vmware
diff --git a/‎api/infra/domains/intrusion_service_policies/rule.go‎
Lines changed: 136 additions & 0 deletions b/‎api/infra/domains/intrusion_service_policies/rule.go‎
Lines changed: 136 additions & 0 deletions
diff --git a/‎docs/data-sources/policy_intrusion_service_policy.md‎
Lines changed: 53 additions & 0 deletions b/‎docs/data-sources/policy_intrusion_service_policy.md‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎docs/resources/policy_intrusion_service_policy_rule.md‎
Lines changed: 125 additions & 0 deletions b/‎docs/resources/policy_intrusion_service_policy_rule.md‎
Lines changed: 125 additions & 0 deletions
@@ -0,0 +1,136 @@
+//nolint:revive
+package intrusionservicepolicies
+
+import (
+	"errors"
+
+	vapiProtocolClient_ "github.com/vmware/vsphere-automation-sdk-go/runtime/protocol/client"
+	client0 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/infra/domains/intrusion_service_policies"
+	model0 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/model"
+	client1 "github.com/vmware/vsphere-automation-sdk-go/services/nsxt/orgs/projects/infra/domains/intrusion_service_policies"
+
+	utl "github.com/vmware/terraform-provider-nsxt/api/utl"
+)
+
+type IntrusionServicePolicyRuleClientContext utl.ClientContext
+
+func NewRulesClient(sessionContext utl.SessionContext, connector vapiProtocolClient_.Connector) *IntrusionServicePolicyRuleClientContext {
+	var client interface{}
+
+	switch sessionContext.ClientType {
+
+	case utl.Local:
+		client = client0.NewRulesClient(connector)
+
+	case utl.Multitenancy:
+		client = client1.NewRulesClient(connector)
+
+	default:
+		return nil
+	}
+	return &IntrusionServicePolicyRuleClientContext{Client: client, ClientType: sessionContext.ClientType, ProjectID: sessionContext.ProjectID, VPCID: sessionContext.VPCID}
+}
+
+func (c IntrusionServicePolicyRuleClientContext) Get(domainIdParam string, policyIdParam string, ruleIdParam string) (model0.IdsRule, error) {
+	var obj model0.IdsRule
+	var err error
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		obj, err = client.Get(domainIdParam, policyIdParam, ruleIdParam)
+		if err != nil {
+			return obj, err
+		}
+
+	case utl.Multitenancy:
+		client := c.Client.(client1.RulesClient)
+		obj, err = client.Get(utl.DefaultOrgID, c.ProjectID, domainIdParam, policyIdParam, ruleIdParam)
+		if err != nil {
+			return obj, err
+		}
+
+	default:
+		return obj, errors.New("invalid infrastructure for model")
+	}
+	return obj, err
+}
+
+func (c IntrusionServicePolicyRuleClientContext) Delete(domainIdParam string, policyIdParam string, ruleIdParam string) error {
+	var err error
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		err = client.Delete(domainIdParam, policyIdParam, ruleIdParam)
+
+	case utl.Multitenancy:
+		client := c.Client.(client1.RulesClient)
+		err = client.Delete(utl.DefaultOrgID, c.ProjectID, domainIdParam, policyIdParam, ruleIdParam)
+
+	default:
+		err = errors.New("invalid infrastructure for model")
+	}
+	return err
+}
+
+func (c IntrusionServicePolicyRuleClientContext) Patch(domainIdParam string, policyIdParam string, ruleIdParam string, idsRuleParam model0.IdsRule) error {
+	var err error
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		err = client.Patch(domainIdParam, policyIdParam, ruleIdParam, idsRuleParam)
+
+	case utl.Multitenancy:
+		client := c.Client.(client1.RulesClient)
+		err = client.Patch(utl.DefaultOrgID, c.ProjectID, domainIdParam, policyIdParam, ruleIdParam, idsRuleParam)
+
+	default:
+		err = errors.New("invalid infrastructure for model")
+	}
+	return err
+}
+
+func (c IntrusionServicePolicyRuleClientContext) Update(domainIdParam string, policyIdParam string, ruleIdParam string, idsRuleParam model0.IdsRule) (model0.IdsRule, error) {
+	var err error
+	var obj model0.IdsRule
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		obj, err = client.Update(domainIdParam, policyIdParam, ruleIdParam, idsRuleParam)
+
+	case utl.Multitenancy:
+		client := c.Client.(client1.RulesClient)
+		obj, err = client.Update(utl.DefaultOrgID, c.ProjectID, domainIdParam, policyIdParam, ruleIdParam, idsRuleParam)
+
+	default:
+		err = errors.New("invalid infrastructure for model")
+	}
+	return obj, err
+}
+
+func (c IntrusionServicePolicyRuleClientContext) List(domainIdParam string, policyIdParam string, cursorParam *string, includeMarkForDeleteObjectsParam *bool, includedFieldsParam *string, pageSizeParam *int64, sortAscendingParam *bool, sortByParam *string) (model0.IdsRuleListResult, error) {
+	var err error
+	var obj model0.IdsRuleListResult
+
+	switch c.ClientType {
+
+	case utl.Local:
+		client := c.Client.(client0.RulesClient)
+		obj, err = client.List(domainIdParam, policyIdParam, cursorParam, includeMarkForDeleteObjectsParam, includedFieldsParam, pageSizeParam, sortAscendingParam, sortByParam)
+
+	case utl.Multitenancy:
+		client := c.Client.(client1.RulesClient)
+		obj, err = client.List(utl.DefaultOrgID, c.ProjectID, domainIdParam, policyIdParam, cursorParam, includeMarkForDeleteObjectsParam, includedFieldsParam, pageSizeParam, sortAscendingParam, sortByParam)
+
+	default:
+		err = errors.New("invalid infrastructure for model")
+	}
+	return obj, err
+}
@@ -0,0 +1,53 @@
+---
+subcategory: "Beta"
+layout: "nsxt"
+page_title: "NSXT: nsxt_policy_intrusion_service_policy"
+description: A data source to retrieve an Intrusion Service (IDS) Policy.
+---
+
+# nsxt_policy_intrusion_service_policy
+
+This data source provides information about an existing Intrusion Service (IDS) Policy configured on NSX.
+This data source can be useful for fetching policy path to use in `nsxt_policy_intrusion_service_policy_rule` resource.
+
+~> **NOTE:** This data source retrieves only the policy metadata (id, display_name, description, path). It does not retrieve the rules within the policy. To manage rules, use the `nsxt_policy_intrusion_service_policy_rule` resource with the policy path obtained from this data source.
+
+This data source is applicable to NSX Policy Manager and VMC (NSX version 3.1.0 onwards).
+
+## Example Usage
+
+```hcl
+data "nsxt_policy_intrusion_service_policy" "ids_policy" {
+  display_name = "intrusion-service-policy"
+}
+```
+
+## Example Usage - Multi-Tenancy
+
+```hcl
+data "nsxt_policy_project" "demoproj" {
+  display_name = "demoproj"
+}
+
+data "nsxt_policy_intrusion_service_policy" "ids_policy" {
+  context {
+    project_id = data.nsxt_policy_project.demoproj.id
+  }
+  display_name = "intrusion-service-policy"
+}
+```
+
+## Argument Reference
+
+* `id` - (Optional) The ID of the policy to retrieve.
+* `display_name` - (Optional) The display name of the policy to retrieve.
+* `domain` - (Optional) The domain of the policy. Defaults to `default`.
+* `context` - (Optional) The context which the object belongs to
+    * `project_id` - (Required) The ID of the project which the object belongs to
+
+## Attributes Reference
+
+In addition to arguments listed above, the following attributes are exported:
+
+* `description` - The description of the resource.
+* `path` - The NSX path of the policy resource.
@@ -0,0 +1,125 @@
+---
+subcategory: "Beta"
+layout: "nsxt"
+page_title: "NSXT: nsxt_policy_intrusion_service_policy_rule"
+description: A resource to configure a single rule in an Intrusion Service (IDS) Policy.
+---
+
+# nsxt_policy_intrusion_service_policy_rule
+
+This resource provides a method for the management of a single rule in an Intrusion Service (IDS) Policy for East-West traffic (Distributed Firewall context).
+
+Note: to avoid unexpected behavior, don't use this resource and resource `nsxt_policy_intrusion_service_policy` to manage rules under an intrusion service policy at the same time.
+Instead, please use this resource with resource `nsxt_policy_parent_intrusion_service_policy` to manage an intrusion service policy and its rules separately, and use `nsxt_policy_intrusion_service_policy` to manage a policy and its rules in one single resource.
+
+This resource is applicable to NSX Policy Manager and VMC (NSX version 3.1.0 onwards).
+
+## Example Usage
+
+```hcl
+data "nsxt_policy_intrusion_service_profile" "default" {
+  display_name = "DefaultIDSProfile"
+}
+
+resource "nsxt_policy_parent_intrusion_service_policy" "parent" {
+  display_name    = "tf-intrusion-svc-parent-policy"
+  locked          = false
+  sequence_number = 3
+  stateful        = true
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "nsxt_policy_intrusion_service_policy_rule" "detect_rule" {
+  display_name       = "detect-threats"
+  description        = "Detect threats in East-West traffic"
+  policy_path        = nsxt_policy_parent_intrusion_service_policy.parent.path
+  action             = "DETECT"
+  direction          = "IN"
+  sequence_number    = 1
+  source_groups      = [nsxt_policy_group.web_servers.path]
+  destination_groups = [nsxt_policy_group.db_servers.path]
+  services           = [nsxt_policy_service.http.path]
+  ids_profiles       = [data.nsxt_policy_intrusion_service_profile.default.path]
+  logged             = true
+}
+```
+
+## Example Usage - Multi-Tenancy
+
+```hcl
+data "nsxt_policy_project" "demoproj" {
+  display_name = "demoproj"
+}
+
+resource "nsxt_policy_parent_intrusion_service_policy" "parent" {
+  context {
+    project_id = data.nsxt_policy_project.demoproj.id
+  }
+  display_name    = "tf-intrusion-svc-parent-policy"
+  locked          = false
+  sequence_number = 3
+  stateful        = true
+}
+
+resource "nsxt_policy_intrusion_service_policy_rule" "detect_rule" {
+  context {
+    project_id = data.nsxt_policy_project.demoproj.id
+  }
+  display_name    = "detect-threats"
+  policy_path     = nsxt_policy_parent_intrusion_service_policy.parent.path
+  action          = "DETECT"
+  direction       = "IN_OUT"
+  sequence_number = 1
+  ids_profiles    = [data.nsxt_policy_intrusion_service_profile.default.path]
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `display_name` - (Required) Display name of the resource.
+* `description` - (Optional) Description of the resource.
+* `policy_path` - (Required) Path of the Intrusion Service Policy this rule belongs to. ForceNew.
+* `nsx_id` - (Optional) The NSX ID of this resource. If set, this ID will be used to create the resource.
+* `context` - (Optional) The context which the object belongs to. If it's not provided, it will be derived from `policy_path`.
+    * `project_id` - (Required) The ID of the project which the object belongs to
+* `destination_groups` - (Optional) Set of group paths that serve as the destination for this rule.
+* `destinations_excluded` - (Optional) Negation of destination groups. Default is `false`.
+* `direction` - (Optional) Traffic direction. One of `IN`, `OUT`, or `IN_OUT`. Default is `IN_OUT`.
+* `disabled` - (Optional) Flag to disable the rule. Default is `false`.
+* `ip_version` - (Optional) IP version. One of `IPV4`, `IPV6`, or `IPV4_IPV6`. Default is `IPV4_IPV6`.
+* `logged` - (Optional) Flag to enable packet logging. Default is `false`.
+* `notes` - (Optional) Text for additional notes on changes.
+* `scope` - (Optional) Set of policy object paths where the rule is applied.
+* `services` - (Optional) Set of service paths to match.
+* `source_groups` - (Optional) Set of group paths that serve as the source for this rule.
+* `sources_excluded` - (Optional) Negation of source groups. Default is `false`.
+* `log_label` - (Optional) Additional information which will be propagated to the rule syslog.
+* `tag` - (Optional) A list of scope + tag pairs to associate with this rule.
+* `action` - (Optional) Rule action. One of `DETECT` or `DETECT_PREVENT`. Default is `DETECT`.
+* `ids_profiles` - (Required) Set of IDS profile paths for this rule.
+* `sequence_number` - (Required) Sequence number of this rule.
+
+## Attributes Reference
+
+In addition to arguments listed above, the following attributes are exported:
+
+* `id` - ID of the resource.
+* `revision` - Indicates current revision number of the object as seen by NSX-T API server.
+* `path` - The NSX path of the policy resource.
+
+## Importing
+
+An existing Intrusion Service Policy Rule can be [imported][docs-import] into this resource, via the following command:
+
+[docs-import]: https://www.terraform.io/cli/import
+
+```shell
+terraform import nsxt_policy_intrusion_service_policy_rule.detect_rule RULE_PATH
+```
+
+Example: `/infra/domains/default/intrusion-service-policies/ids-policy/rules/detect-rule`.