netascode · camrossi · Aug 15, 2025
diff --git a/aci_tenants.tf b/aci_tenants.tf
@@ -2510,6 +2510,9 @@ locals {
         external_endpoint_group        = try(policy.external_endpoint_group.name, null) != null ? "${policy.external_endpoint_group.name}${local.defaults.apic.tenants.l3outs.external_endpoint_groups.name_suffix}" : ""
         external_endpoint_group_l3out  = try(policy.external_endpoint_group.l3out, null) != null ? "${policy.external_endpoint_group.l3out}${local.defaults.apic.tenants.l3outs.name_suffix}" : ""
         external_endpoint_group_tenant = try(policy.external_endpoint_group.tenant, tenant.name)
+        endpoint_security_group        = try(policy.endpoint_security_group.name, null) != null ? "${policy.endpoint_security_group.name}${local.defaults.apic.tenants.application_profiles.name_suffix}" : ""
+        endpoint_security_group_app    = try(policy.endpoint_security_group.app, null) != null ? "${policy.endpoint_security_group.app}${local.defaults.apic.tenants.application_profiles.endpoint_security_groups.name_suffix}" : ""
+        endpoint_security_group_tenant = try(policy.endpoint_security_group.tenant, tenant.name)
       }
     ]
   ])
@@ -2542,6 +2545,9 @@ module "aci_set_rule" {
   external_endpoint_group        = each.value.external_endpoint_group
   external_endpoint_group_l3out  = each.value.external_endpoint_group_l3out
   external_endpoint_group_tenant = each.value.external_endpoint_group_tenant
+  endpoint_security_group        = each.value.endpoint_security_group
+  endpoint_security_group_app    = each.value.endpoint_security_group_app
+  endpoint_security_group_tenant = each.value.endpoint_security_group_tenant
 
   depends_on = [
     module.aci_tenant,

diff --git a/modules/terraform-aci-set-rule/main.tf b/modules/terraform-aci-set-rule/main.tf
@@ -161,7 +161,7 @@ resource "aci_rest_managed" "rtctrlSetRedistMultipath" {
 }
 
 resource "aci_rest_managed" "rtctrlSetPolicyTag" {
-  count      = var.external_endpoint_group != "" && var.external_endpoint_group_l3out != "" ? 1 : 0
+  count      = var.external_endpoint_group != "" && var.external_endpoint_group_l3out != "" || var.endpoint_security_group != "" && var.endpoint_security_group_app != "" ? 1 : 0
   dn         = "${aci_rest_managed.rtctrlAttrP.dn}/sptag"
   class_name = "rtctrlSetPolicyTag"
   content = {
@@ -177,3 +177,12 @@ resource "aci_rest_managed" "rtctrlRsSetPolicyTagToInstP" {
     "tDn" = "uni/tn-${try(var.external_endpoint_group_tenant, var.tenant)}/out-${var.external_endpoint_group_l3out}/instP-${var.external_endpoint_group}"
   }
 }
+
+resource "aci_rest_managed" "rtctrlRsSetPolicyTagToESg" {
+  count      = var.endpoint_security_group != "" && var.endpoint_security_group_app != "" ? 1 : 0
+  dn         = "${aci_rest_managed.rtctrlSetPolicyTag[0].dn}/rssetPolicyTagToESg"
+  class_name = "rtctrlRsSetPolicyTagToESg"
+  content = {
+    "tDn" = "uni/tn-${try(var.endpoint_security_group_tenant, var.tenant)}/ap-${var.endpoint_security_group_app}/esg-${var.endpoint_security_group}"
+  }
+}
diff --git a/modules/terraform-aci-set-rule/variables.tf b/modules/terraform-aci-set-rule/variables.tf
@@ -252,3 +252,41 @@ variable "external_endpoint_group_tenant" {
     error_message = "Allowed characters: `a`-`z`, `A`-`Z`, `0`-`9`, `_`, `.`, `:`, `-`. Maximum characters: 64."
   }
 }
+
+// ESG Support
+variable "endpoint_security_group" {
+  description = "Endpoint Security group name."
+  type        = string
+  default     = ""
+
+  validation {
+    condition     = can(regex("^[a-zA-Z0-9_.:-]{0,64}$", var.endpoint_security_group))
+    error_message = "Allowed characters: `a`-`z`, `A`-`Z`, `0`-`9`, `_`, `.`, `:`, `-`. Maximum characters: 64."
+  }
+  validation {
+    condition     = !(var.external_endpoint_group != "" && var.endpoint_security_group != "")
+    error_message = "Cannot specify both external_endpoint_group and endpoint_security_group. Only one can be configured."
+  }
+}
+
+variable "endpoint_security_group_app" {
+  description = "Endpoint security group app name."
+  type        = string
+  default     = ""
+
+  validation {
+    condition     = can(regex("^[a-zA-Z0-9_.:-]{0,64}$", var.endpoint_security_group_app))
+    error_message = "Allowed characters: `a`-`z`, `A`-`Z`, `0`-`9`, `_`, `.`, `:`, `-`. Maximum characters: 64."
+  }
+}
+
+variable "endpoint_security_group_tenant" {
+  description = "Endpoint security group tenant name."
+  type        = string
+  default     = ""
+
+  validation {
+    condition     = can(regex("^[a-zA-Z0-9_.:-]{0,64}$", var.endpoint_security_group_tenant))
+    error_message = "Allowed characters: `a`-`z`, `A`-`Z`, `0`-`9`, `_`, `.`, `:`, `-`. Maximum characters: 64."
+  }
+}