IP Space autocreate NAT and Firewall rules

.changes/v2.22.0/628-improvements.md

@@ -0,0 +1,2 @@
+* `types.IpSpace` support Firewall and NAT rule autocreation configuration using
+  `types.DefaultGatewayServiceConfig` on VCD 10.5.0+ [GH-628]

govcd/ip_space_test.go

@@ -112,7 +112,6 @@ func (vcd *TestVCD) Test_IpSpaceShared(check *C) {
 		},
 	}
 	ipSpaceChecks(vcd, check, ipSpaceConfig)
-
 }
 
 func (vcd *TestVCD) Test_IpSpacePrivate(check *C) {
@@ -217,6 +216,20 @@ func ipSpaceChecks(vcd *TestVCD, check *C, ipSpaceConfig *types.IpSpace) {
 	check.Assert(updatedIpSpace, NotNil)
 	check.Assert(len(ipSpaceConfig.IPSpaceInternalScope), Equals, len(updatedIpSpace.IpSpace.IPSpaceInternalScope))
 
+	if vcd.client.Client.APIVCDMaxVersionIs(">= 38.0") {
+		fmt.Println("# Testing NAT and Firewall rule autocreation flags for VCD 10.5.0+")
+		ipSpaceConfig.Name = check.TestName() + "-GatewayServiceConfig"
+		ipSpaceConfig.DefaultGatewayServiceConfig = &types.IpSpaceDefaultGatewayServiceConfig{
+			EnableDefaultFirewallRuleCreation: true,
+			EnableDefaultNoSnatRuleCreation:   true,
+			EnableDefaultSnatRuleCreation:     true,
+		}
+
+		updatedIpSpace, err = updatedIpSpace.Update(ipSpaceConfig)
+		check.Assert(err, IsNil)
+		check.Assert(updatedIpSpace.IpSpace.DefaultGatewayServiceConfig, DeepEquals, ipSpaceConfig.DefaultGatewayServiceConfig)
+	}
+
 	err = createdIpSpace.Delete()
 	check.Assert(err, IsNil)
 

govcd/openapi_endpoints.go

@@ -209,6 +209,10 @@ var endpointElevatedApiVersions = map[string][]string{
 		//"37.1", // Introduced support
 		"37.2", // Adds 'value' field
 	},
+	types.OpenApiPathVersion1_0_0 + types.OpenApiEndpointIpSpaces: {
+		//"37.1", // Introduced support
+		"38.0", // Adds 'DefaultGatewayServiceConfig' structure for firewall and NAT rule creation
+	},
 }
 
 // checkOpenApiEndpointCompatibility checks if VCD version (to which the client is connected) is sufficient to work with

types/v56/ip_space.go

@@ -69,10 +69,59 @@ type IpSpace struct {
 	// if the associated Provider Gateway is owned by the Organization.
 	RouteAdvertisementEnabled bool `json:"routeAdvertisementEnabled"`
 
+	// DefaultGatewayServiceConfig specifies default gateway services configurations such as NAT and
+	// Firewall rules that a user can apply on either the Provider Gateway or Edge Gateway depending
+	// on the network topology. Note that re-applying the default services on the Provider Gateway
+	// or Edge Gateway may delete/update/create services that are managed/created by VCD.
+	//
+	// Requires VCD 10.5.0+ (API v38.0+)
+	DefaultGatewayServiceConfig *IpSpaceDefaultGatewayServiceConfig `json:"defaultGatewayServiceConfig,omitempty"`
+
 	// Status is one of `PENDING`,   `CONFIGURING`,   `REALIZED`,   `REALIZATION_FAILED`,   `UNKNOWN`
 	Status string `json:"status,omitempty"`
 }
 
+// IpSpaceDefaultGatewayServiceConfig specified the default gateway services configurations such as NAT and Firewall rules
+// that a user can apply on either the Provider Gateway or Edge Gateway depending on the network
+// topology. Below is an example of the ordering of NAT rule:
+// * If IP Space's external scope maps to any network such as "0.0.0.0/0", the NO SNAT rules
+// priority is 1001 and the default SNAT rules will have priority 1000
+// * All other default SNAT rules has priority 100
+// * All other default NO SNAT rules has priority 0
+// * User-created NAT rules has default priority 50
+//
+// Requires VCD 10.5.0+ (API v38.0+)
+type IpSpaceDefaultGatewayServiceConfig struct {
+	// If true, the user can choose to later apply the default firewall rules on either the Provider
+	// Gateway or Edge Gateway. These firewall rules are created only if the corresponding
+	// associated default No SNAT and NAT rules are configured. False means that the default
+	// firewall rules will not be created.
+	// For the associated default SNAT rule, the source is ANY and the destination is the IP Space's
+	// external scope.
+	// For the associated default No SNAT rule, the source is the IP Space's internal scopes and the
+	// destination is the IP Space's external scope.
+	EnableDefaultFirewallRuleCreation bool `json:"enableDefaultFirewallRuleCreation,omitempty"`
+	// If true, the user can choose to later apply the default No SNAT rules on either the Provider
+	// Gateway or Edge Gateway.
+	// False means that the default No SNAT rule will not be created.
+	// An example of a default No NAT rule is that the source CIDR is the IP Space's internal scope
+	// and the destination CIDR is the IP Space's external scope. This allows traffic to and from
+	// the IP Space's internal and external scope to not be affected by any NAT rule. An example of
+	// such traffic is that an Organization VDC Network within IP Space's internal scope will be
+	// able to route out to the internet. This means that this configuration can allow both
+	// fully-routed topology and also NAT-routed topology.
+	EnableDefaultNoSnatRuleCreation bool `json:"enableDefaultNoSnatRuleCreation,omitempty"`
+	// If true, the user can choose to later apply the default SNAT rules on either the Provider
+	// Gateway or Edge Gateway.
+	// False means that the default SNAT rule will not be created.
+	// An example of a default NAT rule is that the source CIDR is ANY, the destination CIDR is the
+	// IP Space's external scope. This allows all traffic such as from a private network to be able
+	// to access the external destination IPs specified by the IP Space's external scope such as the
+	// internet. Note that the translated external IP will be allocated from this IP Space if there
+	// are no free ones to be used for the SNAT rules.
+	EnableDefaultSnatRuleCreation bool `json:"enableDefaultSnatRuleCreation,omitempty"`
+}
+
 type FloatingIPs struct {
 	// TotalCount holds the number of IP addresses or IP Prefixes defined by the IP Space. If user
 	// does not own this IP Space, this is the quota that the user's organization is granted. A '-1'