Merge branch 'secgroup_refactor' into 'master'

Secgroup refactor See merge request hpc-team/ansible_cluster_in_a_box!303 Former-commit-id: 57f53762

Merge branch 'secgroup_refactor' into 'master'
Secgroup refactor See merge request hpc-team/ansible_cluster_in_a_box!303 Former-commit-id: 57f53762
472d46ae · Jafar Lie · 26a7711b · 2d688df7 · 472d46ae · 472d46ae
Commit 472d46ae authored 4 years ago by Jafar Lie
--- a/CICD/heat/gc_HOT.yaml
+++ b/CICD/heat/gc_HOT.yaml
@@ -2,6 +2,7 @@
 heat_template_version: 2013-05-23
 description: "A simple template to boot a cluster of desktops (LoginNode, ManagementNodes and Desktop Nodes)"
 # avz parameters disabled. they are working but I want just more options than monash-02. I would like to have a parameter that says "I don't care"
+#This requires gc_secgroups to be called beforehand

 parameters:
  ubuntu_1804_image_id:
@@ -33,77 +34,33 @@ parameters:
  Flavour:
    type: string
    default: m3.xsmall
-
+  SlurmSecGroupID:
+    type: string
+    label: Resource ID
+    default: 6e7a09b0-981c-424f-a9b7-9fd4f4d8f416
+  NFSSecGroupID:
+    type: string
+    label: Resource ID
+    default: b07a75a3-830c-4778-96c6-8a3732ec7d6c
+  MySQLSecGroupID:
+    type: string
+    label: Resource ID
+    default: 4478f245-de5c-4177-bcbd-6fa661032cbe
+  SSHMonashSecGroupID:
+    type: string
+    label: Resource ID
+    default: c15081f4-c756-4c57-b8cf-388dd7fdbcd4
+  HTTPsSecGroupID:
+    type: string
+    label: Resource ID
+    default: 2d4510c3-ae73-44ea-9700-b6f0a00bf7aa
+  PublicSSHSecGroupID:
+    type: string
+    label: Resource ID
+    default: 8a029c04-08ce-40f1-a705-d45a2077e27d

 resources:

-  SlurmSecGroup:
-   type: "OS::Neutron::SecurityGroup"
-   properties:
-     name: "heatslurmsecgroup"
-     rules: [ { protocol: tcp,
-               port_range_min: 12000,
-               port_range_max: 12999},
-              { protocol: tcp,
-               port_range_min: 6817,
-               port_range_max: 6819},
-              { protocol: tcp,
-               port_range_min: 1019,
-               port_range_max: 1019}]
-  NFSSecGroup:
-   type: "OS::Neutron::SecurityGroup"
-   properties:
-     name: "heatnfssecgroup"
-     rules: [ { protocol: tcp,
-               port_range_min: 2049,
-               port_range_max: 2049},
-              { protocol: tcp,
-               port_range_min: 111,
-               port_range_max: 111},
-              { protocol: udp,
-               port_range_min: 2049,
-               port_range_max: 2049},
-              { protocol: udp,
-               port_range_min: 111,
-               port_range_max: 111}]
-  MySQLSecGroup:
-   type: "OS::Neutron::SecurityGroup"
-   properties:
-     name: "heatmysqlsecgroup"
-     rules: [ { protocol: tcp,
-               port_range_min: 3306,
-               port_range_max: 3306,
-               remote_mode: "remote_group_id"} ]
-  SSHMonashSecGroup:
-   type: "OS::Neutron::SecurityGroup"
-   properties:
-     name: "SSHMonashSecGroup"
-     rules: [ { protocol: tcp,
-               port_range_min: 22,
-               port_range_max: 22,
-               direction: ingress,
-               remote_ip_prefix: 118.138.240.0/21
-     } ]
-#  SSHInternalSecGroup:
-#   type: "OS::Neutron::SecurityGroup"
-#   properties:
-#     name: "SSHInternalSecGroup"
-#     rules: [ { protocol: tcp,
-#               port_range_min: 22,
-#               port_range_max: 22,
-#               direction: ingress} ]
-               #remote_ip_prefix: { get_param: REMOTE_IP }, direction: ingress
-  webaccess:
-   type: "OS::Neutron::SecurityGroup"
-   properties:
-     name: "webaccess"
-     rules: [ { protocol: tcp,
-               port_range_min: 80,
-               port_range_max: 80},
-              { protocol: tcp,
-               port_range_min: 443,
-               port_range_max: 443} ]
-
  SQLNode0:
   type: "OS::Nova::Server"
   properties:
@@ -113,7 +70,7 @@ resources:
    flavor: m3.xsmall
    image: { get_param: centos_7_image_id }
    key_name: { get_param: ssh_key }
-    security_groups: [ { get_resource: SSHMonashSecGroup }, { get_resource: SlurmSecGroup }, { get_resource: MySQLSecGroup }, { get_resource: NFSSecGroup } ]
+    security_groups: [ { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: MySQLSecGroupID }, { get_param: NFSSecGroupID } ]
    metadata:
     ansible_host_groups: [ SQLNodes, NFSNodes ]
     ansible_ssh_user: ec2-user
@@ -170,7 +127,7 @@ resources:
        mynodename:
         list_join: [ '-', [ { get_param: "OS::stack_name" }, 'mgmt%index%' ]]
        ssh_key: { get_param: ssh_key }
-        security_groups: [ default, { get_resource: SSHMonashSecGroup }, { get_resource: SlurmSecGroup }, { get_resource: NFSSecGroup }, { get_resource: MySQLSecGroup } ]
+        security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: MySQLSecGroupID } ]
        project_name: { get_param: project_name }

  LoginNodes:
@@ -186,7 +143,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'login%index%' ]]
-      security_groups: [ default, { get_resource: SSHMonashSecGroup }, { get_resource: SlurmSecGroup }, { get_resource: NFSSecGroup } ]
+      security_groups: [ default, { get_param: PublicSSHSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
      metadata:
       ansible_host_groups: [ LoginNodes ]
       ansible_ssh_user: ec2-user
@@ -207,7 +164,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'desktopc%index%' ]]
-      security_groups: [ default, { get_resource: SSHMonashSecGroup }, { get_resource: SlurmSecGroup }, { get_resource: NFSSecGroup } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
      metadata:
       ansible_host_groups: [ DesktopNodes, VisNodes, ComputeNodes ]
       ansible_ssh_user: ec2-user
@@ -228,7 +185,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'computec%index%' ]]
-      security_groups: [ default, { get_resource: SSHMonashSecGroup }, { get_resource: SlurmSecGroup }, { get_resource: NFSSecGroup } ]
+      security_groups: [ default, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: SSHMonashSecGroupID } ]
      metadata:
       ansible_host_groups: [ ComputeNodes ]
       ansible_ssh_user: ec2-user
@@ -249,7 +206,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'desktopu%index%' ]]
-      security_groups: [ default, { get_resource: SSHMonashSecGroup }, { get_resource: SlurmSecGroup }, { get_resource: NFSSecGroup } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
      metadata:
       ansible_host_groups: [ DesktopNodes ]
       ansible_ssh_user: ubuntu
@@ -270,7 +227,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'computerhel%index%' ]]
-      security_groups: [ default, { get_resource: SSHMonashSecGroup }, { get_resource: SlurmSecGroup }, { get_resource: NFSSecGroup } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
      metadata:
       ansible_host_groups: [ DGXRHELNodes ]
       ansible_ssh_user: cloud-user
@@ -287,7 +244,7 @@ resources:
 #    flavor: m3.xsmall
 #    image: { get_param: ubuntu_1804_image_id }
 #    key_name: { get_param: ssh_key }
-#    security_groups: [ { get_resource: SSHMonashSecGroup }, { get_resource: webaccess } ]
+#    security_groups: [ { get_resource_id SSHMonashSecGroup }, { get_resource_id webaccess } ]
 #    metadata:
 #     ansible_host_groups: [ PySSHauthz ]
 #     ansible_ssh_user: ubuntu

--- a/CICD/heat/gc_secgroups.hot
+++ b/CICD/heat/gc_secgroups.hot
+---
+heat_template_version: 2013-05-23
+description: # call with openstack stack [update || create ] --wait --template gc_secgroups.hot SecurityGroupStack
+
+resources:
+
+  SlurmSecGroup:
+   type: "OS::Neutron::SecurityGroup"
+   properties:
+     name: "heatslurmsecgroup"
+     rules: [ { protocol: tcp,
+               port_range_min: 12000,
+               port_range_max: 12999},
+              { protocol: tcp,
+               port_range_min: 6817,
+               port_range_max: 6819},
+              { protocol: tcp,
+               port_range_min: 1019,
+               port_range_max: 1019}]
+  NFSSecGroup:
+   type: "OS::Neutron::SecurityGroup"
+   properties:
+     name: "heatnfssecgroup"
+     rules: [ { protocol: tcp,
+               port_range_min: 2049,
+               port_range_max: 2049,
+               remote_mode: "remote_group_id"},
+              { protocol: tcp,
+               port_range_min: 111,
+               port_range_max: 111,
+               remote_mode: "remote_group_id"},
+              { protocol: udp,
+               port_range_min: 2049,
+               port_range_max: 2049,
+               remote_mode: "remote_group_id"},
+              { protocol: udp,
+               port_range_min: 111,
+               port_range_max: 111,
+               remote_mode: "remote_group_id"} ]
+  MySQLSecGroup:
+   type: "OS::Neutron::SecurityGroup"
+   properties:
+     name: "heatmysqlsecgroup"
+     rules: [ { protocol: tcp,
+               port_range_min: 3306,
+               port_range_max: 3306,
+               remote_mode: "remote_group_id"} ]
+  PublicSSHSecGroup:
+   type: "OS::Neutron::SecurityGroup"
+   properties:
+     name: "SSHSecGroup"
+     rules: [ { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22} ]
+  SSHMonashSecGroup:
+   type: "OS::Neutron::SecurityGroup"
+   properties:
+     name: "SSHMonashSecGroup"
+     rules: [ { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 59.191.208.0/20
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 114.30.64.0/21
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 118.138.0.0/16
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 118.139.0.0/17
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 130.194.0.0/16
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 203.0.141.0/24
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 203.6.141.0/24
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 203.23.136.0/24
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 59.191.192.0/20
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 202.158.212.32/27
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 130.194.13.96/27
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 49.127.0.0/16
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 202.58.246.0/24
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 202.94.69.0/24
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 103.35.228.0/22
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 43.246.232.0/22
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 103.35.228.0/22
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 59.191.208.0/20
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 49.127.0.0/16
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 59.191.220.0/22
+     },
+     { protocol: tcp,
+               port_range_min: 22,
+               port_range_max: 22,
+               direction: ingress,
+               remote_ip_prefix: 43.246.232.0/22
+     } ]
+  HTTPsSecGroup:
+   type: "OS::Neutron::SecurityGroup"
+   properties:
+     name: "HTTPsSecGroup"
+     rules: [ { protocol: tcp,
+               port_range_min: 80,
+               port_range_max: 80},
+              { protocol: tcp,
+               port_range_min: 443,
+               port_range_max: 443} ]