How do you get a security group ID out of a created AWS::EC2::SecurityGroup?
OS::Neutron::Port only seems to take ID's, and Ref on the security group only gives you the name. I also want to pass it as an output, and again, it only gives you the name, not the ID.
Thanks, Kevin
Edit: Yes, OS::Neutron::Firewall provides perimeter firewall functionality, but I was thinking it could possibly solve your use-case as follows (disclaimer, I'm not a Neutron expert):
Modify the default security group for the project/tenant to allow the traffic required
Connect all instances to a Neutron subnet, which routes via a Neutron router to your external network
Configure the Neutron FWaaS on the router via OS::Neutron::Firewall to enforce the rules required outside the private subnet between instances/stacks
If you define the VpcId property of the AWS::EC2::SecurityGroup, Ref returns the security group ID, not name, does this solve your problem?
Edit: Re VpcId, you could use AWS::EC2::VPC to create the network/router and pass that into the security group, but just setting the VpcId property to AWS::EC2::SecurityGroup makes it use the neutron security group API instead of the nova one, which is probably what you want in this case.
I agree, it's not a clean interface - what we probably need is a heat-native OS::Neutron::SecurityGroup resource.
OS::Neutron::Firewall seems intended for something else. I'm not sure though.
Setting VpcId on the security group to the neutron NetworkId seemed to make this work. Seems alittle sketchy though. Can someone garantee this behaviour is safe?
Thanks, Kevin
Asked: 2013-10-16 14:39:07 -0500
Seen: 700 times
Last updated: Oct 17 '13
