heat_template_version: 2014-10-16 resources: HTTP-REDIRECT-FW-LB: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ HTTP, REDIRECT-FW-LB ] properties: name: HTTP-REDIRECT-FW-LB enabled: true policy_classifier_id: { get_resource: HTTP } policy_actions: [ { get_resource: REDIRECT-FW-LB } ] shared: true HTTP-REDIRECT-LB: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ HTTP, REDIRECT-LB ] properties: name: HTTP-REDIRECT-LB enabled: true policy_classifier_id: { get_resource: HTTP } policy_actions: [ { get_resource: REDIRECT-LB } ] shared: true MySQL-REDIRECT-FW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ MySQL, REDIRECT-FW ] properties: name: MySQL-REDIRECT-FW enabled: true policy_classifier_id: { get_resource: MySQL } policy_actions: [ { get_resource: REDIRECT-FW } ] shared: true ANY-REDIRECT-VPN: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ ANY, REDIRECT-VPN ] properties: name: ANY-REDIRECT-VPN enabled: true policy_classifier_id: { get_resource: ANY } policy_actions: [ { get_resource: REDIRECT-VPN } ] shared: true HTTP-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ HTTP, ALLOW ] properties: name: HTTP-ALLOW enabled: true policy_classifier_id: { get_resource: HTTP } policy_actions: [ { get_resource: ALLOW } ] shared: true HTTPS-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ HTTPS, ALLOW ] properties: name: HTTPS-ALLOW enabled: true policy_classifier_id: { get_resource: HTTPS } policy_actions: [ { get_resource: ALLOW } ] shared: true SYSLOG-UDP-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ SYSLOG-UDP, ALLOW ] properties: name: SYSLOG-UDP-ALLOW enabled: true policy_classifier_id: { get_resource: SYSLOG-UDP } policy_actions: [ { get_resource: ALLOW } ] shared: true ICMP-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ ICMP, ALLOW ] properties: name: ICMP-ALLOW enabled: true policy_classifier_id: { get_resource: ICMP } policy_actions: [ { get_resource: ALLOW } ] shared: true SSH-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ SSH, ALLOW ] properties: name: SSH-ALLOW enabled: true policy_classifier_id: { get_resource: SSH } policy_actions: [ { get_resource: ALLOW } ] shared: true SNMP-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ SNMP, ALLOW ] properties: name: SNMP-ALLOW enabled: true policy_classifier_id: { get_resource: SNMP } policy_actions: [ { get_resource: ALLOW } ] shared: true ANY-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ ANY, ALLOW ] properties: name: ANY-ALLOW enabled: true policy_classifier_id: { get_resource: ANY } policy_actions: [ { get_resource: ALLOW } ] shared: true TCP-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ ANY-TCP, ALLOW ] properties: name: TCP-ALLOW enabled: true policy_classifier_id: { get_resource: ANY-TCP } policy_actions: [ { get_resource: ALLOW } ] shared: true UDP-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ ANY-UDP, ALLOW ] properties: name: UDP-ALLOW enabled: true policy_classifier_id: { get_resource: ANY-UDP } policy_actions: [ { get_resource: ALLOW } ] shared: true KEYSTONE-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ KEYSTONE, ALLOW ] properties: name: KEYSTONE-ALLOW enabled: true policy_classifier_id: { get_resource: KEYSTONE } policy_actions: [ { get_resource: ALLOW } ] shared: true KEYSTONE-ADMIN-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ KEYSTONE-ADMIN, ALLOW ] properties: name: KEYSTONE-ADMIN-ALLOW enabled: true policy_classifier_id: { get_resource: KEYSTONE-ADMIN } policy_actions: [ { get_resource: ALLOW } ] shared: true NEUTRON-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ NEUTRON, ALLOW ] properties: name: NEUTRON-ALLOW enabled: true policy_classifier_id: { get_resource: NEUTRON } policy_actions: [ { get_resource: ALLOW } ] shared: true NOVA-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ NOVA, ALLOW ] properties: name: NOVA-ALLOW enabled: true policy_classifier_id: { get_resource: NOVA } policy_actions: [ { get_resource: ALLOW } ] shared: true CEILOMETER-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ CEILOMETER, ALLOW ] properties: name: CEILOMETER-ALLOW enabled: true policy_classifier_id: { get_resource: CEILOMETER } policy_actions: [ { get_resource: ALLOW } ] shared: true MySQL-ALLOW: type: OS::GroupBasedPolicy::PolicyRule depends_on: [ MySQL, ALLOW ] properties: name: MySQL-ALLOW enabled: true policy_classifier_id: { get_resource: MySQL } policy_actions: [ { get_resource: ALLOW } ] shared: true ICMP: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: ICMP protocol: icmp direction: bi shared: true SSH: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: SSH protocol: tcp port_range: 22 direction: in shared: true HTTP: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: HTTP protocol: tcp port_range: 80 direction: in shared: true HTTPS: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: HTTPS protocol: tcp port_range: 443 direction: in shared: true SNMP: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: SNMP protocol: udp port_range: 161:162 direction: bi shared: true SYSLOG-UDP: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: SYSLOG-UDP protocol: udp port_range: 514 direction: bi shared: true ANY: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: ANY-TRAFFIC direction: bi shared: true ANY-TCP: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: ANY-TCP protocol: tcp direction: in shared: true ANY-UDP: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: ANY-UDP protocol: udp direction: bi shared: true MySQL: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: MySQL protocol: tcp port_range: 3306 direction: in shared: true NEUTRON: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: NEUTRON protocol: tcp port_range: 9696 direction: out shared: true NOVA: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: NOVA protocol: tcp port_range: 8774 direction: out shared: true CEILOMETER: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: CEILOMETER protocol: tcp port_range: 8777 direction: out shared: true KEYSTONE: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: KEYSTONE protocol: tcp port_range: 5000 direction: out shared: true KEYSTONE-ADMIN: type: OS::GroupBasedPolicy::PolicyClassifier properties: name: KEYSTONE-ADMIN protocol: tcp port_range: 35357 direction: out shared: true ALLOW: type: OS::GroupBasedPolicy::PolicyAction properties: name: ALLOW action_type: allow shared: true REDIRECT-LB: type: OS::GroupBasedPolicy::PolicyAction depends_on: [ SPEC-LB ] properties: name: REDIRECT-LB action_type: redirect action_value: { get_resource: SPEC-LB } shared: true REDIRECT-FW: type: OS::GroupBasedPolicy::PolicyAction depends_on: [ SPEC-FW ] properties: name: REDIRECT-FW action_type: redirect action_value: { get_resource: SPEC-FW } shared: true REDIRECT-FW-LB: type: OS::GroupBasedPolicy::PolicyAction depends_on: [ SPEC-FW-LB ] properties: name: REDIRECT-FW-LB action_type: redirect action_value: { get_resource: SPEC-FW-LB } shared: true REDIRECT-VPN: type: OS::GroupBasedPolicy::PolicyAction depends_on: [ SPEC-VPN ] properties: name: REDIRECT-VPN action_type: redirect action_value: { get_resource: SPEC-VPN } shared: true SPEC-LB: type: OS::GroupBasedPolicy::ServiceChainSpec depends_on: [ NODE-LB ] properties: name: LB nodes: [ { get_resource: NODE-LB } ] shared: true SPEC-FW: type: OS::GroupBasedPolicy::ServiceChainSpec depends_on: [ NODE-FW ] properties: name: FW nodes: [ { get_resource: NODE-FW } ] shared: true SPEC-FW-LB: type: OS::GroupBasedPolicy::ServiceChainSpec depends_on: [ NODE-FW, NODE-LB ] properties: name: FW-LB nodes: - { get_resource: NODE-FW } - { get_resource: NODE-LB } shared: true SPEC-VPN: type: OS::GroupBasedPolicy::ServiceChainSpec depends_on: [ NODE-VPN ] properties: name: VPN nodes: - { get_resource: NODE-VPN } shared: true NODE-FW: type: OS::GroupBasedPolicy::ServiceChainNode depends_on: [ PROFILE-FW ] properties: name: FW service_profile_id: { get_resource: PROFILE-FW } config: { get_file: fw.template } shared: True NODE-LB: type: OS::GroupBasedPolicy::ServiceChainNode depends_on: [ PROFILE-LB ] properties: name: LB service_profile_id: { get_resource: PROFILE-LB } config: { get_file: haproxy_lbaasv2_multiple_listeners.template } shared: true NODE-VPN: type: OS::GroupBasedPolicy::ServiceChainNode depends_on: [ PROFILE-VPN ] properties: name: VPN service_profile_id: { get_resource: PROFILE-VPN } config: { get_file: vpn.template } shared: true PROFILE-FW: type: OS::GroupBasedPolicy::ServiceProfile properties: name: FW vendor: NFP service_type: FIREWALL insertion_mode: l3 service_flavor: service_vendor=vyos,device_type=nova shared: true PROFILE-VPN: type: OS::GroupBasedPolicy::ServiceProfile properties: name: VPN vendor: NFP service_type: VPN insertion_mode: l3 service_flavor: service_vendor=vyos,device_type=nova shared: true PROFILE-LB: type: OS::GroupBasedPolicy::ServiceProfile properties: name: LB vendor: NFP service_type: LOADBALANCERV2 insertion_mode: l3 service_flavor: service_vendor=haproxy,device_type=nova shared: true LBVIP-IP-POLICY: type: OS::GroupBasedPolicy::NetworkServicePolicy properties: name: LBVIP-IP-POLICY network_service_params: - type: ip_single name: vip_ip value: self_subnet shared: True FIP-POLICY: type: OS::GroupBasedPolicy::NetworkServicePolicy properties: name: FIP-POLICY network_service_params: - type: ip_pool name: fip value: nat_pool shared: True