# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
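Namespaces:
  =: io.murano.system
  std: io.murano

# Security group manager that materialises Murano security group rules as a
# Heat/CloudFormation-style ``AWS::EC2::SecurityGroup`` resource in the
# environment's stack.
#
# NOTE(security): every rule emitted by this manager uses ``CidrIp: 0.0.0.0/0``,
# i.e. the port is reachable from any IPv4 source. The ``External`` flag of a
# rule cannot be honoured with this inline template (there is no equivalent of
# the Neutron manager's ``remote_group_id`` restriction here), so rules with
# ``External: false`` are rejected rather than silently exposed to the world.
# Deployments that previously passed such rules will now fail with
# UnsupportedPropertyValue instead of opening the port to 0.0.0.0/0.
Name: AwsSecurityGroupManager

Extends: SecurityGroupManager

Methods:
  # Add ingress rules to the environment's composite security group.
  #
  # rules     - list of rule mappings: FromPort/ToPort (int, required),
  #             IpProtocol (string, required), External (bool, required) and
  #             Ethertype (null, 'IPv4' or 'IPv6').
  # groupName - Heat resource name of the group; defaults to defaultGroupName.
  #
  # Raises UnsupportedPropertyValue (via _addGroup) for IPv6 rules and for
  # rules with External = false.
  addGroupIngress:
    Arguments:
      - rules:
          Contract:
            - FromPort: $.int().notNull()
              ToPort: $.int().notNull()
              IpProtocol: $.string().notNull()
              External: $.bool().notNull()
              Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6'))
      - groupName:
          Contract: $.string().notNull()
          Default: $this.defaultGroupName
    Body:
      - $._addGroup(ingress, $rules, $groupName)

  # Add egress rules to the environment's composite security group.
  # Same arguments, contract and failure modes as addGroupIngress.
  addGroupEgress:
    Arguments:
      - rules:
          Contract:
            - FromPort: $.int().notNull()
              ToPort: $.int().notNull()
              IpProtocol: $.string().notNull()
              External: $.bool().notNull()
              Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6'))
      - groupName:
          Contract: $.string().notNull()
          Default: $this.defaultGroupName
    Body:
      - $._addGroup(egress, $rules, $groupName)

  # Shared implementation for both directions.
  #
  # direction - 'ingress' (default) or 'egress'; selects the
  #             SecurityGroupIngress / SecurityGroupEgress property.
  # rules     - rule list as documented on addGroupIngress.
  # groupName - Heat resource name of the security group.
  #
  # Validates the rules first (so nothing is written to the stack template
  # when they are rejected), then pushes two template updates: the group
  # resource itself with an all-ICMP rule, followed by the caller's rules.
  _addGroup:
    Arguments:
      - direction:
          Contract: $.string().notNull().check($ in list(ingress, egress))
          Default: ingress
      - rules:
          Contract:
            - FromPort: $.int().notNull()
              ToPort: $.int().notNull()
              IpProtocol: $.string().notNull()
              External: $.bool().notNull()
              Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6'))
      - groupName:
          Contract: $.string().notNull()
          Default: $this.defaultGroupName
    Body:
      # IPv6 rules cannot be expressed with an IPv4 CidrIp; fail loudly instead
      # of emitting an IPv4 rule the caller did not ask for.
      - $ethertype: $rules.where($.get(Ethertype) = IPv6)
      - If: len($ethertype) > 0
        Then:
          - $msg: 'Unable to add security group. IPv6 is not supported.'
          # NOTE(review): the reporter is reached through $._environment while
          # the stack below is reached through $.environment - confirm both
          # resolve on the parent class.
          - $._environment.reporter.report_error($this, $msg)
          - Throw: UnsupportedPropertyValue
            Message: $msg

      # Fail closed on group-internal rules. The previous implementation
      # computed a remote_group_id mapping for External = false but never used
      # it, so such rules ended up with CidrIp 0.0.0.0/0 - world-reachable -
      # which is the opposite of what the flag requests.
      - $internal: $rules.where(not $.External)
      - If: len($internal) > 0
        Then:
          - $msg: 'Unable to add security group. Rules with External = false are not supported by the AWS security group manager and would otherwise be exposed to 0.0.0.0/0.'
          - $._environment.reporter.report_error($this, $msg)
          - Throw: UnsupportedPropertyValue
            Message: $msg

      - $groupDirection: dict(egress => SecurityGroupEgress).get($direction, SecurityGroupIngress)
      - $stack: $.environment.stack

      # First update: declare the group and, in the requested direction, permit
      # every ICMP type/code (-1/-1) from any IPv4 source. This ICMP rule is
      # unconditional and is (re-)added on every call.
      - $template:
          resources:
            $groupName:
              type: 'AWS::EC2::SecurityGroup'
              properties:
                GroupDescription: format('Composite security group of Murano environment {0}', $.environment.name)
                $groupDirection:
                  - FromPort: '-1'
                    ToPort: '-1'
                    IpProtocol: icmp
                    CidrIp: '0.0.0.0/0'
      - $stack.updateTemplate($template)

      # Second update: the caller's rules. Ports are stringified because the
      # AWS-style resource takes them as strings (cf. '-1' above). All rules
      # that reach this point are External = true, hence CidrIp 0.0.0.0/0.
      - $rulesList: $rules.select(dict(
            FromPort => str($.FromPort),
            ToPort => str($.ToPort),
            IpProtocol => $.IpProtocol,
            CidrIp => '0.0.0.0/0'
          ))
      - $template:
          resources:
            $groupName:
              type: 'AWS::EC2::SecurityGroup'
              properties:
                $groupDirection: $rulesList
      - $stack.updateTemplate($template)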