
Heat HOT: Can I use a repeat function to provide multiple rules (OS::Neutron::FirewallRules) for the firewall_rules parameter of an OS::Neutron::FirewallPolicy type?

asked 2016-07-07 14:53:29 -0500

karl.harris

updated 2016-07-13 10:37:40 -0500

I have cleaned up the code: The parameters rprotocol and ip_addresses will be comma_delimited_lists of protocols and cidrs/ips. Single values are used for debugging.

description: Configuration for Firewall service
heat_template_version: 2016-04-08
parameters:
  rprotocol:
    type: comma_delimited_list
    label: rprotocol
    default: "tcp"
  ip_addresses:
    type: comma_delimited_list
    label: ip_addresses
    default: "208.16.215.23"
resources:
  Firewall:
    properties:
      admin_state_up: true
      description: Firewall Resource
      firewall_policy_id:
        get_resource: Firewall_Policy
      name: Firewall
    type: OS::Neutron::Firewall

  Firewall_Policy:
    type: OS::Neutron::FirewallPolicy
    properties:
      name: Firewall_Policy
      audited: true
      firewall_rules:
        repeat:
          for_each:
            <%rule_protocol%>: {get_param: rprotocol}
            <%src_ip_address%>: {get_param: ip_addresses}
          template:
            - get_file: ../groupbasepolicy/MakeRuleB.yaml

MakeRuleB.yaml

description: Create a firewall rule
heat_template_version: 2016-04-08
parameters:
  raction:
      type: string
      label: raction
      default: "allow"
  rproto:
      type: string
      label: proto
      default: <%rule_protocol%>
  src_address:
      type: string
      label: src_address
      default: <%src_ip_address%>
  rdescription:
      type: string
      label: rdescription
      default: "Rule"
resources:
  MakeRule:
      properties:
          action: {get_param: raction}
          description: {get_param: rdescription}
          enabled: true
          name: ''
          protocol: {get_param: rproto}
          source_ip_address: {get_param: src_address}
      type: OS::Neutron::FirewallRule

outputs:
  this_rule:
    description: "Id of this rule"
    value: { get_attr: [ MakeRule, Id ] }

I am getting an error in Neutron, TypeError: unhashable type: 'list', in q-svc.log. See below:

2016-07-13 10:50:24.874 35352 DEBUG neutron.wsgi [req-358fe82d-9844-483c-8f56-1cb2c939695e admin -] http://172.16.139.134:9696/v2.0/extensions.json returned with HTTP 200 __call__ /opt/stack/neutron/neutron/wsgi.py:725
2016-07-13 10:50:24.874 35352 INFO neutron.wsgi [req-358fe82d-9844-483c-8f56-1cb2c939695e admin -] 172.16.139.134 - - [13/Jul/2016 10:50:24] "GET //v2.0/extensions.json HTTP/1.1" 200 7665 0.047303
2016-07-13 10:50:25.291 35351 DEBUG neutron.wsgi [-] (35351) accepted ('172.16.139.134', 47640) server /usr/local/lib/python2.7/dist-packages/eventlet/wsgi.py:867
2016-07-13 10:50:25.346 35351 DEBUG neutron.api.v2.base [req-3be36300-f096-4576-90c3-9f4c4bb647f1 admin -] Request body: {u'firewall_policy': {u'shared': False, u'audited': True, u'firewall_rules': [[u'description: Create a firewall rule\nheat_template_version: 2016-04-08\nparameters:\n  raction:\n      type: string\n      label: raction\n      default: "allow"\n  rproto:\n      type: string\n      label: proto\n      default: tcp\n  src_address:\n      type: string\n      label: src_address\n      default: 208.16.215.23\n  rdescription:\n      type: string\n      label: rdescription\n      default: "Rule"\nresources:\n  MakeRule:\n      properties:\n          action: {get_param: raction}\n          description: {get_param: rdescription}\n          enabled: true\n          name: \'\'\n          protocol: {get_param: rproto}\n          source_ip_address: {get_param: src_address}\n      type: OS::Neutron::FirewallRule\n\noutputs:\n  this_rule:\n    description: "Id of this rule"\n    value: { get_attr: [ MakeRule, Id ] }\n']], u'name': u'Firewall_Policy'}} prepare_request_body /opt/stack/neutron/neutron/api/v2/base.py:657
2016-07-13 10:50:25.347 35351 ERROR neutron.api.v2.resource [req-3be36300-f096-4576-90c3-9f4c4bb647f1 admin -] create failed
2016-07-13 10:50:25.347 35351 ERROR neutron.api.v2.resource Traceback (most recent call last):
2016-07-13 10:50:25.347 35351 ERROR neutron.api.v2.resource   File "/opt/stack/neutron/neutron/api/v2/resource.py", line 84, in resource
2016-07-13 10:50:25.347 35351 ERROR neutron.api.v2.resource     result = method(request=request, **args)
2016-07-13 10:50:25.347 35351 ERROR neutron.api.v2.resource   File "/opt/stack/neutron/neutron ...

1 answer


answered 2016-07-29 11:01:14 -0500

zaneb

First of all, you're getting the error "unhashable type: 'list'" because the value of the "template" argument is a list:

      template:
        - get_file: ../groupbasepolicy/MakeRuleB.yaml

If you don't want the output to be a list of lists, don't make the template a list.

Secondly, 'template' in this context doesn't refer to a HOT template. It just means some syntax to be repeated with substitutions (like a Jinja template, except not). It does not create an inline nested stack.

So the answer to your question is no, you can't use the repeat function to create multiple resources.
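
A simplified Python model of the `repeat` expansion described in the answer, added here as an illustration (it is not Heat's code and not part of the original answer). It assumes `get_file` has already been resolved to the file's text, as the logged request body shows; `RULE_FILE_TEXT`, the `udp` value and all helper names are constructed for the example.

```python
import itertools

# Constructed, shortened stand-in for the text of MakeRuleB.yaml after
# get_file is resolved; the placeholders are the ones used on the page.
RULE_FILE_TEXT = (
    "parameters:\n"
    "  rproto:\n"
    "      default: <%rule_protocol%>\n"
    "  src_address:\n"
    "      default: <%src_ip_address%>\n"
)

def substitute(node, mapping):
    """Recursively replace placeholders in strings, dict keys/values and lists."""
    if isinstance(node, str):
        for key, value in mapping.items():
            node = node.replace(key, value)
        return node
    if isinstance(node, dict):
        return {substitute(k, mapping): substitute(v, mapping)
                for k, v in node.items()}
    if isinstance(node, list):
        return [substitute(item, mapping) for item in node]
    return node

def repeat(for_each, template):
    """Model of HOT repeat: render the template once per permutation."""
    keys = list(for_each)
    return [substitute(template, dict(zip(keys, combo)))
            for combo in itertools.product(*(for_each[k] for k in keys))]

def all_hashable(entries):
    """True if every entry could serve as a plain ID (set member / dict key)."""
    try:
        set(entries)
        return True
    except TypeError:  # "unhashable type: 'list'" for list entries
        return False

# Constructed parameter values: two protocols, one source address.
FOR_EACH = {"<%rule_protocol%>": ["tcp", "udp"],
            "<%src_ip_address%>": ["208.16.215.23"]}

as_posted = repeat(FOR_EACH, [RULE_FILE_TEXT])  # template is a list
scalar = repeat(FOR_EACH, RULE_FILE_TEXT)       # template is a scalar

if __name__ == "__main__":
    print(as_posted)  # list of one-element lists, the shape seen in the log
    print(scalar)     # flat list, but of file text, not FirewallRule IDs
```

Even with a scalar template the entries are rendered file text rather than rule IDs, so no `OS::Neutron::FirewallRule` resources exist for the policy to reference.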

Stats

Asked: 2016-07-07 14:45:30 -0500

Seen: 1,009 times

Last updated: Jul 29 '16