In this post, I develop a very simple Python script that creates an NSX security group whose membership is based on a security tag. Please note that this script only shows the basics and is not ready for a production environment.
Two Python functions are included in this script:
- create_tag creates an NSX security tag;
- create_sg creates a security group and defines a criterion that adds all virtual machines tagged with the specified security tag to the newly created security group.
```python
import getpass
from base64 import b64encode

import requests

# Prompt for the NSX Manager credentials and the names of the objects to create.
username = input('Enter Your NSXManager Username: ')
yourpass = getpass.getpass('Enter Your NSXManager Password: ')
sg_name = input('Enter Security Group Name: ')
vm_tag = input('Enter Tag Name: ')

# Build the HTTP Basic authentication header.
userandpass = username + ":" + yourpass
userpass = b64encode(userandpass.encode("utf-8")).decode("ascii")
auth = "Basic " + userpass

# XML body for the security tag. vm_tag is inserted exactly as typed (no XML escaping).
payload_tag = (
    "<securityTag>\r\n"
    "<objectTypeName>SecurityTag</objectTypeName>\r\n"
    "<type>\r\n"
    "<typeName>SecurityTag</typeName>\r\n"
    "</type>\r\n"
    "<name>" + vm_tag + "</name>\r\n"
    "<isUniversal>false</isUniversal>\r\n"
    "<description>This tag is created by API</description>\r\n"
    "<extendedAttributes></extendedAttributes>\r\n"
    "</securityTag>"
)

# XML body for the security group. The dynamic criterion matches every VM whose
# security tag contains vm_tag. sg_name and vm_tag are inserted exactly as typed.
payload_sg = (
    "<securitygroup>\r\n"
    " <objectId></objectId>\r\n"
    " <objectTypeName>SecurityGroup</objectTypeName>\r\n"
    " <type>\r\n"
    " <typeName>SecurityGroup</typeName>\r\n"
    " </type>\r\n"
    " <description></description>\r\n"
    " <name>" + sg_name + "</name>\r\n"
    " <revision>0</revision>\r\n"
    "<dynamicMemberDefinition>\r\n"
    " <dynamicSet>\r\n"
    " <operator>OR</operator>\r\n"
    " <dynamicCriteria>\r\n"
    " <operator>OR</operator>\r\n"
    " <key>VM.SECURITY_TAG</key>\r\n"
    " <criteria>contains</criteria>\r\n"
    " <value>" + vm_tag + "</value>\r\n"
    " </dynamicCriteria>\r\n"
    " </dynamicSet>\r\n"
    "</dynamicMemberDefinition>\r\n"
    "</securitygroup>"
)


def create_tag():
    """Create the NSX security tag and print the ID returned by NSX Manager."""
    try:
        response = requests.post(
            url="https://NSX-Manager-IP/api/2.0/services/securitytags/tag",
            # verify=False disables TLS certificate validation, so the Basic
            # credentials go to a server that has not been authenticated. Outside
            # a lab, set verify to the path of the NSX Manager CA certificate.
            verify=False,
            headers={
                "Authorization": auth,
                "Content-Type": "application/xml",
            },
            data=payload_tag,
        )
        print('Response HTTP Status Code: {status_code}'.format(status_code=response.status_code))
        if response.status_code == 403:
            print("***********************************************************************")
            print("WARNING: your username or password is wrong, please retry again!")
            print("***********************************************************************")
        if response.status_code == 201:
            print("***********************************************************************")
            print('Response HTTP Response Body: {content}'.format(content=response.text))
            api_response = response.text
            print(api_response)
    except requests.exceptions.RequestException:
        print('HTTP Request failed')


def create_sg():
    """Create the security group with its tag-based dynamic membership criterion."""
    try:
        response = requests.post(
            url="https://NSX-Manager-IP/api/2.0/services/securitygroup/bulk/globalroot-0",
            verify=False,  # same caveat as in create_tag()
            headers={
                "Authorization": auth,
                "Content-Type": "application/xml",
            },
            data=payload_sg,
        )
        print('Response HTTP Status Code: {status_code}'.format(status_code=response.status_code))
        if response.status_code == 403:
            print("***********************************************************************")
            print("WARNING: your username or password is wrong, please retry again!")
            print("***********************************************************************")
        if response.status_code == 201:
            print("***********************************************************************")
            print('Response HTTP Response Body: {content}'.format(content=response.text))
            api_response = response.text
            print(api_response)
    except requests.exceptions.RequestException:
        print('HTTP Request failed')


# Create the tag first, then the security group that references it.
create_tag()
create_sg()
```
Run this script in our O-Dev:
```
[root]$ python create_sg_dynamic_member_20170429.py
Enter Your NSXManager UserName: admin
Enter Your NSXManager Passowrd:
Enter Security Group Name: sg_app1_web
Enter Tag Name: tag_app1_web
Response HTTP Status Code: 201
***********************************************************************
Response HTTP Response Body: securitytag-14
securitytag-14
Response HTTP Status Code: 201
***********************************************************************
Response HTTP Response Body: securitygroup-485
securitygroup-485
```
In NSX Manager, we can see that the security group sg_app1_web has been created, as shown below:
And its dynamic membership criterion is:
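A note on the payloads in the script above: both XML bodies are built by concatenating the prompt input into a string, so a name containing `&` or `<` yields a malformed or altered request. The following is an added example, not part of the original script, that builds the same two payloads with the standard library's `xml.etree.ElementTree` so names are always escaped as text. The helper names and the `NAME_RE` allow-list are assumptions of this example, not NSX requirements.

```python
import re
import xml.etree.ElementTree as ET

# Assumed naming policy for this example only: letters, digits, "_", "-", ".".
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def _child(parent, tag, text=None):
    """Append <tag>text</tag> to parent and return the new element."""
    el = ET.SubElement(parent, tag)
    el.text = text
    return el

def check_name(name):
    """Reject names outside the allow-list before they reach the API."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("unexpected characters in name: %r" % name)
    return name

def build_tag_payload(vm_tag):
    root = ET.Element("securityTag")
    _child(root, "objectTypeName", "SecurityTag")
    _child(_child(root, "type"), "typeName", "SecurityTag")
    _child(root, "name", vm_tag)  # escaped by ElementTree on serialization
    _child(root, "isUniversal", "false")
    _child(root, "description", "This tag is created by API")
    _child(root, "extendedAttributes")
    return ET.tostring(root, encoding="unicode", short_empty_elements=False)

def build_sg_payload(sg_name, vm_tag):
    root = ET.Element("securitygroup")
    _child(root, "objectId")
    _child(root, "objectTypeName", "SecurityGroup")
    _child(_child(root, "type"), "typeName", "SecurityGroup")
    _child(root, "description")
    _child(root, "name", sg_name)
    _child(root, "revision", "0")
    dyn_set = _child(_child(root, "dynamicMemberDefinition"), "dynamicSet")
    _child(dyn_set, "operator", "OR")
    crit = _child(dyn_set, "dynamicCriteria")
    _child(crit, "operator", "OR")
    _child(crit, "key", "VM.SECURITY_TAG")
    _child(crit, "criteria", "contains")
    _child(crit, "value", vm_tag)  # stays a single text node whatever it contains
    return ET.tostring(root, encoding="unicode", short_empty_elements=False)

if __name__ == "__main__":
    # Constructed sample names, taken from the run shown above.
    print(build_sg_payload(check_name("sg_app1_web"), check_name("tag_app1_web")))
```

The returned strings can be passed as `data=` in place of `payload_tag` and `payload_sg`.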