Merge "Restrict SNMP to internal network"

network/service_net_map.j2.yaml

@@ -65,6 +65,7 @@ parameters:
       RedisNetwork: internal_api
       GaneshaNetwork: storage_nfs
       MysqlNetwork: internal_api
+      SnmpdNetwork: internal_api
       CephClusterNetwork: storage_mgmt
       CephMonNetwork: storage
       CephRgwNetwork: storage

puppet/services/snmp.yaml

@@ -48,6 +48,13 @@ parameters:
     description: A string containing the commandline options passed to snmpd
     type: string
     default: '-LS0-5d'
+  SnmpdIpSubnet:
+    default: ''
+    description: IP address/subnet on the snmpd network. If empty (default), SnmpdNetwork
+                 will be taken.
+    type: string
+conditions:
+  snmpd_network_unset: {equals : [{get_param: SnmpdIpSubnet}, '']}
 
 outputs:
   role_data:
@@ -59,10 +66,20 @@ outputs:
         tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
         snmp::agentaddress: {get_param: SnmpdBindHost}
         snmp::snmpd_options: {get_param: SnmpdOptions}
+        snmpd_network:
+          str_replace:
+            template: "NETWORK_subnet"
+            params:
+              NETWORK: {get_param: [ServiceNetMap, SnmpdNetwork]}
         tripleo.snmp.firewall_rules:
-          '127 snmp':
+          '124 snmp':
             dport: 161
             proto: 'udp'
+            source:
+              if:
+              - snmpd_network_unset
+              - "%{hiera('snmpd_network')}"
+              - {get_param: SnmpdIpSubnet}
       step_config: |
         include ::tripleo::profile::base::snmp
       upgrade_tasks:

releasenotes/notes/snmp_firewall-ab17f60ba1ec71d2.yaml

@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Change the IPtables rule for SNMP service and open 161 udp port on
+    SnmpdIpSubnet parameter instead of 0.0.0.0/0.
+    If SnmpdIpSubnet is left empty, SnmpdNetwork will be used.
+