1c79250bfe
Removed LBaaS v1 related resource and configuration, and enabled LBaaS v2 as default version. Change-Id: I76a35c516e620f09e9a470ed8bf673f94cd02f8b Closes-Bug: 1676400
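# Heat (HOT) template that defines Group Based Policy (GBP) building blocks:
# policy rules, the classifiers and actions they reference, and the
# service-chain specs, nodes and profiles behind the redirect actions,
# plus two network service policies.
#
# NOTE(review): every resource below sets `shared: true`. In GBP a shared
# resource is presumably usable outside the owning tenant -- confirm that
# this is intended, in particular for the broad ANY/TCP/UDP allow rules.
#
# The explicit `depends_on` entries name the same resources that the
# `get_resource` references in each resource already point at.
heat_template_version: 2014-10-16

resources:

  # ------------------------------------------------------------------
  # Policy rules: each one pairs a classifier with one action.
  # ------------------------------------------------------------------

  # Redirect rules: matching traffic is steered into a service chain.
  HTTP-REDIRECT-FW-LB:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [HTTP, REDIRECT-FW-LB]
    properties:
      name: HTTP-REDIRECT-FW-LB
      enabled: true
      policy_classifier_id: { get_resource: HTTP }
      policy_actions:
        - { get_resource: REDIRECT-FW-LB }
      shared: true

  HTTP-REDIRECT-LB:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [HTTP, REDIRECT-LB]
    properties:
      name: HTTP-REDIRECT-LB
      enabled: true
      policy_classifier_id: { get_resource: HTTP }
      policy_actions:
        - { get_resource: REDIRECT-LB }
      shared: true

  MySQL-REDIRECT-FW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [MySQL, REDIRECT-FW]
    properties:
      name: MySQL-REDIRECT-FW
      enabled: true
      policy_classifier_id: { get_resource: MySQL }
      policy_actions:
        - { get_resource: REDIRECT-FW }
      shared: true

  ANY-REDIRECT-VPN:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [ANY, REDIRECT-VPN]
    properties:
      name: ANY-REDIRECT-VPN
      enabled: true
      policy_classifier_id: { get_resource: ANY }
      policy_actions:
        - { get_resource: REDIRECT-VPN }
      shared: true

  # Allow rules: matching traffic is permitted with no service chain.
  HTTP-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [HTTP, ALLOW]
    properties:
      name: HTTP-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: HTTP }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  HTTPS-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [HTTPS, ALLOW]
    properties:
      name: HTTPS-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: HTTPS }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  SYSLOG-UDP-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [SYSLOG-UDP, ALLOW]
    properties:
      name: SYSLOG-UDP-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: SYSLOG-UDP }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  ICMP-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [ICMP, ALLOW]
    properties:
      name: ICMP-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: ICMP }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  SSH-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [SSH, ALLOW]
    properties:
      name: SSH-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: SSH }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  SNMP-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [SNMP, ALLOW]
    properties:
      name: SNMP-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: SNMP }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  # NOTE(review): the ANY classifier sets neither protocol nor port_range
  # and is bidirectional, so this rule allows all traffic. A rule set that
  # includes it no longer restricts anything the narrower rules were meant
  # to scope; attach it only where an open policy is the stated intent.
  ANY-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [ANY, ALLOW]
    properties:
      name: ANY-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: ANY }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  # NOTE(review): ANY-TCP and ANY-UDP carry no port_range, so the next two
  # rules allow every TCP port (inbound) and every UDP port (both ways).
  TCP-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [ANY-TCP, ALLOW]
    properties:
      name: TCP-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: ANY-TCP }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  UDP-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [ANY-UDP, ALLOW]
    properties:
      name: UDP-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: ANY-UDP }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  KEYSTONE-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [KEYSTONE, ALLOW]
    properties:
      name: KEYSTONE-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: KEYSTONE }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  # NOTE(review): permits outbound TCP 35357 (see KEYSTONE-ADMIN below);
  # limit its use to groups that need the admin endpoint.
  KEYSTONE-ADMIN-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [KEYSTONE-ADMIN, ALLOW]
    properties:
      name: KEYSTONE-ADMIN-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: KEYSTONE-ADMIN }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  NEUTRON-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [NEUTRON, ALLOW]
    properties:
      name: NEUTRON-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: NEUTRON }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  NOVA-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [NOVA, ALLOW]
    properties:
      name: NOVA-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: NOVA }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  CEILOMETER-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [CEILOMETER, ALLOW]
    properties:
      name: CEILOMETER-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: CEILOMETER }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  MySQL-ALLOW:
    type: OS::GroupBasedPolicy::PolicyRule
    depends_on: [MySQL, ALLOW]
    properties:
      name: MySQL-ALLOW
      enabled: true
      policy_classifier_id: { get_resource: MySQL }
      policy_actions:
        - { get_resource: ALLOW }
      shared: true

  # ------------------------------------------------------------------
  # Policy classifiers: protocol / port_range / direction matchers.
  # ------------------------------------------------------------------

  ICMP:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: ICMP
      protocol: icmp
      direction: bi
      shared: true

  SSH:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: SSH
      protocol: tcp
      port_range: 22
      direction: in
      shared: true

  HTTP:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: HTTP
      protocol: tcp
      port_range: 80
      direction: in
      shared: true

  HTTPS:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: HTTPS
      protocol: tcp
      port_range: 443
      direction: in
      shared: true

  SNMP:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: SNMP
      protocol: udp
      # Quoted so the colon-separated range always loads as a string.
      port_range: '161:162'
      direction: bi
      shared: true

  SYSLOG-UDP:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: SYSLOG-UDP
      protocol: udp
      port_range: 514
      direction: bi
      shared: true

  # Catch-all: no protocol, no port_range, both directions. The GBP name
  # (ANY-TRAFFIC) differs from the Heat resource key (ANY).
  ANY:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: ANY-TRAFFIC
      direction: bi
      shared: true

  ANY-TCP:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: ANY-TCP
      protocol: tcp
      direction: in
      shared: true

  ANY-UDP:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: ANY-UDP
      protocol: udp
      direction: bi
      shared: true

  MySQL:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: MySQL
      protocol: tcp
      port_range: 3306
      direction: in
      shared: true

  # The classifiers below are all `direction: out` on a single TCP port.
  NEUTRON:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: NEUTRON
      protocol: tcp
      port_range: 9696
      direction: out
      shared: true

  NOVA:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: NOVA
      protocol: tcp
      port_range: 8774
      direction: out
      shared: true

  CEILOMETER:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: CEILOMETER
      protocol: tcp
      port_range: 8777
      direction: out
      shared: true

  KEYSTONE:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: KEYSTONE
      protocol: tcp
      port_range: 5000
      direction: out
      shared: true

  KEYSTONE-ADMIN:
    type: OS::GroupBasedPolicy::PolicyClassifier
    properties:
      name: KEYSTONE-ADMIN
      protocol: tcp
      port_range: 35357
      direction: out
      shared: true

  # ------------------------------------------------------------------
  # Policy actions: one plain allow, and redirects into service chains.
  # ------------------------------------------------------------------

  ALLOW:
    type: OS::GroupBasedPolicy::PolicyAction
    properties:
      name: ALLOW
      action_type: allow
      shared: true

  REDIRECT-LB:
    type: OS::GroupBasedPolicy::PolicyAction
    depends_on: [SPEC-LB]
    properties:
      name: REDIRECT-LB
      action_type: redirect
      action_value: { get_resource: SPEC-LB }
      shared: true

  REDIRECT-FW:
    type: OS::GroupBasedPolicy::PolicyAction
    depends_on: [SPEC-FW]
    properties:
      name: REDIRECT-FW
      action_type: redirect
      action_value: { get_resource: SPEC-FW }
      shared: true

  REDIRECT-FW-LB:
    type: OS::GroupBasedPolicy::PolicyAction
    depends_on: [SPEC-FW-LB]
    properties:
      name: REDIRECT-FW-LB
      action_type: redirect
      action_value: { get_resource: SPEC-FW-LB }
      shared: true

  REDIRECT-VPN:
    type: OS::GroupBasedPolicy::PolicyAction
    depends_on: [SPEC-VPN]
    properties:
      name: REDIRECT-VPN
      action_type: redirect
      action_value: { get_resource: SPEC-VPN }
      shared: true

  # ------------------------------------------------------------------
  # Service chain specs: lists of chain nodes, in the order written.
  # ------------------------------------------------------------------

  SPEC-LB:
    type: OS::GroupBasedPolicy::ServiceChainSpec
    depends_on: [NODE-LB]
    properties:
      name: LB
      nodes:
        - { get_resource: NODE-LB }
      shared: true

  SPEC-FW:
    type: OS::GroupBasedPolicy::ServiceChainSpec
    depends_on: [NODE-FW]
    properties:
      name: FW
      nodes:
        - { get_resource: NODE-FW }
      shared: true

  # Firewall node is listed before the load balancer node.
  SPEC-FW-LB:
    type: OS::GroupBasedPolicy::ServiceChainSpec
    depends_on: [NODE-FW, NODE-LB]
    properties:
      name: FW-LB
      nodes:
        - { get_resource: NODE-FW }
        - { get_resource: NODE-LB }
      shared: true

  SPEC-VPN:
    type: OS::GroupBasedPolicy::ServiceChainSpec
    depends_on: [NODE-VPN]
    properties:
      name: VPN
      nodes:
        - { get_resource: NODE-VPN }
      shared: true

  # ------------------------------------------------------------------
  # Service chain nodes: a service profile plus a config loaded with
  # get_file. The referenced *.template files are not part of this
  # template; review them separately, since they hold the actual
  # firewall, load balancer and VPN configuration.
  # ------------------------------------------------------------------

  NODE-FW:
    type: OS::GroupBasedPolicy::ServiceChainNode
    depends_on: [PROFILE-FW]
    properties:
      name: FW
      service_profile_id: { get_resource: PROFILE-FW }
      config: { get_file: fw.template }
      shared: true

  NODE-LB:
    type: OS::GroupBasedPolicy::ServiceChainNode
    depends_on: [PROFILE-LB]
    properties:
      name: LB
      service_profile_id: { get_resource: PROFILE-LB }
      config: { get_file: haproxy_lbaasv2_multiple_listeners.template }
      shared: true

  NODE-VPN:
    type: OS::GroupBasedPolicy::ServiceChainNode
    depends_on: [PROFILE-VPN]
    properties:
      name: VPN
      service_profile_id: { get_resource: PROFILE-VPN }
      config: { get_file: vpn.template }
      shared: true

  # ------------------------------------------------------------------
  # Service profiles: vendor, service type and flavor for each node.
  # ------------------------------------------------------------------

  PROFILE-FW:
    type: OS::GroupBasedPolicy::ServiceProfile
    properties:
      name: FW
      vendor: NFP
      service_type: FIREWALL
      insertion_mode: l3
      service_flavor: service_vendor=vyos,device_type=nova
      shared: true

  PROFILE-VPN:
    type: OS::GroupBasedPolicy::ServiceProfile
    properties:
      name: VPN
      vendor: NFP
      service_type: VPN
      insertion_mode: l3
      service_flavor: service_vendor=vyos,device_type=nova
      shared: true

  PROFILE-LB:
    type: OS::GroupBasedPolicy::ServiceProfile
    properties:
      name: LB
      vendor: NFP
      service_type: LOADBALANCERV2
      insertion_mode: l3
      service_flavor: service_vendor=haproxy,device_type=nova
      shared: true

  # ------------------------------------------------------------------
  # Network service policies: address parameters handed to services.
  # ------------------------------------------------------------------

  # Single IP named vip_ip, taken from self_subnet.
  LBVIP-IP-POLICY:
    type: OS::GroupBasedPolicy::NetworkServicePolicy
    properties:
      name: LBVIP-IP-POLICY
      network_service_params:
        - type: ip_single
          name: vip_ip
          value: self_subnet
      shared: true

  # IP pool named fip, taken from nat_pool.
  FIP-POLICY:
    type: OS::GroupBasedPolicy::NetworkServicePolicy
    properties:
      name: FIP-POLICY
      network_service_params:
        - type: ip_pool
          name: fip
          value: nat_pool
      shared: true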