_Clients_Horizon_Connection_Server_Outbound"
    source_groups = ["${nsxt_policy_group.VDI_Clients.path}"]
    destination_groups = ["${nsxt_policy_group.ConnectionServer.path}"]
    action = "ALLOW"
    services = ["/infra/services/LDAP","/infra/services/LDAP-over-SSL", "${nsxt_policy_service.JMS_SSL_TCP4002.path}"]
    logged = true
  }
  rule {
    display_name = "VDI_Clients_Horizon_AppVol_Outbound"
    source_groups = ["${nsxt_policy_group.VDI_Clients.path}"]
    destination_groups = ["${nsxt_policy_group.AppVol_MGMT.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
  rule {
    display_name = "VDI_Clients_Horizon_vROPS_Outbound"
    source_groups = ["${nsxt_policy_group.VDI_Clients.path}"]
    destination_groups = ["${nsxt_policy_group.vROPS.path}"]
    action = "ALLOW"
    services = ["${nsxt_policy_service.vROPS_TCP3091.path}", "${nsxt_policy_service.vROPS_TCP3099.path}"]
    logged = true
  }
  // Name says "Inbound" but the source is the desktop pool and the destination
  // the Cloud Connector, i.e. outbound from the desktops — the other rules in
  // this policy use "_Outbound" for the same direction.
  rule {
    display_name = "VDI_Clients_Horizon_Cloud_Connector_Inbound"
    source_groups = ["${nsxt_policy_group.VDI_Clients.path}"]
    destination_groups = ["${nsxt_policy_group.Horizon_Cloud_Connector.path}"]
    action = "ALLOW"
    services = ["${nsxt_policy_service.TCP11002.path}"]
    logged = true
  }
  // NOTE(review): the desktop-to-desktop DENY below is the only east-west
  // control for the desktop pool in this file, and it is commented out. While
  // disabled, traffic between desktops falls through to whatever follows this
  // policy (the DFW default rule is not part of this file). If it is re-enabled,
  // make sure the policy order lets it take effect ahead of any broader ALLOW.
  /*
  rule {
    display_name = "VDI_Clients_VDI_Client"
    source_groups = ["${nsxt_policy_group.VDI_Clients.path}"]
    destination_groups = ["${nsxt_policy_group.VDI_Clients.path}"]
    action = "DENY"
    services = []
    logged = true
  }
  */

}

###################### creating Ruleset for Workspace1_Connector ######################

resource "nsxt_policy_security_policy" "Workspace1_Connector" {
  domain = "cgw"
  display_name = "Workspace1_Connector"
  description = "Terraform Workspace1_Connector Ruleset"
  category = "Environment"

  rule {
    display_name = "Workspace_One_Connector_Horizon_Connection_Server_Outbound"
    source_groups = ["${nsxt_policy_group.Workspace1_Connector.path}"]
    destination_groups = ["${nsxt_policy_group.ConnectionServer.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS", "/infra/services/LDAP", "/infra/services/LDAP-over-SSL"]
    logged = true
  }
  rule {
    display_name = "Workspace_One_Connector_Workspace_One_Access_Outbound"
    source_groups = ["${nsxt_policy_group.Workspace1_Connector.path}"]
    destination_groups = ["${nsxt_policy_group.Workspace1_Access.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
  // Directory sync / auth to AD using NSX system-defined services only. The
  // trailing comma in the list is valid HCL.
  rule {
    display_name = "Workspace_One_Connector_Domain_Controller"
    source_groups = ["${nsxt_policy_group.Workspace1_Connector.path}"]
    destination_groups = ["${nsxt_policy_group.Domain_Controller.path}"]
    action = "ALLOW"
    services = ["/infra/services/LDAP", "/infra/services/LDAP-over-SSL", "/infra/services/LDAP_Global_Catalog", "/infra/services/Windows-Global-Catalog-over-SSL", "/infra/services/KERBEROS-UDP", "/infra/services/KERBEROS-TCP", "/infra/services/Active_Directory_Server", "/infra/services/Active_Directory_Server_UDP", "/infra/services/MS_RPC_TCP", ]
    logged = true
  }
  rule {
    display_name = "Workspace_One_Connector_Syslog_Server"
    source_groups = ["${nsxt_policy_group.Workspace1_Connector.path}"]
    destination_groups = ["${nsxt_policy_group.Syslog.path}"]
    action = "ALLOW"
    services = ["/infra/services/Syslog-Server-UDP"]
    logged = true
  }
  rule {
    display_name = "Workspace_One_Connector_Log_Insight"
    source_groups = ["${nsxt_policy_group.Workspace1_Connector.path}"]
    destination_groups = ["${nsxt_policy_group.Log_Insight.path}"]
    action = "ALLOW"
    services = ["${nsxt_policy_service.Log_Insight_TCP9543.path}"]
    logged = true
  }
  // Uses the TCP RADIUS services; see the TCP-vs-UDP note on RADIUS_Server_TCP1812.
  rule {
    display_name = "Workspace_One_Connector_RADIUS"
    source_groups = ["${nsxt_policy_group.Workspace1_Connector.path}"]
    destination_groups = ["${nsxt_policy_group.RADIUS.path}"]
    action = "ALLOW"
    services = ["${nsxt_policy_service.RADIUS_Server_TCP1813.path}", "${nsxt_policy_service.RADIUS_Server_TCP1812.path}"]
    logged = true
  }
  rule {
    display_name = "Workspace_One_Connector_RSA_SecureID"
    source_groups = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.RSA_SecureID_Server.path]
    action = "ALLOW"
    services = [nsxt_policy_service.RSA_SecureID_UDP5500.path]
    logged = true
  }
  rule {
    display_name = "Workspace_One_Connector_Internet_Proxy"
    source_groups = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.Internet_Proxy.path]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
}


###################### creating Ruleset for Workspace1_Access ######################

resource "nsxt_policy_security_policy" "Workspace1_Access" {
  domain = "cgw"
  display_name = "Workspace1_Access"
  description = "Terraform Workspace1_Access Ruleset"
  category = "Environment"

  // Cluster-internal traffic between Workspace ONE Access nodes
  // (Elasticsearch, Hazelcast, EHCache, audit). EHCache_* and Audit_* services
  // are defined earlier in this file, outside this section.
  rule {
    display_name = "Workspace1_Access_Workspace1_Access"
    source_groups = ["${nsxt_policy_group.Workspace1_Access.path}"]
    destination_groups = ["${nsxt_policy_group.Workspace1_Access.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS", "${nsxt_policy_service.Blast_TCP8443.path}", "${nsxt_policy_service.ElasticSearch_TCP8200.path}", "${nsxt_policy_service.Hazelcast_cache_TCP5701.path}", "${nsxt_policy_service.EHCache_TCP40002.path}", "${nsxt_policy_service.EHCache_TCP40003.path}", "${nsxt_policy_service.Audit_UDP54328.path}", "${nsxt_policy_service.Audit_TCP9300.path}", "${nsxt_policy_service.Audit_TCP9400.path}"]
    logged = true
  }

  // NOTE(review): `source_groups = []` means ANY source — this is the only rule
  // in the file whose source is unrestricted, so it exposes HTTPS on Workspace
  // ONE Access to everything that can route to it, including non-private
  // addresses. If user access is meant to come through the UAGs or from the LAN
  // only, scope the source (e.g. RFC_1918 or the UAG groups) instead of ANY.
  rule {
    display_name = "Workspace1_Access_Inbound"
    source_groups = []
    destination_groups = ["${nsxt_policy_group.Workspace1_Access.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
}


###################### creating Ruleset for JMP_Server ######################

resource "nsxt_policy_security_policy" "JMP_Server" {
  domain = "cgw"
  display_name = "JMP_Server"
  description = "Terraform JMP_Server Ruleset"
  category = "Environment"

  rule {
    display_name = "JMP_Server_AppVol_Outbound"
    source_groups = ["${nsxt_policy_group.JMP_Server.path}"]
    destination_groups = ["${nsxt_policy_group.AppVol_MGMT.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
  rule {
    display_name = "JMP_Server_ConnectionServer_Outbound"
    source_groups = ["${nsxt_policy_group.JMP_Server.path}"]
    destination_groups = ["${nsxt_policy_group.ConnectionServer.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
}

###################### creating Ruleset for AppVolumes ######################

resource "nsxt_policy_security_policy" "AppVolumes" {
  domain = "cgw"
  display_name = "AppVolumes"
  description = "Terraform AppVolumes Ruleset"
  category = "Environment"

  // vCenter and ESXi are the predefined MGW groups, referenced by policy path.
  rule {
    display_name = "AppVol_vCenter_Outbound"
    source_groups = ["${nsxt_policy_group.AppVol_MGMT.path}"]
    destination_groups = ["/infra/domains/mgw/groups/VCENTER"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
  rule {
    display_name = "AppVol_ESXi_Outbound"
    source_groups = ["${nsxt_policy_group.AppVol_MGMT.path}"]
    destination_groups = ["/infra/domains/mgw/groups/ESXI"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
  rule {
    display_name = "AppVol_Domain_Controller_Outbound"
    source_groups = ["${nsxt_policy_group.AppVol_MGMT.path}"]
    destination_groups = ["${nsxt_policy_group.Domain_Controller.path}"]
    action = "ALLOW"
    services = ["/infra/services/LDAP", "/infra/services/LDAP-over-SSL"]
    logged = true
  }
  // NOTE(review): display_name duplicates the ESXi rule above, but this rule is
  // AppVol -> SQL on MS-SQL-S. Logged hits for the two rules are
  // indistinguishable by name; rename to e.g. "AppVol_SQL_Outbound".
  rule {
    display_name = "AppVol_ESXi_Outbound"
    source_groups = ["${nsxt_policy_group.AppVol_MGMT.path}"]
    destination_groups = ["${nsxt_policy_group.AppVol_SQL.path}"]
    action = "ALLOW"
    services = ["/infra/services/MS-SQL-S"]
    logged = true
  }
}

###################### creating Ruleset for Horizon_Cloud_Connector ######################

resource "nsxt_policy_security_policy" "Horizon_Cloud_Connector" {
  domain = "cgw"
  display_name = "Horizon_Cloud_Connector"
  description = "Terraform Horizon_Cloud_Connector Ruleset"
  category = "Environment"
  rule {
    display_name = "Cloud_Connector_ConnectionServer_Outbound"
    source_groups = ["${nsxt_policy_group.Horizon_Cloud_Connector.path}"]
    destination_groups = ["${nsxt_policy_group.ConnectionServer.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS", "${nsxt_policy_service.JMS_SSL_TCP4002.path}"]
    logged = true
  }
  // Internet egress only via the proxy group, not directly.
  rule {
    display_name = "Cloudconnector_internet"
    source_groups = ["${nsxt_policy_group.Horizon_Cloud_Connector.path}"]
    destination_groups = ["${nsxt_policy_group.Internet_Proxy.path}"]
    action = "ALLOW"
    services = ["/infra/services/HTTPS"]
    logged = true
  }
  // NOTE(review): as written this is NOT an inbound rule. Source is the Cloud
  // Connector and the destination group is negated (`destinations_excluded =
  // true`), so it allows SSH FROM the connector TO every destination that is not
  // a connector — far broader than the name suggests. If the intent is admin
  // SSH to the connector, source and destination are inverted (the source
  // should be the admin set, e.g. Admin_VMs, and the destination the connector,
  // without the exclusion); if connector-initiated SSH really is needed, name
  // the rule accordingly and narrow the destination. Logged, so hits are visible.
  rule {
    display_name = "Cloudconnector_Clients_Inbound"
    source_groups = ["${nsxt_policy_group.Horizon_Cloud_Connector.path}"]
    destination_groups = ["${nsxt_policy_group.Horizon_Cloud_Connector.path}"]
    destinations_excluded = true
    action = "ALLOW"
    services = ["/infra/services/SSH"]
    logged = true
  }

}

###################### creating Ruleset for Enrollment_Server ######################

resource "nsxt_policy_security_policy" "Enrollment_Server" {
  domain = "cgw"
  display_name = "Enrollment_Server"
  description = "Terraform Enrollment_Server Ruleset"
  category = "Environment"

  // Reuses replica_TCP135 (defined earlier in the file) for the RPC endpoint
  // mapper. NOTE(review): MS-RPC negotiates a dynamic port after 135; if
  // certificate enrollment fails with only this rule, the CA's RPC port range
  // (or a dedicated service for it) is the missing piece — confirm in the logs.
  rule {
    display_name = "Enrollment_Server_AD_Cert_Outbound"
    source_groups = ["${nsxt_policy_group.Enrollment_Server.path}"]
    destination_groups = ["${nsxt_policy_group.AD_cert.path}"]
    action = "ALLOW"
    services = ["${nsxt_policy_service.replica_TCP135.path}"]
    logged = true
  }
  rule {
    display_name = "Enrollment_Server_Domain_Controller_Outbound"
    source_groups = ["${nsxt_policy_group.Enrollment_Server.path}"]
    destination_groups = ["${nsxt_policy_group.Domain_Controller.path}"]
    action = "ALLOW"
    services = ["/infra/services/Microsoft_Active_Directory_V1"]
    logged = true
  }
}

--------------------------------------------------------------------------------
/VMC-PCI/main.tf:
--------------------------------------------------------------------------------
# Generated by: tsauerer@vmware.com
# Thomas Sauerer
#
# Updated on: 04/14/22



# Provider connection to the (local) NSX-T manager with username/password.
# NOTE(review): `allow_unverified_ssl = true` turns off TLS certificate
# verification for the manager connection, so the admin credentials passed in
# `password` could be intercepted by anything that can sit on the path to
# `host`. Acceptable for a lab; for anything else set it to false and supply the
# manager's CA via the provider's `ca_file` argument. The credentials come from
# variables — keep them out of committed tfvars and mark the password variable
# `sensitive = true` where it is declared.
provider "nsxt" {
  host = var.host
  username = var.username
  password = var.password
  vmc_auth_mode = "Basic"
  allow_unverified_ssl = true
  enforcement_point = "vmc-enforcementpoint"
}

###################### creating Network Segments ######################
###################### can be outcommented "/* */" or edited ######################

data "nsxt_policy_transport_zone" "TZ" {
  display_name = "vmc-overlay-tz"
}

# Segments attached to the CGW tier-1. `cidr` is the gateway address with the
# prefix length; all four prefixes fall inside 172.16.0.0/12.
resource "nsxt_policy_segment" "ManagementHorizon" {
  display_name = "Horizon_MGMT"
  description = "Horizon_MGMT Segment provisioned by Terraform"
  connectivity_path = "/infra/tier-1s/cgw"
  transport_zone_path = data.nsxt_policy_transport_zone.TZ.path
  subnet {
    cidr = "172.16.199.1/24"
    dhcp_ranges = ["172.16.199.2-172.16.199.254"]
  }
}
# Small /29 for the external UAGs, no DHCP — static addressing intended.
resource "nsxt_policy_segment" "UAG_external" {
  display_name = "Horizon_UAG_external"
  description = "Horizon_UAG_external Segment provisioned by Terraform"
  connectivity_path = "/infra/tier-1s/cgw"
  transport_zone_path = data.nsxt_policy_transport_zone.TZ.path
  subnet {
    cidr = "172.16.200.250/29"
  }
}
resource "nsxt_policy_segment" "Windows_Desktops" {
  display_name = "Horizon_Windows_Desktops"
  description = "Horizon_Windows_Desktops Segment provisioned by Terraform"
  connectivity_path = "/infra/tier-1s/cgw"
  transport_zone_path = data.nsxt_policy_transport_zone.TZ.path
  subnet {
    cidr = "172.16.1.1/20"
    dhcp_ranges = ["172.16.1.2-172.16.15.254"]
  }
}
resource "nsxt_policy_segment" "Linux_Desktops" {
  display_name = "Horizon_Linux_Desktops"
  description = "Horizon_Linux_Desktops Segment provisioned by Terraform"
  connectivity_path = "/infra/tier-1s/cgw"
  transport_zone_path = data.nsxt_policy_transport_zone.TZ.path
  subnet {
    cidr = "172.16.16.1/20"
    dhcp_ranges = ["172.16.16.2-172.16.31.254"]
  }
}

###################### creating all Services ######################

// creating Services TCP 8443:
resource "nsxt_policy_service" "Blast_TCP8443" {
  description = "Blast service provisioned by Terraform"
  display_name = "Blast_TCP8443"

  l4_port_set_entry {
    display_name = "TCP8443"
    description = "TCP port 8443 entry"
    protocol = "TCP"
    destination_ports = ["8443"]
  }
}

// creating Services UDP 8443:
resource "nsxt_policy_service" "Blast_UDP8443" {
  description = "Blast service provisioned by Terraform"
  display_name = "Blast_UDP8443"

  l4_port_set_entry {
    display_name = "UDP8443"
    description = "UDP port 8443 entry"
    protocol = "UDP"
    destination_ports = ["8443"]
  }
}

// creating Services TCP 9443:
// UAG admin interface port; referenced by the Admin_Access ruleset.
resource "nsxt_policy_service" "Blast_TCP9443" {
  description = "Blast service provisioned by Terraform"
  display_name = "Blast_TCP9443"

  l4_port_set_entry {
    display_name = "TCP9443"
    description = "TCP port 9443 entry"
    protocol = "TCP"
    destination_ports = ["9443"]
  }
}

// creating Services TCP 22443:
resource "nsxt_policy_service" "Blast_TCP22443" {
  description = "Blast service provisioned by Terraform"
  display_name = "Blast_TCP22443"

  l4_port_set_entry {
    display_name = "TCP22443"
description = "TCP port 22443 entry" 112 | protocol = "TCP" 113 | destination_ports = ["22443"] 114 | } 115 | } 116 | 117 | // creating Services UDP 22443: 118 | resource "nsxt_policy_service" "Blast_UDP22443" { 119 | description = "Blast service provisioned by Terraform" 120 | display_name = "Blast_UDP22443" 121 | 122 | l4_port_set_entry { 123 | display_name = "UDP22443" 124 | description = "UDP port 22443 entry" 125 | protocol = "UDP" 126 | destination_ports = ["22443"] 127 | } 128 | } 129 | 130 | // creating Services TCP 4172: 131 | resource "nsxt_policy_service" "PCoIP_TCP4172" { 132 | description = "PCoIP service provisioned by Terraform" 133 | display_name = "PCoIP_TCP4172" 134 | 135 | l4_port_set_entry { 136 | display_name = "TCP4172" 137 | description = "TCP port 4172 entry" 138 | protocol = "TCP" 139 | destination_ports = ["4172"] 140 | } 141 | } 142 | 143 | // creating Services UDP 4172: 144 | resource "nsxt_policy_service" "PCoIP_UDP4172" { 145 | description = "PCoIP service provisioned by Terraform" 146 | display_name = "PCoIP_UDP4172" 147 | 148 | l4_port_set_entry { 149 | display_name = "UDP4172" 150 | description = "UDP port 4172 entry" 151 | protocol = "UDP" 152 | destination_ports = ["4172"] 153 | } 154 | } 155 | 156 | // creating Services UDP 443: 157 | resource "nsxt_policy_service" "Blast_UDP443" { 158 | description = "Blast service provisioned by Terraform" 159 | display_name = "Blast_UDP443" 160 | 161 | l4_port_set_entry { 162 | display_name = "UDP443" 163 | description = "UDP port 433 entry" 164 | protocol = "UDP" 165 | destination_ports = ["443"] 166 | } 167 | } 168 | 169 | // creating Services TCP 9427: 170 | resource "nsxt_policy_service" "CDR_MMR_TCP9427" { 171 | description = "CDR/MMR service provisioned by Terraform" 172 | display_name = "CDR/MMR_TCP9427" 173 | 174 | l4_port_set_entry { 175 | display_name = "TCP9427" 176 | description = "TCP port 9427 entry" 177 | protocol = "TCP" 178 | destination_ports = ["9427"] 179 | } 180 | } 181 | 
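// creating Services TCP 32111:
resource "nsxt_policy_service" "USB_TCP32111" {
  description  = "USB service provisioned by Terraform"
  display_name = "USB_TCP32111"

  l4_port_set_entry {
    display_name      = "TCP32111"
    description       = "TCP port 32111 entry"
    protocol          = "TCP"
    destination_ports = ["32111"]
  }
}

// creating Services TCP 1433:
resource "nsxt_policy_service" "EventDB_TCP1433" {
  description  = "Event database service provisioned by Terraform" // was copy-pasted as "USB service"
  display_name = "EventDB_TCP1433"

  l4_port_set_entry {
    display_name      = "TCP1433"
    description       = "TCP port 1433 entry"
    protocol          = "TCP"
    destination_ports = ["1433"]
  }
}

// creating Services SSL_TCP22:
// display_name and description were copy-pasted from other services ("EventDB_TCP22", "USB
// service"); aligned with the resource name so the NSX object is recognisable in the UI/logs.
resource "nsxt_policy_service" "SSL_TCP22" {
  description  = "SSH service provisioned by Terraform"
  display_name = "SSL_TCP22"

  l4_port_set_entry {
    display_name      = "TCP22"
    description       = "TCP port 22 entry"
    protocol          = "TCP"
    destination_ports = ["22"]
  }
}

// creating Services TCP 3091:
resource "nsxt_policy_service" "vROPS_TCP3091" {
  description  = "vROPS service provisioned by Terraform"
  display_name = "vROPS_TCP3091"

  l4_port_set_entry {
    display_name      = "TCP3091"
    description       = "TCP port 3091 entry"
    protocol          = "TCP"
    destination_ports = ["3091"]
  }
}
// creating Services TCP 3099:
resource "nsxt_policy_service" "vROPS_TCP3099" {
  description  = "vROPS service provisioned by Terraform"
  display_name = "vROPS_TCP3099"

  l4_port_set_entry {
    display_name      = "TCP3099"
    description       = "TCP port 3099 entry"
    protocol          = "TCP"
    destination_ports = ["3099"]
  }
}

// creating Services TCP 3101:
resource "nsxt_policy_service" "vROPS_TCP3101" {
  description  = "vROPS service provisioned by Terraform"
  display_name = "vROPS_TCP3101"

  l4_port_set_entry {
    display_name      = "TCP3101"
    description       = "TCP port 3101 entry"
    protocol          = "TCP"
    destination_ports = ["3101"]
  }
}

// creating Services TCP 3100:
resource "nsxt_policy_service" "vROPS_TCP3100" {
  description  = "vROPS service provisioned by Terraform"
  display_name = "vROPS_TCP3100"

  l4_port_set_entry {
    display_name      = "TCP3100"
    description       = "TCP port 3100 entry"
    protocol          = "TCP"
    destination_ports = ["3100"]
  }
}

// creating Services TCP 22389:
resource "nsxt_policy_service" "ADLDS_TCP22389" {
  description  = "ADLDS service provisioned by Terraform"
  display_name = "ADLDS_TCP22389"

  l4_port_set_entry {
    display_name      = "TCP22389"
    description       = "TCP port 22389 entry"
    protocol          = "TCP"
    destination_ports = ["22389"]
  }
}

// creating Services TCP 22636:
resource "nsxt_policy_service" "ADLDS_TCP22636" {
  description  = "ADLDS service provisioned by Terraform"
  display_name = "ADLDS_TCP22636"

  l4_port_set_entry {
    display_name      = "TCP22636"
    description       = "TCP port 22636 entry"
    protocol          = "TCP"
    destination_ports = ["22636"]
  }
}

// creating Services TCP 8472:
resource "nsxt_policy_service" "VIPA_TCP8472" {
  description  = "VIPA service provisioned by Terraform"
  display_name = "VIPA_TCP8472"

  l4_port_set_entry {
    display_name      = "TCP8472"
    description       = "TCP port 8472 entry"
    protocol          = "TCP"
    destination_ports = ["8472"]
  }
}

// creating Services TCP 4101:
resource "nsxt_policy_service" "JMS_SSL_TCP4101" {
  description  = "JMS_SSL service provisioned by Terraform"
  display_name = "JMS_SSL_TCP4101"

  l4_port_set_entry {
    display_name      = "TCP4101"
    description       = "TCP port 4101 entry"
    protocol          = "TCP"
    destination_ports = ["4101"]
  }
}

// creating Services EHCache_TCP40002:
resource "nsxt_policy_service" "EHCache_TCP40002" {
  description  = "EHCache service provisioned by Terraform" // was copy-pasted as "JMS_SSL service"
  display_name = "EHCache_TCP40002"

  l4_port_set_entry {
    display_name      = "TCP40002"
    description       = "TCP port 40002 entry"
    protocol          = "TCP"
    destination_ports = ["40002"]
  }
}
// creating Services EHCache_TCP40003:
resource "nsxt_policy_service" "EHCache_TCP40003" {
  description  = "EHCache service provisioned by Terraform" // was copy-pasted as "JMS_SSL service"
  display_name = "EHCache_TCP40003"

  l4_port_set_entry {
    display_name      = "TCP40003"
    description       = "TCP port 40003 entry"
    protocol          = "TCP"
    destination_ports = ["40003"]
  }
}

// creating Services Audit_UDP54328:
resource "nsxt_policy_service" "Audit_UDP54328" {
  description  = "Audit service provisioned by Terraform" // was copy-pasted as "JMS_SSL service"
  display_name = "Audit_UDP54328"

  l4_port_set_entry {
    display_name      = "UDP54328"
    description       = "UDP port 54328 entry"
    protocol          = "UDP"
    destination_ports = ["54328"]
  }
}

// creating Services Audit_TCP9300:
// The resource and entry names declare TCP while the entry was defined as UDP, so any rule
// referencing Audit_TCP9300 silently matched no TCP traffic. The protocol now follows the
// name (the author's convention, cf. Audit_UDP54328); if UDP really was intended, rename
// the resource instead of reverting this.
resource "nsxt_policy_service" "Audit_TCP9300" {
  description  = "Audit service provisioned by Terraform"
  display_name = "Audit_TCP9300"

  l4_port_set_entry {
    display_name      = "TCP9300"
    description       = "TCP port 9300 entry"
    protocol          = "TCP"
    destination_ports = ["9300"]
  }
}

// creating Services Audit_TCP9400:
// Same name/protocol contradiction as Audit_TCP9300, resolved the same way.
resource "nsxt_policy_service" "Audit_TCP9400" {
  description  = "Audit service provisioned by Terraform"
  display_name = "Audit_TCP9400"

  l4_port_set_entry {
    display_name      = "TCP9400"
    description       = "TCP port 9400 entry"
    protocol          = "TCP"
    destination_ports = ["9400"]
  }
}

// creating Services TCP 4002:
resource "nsxt_policy_service" "JMS_SSL_TCP4002" {
  description  = "JMS_SSL service provisioned by Terraform"
  display_name = "JMS_SSL_TCP4002"

  l4_port_set_entry {
    display_name      = "TCP4002"
    description       = "TCP port 4002 entry"
    protocol          = "TCP"
    destination_ports = ["4002"]
  }
}

// creating Services TCP 11002:
resource "nsxt_policy_service" "TCP11002" {
  description  = "service provisioned by Terraform"
  display_name = "TCP11002"

  l4_port_set_entry {
    display_name      = "TCP11002"
    description       = "TCP port 11002 entry"
    protocol          = "TCP"
    destination_ports = ["11002"]
  }
}
// creating Services replica_TCP135:
resource "nsxt_policy_service" "replica_TCP135" {
  description  = "service provisioned by Terraform"
  display_name = "replica_135"

  l4_port_set_entry {
    display_name      = "TCP135"
    description       = "TCP port 135 entry"
    protocol          = "TCP"
    destination_ports = ["135"]
  }
}

// creating Services RADIUS_Server_TCP1812:
// NOTE(review): RADIUS (RFC 2865/2866) is carried over UDP 1812/1813 on most servers; confirm
// the RADIUS server in use actually listens on TCP before relying on these two services.
// None of the rules visible in this file reference them yet.
resource "nsxt_policy_service" "RADIUS_Server_TCP1812" {
  description  = "service provisioned by Terraform"
  display_name = "RADIUS_Server_TCP1812"

  l4_port_set_entry {
    display_name      = "TCP1812"
    description       = "TCP port 1812 entry"
    protocol          = "TCP"
    destination_ports = ["1812"]
  }
}

// creating Services RADIUS_Server_TCP1813:
resource "nsxt_policy_service" "RADIUS_Server_TCP1813" {
  description  = "service provisioned by Terraform"
  display_name = "RADIUS_Server_TCP1813"

  l4_port_set_entry {
    display_name      = "TCP1813"
    description       = "TCP port 1813 entry"
    protocol          = "TCP"
    destination_ports = ["1813"]
  }
}

// creating Services JMS_TCP4100:
resource "nsxt_policy_service" "JMS_TCP4100" {
  description  = "service provisioned by Terraform"
  display_name = "JMS_TCP4100"

  l4_port_set_entry {
    display_name      = "JMS_TCP4100"
    description       = "TCP port 4100 entry"
    protocol          = "TCP"
    destination_ports = ["4100"]
  }
}

// creating Services RSA_SecureID_UDP5500:
resource "nsxt_policy_service" "RSA_SecureID_UDP5500" {
  description  = "service provisioned by Terraform"
  display_name = "RSA_SecureID_UDP5500"

  l4_port_set_entry {
    display_name      = "RSA_SecureID_UDP5500"
    description       = "UDP port 5500 entry"
    protocol          = "UDP"
    destination_ports = ["5500"]
  }
}

// creating Services iOS_UDP88:
resource "nsxt_policy_service" "iOS_UDP88" {
  description  = "service provisioned by Terraform"
  display_name = "iOS_UDP88"

  l4_port_set_entry {
    display_name      = "iOS_UDP88"
    description       = "UDP port 88 entry"
    protocol          = "UDP"
    destination_ports = ["88"]
  }
}

// creating Services iOS_TCP88:
resource "nsxt_policy_service" "iOS_TCP88" {
  description  = "service provisioned by Terraform"
  display_name = "iOS_TCP88"

  l4_port_set_entry {
    display_name      = "iOS_TCP88"
    description       = "TCP port 88 entry"
    protocol          = "TCP"
    destination_ports = ["88"]
  }
}

// creating Services Android_TCP5262:
resource "nsxt_policy_service" "Android_TCP5262" {
  description  = "service provisioned by Terraform"
  display_name = "Android_TCP5262"

  l4_port_set_entry {
    display_name      = "Android_TCP5262"
    description       = "TCP port 5262 entry"
    protocol          = "TCP"
    destination_ports = ["5262"]
  }
}

// creating Services SSL_cert_TCP7443:
resource "nsxt_policy_service" "SSL_cert_TCP7443" {
  description  = "service provisioned by Terraform"
  display_name = "SSL_cert_TCP7443"

  l4_port_set_entry {
    display_name      = "SSL_cert_TCP7443"
    description       = "TCP port 7443 entry"
    protocol          = "TCP"
    destination_ports = ["7443"]
  }
}

// creating Services Log_Insight_TCP9543:
resource "nsxt_policy_service" "Log_Insight_TCP9543" {
  description  = "service provisioned by Terraform"
  display_name = "Log_Insight_TCP9543"

  l4_port_set_entry {
    display_name      = "Log_Insight_TCP9543"
    description       = "TCP port 9543 entry"
    protocol          = "TCP"
    destination_ports = ["9543"]
  }
}

// creating Services ElasticSearch_TCP8200:
resource "nsxt_policy_service" "ElasticSearch_TCP8200" {
  description  = "service provisioned by Terraform"
  display_name = "ElasticSearch_TCP8200"

  l4_port_set_entry {
    display_name      = "ElasticSearch_TCP8200"
    description       = "TCP port 8200 entry"
    protocol          = "TCP"
    destination_ports = ["8200"]
  }
}

// creating Services Hazelcast_cache_TCP5701:
resource "nsxt_policy_service" "Hazelcast_cache_TCP5701" {
  description  = "service provisioned by Terraform"
  display_name = "Hazelcast_cache_TCP5701"

  l4_port_set_entry {
    display_name      = "Hazelcast_cache_TCP5701"
    description       = "TCP port 5701 entry"
    protocol          = "TCP"
    destination_ports = ["5701"]
  }
}

###################### creating all Groups ######################
// All groups except RFC_1918 are created without membership criteria: VMs have to be added
// (tag/static membership) outside this configuration, and until that happens every rule
// referencing the group matches nothing.

// creating Group for UAG_external:
resource "nsxt_policy_group" "UAG_external" {
  display_name = "UAG_external"
  description  = "Created from Terraform UAG_external"
  domain       = "cgw"
}

// creating Group for UAG_internal:
resource "nsxt_policy_group" "UAG_internal" {
  display_name = "UAG_internal"
  description  = "Created from Terraform UAG_internal"
  domain       = "cgw"
}

// creating Group for ConnectionServer:
resource "nsxt_policy_group" "ConnectionServer" {
  display_name = "ConnectionServer"
  description  = "Created from Terraform ConnectionServer"
  domain       = "cgw"
}

// creating Group for VDI-Environment:
resource "nsxt_policy_group" "VDI_Clients" {
  display_name = "VDI_Clients"
  description  = "Created from Terraform VDI_Clients"
  domain       = "cgw"
}

// creating Group for Log_Insight:
resource "nsxt_policy_group" "Log_Insight" {
  display_name = "Log_Insight"
  description  = "Created from Terraform Log_Insight"
  domain       = "cgw"
}

// creating Group for RADIUS:
resource "nsxt_policy_group" "RADIUS" {
  display_name = "RADIUS"
  description  = "Created from Terraform RADIUS"
  domain       = "cgw"
}

// creating Group for AppVolumes Manager:
resource "nsxt_policy_group" "AppVol_MGMT" {
  display_name = "AppVol_MGMT"
  description  = "Created from Terraform AppVol_MGMT"
  domain       = "cgw"
}

// creating Group for Event_Database:
resource "nsxt_policy_group" "Event_Database" {
  display_name = "Event_Database"
  description  = "Created from Terraform Event_Database"
  domain       = "cgw"
}

// creating Group for Admin_VMs:
resource "nsxt_policy_group" "Admin_VMs" {
  display_name = "Admin_VMs"
  description  = "Created from Terraform Admin_VMs"
  domain       = "cgw"
}

// creating Group for vROPS:
resource "nsxt_policy_group" "vROPS" {
  display_name = "vROPS"
  description  = "Created from Terraform vROPS"
  domain       = "cgw"
}

// creating Group for Workspace1_Connector:
resource "nsxt_policy_group" "Workspace1_Connector" {
  display_name = "Workspace1_Connector"
  description  = "Created from Terraform Workspace1_Connector"
  domain       = "cgw"
}

// creating Group for Workspace1_Access:
resource "nsxt_policy_group" "Workspace1_Access" {
  display_name = "Workspace1_Access"
  description  = "Created from Terraform Workspace1_Access"
  domain       = "cgw"
}

// creating Group for Horizon Cloud_Connector:
resource "nsxt_policy_group" "Horizon_Cloud_Connector" {
  display_name = "Horizon_Cloud_Connector"
  description  = "Created from Terraform Horizon_Cloud_Connector"
  domain       = "cgw"
}

// creating Group for Enrollment_Server:
resource "nsxt_policy_group" "Enrollment_Server" {
  display_name = "Enrollment_Server"
  description  = "Created from Terraform Enrollment_Server"
  domain       = "cgw"
}

// creating Group for JMP_Server:
resource "nsxt_policy_group" "JMP_Server" {
  display_name = "JMP_Server"
  description  = "Created from Terraform JMP_Server"
  domain       = "cgw"
}

// creating Group for RFC_1918:
// Serves as "internal" for the DNS/NTP/client rules and, when negated with
// sources_excluded, as "everything else / Internet" — so it must cover the complete
// RFC 1918 space or the negated rules expose addresses that were meant to be internal.
resource "nsxt_policy_group" "RFC_1918" {
  display_name = "RFC_1918"
  description  = "Created from Terraform RFC_1918"
  domain       = "cgw"

  criteria {
    ipaddress_expression {
      # 172.16.0.0/12 is the RFC 1918 block. The earlier value 172.16.0.0/16 covered only
      # 172.16.x, so 172.17.0.0–172.31.255.255 was treated as non-private: denied by the
      # RFC_1918-sourced rules and, worse, admitted by the rules that negate this group.
      ip_addresses = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
    }
  }
}

// creating Group for Syslog:
resource "nsxt_policy_group" "Syslog" {
  display_name = "Syslog"
  description  = "Created from Terraform Syslog"
  domain       = "cgw"
}

// creating Group for DNS_Server:
resource "nsxt_policy_group" "DNS_Server" {
  display_name = "DNS_Server"
  description  = "Created from Terraform DNS_Server"
  domain       = "cgw"
}

// creating Group for Domain_Controller:
resource "nsxt_policy_group" "Domain_Controller" {
  display_name = "Domain_Controller"
  description  = "Created from Terraform Domain_Controller"
  domain       = "cgw"
}
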
// creating Group for RSA_SecureID_Server: 710 | resource "nsxt_policy_group" "RSA_SecureID_Server" { 711 | display_name = "RSA_SecureID_Server" 712 | description = "Created from Terraform RSA_SecureID_Server" 713 | domain = "cgw" 714 | } 715 | 716 | // creating Group for AD_cert: 717 | resource "nsxt_policy_group" "AD_cert" { 718 | display_name = "AD_cert" 719 | description = "Created from Terraform AD_cert" 720 | domain = "cgw" 721 | } 722 | 723 | // creating Group for AppVol_SQL: 724 | resource "nsxt_policy_group" "AppVol_SQL" { 725 | display_name = "AppVol_SQL" 726 | description = "Created from Terraform AppVol_SQL" 727 | domain = "cgw" 728 | } 729 | // creating Group for NTP_Server: 730 | resource "nsxt_policy_group" "NTP_Server" { 731 | display_name = "NTP_Server" 732 | description = "Created from Terraform NTP_Server" 733 | domain = "cgw" 734 | } 735 | 736 | // creating Group for Internet_Proxy: 737 | resource "nsxt_policy_group" "Internet_Proxy" { 738 | display_name = "Internet_Proxy" 739 | description = "Created from Terraform Internet_Proxy" 740 | domain = "cgw" 741 | } 742 | 743 | 744 | ###################### creating DFW Security Rules ###################### 745 | ###################### creating Ruleset Infrastructure ###################### 746 | ###################### creating Rules for DNS ###################### 747 | resource "nsxt_policy_security_policy" "DNS" { 748 | domain = "cgw" 749 | display_name = "DNS Service" 750 | description = "Terraform DNS Ruleset" 751 | category = "Infrastructure" 752 | 753 | rule { 754 | display_name = "DNS Service" 755 | source_groups = ["${nsxt_policy_group.RFC_1918.path}"] 756 | destination_groups = ["${nsxt_policy_group.DNS_Server.path}"] 757 | action = "ALLOW" 758 | services = ["/infra/services/DNS", "/infra/services/DNS-UDP"] 759 | logged = true 760 | } 761 | rule { 762 | display_name = "DNS Service" 763 | source_groups = ["${nsxt_policy_group.DNS_Server.path}"] 764 | destination_groups = 
["${nsxt_policy_group.RFC_1918.path}"] 765 | action = "ALLOW" 766 | services = ["/infra/services/DNS", "/infra/services/DNS-UDP"] 767 | logged = true 768 | } 769 | } 770 | 771 | ###################### creating Rules for NTP ###################### 772 | 773 | resource "nsxt_policy_security_policy" "NTP" { 774 | domain = "cgw" 775 | display_name = "NTP Service" 776 | description = "Terraform DNS Ruleset" 777 | category = "Infrastructure" 778 | 779 | rule { 780 | display_name = "NTP Service" 781 | source_groups = ["${nsxt_policy_group.RFC_1918.path}"] 782 | destination_groups = ["${nsxt_policy_group.NTP_Server.path}"] 783 | action = "ALLOW" 784 | services = ["/infra/services/NTP"] 785 | logged = true 786 | } 787 | rule { 788 | display_name = "NTP Service" 789 | source_groups = ["${nsxt_policy_group.NTP_Server.path}"] 790 | destination_groups = ["${nsxt_policy_group.RFC_1918.path}"] 791 | action = "ALLOW" 792 | services = ["/infra/services/NTP"] 793 | logged = true 794 | } 795 | } 796 | ###################### creating Ruleset Environment ###################### 797 | ###################### creating Ruleset for Unified Access Gateway external ###################### 798 | 799 | resource "nsxt_policy_security_policy" "UAG_external" { 800 | domain = "cgw" 801 | display_name = "UAG_external" 802 | description = "Terraform UAG_external Ruleset" 803 | category = "Environment" 804 | 805 | rule { 806 | display_name = "UAG_external_Clients_Inbound" 807 | source_groups = [nsxt_policy_group.RFC_1918.path] 808 | sources_excluded = true 809 | destination_groups = [nsxt_policy_group.UAG_external.path] 810 | action = "ALLOW" 811 | services = ["/infra/services/HTTPS", nsxt_policy_service.Blast_TCP8443.path, nsxt_policy_service.Blast_UDP443.path, nsxt_policy_service.PCoIP_TCP4172.path, nsxt_policy_service.PCoIP_UDP4172.path] 812 | logged = true 813 | } 814 | 815 | rule { 816 | display_name = "UAG_external_VDI_Clients_Outbound" 817 | source_groups = [nsxt_policy_group.UAG_external.path] 
818 | destination_groups = [nsxt_policy_group.VDI_Clients.path] 819 | action = "ALLOW" 820 | services = [nsxt_policy_service.Blast_TCP22443.path, "/infra/services/RDP", nsxt_policy_service.CDR_MMR_TCP9427.path, nsxt_policy_service.USB_TCP32111.path, nsxt_policy_service.PCoIP_TCP4172.path, nsxt_policy_service.PCoIP_UDP4172.path] 821 | logged = true 822 | } 823 | rule { 824 | display_name = "UAG_external_ConnectionServer_Outbound" 825 | source_groups = [nsxt_policy_group.UAG_external.path] 826 | destination_groups = [nsxt_policy_group.ConnectionServer.path] 827 | action = "ALLOW" 828 | services = ["/infra/services/HTTPS"] 829 | logged = true 830 | } 831 | rule { 832 | display_name = "UAG_external_RADIUS_Outbound" 833 | source_groups = [nsxt_policy_group.UAG_external.path] 834 | destination_groups = [nsxt_policy_group.RADIUS.path] 835 | action = "ALLOW" 836 | services = [nsxt_policy_service.RSA_SecureID_UDP5500.path] 837 | logged = true 838 | } 839 | } 840 | 841 | 842 | ###################### creating Ruleset for Unified Access Gateway internal ###################### 843 | 844 | resource "nsxt_policy_security_policy" "UAG_internal" { 845 | domain = "cgw" 846 | display_name = "UAG_internal" 847 | description = "Terraform UAG_internal Ruleset" 848 | category = "Environment" 849 | 850 | rule { 851 | display_name = "UAG_internal_Clients_Inbound" 852 | source_groups = ["${nsxt_policy_group.RFC_1918.path}"] 853 | destination_groups = ["${nsxt_policy_group.UAG_internal.path}"] 854 | action = "ALLOW" 855 | services = ["/infra/services/HTTPS", "${nsxt_policy_service.Blast_TCP8443.path}", "${nsxt_policy_service.Blast_UDP443.path}", "${nsxt_policy_service.PCoIP_TCP4172.path}", "${nsxt_policy_service.PCoIP_UDP4172.path}"] 856 | logged = true 857 | } 858 | 859 | rule { 860 | display_name = "UAG_internal_VDI_Clients_Outbound" 861 | source_groups = ["${nsxt_policy_group.UAG_internal.path}"] 862 | destination_groups = ["${nsxt_policy_group.VDI_Clients.path}"] 863 | action = "ALLOW" 
864 | services = ["${nsxt_policy_service.Blast_TCP22443.path}", "/infra/services/RDP", "${nsxt_policy_service.CDR_MMR_TCP9427.path}", "${nsxt_policy_service.USB_TCP32111.path}", "${nsxt_policy_service.PCoIP_TCP4172.path}", "${nsxt_policy_service.PCoIP_UDP4172.path}"] 865 | logged = true 866 | } 867 | 868 | rule { 869 | display_name = "UAG_internal_ConnectionServer_Outbound" 870 | source_groups = ["${nsxt_policy_group.UAG_internal.path}"] 871 | destination_groups = ["${nsxt_policy_group.ConnectionServer.path}"] 872 | action = "ALLOW" 873 | services = ["/infra/services/HTTPS"] 874 | logged = true 875 | } 876 | rule { 877 | display_name = "UAG_internal_RADIUS_Outbound" 878 | source_groups = [nsxt_policy_group.UAG_internal.path] 879 | destination_groups = [nsxt_policy_group.RADIUS.path] 880 | action = "ALLOW" 881 | services = [nsxt_policy_service.RSA_SecureID_UDP5500.path] 882 | logged = true 883 | } 884 | } 885 | 886 | ###################### creating Ruleset for Internal Connections without internal UAGs ###################### 887 | 888 | resource "nsxt_policy_security_policy" "Internal_Client_Connection" { 889 | domain = "cgw" 890 | display_name = "Internal_Client_Connection" 891 | description = "Terraform Internal_Client_Connection Ruleset" 892 | category = "Environment" 893 | 894 | rule { 895 | display_name = "Internal_Client_Connection_VDI_Clients_Outbound" 896 | source_groups = ["${nsxt_policy_group.RFC_1918.path}"] 897 | destination_groups = ["${nsxt_policy_group.VDI_Clients.path}"] 898 | action = "ALLOW" 899 | services = ["/infra/services/RDP", "${nsxt_policy_service.CDR_MMR_TCP9427.path}", "${nsxt_policy_service.USB_TCP32111.path}", "${nsxt_policy_service.PCoIP_TCP4172.path}", "${nsxt_policy_service.PCoIP_UDP4172.path}", "/infra/services/HTTPS"] 900 | logged = true 901 | } 902 | rule { 903 | display_name = "Internal_Client_Connection_Connection_Server_Outbound" 904 | source_groups = ["${nsxt_policy_group.RFC_1918.path}"] 905 | destination_groups = 
["${nsxt_policy_group.ConnectionServer.path}"] 906 | action = "ALLOW" 907 | services = ["/infra/services/HTTPS", "${nsxt_policy_service.Blast_TCP8443.path}"] 908 | logged = true 909 | } 910 | rule { 911 | display_name = "Internal_Client_Workspace_1_Access_Outbound" 912 | source_groups = ["${nsxt_policy_group.RFC_1918.path}"] 913 | destination_groups = ["${nsxt_policy_group.Workspace1_Access.path}"] 914 | action = "ALLOW" 915 | services = ["/infra/services/HTTPS", "${nsxt_policy_service.Blast_TCP8443.path}", "${nsxt_policy_service.iOS_TCP88.path}", "${nsxt_policy_service.iOS_UDP88.path}", "${nsxt_policy_service.Android_TCP5262.path}", "${nsxt_policy_service.SSL_cert_TCP7443.path}"] 916 | logged = true 917 | } 918 | rule { 919 | display_name = "Internal_Client_Workspace_1_Connector_Outbound" 920 | source_groups = ["${nsxt_policy_group.RFC_1918.path}"] 921 | destination_groups = ["${nsxt_policy_group.Workspace1_Connector.path}"] 922 | action = "ALLOW" 923 | services = ["/infra/services/HTTPS"] 924 | logged = true 925 | } 926 | } 927 | 928 | ###################### creating Ruleset for Horizon Connection Server ###################### 929 | 930 | resource "nsxt_policy_security_policy" "Horizon_Connection_Server" { 931 | domain = "cgw" 932 | display_name = "Horizon_Connection_Server" 933 | description = "Terraform Horizon_Connection_Server Ruleset" 934 | category = "Environment" 935 | 936 | rule { 937 | display_name = "Horizon_Connection_Server_Connection_Server_In-/Outbound" 938 | source_groups = ["${nsxt_policy_group.ConnectionServer.path}"] 939 | destination_groups = ["${nsxt_policy_group.ConnectionServer.path}"] 940 | action = "ALLOW" 941 | services = ["/infra/services/LDAP", "${nsxt_policy_service.USB_TCP32111.path}", "${nsxt_policy_service.replica_TCP135.path}", "${nsxt_policy_service.JMS_TCP4100.path}", "${nsxt_policy_service.JMS_SSL_TCP4101.path}", "${nsxt_policy_service.ADLDS_TCP22389.path}", "${nsxt_policy_service.ADLDS_TCP22636.path}", 
"${nsxt_policy_service.VIPA_TCP8472.path}"] 942 | logged = true 943 | } 944 | rule { 945 | display_name = "Horizon_Connection_Server_Event_DB_Outbound" 946 | source_groups = ["${nsxt_policy_group.ConnectionServer.path}"] 947 | destination_groups = ["${nsxt_policy_group.Event_Database.path}"] 948 | action = "ALLOW" 949 | services = ["${nsxt_policy_service.EventDB_TCP1433.path}"] 950 | logged = true 951 | } 952 | rule { 953 | display_name = "Horizon_Connection_Server_vCenter_Outbound" 954 | source_groups = ["${nsxt_policy_group.ConnectionServer.path}"] 955 | destination_groups = ["/infra/domains/mgw/groups/VCENTER"] 956 | action = "ALLOW" 957 | services = ["/infra/services/HTTPS"] 958 | logged = true 959 | } 960 | rule { 961 | display_name = "Horizon_Connection_Server_VDI_Clients" 962 | source_groups = ["${nsxt_policy_group.ConnectionServer.path}"] 963 | destination_groups = ["${nsxt_policy_group.VDI_Clients.path}"] 964 | action = "ALLOW" 965 | services = ["${nsxt_policy_service.Blast_TCP22443.path}", "/infra/services/RDP", "${nsxt_policy_service.CDR_MMR_TCP9427.path}", "${nsxt_policy_service.USB_TCP32111.path}", "${nsxt_policy_service.PCoIP_TCP4172.path}", "${nsxt_policy_service.PCoIP_UDP4172.path}"] 966 | logged = true 967 | } 968 | rule { 969 | display_name = "Horizon_Connection_Server_Enrollment_Server_Outbound" 970 | source_groups = ["${nsxt_policy_group.ConnectionServer.path}"] 971 | destination_groups = ["${nsxt_policy_group.Enrollment_Server.path}"] 972 | action = "ALLOW" 973 | services = ["${nsxt_policy_service.USB_TCP32111.path}"] 974 | logged = true 975 | } 976 | 977 | rule { 978 | display_name = "Horizon_Connection_Server_RSA_SecurID" 979 | source_groups = ["${nsxt_policy_group.ConnectionServer.path}"] 980 | destination_groups = ["${nsxt_policy_group.RSA_SecureID_Server.path}"] 981 | action = "ALLOW" 982 | services = ["${nsxt_policy_service.RSA_SecureID_UDP5500.path}"] 983 | logged = true 984 | } 985 | } 986 | 987 | ###################### creating Ruleset 
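###################### for Admin Access ######################
#
# Admin_VMs (jump hosts) -> the management planes they administer. Every rule
# in this policy is ALLOW with logged = true; there is no explicit deny, so
# anything not listed here falls through to whatever follows in the cgw DFW.

resource "nsxt_policy_security_policy" "Admin_Access" {
  domain       = "cgw"
  display_name = "Admin_Access"
  description  = "Terraform Admin_Access Ruleset"
  category     = "Environment"

  # UAG admin UI (TCP/9443) on the external and the internal UAG appliances.
  rule {
    display_name       = "ADMIN_UAG_External_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.UAG_external.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.Blast_TCP9443.path]
    logged             = true
  }
  rule {
    display_name       = "ADMIN_UAG_Internal_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.UAG_internal.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.Blast_TCP9443.path]
    logged             = true
  }

  # Workspace ONE Access admin: TCP/8443, HTTPS and SSH. Note that SSL_TCP22
  # is port 22, i.e. SSH, despite its name.
  rule {
    display_name       = "ADMIN_Workspace1_Access_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.Workspace1_Access.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.Blast_TCP8443.path, "/infra/services/HTTPS", nsxt_policy_service.SSL_TCP22.path]
    logged             = true
  }

  # Renamed from the duplicated "ADMIN_Workspace1_Access_Outbound" so the two
  # rules can be told apart in the DFW log and the NSX UI.
  rule {
    display_name       = "ADMIN_Workspace1_Connector_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.Workspace1_Connector.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.Blast_TCP8443.path, nsxt_policy_service.SSL_TCP22.path]
    logged             = true
  }

  rule {
    display_name       = "Admin_Horizon_Connection_Server_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.ConnectionServer.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  # vCenter lives in the MGW domain, hence the literal group path. Renamed
  # from the duplicated "Admin_Horizon_Connection_Server_Outbound".
  rule {
    display_name       = "Admin_vCenter_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = ["/infra/domains/mgw/groups/VCENTER"]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  # RDP from the admin hosts to every VDI desktop.
  rule {
    display_name       = "Admin_Microsoft_Remote_Controle"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.VDI_Clients.path]
    action             = "ALLOW"
    services           = ["/infra/services/RDP"]
    logged             = true
  }

  rule {
    display_name       = "Admin_Horizon_AppVol_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.AppVol_MGMT.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
  rule {
    display_name       = "Admin_Horizon_vROPS_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.vROPS.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
  rule {
    display_name       = "Admin_Horizon_Horizon_Cloud_Connector_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.Horizon_Cloud_Connector.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
}

###################### creating Ruleset for Horizon VDI Clients ######################
#
# Traffic originating from the desktops themselves (Horizon Agent, App Volumes
# agent, vROPS agent). All rules are ALLOW; the only deny (desktop-to-desktop)
# is commented out below.

resource "nsxt_policy_security_policy" "Horizon_VDI_Clients" {
  domain       = "cgw"
  display_name = "Horizon_VDI_Clients"
  description  = "Terraform Horizon_VDI_Clients Ruleset"
  category     = "Environment"

  # Agent -> Connection Server: LDAP/LDAPS plus JMS over SSL (TCP/4002).
  rule {
    display_name       = "VDI_Clients_Horizon_Connection_Server_Outbound"
    source_groups      = [nsxt_policy_group.VDI_Clients.path]
    destination_groups = [nsxt_policy_group.ConnectionServer.path]
    action             = "ALLOW"
    services           = ["/infra/services/LDAP", "/infra/services/LDAP-over-SSL", nsxt_policy_service.JMS_SSL_TCP4002.path]
    logged             = true
  }
  rule {
    display_name       = "VDI_Clients_Horizon_AppVol_Outbound"
    source_groups      = [nsxt_policy_group.VDI_Clients.path]
    destination_groups = [nsxt_policy_group.AppVol_MGMT.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
  rule {
    display_name       = "VDI_Clients_Horizon_vROPS_Outbound"
    source_groups      = [nsxt_policy_group.VDI_Clients.path]
    destination_groups = [nsxt_policy_group.vROPS.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.vROPS_TCP3091.path, nsxt_policy_service.vROPS_TCP3099.path]
    logged             = true
  }

  # Direction is desktop -> cloud connector (TCP/11002); the "_Inbound" in the
  # display name is misleading and kept only to avoid renaming the rule.
  rule {
    display_name       = "VDI_Clients_Horizon_Cloud_Connector_Inbound"
    source_groups      = [nsxt_policy_group.VDI_Clients.path]
    destination_groups = [nsxt_policy_group.Horizon_Cloud_Connector.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.TCP11002.path]
    logged             = true
  }

  # Desktop-to-desktop isolation. Left disabled as in the original; while it
  # stays commented out nothing in this policy blocks lateral movement between
  # desktops (services = [] would match any service).
  /*
  rule {
    display_name       = "VDI_Clients_VDI_Client"
    source_groups      = [nsxt_policy_group.VDI_Clients.path]
    destination_groups = [nsxt_policy_group.VDI_Clients.path]
    action             = "DENY"
    services           = []
    logged             = true
  }
  */
}

###################### creating Ruleset for Workspace1_Connector ######################
#
# Workspace ONE Access Connector -> Horizon, Workspace ONE Access, AD, logging
# and authentication back ends.

resource "nsxt_policy_security_policy" "Workspace1_Connector" {
  domain       = "cgw"
  display_name = "Workspace1_Connector"
  description  = "Terraform Workspace1_Connector Ruleset"
  category     = "Environment"

  rule {
    display_name       = "Workspace_One_Connector_Horizon_Connection_Server_Outbound"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.ConnectionServer.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS", "/infra/services/LDAP", "/infra/services/LDAP-over-SSL"]
    logged             = true
  }
  rule {
    display_name       = "Workspace_One_Connector_Workspace_One_Access_Outbound"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.Workspace1_Access.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  # AD integration: LDAP/LDAPS, global catalog, Kerberos, AD and MS-RPC.
  rule {
    display_name       = "Workspace_One_Connector_Domain_Controller"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.Domain_Controller.path]
    action             = "ALLOW"
    services = [
      "/infra/services/LDAP",
      "/infra/services/LDAP-over-SSL",
      "/infra/services/LDAP_Global_Catalog",
      "/infra/services/Windows-Global-Catalog-over-SSL",
      "/infra/services/KERBEROS-UDP",
      "/infra/services/KERBEROS-TCP",
      "/infra/services/Active_Directory_Server",
      "/infra/services/Active_Directory_Server_UDP",
      "/infra/services/MS_RPC_TCP",
    ]
    logged = true
  }

  # UDP syslog is cleartext and unauthenticated; prefer TLS syslog if the
  # collector supports it.
  rule {
    display_name       = "Workspace_One_Connector_Syslog_Server"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.Syslog.path]
    action             = "ALLOW"
    services           = ["/infra/services/Syslog-Server-UDP"]
    logged             = true
  }

  # The rule below is closed, and the policy continued, after this span.
  rule {
    display_name       = "Workspace_One_Connector_Log_Insight"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.Log_Insight.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.Log_Insight_TCP9543.path]
    logged             = true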
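# Workspace1_Connector (continued): closes the Log_Insight rule opened above,
# then the remaining rules of the policy.
  }

  # RADIUS authentication. NOTE(review): these services are TCP/1812-1813;
  # RADIUS is conventionally UDP on those ports (RFC 2865) — confirm the RADIUS
  # server actually listens on TCP before relying on this rule.
  rule {
    display_name       = "Workspace_One_Connector_RADIUS"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.RADIUS.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.RADIUS_Server_TCP1813.path, nsxt_policy_service.RADIUS_Server_TCP1812.path]
    logged             = true
  }
  rule {
    display_name       = "Workspace_One_Connector_RSA_SecureID"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.RSA_SecureID_Server.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.RSA_SecureID_UDP5500.path]
    logged             = true
  }
  # Outbound internet only via the proxy group, never direct.
  rule {
    display_name       = "Workspace_One_Connector_Internet_Proxy"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.Internet_Proxy.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
}

###################### creating Ruleset for Workspace1_Access ######################

resource "nsxt_policy_security_policy" "Workspace1_Access" {
  domain       = "cgw"
  display_name = "Workspace1_Access"
  description  = "Terraform Workspace1_Access Ruleset"
  category     = "Environment"

  # Cluster-internal traffic between Workspace ONE Access nodes (web, cache,
  # search and audit ports).
  rule {
    display_name       = "Workspace1_Access_Workspace1_Access"
    source_groups      = [nsxt_policy_group.Workspace1_Access.path]
    destination_groups = [nsxt_policy_group.Workspace1_Access.path]
    action             = "ALLOW"
    services = [
      "/infra/services/HTTPS",
      nsxt_policy_service.Blast_TCP8443.path,
      nsxt_policy_service.ElasticSearch_TCP8200.path,
      nsxt_policy_service.Hazelcast_cache_TCP5701.path,
      nsxt_policy_service.EHCache_TCP40002.path,
      nsxt_policy_service.EHCache_TCP40003.path,
      nsxt_policy_service.Audit_UDP54328.path,
      nsxt_policy_service.Audit_TCP9300.path,
      nsxt_policy_service.Audit_TCP9400.path,
    ]
    logged = true
  }

  # NOTE(review): an empty source_groups list means "Any" in the NSX-T DFW, so
  # this rule admits HTTPS to Workspace ONE Access from every source the cgw
  # can see. If the intent is user or UAG traffic, list those groups
  # explicitly instead of leaving the source open.
  rule {
    display_name       = "Workspace1_Access_Inbound"
    source_groups      = []
    destination_groups = [nsxt_policy_group.Workspace1_Access.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
}


###################### creating Ruleset for JMP_Server ######################

resource "nsxt_policy_security_policy" "JMP_Server" {
  domain       = "cgw"
  display_name = "JMP_Server"
  description  = "Terraform JMP_Server Ruleset"
  category     = "Environment"

  rule {
    display_name       = "JMP_Server_AppVol_Outbound"
    source_groups      = [nsxt_policy_group.JMP_Server.path]
    destination_groups = [nsxt_policy_group.AppVol_MGMT.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
  rule {
    display_name       = "JMP_Server_ConnectionServer_Outbound"
    source_groups      = [nsxt_policy_group.JMP_Server.path]
    destination_groups = [nsxt_policy_group.ConnectionServer.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
}

###################### creating Ruleset for AppVolumes ######################

resource "nsxt_policy_security_policy" "AppVolumes" {
  domain       = "cgw"
  display_name = "AppVolumes"
  description  = "Terraform AppVolumes Ruleset"
  category     = "Environment"

  # vCenter and ESXi are MGW-domain groups, hence the literal paths.
  rule {
    display_name       = "AppVol_vCenter_Outbound"
    source_groups      = [nsxt_policy_group.AppVol_MGMT.path]
    destination_groups = ["/infra/domains/mgw/groups/VCENTER"]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
  rule {
    display_name       = "AppVol_ESXi_Outbound"
    source_groups      = [nsxt_policy_group.AppVol_MGMT.path]
    destination_groups = ["/infra/domains/mgw/groups/ESXI"]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
  rule {
    display_name       = "AppVol_Domain_Controller_Outbound"
    source_groups      = [nsxt_policy_group.AppVol_MGMT.path]
    destination_groups = [nsxt_policy_group.Domain_Controller.path]
    action             = "ALLOW"
    services           = ["/infra/services/LDAP", "/infra/services/LDAP-over-SSL"]
    logged             = true
  }
  # Renamed from the duplicated "AppVol_ESXi_Outbound": this is the SQL back end.
  rule {
    display_name       = "AppVol_SQL_Outbound"
    source_groups      = [nsxt_policy_group.AppVol_MGMT.path]
    destination_groups = [nsxt_policy_group.AppVol_SQL.path]
    action             = "ALLOW"
    services           = ["/infra/services/MS-SQL-S"]
    logged             = true
  }
}

###################### creating Ruleset for Horizon_Cloud_Connector ######################

resource "nsxt_policy_security_policy" "Horizon_Cloud_Connector" {
  domain       = "cgw"
  display_name = "Horizon_Cloud_Connector"
  description  = "Terraform Horizon_Cloud_Connector Ruleset"
  category     = "Environment"

  rule {
    display_name       = "Cloud_Connector_ConnectionServer_Outbound"
    source_groups      = [nsxt_policy_group.Horizon_Cloud_Connector.path]
    destination_groups = [nsxt_policy_group.ConnectionServer.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS", nsxt_policy_service.JMS_SSL_TCP4002.path]
    logged             = true
  }
  rule {
    display_name       = "Cloudconnector_internet"
    source_groups      = [nsxt_policy_group.Horizon_Cloud_Connector.path]
    destination_groups = [nsxt_policy_group.Internet_Proxy.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  # NOTE(review): with destinations_excluded = true this rule matches
  # source = cloud connector, destination = anything that is NOT the cloud
  # connector — i.e. SSH from the connector to every other workload. The name
  # suggests the opposite direction (admin SSH into the appliance). Either way
  # it is far broader than needed; scope it to the intended peer group.
  rule {
    display_name          = "Cloudconnector_Clients_Inbound"
    source_groups         = [nsxt_policy_group.Horizon_Cloud_Connector.path]
    destination_groups    = [nsxt_policy_group.Horizon_Cloud_Connector.path]
    destinations_excluded = true
    action                = "ALLOW"
    services              = ["/infra/services/SSH"]
    logged                = true
  }
}

###################### creating Ruleset for Enrollment_Server ######################

resource "nsxt_policy_security_policy" "Enrollment_Server" {
  domain       = "cgw"
  display_name = "Enrollment_Server"
  description  = "Terraform Enrollment_Server Ruleset"
  category     = "Environment"

  # NOTE(review): TCP/135 is only the RPC endpoint mapper; DCOM-based
  # certificate enrollment normally also needs the CA's dynamic RPC port
  # range — confirm that range is permitted somewhere, or this rule alone
  # will not be enough.
  rule {
    display_name       = "Enrollment_Server_AD_Cert_Outbound"
    source_groups      = [nsxt_policy_group.Enrollment_Server.path]
    destination_groups = [nsxt_policy_group.AD_cert.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.replica_TCP135.path]
    logged             = true
  }
  rule {
    display_name       = "Enrollment_Server_Domain_Controller_Outbound"
    source_groups      = [nsxt_policy_group.Enrollment_Server.path]
    destination_groups = [nsxt_policy_group.Domain_Controller.path]
    action             = "ALLOW"
    services           = ["/infra/services/Microsoft_Active_Directory_V1"]
    logged             = true
  }
}
-------------------------------------------------------------------------------- /localNSX/main.tf: --------------------------------------------------------------------------------
# Generated by: tsauerer@vmware.com
# Thomas Sauerer
#
# Updated on: 04/14/22


# Defaults to true only so lab deployments with a self-signed NSX Manager
# certificate keep working. Set it to false (and trust the manager's CA, e.g.
# via the provider's ca_file argument) anywhere the credentials matter.
variable "allow_unverified_ssl" {
  description = "Skip TLS verification of the NSX-T Manager certificate (lab only; set to false in production)"
  type        = bool
  default     = true
}

# Local NSX-T Manager API connection. Credentials come from var.username /
# var.password; supply them through TF_VAR_* or an untracked tfvars file,
# never from a committed one.
provider "nsxt" {
  host     = var.host
  username = var.username
  password = var.password

  # With TLS verification disabled, an on-path attacker between this host and
  # the manager can capture the admin credentials and forge API responses.
  allow_unverified_ssl = var.allow_unverified_ssl

  # Back off on HTTP 429 from the manager instead of failing the apply.
  max_retries           = 10
  retry_min_delay       = 500
  retry_max_delay       = 5000
  retry_on_status_codes = [429]
}


###################### creating Network Segments ######################
###################### can be outcommented "/* */" or 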
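###################### (segments can be commented out with /* */ or edited) ######################

# Overlay transport zone every segment below is attached to.
data "nsxt_policy_transport_zone" "TZ" {
  display_name = "overlay-tz"
}

# Management segment. The address in cidr is the segment gateway; the rest of
# the /24 is handed out by DHCP.
resource "nsxt_policy_segment" "ManagementHorizon" {
  display_name        = "Horizon_MGMT"
  description         = "Horizon_MGMT Segment provisioned by Terraform"
  connectivity_path   = "/infra/tier-1s/cgw"
  transport_zone_path = data.nsxt_policy_transport_zone.TZ.path

  subnet {
    cidr        = "172.16.199.1/24"
    dhcp_ranges = ["172.16.199.2-172.16.199.254"]
  }
}

# Small /29 for the externally reachable UAGs; static addressing, no DHCP.
resource "nsxt_policy_segment" "UAG_external" {
  display_name        = "Horizon_UAG_external"
  description         = "Horizon_UAG_external Segment provisioned by Terraform"
  connectivity_path   = "/infra/tier-1s/cgw"
  transport_zone_path = data.nsxt_policy_transport_zone.TZ.path

  subnet {
    cidr = "172.16.200.250/29"
  }
}

# Desktop pools: one /20 each for Windows and Linux desktops, DHCP-addressed.
resource "nsxt_policy_segment" "Windows_Desktops" {
  display_name        = "Horizon_Windows_Desktops"
  description         = "Horizon_Windows_Desktops Segment provisioned by Terraform"
  connectivity_path   = "/infra/tier-1s/cgw"
  transport_zone_path = data.nsxt_policy_transport_zone.TZ.path

  subnet {
    cidr        = "172.16.1.1/20"
    dhcp_ranges = ["172.16.1.2-172.16.15.254"]
  }
}

resource "nsxt_policy_segment" "Linux_Desktops" {
  display_name        = "Horizon_Linux_Desktops"
  description         = "Horizon_Linux_Desktops Segment provisioned by Terraform"
  connectivity_path   = "/infra/tier-1s/cgw"
  transport_zone_path = data.nsxt_policy_transport_zone.TZ.path

  subnet {
    cidr        = "172.16.16.1/20"
    dhcp_ranges = ["172.16.16.2-172.16.31.254"]
  }
}

###################### creating all Services ######################
#
# One nsxt_policy_service per L4 port, each with a single l4_port_set_entry.
# Naming convention: <purpose>_<PROTO><port>; display_name mirrors the
# resource name so the object can be found in the NSX UI by the same name.

// creating Services TCP 8443:
resource "nsxt_policy_service" "Blast_TCP8443" {
  description  = "Blast service provisioned by Terraform"
  display_name = "Blast_TCP8443"

  l4_port_set_entry {
    display_name      = "TCP8443"
    description       = "TCP port 8443 entry"
    protocol          = "TCP"
    destination_ports = ["8443"]
  }
}

// creating Services UDP 8443:
resource "nsxt_policy_service" "Blast_UDP8443" {
  description  = "Blast service provisioned by Terraform"
  display_name = "Blast_UDP8443"

  l4_port_set_entry {
    display_name      = "UDP8443"
    description       = "UDP port 8443 entry"
    protocol          = "UDP"
    destination_ports = ["8443"]
  }
}

// creating Services TCP 9443:
resource "nsxt_policy_service" "Blast_TCP9443" {
  description  = "Blast service provisioned by Terraform"
  display_name = "Blast_TCP9443"

  l4_port_set_entry {
    display_name      = "TCP9443"
    description       = "TCP port 9443 entry"
    protocol          = "TCP"
    destination_ports = ["9443"]
  }
}

// creating Services TCP 22443:
resource "nsxt_policy_service" "Blast_TCP22443" {
  description  = "Blast service provisioned by Terraform"
  display_name = "Blast_TCP22443"

  l4_port_set_entry {
    display_name      = "TCP22443"
    description       = "TCP port 22443 entry"
    protocol          = "TCP"
    destination_ports = ["22443"]
  }
}

// creating Services UDP 22443:
resource "nsxt_policy_service" "Blast_UDP22443" {
  description  = "Blast service provisioned by Terraform"
  display_name = "Blast_UDP22443"

  l4_port_set_entry {
    display_name      = "UDP22443"
    description       = "UDP port 22443 entry"
    protocol          = "UDP"
    destination_ports = ["22443"]
  }
}

// creating Services TCP 4172:
resource "nsxt_policy_service" "PCoIP_TCP4172" {
  description  = "PCoIP service provisioned by Terraform"
  display_name = "PCoIP_TCP4172"

  l4_port_set_entry {
    display_name      = "TCP4172"
    description       = "TCP port 4172 entry"
    protocol          = "TCP"
    destination_ports = ["4172"]
  }
}

// creating Services UDP 4172:
resource "nsxt_policy_service" "PCoIP_UDP4172" {
  description  = "PCoIP service provisioned by Terraform"
  display_name = "PCoIP_UDP4172"

  l4_port_set_entry {
    display_name      = "UDP4172"
    description       = "UDP port 4172 entry"
    protocol          = "UDP"
    destination_ports = ["4172"]
  }
}

// creating Services UDP 443:
// Entry description corrected from "UDP port 433 entry".
resource "nsxt_policy_service" "Blast_UDP443" {
  description  = "Blast service provisioned by Terraform"
  display_name = "Blast_UDP443"

  l4_port_set_entry {
    display_name      = "UDP443"
    description       = "UDP port 443 entry"
    protocol          = "UDP"
    destination_ports = ["443"]
  }
}

// creating Services TCP 9427:
resource "nsxt_policy_service" "CDR_MMR_TCP9427" {
  description  = "CDR/MMR service provisioned by Terraform"
  display_name = "CDR/MMR_TCP9427"

  l4_port_set_entry {
    display_name      = "TCP9427"
    description       = "TCP port 9427 entry"
    protocol          = "TCP"
    destination_ports = ["9427"]
  }
}

// creating Services TCP 32111:
resource "nsxt_policy_service" "USB_TCP32111" {
  description  = "USB service provisioned by Terraform"
  display_name = "USB_TCP32111"

  l4_port_set_entry {
    display_name      = "TCP32111"
    description       = "TCP port 32111 entry"
    protocol          = "TCP"
    destination_ports = ["32111"]
  }
}

// creating Services TCP 1433:
// Description corrected from the copy-pasted "USB service ...".
resource "nsxt_policy_service" "EventDB_TCP1433" {
  description  = "Event Database service provisioned by Terraform"
  display_name = "EventDB_TCP1433"

  l4_port_set_entry {
    display_name      = "TCP1433"
    description       = "TCP port 1433 entry"
    protocol          = "TCP"
    destination_ports = ["1433"]
  }
}

// creating Services SSL_TCP22:
// Port 22 is SSH, not SSL. The resource name is kept because the security
// policies reference it; display_name is corrected from the copy-pasted
// "EventDB_TCP22" and the description from "USB service ..." so the object
// in the NSX UI reflects what it actually opens.
resource "nsxt_policy_service" "SSL_TCP22" {
  description  = "SSH service provisioned by Terraform"
  display_name = "SSL_TCP22"

  l4_port_set_entry {
    display_name      = "TCP22"
    description       = "TCP port 22 entry"
    protocol          = "TCP"
    destination_ports = ["22"]
  }
}

// creating Services TCP 3091:
resource "nsxt_policy_service" "vROPS_TCP3091" {
  description  = "vROPS service provisioned by Terraform"
  display_name = "vROPS_TCP3091"

  l4_port_set_entry {
    display_name      = "TCP3091"
    description       = "TCP port 3091 entry"
    protocol          = "TCP"
    destination_ports = ["3091"]
  }
}

// creating Services TCP 3099:
resource "nsxt_policy_service" "vROPS_TCP3099" {
  description  = "vROPS service provisioned by Terraform"
  display_name = "vROPS_TCP3099"

  l4_port_set_entry {
    display_name      = "TCP3099"
    description       = "TCP port 3099 entry"
    protocol          = "TCP"
    destination_ports = ["3099"]
  }
}

// creating Services TCP 3101:
resource "nsxt_policy_service" "vROPS_TCP3101" {
  description  = "vROPS service provisioned by Terraform"
  display_name = "vROPS_TCP3101"

  l4_port_set_entry {
    display_name      = "TCP3101"
    description       = "TCP port 3101 entry"
    protocol          = "TCP"
    destination_ports = ["3101"]
  }
}

// creating Services TCP 3100:
resource "nsxt_policy_service" "vROPS_TCP3100" {
  description  = "vROPS service provisioned by Terraform"
  display_name = "vROPS_TCP3100"

  l4_port_set_entry {
    display_name      = "TCP3100"
    description       = "TCP port 3100 entry"
    protocol          = "TCP"
    destination_ports = ["3100"]
  }
}

// creating Services TCP 22389:
resource "nsxt_policy_service" "ADLDS_TCP22389" {
  description  = "ADLDS service provisioned by Terraform"
  display_name = "ADLDS_TCP22389"

  l4_port_set_entry {
    display_name      = "TCP22389"
    description       = "TCP port 22389 entry"
    protocol          = "TCP"
    destination_ports = ["22389"]
  }
}

// creating Services TCP 22636:
resource "nsxt_policy_service" "ADLDS_TCP22636" {
  description  = "ADLDS service provisioned by Terraform"
  display_name = "ADLDS_TCP22636"

  l4_port_set_entry {
    display_name      = "TCP22636"
    description       = "TCP port 22636 entry"
    protocol          = "TCP"
    destination_ports = ["22636"]
  }
}

// creating Services TCP 8472:
resource "nsxt_policy_service" "VIPA_TCP8472" {
  description  = "VIPA service provisioned by Terraform"
  display_name = "VIPA_TCP8472"

  l4_port_set_entry {
    display_name      = "TCP8472"
    description       = "TCP port 8472 entry"
    protocol          = "TCP"
    destination_ports = ["8472"]
  }
}

// creating Services TCP 4101:
resource "nsxt_policy_service" "JMS_SSL_TCP4101" {
  description  = "JMS_SSL service provisioned by Terraform"
  display_name = "JMS_SSL_TCP4101"

  l4_port_set_entry {
    display_name      = "TCP4101"
    description       = "TCP port 4101 entry"
    protocol          = "TCP"
    destination_ports = ["4101"]
  }
}

// creating Services EHCache_TCP40002:
// Descriptions of both EHCache services corrected from the copy-pasted
// "JMS_SSL service ...".
resource "nsxt_policy_service" "EHCache_TCP40002" {
  description  = "EHCache service provisioned by Terraform"
  display_name = "EHCache_TCP40002"

  l4_port_set_entry {
    display_name      = "TCP40002"
    description       = "TCP port 40002 entry"
    protocol          = "TCP"
    destination_ports = ["40002"]
  }
}

// creating Services EHCache_TCP40003:
resource "nsxt_policy_service" "EHCache_TCP40003" {
  description  = "EHCache service provisioned by Terraform"
  display_name = "EHCache_TCP40003"

  l4_port_set_entry {
    display_name      = "TCP40003"
    description       = "TCP port 40003 entry"
    protocol          = "TCP"
    destination_ports = ["40003"]
  }
}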
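// creating Services Audit_UDP54328:
// Descriptions of the three Audit services corrected from the copy-pasted
// "JMS_SSL service ...".
resource "nsxt_policy_service" "Audit_UDP54328" {
  description  = "Audit service provisioned by Terraform"
  display_name = "Audit_UDP54328"

  l4_port_set_entry {
    display_name      = "UDP54328"
    description       = "UDP port 54328 entry"
    protocol          = "UDP"
    destination_ports = ["54328"]
  }
}

// creating Services Audit_TCP9300:
// NOTE(review): the resource and display names say TCP but the entry is
// protocol = "UDP" (and its description says UDP). One of them is a
// copy-paste error; the protocol is left as found so this edit does not open
// a port by guessing — confirm against the Workspace ONE Access port list
// and fix whichever side is wrong. Same for Audit_TCP9400 below.
resource "nsxt_policy_service" "Audit_TCP9300" {
  description  = "Audit service provisioned by Terraform"
  display_name = "Audit_TCP9300"

  l4_port_set_entry {
    display_name      = "TCP9300"
    description       = "UDP port 9300 entry"
    protocol          = "UDP"
    destination_ports = ["9300"]
  }
}

// creating Services Audit_TCP9400:
resource "nsxt_policy_service" "Audit_TCP9400" {
  description  = "Audit service provisioned by Terraform"
  display_name = "Audit_TCP9400"

  l4_port_set_entry {
    display_name      = "TCP9400"
    description       = "UDP port 9400 entry"
    protocol          = "UDP"
    destination_ports = ["9400"]
  }
}

// creating Services TCP 4002:
resource "nsxt_policy_service" "JMS_SSL_TCP4002" {
  description  = "JMS_SSL service provisioned by Terraform"
  display_name = "JMS_SSL_TCP4002"

  l4_port_set_entry {
    display_name      = "TCP4002"
    description       = "TCP port 4002 entry"
    protocol          = "TCP"
    destination_ports = ["4002"]
  }
}

// creating Services TCP 11002:
resource "nsxt_policy_service" "TCP11002" {
  description  = "service provisioned by Terraform"
  display_name = "TCP11002"

  l4_port_set_entry {
    display_name      = "TCP11002"
    description       = "TCP port 11002 entry"
    protocol          = "TCP"
    destination_ports = ["11002"]
  }
}

// creating Services replica_TCP135:
// display_name aligned with the resource name (was "replica_135").
resource "nsxt_policy_service" "replica_TCP135" {
  description  = "service provisioned by Terraform"
  display_name = "replica_TCP135"

  l4_port_set_entry {
    display_name      = "TCP135"
    description       = "TCP port 135 entry"
    protocol          = "TCP"
    destination_ports = ["135"]
  }
}

// creating Services RADIUS_Server_TCP1812:
// NOTE(review): RADIUS is conventionally UDP/1812 and UDP/1813 (RFC 2865);
// these TCP definitions only work if the RADIUS server listens on TCP.
resource "nsxt_policy_service" "RADIUS_Server_TCP1812" {
  description  = "service provisioned by Terraform"
  display_name = "RADIUS_Server_TCP1812"

  l4_port_set_entry {
    display_name      = "TCP1812"
    description       = "TCP port 1812 entry"
    protocol          = "TCP"
    destination_ports = ["1812"]
  }
}

// creating Services RADIUS_Server_TCP1813:
resource "nsxt_policy_service" "RADIUS_Server_TCP1813" {
  description  = "service provisioned by Terraform"
  display_name = "RADIUS_Server_TCP1813"

  l4_port_set_entry {
    display_name      = "TCP1813"
    description       = "TCP port 1813 entry"
    protocol          = "TCP"
    destination_ports = ["1813"]
  }
}

// creating Services JMS_TCP4100:
// Presumably the non-TLS JMS listener (compare JMS_SSL_TCP4101); prefer the
// SSL variant wherever the Horizon version allows — verify before use.
resource "nsxt_policy_service" "JMS_TCP4100" {
  description  = "service provisioned by Terraform"
  display_name = "JMS_TCP4100"

  l4_port_set_entry {
    display_name      = "JMS_TCP4100"
    description       = "TCP port 4100 entry"
    protocol          = "TCP"
    destination_ports = ["4100"]
  }
}

// creating Services RSA_SecureID_UDP5500:
resource "nsxt_policy_service" "RSA_SecureID_UDP5500" {
  description  = "service provisioned by Terraform"
  display_name = "RSA_SecureID_UDP5500"

  l4_port_set_entry {
    display_name      = "RSA_SecureID_UDP5500"
    description       = "UDP port 5500 entry"
    protocol          = "UDP"
    destination_ports = ["5500"]
  }
}

// creating Services iOS_UDP88:
resource "nsxt_policy_service" "iOS_UDP88" {
  description  = "service provisioned by Terraform"
  display_name = "iOS_UDP88"

  l4_port_set_entry {
    display_name      = "iOS_UDP88"
    description       = "UDP port 88 entry"
    protocol          = "UDP"
    destination_ports = ["88"]
  }
}

// creating Services iOS_TCP88:
resource "nsxt_policy_service" "iOS_TCP88" {
  description  = "service provisioned by Terraform"
  display_name = "iOS_TCP88"

  l4_port_set_entry {
    display_name      = "iOS_TCP88"
    description       = "TCP port 88 entry"
    protocol          = "TCP"
    destination_ports = ["88"]
  }
}

// creating Services Android_TCP5262:
resource "nsxt_policy_service" "Android_TCP5262" {
  description  = "service provisioned by Terraform"
  display_name = "Android_TCP5262"

  l4_port_set_entry {
    display_name      = "Android_TCP5262"
    description       = "TCP port 5262 entry"
    protocol          = "TCP"
    destination_ports = ["5262"]
  }
}

// creating Services SSL_cert_TCP7443:
resource "nsxt_policy_service" "SSL_cert_TCP7443" {
  description  = "service provisioned by Terraform"
  display_name = "SSL_cert_TCP7443"

  l4_port_set_entry {
    display_name      = "SSL_cert_TCP7443"
    description       = "TCP port 7443 entry"
    protocol          = "TCP"
    destination_ports = ["7443"]
  }
}

// creating Services Log_Insight_TCP9543:
resource "nsxt_policy_service" "Log_Insight_TCP9543" {
  description  = "service provisioned by Terraform"
  display_name = "Log_Insight_TCP9543"

  l4_port_set_entry {
    display_name      = "Log_Insight_TCP9543"
    description       = "TCP port 9543 entry"
    protocol          = "TCP"
    destination_ports = ["9543"]
  }
}

// creating Services ElasticSearch_TCP8200:
resource "nsxt_policy_service" "ElasticSearch_TCP8200" {
  description  = "service provisioned by Terraform"
  display_name = "ElasticSearch_TCP8200"

  l4_port_set_entry {
    display_name      = "ElasticSearch_TCP8200"
    description       = "TCP port 8200 entry"
    protocol          = "TCP"
    destination_ports = ["8200"]
  }
}

// creating Services Hazelcast_cache_TCP5701:
resource "nsxt_policy_service" "Hazelcast_cache_TCP5701" {
  description  = "service provisioned by Terraform"
  display_name = "Hazelcast_cache_TCP5701"

  l4_port_set_entry {
    display_name      = "Hazelcast_cache_TCP5701"
    description       = "TCP port 5701 entry"
    protocol          = "TCP"
    destination_ports = ["5701"]
  }
}

###################### creating all Groups ######################
#
# None of these groups carries a criteria block, so membership is not managed
# by Terraform: it has to be assigned in NSX (tags, static members) after
# apply. Until that is done a group is empty and every DFW rule that refers
# to it matches no traffic, which silently leaves the ALLOW rules inert —
# check membership before trusting the policy.

// creating Group for UAG_external:
resource "nsxt_policy_group" "UAG_external" {
  display_name = "UAG_external"
  description  = "Created from Terraform UAG_external"
  domain       = "cgw"
}

// creating Group for UAG_internal:
resource "nsxt_policy_group" "UAG_internal" {
  display_name = "UAG_internal"
  description  = "Created from Terraform UAG_internal"
  domain       = "cgw"
}

// creating Group for ConnectionServer:
resource "nsxt_policy_group" "ConnectionServer" {
  display_name = "ConnectionServer"
  description  = "Created from Terraform ConnectionServer"
  domain       = "cgw"
}

// creating Group for VDI-Environment:
resource "nsxt_policy_group" "VDI_Clients" {
  display_name = "VDI_Clients"
  description  = "Created from Terraform VDI_Clients"
  domain       = "cgw"
}

// creating Group for Log_Insight:
resource "nsxt_policy_group" "Log_Insight" {
  display_name = "Log_Insight"
  description  = "Created from Terraform Log_Insight"
  domain       = "cgw"
}

// creating Group for RADIUS:
resource "nsxt_policy_group" "RADIUS" {
  display_name = "RADIUS"
  description  = "Created from Terraform RADIUS"
  domain       = "cgw"
}

//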
creating Group for AppVolumes Manager: 617 | resource "nsxt_policy_group" "AppVol_MGMT" { 618 | display_name = "AppVol_MGMT" 619 | description = "Created from Terraform AppVol_MGMT" 620 | domain = "cgw" 621 | } 622 | 623 | // creating Group for Event_Database: 624 | resource "nsxt_policy_group" "Event_Database" { 625 | display_name = "Event_Database" 626 | description = "Created from Terraform Event_Database" 627 | domain = "cgw" 628 | } 629 | 630 | // creating Group for Admin_VMs: 631 | resource "nsxt_policy_group" "Admin_VMs" { 632 | display_name = "Admin_VMs" 633 | description = "Created from Terraform Admin_VMs" 634 | domain = "cgw" 635 | } 636 | 637 | // creating Group for vROPS: 638 | resource "nsxt_policy_group" "vROPS" { 639 | display_name = "vROPS" 640 | description = "Created from Terraform vROPS" 641 | domain = "cgw" 642 | } 643 | // creating Group for Workspace1_Connector: 644 | resource "nsxt_policy_group" "Workspace1_Connector" { 645 | display_name = "Workspace1_Connector" 646 | description = "Created from Terraform Workspace1_Connector" 647 | domain = "cgw" 648 | } 649 | 650 | // creating Group for Workspace1_Access: 651 | resource "nsxt_policy_group" "Workspace1_Access" { 652 | display_name = "Workspace1_Access" 653 | description = "Created from Terraform Workspace1_Access" 654 | domain = "cgw" 655 | } 656 | 657 | // creating Group for Horizon Cloud_Connector: 658 | resource "nsxt_policy_group" "Horizon_Cloud_Connector" { 659 | display_name = "Horizon_Cloud_Connector" 660 | description = "Created from Terraform Horizon_Cloud_Connector" 661 | domain = "cgw" 662 | } 663 | 664 | // creating Group for Enrollment_Server: 665 | resource "nsxt_policy_group" "Enrollment_Server" { 666 | display_name = "Enrollment_Server" 667 | description = "Created from Terraform Enrollment_Server" 668 | domain = "cgw" 669 | } 670 | 671 | // creating Group for JMP_Server: 672 | resource "nsxt_policy_group" "JMP_Server" { 673 | display_name = "JMP_Server" 674 | description = 
"Created from Terraform JMP_Server" 675 | domain = "cgw" 676 | } 677 | 678 | // creating Group for RFC_1918: 679 | resource "nsxt_policy_group" "RFC_1918" { 680 | display_name = "RFC_1918" 681 | description = "Created from Terraform RFC_1918" 682 | domain = "cgw" 683 | 684 | criteria { 685 | ipaddress_expression { 686 | ip_addresses = ["192.168.0.0/16", "172.16.0.0/16", "10.0.0.0/8"] 687 | } 688 | } 689 | } 690 | 691 | // creating Group for Syslog: 692 | resource "nsxt_policy_group" "Syslog" { 693 | display_name = "Syslog" 694 | description = "Created from Terraform Syslog" 695 | domain = "cgw" 696 | } 697 | 698 | // creating Group for DNS_Server: 699 | resource "nsxt_policy_group" "DNS_Server" { 700 | display_name = "DNS_Server" 701 | description = "Created from Terraform DNS_Server" 702 | domain = "cgw" 703 | } 704 | 705 | // creating Group for Domain_Controller: 706 | resource "nsxt_policy_group" "Domain_Controller" { 707 | display_name = "Domain_Controller" 708 | description = "Created from Terraform Domain_Controller" 709 | domain = "cgw" 710 | } 711 | // creating Group for RSA_SecureID_Server: 712 | resource "nsxt_policy_group" "RSA_SecureID_Server" { 713 | display_name = "RSA_SecureID_Server" 714 | description = "Created from Terraform RSA_SecureID_Server" 715 | domain = "cgw" 716 | } 717 | 718 | // creating Group for AD_cert: 719 | resource "nsxt_policy_group" "AD_cert" { 720 | display_name = "AD_cert" 721 | description = "Created from Terraform AD_cert" 722 | domain = "cgw" 723 | } 724 | 725 | // creating Group for AppVol_SQL: 726 | resource "nsxt_policy_group" "AppVol_SQL" { 727 | display_name = "AppVol_SQL" 728 | description = "Created from Terraform AppVol_SQL" 729 | domain = "cgw" 730 | } 731 | // creating Group for NTP_Server: 732 | resource "nsxt_policy_group" "NTP_Server" { 733 | display_name = "NTP_Server" 734 | description = "Created from Terraform NTP_Server" 735 | domain = "cgw" 736 | } 737 | 738 | // creating Group for Internet_Proxy: 739 | 
resource "nsxt_policy_group" "Internet_Proxy" { 740 | display_name = "Internet_Proxy" 741 | description = "Created from Terraform Internet_Proxy" 742 | domain = "cgw" 743 | } 744 | 745 | 746 | ###################### creating DFW Security Rules ###################### 747 | ###################### creating Ruleset Infrastructure ###################### 748 | ###################### creating Rules for DNS ###################### 749 | resource "nsxt_policy_security_policy" "DNS" { 750 | domain = "cgw" 751 | display_name = "DNS Service" 752 | description = "Terraform DNS Ruleset" 753 | category = "Infrastructure" 754 | 755 | rule { 756 | display_name = "DNS Service" 757 | source_groups = ["${nsxt_policy_group.RFC_1918.path}"] 758 | destination_groups = ["${nsxt_policy_group.DNS_Server.path}"] 759 | action = "ALLOW" 760 | services = ["/infra/services/DNS", "/infra/services/DNS-UDP"] 761 | logged = true 762 | } 763 | rule { 764 | display_name = "DNS Service" 765 | source_groups = ["${nsxt_policy_group.DNS_Server.path}"] 766 | destination_groups = ["${nsxt_policy_group.RFC_1918.path}"] 767 | action = "ALLOW" 768 | services = ["/infra/services/DNS", "/infra/services/DNS-UDP"] 769 | logged = true 770 | } 771 | } 772 | 773 | ###################### creating Rules for NTP ###################### 774 | 775 | resource "nsxt_policy_security_policy" "NTP" { 776 | domain = "cgw" 777 | display_name = "NTP Service" 778 | description = "Terraform DNS Ruleset" 779 | category = "Infrastructure" 780 | 781 | rule { 782 | display_name = "NTP Service" 783 | source_groups = ["${nsxt_policy_group.RFC_1918.path}"] 784 | destination_groups = ["${nsxt_policy_group.NTP_Server.path}"] 785 | action = "ALLOW" 786 | services = ["/infra/services/NTP"] 787 | logged = true 788 | } 789 | rule { 790 | display_name = "NTP Service" 791 | source_groups = ["${nsxt_policy_group.NTP_Server.path}"] 792 | destination_groups = ["${nsxt_policy_group.RFC_1918.path}"] 793 | action = "ALLOW" 794 | services = 
["/infra/services/NTP"] 795 | logged = true 796 | } 797 | } 798 | ###################### creating Ruleset Environment ###################### 799 | ###################### creating Ruleset for Unified Access Gateway external ###################### 800 | 801 | resource "nsxt_policy_security_policy" "UAG_external" { 802 | domain = "cgw" 803 | display_name = "UAG_external" 804 | description = "Terraform UAG_external Ruleset" 805 | category = "Environment" 806 | 807 | rule { 808 | display_name = "UAG_external_Clients_Inbound" 809 | source_groups = [nsxt_policy_group.RFC_1918.path] 810 | sources_excluded = true 811 | destination_groups = [nsxt_policy_group.UAG_external.path] 812 | action = "ALLOW" 813 | services = ["/infra/services/HTTPS", nsxt_policy_service.Blast_TCP8443.path, nsxt_policy_service.Blast_UDP443.path, nsxt_policy_service.PCoIP_TCP4172.path, nsxt_policy_service.PCoIP_UDP4172.path] 814 | logged = true 815 | } 816 | 817 | rule { 818 | display_name = "UAG_external_VDI_Clients_Outbound" 819 | source_groups = [nsxt_policy_group.UAG_external.path] 820 | destination_groups = [nsxt_policy_group.VDI_Clients.path] 821 | action = "ALLOW" 822 | services = [nsxt_policy_service.Blast_TCP22443.path, "/infra/services/RDP", nsxt_policy_service.CDR_MMR_TCP9427.path, nsxt_policy_service.USB_TCP32111.path, nsxt_policy_service.PCoIP_TCP4172.path, nsxt_policy_service.PCoIP_UDP4172.path] 823 | logged = true 824 | } 825 | rule { 826 | display_name = "UAG_external_ConnectionServer_Outbound" 827 | source_groups = [nsxt_policy_group.UAG_external.path] 828 | destination_groups = [nsxt_policy_group.ConnectionServer.path] 829 | action = "ALLOW" 830 | services = ["/infra/services/HTTPS"] 831 | logged = true 832 | } 833 | rule { 834 | display_name = "UAG_external_RADIUS_Outbound" 835 | source_groups = [nsxt_policy_group.UAG_external.path] 836 | destination_groups = [nsxt_policy_group.RADIUS.path] 837 | action = "ALLOW" 838 | services = [nsxt_policy_service.RSA_SecureID_UDP5500.path] 839 | 
logged = true 840 | } 841 | } 842 | 843 | 844 | ###################### creating Ruleset for Unified Access Gateway internal ###################### 845 | 846 | resource "nsxt_policy_security_policy" "UAG_internal" { 847 | domain = "cgw" 848 | display_name = "UAG_internal" 849 | description = "Terraform UAG_internal Ruleset" 850 | category = "Environment" 851 | 852 | rule { 853 | display_name = "UAG_internal_Clients_Inbound" 854 | source_groups = ["${nsxt_policy_group.RFC_1918.path}"] 855 | destination_groups = ["${nsxt_policy_group.UAG_internal.path}"] 856 | action = "ALLOW" 857 | services = ["/infra/services/HTTPS", "${nsxt_policy_service.Blast_TCP8443.path}", "${nsxt_policy_service.Blast_UDP443.path}", "${nsxt_policy_service.PCoIP_TCP4172.path}", "${nsxt_policy_service.PCoIP_UDP4172.path}"] 858 | logged = true 859 | } 860 | 861 | rule { 862 | display_name = "UAG_internal_VDI_Clients_Outbound" 863 | source_groups = ["${nsxt_policy_group.UAG_internal.path}"] 864 | destination_groups = ["${nsxt_policy_group.VDI_Clients.path}"] 865 | action = "ALLOW" 866 | services = ["${nsxt_policy_service.Blast_TCP22443.path}", "/infra/services/RDP", "${nsxt_policy_service.CDR_MMR_TCP9427.path}", "${nsxt_policy_service.USB_TCP32111.path}", "${nsxt_policy_service.PCoIP_TCP4172.path}", "${nsxt_policy_service.PCoIP_UDP4172.path}"] 867 | logged = true 868 | } 869 | 870 | rule { 871 | display_name = "UAG_internal_ConnectionServer_Outbound" 872 | source_groups = ["${nsxt_policy_group.UAG_internal.path}"] 873 | destination_groups = ["${nsxt_policy_group.ConnectionServer.path}"] 874 | action = "ALLOW" 875 | services = ["/infra/services/HTTPS"] 876 | logged = true 877 | } 878 | rule { 879 | display_name = "UAG_internal_RADIUS_Outbound" 880 | source_groups = [nsxt_policy_group.UAG_internal.path] 881 | destination_groups = [nsxt_policy_group.RADIUS.path] 882 | action = "ALLOW" 883 | services = [nsxt_policy_service.RSA_SecureID_UDP5500.path] 884 | logged = true 885 | } 886 | } 887 | 888 | 
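###################### creating Ruleset for Internal Connections without internal UAGs ######################

// Direct (UAG-less) access from private address space to desktops, Connection
// Servers and Workspace ONE Access/Connectors.
resource "nsxt_policy_security_policy" "Internal_Client_Connection" {
  domain       = "cgw"
  display_name = "Internal_Client_Connection"
  description  = "Terraform Internal_Client_Connection Ruleset"
  category     = "Environment"

  // Any private host may open display-protocol sessions straight to desktops.
  rule {
    display_name       = "Internal_Client_Connection_VDI_Clients_Outbound"
    source_groups      = [nsxt_policy_group.RFC_1918.path]
    destination_groups = [nsxt_policy_group.VDI_Clients.path]
    action             = "ALLOW"
    services = [
      "/infra/services/RDP",
      nsxt_policy_service.CDR_MMR_TCP9427.path,
      nsxt_policy_service.USB_TCP32111.path,
      nsxt_policy_service.PCoIP_TCP4172.path,
      nsxt_policy_service.PCoIP_UDP4172.path,
      "/infra/services/HTTPS",
    ]
    logged = true
  }

  rule {
    display_name       = "Internal_Client_Connection_Connection_Server_Outbound"
    source_groups      = [nsxt_policy_group.RFC_1918.path]
    destination_groups = [nsxt_policy_group.ConnectionServer.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS", nsxt_policy_service.Blast_TCP8443.path]
    logged             = true
  }

  rule {
    display_name       = "Internal_Client_Workspace_1_Access_Outbound"
    source_groups      = [nsxt_policy_group.RFC_1918.path]
    destination_groups = [nsxt_policy_group.Workspace1_Access.path]
    action             = "ALLOW"
    services = [
      "/infra/services/HTTPS",
      nsxt_policy_service.Blast_TCP8443.path,
      nsxt_policy_service.iOS_TCP88.path,
      nsxt_policy_service.iOS_UDP88.path,
      nsxt_policy_service.Android_TCP5262.path,
      nsxt_policy_service.SSL_cert_TCP7443.path,
    ]
    logged = true
  }

  rule {
    display_name       = "Internal_Client_Workspace_1_Connector_Outbound"
    source_groups      = [nsxt_policy_group.RFC_1918.path]
    destination_groups = [nsxt_policy_group.Workspace1_Connector.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
}

###################### creating Ruleset for Horizon Connection Server ######################

// Connection Server egress: replication between servers, event DB, vCenter,
// desktops, Enrollment Server (True SSO) and RSA SecurID.
resource "nsxt_policy_security_policy" "Horizon_Connection_Server" {
  domain       = "cgw"
  display_name = "Horizon_Connection_Server"
  description  = "Terraform Horizon_Connection_Server Ruleset"
  category     = "Environment"

  // Intra-pod traffic between Connection Servers (AD LDS replication, JMS, ...).
  rule {
    display_name       = "Horizon_Connection_Server_Connection_Server_In-/Outbound"
    source_groups      = [nsxt_policy_group.ConnectionServer.path]
    destination_groups = [nsxt_policy_group.ConnectionServer.path]
    action             = "ALLOW"
    services = [
      "/infra/services/LDAP",
      nsxt_policy_service.USB_TCP32111.path,
      nsxt_policy_service.replica_TCP135.path,
      nsxt_policy_service.JMS_TCP4100.path,
      nsxt_policy_service.JMS_SSL_TCP4101.path,
      nsxt_policy_service.ADLDS_TCP22389.path,
      nsxt_policy_service.ADLDS_TCP22636.path,
      nsxt_policy_service.VIPA_TCP8472.path,
    ]
    logged = true
  }

  rule {
    display_name       = "Horizon_Connection_Server_Event_DB_Outbound"
    source_groups      = [nsxt_policy_group.ConnectionServer.path]
    destination_groups = [nsxt_policy_group.Event_Database.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.EventDB_TCP1433.path]
    logged             = true
  }

  // Destination is the VMC-managed vCenter group in the mgw domain
  // (presumably pre-existing; not managed by this file).
  rule {
    display_name       = "Horizon_Connection_Server_vCenter_Outbound"
    source_groups      = [nsxt_policy_group.ConnectionServer.path]
    destination_groups = ["/infra/domains/mgw/groups/VCENTER"]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  rule {
    display_name       = "Horizon_Connection_Server_VDI_Clients"
    source_groups      = [nsxt_policy_group.ConnectionServer.path]
    destination_groups = [nsxt_policy_group.VDI_Clients.path]
    action             = "ALLOW"
    services = [
      nsxt_policy_service.Blast_TCP22443.path,
      "/infra/services/RDP",
      nsxt_policy_service.CDR_MMR_TCP9427.path,
      nsxt_policy_service.USB_TCP32111.path,
      nsxt_policy_service.PCoIP_TCP4172.path,
      nsxt_policy_service.PCoIP_UDP4172.path,
    ]
    logged = true
  }

  rule {
    display_name       = "Horizon_Connection_Server_Enrollment_Server_Outbound"
    source_groups      = [nsxt_policy_group.ConnectionServer.path]
    destination_groups = [nsxt_policy_group.Enrollment_Server.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.USB_TCP32111.path]
    logged             = true
  }

  rule {
    display_name       = "Horizon_Connection_Server_RSA_SecurID"
    source_groups      = [nsxt_policy_group.ConnectionServer.path]
    destination_groups = [nsxt_policy_group.RSA_SecureID_Server.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.RSA_SecureID_UDP5500.path]
    logged             = true
  }
}

###################### creating Ruleset for Admin Access ######################

// Management-plane access from Admin_VMs only.
// FIX: several rules shared a display_name with another rule in this policy
// (two "ADMIN_Workspace1_Access_Outbound", two
// "Admin_Horizon_Connection_Server_Outbound"), which makes log entries
// (logged = true everywhere) unattributable; each rule now has a unique name.
resource "nsxt_policy_security_policy" "Admin_Access" {
  domain       = "cgw"
  display_name = "Admin_Access"
  description  = "Terraform Admin_Access Ruleset"
  category     = "Environment"

  rule {
    display_name       = "ADMIN_UAG_External_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.UAG_external.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.Blast_TCP9443.path]
    logged             = true
  }

  rule {
    display_name       = "ADMIN_UAG_Internal_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.UAG_internal.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.Blast_TCP9443.path]
    logged             = true
  }

  rule {
    display_name       = "ADMIN_Workspace1_Access_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.Workspace1_Access.path]
    action             = "ALLOW"
    services = [
      nsxt_policy_service.Blast_TCP8443.path,
      "/infra/services/HTTPS",
      nsxt_policy_service.SSL_TCP22.path,
    ]
    logged = true
  }

  rule {
    display_name       = "ADMIN_Workspace1_Connector_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.Workspace1_Connector.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.Blast_TCP8443.path, nsxt_policy_service.SSL_TCP22.path]
    logged             = true
  }

  rule {
    display_name       = "Admin_Horizon_Connection_Server_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.ConnectionServer.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  rule {
    display_name       = "Admin_vCenter_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = ["/infra/domains/mgw/groups/VCENTER"]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  rule {
    display_name       = "Admin_Microsoft_Remote_Control"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.VDI_Clients.path]
    action             = "ALLOW"
    services           = ["/infra/services/RDP"]
    logged             = true
  }

  rule {
    display_name       = "Admin_Horizon_AppVol_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.AppVol_MGMT.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  rule {
    display_name       = "Admin_Horizon_vROPS_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.vROPS.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  rule {
    display_name       = "Admin_Horizon_Cloud_Connector_Outbound"
    source_groups      = [nsxt_policy_group.Admin_VMs.path]
    destination_groups = [nsxt_policy_group.Horizon_Cloud_Connector.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
}

###################### creating Ruleset for Horizon VDI Clients ######################

// Egress from the desktops themselves.
resource "nsxt_policy_security_policy" "Horizon_VDI_Clients" {
  domain       = "cgw"
  display_name = "Horizon_VDI_Clients"
  description  = "Terraform Horizon_VDI_Clients Ruleset"
  category     = "Environment"

  rule {
    display_name       = "VDI_Clients_Horizon_Connection_Server_Outbound"
    source_groups      = [nsxt_policy_group.VDI_Clients.path]
    destination_groups = [nsxt_policy_group.ConnectionServer.path]
    action             = "ALLOW"
    services = [
      "/infra/services/LDAP",
      "/infra/services/LDAP-over-SSL",
      nsxt_policy_service.JMS_SSL_TCP4002.path,
    ]
    logged = true
  }

  rule {
    display_name       = "VDI_Clients_Horizon_AppVol_Outbound"
    source_groups      = [nsxt_policy_group.VDI_Clients.path]
    destination_groups = [nsxt_policy_group.AppVol_MGMT.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  rule {
    display_name       = "VDI_Clients_Horizon_vROPS_Outbound"
    source_groups      = [nsxt_policy_group.VDI_Clients.path]
    destination_groups = [nsxt_policy_group.vROPS.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.vROPS_TCP3091.path, nsxt_policy_service.vROPS_TCP3099.path]
    logged             = true
  }

  // Direction is desktop -> Cloud Connector; renamed from "_Inbound" to match
  // the naming used by the other rules in this policy.
  rule {
    display_name       = "VDI_Clients_Horizon_Cloud_Connector_Outbound"
    source_groups      = [nsxt_policy_group.VDI_Clients.path]
    destination_groups = [nsxt_policy_group.Horizon_Cloud_Connector.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.TCP11002.path]
    logged             = true
  }

  // NOTE(review): the desktop-to-desktop DENY below is disabled. Without it,
  // lateral movement between desktops is governed solely by the DFW default
  // rule. If re-enabled, note that `services = []` matches ANY service.
  /*
  rule {
    display_name       = "VDI_Clients_VDI_Client"
    source_groups      = [nsxt_policy_group.VDI_Clients.path]
    destination_groups = [nsxt_policy_group.VDI_Clients.path]
    action             = "DENY"
    services           = []
    logged             = true
  }
  */
}

###################### creating Ruleset for Workspace1_Connector ######################

// Workspace ONE Access Connector egress: Horizon, WS1 Access, AD, logging, MFA, proxy.
resource "nsxt_policy_security_policy" "Workspace1_Connector" {
  domain       = "cgw"
  display_name = "Workspace1_Connector"
  description  = "Terraform Workspace1_Connector Ruleset"
  category     = "Environment"

  rule {
    display_name       = "Workspace_One_Connector_Horizon_Connection_Server_Outbound"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.ConnectionServer.path]
    action             = "ALLOW"
    services = [
      "/infra/services/HTTPS",
      "/infra/services/LDAP",
      "/infra/services/LDAP-over-SSL",
    ]
    logged = true
  }

  rule {
    display_name       = "Workspace_One_Connector_Workspace_One_Access_Outbound"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.Workspace1_Access.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  // Directory sync and Kerberos against the domain controllers.
  rule {
    display_name       = "Workspace_One_Connector_Domain_Controller"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.Domain_Controller.path]
    action             = "ALLOW"
    services = [
      "/infra/services/LDAP",
      "/infra/services/LDAP-over-SSL",
      "/infra/services/LDAP_Global_Catalog",
      "/infra/services/Windows-Global-Catalog-over-SSL",
      "/infra/services/KERBEROS-UDP",
      "/infra/services/KERBEROS-TCP",
      "/infra/services/Active_Directory_Server",
      "/infra/services/Active_Directory_Server_UDP",
      "/infra/services/MS_RPC_TCP",
    ]
    logged = true
  }

  // Plain UDP syslog: unauthenticated and unencrypted; prefer the TLS Log
  // Insight path below where available.
  rule {
    display_name       = "Workspace_One_Connector_Syslog_Server"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.Syslog.path]
    action             = "ALLOW"
    services           = ["/infra/services/Syslog-Server-UDP"]
    logged             = true
  }

  rule {
    display_name       = "Workspace_One_Connector_Log_Insight"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.Log_Insight.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.Log_Insight_TCP9543.path]
    logged             = true
  }

  // NOTE(review): the service names say TCP, but RADIUS 1812/1813 is normally
  // UDP; the service definitions are outside this view — verify the protocol.
  rule {
    display_name       = "Workspace_One_Connector_RADIUS"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.RADIUS.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.RADIUS_Server_TCP1813.path, nsxt_policy_service.RADIUS_Server_TCP1812.path]
    logged             = true
  }

  rule {
    display_name       = "Workspace_One_Connector_RSA_SecureID"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.RSA_SecureID_Server.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.RSA_SecureID_UDP5500.path]
    logged             = true
  }

  rule {
    display_name       = "Workspace_One_Connector_Internet_Proxy"
    source_groups      = [nsxt_policy_group.Workspace1_Connector.path]
    destination_groups = [nsxt_policy_group.Internet_Proxy.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
}

###################### creating Ruleset for Workspace1_Access ######################

// Workspace ONE Access: cluster-internal traffic and user-facing HTTPS.
resource "nsxt_policy_security_policy" "Workspace1_Access" {
  domain       = "cgw"
  display_name = "Workspace1_Access"
  description  = "Terraform Workspace1_Access Ruleset"
  category     = "Environment"

  // Node-to-node cluster traffic (Elasticsearch, Hazelcast, EHCache, audit).
  rule {
    display_name       = "Workspace1_Access_Workspace1_Access"
    source_groups      = [nsxt_policy_group.Workspace1_Access.path]
    destination_groups = [nsxt_policy_group.Workspace1_Access.path]
    action             = "ALLOW"
    services = [
      "/infra/services/HTTPS",
      nsxt_policy_service.Blast_TCP8443.path,
      nsxt_policy_service.ElasticSearch_TCP8200.path,
      nsxt_policy_service.Hazelcast_cache_TCP5701.path,
      nsxt_policy_service.EHCache_TCP40002.path,
      nsxt_policy_service.EHCache_TCP40003.path,
      nsxt_policy_service.Audit_UDP54328.path,
      nsxt_policy_service.Audit_TCP9300.path,
      nsxt_policy_service.Audit_TCP9400.path,
    ]
    logged = true
  }

  // NOTE(review): an empty source_groups list means ANY source, so this rule
  // admits HTTPS from everywhere the gateway routes, including the Internet if
  // the CGW permits it. If only private users are expected, use
  // [nsxt_policy_group.RFC_1918.path] as in Internal_Client_Connection.
  rule {
    display_name       = "Workspace1_Access_Inbound"
    source_groups      = []
    destination_groups = [nsxt_policy_group.Workspace1_Access.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
}


###################### creating Ruleset for JMP_Server ######################

// JMP Server egress to App Volumes Manager and Connection Servers.
resource "nsxt_policy_security_policy" "JMP_Server" {
  domain       = "cgw"
  display_name = "JMP_Server"
  description  = "Terraform JMP_Server Ruleset"
  category     = "Environment"

  rule {
    display_name       = "JMP_Server_AppVol_Outbound"
    source_groups      = [nsxt_policy_group.JMP_Server.path]
    destination_groups = [nsxt_policy_group.AppVol_MGMT.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  rule {
    display_name       = "JMP_Server_ConnectionServer_Outbound"
    source_groups      = [nsxt_policy_group.JMP_Server.path]
    destination_groups = [nsxt_policy_group.ConnectionServer.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }
}

###################### creating Ruleset for AppVolumes ######################

// App Volumes Manager egress: vCenter, ESXi, AD, SQL.
// FIX: the SQL rule was also labelled "AppVol_ESXi_Outbound".
resource "nsxt_policy_security_policy" "AppVolumes" {
  domain       = "cgw"
  display_name = "AppVolumes"
  description  = "Terraform AppVolumes Ruleset"
  category     = "Environment"

  rule {
    display_name       = "AppVol_vCenter_Outbound"
    source_groups      = [nsxt_policy_group.AppVol_MGMT.path]
    destination_groups = ["/infra/domains/mgw/groups/VCENTER"]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  rule {
    display_name       = "AppVol_ESXi_Outbound"
    source_groups      = [nsxt_policy_group.AppVol_MGMT.path]
    destination_groups = ["/infra/domains/mgw/groups/ESXI"]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  rule {
    display_name       = "AppVol_Domain_Controller_Outbound"
    source_groups      = [nsxt_policy_group.AppVol_MGMT.path]
    destination_groups = [nsxt_policy_group.Domain_Controller.path]
    action             = "ALLOW"
    services           = ["/infra/services/LDAP", "/infra/services/LDAP-over-SSL"]
    logged             = true
  }

  rule {
    display_name       = "AppVol_SQL_Outbound"
    source_groups      = [nsxt_policy_group.AppVol_MGMT.path]
    destination_groups = [nsxt_policy_group.AppVol_SQL.path]
    action             = "ALLOW"
    services           = ["/infra/services/MS-SQL-S"]
    logged             = true
  }
}

###################### creating Ruleset for Horizon_Cloud_Connector ######################

// Horizon Cloud Connector egress to Connection Servers and the Internet proxy.
resource "nsxt_policy_security_policy" "Horizon_Cloud_Connector" {
  domain       = "cgw"
  display_name = "Horizon_Cloud_Connector"
  description  = "Terraform Horizon_Cloud_Connector Ruleset"
  category     = "Environment"

  rule {
    display_name       = "Cloud_Connector_ConnectionServer_Outbound"
    source_groups      = [nsxt_policy_group.Horizon_Cloud_Connector.path]
    destination_groups = [nsxt_policy_group.ConnectionServer.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS", nsxt_policy_service.JMS_SSL_TCP4002.path]
    logged             = true
  }

  rule {
    display_name       = "Cloudconnector_internet"
    source_groups      = [nsxt_policy_group.Horizon_Cloud_Connector.path]
    destination_groups = [nsxt_policy_group.Internet_Proxy.path]
    action             = "ALLOW"
    services           = ["/infra/services/HTTPS"]
    logged             = true
  }

  // NOTE(review): despite the "Clients_Inbound" name, the source here is the
  // Cloud Connector and destinations_excluded = true makes the destination
  // "everything except the Cloud Connector": the appliance may open SSH to any
  // host in the cgw domain. If inbound admin SSH was intended, the source
  // should be Admin_VMs and the destination the connector (no exclusion).
  rule {
    display_name          = "Cloudconnector_Clients_Inbound"
    source_groups         = [nsxt_policy_group.Horizon_Cloud_Connector.path]
    destination_groups    = [nsxt_policy_group.Horizon_Cloud_Connector.path]
    destinations_excluded = true
    action                = "ALLOW"
    services              = ["/infra/services/SSH"]
    logged                = true
  }
}

###################### creating Ruleset for Enrollment_Server ######################

// Enrollment Server (True SSO) egress to the CA and domain controllers.
resource "nsxt_policy_security_policy" "Enrollment_Server" {
  domain       = "cgw"
  display_name = "Enrollment_Server"
  description  = "Terraform Enrollment_Server Ruleset"
  category     = "Environment"

  // NOTE(review): TCP/135 is only the RPC endpoint mapper; the certificate
  // request itself (DCOM) presumably also needs the dynamic RPC port range
  // unless the CA has been pinned to a fixed port — verify before relying
  // on this rule alone.
  rule {
    display_name       = "Enrollment_Server_AD_Cert_Outbound"
    source_groups      = [nsxt_policy_group.Enrollment_Server.path]
    destination_groups = [nsxt_policy_group.AD_cert.path]
    action             = "ALLOW"
    services           = [nsxt_policy_service.replica_TCP135.path]
    logged             = true
  }

  rule {
    display_name       = "Enrollment_Server_Domain_Controller_Outbound"
    source_groups      = [nsxt_policy_group.Enrollment_Server.path]
    destination_groups = [nsxt_policy_group.Domain_Controller.path]
    action             = "ALLOW"
    services           = ["/infra/services/Microsoft_Active_Directory_V1"]
    logged             = true
  }
}

// NOTE(review): every rule in this file is an ALLOW and no explicit
// drop/cleanup rule is defined. Whether anything is actually blocked therefore
// depends on the SDDC's DFW default rule; if that default is allow, these
// policies add logging but no restriction. Add a final logged DENY once the
// required flows have been confirmed from the rule hit logs.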