Add constraint for Security Group

Change-Id: I8b2918b1dc1ccef1723028680914a597580664dc

heat/engine/clients/os/neutron/neutron_constraints.py

@@ -75,6 +75,10 @@ class SubnetPoolConstraint(NeutronConstraint):
     resource_name = 'subnetpool'
 
 
+class SecurityGroupConstraint(NeutronConstraint):
+    resource_name = 'security_group'
+
+
 class AddressScopeConstraint(NeutronConstraint):
     resource_name = 'address_scope'
     extension = 'address-scope'

heat/engine/resources/openstack/neutron/security_group.py

@@ -110,7 +110,10 @@ class SecurityGroup(neutron.NeutronResource):
             _('The remote group ID to be associated with this security group '
               'rule. If no value is specified then this rule will use this '
               'security group for the remote_group_id. The remote mode '
-              'parameter must be set to "remote_group_id".')
+              'parameter must be set to "remote_group_id".'),
+            constraints=[
+                constraints.CustomConstraint('neutron.security_group')
+            ]
         ),
         RULE_REMOTE_IP_PREFIX: properties.Schema(
             properties.Schema.STRING,

heat/tests/clients/test_neutron_client.py

@@ -168,7 +168,11 @@ class NeutronConstraintsValidate(common.HeatTestCase):
         ('validate_qos_policy',
             dict(constraint_class=nc.QoSPolicyConstraint,
                  resource_type='policy',
-                 cmd_resource='qos_policy'))
+                 cmd_resource='qos_policy')),
+        ('validate_security_group',
+            dict(constraint_class=nc.SecurityGroupConstraint,
+                 resource_type='security_group',
+                 cmd_resource=None))
     ]
 
     def test_validate(self):

heat/tests/openstack/neutron/test_neutron_security_group.py

@@ -11,7 +11,10 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import mox
+
 from neutronclient.common import exceptions as neutron_exc
+from neutronclient.neutron import v2_0 as neutronV20
 from neutronclient.v2_0 import client as neutronclient
 from novaclient.v2 import security_group_rules as nova_sgr
 from novaclient.v2 import security_groups as nova_sg
@@ -103,6 +106,7 @@ resources:
         self.m.StubOutWithMock(neutronclient.Client, 'update_security_group')
         self.patchobject(neutron.NeutronClientPlugin, 'has_extension',
                          return_value=True)
+        self.m.StubOutWithMock(neutronV20, 'find_resourceid_by_name_or_id')
 
     def create_stack(self, templ):
         t = template_format.parse(templ)
@@ -202,6 +206,18 @@ resources:
 
         # create script
         sg_name = utils.PhysName('test_stack', 'the_sg')
+        neutronV20.find_resourceid_by_name_or_id(
+            mox.IsA(neutronclient.Client),
+            'security_group',
+            'wwww',
+            cmd_resource=None,
+        ).MultipleTimes().AndReturn('wwww')
+        neutronV20.find_resourceid_by_name_or_id(
+            mox.IsA(neutronclient.Client),
+            'security_group',
+            'xxxx',
+            cmd_resource=None,
+        ).MultipleTimes().AndReturn('xxxx')
         neutronclient.Client.create_security_group({
             'security_group': {
                 'name': sg_name,
@@ -544,6 +560,18 @@ resources:
     def test_security_group_exception(self):
         # create script
         sg_name = utils.PhysName('test_stack', 'the_sg')
+        neutronV20.find_resourceid_by_name_or_id(
+            mox.IsA(neutronclient.Client),
+            'security_group',
+            'wwww',
+            cmd_resource=None,
+        ).MultipleTimes().AndReturn('wwww')
+        neutronV20.find_resourceid_by_name_or_id(
+            mox.IsA(neutronclient.Client),
+            'security_group',
+            'xxxx',
+            cmd_resource=None,
+        ).MultipleTimes().AndReturn('xxxx')
         neutronclient.Client.create_security_group({
             'security_group': {
                 'name': sg_name,

setup.cfg

@@ -118,6 +118,7 @@ heat.constraints =
     neutron.port = heat.engine.clients.os.neutron.neutron_constraints:PortConstraint
     neutron.qos_policy = heat.engine.clients.os.neutron.neutron_constraints:QoSPolicyConstraint
     neutron.router = heat.engine.clients.os.neutron.neutron_constraints:RouterConstraint
+    neutron.security_group = heat.engine.clients.os.neutron.neutron_constraints:SecurityGroupConstraint
     neutron.subnet = heat.engine.clients.os.neutron.neutron_constraints:SubnetConstraint
     neutron.subnetpool = heat.engine.clients.os.neutron.neutron_constraints:SubnetPoolConstraint
     nova.flavor = heat.engine.clients.os.nova:FlavorConstraint