TripleO Should Report Required Firewall Rules by Role

Registered by Dan Sneddon

TripleO service definitions include the ports used by the service, and this information is used to configure iptables on the host running the service. Some operators want to enhance this security with hardware firewalls. Unfortunately, it isn't clear to operators what rules need to be configured on hardware firewalls or router ACLs.

Since the service definitions already list the firewall ports used by each service, the information about which ports a particular service needs is already available. TripleO should publish or report, on a per-node or per-role basis, which ports need to be open for each composable role. Operators could then use this report to determine which ports to open on a hardware firewall or router ACL when further securing the environment.

It would be ideal if we could publish this data in a machine-readable format such as JSON. This would allow some automation to be inserted so that hardware firewalls could be automatically configured based on which services are used on which nodes. This would also make it clear what changes were required on hardware firewalls during upgrades.

Each service contains firewall rules in a unique key, for instance:

          tripleo.nova_api.firewall_rules:
            '113 nova_api':
              dport:
                - 8774
                - 13774
                - 8775

So what is needed is a way to compile all the applicable tripleo.*.firewall_rules parameters used on a role, and publish this in a report or file. This should include any custom rules that are added manually to the role by the installer.
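As an added example (not part of this blueprint or of TripleO's own tooling), the compilation step described above in Python: walk one role's hiera data, pick out every tripleo.*.firewall_rules key, flatten the dport values, and emit a per-role JSON report. The nova_api ports are the ones quoted above; the other services, ports, the custom rule and the role-to-hiera mapping are constructed sample data.

```python
import fnmatch
import json

# Constructed sample hiera data for two roles. Only nova_api's ports come
# from the blueprint; everything else is made-up illustration data, and
# "tripleo.custom.firewall_rules" stands in for an operator-added rule.
ROLE_HIERA = {
    "Controller": {
        "tripleo.nova_api.firewall_rules": {
            "113 nova_api": {"dport": [8774, 13774, 8775]},
        },
        "tripleo.haproxy.firewall_rules": {
            "100 haproxy": {"dport": [8774, 1993], "proto": "tcp"},  # 8774 overlaps
        },
        "tripleo.custom.firewall_rules": {
            "200 mgmt ssh": {"dport": 22, "source": "10.0.0.0/24"},
        },
        "tripleo.nova_api.some_other_key": {"not": "a firewall rule"},
    },
    "Compute": {
        "tripleo.nova_libvirt.firewall_rules": {
            "200 nova_libvirt": {"dport": [16514, "49152-49215"]},
        },
    },
}


def _as_list(value):
    """dport may be a single int/str or a list of them; normalise to a list."""
    return list(value) if isinstance(value, (list, tuple)) else [value]


def collect_role_rules(hiera):
    """Return sorted, de-duplicated {proto, dport, source} entries from every
    tripleo.*.firewall_rules key in one role's hiera dict. Defaults (tcp,
    0.0.0.0/0, 'any' when dport is absent) are assumptions for this example."""
    rules = set()
    for key, ruleset in hiera.items():
        if not fnmatch.fnmatch(key, "tripleo.*.firewall_rules"):
            continue  # unrelated hiera key, skip it
        for rule in ruleset.values():
            proto = rule.get("proto", "tcp")
            source = rule.get("source", "0.0.0.0/0")
            for port in _as_list(rule.get("dport", ["any"])):
                rules.add((proto, str(port), source))
    return [{"proto": p, "dport": d, "source": s} for p, d, s in sorted(rules)]


def firewall_report(role_hiera):
    """Machine-readable report: role name -> list of required rules."""
    return json.dumps({r: collect_role_rules(h) for r, h in role_hiera.items()}, indent=2)


if __name__ == "__main__":
    print(firewall_report(ROLE_HIERA))
```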

Blueprint information

Status:
Complete
Approver:
Emilien Macchi
Priority:
Medium
Drafter:
Dan Sneddon
Direction:
Needs approval
Assignee:
None
Definition:
Obsolete
Series goal:
Accepted for ussuri
Implementation:
Not started
Milestone target:
None
Completed by:
Emilien Macchi

Related branches

Sprints

Whiteboard

[2019-09-18] (aschultz): Not implemented by the end of Train, moving out to Ussuri

Work Items
