Add Ansible roles for OpenStack security groups

Additional OpenStack security group and its rules are required to allow
traffic to virtual machines created on DevStack. Virtual machines will
be accessible from 172.24.4.0/24 network (default public IP pool).

Issue-ID: INT-1601
Change-Id: I902f64f542197e329e21790f98662d2e408d4bb6
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

5 files changed, 34 insertions, 0 deletions

diff --git a/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_hosts/tasks/create_host.yml b/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_hosts/tasks/create_host.yml
index 847150f36..c164d7144 100644
--- a/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_hosts/tasks/create_host.yml
+++ b/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_hosts/tasks/create_host.yml
@@ -7,3 +7,5 @@
     flavor: "{{ host.flavor }}"
     key_name: "{{ host.keypair }}"
     network: "{{ host.network }}"
+    security_groups:
+      - "{{ host.securitygroup }}"
diff --git a/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/create_securitygroup.yml b/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/create_securitygroup.yml
new file mode 100644
index 000000000..d6b78d1f4
--- /dev/null
+++ b/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/create_securitygroup.yml
@@ -0,0 +1,19 @@
+---
+- name: "Create {{ secgrp.name }} security group"
+  os_security_group:
+    state: present
+    name: "{{ secgrp.name }}"
+
+- name: "Create {{ secgrp.name }} security group rule for ping"
+  os_security_group_rule:
+    security_group: "{{ secgrp.name }}"
+    protocol: icmp
+    remote_ip_prefix: "{{ secgrp.remote_ip_prefix }}"
+
+- name: "Create {{ secgrp.name }} security group rule for SSH"
+  os_security_group_rule:
+    security_group: "{{ secgrp.name }}"
+    protocol: tcp
+    port_range_min: 22
+    port_range_max: 22
+    remote_ip_prefix: "{{ secgrp.remote_ip_prefix }}"
diff --git a/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/main.yml b/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/main.yml
new file mode 100644
index 000000000..da125cbc4
--- /dev/null
+++ b/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- include: create_securitygroup.yml secgrp={{ item }}
+  with_items:
+    - "{{ securitygroup }}"
diff --git a/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/destroy_securitygroup.yml b/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/destroy_securitygroup.yml
new file mode 100644
index 000000000..eb86f9bc2
--- /dev/null
+++ b/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/destroy_securitygroup.yml
@@ -0,0 +1,5 @@
+---
+- name: "Destroy {{ secgrp.name }} security group"
+  os_security_group:
+    state: absent
+    name: "{{ secgrp.name }}"
diff --git a/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/main.yml b/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/main.yml
new file mode 100644
index 000000000..586e18067
--- /dev/null
+++ b/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- include: destroy_securitygroup.yml secgrp={{ item }}
+  with_items:
+    - "{{ securitygroup }}"