
@Zsoldier
Last active July 9, 2021 18:57
Example of how to change segment discovery, QoS, and security profiles en masse.
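#Change Segment Profiles
# Connection settings and target profile names used by the rest of the script.

# Prompts for the NSX Manager account; the credential object is reused on every request.
$Credential = Get-Credential
# Leave TLS certificate validation on. With -Authentication Basic the username and
# password travel in a header on every request, so skipping validation lets anyone
# who can intercept the connection read them. Set to $true only for a lab manager
# with a self-signed certificate, and prefer trusting that certificate instead.
$skipcertcheck = $false
$AuthMethod = "Basic"
# Replace with the IP address or DNS name of the NSX Manager (straight quotes, not typographic ones).
$NSXMgr = "IPorDNSName"
$policyapi = "/policy/api/v1"
$base_url = ("https://" + $NSXMgr + $policyapi)

#Change these to the name of the various profiles you want to remap all your segments to.
$TargetIPDPName = "default-ip-discovery-profile"
$TargetMacDPName = "default-mac-discovery-profile"
$TargetQoSDPName = "" # This doesn't typically exist unless created so it is omitted from script.
# The next two names select SpoofGuard and segment security profiles; a wrong name
# here changes the protection applied to every segment the loop touches.
$TargetSGName = "default-spoofguard-profile"
$targetSecName = "default-segment-security-profile"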
# Fetch the segment list that the loop further down walks through.
$SegmentEndPoint = "/infra/segments"
$Segments = Invoke-RestMethod -Method GET -Uri "$base_url$SegmentEndPoint" -Credential $Credential -Authentication:$AuthMethod -SkipCertificateCheck:$skipcertcheck
# Look at this listing before modifying anything, to confirm that only the
# segments you intend to change were returned.
$Segments.results | Select-Object -Property id, display_name
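# Fetch the profiles of each family (IP discovery, MAC discovery, QoS, SpoofGuard,
# segment security) so the target names can be resolved to policy paths.
$IPDPs = Invoke-RestMethod -Uri ($base_url + "/infra/ip-discovery-profiles") -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod
$MacDPs = Invoke-RestMethod -Uri ($base_url + "/infra/mac-discovery-profiles") -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod
$QoSPs = Invoke-RestMethod -Uri ($base_url + "/infra/qos-profiles") -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod
$SGPs = Invoke-RestMethod -Uri ($base_url + "/infra/spoofguard-profiles") -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod
$SecPs = Invoke-RestMethod -Uri ($base_url + "/infra/segment-security-profiles") -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod

# Resolve each target name to its profile object; the .path of these objects is
# what gets written into the binding maps.
$TargetIPDP = $IPDPs.results | Where-Object { $_.display_name -eq $TargetIPDPName }
$TargetMacDP = $MacDPs.results | Where-Object { $_.display_name -eq $TargetMacDPName }
# QoS is optional: with an empty or unknown name this stays empty and QoS is skipped.
$TargetQoSP = $QoSPs.results | Where-Object { $_.display_name -eq $TargetQoSDPName }
$TargetSGP = $SGPs.results | Where-Object { $_.display_name -eq $TargetSGName }
$TargetSecP = $SecPs.results | Where-Object { $_.display_name -eq $targetSecName }

# Stop before anything is changed when a required name matched no profile or more
# than one. Otherwise the PATCH bodies would carry an empty path, or several paths
# joined into one string, for discovery, SpoofGuard or segment security settings.
$RequiredTargets = @(
    @{ Name = $TargetIPDPName;  Found = $TargetIPDP },
    @{ Name = $TargetMacDPName; Found = $TargetMacDP },
    @{ Name = $TargetSGName;    Found = $TargetSGP },
    @{ Name = $targetSecName;   Found = $TargetSecP }
)
Foreach ($Required in $RequiredTargets)
{
    $MatchCount = @($Required.Found | Where-Object { $null -ne $_ }).Count
    If ($MatchCount -ne 1)
    {
        Throw ("Expected exactly one profile named '" + $Required.Name + "' but found " + $MatchCount + "; no segment was changed.")
    }
}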
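# Re-point the discovery, QoS and security profile bindings of each selected segment.
# The -match filter limits the run to segments whose display name contains
# "HCX-Uplink"; remove the Where-Object stage to work against everything in
# $Segments.results.
# NOTE(review): every PATCH below changes live segment settings (IP/MAC discovery,
# SpoofGuard, segment security). Check the selected segments and the resolved
# target profiles before running this loop.

# Arguments shared by every request in the loop.
$RestArgs = @{
    Credential           = $Credential
    SkipCertificateCheck = $skipcertcheck
    Authentication       = $AuthMethod
}

Foreach ($Segment in ($Segments.results | Where-Object { $_.display_name -match "HCX-Uplink" }))
{
    $SegmentUrl = $base_url + $SegmentEndPoint + "/" + $Segment.id

    # --- Discovery profiles (IP and MAC) ---
    $endpoint = "/segment-discovery-profile-binding-maps"
    $Binding = Invoke-RestMethod -Uri ($SegmentUrl + $endpoint) -Method GET @RestArgs
    # ConvertTo-Json escapes the values, unlike a hand-concatenated JSON string.
    $Body = [ordered]@{
        resource_type              = "SegmentDiscoveryProfileBindingMap"
        mac_discovery_profile_path = $TargetMacDP.path
        ip_discovery_profile_path  = $TargetIPDP.path
    } | ConvertTo-Json -Compress
    If ($Binding.result_count -eq 0)
    {
        # No binding map yet: create one under a fresh GUID.
        $MapGuid = New-Guid
        Invoke-RestMethod -Uri ($SegmentUrl + $endpoint + "/" + $MapGuid.Guid) -Method PATCH -Body $Body -ContentType "application/json" @RestArgs
    }
    # ElseIf, as in the QoS and security sections: after a create, $Binding.results
    # is still empty, so a plain If would also send a PATCH to $base_url with no path.
    ElseIf ($Binding.results.ip_discovery_profile_path -ne $TargetIPDP.path -or $Binding.results.mac_discovery_profile_path -ne $TargetMacDP.path)
    {
        Invoke-RestMethod -Uri ($base_url + $Binding.results.path) -Method PATCH -Body $Body -ContentType "application/json" @RestArgs
    }

    # --- QoS profile: only when a target QoS profile was found ---
    $endpoint = "/segment-qos-profile-binding-maps"
    If ($null -ne $TargetQoSP)
    {
        $Binding = Invoke-RestMethod -Uri ($SegmentUrl + $endpoint) -Method GET @RestArgs
        $Body = [ordered]@{
            resource_type    = "SegmentQoSProfileBindingMap"
            qos_profile_path = $TargetQoSP.path
        } | ConvertTo-Json -Compress
        If ($Binding.result_count -eq 0)
        {
            $MapGuid = New-Guid
            Invoke-RestMethod -Uri ($SegmentUrl + $endpoint + "/" + $MapGuid.Guid) -Method PATCH -Body $Body -ContentType "application/json" @RestArgs
        }
        # Compare against $TargetQoSP; the original read the undefined $TargetQoS,
        # which made this branch run even when the binding already matched.
        ElseIf ($Binding.results.qos_profile_path -ne $TargetQoSP.path)
        {
            Invoke-RestMethod -Uri ($base_url + $Binding.results.path) -Method PATCH -Body $Body -ContentType "application/json" @RestArgs
        }
    }

    # --- Segment security and SpoofGuard profiles ---
    # Creates the binding map if the segment has none, otherwise updates it when
    # either path differs from the target.
    $endpoint = "/segment-security-profile-binding-maps"
    $Binding = Invoke-RestMethod -Uri ($SegmentUrl + $endpoint) -Method GET @RestArgs
    $Body = [ordered]@{
        resource_type                 = "SegmentSecurityProfileBindingMap"
        segment_security_profile_path = $TargetSecP.path
        spoofguard_profile_path       = $TargetSGP.path
    } | ConvertTo-Json -Compress
    If ($Binding.result_count -eq 0)
    {
        $MapGuid = New-Guid
        Invoke-RestMethod -Uri ($SegmentUrl + $endpoint + "/" + $MapGuid.Guid) -Method PATCH -Body $Body -ContentType "application/json" @RestArgs
    }
    ElseIf ($Binding.results.spoofguard_profile_path -ne $TargetSGP.path -or $Binding.results.segment_security_profile_path -ne $TargetSecP.path)
    {
        Invoke-RestMethod -Uri ($base_url + $Binding.results.path) -Method PATCH -Body $Body -ContentType "application/json" @RestArgs
    }
}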