From 7a58f1ffb1572122e76346156050f0b8c1c35c00 Mon Sep 17 00:00:00 2001 From: Pawel Wieczorek Date: Tue, 23 Jun 2020 17:18:24 +0200 Subject: Add Ansible roles for OpenStack security groups Additional OpenStack security group and its rules are required to allow traffic to virtual machines created on DevStack. Virtual machines will be accessible from 172.24.4.0/24 network (default public IP pool). Issue-ID: INT-1601 Change-Id: I902f64f542197e329e21790f98662d2e408d4bb6 
Signed-off-by: Pawel Wieczorek --- .../noheat/infra-openstack/ansible/create.yml | 1 + .../noheat/infra-openstack/ansible/destroy.yml | 1 + .../infra-openstack/ansible/group_vars/all.yml | 5 +++++ .../create_devstack_hosts/tasks/create_host.yml | 2 ++ .../tasks/create_securitygroup.yml | 19 +++++++++++++++++++ .../create_devstack_securitygroup/tasks/main.yml | 4 ++++ .../tasks/destroy_securitygroup.yml | 5 +++++ .../destroy_devstack_securitygroup/tasks/main.yml | 4 ++++ .../vagrant/test/create_securitygroup.stderr | 0 .../vagrant/test/create_securitygroup.stdout | 1 + .../vagrant/test/create_securitygroup.test | 21 +++++++++++++++++++++ .../vagrant/test/destroy_securitygroup.stderr | 0 .../vagrant/test/destroy_securitygroup.stdout | 1 + .../vagrant/test/destroy_securitygroup.test | 21 +++++++++++++++++++++ 14 files changed, 85 insertions(+) create mode 100644 deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/create_securitygroup.yml create mode 100644 deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/main.yml create mode 100644 deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/destroy_securitygroup.yml create mode 100644 deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/main.yml create mode 100644 deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.stderr create mode 100644 deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.stdout create mode 100755 deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.test create mode 100644 deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.stderr create mode 100644 deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.stdout create mode 100755 deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.test (limited to 'deployment/noheat') 
diff --git a/deployment/noheat/infra-openstack/ansible/create.yml b/deployment/noheat/infra-openstack/ansible/create.yml index a2665f911..38f2f9d20 100644 --- a/deployment/noheat/infra-openstack/ansible/create.yml +++ b/deployment/noheat/infra-openstack/ansible/create.yml @@ -5,5 +5,6 @@ gather_facts: False roles: - openstack/create_devstack_network + - openstack/create_devstack_securitygroup - openstack/create_devstack_keypair - openstack/create_devstack_hosts diff --git a/deployment/noheat/infra-openstack/ansible/destroy.yml b/deployment/noheat/infra-openstack/ansible/destroy.yml index 4576125c4..6091e597d 100644 --- a/deployment/noheat/infra-openstack/ansible/destroy.yml +++ b/deployment/noheat/infra-openstack/ansible/destroy.yml @@ -7,3 +7,4 @@ - openstack/destroy_devstack_hosts - openstack/destroy_devstack_keypair - openstack/destroy_devstack_network + - openstack/destroy_devstack_securitygroup diff --git a/deployment/noheat/infra-openstack/ansible/group_vars/all.yml b/deployment/noheat/infra-openstack/ansible/group_vars/all.yml index 1da1e8f78..40fdabf94 100644 --- a/deployment/noheat/infra-openstack/ansible/group_vars/all.yml +++ b/deployment/noheat/infra-openstack/ansible/group_vars/all.yml @@ -6,9 +6,14 @@ network: keypair: name: &keypair_name "onap_ci_lab" +securitygroup: + name: &securitygroup_name "onap_ci_lab" + remote_ip_prefix: "172.24.4.0/24" + hosts: - name: "operator0" image: "cirros-0.5.1-x86_64-disk" flavor: "cirros256" keypair: *keypair_name network: *network_name + securitygroup: *securitygroup_name diff --git a/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_hosts/tasks/create_host.yml b/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_hosts/tasks/create_host.yml index 847150f36..c164d7144 100644 --- a/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_hosts/tasks/create_host.yml 
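Review bot: `remote_ip_prefix: "172.24.4.0/24"` in the new `securitygroup` mapping is the only place the allowed source range is recorded, and nothing in group_vars says where the value comes from; the commit message explains it is DevStack's default public IP pool, but that context is lost to anyone editing the file later. A comment above the key such as `# Source range allowed to reach the VMs; must match the DevStack public IP pool (default 172.24.4.0/24)` keeps the dependency visible when the pool is changed. The `&securitygroup_name` anchor carries the same literal as `&keypair_name`; keeping them as separate anchors is right, since the two names need not stay equal.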
+++ b/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_hosts/tasks/create_host.yml @@ -7,3 +7,5 @@ flavor: "{{ host.flavor }}" key_name: "{{ host.keypair }}" network: "{{ host.network }}" + security_groups: + - "{{ host.securitygroup }}" diff --git a/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/create_securitygroup.yml b/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/create_securitygroup.yml new file mode 100644 index 000000000..d6b78d1f4 --- /dev/null +++ b/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/create_securitygroup.yml @@ -0,0 +1,19 @@ +--- +- name: "Create {{ secgrp.name }} security group" + os_security_group: + state: present + name: "{{ secgrp.name }}" + +- name: "Create {{ secgrp.name }} security group rule for ping" + os_security_group_rule: + security_group: "{{ secgrp.name }}" + protocol: icmp + remote_ip_prefix: "{{ secgrp.remote_ip_prefix }}" + +- name: "Create {{ secgrp.name }} security group rule for SSH" + os_security_group_rule: + security_group: "{{ secgrp.name }}" + protocol: tcp + port_range_min: 22 + port_range_max: 22 + remote_ip_prefix: "{{ secgrp.remote_ip_prefix }}" diff --git a/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/main.yml b/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/main.yml new file mode 100644 index 000000000..da125cbc4 --- /dev/null +++ b/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- include: create_securitygroup.yml secgrp={{ item }} + with_items: + - "{{ securitygroup }}" 
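Review bot: `security_groups: - "{{ host.securitygroup }}"` hands os_server a single-element list, and as far as I recall the module's default for this parameter is the project's `default` group, so the instance is now placed only in `onap_ci_lab` rather than in `default` plus `onap_ci_lab`. That is the tighter outcome and may well be intended, but the `default` group's egress and intra-group rules will no longer apply to these hosts; if they are still wanted, list both groups here, otherwise record the choice with a comment such as `# replaces, not extends, the default security group`. The enclosing os_server task starts outside the hunk.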
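Review bot: The task named "rule for ping" admits every ICMP type from `secgrp.remote_ip_prefix`, because `protocol: icmp` is given without a type/code restriction; Neutron carries the ICMP type in `port_range_min` and the code in `port_range_max`, so if echo-request alone is meant, `port_range_min: 8` and `port_range_max: 0` narrow the rule (verify against the module's ICMP handling before relying on it). Direction and ethertype are left at the module defaults on both rules, which is presumably ingress/IPv4 and intended, but worth stating in a comment since nothing on the rule says so. The group itself is created without a `description`, so `openstack security group list` shows only the name; a short description naming the owning role helps once several groups share the DevStack project.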
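Review bot: `- include: create_securitygroup.yml secgrp={{ item }}` relies on the `include` keyword with inline `key=value` parameters, which Ansible has deprecated in favour of `include_tasks` with a `vars:` block; `- include_tasks: create_securitygroup.yml` followed by `vars:` / `secgrp: "{{ item }}"` is the current form and keeps the parameter as YAML rather than a string to be parsed. The same applies to destroy_devstack_securitygroup/tasks/main.yml later in this patch. If the sibling network and keypair roles still use the old form, matching them is defensible, but the migration should then happen for all of them together rather than never.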
diff --git a/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/destroy_securitygroup.yml b/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/destroy_securitygroup.yml
new file mode 100644
index 000000000..eb86f9bc2
--- /dev/null
+++ b/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/destroy_securitygroup.yml
@@ -0,0 +1,5 @@
+---
+- name: "Destroy {{ secgrp.name }} security group"
+ os_security_group:
+ state: absent
+ name: "{{ secgrp.name }}"
diff --git a/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/main.yml b/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/main.yml
new file mode 100644
index 000000000..586e18067
--- /dev/null
+++ b/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- include: destroy_securitygroup.yml secgrp={{ item }}
+ with_items:
+ - "{{ securitygroup }}"
diff --git a/deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.stderr b/deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.stderr
new file mode 100644
index 000000000..e69de29bb
diff --git a/deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.stdout b/deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.stdout
new file mode 100644
index 000000000..363825389
--- /dev/null
+++ b/deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.stdout
@@ -0,0 +1 @@
+"onap_ci_lab"
diff --git a/deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.test b/deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.test
new file mode 100755
index 000000000..6378776b8
--- /dev/null
+++ b/deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.test
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+export SECURITYGROUP_NAME='onap_ci_lab'
+
+export VAGRANT_CWD='..'
+
+set_up() {
+ vagrant up --provision-with=run_playbook_destroy
+ vagrant up --provision-with=run_playbook_create
+}
+
+check() {
+ local secgrp="$1"
+ vagrant ssh operator --no-tty -c \
+ "export OS_CLOUD=openstack; openstack security group list -fcsv" \
+ | grep "$secgrp" \
+ | cut -d',' -f2
+}
+
+set_up >/dev/null # drop provisioning output
+check "$SECURITYGROUP_NAME"
diff --git a/deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.stderr b/deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.stderr
new file mode 100644
index 000000000..e69de29bb
diff --git a/deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.stdout b/deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.stdout
new file mode 100644
index 000000000..7adb2f89a
--- /dev/null
+++ b/deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.stdout
@@ -0,0 +1 @@
+Security group onap_ci_lab not found.
diff --git a/deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.test b/deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.test
new file mode 100755
index 000000000..0d8042d6a
--- /dev/null
+++ b/deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.test
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+export SECURITYGROUP_NAME='onap_ci_lab'
+
+export VAGRANT_CWD='..'
+
+set_up() {
+ vagrant up --provision-with=run_playbook_create
+ vagrant up --provision-with=run_playbook_destroy
+}
+
+check() {
+ local secgrp="$1"
+ vagrant ssh operator --no-tty -c \
+ "export OS_CLOUD=openstack; openstack security group list -fcsv" \
+ | grep "$secgrp" \
+ || echo "Security group ${secgrp} not found."
+}
+
+set_up >/dev/null # drop provisioning output
+check "$SECURITYGROUP_NAME"
-- cgit 1.2.3-korg
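Review bot: `grep "$secgrp"` in check() is a substring match over the whole CSV row, so a group whose name or description merely contains `onap_ci_lab` (or a later `onap_ci_lab2`) would satisfy the create test and mask a missing group; anchoring on the quoted name column, e.g. `grep -F ",\"${secgrp}\","`, makes the check exact for the `-fcsv` output the test already expects to be quoted. The same pattern appears in destroy_securitygroup.test, where a substring hit would suppress the expected "not found" line. `local` is used under `#!/bin/sh`; it is not POSIX, so both scripts depend on the box's /bin/sh being dash or bash, which is worth a one-line comment so the assumption is visible.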