A Heat stack that defines a security group and creates the rules in that group.
---
The Heat stack YAML file (HOT template) that creates the security group and adds the rules to it is:
[root@newtonallinone HeatOrchestrationTemplates(keystone_admin)]# cat 09securitygroup.yml
---
# for Newton release of OpenStack
#
heat_template_version: 2016-10-14
description: put a security group
resources:
  securitygroup:
    type: OS::Neutron::SecurityGroup
    properties:
      name: securitygroup80-443-22-ICMP
      #rules:
      #type: list
      # each entry becomes one OS::Neutron::SecurityGroupRule on the group
      rules:
        - { direction: ingress, ethertype: IPv4, protocol: icmp, remote_ip_prefix: 0.0.0.0/0 }
        - { direction: ingress, ethertype: IPv4, port_range_min: 22, port_range_max: 22, protocol: tcp, remote_ip_prefix: 0.0.0.0/0 }
        - { direction: ingress, ethertype: IPv4, port_range_min: 80, port_range_max: 80, protocol: tcp, remote_ip_prefix: 0.0.0.0/0 }
        - { direction: ingress, ethertype: IPv4, port_range_min: 443, port_range_max: 443, protocol: tcp, remote_ip_prefix: 0.0.0.0/0 }
outputs:
  subnet_info:
    # get_attr with only the resource name returns all attributes of the security group
    value: { get_attr: [securitygroup] }
[root@newtonallinone HeatOrchestrationTemplates(keystone_admin)]#
---
- When the above YAML file is passed to OpenStack orchestration (Heat) as a stack template, it first creates the security group 'securitygroup80-443-22-ICMP' and then adds the following rules to it:
ingress from 0.0.0.0/0 for ICMP (ping)
ingress from 0.0.0.0/0 for SSH, TCP 22
ingress from 0.0.0.0/0 for HTTP, TCP 80
ingress from 0.0.0.0/0 for HTTPS, TCP 443
---
Implement the stack
[root@newtonallinone HeatOrchestrationTemplates(keystone_admin)]# openstack stack create -t 09securitygroup.yml securitygroup80-443-22-ICMP
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| id | ec487918-3130-4a5c-9302-4711119c2cd9 |
| stack_name | securitygroup80-443-22-ICMP |
| description | put a security group |
| creation_time | 2017-10-19T21:40:39Z |
| updated_time | None |
| stack_status | CREATE_IN_PROGRESS |
| stack_status_reason | Stack CREATE started |
+---------------------+--------------------------------------+
[root@newtonallinone HeatOrchestrationTemplates(keystone_admin)]#
Heat has started creating the stack and returned its id (the stack_id shown above).
----------
Confirm the security group and rules
[root@newtonallinone HeatOrchestrationTemplates(keystone_admin)]# neutron security-group-list | grep ICMP
| dc2a8841-cd94-4349-8643-942f2b2596b7 | securitygroup80-443-22-ICMP | egress, IPv4 |
[root@newtonallinone HeatOrchestrationTemplates(keystone_admin)]#
Confirm the
[root@newtonallinone HeatOrchestrationTemplates(keystone_admin)]# neutron security-group-show securitygroup80-443-22-ICMP
+----------------------+--------------------------------------------------------------------+
| Field | Value |
+----------------------+--------------------------------------------------------------------+
| created_at | 2017-10-19T21:40:40Z |
| description | |
| id | dc2a8841-cd94-4349-8643-942f2b2596b7 |
| name | securitygroup80-443-22-ICMP |
| project_id | 49b25ce4022c492fa0c1eab4fc6c7419 |
| revision_number | 5 |
| security_group_rules | { |
| | "remote_group_id": null, |
| | "direction": "ingress", |
| | "protocol": "tcp", |
| | "description": "", |
| | "ethertype": "IPv4", |
| | "remote_ip_prefix": "0.0.0.0/0", |
| | "port_range_max": 22, |
| | "updated_at": "2017-10-19T21:40:40Z", |
| | "security_group_id": "dc2a8841-cd94-4349-8643-942f2b2596b7", |
| | "port_range_min": 22, |
| | "revision_number": 1, |
| | "tenant_id": "49b25ce4022c492fa0c1eab4fc6c7419", |
| | "created_at": "2017-10-19T21:40:40Z", |
| | "project_id": "49b25ce4022c492fa0c1eab4fc6c7419", |
| | "id": "267fc284-9657-41c1-b221-bb737d50e709" |
| | } |
| | { |
| | "remote_group_id": null, |
| | "direction": "ingress", |
| | "protocol": "icmp", |
| | "description": "", |
| | "ethertype": "IPv4", |
| | "remote_ip_prefix": "0.0.0.0/0", |
| | "port_range_max": null, |
| | "updated_at": "2017-10-19T21:40:40Z", |
| | "security_group_id": "dc2a8841-cd94-4349-8643-942f2b2596b7", |
| | "port_range_min": null, |
| | "revision_number": 1, |
| | "tenant_id": "49b25ce4022c492fa0c1eab4fc6c7419", |
| | "created_at": "2017-10-19T21:40:40Z", |
| | "project_id": "49b25ce4022c492fa0c1eab4fc6c7419", |
| | "id": "64b97157-fa46-4bfe-84cb-da7ba9c8e76b" |
| | } |
| | { |
| | "remote_group_id": null, |
| | "direction": "ingress", |
| | "protocol": "tcp", |
| | "description": "", |
| | "ethertype": "IPv4", |
| | "remote_ip_prefix": "0.0.0.0/0", |
| | "port_range_max": 443, |
| | "updated_at": "2017-10-19T21:40:41Z", |
| | "security_group_id": "dc2a8841-cd94-4349-8643-942f2b2596b7", |
| | "port_range_min": 443, |
| | "revision_number": 1, |
| | "tenant_id": "49b25ce4022c492fa0c1eab4fc6c7419", |
| | "created_at": "2017-10-19T21:40:41Z", |
| | "project_id": "49b25ce4022c492fa0c1eab4fc6c7419", |
| | "id": "87d969f5-d315-4ab3-ba28-fe1de7f0988b" |
| | } |
| | { |
| | "remote_group_id": null, |
| | "direction": "egress", |
| | "protocol": null, |
| | "description": null, |
| | "ethertype": "IPv4", |
| | "remote_ip_prefix": null, |
| | "port_range_max": null, |
| | "updated_at": "2017-10-19T21:40:40Z", |
| | "security_group_id": "dc2a8841-cd94-4349-8643-942f2b2596b7", |
| | "port_range_min": null, |
| | "revision_number": 1, |
| | "tenant_id": "49b25ce4022c492fa0c1eab4fc6c7419", |
| | "created_at": "2017-10-19T21:40:40Z", |
| | "project_id": "49b25ce4022c492fa0c1eab4fc6c7419", |
| | "id": "b1903a87-8ae4-40d0-b6d9-75276eb2e4cf" |
| | } |
| | { |
| | "remote_group_id": null, |
| | "direction": "egress", |
| | "protocol": null, |
| | "description": null, |
| | "ethertype": "IPv6", |
| | "remote_ip_prefix": null, |
| | "port_range_max": null, |
| | "updated_at": "2017-10-19T21:40:40Z", |
| | "security_group_id": "dc2a8841-cd94-4349-8643-942f2b2596b7", |
| | "port_range_min": null, |
| | "revision_number": 1, |
| | "tenant_id": "49b25ce4022c492fa0c1eab4fc6c7419", |
| | "created_at": "2017-10-19T21:40:40Z", |
| | "project_id": "49b25ce4022c492fa0c1eab4fc6c7419", |
| | "id": "b845f9ed-4aed-46f4-8480-de6560f781b8" |
| | } |
| | { |
| | "remote_group_id": null, |
| | "direction": "ingress", |
| | "protocol": "tcp", |
| | "description": "", |
| | "ethertype": "IPv4", |
| | "remote_ip_prefix": "0.0.0.0/0", |
| | "port_range_max": 80, |
| | "updated_at": "2017-10-19T21:40:40Z", |
| | "security_group_id": "dc2a8841-cd94-4349-8643-942f2b2596b7", |
| | "port_range_min": 80, |
| | "revision_number": 1, |
| | "tenant_id": "49b25ce4022c492fa0c1eab4fc6c7419", |
| | "created_at": "2017-10-19T21:40:40Z", |
| | "project_id": "49b25ce4022c492fa0c1eab4fc6c7419", |
| | "id": "f5633437-f842-470d-997c-e5279e31f0eb" |
| | } |
| tenant_id | 49b25ce4022c492fa0c1eab4fc6c7419 |
| updated_at | 2017-10-19T21:40:41Z |
+----------------------+--------------------------------------------------------------------+
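As an added example (not code from the original post), the following Python audits the rules declared in the HOT template above and reconciles them with what 'neutron security-group-show' reported, automating the confirm step. The template is the page's 09securitygroup.yml written as the dict yaml.safe_load() would return; the Neutron rule list is constructed from the page's output, keeping only the fields compared here.

```python
# Constructed: the page's 09securitygroup.yml as a parsed dict (what yaml.safe_load would give).
HOT_TEMPLATE = {
    "heat_template_version": "2016-10-14",
    "resources": {
        "securitygroup": {
            "type": "OS::Neutron::SecurityGroup",
            "properties": {
                "name": "securitygroup80-443-22-ICMP",
                "rules": [
                    {"direction": "ingress", "ethertype": "IPv4", "protocol": "icmp", "remote_ip_prefix": "0.0.0.0/0"},
                    {"direction": "ingress", "ethertype": "IPv4", "port_range_min": 22, "port_range_max": 22, "protocol": "tcp", "remote_ip_prefix": "0.0.0.0/0"},
                    {"direction": "ingress", "ethertype": "IPv4", "port_range_min": 80, "port_range_max": 80, "protocol": "tcp", "remote_ip_prefix": "0.0.0.0/0"},
                    {"direction": "ingress", "ethertype": "IPv4", "port_range_min": 443, "port_range_max": 443, "protocol": "tcp", "remote_ip_prefix": "0.0.0.0/0"},
                ],
            },
        }
    },
}
# Constructed from the page's 'neutron security-group-show' output. The two egress rules
# were added by Neutron itself (its defaults for a new group), not by the template.
NEUTRON_RULES = [
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "icmp", "port_range_min": None, "port_range_max": None, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 443, "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "egress", "ethertype": "IPv4", "protocol": None, "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None},
    {"direction": "egress", "ethertype": "IPv6", "protocol": None, "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 80, "port_range_max": 80, "remote_ip_prefix": "0.0.0.0/0"},
]

def normalize(rule):
    """Reduce a rule to the tuple that identifies it, so template and API forms compare equal
    (the template omits port_range_* for icmp; Neutron reports them as null)."""
    return (rule.get("direction"), rule.get("ethertype"), rule.get("protocol"),
            rule.get("port_range_min"), rule.get("port_range_max"), rule.get("remote_ip_prefix"))

def template_rules(template):
    """Collect the rules declared on every OS::Neutron::SecurityGroup resource in a HOT template."""
    rules = []
    for res in template.get("resources", {}).values():
        if res.get("type") == "OS::Neutron::SecurityGroup":
            rules.extend(res.get("properties", {}).get("rules", []))
    return rules

def reconcile(template, neutron_rules):
    """Return (missing, extra): declared rules Neutron lacks, and Neutron rules the template never declared."""
    declared = {normalize(r) for r in template_rules(template)}
    actual = {normalize(r) for r in neutron_rules}
    return sorted(declared - actual, key=str), sorted(actual - declared, key=str)

def world_open_ingress(template):
    """Ingress rules reachable from any source address; review these before creating the stack."""
    return [r for r in template_rules(template)
            if r.get("direction") == "ingress" and r.get("remote_ip_prefix") in ("0.0.0.0/0", "::/0")]
```

For the page's template the reconciliation reports nothing missing and only the two default egress rules as extra, while all four ingress rules are flagged as open to 0.0.0.0/0, which is what the group name advertises.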