Implement SecurityGroupIngress and SecurityGroupEgress

Registered by Stephen Gran

AWS implements Security Group Rules as resources separate from the Security Group. This allows you to create rulesets that reference the parent group without the issues caused by self-referential behavior.

Blueprint information

Status: Complete
Approver: Oleksii Chuprykov
Priority: Low
Drafter: Stephen Gran
Direction: Approved
Assignee: Dmitriy
Definition: Approved
Series goal: None
Implementation: Implemented
Milestone target: None
Started by: Oleksii Chuprykov
Completed by: Oleksii Chuprykov

Whiteboard

You might want a template snippet that looks like this for your proxy servers:
"SquidSecurityGroup" : {
   "Type" : "AWS::EC2::SecurityGroup",
   "Properties" : {
      "GroupDescription" : "Allow instances to communicate on service port",
      "SecurityGroupIngress" : [{
         "IpProtocol" : "udp",
         "FromPort" : "3130",
         "ToPort" : "3130",
         "SourceSecurityGroupName" : { "Ref" : "SquidSecurityGroup" }
      }]
   }
}

This is currently not possible, since rules are not separate from the containing groups, so Heat cannot order them appropriately.
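
The ordering problem described above, as an added example (a simplified model, not Heat's own dependency code): resources are ordered by their Ref edges, so the inline rule forms a self-cycle, while the same rule as a separate AWS::EC2::SecurityGroupIngress resource does not. The SquidIngress name and the refs/creation_order helpers are assumptions made for illustration.

```python
# Added illustration: a simplified model of Ref-based ordering, not Heat's resolver.

def refs(node):
    """Yield each logical name referenced via {"Ref": name} anywhere in node."""
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            yield node["Ref"]
        else:
            for value in node.values():
                yield from refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from refs(value)

def creation_order(resources):
    """Return resource names in creation order, or None if the Refs form a cycle."""
    deps = {name: set(refs(body)) & set(resources) for name, body in resources.items()}
    order = []
    while deps:
        ready = sorted(name for name, waiting in deps.items() if not waiting)
        if not ready:
            return None  # every remaining resource waits on another one
        order.extend(ready)
        for name in ready:
            del deps[name]
        for waiting in deps.values():
            waiting.difference_update(ready)
    return order

RULE = {"IpProtocol": "udp", "FromPort": "3130", "ToPort": "3130",
        "SourceSecurityGroupName": {"Ref": "SquidSecurityGroup"}}
DESCRIPTION = "Allow instances to communicate on service port"

# The snippet from the whiteboard: the rule lives inside the group it references.
INLINE = {"SquidSecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {"GroupDescription": DESCRIPTION, "SecurityGroupIngress": [RULE]}}}

# Same rule as its own resource; "SquidIngress" is a hypothetical logical name.
SPLIT = {
    "SquidSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {"GroupDescription": DESCRIPTION}},
    "SquidIngress": {
        "Type": "AWS::EC2::SecurityGroupIngress",
        "Properties": dict(RULE, GroupName={"Ref": "SquidSecurityGroup"})}}

if __name__ == "__main__":
    print("inline:", creation_order(INLINE))
    print("split: ", creation_order(SPLIT))
```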

(therve) FWIW, we solved that issue for OS::Neutron::SecurityGroup by allowing self reference. We're still missing cross reference.

Gerrit topic: https://review.openstack.org/#q,topic:bp/securitygroupingressegress,n,z

Addressed by: https://review.openstack.org/330608
    Add new resource Security Group Rule
