From 546619c2b4ccf880d0e5e62a36167e492b96208d Mon Sep 17 00:00:00 2001 
From: ativelkov Date: Fri, 6 Dec 2013 17:23:37 +0400 Subject: [PATCH] Fixed security groups for AdvNetworking support Requires change I87c694cfa7725e32956062b63529c3bda5804ba7 to work properly Change-Id: I16e9fcf5b95d9f77c26e80680975be701d2be271 --- .../Services/activeDirectory-manifest.yaml | 4 +- .../Services/aspNetApp-manifest.yaml | 4 +- .../Services/aspNetAppFarm-manifest.yaml | 3 + .../Services/demoService-manifest.yaml | 5 +- .../heat_templates/DefaultSecurity.template | 18 ++++ .../Services/heat_templates/Demo.template | 38 ------- .../heat_templates/DemoSecurity.template | 17 +++ .../heat_templates/InstancePort.template | 2 +- .../InstancePortWSubnet.template | 2 +- .../Services/heat_templates/Linux.template | 38 ------- .../heat_templates/LinuxSecurity.template | 17 +++ .../heat_templates/NNSecurity.template | 4 +- .../heat_templates/SQL-security.template | 20 +--- .../heat_templates/SQLCluster.template | 37 ------- .../heat_templates/TelnetSecurity.template | 17 +++ ...ty.template => WebServerSecurity.template} | 10 +- .../Services/heat_templates/Windows.template | 27 ----- .../heat_templates/WindowsSecurity.template | 17 +++ .../Services/linuxApacheService-manifest.yaml | 5 +- .../Services/linuxTelnetService-manifest.yaml | 3 + .../Services/msSqlClusterServer-manifest.yaml | 5 +- .../Services/msSqlServer-manifest.yaml | 3 + .../Services/webServer-manifest.yaml | 3 + .../Services/webServerFarm-manifest.yaml | 4 +- muranorepository/Services/workflows/AD.xml | 8 ++ .../Services/workflows/Apache.xml | 38 ++----- muranorepository/Services/workflows/Demo.xml | 13 ++- .../Services/workflows/LinuxTelnet.xml | 9 +- .../Services/workflows/MsSqlCluster.xml | 7 ++ .../Services/workflows/MsSqlServer.xml | 29 ++--- .../Services/workflows/Networking.xml | 101 +++++++++++++++++- .../Services/workflows/WebApps.xml | 10 ++ 32 files changed, 292 insertions(+), 226 deletions(-) create mode 100644 muranorepository/Services/heat_templates/DefaultSecurity.template create mode 
100644 muranorepository/Services/heat_templates/DemoSecurity.template create mode 100644 muranorepository/Services/heat_templates/LinuxSecurity.template create mode 100644 muranorepository/Services/heat_templates/TelnetSecurity.template rename muranorepository/Services/heat_templates/{ApacheSecurity.template => WebServerSecurity.template} (67%) create mode 100644 muranorepository/Services/heat_templates/WindowsSecurity.template diff --git a/muranorepository/Services/activeDirectory-manifest.yaml b/muranorepository/Services/activeDirectory-manifest.yaml index f39fcfc..08569c0 100644 --- a/muranorepository/Services/activeDirectory-manifest.yaml +++ b/muranorepository/Services/activeDirectory-manifest.yaml @@ -14,11 +14,13 @@ heat: - RouterInterface.template - Windows.template - Network.template -- NNSecurity.template - Param.template - Subnet.template - InstancePortWSubnet.template - InstancePort.template +- NNSecurity.template +- DefaultSecurity.template +- WindowsSecurity.template scripts: - Install-RoleSecondaryDomainController.ps1 - Install-RolePrimaryDomainController.ps1 diff --git a/muranorepository/Services/aspNetApp-manifest.yaml b/muranorepository/Services/aspNetApp-manifest.yaml index 077be12..7e2ae1f 100644 --- a/muranorepository/Services/aspNetApp-manifest.yaml +++ b/muranorepository/Services/aspNetApp-manifest.yaml @@ -27,7 +27,9 @@ heat: - Param.template - RouterInterface.template - Subnet.template - + - DefaultSecurity.template + - WindowsSecurity.template + - WebServerSecurity.template agent: - SetPassword.template diff --git a/muranorepository/Services/aspNetAppFarm-manifest.yaml b/muranorepository/Services/aspNetAppFarm-manifest.yaml index e6d0c7a..866fa09 100644 --- a/muranorepository/Services/aspNetAppFarm-manifest.yaml +++ b/muranorepository/Services/aspNetAppFarm-manifest.yaml 
@@ -28,6 +28,9 @@ heat: - RouterInterface.template - Subnet.template - LoadBalancer.template + - DefaultSecurity.template + - WindowsSecurity.template + - WebServerSecurity.template agent: - SetPassword.template diff --git a/muranorepository/Services/demoService-manifest.yaml b/muranorepository/Services/demoService-manifest.yaml index c82b808..70c0b35 100644 --- a/muranorepository/Services/demoService-manifest.yaml +++ b/muranorepository/Services/demoService-manifest.yaml @@ -11,8 +11,11 @@ heat: - Subnet.template - InstancePortWSubnet.template - InstancePort.template +- DefaultSecurity.template +- LinuxSecurity.template +- DemoSecurity.template scripts: [] -service_display_name: Demo Service +service_display_name: Demo Service service_version: '' ui: - Demo.yaml diff --git a/muranorepository/Services/heat_templates/DefaultSecurity.template b/muranorepository/Services/heat_templates/DefaultSecurity.template new file mode 100644 index 0000000..8fb2e26 --- /dev/null +++ b/muranorepository/Services/heat_templates/DefaultSecurity.template @@ -0,0 +1,18 @@ +{ + "Resources": { + "$MuranoSecurityGroup-{envName}": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupIngress": [ + { + "ToPort": "-1", + "IpProtocol": "icmp", + "FromPort": "-1", + "CidrIp": "$cidr" + } + ], + "GroupDescription": "$Composite security group for Murano Environment {envName}" + } + } + } +} diff --git a/muranorepository/Services/heat_templates/Demo.template b/muranorepository/Services/heat_templates/Demo.template index a737bc2..d3c3997 100644 --- a/muranorepository/Services/heat_templates/Demo.template +++ b/muranorepository/Services/heat_templates/Demo.template @@ -1,14 +1,6 @@ { "AWSTemplateFormatVersion": "2010-09-09", - "Parameters": { - "KeyName": { - "Description": "Key Pair name for Load Balancer", - "Type": "String", - "Default": "murano-lb-key" - } - }, - "Resources": { "$instanceName": { "Type": "AWS::EC2::Instance", 
@@ -18,36 +10,6 @@ "AvailabilityZone": "$availabilityZone", "UserData": "$userData" } - }, - "MuranoDefaultSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "SecurityGroupIngress": [ - { - "ToPort": "3389", - "IpProtocol": "tcp", - "FromPort": "3389", - "CidrIp": "0.0.0.0/0" - }, - { - "ToPort": "22", - "IpProtocol": "tcp", - "FromPort": "22", - "CidrIp": "0.0.0.0/0" - }, - { - "ToPort": "-1", - "IpProtocol": "icmp", - "FromPort": "-1", - "CidrIp": "0.0.0.0/0" - } - ], - "GroupDescription": "Default security group for Murano Environments" - } } - - }, - - "Outputs": { } } diff --git a/muranorepository/Services/heat_templates/DemoSecurity.template b/muranorepository/Services/heat_templates/DemoSecurity.template new file mode 100644 index 0000000..d5de9fc --- /dev/null +++ b/muranorepository/Services/heat_templates/DemoSecurity.template @@ -0,0 +1,17 @@ +{ + "Resources": { + "$MuranoSecurityGroup-{envName}": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupIngress": [ + { + "ToPort": "-1", + "IpProtocol": "icmp", + "FromPort": "-1", + "CidrIp": "0.0.0.0/0" + } + ] + } + } + } +} diff --git a/muranorepository/Services/heat_templates/InstancePort.template b/muranorepository/Services/heat_templates/InstancePort.template index 31bac7d..219374a 100644 --- a/muranorepository/Services/heat_templates/InstancePort.template +++ b/muranorepository/Services/heat_templates/InstancePort.template @@ -14,7 +14,7 @@ "Properties": { "security_groups": [ { - "Ref": "MuranoDefaultSecurityGroup" + "Ref": "$MuranoSecurityGroup-{envName}" } ], "network_id": { diff --git a/muranorepository/Services/heat_templates/InstancePortWSubnet.template b/muranorepository/Services/heat_templates/InstancePortWSubnet.template index 1ab0d4a..19d3883 100644 --- a/muranorepository/Services/heat_templates/InstancePortWSubnet.template +++ b/muranorepository/Services/heat_templates/InstancePortWSubnet.template 
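Review bot: DemoSecurity.template's only ingress rule (icmp -1/-1 from 0.0.0.0/0) repeats the ICMP rule that DefaultSecurity.template already contributes to the same `$MuranoSecurityGroup-{envName}` resource, but with a wider source than that template's `$cidr`; demoService-manifest.yaml lists both, so if the templates are merged per resource key the resulting group presumably allows ICMP from anywhere. The same world-wide ICMP rule is removed from Demo.template in this hunk, which suggests the narrower default is the intent. Either change the rule to `"CidrIp": "$cidr"` (making it a no-op duplicate) or drop it from DemoSecurity.template, if the merge step tolerates an empty `SecurityGroupIngress` list; if world-wide ICMP is wanted for the demo, it deserves a sentence in the commit message.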
@@ -14,7 +14,7 @@ "Properties": { "security_groups": [ { - "Ref": "MuranoDefaultSecurityGroup" + "Ref": "$MuranoSecurityGroup-{envName}" } ], "network_id": { diff --git a/muranorepository/Services/heat_templates/Linux.template b/muranorepository/Services/heat_templates/Linux.template index 2cc95f3..3773a6a 100644 --- a/muranorepository/Services/heat_templates/Linux.template +++ b/muranorepository/Services/heat_templates/Linux.template @@ -19,44 +19,6 @@ "AvailabilityZone": "$availabilityZone", "UserData": "$userData" } - }, - "MuranoDefaultSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "SecurityGroupIngress": [ - { - "ToPort": "22", - "IpProtocol": "tcp", - "FromPort": "22", - "CidrIp": "0.0.0.0/0" - }, - { - "ToPort": "23", - "IpProtocol": "tcp", - "FromPort": "23", - "CidrIp": "0.0.0.0/0" - }, - { - "ToPort": "-1", - "IpProtocol": "icmp", - "FromPort": "-1", - "CidrIp": "0.0.0.0/0" - }, - { - "IpProtocol": "tcp", - "FromPort" : "1", - "ToPort": "65535", - "CidrIp": "10.0.0.0/24" - }, - { - "IpProtocol": "udp", - "FromPort" : "1", - "ToPort": "65535", - "CidrIp": "10.0.0.0/24" - } - ], - "GroupDescription": "Default security group for Linux Murano Environments" - } } }, diff --git a/muranorepository/Services/heat_templates/LinuxSecurity.template b/muranorepository/Services/heat_templates/LinuxSecurity.template new file mode 100644 index 0000000..b898056 --- /dev/null +++ b/muranorepository/Services/heat_templates/LinuxSecurity.template @@ -0,0 +1,17 @@ +{ + "Resources": { + "$MuranoSecurityGroup-{envName}": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupIngress": [ + { + "ToPort": "22", + "IpProtocol": "tcp", + "FromPort": "22", + "CidrIp": "0.0.0.0/0" + } + ] + } + } + } +} diff --git a/muranorepository/Services/heat_templates/NNSecurity.template b/muranorepository/Services/heat_templates/NNSecurity.template index c6d617c..cc0051a 100644 --- a/muranorepository/Services/heat_templates/NNSecurity.template 
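Review bot: The Linux.template hunk removes the tcp and udp 1–65535 rules for 10.0.0.0/24 together with the old group, and none of the new *Security.template files restores an equivalent: DefaultSecurity.template allows only ICMP from `$cidr`, and LinuxSecurity.template only TCP 22 from 0.0.0.0/0. If instances within one environment still need to reach each other on arbitrary ports (presumably what the 10.0.0.0/24 rules served), that allowance now has to be expressed in DefaultSecurity.template keyed on `$cidr`; if dropping it is deliberate, it is a tightening of intra-environment connectivity that the commit message does not mention and should. The SSH rule in LinuxSecurity.template being world-reachable while DefaultSecurity uses `$cidr` reads as intentional, but the same split is applied inconsistently in SQL-security.template, noted separately at that hunk.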
+++ b/muranorepository/Services/heat_templates/NNSecurity.template @@ -4,10 +4,10 @@ "Properties": { "SecurityGroups": [ { - "Ref": "MuranoDefaultSecurityGroup" + "Ref": "$MuranoSecurityGroup-{envName}" } ] } } } -} \ No newline at end of file +} diff --git a/muranorepository/Services/heat_templates/SQL-security.template b/muranorepository/Services/heat_templates/SQL-security.template index aee056d..e4196cd 100644 --- a/muranorepository/Services/heat_templates/SQL-security.template +++ b/muranorepository/Services/heat_templates/SQL-security.template @@ -1,11 +1,6 @@ { "Resources": { - "$instancePort": { - "Properties": { - "SecurityGroups" : [ {"Ref" : "MsSqlSecurityGroup"} ] - } - }, - "MsSqlSecurityGroup": { + "$MuranoSecurityGroup-{envName}": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "SecurityGroupIngress": [ @@ -13,28 +8,21 @@ "ToPort": "4022", "IpProtocol": "tcp", "FromPort": "4022", - "CidrIp": "0.0.0.0/0" + "CidrIp": "$cidr" }, { "ToPort": "135", "IpProtocol": "tcp", "FromPort": "135", - "CidrIp": "0.0.0.0/0" + "CidrIp": "$cidr" }, { "ToPort": "1433", "IpProtocol": "tcp", "FromPort": "1433", "CidrIp": "0.0.0.0/0" - }, - { - "ToPort": "1434", - "IpProtocol": "tcp", - "FromPort": "1434", - "CidrIp": "0.0.0.0/0" } - ], - "GroupDescription": "Enable MS SQL access" + ] } } } diff --git a/muranorepository/Services/heat_templates/SQLCluster.template b/muranorepository/Services/heat_templates/SQLCluster.template index 3103ee4..a55405f 100644 --- a/muranorepository/Services/heat_templates/SQLCluster.template +++ b/muranorepository/Services/heat_templates/SQLCluster.template 
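Review bot: In SQL-security.template the 4022 and 135 rules move to `"CidrIp": "$cidr"` while the 1433 rule in the same list keeps `"CidrIp": "0.0.0.0/0"`, and with `GroupDescription` also removed nothing records why the SQL listener alone stays world-reachable. If 1433 is meant to be reachable from outside the environment (clients arriving via a floating IP) keep it but say so in the commit message; otherwise change it to `"CidrIp": "$cidr"` like its neighbours. Dropping the 1434 rule reduces exposure and looks fine.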
@@ -6,45 +6,8 @@ { "ip_address": "$clusterIp" } - ], - "SecurityGroups": [ - { - "Ref": "MsSqlSecurityGroup" - } ] } - }, - "MsSqlSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "SecurityGroupIngress": [ - { - "ToPort": "4022", - "IpProtocol": "tcp", - "FromPort": "4022", - "CidrIp": "0.0.0.0/0" - }, - { - "ToPort": "135", - "IpProtocol": "tcp", - "FromPort": "135", - "CidrIp": "0.0.0.0/0" - }, - { - "ToPort": "1433", - "IpProtocol": "tcp", - "FromPort": "1433", - "CidrIp": "0.0.0.0/0" - }, - { - "ToPort": "1434", - "IpProtocol": "tcp", - "FromPort": "1434", - "CidrIp": "0.0.0.0/0" - } - ], - "GroupDescription": "Enable MS SQL access" - } } } } diff --git a/muranorepository/Services/heat_templates/TelnetSecurity.template b/muranorepository/Services/heat_templates/TelnetSecurity.template new file mode 100644 index 0000000..52b82f1 --- /dev/null +++ b/muranorepository/Services/heat_templates/TelnetSecurity.template @@ -0,0 +1,17 @@ +{ + "Resources": { + "$MuranoSecurityGroup-{envName}": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupIngress": [ + { + "ToPort": "23", + "IpProtocol": "tcp", + "FromPort": "23", + "CidrIp": "0.0.0.0/0" + } + ] + } + } + } +} diff --git a/muranorepository/Services/heat_templates/ApacheSecurity.template b/muranorepository/Services/heat_templates/WebServerSecurity.template similarity index 67% rename from muranorepository/Services/heat_templates/ApacheSecurity.template rename to muranorepository/Services/heat_templates/WebServerSecurity.template index 9c6cda0..ffb8cee 100644 --- a/muranorepository/Services/heat_templates/ApacheSecurity.template +++ b/muranorepository/Services/heat_templates/WebServerSecurity.template 
@@ -1,11 +1,6 @@ { "Resources": { - "$port-{instanceName}": { - "Properties": { - "security_groups" : [ {"Ref" : "ApacheSecurityGroup"} ] - } - }, - "ApacheSecurityGroup": { + "$MuranoSecurityGroup-{envName}": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "SecurityGroupIngress": [ @@ -21,8 +16,7 @@ "FromPort": "433", "CidrIp": "0.0.0.0/0" } - ], - "GroupDescription": "Enable access to HTTP and HTTPS protocols" + ] } } } diff --git a/muranorepository/Services/heat_templates/Windows.template b/muranorepository/Services/heat_templates/Windows.template index 9460c47..b2b0dcb 100644 --- a/muranorepository/Services/heat_templates/Windows.template +++ b/muranorepository/Services/heat_templates/Windows.template @@ -1,7 +1,6 @@ { "AWSTemplateFormatVersion": "2010-09-09", - "Parameters": {}, "Resources": { "$instanceName": { @@ -12,32 +11,6 @@ "AvailabilityZone": "$availabilityZone", "UserData": "$userData" } - }, - "MuranoDefaultSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "SecurityGroupIngress": [ - { - "ToPort": "3389", - "IpProtocol": "tcp", - "FromPort": "3389", - "CidrIp": "0.0.0.0/0" - }, - { - "ToPort": "22", - "IpProtocol": "tcp", - "FromPort": "22", - "CidrIp": "0.0.0.0/0" - }, - { - "ToPort": "-1", - "IpProtocol": "icmp", - "FromPort": "-1", - "CidrIp": "0.0.0.0/0" - } - ], - "GroupDescription": "Default security group for Murano Environments" - } } }, diff --git a/muranorepository/Services/heat_templates/WindowsSecurity.template b/muranorepository/Services/heat_templates/WindowsSecurity.template new file mode 100644 index 0000000..a8d4c5c --- /dev/null +++ b/muranorepository/Services/heat_templates/WindowsSecurity.template @@ -0,0 +1,17 @@ +{ + "Resources": { + "$MuranoSecurityGroup-{envName}": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupIngress": [ + { + "ToPort": "3389", + "IpProtocol": "tcp", + "FromPort": "3389", + "CidrIp": "0.0.0.0/0" + } + ] + } + } + } +} 
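Review bot: The context line `"FromPort": "433",` in the second WebServerSecurity.template hunk looks like a typo for 443, which is what the removed `GroupDescription` ("HTTP and HTTPS") implies; the matching `"ToPort"` is outside the hunk and would need checking too. As written the group opens TCP 433 rather than HTTPS, and the rename from ApacheSecurity makes this template the HTTPS rule for every web-server manifest in this change, so the typo now propagates further. Pre-existing, but worth correcting while the file is being reworked: `"FromPort": "443",` with the ToPort to match.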
diff --git a/muranorepository/Services/linuxApacheService-manifest.yaml b/muranorepository/Services/linuxApacheService-manifest.yaml index db12b79..9f8ce82 100644 --- a/muranorepository/Services/linuxApacheService-manifest.yaml +++ b/muranorepository/Services/linuxApacheService-manifest.yaml @@ -19,7 +19,7 @@ workflows: heat: - Linux.template - - ApacheSecurity.template + - WebServerSecurity.template - InstancePort.template - InstancePortWSubnet.template - Network.template @@ -27,6 +27,9 @@ heat: - Param.template - RouterInterface.template - Subnet.template + - DefaultSecurity.template + - WebServerSecurity.template + - LinuxSecurity.template agent: - DeployApache.template diff --git a/muranorepository/Services/linuxTelnetService-manifest.yaml b/muranorepository/Services/linuxTelnetService-manifest.yaml index a612887..2eb24ce 100644 --- a/muranorepository/Services/linuxTelnetService-manifest.yaml +++ b/muranorepository/Services/linuxTelnetService-manifest.yaml @@ -26,6 +26,9 @@ heat: - Param.template - RouterInterface.template - Subnet.template + - DefaultSecurity.template + - LinuxSecurity.template + - TelnetSecurity.template agent: - DeployTelnet.template diff --git a/muranorepository/Services/msSqlClusterServer-manifest.yaml b/muranorepository/Services/msSqlClusterServer-manifest.yaml index 98d59b5..41547f6 100644 --- a/muranorepository/Services/msSqlClusterServer-manifest.yaml +++ b/muranorepository/Services/msSqlClusterServer-manifest.yaml @@ -28,6 +28,9 @@ heat: - Param.template - RouterInterface.template - Subnet.template + - DefaultSecurity.template + - WindowsSecurity.template + - SQL-security.template agent: @@ -51,4 +54,4 @@ scripts: - OptionParser.ps1 - SQLServer/SQLServerOptionParsers.ps1 - SQLServer/SQLServerInstaller.ps1 - - Export-Function.ps1 \ No newline at end of file + - Export-Function.ps1 diff --git a/muranorepository/Services/msSqlServer-manifest.yaml b/muranorepository/Services/msSqlServer-manifest.yaml index dc72c00..2928d05 100644 
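Review bot: linuxApacheService-manifest.yaml now lists `WebServerSecurity.template` twice: once where the first hunk renames the former ApacheSecurity entry, and again in the block the second hunk adds after Subnet.template. Unless the loader de-duplicates the heat list, the template will presumably be merged into `$MuranoSecurityGroup-{envName}` twice, which is at best redundant ingress rules and at worst a duplicate-rule error at stack creation. The other manifests in this change add the three security templates only in the trailing block, so removing the renamed line `- WebServerSecurity.template` from the first hunk (deleting the ApacheSecurity entry without a replacement) keeps this file consistent with them.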
--- a/muranorepository/Services/msSqlServer-manifest.yaml +++ b/muranorepository/Services/msSqlServer-manifest.yaml @@ -28,6 +28,9 @@ heat: - Param.template - RouterInterface.template - Subnet.template + - DefaultSecurity.template + - WindowsSecurity.template + - SQL-security.template agent: diff --git a/muranorepository/Services/webServer-manifest.yaml b/muranorepository/Services/webServer-manifest.yaml index 8922014..f2356a9 100644 --- a/muranorepository/Services/webServer-manifest.yaml +++ b/muranorepository/Services/webServer-manifest.yaml @@ -27,6 +27,9 @@ heat: - Param.template - RouterInterface.template - Subnet.template + - DefaultSecurity.template + - WindowsSecurity.template + - WebServerSecurity.template agent: - SetPassword.template diff --git a/muranorepository/Services/webServerFarm-manifest.yaml b/muranorepository/Services/webServerFarm-manifest.yaml index c19fd9d..d1d72c1 100644 --- a/muranorepository/Services/webServerFarm-manifest.yaml +++ b/muranorepository/Services/webServerFarm-manifest.yaml @@ -27,7 +27,9 @@ heat: - Param.template - RouterInterface.template - Subnet.template - + - DefaultSecurity.template + - WindowsSecurity.template + - WebServerSecurity.template agent: - SetPassword.template diff --git a/muranorepository/Services/workflows/AD.xml b/muranorepository/Services/workflows/AD.xml index d4538c8..8df34a0 100644 --- a/muranorepository/Services/workflows/AD.xml +++ b/muranorepository/Services/workflows/AD.xml @@ -7,6 +7,14 @@ + + + + WindowsSecurity + + + + diff --git a/muranorepository/Services/workflows/Apache.xml b/muranorepository/Services/workflows/Apache.xml index 8093603..8ce42b7 100644 --- a/muranorepository/Services/workflows/Apache.xml +++ b/muranorepository/Services/workflows/Apache.xml @@ -1,5 +1,15 @@ + + + + WebServerSecurity + LinuxSecurity + + + + + @@ -77,34 +87,6 @@ Configuring security groups on ) - - - - port- - - - Security groups configuration on instance ) is successful - - - - - - - ( 
diff --git a/muranorepository/Services/workflows/LinuxTelnet.xml b/muranorepository/Services/workflows/LinuxTelnet.xml index 1013c5f..5ceef3b 100644 --- a/muranorepository/Services/workflows/LinuxTelnet.xml +++ b/muranorepository/Services/workflows/LinuxTelnet.xml @@ -1,5 +1,12 @@ - + + + + TelnetSecurity + LinuxSecurity + + + diff --git a/muranorepository/Services/workflows/MsSqlCluster.xml b/muranorepository/Services/workflows/MsSqlCluster.xml index d66d2c2..e5bea10 100644 --- a/muranorepository/Services/workflows/MsSqlCluster.xml +++ b/muranorepository/Services/workflows/MsSqlCluster.xml @@ -1,4 +1,11 @@ + + + + SQL-security + + + diff --git a/muranorepository/Services/workflows/MsSqlServer.xml b/muranorepository/Services/workflows/MsSqlServer.xml index 58aa93a..193eaae 100644 --- a/muranorepository/Services/workflows/MsSqlServer.xml +++ b/muranorepository/Services/workflows/MsSqlServer.xml @@ -1,4 +1,13 @@ + + + + + SQL-security + + + + @@ -51,26 +60,6 @@ ( - - - - - ( - Unable to open SQL ports on instance ) due to - - - - + 0.0.0.0/0 @@ -59,7 +60,7 @@ + desc="Need to generate cidr for new subnet in network-to-join"> + + + network @@ -225,6 +240,7 @@ + network-port- @@ -244,6 +260,7 @@ + join- network- + + Applied default security template in subnet + + Applied default security template in subnet + + + + + Applied security template in subnet + + + + + + Applied security template in subnet