# vDefend Form-Driven Blueprint (VCF Automation 9)

This package contains:

- `blueprints/vdefend-form-driven.yaml` — Cloud Template that calls Terraform to create vDefend groups/services/rules.
- `blueprints/forms/vdefend-form.json` — Custom Form draft that pulls vCenter VMs via ABX and parses CSV ports.
- ABX actions:
  - `list_vcenter_vms` — exposes vCenter inventory for the form.
  - `apply_nsx_tags_for_tiers` — tags selected VMs with `tier` and `env`.
  - `send_email` — generic SMTP mailer.

## Wiring overview

1) **Create ABX actions** (Python 3):
   - `list_vcenter_vms`: set constants `VCENTER_SERVER`, `VCENTER_USERNAME`, `VCENTER_PASSWORD`.
   - `apply_nsx_tags_for_tiers`: none (reads blueprint inputs).
   - `send_email`: set constants `SMTP_HOST` (and optionally user/pass).
2) **Import the Terraform module** (re-use the `vdefend_baseline_module` from the previous kit, or point the blueprint to your Git path).
3) **Create the Cloud Template** from `vdefend-form-driven.yaml`. Map `nsx_*` inputs to **Project Secrets**.
4) **Attach Custom Form**:
   - Import `vdefend-form.json` into the Form Designer for this template.
   - Change the data source `actionId` on `vm_web`, `vm_app`, `vm_db` to the actual ABX ID of `list_vcenter_vms`.
5) **Event Subscriptions**:
   - Create a subscription: **Event = Deployment Completed**, **Filter by blueprint name = vdefend-form-driven**.
   - Add two actions in order:
     1. `apply_nsx_tags_for_tiers` — Map inputs from the deployment inputs (`vm_web`, `vm_app`, `vm_db`, `env_value`, `nsx_manager_url`, `nsx_username`, `nsx_password`).
     2. `send_email` — Build `body` and `to_email` using deployment inputs/outputs:
        - `to_email = requester_email`
        - `subject = "vDefend policy created: " + app_name`
        - `body` example:

          ```
          Application: ${app_name}
          Environment: ${env_value}
          NSX Section: ${outputs.sectionPath}
          Groups:
            Web: ${outputs.groups.web}
            App: ${outputs.groups.app}
            DB : ${outputs.groups.db}
          Ports:
            Web->App: ${inputs.ports_web_to_app}
            App->DB : ${inputs.ports_app_to_db}
          ```

## Notes

- The policy is tag-driven. After deployment, the ABX action tags your selected VMs: `{tier:web|app|db}` and `{env:}`. The groups in NSX will immediately include them.
- To extend rules, add more arrays (e.g., `ports_web_to_db`) and mirror them in the Terraform module.
- For strict change control, protect the section with a **lock** or maintain it via GitOps only.
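
The form's CSV port fields (`ports_web_to_app`, `ports_app_to_db`) are free text that ends up in firewall rules, so they are worth validating strictly before Terraform sees them. The following is an added example, not code from this package: the function names, the `low-high` range syntax and the `MAX_ENTRIES` cap are assumptions.

```python
# Added example, not part of the package: strict validation of the form's
# CSV port fields before the values reach Terraform.
# Assumptions: entries are single ports or "low-high" ranges; MAX_ENTRIES is
# a constructed cap; function names are hypothetical.
import re

_ENTRY = re.compile(r"([0-9]{1,5})(?:-([0-9]{1,5}))?")
MAX_ENTRIES = 15
PORT_FIELDS = ("ports_web_to_app", "ports_app_to_db")  # input names from the README


def parse_csv_ports(raw, max_entries=MAX_ENTRIES):
    """Return sorted, de-duplicated port strings; raise ValueError on bad input."""
    if not isinstance(raw, str) or not raw.strip():
        raise ValueError("port list is empty")
    seen = {}
    for item in raw.split(","):
        entry = item.strip()
        match = _ENTRY.fullmatch(entry)
        if match is None:
            raise ValueError(f"not a port or range: {entry!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"out of bounds or reversed range: {entry!r}")
        # Normalise "0443" and "443-443" to "443" so duplicates collapse.
        seen[(low, high)] = str(low) if low == high else f"{low}-{high}"
    if len(seen) > max_entries:
        raise ValueError(f"more than {max_entries} entries")
    return [seen[key] for key in sorted(seen)]


def validate_port_inputs(inputs):
    """Parse every port field in a deployment-inputs dict; fail on the first bad one."""
    cleaned = {}
    for field in PORT_FIELDS:
        try:
            cleaned[field] = parse_csv_ports(inputs.get(field, ""))
        except ValueError as exc:
            raise ValueError(f"{field}: {exc}") from None
    return cleaned


if __name__ == "__main__":
    sample = {"ports_web_to_app": " 443, 8443,8000-8010 ,443",  # constructed input
              "ports_app_to_db": "5432"}
    print(validate_port_inputs(sample))
```

Rejecting the whole request on the first bad entry, rather than silently dropping it, keeps the created rules identical to what the requester sees in the confirmation e-mail.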