From 38d80e57b05487cba8fcb09c03ace6b856ee7036 Mon Sep 17 00:00:00 2001
From: Florian Haas
Date: Wed, 19 Feb 2025 11:02:46 +0100
Subject: [PATCH] Consider the VPNService resource complete if its Neutron object is in PENDING_CREATE
When a Neutron VPN service is created, it starts out in the PENDING_CREATE state and doesn't hit the ACTIVE status until it has a matching site-to-site connection. However, it is required that the OS::Neutron::VPNService resource be in CREATE_COMPLETE, in order for any dependent OS::Neutron::IPsecSiteConnection resource to progress to CREATE_IN_PROGRESS. Thus, without this change is it is not possible to create a VPNService resource and a matching IPsecSiteConnection resource in one stack. Also, if one omits the IPsecSiteConnection resource definition from the template entirely, the stack can never reach the CREATE_COMPLETE state on its own, because the VPNService resource remains perpetually stuck in CREATE_IN_PROGRESS. (This can only be worked around by creating the site-to-site connection manually, which isn't the point of orchestration.) To resolve this catch-22, consider the VPNService resource complete, even when its underlying Neutron VPN service object is still in PENDING_CREATE.
Change-Id: I2c8b431265ab92174b5e1efab8a5b4ae673452db
---
 .../engine/resources/openstack/neutron/vpnservice.py | 12 +++++++++---
 .../openstack/neutron/test_neutron_vpnservice.py | 1 -
 .../vpnservice-pending-create-f261c5dfc290a734.yaml | 6 ++++++
 3 files changed, 15 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/vpnservice-pending-create-f261c5dfc290a734.yaml
diff --git a/heat/engine/resources/openstack/neutron/vpnservice.py b/heat/engine/resources/openstack/neutron/vpnservice.py
index 2e2b4bef1a..1c4f85ec41 100644
--- a/heat/engine/resources/openstack/neutron/vpnservice.py
+++ b/heat/engine/resources/openstack/neutron/vpnservice.py
@@ -197,9 +197,15 @@ class VPNService(neutron.NeutronResource):
 def check_create_complete(self, data):
 attributes = self._show_resource()
 status = attributes['status']
- if status == 'PENDING_CREATE':
- return False
- elif status == 'ACTIVE':
+ # The Neutron VPN service doesn't hit the ACTIVE status until
+ # it has a matching site-to-site connection. However, it is
+ # required that the VPNService resource be in CREATE_COMPLETE,
+ # in order for the IPsecSiteConnection resource to progress to
+ # CREATE_IN_PROGRESS. The only way to resolve this catch-22 is
+ # to already consider the VPNService resource complete, even
+ # when its underlying Neutron VPN service object is still in
+ # PENDING_CREATE.
+ if status in ['PENDING_CREATE', 'ACTIVE']:
 return True
 elif status == 'ERROR':
 raise exception.ResourceInError(
diff --git a/heat/tests/openstack/neutron/test_neutron_vpnservice.py b/heat/tests/openstack/neutron/test_neutron_vpnservice.py
index 003d5bdd6f..1d1b4d3b6d 100644
--- a/heat/tests/openstack/neutron/test_neutron_vpnservice.py
+++ b/heat/tests/openstack/neutron/test_neutron_vpnservice.py
@@ -187,7 +187,6 @@ class VPNServiceTest(common.HeatTestCase):
 rsrc = self.create_vpnservice()
 self.mockclient.show_vpnservice.side_effect = [
- {'vpnservice': {'status': 'PENDING_CREATE'}},
 {'vpnservice': {'status': 'ERROR'}},
 ]
diff --git a/releasenotes/notes/vpnservice-pending-create-f261c5dfc290a734.yaml b/releasenotes/notes/vpnservice-pending-create-f261c5dfc290a734.yaml
new file mode 100644
index 0000000000..97b01097c8
--- /dev/null
+++ b/releasenotes/notes/vpnservice-pending-create-f261c5dfc290a734.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Enable the creation of an ``OS::Neutron::VPNService`` resource,
+ and an ``OS::Neutron::IPsecSiteConnection`` resource that depends
+ on it, within the same stack.
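Review bot: Treating `PENDING_CREATE` as complete in `check_create_complete` means the stack can report CREATE_COMPLETE for a VPN service that never becomes ACTIVE, and a later transition to ERROR is no longer observed by this check. Operators or automation that read the stack status as proof that the VPN endpoint is up would be misled, so the new block comment should state the consequence as well as the reason, for example `# NOTE: CREATE_COMPLETE no longer implies the Neutron VPN service is ACTIVE; verify its status separately.` The membership test would also read better against a tuple, `if status in ('PENDING_CREATE', 'ACTIVE'):`. The function body continues past the end of the hunk, so its remaining branches were not reviewed.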
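Review bot: No test in this patch asserts the new behaviour; the only change to the test file removes the `PENDING_CREATE` response from the `show_vpnservice` side effects, and the diffstat shows one deletion and no additions for it. A case where the mock returns `{'vpnservice': {'status': 'PENDING_CREATE'}}` and the resource is expected to reach CREATE_COMPLETE would pin the change and catch a regression to the old polling behaviour. The test method begins and ends outside the hunk, so what it asserts on the ERROR path is not visible here.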