From e83c47f11d58445c06e777771607a0484575d3af Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Tue, 29 Sep 2020 17:19:43 -0400
Subject: [PATCH] firewall: make ExtraFirewallRules role specific

Allow our operators to override ExtraFirewallRules per role. Also add an environment file that hopefully provide enough example on how this feature can be used. Also making sure that CI is testing this change.

Change-Id: I776f1cdb780ab57d7554985f0b7c2139356cdf3a
(cherry picked from commit dbe38cac185ef2b51cdd283531bce393e9ce8e6c)
---
 ci/environments/scenario003-standalone.yaml | 7 ++++++
 .../tripleo-firewall-baremetal-ansible.yaml | 19 ++++++++++++++-
 environments/firewall.yaml | 23 +++++++++++++++++++
 3 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 environments/firewall.yaml
diff --git a/ci/environments/scenario003-standalone.yaml b/ci/environments/scenario003-standalone.yaml
index 12aedfdb00..7c6335b1d8 100644
--- a/ci/environments/scenario003-standalone.yaml
+++ b/ci/environments/scenario003-standalone.yaml
@@ -87,3 +87,10 @@ parameter_defaults:
 proto: udp
 source: 127.0.0.1
 action: append
+ StandaloneParameters:
+ ExtraFirewallRules:
+ '303 allow arbitrary tcp rule for controller':
+ dport: 12347
+ proto: tcp
+ source: 127.0.0.1
+ action: insert
diff --git a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
index 834029186f..d737da323f 100644
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
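Review bot: The new `StandaloneParameters: ExtraFirewallRules:` block appears to replace, not extend, the global `ExtraFirewallRules` map whose tail (`proto: udp` / `action: append`) is visible in the context above: the `RoleParametersValue` resource added in tripleo-firewall-baremetal-ansible.yaml resolves the value with nested `map_replace`, which as far as I can tell substitutes the role value for the default map wholesale. If this scenario is meant to keep exercising the global rule on the Standalone node, both rules should presumably live in the same map and the job should check both ports; otherwise the global rule is silently no longer applied on that role. Either way it is worth a comment in this file saying which behaviour the scenario asserts, since a firewall rule disappearing without a diagnostic is the kind of change CI should catch rather than mask.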
@@ -34,6 +34,23 @@ parameters:
 default: {}
 description: Mapping of firewall rules.
 type: json
+ tags:
+ - role_specific
+
+resources:
+ # Merging role-specific parameters (RoleParameters) with the default parameters.
+ # RoleParameters will have the precedence over the default parameters.
+ RoleParametersValue:
+ type: OS::Heat::Value
+ properties:
+ type: json
+ value:
+ map_replace:
+ - map_replace:
+ - extra_firewall_rules: ExtraFirewallRules
+ - values: {get_param: [RoleParameters]}
+ - values:
+ ExtraFirewallRules: {get_param: ExtraFirewallRules}
 
 conditions:
 no_ctlplane:
@@ -60,7 +77,7 @@ outputs:
 source: <%net_cidr%>
 proto: 'tcp'
 dport: 22
- - {get_param: ExtraFirewallRules}
+ - {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
 host_prep_tasks:
 - if:
 - no_ctlplane
diff --git a/environments/firewall.yaml b/environments/firewall.yaml
new file mode 100644
index 0000000000..aa8efb1d44
--- /dev/null
+++ b/environments/firewall.yaml
@@ -0,0 +1,23 @@
+# This is an example of custom firewall rules that one could apply for specific
+# roles.
+
+parameter_defaults:
+
+# This firewall rule will autorize 12345/tcp from localhost on all the nodes
+# in the overcloud:
+# ExtraFirewallRules:
+# '301 allow arbitrary tcp rule':
+# dport: 12345
+# proto: tcp
+# source: 127.0.0.1
+# action: insert
+
+# This firewall rule will autorize 12345/tcp from localhost on all the
+# compute nodes:
+# ComputeParameters:
+# ExtraFirewallRules:
+# '301 allow arbitrary tcp rule':
+# dport: 12345
+# proto: tcp
+# source: 127.0.0.1
+# action: insert
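Review bot: The `ExtraFirewallRules` description is left at `Mapping of firewall rules.` while the hunk tags the parameter `role_specific`, and nothing tells an operator that a `<Role>Parameters` value substitutes for the default map rather than merging with it (the nested `map_replace` in `RoleParametersValue` swaps the whole value, as far as I can tell). Suggest `description: Mapping of firewall rules. Can be overridden per role via <Role>Parameters; a role-specific value replaces the default map instead of being merged into it.`, so that a role override dropping every globally defined extra rule is a documented choice and not a surprise during a security review. The enclosing `parameters:` section starts before the hunk, and the `conditions:` section it runs into continues after it.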
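Review bot: `parameter_defaults:` with only comments beneath it parses as `parameter_defaults: null`, not as an empty mapping, so passing this file unedited with `-e` hands the environment merger a null section; depending on how that merger treats a null value it may error out or clobber the `parameter_defaults` collected from earlier environment files. Writing `parameter_defaults: {}` keeps the file inert until an operator uncomments one of the examples. Minor: `autorize` in the two comment lines should read `authorize`.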