netascode · camrossi · Aug 14, 2025 · Aug 19, 2025 · Aug 19, 2025
diff --git a/aci_tenants.tf b/aci_tenants.tf
@@ -694,6 +694,11 @@ locals {
             value       = sel.value
             description = try(sel.description, "")
           }]
+          ip_external_subnet_selectors = [for sel in try(esg.ip_external_subnet_selectors, []) : {
+            ip       = sel.ip
+            description = try(sel.description, "")
+            shared      = try(sel.shared, "false")
+          }]
         }
       ]
     ]
@@ -703,23 +708,24 @@ locals {
 module "aci_endpoint_security_group" {
   source = "./modules/terraform-aci-endpoint-security-group"
 
-  for_each                    = { for esg in local.endpoint_security_groups : esg.key => esg if local.modules.aci_endpoint_security_group && var.manage_tenants }
-  tenant                      = each.value.tenant
-  application_profile         = each.value.application_profile
-  name                        = each.value.name
-  description                 = each.value.description
-  vrf                         = each.value.vrf
-  shutdown                    = each.value.shutdown
-  intra_esg_isolation         = each.value.intra_esg_isolation
-  preferred_group             = each.value.preferred_group
-  contract_consumers          = each.value.contract_consumers
-  contract_providers          = each.value.contract_providers
-  contract_imported_consumers = each.value.contract_imported_consumers
-  contract_intra_esgs         = each.value.contract_intra_esgs
-  esg_contract_masters        = each.value.esg_contract_masters
-  tag_selectors               = each.value.tag_selectors
-  epg_selectors               = each.value.epg_selectors
-  ip_subnet_selectors         = each.value.ip_subnet_selectors
+  for_each                     = { for esg in local.endpoint_security_groups : esg.key => esg if local.modules.aci_endpoint_security_group && var.manage_tenants }
+  tenant                       = each.value.tenant
+  application_profile          = each.value.application_profile
+  name                         = each.value.name
+  description                  = each.value.description
+  vrf                          = each.value.vrf
+  shutdown                     = each.value.shutdown
+  intra_esg_isolation          = each.value.intra_esg_isolation
+  preferred_group              = each.value.preferred_group
+  contract_consumers           = each.value.contract_consumers
+  contract_providers           = each.value.contract_providers
+  contract_imported_consumers  = each.value.contract_imported_consumers
+  contract_intra_esgs          = each.value.contract_intra_esgs
+  esg_contract_masters         = each.value.esg_contract_masters
+  tag_selectors                = each.value.tag_selectors
+  epg_selectors                = each.value.epg_selectors
+  ip_subnet_selectors          = each.value.ip_subnet_selectors
+  ip_external_subnet_selectors = each.value.ip_external_subnet_selectors
 
   depends_on = [
     module.aci_tenant,
@@ -2510,6 +2516,9 @@ locals {
         external_endpoint_group        = try(policy.external_endpoint_group.name, null) != null ? "${policy.external_endpoint_group.name}${local.defaults.apic.tenants.l3outs.external_endpoint_groups.name_suffix}" : ""
         external_endpoint_group_l3out  = try(policy.external_endpoint_group.l3out, null) != null ? "${policy.external_endpoint_group.l3out}${local.defaults.apic.tenants.l3outs.name_suffix}" : ""
         external_endpoint_group_tenant = try(policy.external_endpoint_group.tenant, tenant.name)
+        endpoint_security_group        = try(policy.endpoint_security_group.name, null) != null ? "${policy.endpoint_security_group.name}${local.defaults.apic.tenants.application_profiles.name_suffix}" : ""
+        endpoint_security_group_app    = try(policy.endpoint_security_group.app, null) != null ? "${policy.endpoint_security_group.app}${local.defaults.apic.tenants.application_profiles.endpoint_security_groups.name_suffix}" : ""
+        endpoint_security_group_tenant = try(policy.endpoint_security_group.tenant, tenant.name)
       }
     ]
   ])

diff --git a/modules/terraform-aci-endpoint-security-group/README.md b/modules/terraform-aci-endpoint-security-group/README.md
@@ -75,6 +75,22 @@ module "aci_endpoint_security_group" {
       description = "foo"
     }
   ]
+  ip_external_subnet_selectors = [
+    {
+      ip = "1.1.5.0/24"
+    },
+    {
+      ip = "1.1.6.0/24"
+    },
+    {
+      ip = "1.1.7.0/24"
+    },
+    {
+      ip       = "1.1.8.0/24"
+      description = "foo"
+      shared = true
+    }
+  ]
 }
 ```
 

diff --git a/modules/terraform-aci-endpoint-security-group/examples/complete/README.md b/modules/terraform-aci-endpoint-security-group/examples/complete/README.md
@@ -78,6 +78,22 @@ module "aci_endpoint_security_group" {
       description = "foo"
     }
   ]
+ip_external_subnet_selectors = [
+    {
+      value = "1.1.5.0/24"
+    },
+    {
+      value = "1.1.6.0/24"
+    },
+    {
+      value = "1.1.7.0/24"
+    },
+    {
+      value       = "1.1.8.0/24"
+      description = "foo"
+      shared = true
+    }
+  ]
 }
 ```
 <!-- END_TF_DOCS -->
diff --git a/modules/terraform-aci-endpoint-security-group/examples/complete/main.tf b/modules/terraform-aci-endpoint-security-group/examples/complete/main.tf
@@ -64,4 +64,20 @@ module "aci_endpoint_security_group" {
       description = "foo"
     }
   ]
+  ip_external_subnet_selectors = [
+    {
+      ip = "1.1.1.0/24"
+    },
+    {
+      ip = "1.1.2.0/24"
+    },
+    {
+      ip = "1.1.3.0/24"
+    },
+    {
+      ip       = "1.1.4.0/24"
+      description = "foo"
+      shared      = true
+    }
+  ]
 }
diff --git a/modules/terraform-aci-endpoint-security-group/main.tf b/modules/terraform-aci-endpoint-security-group/main.tf
@@ -127,3 +127,17 @@ resource "aci_rest_managed" "fvEPSelector" {
     aci_rest_managed.fvRsScope,
   ]
 }
+
+resource "aci_rest_managed" "fvExternalSubnetSelector" {
+  for_each   = { for ess in var.ip_external_subnet_selectors : "${ess.ip}" => ess }
+  dn         = "${aci_rest_managed.fvESg.dn}/extsubselector-[${each.key}]"
+  class_name = "fvExternalSubnetSelector"
+  content = {
+    descr           = each.value.description
+    shared          = each.value.shared == true ? "yes" : "no"
+  }
+
+  depends_on = [
+    aci_rest_managed.fvRsScope,
+  ]
+}
diff --git a/modules/terraform-aci-endpoint-security-group/variables.tf b/modules/terraform-aci-endpoint-security-group/variables.tf
@@ -250,3 +250,27 @@ variable "ip_subnet_selectors" {
     error_message = "`description`: Allowed characters: `a`-`z`, `A`-`Z`, `0`-`9`, `\\`, `!`, `#`, `$`, `%`, `(`, `)`, `*`, `,`, `-`, `.`, `/`, `:`, `;`, `@`, ` `, `_`, `{`, `|`, }`, `~`, `?`, `&`, `+`. Maximum characters: 128."
   }
 }
+
+variable "ip_external_subnet_selectors" {
+  description = "List of IP subnet selectors."
+  type = list(object({
+    ip       = string
+    description = optional(string, "")
+    shared      = optional(bool, false)
+  }))
+  default = []
+
+  validation {
+    condition = alltrue([
+      for ess in var.ip_external_subnet_selectors : can(regex("^([0-9]{1,3}\\.){3}[0-9]{1,3}\\/([0-9]){1,2}$", ess.ip))
+    ])
+    error_message = "`ip`: Valid ip format example: 192.168.1.0/24."
+  }
+
+  validation {
+    condition = alltrue([
+      for ess in var.ip_external_subnet_selectors : ess.description == null || can(regex("^[a-zA-Z0-9\\\\!#$%()*,-./:;@ _{|}~?&+]{0,128}$", ess.description))
+    ])
+    error_message = "`description`: Allowed characters: `a`-`z`, `A`-`Z`, `0`-`9`, `\\`, `!`, `#`, `$`, `%`, `(`, `)`, `*`, `,`, `-`, `.`, `/`, `:`, `;`, `@`, ` `, `_`, `{`, `|`, }`, `~`, `?`, `&`, `+`. Maximum characters: 128."
+  }
+}