Terraform Support For NSX-T Policy API

Posted by

The next release of Terraform’s NSX-T provider will add support for the NSX-T policy API. I know many people (including myself) have been waiting for this so it’s kind of a big thing within that space.

While the new NSX-T provider is not released yet (it’s still being tested), the source code is available on GitHub and can be compiled by anybody that wants to play around with the new functionality.

In today’s article I’ll do a quick demonstration of how to build a piece of NSX-T infrastructure using the new Terraform NSX-T provider leveraging the policy API.


The diagram below shows the NSX-T infrastructure we’re going to deploy:

To keep things simple we will focus on building the NSX-T infrastructure for the tenant: A Tier-1 gateway and three connected segments.
The “Provider” infrastructure is already in place. Let’s get started!

Terraform files

The following files are used for this deployment:

\❯ tree 
├── main.tf 
├── terraform.tfvars
├── variables.tf

I’ve uploaded them to GitHub in case you want to have a look.

  • main.tf – contains the instructions that will build the NSX-T infrastructure
  • terraform.tfvars – contains the values for variables used
  • variables.tf – contains the variable definitions

Let’s have a quick look at some of the content in main.tf.

The Tier-1 gateway resource is defined like this:

# Create Tier-1 Gateway
resource "nsxt_policy_tier1_gateway" "tier1-01" {
  description     = "Tier-1 gateway created by Terraform"
  display_name    = "tf-tier-1"
  edge_cluster_path = data.nsxt_policy_edge_cluster.edge_cluster-01.path
  tier0_path      = data.nsxt_policy_tier0_gateway.tier0_gateway.path
  enable_standby_relocation = "false"
  enable_firewall = false
  failover_mode   = "NON_PREEMPTIVE"
  route_advertisement_types = [

As you can see we define the resource as “nsxt_policy_tier1_gateway”. This instructs Terraform’s NSX-T provider that the object is to be created/managed using the NSX-T policy API.

The same goes for segments which are defined as “nsxt_policy_segment”:

# Create segment web
resource "nsxt_policy_segment" "segment1" {
  description       = "Web segment"
  display_name      = "tf-web"
  transport_zone_path = data.nsxt_policy_transport_zone.overlay_tz.path
  connectivity_path = nsxt_policy_tier1_gateway.tier1-01.path
  subnet {
    cidr    = ""
  tag {
    scope = var.nsx_tag_scope
    tag   = var.nsx_tag
  tag {
    scope = "tier"
    tag   = "web"

Terraform plan

Time to run a “terraform plan” which does a sanity check of our code and generates an execution plan:

terraform plan

According to the execution plan four new objects will be added which seems to be correct (one Tier-1 and three segments).

Terraform apply

With an execution plan in place we can continue with applying it. This effectively creates the NSX-T infrastructure as defined in main.tf:

terraform apply

No issues here. Terraform tells us that the 4 resources have been added.


See is believe so let’s have a look in NSX Manager’s simplified UI:

The Tier-1 gateway is indeed there. Connected to the Tier-0 and all.

And there are the three segments connected to the Tier-1 with subnets defined. It seems that Terraform was successful in deploying our small tenant infrastructure.


This looks promising. I’ve always liked Terraform and now that it (soon officially) supports the NSX-T policy API it might very well become my go-to tool for managing NSX-T infrastructure.

Thanks for reading.

One comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.