Re-add FWaaS support

Neutron FWaaS was revived in 2022[1] and was recently added back to
RDO.

[1] a9f26b81e28359e6ccacf95a97557ad3005adc5f

Change-Id: I79b50dcade4a97368a9a07fcdda3f3c35f2c5869
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>

lib/puppet/provider/neutron_fwaas_agent_config/ini_setting.rb

@@ -0,0 +1,10 @@
+Puppet::Type.type(:neutron_fwaas_agent_config).provide(
+  :ini_setting,
+  :parent => Puppet::Type.type(:openstack_config).provider(:ini_setting)
+) do
+
+  def self.file_path
+    '/etc/neutron/fwaas_driver.ini'
+  end
+
+end

lib/puppet/provider/neutron_fwaas_service_config/openstackconfig.rb

@@ -0,0 +1,10 @@
+Puppet::Type.type(:neutron_fwaas_service_config).provide(
+  :openstackconfig,
+  :parent => Puppet::Type.type(:openstack_config).provider(:ruby)
+) do
+
+  def self.file_path
+    '/etc/neutron/neutron_fwaas.conf'
+  end
+
+end

lib/puppet/type/neutron_fwaas_agent_config.rb

@@ -0,0 +1,28 @@
+Puppet::Type.newtype(:neutron_fwaas_agent_config) do
+
+  ensurable
+
+  newparam(:name, :namevar => true) do
+    desc 'Section/setting name to manage from fwaas_driver.ini'
+    newvalues(/\S+\/\S+/)
+  end
+
+  newproperty(:value) do
+    desc 'The value of the setting to be defined.'
+    munge do |value|
+      value = value.to_s.strip
+      value.capitalize! if value =~ /^(true|false)$/i
+      value
+    end
+  end
+
+  newparam(:ensure_absent_val) do
+    desc 'A value that is specified as the value property will behave as if ensure => absent was specified'
+    defaultto('<SERVICE DEFAULT>')
+  end
+
+  autorequire(:anchor) do
+    ['neutron::install::end']
+  end
+
+end

lib/puppet/type/neutron_fwaas_service_config.rb

@@ -0,0 +1,40 @@
+Puppet::Type.newtype(:neutron_fwaas_service_config) do
+
+  ensurable
+
+  newparam(:name, :namevar => true) do
+    desc 'Section/setting name to manage from neutron_fwaas.conf'
+    newvalues(/\S+\/\S+/)
+  end
+
+  newproperty(:value, :array_matching => :all) do
+    desc 'The value of the setting to be defined.'
+    def insync?(is)
+      return true if @should.empty?
+      return false unless is.is_a? Array
+      return false unless is.length == @should.length
+      # we don't care about the order of items in array, hence
+      # it is necessary to override insync
+      return (
+        is & @should == is or
+        is & @should.map(&:to_s) == is
+      )
+    end
+
+    munge do |value|
+      value = value.to_s.strip
+      value.capitalize! if value =~ /^(true|false)$/i
+      value
+    end
+  end
+
+  newparam(:ensure_absent_val) do
+    desc 'A value that is specified as the value property will behave as if ensure => absent was specified'
+    defaultto('<SERVICE DEFAULT>')
+  end
+
+  autorequire(:anchor) do
+    ['neutron::install::end']
+  end
+
+end

manifests/agents/fwaas.pp

@@ -0,0 +1,69 @@
+# == Class: neutron::agents:fwaas
+#
+# Setups Neutron FWaaS agent.
+#
+# === Parameters
+#
+# [*package_ensure*]
+#   (optional) Ensure state for package. Defaults to 'present'.
+#
+# [*driver*]
+#   (optional) Name of the FWaaS driver.
+#   Defaults to $facts['os_service_default'].
+#
+# [*enabled*]
+#   (optional) Enable FWaaS.
+#   Defaults to $facts['os_service_default'].
+#
+# [*conntrack_driver*]
+#   (optional) Name of the firewall l3 driver.
+#   Defaults to $facts['os_service_default'].
+#
+# [*firewall_l2_driver*]
+#   (optional) Name of the firewall l2 driver.
+#   Defaults to $facts['os_service_default'].
+#
+# [*purge_config*]
+#   (optional) Whether to set only the specified config options
+#   in the fwaas config.
+#   Defaults to false.
+#
+class neutron::agents::fwaas (
+  $package_ensure       = present,
+  $driver               = $facts['os_service_default'],
+  $enabled              = $facts['os_service_default'],
+  $conntrack_driver     = $facts['os_service_default'],
+  $firewall_l2_driver   = $facts['os_service_default'],
+  Boolean $purge_config = false,
+) {
+
+  include neutron::deps
+  include neutron::params
+
+  resources { 'neutron_fwaas_agent_config':
+    purge => $purge_config,
+  }
+
+  # NOTE(tkajinam): options for l3 agent extension
+  neutron_fwaas_agent_config {
+    'fwaas/driver':             value => $driver;
+    'fwaas/enabled':            value => $enabled;
+    'fwaas/conntrack_driver':   value => $conntrack_driver;
+    'fwaas/firewall_l2_driver': value => $firewall_l2_driver;
+  }
+  Neutron_fwaas_agent_config<||> ~> Service<| title == 'neutron-l3' |>
+
+  # NOTE(tkajinam): options for l2 agent extension
+  neutron_plugin_ml2 {
+    'fwaas/driver':             value => $driver;
+    'fwaas/enabled':            value => $enabled;
+    'fwaas/conntrack_driver':   value => $conntrack_driver;
+    'fwaas/firewall_l2_driver': value => $firewall_l2_driver;
+  }
+
+  ensure_packages( 'neutron-fwaas', {
+    'ensure' => $package_ensure,
+    'name'   => $::neutron::params::fwaas_package,
+    'tag'    => ['openstack', 'neutron-package'],
+  })
+}

manifests/config.pp

@@ -72,6 +72,12 @@
 # [*metering_agent_config*]
 #   (optional) Manage configuration of metering_agent.ini
 #
+# [*fwaas_agent_config*]
+#   (optional) Manage configuration of fwaas_driver.ini
+#
+# [*fwaas_service_config*]
+#   (optional) Manage configuration of neutron_fwaas.conf
+#
 # [*vpnaas_agent_config*]
 #   (optional) Manage configuration of vpn_agent.ini
 #
@@ -111,6 +117,8 @@ class neutron::config (
   Hash $metadata_agent_config         = {},
   Hash $ovn_metadata_agent_config     = {},
   Hash $metering_agent_config         = {},
+  Hash $fwaas_agent_config            = {},
+  Hash $fwaas_service_config          = {},
   Hash $vpnaas_agent_config           = {},
   Hash $vpnaas_service_config         = {},
   Hash $ovn_vpn_agent_config          = {},
@@ -138,6 +146,8 @@ class neutron::config (
   create_resources('neutron_metadata_agent_config', $metadata_agent_config)
   create_resources('ovn_metadata_agent_config', $ovn_metadata_agent_config)
   create_resources('neutron_metering_agent_config', $metering_agent_config)
+  create_resources('neutron_fwaas_agent_config', $fwaas_agent_config)
+  create_resources('neutron_fwaas_service_config', $fwaas_service_config)
   create_resources('neutron_vpnaas_agent_config', $vpnaas_agent_config)
   create_resources('neutron_vpnaas_service_config', $vpnaas_service_config)
   create_resources('neutron_ovn_vpn_agent_config', $ovn_vpn_agent_config)

manifests/deps.pp

@@ -51,6 +51,8 @@ class neutron::deps {
   Anchor['neutron::config::begin'] -> Neutron_l2gw_service_config<||> ~> Anchor['neutron::config::end']
   Anchor['neutron::config::begin'] -> Neutron_plugin_ml2<||> ~> Anchor['neutron::config::end']
   Anchor['neutron::config::begin'] -> Neutron_sriov_agent_config<||> -> Anchor['neutron::config::end']
+  Anchor['neutron::config::begin'] -> Neutron_fwaas_agent_config<||> ~> Anchor['neutron::config::end']
+  Anchor['neutron::config::begin'] -> Neutron_fwaas_service_config<||> ~> Anchor['neutron::config::end']
   Anchor['neutron::config::begin'] -> Neutron_vpnaas_agent_config<||> -> Anchor['neutron::config::end']
   Anchor['neutron::config::begin'] -> Neutron_vpnaas_service_config<||> ~> Anchor['neutron::config::end']
   Anchor['neutron::config::begin'] -> Neutron_rootwrap_config<||> ~> Anchor['neutron::config::end']

manifests/params.pp

@@ -43,6 +43,7 @@ class neutron::params {
       $macvtap_agent_package              = 'openstack-neutron-macvtap-agent'
       $dhcp_agent_package                 = undef
       $metering_agent_package             = 'openstack-neutron-metering-agent'
+      $fwaas_package                      = 'openstack-neutron-fwaas'
       $vpnaas_agent_package               = 'openstack-neutron-vpnaas'
       $vpnaas_ovn_vpn_agent_package       = 'openstack-neutron-vpnaas-ovn-vpn-agent'
       $vpnaas_ovn_vpn_agent_service       = 'neutron-vpnaas-ovn-vpn-agent'
@@ -105,6 +106,7 @@ class neutron::params {
       $macvtap_agent_package              = 'neutron-macvtap-agent'
       $dhcp_agent_package                 = 'neutron-dhcp-agent'
       $metering_agent_package             = 'neutron-metering-agent'
+      $fwaas_package                      = 'python3-neutron-fwaas'
       $vpnaas_agent_package               = 'python3-neutron-vpnaas'
       $vpnaas_ovn_vpn_agent_package       = undef
       $vpnaas_ovn_vpn_agent_service       = undef

manifests/quota/fwaas.pp

@@ -0,0 +1,32 @@
+# == Class: neutron::quota::fwaas
+#
+# Setups neutron quota for neutron-fwaas.
+#
+# === Parameters
+#
+# [*quota_firewall_group*]
+#  (Optional) Number of firewall groups allowed per tenant.
+#  Defaults to $facts['os_service_default'].
+#
+# [*quota_firewall_policy*]
+#  (Optional) Number of firewall policies allowed per tenant.
+#  Defaults to $facts['os_service_default'].
+#
+# [*quota_firewall_rule*]
+#  (Optional) Number of firewall rules allowed per tenant.
+#  Defaults to $facts['os_service_default'].
+#
+class neutron::quota::fwaas (
+  $quota_firewall_group  = $facts['os_service_default'],
+  $quota_firewall_policy = $facts['os_service_default'],
+  $quota_firewall_rule   = $facts['os_service_default'],
+) {
+
+  include neutron::deps
+
+  neutron_config {
+    'quotas/quota_firewall_group':  value => $quota_firewall_group;
+    'quotas/quota_firewall_policy': value => $quota_firewall_policy;
+    'quotas/quota_firewall_rule':   value => $quota_firewall_rule;
+  }
+}

manifests/services/fwaas.pp

@@ -0,0 +1,68 @@
+# This class installs and configures fwaas Neutron Plugin.
+#
+# === Parameters
+#
+# [*package_ensure*]
+#   (optional) Ensure state for package.
+#   Defaults to 'present'.
+#
+# [*service_providers*]
+#   (optional) Array of allowed service types includes fwaas
+#   Must be in form: <service_type>:<name>:<driver>[:default]
+#   Defaults to $facts['os_service_default']
+#
+# [*sync_db*]
+#   Whether 'neutron-db-manage' should run to create and/or synchronize the
+#   database with neutron-fwaas specific tables.
+#   Default to false
+#
+# [*purge_config*]
+#   (optional) Whether to set only the specified config options
+#   in the fwaas config.
+#   Defaults to false.
+#
+class neutron::services::fwaas (
+  $package_ensure       = 'present',
+  $service_providers    = $facts['os_service_default'],
+  Boolean $sync_db      = false,
+  Boolean $purge_config = false,
+) {
+
+  include neutron::deps
+  include neutron::params
+
+  ensure_packages( 'neutron-fwaas', {
+    'ensure' => $package_ensure,
+    'name'   => $::neutron::params::fwaas_package,
+    'tag'    => ['openstack', 'neutron-package'],
+  })
+
+  resources { 'neutron_fwaas_service_config':
+    purge => $purge_config,
+  }
+
+  if is_service_default($service_providers) {
+    $service_providers_real = 'FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default'
+  } else {
+    $service_providers_real = $service_providers
+  }
+
+  neutron_fwaas_service_config {
+    'service_providers/service_provider': value => $service_providers_real;
+  }
+
+  if $sync_db {
+    exec { 'fwaas-db-sync':
+      command     => 'neutron-db-manage --subproject neutron-fwaas upgrade head',
+      path        => '/usr/bin',
+      user        => $::neutron::params::user,
+      subscribe   => [
+        Anchor['neutron::install::end'],
+        Anchor['neutron::config::end'],
+        Anchor['neutron::dbsync::begin']
+      ],
+      notify      => Anchor['neutron::dbsync::end'],
+      refreshonly => true
+    }
+  }
+}

releasenotes/notes/readd-fwaas-11eca81423fbb74d.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Support for Neutron FWaaS was readded.

spec/acceptance/99_neutron_config_spec.rb

@@ -11,6 +11,8 @@ describe 'basic neutron_config resource' do
                      '/etc/neutron/l2gw_plugin.ini',
                      '/etc/neutron/l2gateway_agent.ini',
                      '/etc/neutron/plugins/ml2/ml2_conf.ini',
+                     '/etc/neutron/fwaas_driver.ini',
+                     '/etc/neutron/neutron_fwaas.conf',
                      '/etc/neutron/vpn_agent.ini',
                      '/etc/neutron/neutron_vpnaas.conf',
                      '/etc/neutron/ovn_vpn_agent.ini',
@@ -31,6 +33,8 @@ describe 'basic neutron_config resource' do
   File <||> -> Neutron_metering_agent_config <||>
   File <||> -> Neutron_plugin_ml2 <||>
   File <||> -> Neutron_l2gw_service_config <||>
+  File <||> -> Neutron_fwaas_agent_config <||>
+  File <||> -> Neutron_fwaas_service_config <||>
   File <||> -> Neutron_vpnaas_agent_config <||>
   File <||> -> Neutron_vpnaas_service_config <||>
   File <||> -> Neutron_ovn_vpn_agent_config <||>
@@ -55,6 +59,8 @@ describe 'basic neutron_config resource' do
                      '/etc/neutron/l2gw_plugin.ini',
                      '/etc/neutron/l2gateway_agent.ini',
                      '/etc/neutron/plugins/ml2/ml2_conf.ini',
+                     '/etc/neutron/fwaas_driver.ini',
+                     '/etc/neutron/neutron_fwaas.conf',
                      '/etc/neutron/vpn_agent.ini',
                      '/etc/neutron/neutron_vpnaas.conf',
                      '/etc/neutron/ovn_vpn_agent.ini',
@@ -198,6 +204,42 @@ describe 'basic neutron_config resource' do
     ensure_absent_val => 'toto',
   }
 
+  neutron_fwaas_agent_config { 'DEFAULT/thisshouldexist' :
+    value => 'foo',
+  }
+
+  neutron_fwaas_agent_config { 'DEFAULT/thisshouldnotexist' :
+    value => '<SERVICE DEFAULT>',
+  }
+
+  neutron_fwaas_agent_config { 'DEFAULT/thisshouldexist2' :
+    value             => '<SERVICE DEFAULT>',
+    ensure_absent_val => 'toto',
+  }
+
+  neutron_fwaas_agent_config { 'DEFAULT/thisshouldnotexist2' :
+    value             => 'toto',
+    ensure_absent_val => 'toto',
+  }
+
+  neutron_fwaas_service_config { 'DEFAULT/thisshouldexist' :
+    value => 'foo',
+  }
+
+  neutron_fwaas_service_config { 'DEFAULT/thisshouldnotexist' :
+    value => '<SERVICE DEFAULT>',
+  }
+
+  neutron_fwaas_service_config { 'DEFAULT/thisshouldexist2' :
+    value             => '<SERVICE DEFAULT>',
+    ensure_absent_val => 'toto',
+  }
+
+  neutron_fwaas_service_config { 'DEFAULT/thisshouldnotexist2' :
+    value             => 'toto',
+    ensure_absent_val => 'toto',
+  }
+
   neutron_vpnaas_agent_config { 'DEFAULT/thisshouldexist' :
     value => 'foo',
   }
@@ -387,6 +429,8 @@ describe 'basic neutron_config resource' do
                     'neutron_metadata_agent_config',
                     'neutron_metering_agent_config',
                     'neutron_plugin_ml2',
+                    'neutron_fwaas_agent_config',
+                    'neutron_fwaas_service_config',
                     'neutron_vpnaas_agent_config',
                     'neutron_vpnaas_service_config',
                     'neutron_ovn_vpn_agent_config',

spec/classes/neutron_agents_fwaas_spec.rb

@@ -0,0 +1,83 @@
+require 'spec_helper'
+
+describe 'neutron::agents::fwaas' do
+  let :params do
+    {}
+  end
+
+  shared_examples 'neutron::agents::fwaas' do
+    context 'with defaults' do
+      it { should contain_class('neutron::params') }
+
+      it 'configures fwaas_driver.ini' do
+        should contain_neutron_fwaas_agent_config('fwaas/driver').with_value('<SERVICE DEFAULT>')
+        should contain_neutron_fwaas_agent_config('fwaas/enabled').with_value('<SERVICE DEFAULT>')
+        should contain_neutron_fwaas_agent_config('fwaas/conntrack_driver').with_value('<SERVICE DEFAULT>')
+        should contain_neutron_fwaas_agent_config('fwaas/firewall_l2_driver').with_value('<SERVICE DEFAULT>')
+      end
+      it 'configures ml2_conf.ini' do
+        should contain_neutron_plugin_ml2('fwaas/driver').with_value('<SERVICE DEFAULT>')
+        should contain_neutron_plugin_ml2('fwaas/enabled').with_value('<SERVICE DEFAULT>')
+        should contain_neutron_plugin_ml2('fwaas/conntrack_driver').with_value('<SERVICE DEFAULT>')
+        should contain_neutron_plugin_ml2('fwaas/firewall_l2_driver').with_value('<SERVICE DEFAULT>')
+      end
+
+      it 'installs neutron fwaas package' do
+        should contain_package('neutron-fwaas').with(
+          :ensure => 'installed',
+          :name   => platform_params[:fwaas_package],
+          :tag    => ['openstack', 'neutron-package'],
+        )
+      end
+    end
+
+    context 'with parameters' do
+      let :params do
+        {
+          :driver             => 'iptables_v2',
+          :enabled            => true,
+          :conntrack_driver   => 'conntrack',
+          :firewall_l2_driver => 'ovs',
+        }
+      end
+
+      it 'configures fwaas_driver.ini' do
+        should contain_neutron_fwaas_agent_config('fwaas/driver').with_value('iptables_v2')
+        should contain_neutron_fwaas_agent_config('fwaas/enabled').with_value(true)
+        should contain_neutron_fwaas_agent_config('fwaas/conntrack_driver').with_value('conntrack')
+        should contain_neutron_fwaas_agent_config('fwaas/firewall_l2_driver').with_value('ovs')
+      end
+      it 'configures ml2_conf.ini' do
+        should contain_neutron_plugin_ml2('fwaas/driver').with_value('iptables_v2')
+        should contain_neutron_plugin_ml2('fwaas/enabled').with_value(true)
+        should contain_neutron_plugin_ml2('fwaas/conntrack_driver').with_value('conntrack')
+        should contain_neutron_plugin_ml2('fwaas/firewall_l2_driver').with_value('ovs')
+      end
+    end
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      let (:platform_params) do
+        case facts[:os]['family']
+        when 'Debian'
+          {
+            :fwaas_package => 'python3-neutron-fwaas'
+          }
+        when 'RedHat'
+          {
+            :fwaas_package => 'openstack-neutron-fwaas'
+          }
+        end
+      end
+
+      it_behaves_like 'neutron::agents::fwaas'
+    end
+  end
+end

spec/classes/neutron_config_spec.rb

@@ -79,6 +79,8 @@ describe 'neutron::config' do
         :dhcp_agent_config        => config_hash,
         :metadata_agent_config    => config_hash,
         :metering_agent_config    => config_hash,
+        :fwaas_agent_config       => config_hash,
+        :fwaas_service_config     => config_hash,
         :vpnaas_agent_config      => config_hash,
         :vpnaas_service_config    => config_hash,
         :ovn_vpn_agent_config     => config_hash,
@@ -136,6 +138,18 @@ describe 'neutron::config' do
       should contain_neutron_metering_agent_config('DEFAULT/baz').with_ensure('absent')
     end
 
+    it 'configures arbitrary fwaas_agent_config configurations' do
+      should contain_neutron_fwaas_agent_config('DEFAULT/foo').with_value('fooValue')
+      should contain_neutron_fwaas_agent_config('DEFAULT/bar').with_value('barValue')
+      should contain_neutron_fwaas_agent_config('DEFAULT/baz').with_ensure('absent')
+    end
+
+    it 'configures arbitrary fwaas_service_config configurations' do
+      should contain_neutron_fwaas_service_config('DEFAULT/foo').with_value('fooValue')
+      should contain_neutron_fwaas_service_config('DEFAULT/bar').with_value('barValue')
+      should contain_neutron_fwaas_service_config('DEFAULT/baz').with_ensure('absent')
+    end
+
     it 'configures arbitrary vpnaas_agent_config configurations' do
       should contain_neutron_vpnaas_agent_config('DEFAULT/foo').with_value('fooValue')
       should contain_neutron_vpnaas_agent_config('DEFAULT/bar').with_value('barValue')

spec/classes/neutron_quota_fwaas_spec.rb

@@ -0,0 +1,57 @@
+require 'spec_helper'
+
+describe 'neutron::quota::fwaas' do
+  let :params do
+    {}
+  end
+
+  let :default_params do
+    {
+      :quota_firewall_group  => '<SERVICE DEFAULT>',
+      :quota_firewall_policy => '<SERVICE DEFAULT>',
+      :quota_firewall_rule   => '<SERVICE DEFAULT>',
+    }
+  end
+
+  shared_examples 'neutron::quota::fwaas test' do
+    let :params_hash do
+      default_params.merge(params)
+    end
+
+    it 'configures quota in neutron.conf' do
+      params_hash.each_pair do |config,value|
+        should contain_neutron_config("quotas/#{config}").with_value( value )
+      end
+    end
+  end
+
+  shared_examples 'neutron::quota::fwaas' do
+    context 'with default' do
+      it_behaves_like 'neutron::quota::fwaas test'
+    end
+
+    context 'with provided parameters' do
+      before do
+        params.merge!({
+          :quota_firewall_group  => 10,
+          :quota_firewall_policy => 11,
+          :quota_firewall_rule   => 100,
+        })
+      end
+
+      it_behaves_like 'neutron::quota::fwaas test'
+    end
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      it_behaves_like 'neutron::quota::fwaas'
+    end
+  end
+end

spec/classes/neutron_services_fwaas_spec.rb

@@ -0,0 +1,84 @@
+require 'spec_helper'
+
+describe 'neutron::services::fwaas' do
+
+  shared_examples 'neutron fwaas service plugin' do
+    context 'with default params' do
+      it 'installs fwaas package' do
+        should contain_package('neutron-fwaas').with(
+          :ensure => 'installed',
+          :name   => platform_params[:fwaas_package_name]
+        )
+      end
+
+      it 'configures neutron_fwaas.conf' do
+        should contain_neutron_fwaas_service_config(
+          'service_providers/service_provider'
+        ).with_value(
+          'FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default'
+        )
+      end
+
+      it 'does not run neutron-db-manage' do
+        should_not contain_exec('fwaas-db-sync')
+      end
+    end
+
+    context 'with db sync enabled' do
+      let :params do
+        {
+          :sync_db => true
+        }
+      end
+
+      it 'runs neutron-db-manage' do
+        should contain_exec('fwaas-db-sync').with(
+          :command     => 'neutron-db-manage --subproject neutron-fwaas upgrade head',
+          :path        => '/usr/bin',
+          :user        => 'neutron',
+          :subscribe   => ['Anchor[neutron::install::end]',
+                           'Anchor[neutron::config::end]',
+                           'Anchor[neutron::dbsync::begin]'
+                           ],
+          :notify      => 'Anchor[neutron::dbsync::end]',
+          :refreshonly => 'true',
+        )
+      end
+    end
+
+    context 'with multiple service providers' do
+      let :params do
+        {
+          :service_providers => ['provider1', 'provider2']
+        }
+      end
+
+      it 'configures neutron_fwaas.conf' do
+        should contain_neutron_fwaas_service_config(
+          'service_providers/service_provider'
+        ).with_value(['provider1', 'provider2'])
+      end
+    end
+
+  end
+
+  on_supported_os({
+    :supported_os   => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge(OSDefaults.get_facts())
+      end
+
+      let (:platform_params) do
+        case facts[:os]['family']
+        when 'Debian'
+          { :fwaas_package_name => 'python3-neutron-fwaas' }
+        when 'RedHat'
+          { :fwaas_package_name => 'openstack-neutron-fwaas' }
+        end
+      end
+      it_behaves_like 'neutron fwaas service plugin'
+    end
+  end
+end

spec/unit/provider/neutron_fwaas_agent_config/ini_setting_spec.rb

@@ -0,0 +1,51 @@
+require 'spec_helper'
+
+provider_class = Puppet::Type.type(:neutron_fwaas_agent_config).provider(:ini_setting)
+
+describe provider_class do
+
+  it 'should default to the default setting when no other one is specified' do
+    resource = Puppet::Type::Neutron_fwaas_agent_config.new(
+      {
+        :name => 'DEFAULT/foo',
+        :value => 'bar'
+      }
+    )
+    provider = provider_class.new(resource)
+    expect(provider.section).to eq('DEFAULT')
+    expect(provider.setting).to eq('foo')
+    expect(provider.file_path).to eq('/etc/neutron/fwaas_driver.ini')
+  end
+
+  it 'should allow setting to be set explicitly' do
+    resource = Puppet::Type::Neutron_fwaas_agent_config.new(
+      {
+        :name => 'dude/foo',
+        :value => 'bar'
+      }
+    )
+    provider = provider_class.new(resource)
+    expect(provider.section).to eq('dude')
+    expect(provider.setting).to eq('foo')
+    expect(provider.file_path).to eq('/etc/neutron/fwaas_driver.ini')
+  end
+
+  it 'should ensure absent when <SERVICE DEFAULT> is specified as a value' do
+    resource = Puppet::Type::Neutron_fwaas_agent_config.new(
+      {:name => 'dude/foo', :value => '<SERVICE DEFAULT>'}
+    )
+    provider = provider_class.new(resource)
+    provider.exists?
+    expect(resource[:ensure]).to eq :absent
+  end
+
+  it 'should ensure absent when value matches ensure_absent_val' do
+    resource = Puppet::Type::Neutron_fwaas_agent_config.new(
+      {:name => 'dude/foo', :value => 'foo', :ensure_absent_val => 'foo' }
+    )
+    provider = provider_class.new(resource)
+    provider.exists?
+    expect(resource[:ensure]).to eq :absent
+  end
+
+end

spec/unit/provider/neutron_fwaas_service_config/openstackconfig_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+provider_class = Puppet::Type.type(:neutron_fwaas_service_config).provider(:openstackconfig)
+describe provider_class do
+
+  it 'should default to the default setting when no other one is specified' do
+    resource = Puppet::Type::Neutron_fwaas_service_config.new(
+      {:name => 'DEFAULT/foo', :value => 'bar'}
+    )
+    provider = provider_class.new(resource)
+    expect(provider.section).to eq('DEFAULT')
+    expect(provider.setting).to eq('foo')
+  end
+
+  it 'should allow setting to be set explicitly' do
+    resource = Puppet::Type::Neutron_fwaas_service_config.new(
+      {:name => 'dude/foo', :value => 'bar'}
+    )
+    provider = provider_class.new(resource)
+    expect(provider.section).to eq('dude')
+    expect(provider.setting).to eq('foo')
+  end
+
+  it 'should ensure absent when <SERVICE DEFAULT> is specified as a value' do
+    resource = Puppet::Type::Neutron_fwaas_service_config.new(
+      {:name => 'dude/foo', :value => '<SERVICE DEFAULT>'}
+    )
+    provider = provider_class.new(resource)
+    provider.exists?
+    expect(resource[:ensure]).to eq :absent
+  end
+
+  it 'should ensure absent when value matches ensure_absent_val' do
+    resource = Puppet::Type::Neutron_fwaas_service_config.new(
+      {:name => 'dude/foo', :value => 'foo', :ensure_absent_val => 'foo' }
+    )
+    provider = provider_class.new(resource)
+    provider.exists?
+    expect(resource[:ensure]).to eq :absent
+  end
+
+end

spec/unit/type/neutron_fwaas_agent_config_spec.rb

@@ -0,0 +1,20 @@
+require 'puppet'
+require 'puppet/type/neutron_fwaas_agent_config'
+
+describe 'Puppet::Type.type(:neutron_fwaas_agent_config)' do
+
+  before :each do
+    @neutron_fwaas_agent_config = Puppet::Type.type(:neutron_fwaas_agent_config).new(:name => 'DEFAULT/foo', :value => 'bar')
+  end
+
+  it 'should autorequire the package that install the file' do
+    catalog = Puppet::Resource::Catalog.new
+    anchor = Puppet::Type.type(:anchor).new(:name => 'neutron::install::end')
+    catalog.add_resource anchor, @neutron_fwaas_agent_config
+    dependency = @neutron_fwaas_agent_config.autorequire
+    expect(dependency.size).to eq(1)
+    expect(dependency[0].target).to eq(@neutron_fwaas_agent_config)
+    expect(dependency[0].source).to eq(anchor)
+  end
+
+end

spec/unit/type/neutron_fwaas_service_config_spec.rb

@@ -0,0 +1,65 @@
+require 'puppet'
+require 'puppet/type/neutron_fwaas_service_config'
+
+describe 'Puppet::Type.type(:neutron_fwaas_service_config)' do
+
+  before :each do
+    @neutron_fwaas_service_config = Puppet::Type.type(:neutron_fwaas_service_config).new(:name => 'DEFAULT/foo', :value => 'bar')
+  end
+
+  it 'should require a name' do
+    expect {
+      Puppet::Type.type(:neutron_fwaas_service_config).new({})
+    }.to raise_error(Puppet::Error, 'Title or name must be provided')
+  end
+
+  it 'should not expect a name with whitespace' do
+    expect {
+      Puppet::Type.type(:neutron_fwaas_service_config).new(:name => 'f oo')
+    }.to raise_error(Puppet::Error, /Parameter name failed/)
+  end
+
+  it 'should fail when there is no section' do
+    expect {
+      Puppet::Type.type(:neutron_fwaas_service_config).new(:name => 'foo')
+    }.to raise_error(Puppet::Error, /Parameter name failed/)
+  end
+
+  it 'should not require a value when ensure is absent' do
+    Puppet::Type.type(:neutron_fwaas_service_config).new(:name => 'DEFAULT/foo', :ensure => :absent)
+  end
+
+  it 'should accept a valid value' do
+    @neutron_fwaas_service_config[:value] = 'bar'
+    expect(@neutron_fwaas_service_config[:value]).to eq(['bar'])
+  end
+
+  it 'should accept a value with whitespace' do
+    @neutron_fwaas_service_config[:value] = 'b ar'
+    expect(@neutron_fwaas_service_config[:value]).to eq(['b ar'])
+  end
+
+  it 'should accept valid ensure values' do
+    @neutron_fwaas_service_config[:ensure] = :present
+    expect(@neutron_fwaas_service_config[:ensure]).to eq(:present)
+    @neutron_fwaas_service_config[:ensure] = :absent
+    expect(@neutron_fwaas_service_config[:ensure]).to eq(:absent)
+  end
+
+  it 'should not accept invalid ensure values' do
+    expect {
+      @neutron_fwaas_service_config[:ensure] = :latest
+    }.to raise_error(Puppet::Error, /Invalid value/)
+  end
+
+  it 'should autorequire the package that install the file' do
+    catalog = Puppet::Resource::Catalog.new
+    anchor = Puppet::Type.type(:anchor).new(:name => 'neutron::install::end')
+    catalog.add_resource anchor, @neutron_fwaas_service_config
+    dependency = @neutron_fwaas_service_config.autorequire
+    expect(dependency.size).to eq(1)
+    expect(dependency[0].target).to eq(@neutron_fwaas_service_config)
+    expect(dependency[0].source).to eq(anchor)
+  end
+
+end