
martyj's profile - activity

2018-06-24 19:21:08 -0500 asked a question Create multiple security rules in repeat template

The existing Heat template uses the following expansion for security rules:

    signaling_security_group:
      type: OS::Neutron::SecurityGroup
      properties:
        name: foo
        rules: [
          {direction: ingress, remote_ip_prefix: {get_param: SGRemoteIpSIG}, protocol: ICMP, ethertype: IPv6},
          {direction: ingress, remote_ip_prefix: {get_param: SGRemoteIpSIG}, port_range_min: 53, port_range_max: 53, protocol: UDP, ethertype: IPv6},

          [ ... several more rules ...]

          {direction: egress, remote_ip_prefix: {get_param: SGRemoteIpSIG}, port_range_min: 3054, port_range_max: 3055, protocol: UDP, ethertype: IPv6}
        ]

SGRemoteIpSIG is defined as a string with a single IP prefix.

We now have a requirement for the same rules for multiple IP prefixes. So, repeat seems like a reasonable place to start.

I changed SGRemoteIpSIG to a comma_delimited_list of multiple prefixes and started with this:

    signaling_security_group:
      type: OS::Neutron::SecurityGroup
      properties:
        name: foo
        rules:
          repeat:
            for_each:
              <%addressPrefix%>: { get_param: SGRemoteIpSIG }
            template:
              {direction: ingress, remote_ip_prefix: <%addressPrefix%>, protocol: ICMP, ethertype: IPv6},
              {direction: ingress, remote_ip_prefix: <%addressPrefix%>, port_range_min: 53, port_range_max: 53, protocol: UDP, ethertype: IPv6},

              [... several more rules ...]

              {direction: egress, remote_ip_prefix: <%addressPrefix%>, port_range_min: 3054, port_range_max: 3055, protocol: UDP, ethertype: IPv6}

NOTHING I have been able to do will let me have multiple rules inside the template block. I even tried with multiple repeat blocks and that just seems to overwrite rule 0 with the data from the last repeat block.

The rules are asymmetric (ingress and egress) and some have port ranges while others have a single port. Nested for_each variables wouldn't work in this case.

This is on Newton (customer's release), but they're upgrading to Queens in a couple of months.

Thoughts?
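An added example (not from the original post) of one way to get every rule applied to every prefix: one repeat per rule template, joined with list_concat so each repeat's list is appended instead of several repeat: keys under rules: collapsing to the last one. It assumes the 2016-10-14 (Newton) template version, where list_concat is available; the parameter name, ports and protocols follow the question, and the default prefixes are constructed sample values.

```yaml
heat_template_version: 2016-10-14

parameters:
  SGRemoteIpSIG:
    type: comma_delimited_list
    description: IPv6 prefixes allowed to reach the signaling interfaces
    # Constructed sample values for illustration only
    default: "2001:db8:1::/64,2001:db8:2::/64"

resources:
  signaling_security_group:
    type: OS::Neutron::SecurityGroup
    properties:
      name: foo
      # Each repeat expands to a list with one rule per prefix; list_concat
      # joins those lists into the single rules list the resource expects.
      rules:
        list_concat:
          - repeat:
              for_each:
                <%addressPrefix%>: {get_param: SGRemoteIpSIG}
              template:
                {direction: ingress, remote_ip_prefix: <%addressPrefix%>, protocol: ICMP, ethertype: IPv6}
          - repeat:
              for_each:
                <%addressPrefix%>: {get_param: SGRemoteIpSIG}
              template:
                {direction: ingress, remote_ip_prefix: <%addressPrefix%>, port_range_min: 53, port_range_max: 53, protocol: UDP, ethertype: IPv6}
          # ... one repeat block per remaining rule template ...
          - repeat:
              for_each:
                <%addressPrefix%>: {get_param: SGRemoteIpSIG}
              template:
                {direction: egress, remote_ip_prefix: <%addressPrefix%>, port_range_min: 3054, port_range_max: 3055, protocol: UDP, ethertype: IPv6}
```

After the stack is created, `openstack security group rule list foo` should show one row per (rule template, prefix) pair, which is a quick way to confirm nothing was silently dropped or overwritten.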