[Core-Library] Add ability to specify direction and ethetype for groups
Previously there was no way to specify in which direction a security rule should be applied; only ingress was supported. It was also impossible to create IPv6 rules. This patch adds the ability to specify direction and ethertype for Neutron security groups, and direction for AWS security groups. Change-Id: Iba5be7a8a94c34eab3e0e06f95e5358a84a5dd7b Closes-Bug: #1532317
This commit is contained in:
parent
eca6ab588e
commit
186612daf7
@ -27,6 +27,37 @@ Methods:
|
||||
ToPort: $.int().notNull()
|
||||
IpProtocol: $.string().notNull()
|
||||
External: $.bool().notNull()
|
||||
Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6'))
|
||||
- groupName:
|
||||
Contract: $.string().notNull()
|
||||
Default: $this.defaultGroupName
|
||||
Body:
|
||||
- $._addGroup(ingress, $rules, $groupName)
|
||||
|
||||
addGroupEgress:
|
||||
Arguments:
|
||||
- rules:
|
||||
Contract:
|
||||
- FromPort: $.int().notNull()
|
||||
ToPort: $.int().notNull()
|
||||
IpProtocol: $.string().notNull()
|
||||
External: $.bool().notNull()
|
||||
Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6'))
|
||||
- groupName:
|
||||
Contract: $.string().notNull()
|
||||
Default: $this.defaultGroupName
|
||||
Body:
|
||||
- $._addGroup(egress, $rules, $groupName)
|
||||
|
||||
_addGroup:
|
||||
Arguments:
|
||||
- rules:
|
||||
Contract:
|
||||
- FromPort: $.int().notNull()
|
||||
ToPort: $.int().notNull()
|
||||
IpProtocol: $.string().notNull()
|
||||
External: $.bool().notNull()
|
||||
Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6'))
|
||||
- groupName:
|
||||
Contract: $.string().notNull()
|
||||
Default: $this.defaultGroupName
|
||||
@ -39,6 +70,15 @@ Methods:
|
||||
ext_key: remote_mode
|
||||
ext_val: remote_group_id
|
||||
|
||||
- $ethertype: $rules.where($.get(Ethertype) = IPv6)
|
||||
- If: len($ethertype) > 0
|
||||
Then:
|
||||
- $msg: 'Unable to add security group. IPv6 is not supported.'
|
||||
- $._environment.reporter.report_error($this, $msg)
|
||||
- Throw: UnsupportedPropertyValue
|
||||
Message: $msg
|
||||
- $groupDirection: dict(egress => SecurityGroupEgress).get($direction, SecurityGroupIngress)
|
||||
|
||||
- $stack: $.environment.stack
|
||||
- $template:
|
||||
resources:
|
||||
@ -46,14 +86,14 @@ Methods:
|
||||
type: 'AWS::EC2::SecurityGroup'
|
||||
properties:
|
||||
GroupDescription: format('Composite security group of Murano environment {0}', $.environment.name)
|
||||
SecurityGroupIngress:
|
||||
$groupDirection:
|
||||
- FromPort: '-1'
|
||||
ToPort: '-1'
|
||||
IpProtocol: icmp
|
||||
CidrIp: '0.0.0.0/0'
|
||||
- $.environment.stack.updateTemplate($template)
|
||||
|
||||
- $ingress: $rules.select(dict(
|
||||
- $rulesList: $rules.select(dict(
|
||||
FromPort => str($.FromPort),
|
||||
ToPort => str($.ToPort),
|
||||
IpProtocol => $.IpProtocol,
|
||||
@ -65,5 +105,5 @@ Methods:
|
||||
$groupName:
|
||||
type: 'AWS::EC2::SecurityGroup'
|
||||
properties:
|
||||
SecurityGroupIngress: $ingress
|
||||
$groupDirection: $rulesList
|
||||
- $.environment.stack.updateTemplate($template)
|
||||
|
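Review bot: The direction mapping `$groupDirection: dict(egress => SecurityGroupEgress).get($direction, SecurityGroupIngress)` fails open: any `$direction` other than the exact string `egress` silently produces ingress rules, so a caller typo or a future third direction value would widen inbound access instead of being rejected. The Neutron counterpart constrains its `direction` argument with `$.string().notNull().check($ in list(ingress, egress))`, while the AWS `_addGroup` arguments visible in the first hunk show only `rules` and `groupName`; if the same contract is not among the lines between the first two hunks, add it here, and prefer an explicit two-key mapping `dict(ingress => SecurityGroupIngress, egress => SecurityGroupEgress).get($direction)` so an unexpected value surfaces as an error rather than defaulting to ingress. Each call also rewrites the composite environment group with only `$groupDirection` set, and whether `updateTemplate` merges or replaces the other direction's ICMP rule is not visible from this hunk, so it is worth confirming. The `_addGroup` body begins and ends outside these hunks.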
@ -27,9 +27,41 @@ Methods:
|
||||
ToPort: $.int().notNull()
|
||||
IpProtocol: $.string().notNull()
|
||||
External: $.bool().notNull()
|
||||
Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6'))
|
||||
- groupName:
|
||||
Contract: $.string().notNull()
|
||||
Default: $this.defaultGroupName
|
||||
Body:
|
||||
- $._addGroup(ingress, $rules, $groupName)
|
||||
|
||||
addGroupEgress:
|
||||
Arguments:
|
||||
- rules:
|
||||
Contract:
|
||||
- FromPort: $.int().notNull()
|
||||
ToPort: $.int().notNull()
|
||||
IpProtocol: $.string().notNull()
|
||||
External: $.bool().notNull()
|
||||
Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6'))
|
||||
- groupName:
|
||||
Contract: $.string().notNull()
|
||||
Default: $this.defaultGroupName
|
||||
Body:
|
||||
- $._addGroup(egress, $rules, $groupName)
|
||||
|
||||
_addGroup:
|
||||
Arguments:
|
||||
- direction:
|
||||
Contract: $.string().notNull().check($ in list(ingress, egress))
|
||||
- rules:
|
||||
Contract:
|
||||
- FromPort: $.int().notNull()
|
||||
ToPort: $.int().notNull()
|
||||
IpProtocol: $.string().notNull()
|
||||
External: $.bool().notNull()
|
||||
Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6'))
|
||||
- groupName:
|
||||
Contract: $.string().notNull()
|
||||
Body:
|
||||
- $ext_keys:
|
||||
true:
|
||||
@ -53,11 +85,13 @@ Methods:
|
||||
remote_ip_prefix: '0.0.0.0/0'
|
||||
- $.environment.stack.updateTemplate($template)
|
||||
|
||||
- $ingress: $rules.select(dict(
|
||||
- $rulesList: $rules.select(dict(
|
||||
port_range_min => $.FromPort,
|
||||
port_range_max => $.ToPort,
|
||||
protocol => $.IpProtocol,
|
||||
$ext_keys.get($.External).ext_key => $ext_keys.get($.External).ext_val
|
||||
ethertype => $.get(Ethertype, IPv4),
|
||||
$ext_keys.get($.External).ext_key => $ext_keys.get($.External).ext_val,
|
||||
direction => $direction
|
||||
))
|
||||
|
||||
- $template:
|
||||
@ -65,5 +99,5 @@ Methods:
|
||||
$groupName:
|
||||
type: 'OS::Neutron::SecurityGroup'
|
||||
properties:
|
||||
rules: $ingress
|
||||
rules: $rulesList
|
||||
- $.environment.stack.updateTemplate($template)
|
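Review bot: The new `ethertype => $.get(Ethertype, IPv4)` key makes rules IPv6-capable, but the context line `remote_ip_prefix: '0.0.0.0/0'` in this hunk, which appears to belong to the `External: true` branch of `$ext_keys` defined in the first hunk, still fixes the remote prefix to the IPv4 any-address; an IPv6 rule with `External: true` would therefore pair an IPv6 ethertype with an IPv4 CIDR, and Neutron checks that the prefix's IP version matches the ethertype, so I would expect such a rule to fail at stack update rather than be created. Make the external prefix follow the rule's ethertype, e.g. `remote_ip_prefix => switch($.get(Ethertype, IPv4) = IPv6 => '::/0', true => '0.0.0.0/0')` for external rules, instead of a single fixed value in `$ext_keys`. Note also that the Neutron `_addGroup` `groupName` argument has no `Default`, unlike the AWS implementation; harmless while both public methods pass it, but worth aligning. The `$ext_keys` definition and the `_addGroup` body continue outside the hunks shown.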
@ -33,6 +33,20 @@ Methods:
|
||||
ToPort: $.int().notNull()
|
||||
IpProtocol: $.string().notNull()
|
||||
External: $.bool().notNull()
|
||||
Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6'))
|
||||
- groupName:
|
||||
Contract: $.string().notNull()
|
||||
Default: $this.defaultGroupName
|
||||
|
||||
addGroupEgress:
|
||||
Arguments:
|
||||
- rules:
|
||||
Contract:
|
||||
- FromPort: $.int().notNull()
|
||||
ToPort: $.int().notNull()
|
||||
IpProtocol: $.string().notNull()
|
||||
External: $.bool().notNull()
|
||||
Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6'))
|
||||
- groupName:
|
||||
Contract: $.string().notNull()
|
||||
Default: $this.defaultGroupName
|
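Review bot: The base contract now advertises `Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6'))` on `addGroup` and `addGroupEgress`, but nothing in this file documents that the two implementations in this commit diverge: the Neutron one treats a null `Ethertype` as IPv4, and the AWS one rejects any IPv6 rule at runtime by throwing `UnsupportedPropertyValue`. Since callers code against this base class, a comment above each `Ethertype` line would spare them a failed deployment, e.g. `# Ethertype: null means IPv4; IPv6 is accepted by the contract but the AWS backend throws UnsupportedPropertyValue for it`. The rules contract is now copied verbatim across `addGroup`, `addGroupEgress` and `_addGroup` in all three files, so any later change to it must be applied in nine places; that duplication is worth a note at the top of the base file. `addGroupEgress` declares no Body here, so I take it to be abstract like `addGroup`, whose declaration starts outside this hunk.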