From 2d688df70580432c92be425225b334eba1f8605e Mon Sep 17 00:00:00 2001
From: handreas <andreas.hamacher@monash.edu>
Date: Thu, 9 Apr 2020 09:30:37 +0000
Subject: [PATCH] This change allows to have a single heat stack for security
 groups and each CICD-stack to reuse those. Therefore the limitation of 30
 security groups per nectar-project is not so painful anymore

Former-commit-id: 5acff448c668f32c2ccc1066ce659109408f5078
---
 CICD/heat/gc_HOT.yaml      | 109 +++++++--------------
 CICD/heat/gc_secgroups.hot | 194 +++++++++++++++++++++++++++++++++++++
 2 files changed, 227 insertions(+), 76 deletions(-)
 create mode 100644 CICD/heat/gc_secgroups.hot

diff --git a/CICD/heat/gc_HOT.yaml b/CICD/heat/gc_HOT.yaml
index 7b44445e..982306e0 100644
--- a/CICD/heat/gc_HOT.yaml
+++ b/CICD/heat/gc_HOT.yaml
@@ -2,6 +2,7 @@
 heat_template_version: 2013-05-23
 description: "A simple template to boot a cluster of desktops (LoginNode, ManagementNodes and Desktop Nodes)"
 # avz parameters disabled. they are working but I want just more options than monash-02. I would like to have a parameter that says "I don't care"
+#This requires gc_secgroups to be called beforehand
 
 parameters:
   ubuntu_1804_image_id:
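Review bot: The added comment `#This requires gc_secgroups to be called beforehand` names a dependency without saying what the caller has to pass or where it comes from, and since the `*SecGroupID` parameters further down carry fixed UUID defaults, a reader cannot tell that those defaults belong to one particular stack. Suggest `# Requires the gc_secgroups.hot stack to exist first; pass its security group IDs via the *SecGroupID parameters below.` yamllint also expects a space after `#`.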
@@ -33,77 +34,33 @@ parameters:
   Flavour:
     type: string
     default: m3.xsmall
-
+  SlurmSecGroupID:
+    type: string
+    label: Resource ID
+    default: 6e7a09b0-981c-424f-a9b7-9fd4f4d8f416
+  NFSSecGroupID:
+    type: string
+    label: Resource ID
+    default: b07a75a3-830c-4778-96c6-8a3732ec7d6c
+  MySQLSecGroupID:
+    type: string
+    label: Resource ID
+    default: 4478f245-de5c-4177-bcbd-6fa661032cbe
+  SSHMonashSecGroupID:
+    type: string
+    label: Resource ID
+    default: c15081f4-c756-4c57-b8cf-388dd7fdbcd4
+  HTTPsSecGroupID:
+    type: string
+    label: Resource ID
+    default: 2d4510c3-ae73-44ea-9700-b6f0a00bf7aa
+  PublicSSHSecGroupID:
+    type: string
+    label: Resource ID
+    default: 8a029c04-08ce-40f1-a705-d45a2077e27d
 
 resources:
 
-  SlurmSecGroup:
-   type: "OS::Neutron::SecurityGroup"
-   properties:
-     name: "heatslurmsecgroup"
-     rules: [ { protocol: tcp,
-               port_range_min: 12000,
-               port_range_max: 12999},
-              { protocol: tcp,
-               port_range_min: 6817,
-               port_range_max: 6819},
-              { protocol: tcp,
-               port_range_min: 1019,
-               port_range_max: 1019}]
-  NFSSecGroup:
-   type: "OS::Neutron::SecurityGroup"
-   properties:
-     name: "heatnfssecgroup"
-     rules: [ { protocol: tcp,
-               port_range_min: 2049,
-               port_range_max: 2049},
-              { protocol: tcp,
-               port_range_min: 111,
-               port_range_max: 111},
-              { protocol: udp,
-               port_range_min: 2049,
-               port_range_max: 2049},
-              { protocol: udp,
-               port_range_min: 111,
-               port_range_max: 111}]
-  MySQLSecGroup:
-   type: "OS::Neutron::SecurityGroup"
-   properties:
-     name: "heatmysqlsecgroup"
-     rules: [ { protocol: tcp,
-               port_range_min: 3306,
-               port_range_max: 3306,
-               remote_mode: "remote_group_id"} ]
-  SSHMonashSecGroup:
-   type: "OS::Neutron::SecurityGroup"
-   properties:
-     name: "SSHMonashSecGroup"
-     rules: [ { protocol: tcp,
-               port_range_min: 22,
-               port_range_max: 22,
-               direction: ingress,
-               remote_ip_prefix: 118.138.240.0/21
-     } ]
-#  SSHInternalSecGroup:
-#   type: "OS::Neutron::SecurityGroup"
-#   properties:
-#     name: "SSHInternalSecGroup"
-#     rules: [ { protocol: tcp,
-#               port_range_min: 22,
-#               port_range_max: 22,
-#               direction: ingress} ]
-               #remote_ip_prefix: { get_param: REMOTE_IP }, direction: ingress
-  webaccess:
-   type: "OS::Neutron::SecurityGroup"
-   properties:
-     name: "webaccess"
-     rules: [ { protocol: tcp,
-               port_range_min: 80,
-               port_range_max: 80},
-              { protocol: tcp,
-               port_range_min: 443,
-               port_range_max: 443} ]
-
   SQLNode0:
    type: "OS::Nova::Server"
    properties:
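Review bot: The six `*SecGroupID` parameters bake one deployment's Neutron security group UUIDs into the template as `default:` values, so as soon as the gc_secgroups stack is recreated, or the template is used in another project, the defaults silently go stale and the create fails at the first server that references them. Drop the `default:` lines so the IDs must be supplied explicitly, and add `constraints: [ { custom_constraint: neutron.security_group } ]` under each parameter so Heat rejects an unknown ID at validation time instead of mid-create. All six carry the identical `label: Resource ID`; a per-parameter line such as `description: ID of the SlurmSecGroup resource in the gc_secgroups stack` would tell the operator which value to pass. `HTTPsSecGroupID` is declared but no visible line of this file references it (the only webaccess consumer is commented out), so it looks like dead configuration.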
@@ -113,7 +70,7 @@ resources:
     flavor: m3.xsmall
     image: { get_param: centos_7_image_id }
     key_name: { get_param: ssh_key }
-    security_groups: [ { get_resource: SSHMonashSecGroup }, { get_resource: SlurmSecGroup }, { get_resource: MySQLSecGroup }, { get_resource: NFSSecGroup } ]
+    security_groups: [ { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: MySQLSecGroupID }, { get_param: NFSSecGroupID } ]
     metadata:
      ansible_host_groups: [ SQLNodes, NFSNodes ]
      ansible_ssh_user: ec2-user
@@ -170,7 +127,7 @@ resources:
         mynodename:
          list_join: [ '-', [ { get_param: "OS::stack_name" }, 'mgmt%index%' ]]
         ssh_key: { get_param: ssh_key }
-        security_groups: [ default, { get_resource: SSHMonashSecGroup }, { get_resource: SlurmSecGroup }, { get_resource: NFSSecGroup }, { get_resource: MySQLSecGroup } ]
+        security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: MySQLSecGroupID } ]
         project_name: { get_param: project_name }
 
   LoginNodes:
@@ -186,7 +143,7 @@ resources:
       key_name: { get_param: ssh_key }
       name:
        list_join: [ '-', [ { get_param: "OS::stack_name" }, 'login%index%' ]]
-      security_groups: [ default, { get_resource: SSHMonashSecGroup }, { get_resource: SlurmSecGroup }, { get_resource: NFSSecGroup } ]
+      security_groups: [ default, { get_param: PublicSSHSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
       metadata:
        ansible_host_groups: [ LoginNodes ]
        ansible_ssh_user: ec2-user
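Review bot: LoginNodes move from `SSHMonashSecGroupID` to `PublicSSHSecGroupID`, and the `PublicSSHSecGroup` this same patch defines in gc_secgroups.hot has a port-22 rule with no `remote_ip_prefix`, which Neutron treats as 0.0.0.0/0 — so the login nodes go from Monash-range-only SSH to SSH reachable from any address, while every other node type keeps the restricted group. Neither the commit message nor a comment says this widening is intended. If it is, say so next to the line, e.g. `# login nodes are the only public SSH entry point; all other nodes stay on SSHMonashSecGroupID`; if it is not, keep `{ get_param: SSHMonashSecGroupID }` here or give PublicSSHSecGroup a `remote_ip_prefix`. The LoginNodes resource starts and ends outside the hunk.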
@@ -207,7 +164,7 @@ resources:
       key_name: { get_param: ssh_key }
       name:
        list_join: [ '-', [ { get_param: "OS::stack_name" }, 'desktopc%index%' ]]
-      security_groups: [ default, { get_resource: SSHMonashSecGroup }, { get_resource: SlurmSecGroup }, { get_resource: NFSSecGroup } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
       metadata:
        ansible_host_groups: [ DesktopNodes, VisNodes, ComputeNodes ]
        ansible_ssh_user: ec2-user
@@ -228,7 +185,7 @@ resources:
       key_name: { get_param: ssh_key }
       name:
        list_join: [ '-', [ { get_param: "OS::stack_name" }, 'computec%index%' ]]
-      security_groups: [ default, { get_resource: SSHMonashSecGroup }, { get_resource: SlurmSecGroup }, { get_resource: NFSSecGroup } ]
+      security_groups: [ default, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: SSHMonashSecGroupID } ]
       metadata:
        ansible_host_groups: [ ComputeNodes ]
        ansible_ssh_user: ec2-user
@@ -249,7 +206,7 @@ resources:
       key_name: { get_param: ssh_key }
       name:
        list_join: [ '-', [ { get_param: "OS::stack_name" }, 'desktopu%index%' ]]
-      security_groups: [ default, { get_resource: SSHMonashSecGroup }, { get_resource: SlurmSecGroup }, { get_resource: NFSSecGroup } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
       metadata:
        ansible_host_groups: [ DesktopNodes ]
        ansible_ssh_user: ubuntu
@@ -270,7 +227,7 @@ resources:
       key_name: { get_param: ssh_key }
       name:
        list_join: [ '-', [ { get_param: "OS::stack_name" }, 'computerhel%index%' ]]
-      security_groups: [ default, { get_resource: SSHMonashSecGroup }, { get_resource: SlurmSecGroup }, { get_resource: NFSSecGroup } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
       metadata:
        ansible_host_groups: [ DGXRHELNodes ]
        ansible_ssh_user: cloud-user
@@ -287,7 +244,7 @@ resources:
 #    flavor: m3.xsmall
 #    image: { get_param: ubuntu_1804_image_id }
 #    key_name: { get_param: ssh_key }
-#    security_groups: [ { get_resource: SSHMonashSecGroup }, { get_resource: webaccess } ]
+#    security_groups: [ { get_resource_id SSHMonashSecGroup }, { get_resource_id webaccess } ]
 #    metadata:
 #     ansible_host_groups: [ PySSHauthz ]
 #     ansible_ssh_user: ubuntu
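Review bot: The commented-out `security_groups` line now reads `{ get_resource_id SSHMonashSecGroup }`, which is not a HOT intrinsic function (and lacks the colon), and the SSHMonashSecGroup/webaccess resources no longer exist in this template, so re-enabling the block as written fails validation. If the block is kept as a reference, make it match the live parameters: `#    security_groups: [ { get_param: SSHMonashSecGroupID }, { get_param: HTTPsSecGroupID } ]`. The enclosing resource starts outside the hunk.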
diff --git a/CICD/heat/gc_secgroups.hot b/CICD/heat/gc_secgroups.hot
new file mode 100644
index 00000000..ad6e7790
--- /dev/null
+++ b/CICD/heat/gc_secgroups.hot
@@ -0,0 +1,194 @@
+---
+heat_template_version: 2013-05-23
+description: # call with openstack stack [update || create ] --wait --template gc_secgroups.hot SecurityGroupStack
+
+resources:
+
+  SlurmSecGroup:
+   type: "OS::Neutron::SecurityGroup"
+   properties:
+     name: "heatslurmsecgroup"
+     rules: [ { protocol: tcp,
+               port_range_min: 12000,
+               port_range_max: 12999},
+              { protocol: tcp,
+               port_range_min: 6817,
+               port_range_max: 6819},
+              { protocol: tcp,
+               port_range_min: 1019,
+               port_range_max: 1019}]
+  NFSSecGroup:
+   type: "OS::Neutron::SecurityGroup"
+   properties:
+     name: "heatnfssecgroup"
+     rules: [ { protocol: tcp,
+               port_range_min: 2049,
+               port_range_max: 2049,
+               remote_mode: "remote_group_id"},
+              { protocol: tcp,
+               port_range_min: 111,
+               port_range_max: 111,
+               remote_mode: "remote_group_id"},
+              { protocol: udp,
+               port_range_min: 2049,
+               port_range_max: 2049,
+               remote_mode: "remote_group_id"},
+              { protocol: udp,
+               port_range_min: 111,
+               port_range_max: 111,
+               remote_mode: "remote_group_id"} ]
+  MySQLSecGroup:
+   type: "OS::Neutron::SecurityGroup"
+   properties:
+     name: "heatmysqlsecgroup"
+     rules: [ { protocol: tcp,
+               port_range_min: 3306,
+               port_range_max: 3306,
+               remote_mode: "remote_group_id"} ]
+  PublicSSHSecGroup:
+   type: "OS::Neutron::SecurityGroup"
+   properties:
+     name: "SSHSecGroup"
+     rules: [ { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22} ]
+  SSHMonashSecGroup:
+   type: "OS::Neutron::SecurityGroup"
+   properties:
+     name: "SSHMonashSecGroup"
+     rules: [ { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 59.191.208.0/20
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 114.30.64.0/21
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 118.138.0.0/16
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 118.139.0.0/17
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 130.194.0.0/16
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 203.0.141.0/24
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 203.6.141.0/24
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 203.23.136.0/24
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 59.191.192.0/20
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 202.158.212.32/27
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 130.194.13.96/27
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 49.127.0.0/16
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 202.58.246.0/24
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 202.94.69.0/24
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 103.35.228.0/22
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 43.246.232.0/22
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 103.35.228.0/22
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 59.191.208.0/20
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 49.127.0.0/16
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 59.191.220.0/22
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 43.246.232.0/22
+     } ]
+  HTTPsSecGroup:
+   type: "OS::Neutron::SecurityGroup"
+   properties:
+     name: "HTTPsSecGroup"
+     rules: [ { protocol: tcp,
+               port_range_min: 80,
+               port_range_max: 80},
+              { protocol: tcp,
+               port_range_min: 443,
+               port_range_max: 443} ]
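Review bot: SSHMonashSecGroup lists the identical port-22 rule twice for `59.191.208.0/20`, `49.127.0.0/16`, `43.246.232.0/22` and `103.35.228.0/22`; Neutron rejects a security-group rule that already exists (409 conflict), so as far as I can tell the stack create fails on the first duplicate rather than deduplicating silently — drop the second copy of each. `130.194.13.96/27` and `59.191.220.0/22` are already covered by `130.194.0.0/16` and `59.191.208.0/20`, redundant but harmless. `description: # call with ...` leaves description as null because everything after `#` is a comment; move the command to a comment line above and give description a real string. There is no `outputs:` section, so the IDs that gc_HOT.yaml's parameters need have to be looked up by hand; exporting them lets callers read `openstack stack output show SecurityGroupStack` and pass the values without hard-coding.
```yaml
# … unchanged: resources section …
outputs:
  SlurmSecGroupID:
    value: { get_resource: SlurmSecGroup }
  NFSSecGroupID:
    value: { get_resource: NFSSecGroup }
  MySQLSecGroupID:
    value: { get_resource: MySQLSecGroup }
  SSHMonashSecGroupID:
    value: { get_resource: SSHMonashSecGroup }
  HTTPsSecGroupID:
    value: { get_resource: HTTPsSecGroup }
  PublicSSHSecGroupID:
    value: { get_resource: PublicSSHSecGroup }
```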
-- 
GitLab