Terraform-ing Aviatrix useg

In my previous blog, Micro-Segmentation Cloud Architecture with Aviatrix, we extracted the following information from the micro-segmentation allow logs:

  • 10.255.230.37 can be considered a client
  • 10.255.240.36 can be considered a server
  • 10.255.230.37 can be allocated to a segment (app domain 1)
  • 10.255.240.36 can be allocated to a different segment (app domain 2)
  • a policy allowing app domain 1 to talk to app domain 2 on port 80 would be required

In this blog I'm going to create the configuration that satisfies the requirements above, but instead of the CoPilot GUI I have been using so far, I'm going to use the following Terraform modules:

The app domain Terraform (domains.tf) will look like:

# domains.tf: one app domain per role, each selecting VMs by their Name tag.
resource "aviatrix_app_domain" "app_domain_web-client" {
  name = "web-client"
  selector {
    match_expressions {
      type = "vm"
      tags = {
        Name = "web-client"   # the client VM (10.255.230.37) carries this tag
      }
    }
  }
}

resource "aviatrix_app_domain" "app_domain_server" {
  name = "web-server"
  selector {
    match_expressions {
      type = "vm"
      tags = {
        Name = "web-server"   # the server VM (10.255.240.36) carries this tag
      }
    }
  }
}

And the policies with the micro-segmentation policy list resource:

Microseg Policy: https://registry.terraform.io/providers/AviatrixSystems/aviatrix/latest/docs/resources/aviatrix_microseg_policy_list

The file containing the policies (policies.tf) will look like:

# policies.tf: allow the client domain to reach the server domain on TCP/80.
# Source is the side that initiates the connection (the client), destination
# the side that listens (the server); the domain references must use the
# resource names declared in domains.tf and their uuid attribute.
resource "aviatrix_microseg_policy_list" "microseg_policy_list_web-client-web-server" {
  policies {
    name            = "web-client-web-server"
    action          = "PERMIT"
    src_app_domains = [aviatrix_app_domain.app_domain_web-client.uuid]
    dst_app_domains = [aviatrix_app_domain.app_domain_server.uuid]
    port_ranges {
      lo = 80
      hi = 0
    }
    priority = 1
    protocol = "TCP"
    logging  = true   # keep logging the matches so the rule can be verified
    watch    = false  # enforce rather than only observe
  }
}

The source and destination domain fields take the app domain UUID rather than its name, which is why the policy references the aviatrix_app_domain resources' uuid attribute. The examples above are simple, but the idea is to introduce the Terraform modules and show how to use them. More examples to come!
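Generalising the two files above, here is an added example (not from the original post) that drives both resources from one map of roles and one map of observed flows, so every new client/server/port triple taken from the allow logs becomes a single map entry instead of a hand-written resource pair. It assumes the provider schema shown above; the locals and the resource names by_role and flows are my own.

```hcl
locals {
  # One entry per role; the selector matches VMs by this Name tag.
  app_domains = {
    "web-client" = { tag_name = "web-client" }
    "web-server" = { tag_name = "web-server" }
  }
  # One entry per flow seen in the allow logs: source role, destination role, port.
  flows = {
    "web-client-web-server-80" = { src = "web-client", dst = "web-server", port = 80, priority = 1 }
  }
}

resource "aviatrix_app_domain" "by_role" {
  for_each = local.app_domains

  name = each.key
  selector {
    match_expressions {
      type = "vm"
      tags = {
        Name = each.value.tag_name
      }
    }
  }
}

resource "aviatrix_microseg_policy_list" "flows" {
  dynamic "policies" {
    for_each = local.flows
    content {
      name   = policies.key
      action = "PERMIT"
      # src/dst must be app domain UUIDs; look them up by role key.
      src_app_domains = [aviatrix_app_domain.by_role[policies.value.src].uuid]
      dst_app_domains = [aviatrix_app_domain.by_role[policies.value.dst].uuid]
      port_ranges {
        lo = policies.value.port
        hi = policies.value.port   # lo == hi expresses a single port
      }
      priority = policies.value.priority
      protocol = "TCP"
      logging  = true
      watch    = false
    }
  }
}
```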
