533f3e56b2
It was an error in the example to set firewall rule Tested on newton. Closes-Bug: 1691990 Change-Id: I091ad0305ac9d9fbb63853e46169fcaa6092456b Signed-off-by: Cyril Lopez <cylopez@redhat.com>
109 lines
3.1 KiB
Puppet
109 lines
3.1 KiB
Puppet
#
|
|
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
# == Class: tripleo
|
|
#
|
|
# Configure the TripleO firewall
|
|
#
|
|
# === Parameters:
|
|
#
|
|
# [*manage_firewall*]
|
|
# (optional) Completely enable or disable firewall settings
|
|
# (false means disabled, and true means enabled)
|
|
# Defaults to false
|
|
#
|
|
# [*firewall_rules*]
|
|
# (optional) Allow to add custom firewall rules
|
|
# Should be an hash.
|
|
# Default to {}
|
|
#
|
|
# [*purge_firewall_rules*]
|
|
# (optional) Boolean, purge all firewall resources
|
|
# Defaults to false
|
|
#
|
|
# [*firewall_pre_extras*]
|
|
# (optional) Allow to add custom parameters to firewall rules (pre stage)
|
|
# Should be an hash.
|
|
# Default to {}
|
|
#
|
|
# [*firewall_post_extras*]
|
|
# (optional) Allow to add custom parameters to firewall rules (post stage)
|
|
# Should be an hash.
|
|
# Default to {}
|
|
#
|
|
class tripleo::firewall(
|
|
$manage_firewall = false,
|
|
$firewall_rules = {},
|
|
$purge_firewall_rules = false,
|
|
$firewall_pre_extras = {},
|
|
$firewall_post_extras = {},
|
|
) {
|
|
|
|
if $manage_firewall {
|
|
|
|
# Only purges IPv4 rules
|
|
if $purge_firewall_rules {
|
|
resources { 'firewall':
|
|
purge => true
|
|
}
|
|
}
|
|
|
|
# anyone can add your own rules
|
|
# example with Hiera:
|
|
#
|
|
# tripleo::firewall::firewall_rules:
|
|
# '300 allow custom application 1':
|
|
# port: 999
|
|
# proto: udp
|
|
# action: accept
|
|
# '301 allow custom application 2':
|
|
# port: 8081
|
|
# proto: tcp
|
|
# action: accept
|
|
#
|
|
create_resources('tripleo::firewall::rule', $firewall_rules)
|
|
|
|
ensure_resource('class', 'tripleo::firewall::pre', {
|
|
'firewall_settings' => $firewall_pre_extras,
|
|
})
|
|
|
|
ensure_resource('class', 'tripleo::firewall::post', {
|
|
'firewall_settings' => $firewall_post_extras,
|
|
})
|
|
|
|
Class['tripleo::firewall::pre'] -> Class['tripleo::firewall::post']
|
|
Service<||> -> Class['tripleo::firewall::post']
|
|
|
|
# Allow composable services to load their own custom
|
|
# example with Hiera.
|
|
# NOTE(dprince): In the future when we have a better hiera
|
|
# heat hook we might refactor this to use hiera's merging
|
|
# capabilities instead. Until then rolling up the flat service
|
|
# keys and dynamically creating firewall rules for each service
|
|
# will allow us to compose and should work fine.
|
|
#
|
|
# Each service can load its rules by using this form:
|
|
#
|
|
# tripleo.<service name with underscores>.firewall_rules:
|
|
# '300 allow custom application 1':
|
|
# dport: 999
|
|
# proto: udp
|
|
# action: accept
|
|
$service_names = hiera('service_names', [])
|
|
tripleo::firewall::service_rules { $service_names: }
|
|
}
|
|
|
|
}
|