From 7898937cfae109b20df6bf036ad110806c6874aa Mon Sep 17 00:00:00 2001
From: Salvatore Orlando <sorlando@vmware.com>
Date: Mon, 26 Apr 2021 08:51:30 -0700
Subject: [PATCH] [MP2P] Amend default security group post migration

Ensure the expression captures both migrated ports and newly
created ports.

Change-Id: I0664d7aee37430f4d1c31aac408b2528430e6ab7
---
 .../plugins/nsxv3/resources/migration.py      | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/vmware_nsx/shell/admin/plugins/nsxv3/resources/migration.py b/vmware_nsx/shell/admin/plugins/nsxv3/resources/migration.py
index dc52d778f0..49992dda81 100644
--- a/vmware_nsx/shell/admin/plugins/nsxv3/resources/migration.py
+++ b/vmware_nsx/shell/admin/plugins/nsxv3/resources/migration.py
@@ -49,6 +49,7 @@ from vmware_nsxlib.v3 import nsx_constants
 from vmware_nsxlib.v3.policy import constants as policy_constants
 from vmware_nsxlib.v3.policy import core_resources as policy_resources
 from vmware_nsxlib.v3.policy import utils as policy_utils
+from vmware_nsxlib.v3 import security
 
 LOG = logging.getLogger(__name__)
 
@@ -1394,6 +1395,27 @@ def post_migration_actions(nsxlib, nsxpolicy, nsxpolicy_admin, plugin):
     LOG.info("Starting post-migration actions")
     ctx = context.get_admin_context()
 
+    # -- Amend default security group criteria
+    mp_scope_and_tag = "%s|%s" % (security.PORT_SG_SCOPE,
+                                  v3_plugin.NSX_V3_DEFAULT_SECTION)
+    p_scope_and_tag = "%s|" % (p_plugin.NSX_P_PORT_RESOURCE_TYPE)
+    mp_condition = nsxpolicy.group.build_condition(
+        cond_val=mp_scope_and_tag,
+        cond_key=policy_constants.CONDITION_KEY_TAG,
+        cond_member_type=policy_constants.CONDITION_MEMBER_PORT)
+    p_condition = nsxpolicy.group.build_condition(
+        cond_val=p_scope_and_tag,
+        cond_key=policy_constants.CONDITION_KEY_TAG,
+        cond_member_type=policy_constants.CONDITION_MEMBER_PORT)
+    final_conditions = nsxpolicy.group.build_union_condition(
+        conditions=[mp_condition, p_condition])
+
+    nsxpolicy.group.update_with_conditions(
+        p_plugin.NSX_P_GLOBAL_DOMAIN_ID,
+        p_plugin.NSX_P_DEFAULT_GROUP,
+        conditions=final_conditions)
+    LOG.info("Match criteria for default SG group updated")
+
     # -- Update Lb tags on loadbalancer service
     pol_lb_services = nsxpolicy.load_balancer.lb_service.list()
     for lb_srv in pol_lb_services: