Add Ansible roles for OpenStack security groups 84/109684/4
authorPawel Wieczorek <p.wieczorek2@samsung.com>
Tue, 23 Jun 2020 15:18:24 +0000 (17:18 +0200)
committerBartek Grzybowski <b.grzybowski@partner.samsung.com>
Thu, 30 Jul 2020 09:03:24 +0000 (09:03 +0000)
An additional OpenStack security group and its rules are required to allow
traffic to virtual machines created on DevStack. Virtual machines will
be accessible from the 172.24.4.0/24 network (default public IP pool).

Issue-ID: INT-1601
Change-Id: I902f64f542197e329e21790f98662d2e408d4bb6
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
14 files changed:
deployment/noheat/infra-openstack/ansible/create.yml
deployment/noheat/infra-openstack/ansible/destroy.yml
deployment/noheat/infra-openstack/ansible/group_vars/all.yml
deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_hosts/tasks/create_host.yml
deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/create_securitygroup.yml [new file with mode: 0644]
deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/main.yml [new file with mode: 0644]
deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/destroy_securitygroup.yml [new file with mode: 0644]
deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/main.yml [new file with mode: 0644]
deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.stderr [new file with mode: 0644]
deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.stdout [new file with mode: 0644]
deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.test [new file with mode: 0755]
deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.stderr [new file with mode: 0644]
deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.stdout [new file with mode: 0644]
deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.test [new file with mode: 0755]

index a2665f9..38f2f9d 100644 (file)
@@ -5,5 +5,6 @@
   gather_facts: False
   roles:
     - openstack/create_devstack_network
+    - openstack/create_devstack_securitygroup
     - openstack/create_devstack_keypair
     - openstack/create_devstack_hosts
index 4576125..6091e59 100644 (file)
@@ -7,3 +7,4 @@
     - openstack/destroy_devstack_hosts
     - openstack/destroy_devstack_keypair
     - openstack/destroy_devstack_network
+    - openstack/destroy_devstack_securitygroup
index 1da1e8f..40fdabf 100644 (file)
@@ -6,9 +6,14 @@ network:
 keypair:
   name: &keypair_name "onap_ci_lab"
 
+securitygroup:
+  name: &securitygroup_name "onap_ci_lab"
+  remote_ip_prefix: "172.24.4.0/24"
+
 hosts:
   - name: "operator0"
     image: "cirros-0.5.1-x86_64-disk"
     flavor: "cirros256"
     keypair: *keypair_name
     network: *network_name
+    securitygroup: *securitygroup_name
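Review bot: The new `securitygroup: *securitygroup_name` entry on the `operator0` host is only useful if the host-creation role passes it to the server's security groups, and the create_host.yml change that the file list (line 4 of the list) says this commit makes is not visible on this page; confirm that it maps this key onto the instance's security groups, otherwise the ICMP/SSH rules added by the new role never apply to the VM. The `remote_ip_prefix` value is a quoted string, which is correct, but a one-line comment tying it to the DevStack public pool would save the next reader a trip to the commit message, e.g. `# DevStack default public IP pool; only this range may reach the VMs`. The `hosts` list continues outside the hunk.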
diff --git a/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/create_securitygroup.yml b/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/create_securitygroup.yml
new file mode 100644 (file)
index 0000000..d6b78d1
--- /dev/null
@@ -0,0 +1,19 @@
+---
+- name: "Create {{ secgrp.name }} security group"
+  os_security_group:
+    state: present
+    name: "{{ secgrp.name }}"
+
+- name: "Create {{ secgrp.name }} security group rule for ping"
+  os_security_group_rule:
+    security_group: "{{ secgrp.name }}"
+    protocol: icmp
+    remote_ip_prefix: "{{ secgrp.remote_ip_prefix }}"
+
+- name: "Create {{ secgrp.name }} security group rule for SSH"
+  os_security_group_rule:
+    security_group: "{{ secgrp.name }}"
+    protocol: tcp
+    port_range_min: 22
+    port_range_max: 22
+    remote_ip_prefix: "{{ secgrp.remote_ip_prefix }}"
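Review bot: Neither `os_security_group_rule` task sets `direction`, so both rules are ingress-only by module default, and if the target Neutron keeps its usual behaviour the freshly created group also carries allow-all egress rules that nothing here mentions; a reader may assume the group is closed except for ping and SSH. A comment above the first rule would record that, e.g. `# Ingress rules only; the group keeps Neutron's default allow-all egress rules`. The group is also created without a `description`, so it is indistinguishable in the dashboard from the same-named keypair and network; adding `description: "Ping and SSH from {{ secgrp.remote_ip_prefix }}"` under the `os_security_group` task documents intent where operators will see it.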
diff --git a/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/main.yml b/deployment/noheat/infra-openstack/ansible/roles/openstack/create_devstack_securitygroup/tasks/main.yml
new file mode 100644 (file)
index 0000000..da125cb
--- /dev/null
@@ -0,0 +1,4 @@
+---
+- include: create_securitygroup.yml secgrp={{ item }}
+  with_items:
+    - "{{ securitygroup }}"
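Review bot: `include:` with a `key={{ item }}` argument string is the pre-2.4 form that Ansible has marked deprecated in favour of `include_tasks` with explicit `vars`, and `with_items` has its `loop` successor; passing a mapping through the `secgrp={{ item }}` string also relies on Ansible re-parsing the rendered text rather than handing the dict over directly. The same shape is used in destroy_devstack_securitygroup/tasks/main.yml. If the sibling network and keypair roles still use `include`, keeping the file consistent with them is defensible, but the newer form below is what a fresh role would be written in.
```yaml
---
- include_tasks: create_securitygroup.yml
  vars:
    secgrp: "{{ item }}"
  loop:
    - "{{ securitygroup }}"
```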
diff --git a/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/destroy_securitygroup.yml b/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/destroy_securitygroup.yml
new file mode 100644 (file)
index 0000000..eb86f9b
--- /dev/null
@@ -0,0 +1,5 @@
+---
+- name: "Destroy {{ secgrp.name }} security group"
+  os_security_group:
+    state: absent
+    name: "{{ secgrp.name }}"
diff --git a/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/main.yml b/deployment/noheat/infra-openstack/ansible/roles/openstack/destroy_devstack_securitygroup/tasks/main.yml
new file mode 100644 (file)
index 0000000..586e180
--- /dev/null
@@ -0,0 +1,4 @@
+---
+- include: destroy_securitygroup.yml secgrp={{ item }}
+  with_items:
+    - "{{ securitygroup }}"
diff --git a/deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.stderr b/deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.stderr
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.stdout b/deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.stdout
new file mode 100644 (file)
index 0000000..3638253
--- /dev/null
@@ -0,0 +1 @@
+"onap_ci_lab"
diff --git a/deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.test b/deployment/noheat/infra-openstack/vagrant/test/create_securitygroup.test
new file mode 100755 (executable)
index 0000000..6378776
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+export SECURITYGROUP_NAME='onap_ci_lab'
+
+export VAGRANT_CWD='..'
+
+set_up() {
+    vagrant up --provision-with=run_playbook_destroy
+    vagrant up --provision-with=run_playbook_create
+}
+
+check() {
+    local secgrp="$1"
+    vagrant ssh operator --no-tty -c \
+        "export OS_CLOUD=openstack; openstack security group list -fcsv" \
+        | grep "$secgrp" \
+        | cut -d',' -f2
+}
+
+set_up >/dev/null # drop provisioning output
+check "$SECURITYGROUP_NAME"
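Review bot: `grep "$secgrp"` runs over the whole CSV row, so any group whose ID, description or name merely contains `onap_ci_lab` (a leftover `onap_ci_lab_old`, say) adds extra lines to the output and the comparison against create_securitygroup.stdout fails for a reason unrelated to the role; destroy_securitygroup.test's `check()` has the same substring match. Listing only the name column and matching the whole line keeps the expected output identical while removing the ambiguity: `"export OS_CLOUD=openstack; openstack security group list -fcsv -c Name" \` followed by `| grep -Fx "\"$secgrp\""`, dropping the `cut` stage. `local` is not in POSIX sh, though dash and busybox both accept it, so `#!/bin/sh` is fine on the usual Vagrant images but worth a comment.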
diff --git a/deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.stderr b/deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.stderr
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.stdout b/deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.stdout
new file mode 100644 (file)
index 0000000..7adb2f8
--- /dev/null
@@ -0,0 +1 @@
+Security group onap_ci_lab not found.
diff --git a/deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.test b/deployment/noheat/infra-openstack/vagrant/test/destroy_securitygroup.test
new file mode 100755 (executable)
index 0000000..0d8042d
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+export SECURITYGROUP_NAME='onap_ci_lab'
+
+export VAGRANT_CWD='..'
+
+set_up() {
+    vagrant up --provision-with=run_playbook_create
+    vagrant up --provision-with=run_playbook_destroy
+}
+
+check() {
+    local secgrp="$1"
+    vagrant ssh operator --no-tty -c \
+        "export OS_CLOUD=openstack; openstack security group list -fcsv" \
+        | grep "$secgrp" \
+        || echo "Security group ${secgrp} not found."
+}
+
+set_up >/dev/null # drop provisioning output
+check "$SECURITYGROUP_NAME"