{"id":1660,"date":"2022-02-03T10:33:50","date_gmt":"2022-02-03T09:33:50","guid":{"rendered":"https:\/\/nine30.info\/?p=1660"},"modified":"2022-02-03T10:33:50","modified_gmt":"2022-02-03T09:33:50","slug":"salt-sddc-modules-manage-vmc-security-groups-and-rules","status":"publish","type":"post","link":"https:\/\/nine30.nxt70.com\/index.php\/2022\/02\/03\/salt-sddc-modules-manage-vmc-security-groups-and-rules\/","title":{"rendered":"Salt SDDC Modules \u2013 Manage VMC Security Groups and Rules"},"content":{"rendered":"\n

After two SDDC Extension Modules introductory posts about getting started<\/a> and state files<\/a>, in this post I cover something more juicy from my point of view: managing VMware Cloud on AWS (VMC) Security Groups and Security Rules. Of course as a pre-requisite, in addition to having Salt Master with SDDC extensions modules, you need to have access to a VMC SDDC. For this lab activity I was supported by Matteo Concilio<\/a> who is a true VMC and VCF expert and a super nice person!<\/p>\n\n\n\n

In order to manage VMC SDDC Networking & Security configuration we will leverage modules named vmc_security_group<\/code> and vmc_security_rules<\/code>, but to collect all the required info we will also use module named vmc_sddc<\/code>. <\/p>\n\n\n\n

Required information and how to collect it<\/h2>\n\n\n\n

These are the information you need to collect before creating your state files.<\/p>\n\n\n\n

refresh_key<\/code><\/p>\n\n\n\n

This is your VMware CSP API Token, here<\/a> is the doc page “How Do I Generate API Tokens” for VMware Cloud Console. The grants I used for this use case are showed in the picture below, they might be a bit beyond the minimum required. <\/p>\n\n\n\n

\n
\"\"<\/figure>\n<\/figure>\n\n\n\n

authorization_host<\/code><\/p>\n\n\n\n

This is a constant value console.cloud.vmware.com<\/code><\/p>\n\n\n\n

org_id<\/code><\/p>\n\n\n\n

This is the Organization ID of the SDDC instance to be managed. On the Cloud Services Console toolbar, click your username and copy the Organization ID. There is little icon button that helps you in this.<\/p>\n\n\n\n

\n
\"\"<\/figure>\n<\/figure>\n\n\n\n

hostname<\/code><\/p>\n\n\n\n

This is the hostname of NSX-T manager of your SDDC. In order to obtain this info you can use the get<\/code> function from the vmc_sddc<\/code> module as follows:<\/p>\n\n\n\n

salt-call vmc_sddc.get hostname=vmc.vmware.com refresh_key=<Your_CSP_API_Token> authorization_host=console.cloud.vmware.com org_id=<Your_Org_ID> verify_ssl=False cert=None > ~\/sddcs.yaml<\/code><\/pre>\n\n\n\n
In the ~\/sddcs.yaml<\/code> file look for the parameter named nsx_reverse_proxy_url<\/code> and this would be something like https:\/\/nsx-11-22-33-44.rp.vmwarevmc.com\/vmc\/reverse-proxy\/api\/<\/code> here you just need to save the FQDN of that URL, nsx-11-22-33-44.rp.vmwarevmc.com<\/code> in the example.<\/p>\n\n\n\n
It is a good practice to store this sensitive data in a Pillar, so you can add a new Pillar file ~\/salt\/srv\/pillar\/smea_vmc_conf.sls<\/code> with the following structure:<\/p>\n\n\n\n
nsx_hostname: <Your_NSX_Hostname>\nrefresh_key: <Your_Refresh_Key>\nauthorization_host: console.cloud.vmware.com\norg_id: <Your_Org_ID>\nsddc_id: <Your_SDDC_ID><\/code><\/pre>\n\n\n\n
Then you need to modify the Pillar Top file by adding the newly created pillar file as follows:<\/p>\n\n\n\n
base:\n  master_minion:\n    - my_vsphere_conf\n    - semea_vmc_conf<\/code><\/pre>\n\n\n\n
To make sure the new Pillar data is assigned to your minion you can run the following command:<\/p>\n\n\n\n
salt-call pillar.items<\/code><\/pre>\n\n\n\n
The output should include both my_vpshere_conf <\/code>and semea_vmc_conf<\/code> contents.<\/p>\n\n\n\n
\n
\"\"<\/figure>\n<\/figure>\n\n\n\n
Now we have the basic info required to authenticate to our SDDC instance.<\/p>\n\n\n\n
State Files<\/h2>\n\n\n\n
The first state file will be used to create a new Security Group, please note that we could have all the configuration in a single state file. Add ~\/salt\/srv\/salt\/group_create.sls<\/code> State file with the content reported in the snippet below. You may need to use a different path if you didn’t configure your Master as per instructions from my Salt SDDC Modules \u2013 Getting Started<\/a> post.<\/p>\n\n\n\n
#Create a new Security Group\ngroup_present:\n  module.run:\n    - name: vmc_security_groups.create\n    - hostname: {{ pillar['nsx_hostname'] }} \n    - refresh_key: {{ pillar['refresh_key'] }} \n    - authorization_host: {{ pillar['authorization_host'] }} \n    - org_id: {{ pillar['org_id'] }} \n    - sddc_id: {{ pillar['sddc_id'] }} \n    - domain_id: cgw \n    - verify_ssl: False \n    - cert: None \n    - security_group_id: paolo<\/code><\/pre>\n\n\n\n
Relevant information in the state above:<\/p>\n\n\n\n