heat security group id

asked 2013-10-16 14:39:07 -0500

kfox1111

How do you get a security group ID out of a created AWS::EC2::SecurityGroup?

OS::Neutron::Port only seems to take ID's, and Ref on the security group only gives you the name. I also want to pass it as an output, and again, it only gives you the name, not the ID.

Thanks, Kevin


2 answers


answered 2013-10-16 14:56:51 -0500

shardy

updated 2013-10-17 04:08:11 -0500

  • Can you use OS::Neutron::Firewall instead of AWS::EC2::SecurityGroup? In general we expect users to use either the native Neutron resources (recommended), or the AWS-compatible VPC resources if portability with CFN is a concern.

Edit: Yes, OS::Neutron::Firewall provides perimeter firewall functionality, but I was thinking it could possibly solve your use-case as follows (disclaimer, I'm not a Neutron expert):

  • Modify the default security group for the project/tenant to allow the traffic required

  • Connect all instances to a Neutron subnet, which routes via a Neutron router to your external network

  • Configure the Neutron FWaaS on the router via OS::Neutron::Firewall to enforce the rules required outside the private subnet between instances/stacks

  • If you define the VpcId property of the AWS::EC2::SecurityGroup, Ref returns the security group ID, not the name. Does this solve your problem?

Edit: Re VpcId, you could use AWS::EC2::VPC to create the network/router and pass that into the security group, but just setting the VpcId property to AWS::EC2::SecurityGroup makes it use the neutron security group API instead of the nova one, which is probably what you want in this case.

I agree, it's not a clean interface - what we probably need is a heat-native OS::Neutron::SecurityGroup resource.


answered 2013-10-16 17:14:24 -0500

kfox1111

OS::Neutron::Firewall seems intended for something else. I'm not sure though.

Setting VpcId on the security group to the Neutron NetworkId seemed to make this work. Seems a little sketchy though. Can someone guarantee this behaviour is safe?

Thanks, Kevin

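The pattern described in both answers above, as an added example template (not code from the thread or from the Heat project): an AWS::EC2::SecurityGroup with VpcId set to the Neutron network ID, so that Ref yields the Neutron security group UUID, which is then passed to OS::Neutron::Port and exposed as a stack output. The parameter names NetworkId, SubnetId and AllowedCidr, the resource names WebSG and WebPort, and the default CIDR 203.0.113.0/24 are assumptions chosen for this example; the network and subnet UUIDs must be supplied at stack-create time. The ingress rule is deliberately narrow (one port, one source range) rather than open to the world.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example, not from the thread: Neutron-backed security group whose Ref is an ID, wired into a Neutron port",
  "Parameters": {
    "NetworkId": {
      "Type": "String",
      "Description": "Neutron network UUID (assumed to already exist; passed in by the operator)"
    },
    "SubnetId": {
      "Type": "String",
      "Description": "Neutron subnet UUID on NetworkId (assumed to already exist)"
    },
    "AllowedCidr": {
      "Type": "String",
      "Default": "203.0.113.0/24",
      "Description": "Source range allowed to reach TCP/443; the default is a documentation-range placeholder, replace it with your real client range"
    }
  },
  "Resources": {
    "WebSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "HTTPS only from AllowedCidr. Setting VpcId selects the Neutron security group API, so Ref on this resource returns the group UUID instead of its name",
        "VpcId": {"Ref": "NetworkId"},
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": "443",
            "ToPort": "443",
            "CidrIp": {"Ref": "AllowedCidr"}
          }
        ]
      }
    },
    "WebPort": {
      "Type": "OS::Neutron::Port",
      "Properties": {
        "network_id": {"Ref": "NetworkId"},
        "fixed_ips": [{"subnet_id": {"Ref": "SubnetId"}}],
        "security_groups": [{"Ref": "WebSG"}]
      }
    }
  },
  "Outputs": {
    "WebSGId": {
      "Description": "Neutron security group UUID; without VpcId on WebSG this Ref would be the group name and OS::Neutron::Port would reject it",
      "Value": {"Ref": "WebSG"}
    }
  }
}
```

After `heat stack-create`, check the output with `heat output-show <stack> WebSGId` and confirm the value is a UUID that appears in `neutron security-group-list`; if it comes back as a plain name, VpcId was not applied and the group was created through the Nova API instead.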


Edits added to my initial answer

shardy (2013-10-17 04:05:29 -0500)


Last updated: Oct 17 '13