diff --git a/.zuul.yaml b/.zuul.yaml index 571fdf3d..11b233a7 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -100,6 +100,7 @@ recordset role_assignment security_group + security_group_rule subnet subnet_pool user diff --git a/ci/roles/security_group/defaults/main.yml b/ci/roles/security_group/defaults/main.yml index 81f7822e..00310dd1 100644 --- a/ci/roles/security_group/defaults/main.yml +++ b/ci/roles/security_group/defaults/main.yml @@ -1,20 +1 @@ -expected_fields: - - created_at - - description - - direction - - ether_type - - id - - name - - port_range_max - - port_range_min - - project_id - - protocol - - remote_address_group_id - - remote_group_id - - remote_ip_prefix - - revision_number - - security_group_id - - tags - - tenant_id - - updated_at secgroup_name: shade_secgroup diff --git a/ci/roles/security_group/tasks/main.yml b/ci/roles/security_group/tasks/main.yml index 6e8b2bff..cde3c707 100644 --- a/ci/roles/security_group/tasks/main.yml +++ b/ci/roles/security_group/tasks/main.yml 
@@ -13,214 +13,6 @@ state: present description: Created from Ansible playbook -- name: Create empty ICMP rule - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: present - protocol: icmp - remote_ip_prefix: 0.0.0.0/0 - register: rule - -- name: Assert return fields - assert: - that: item in rule.rule - loop: "{{ expected_fields }}" - -- name: Assert changed - assert: - that: rule is changed - -- name: Create empty ICMP rule again - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: present - protocol: icmp - remote_ip_prefix: 0.0.0.0/0 - register: rule - -- name: Assert not changed - assert: - that: rule is not changed - -- name: Create -1 ICMP rule - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: present - protocol: icmp - port_range_min: -1 - port_range_max: -1 - remote_ip_prefix: 0.0.0.0/0 - register: rule - -- name: Assert not changed - assert: - that: rule is not changed - -- name: Create -1 ICMP rule again - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: present - protocol: icmp - port_range_min: -1 - port_range_max: -1 - remote_ip_prefix: 0.0.0.0/0 - register: rule - -- name: Assert not changed - assert: - that: rule is not changed - -- name: Create empty TCP rule - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: present - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - register: rule - -- name: Assert changed - assert: - that: rule is changed - -- name: Create TCP rule again with port range (1, 65535) - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: present - protocol: tcp - port_range_min: 1 - port_range_max: 65535 - remote_ip_prefix: 0.0.0.0/0 - register: rule - -- name: Assert changed - assert: - 
that: rule is not changed - -- name: Create TCP rule again with port range (-1, -1) - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: present - protocol: tcp - port_range_min: -1 - port_range_max: -1 - remote_ip_prefix: 0.0.0.0/0 - register: rule - -- name: Assert changed - assert: - that: rule is not changed - -- name: Create TCP rule again with defined range - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: present - protocol: tcp - port_range_min: 8000 - port_range_max: 9000 - remote_ip_prefix: 0.0.0.0/0 - register: rule - -- name: Assert changed - assert: - that: rule is changed - -- name: Create empty UDP rule - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: present - protocol: udp - remote_ip_prefix: 0.0.0.0/0 - -- name: Create UDP rule again with port range (1, 65535) - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: present - protocol: udp - port_range_min: 1 - port_range_max: 65535 - remote_ip_prefix: 0.0.0.0/0 - -- name: Create UDP rule again with port range (-1, -1) - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: present - protocol: udp - port_range_min: -1 - port_range_max: -1 - remote_ip_prefix: 0.0.0.0/0 - -- name: Create HTTP rule - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: present - protocol: tcp - port_range_min: 80 - port_range_max: 80 - remote_ip_prefix: 0.0.0.0/0 - -- name: Create egress rule - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: present - protocol: tcp - port_range_min: 30000 - port_range_max: 30001 - remote_ip_prefix: 0.0.0.0/0 - direction: egress - -- name: List all available rules of all security 
groups in a project - openstack.cloud.security_group_rule_info: - cloud: "{{ cloud }}" - when: sdk_version is version("0.32", '>=') - register: test_sec_rules - -- name: Check - List all available rules of all security groups in a project - assert: - that: - - test_sec_rules.security_group_rules | length > 0 - when: sdk_version is version("0.32", '>=') - -- name: List all available rules of a specific security group - openstack.cloud.security_group_rule_info: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - register: test_sec_rule1 - -- name: Check - List all available rules of a specific security group - assert: - that: - - test_sec_rule1.security_group_rules | length > 0 - -- name: List all available rules with filters - openstack.cloud.security_group_rule_info: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - protocol: tcp - port_range_min: 80 - port_range_max: 80 - remote_ip_prefix: 0.0.0.0/0 - when: sdk_version is version("0.32", '>=') - register: test_sec_rule - -- name: Check - List all available rules with filters - assert: - that: - - test_sec_rule.security_group_rules | length == 1 - when: sdk_version is version("0.32", '>=') - - name: List all security groups of a project openstack.cloud.security_group_info: cloud: "{{ cloud }}" 
@@ -245,62 +37,6 @@ # This fails on Stein only when: sdk_version is version("0.36.5", '>=') - -- name: Delete empty ICMP rule - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: absent - protocol: icmp - remote_ip_prefix: 0.0.0.0/0 - -- name: Delete -1 ICMP rule - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: absent - protocol: icmp - port_range_min: -1 - port_range_max: -1 - remote_ip_prefix: 0.0.0.0/0 - -- name: Delete empty TCP rule - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: absent - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - -- name: Delete empty UDP rule - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: absent - protocol: udp - remote_ip_prefix: 0.0.0.0/0 - -- name: Delete HTTP rule - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: absent - protocol: tcp - port_range_min: 80 - port_range_max: 80 - remote_ip_prefix: 0.0.0.0/0 - -- name: Delete egress rule - openstack.cloud.security_group_rule: - cloud: "{{ cloud }}" - security_group: "{{ secgroup_name }}" - state: absent - protocol: tcp - port_range_min: 30000 - port_range_max: 30001 - remote_ip_prefix: 0.0.0.0/0 - direction: egress - - name: Delete security group openstack.cloud.security_group: cloud: "{{ cloud }}" diff --git a/ci/roles/security_group_rule/defaults/main.yml b/ci/roles/security_group_rule/defaults/main.yml new file mode 100644 index 00000000..81f7822e --- /dev/null +++ b/ci/roles/security_group_rule/defaults/main.yml 
@@ -0,0 +1,20 @@ +expected_fields: + - created_at + - description + - direction + - ether_type + - id + - name + - port_range_max + - port_range_min + - project_id + - protocol + - remote_address_group_id + - remote_group_id + - remote_ip_prefix + - revision_number + - security_group_id + - tags + - tenant_id + - updated_at +secgroup_name: shade_secgroup diff --git a/ci/roles/security_group_rule/tasks/main.yml b/ci/roles/security_group_rule/tasks/main.yml new file mode 100644 index 00000000..739821b2 --- /dev/null +++ b/ci/roles/security_group_rule/tasks/main.yml 
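Review bot: `secgroup_name: shade_secgroup` in the new role's defaults is the same name the security_group role keeps in its own defaults (the deletion in the first file header above leaves that line in place), so the two roles now share one cloud resource name and the new role's first task deletes whatever group carries it. This appears to be harmless as long as the roles run strictly one after the other, but it couples their cleanup and would make a leftover from one role silently vanish in the other. Giving this role its own default, e.g. `secgroup_name: shade_secgroup_rule`, keeps the test fixtures isolated and makes stray resources attributable to the role that created them.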
@@ -0,0 +1,277 @@ +--- +- name: Ensure security group does not exist before tests + openstack.cloud.security_group: + cloud: "{{ cloud }}" + name: "{{ secgroup_name }}" + state: absent + description: Created from Ansible playbook + +- name: Create security group + openstack.cloud.security_group: + cloud: "{{ cloud }}" + name: "{{ secgroup_name }}" + state: present + description: Created from Ansible playbook + +- name: Create empty ICMP rule + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: present + protocol: icmp + remote_ip_prefix: 0.0.0.0/0 + register: rule + +- name: Assert return fields + assert: + that: item in rule.rule + loop: "{{ expected_fields }}" + +- name: Assert changed + assert: + that: rule is changed + +- name: Create empty ICMP rule again + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: present + protocol: icmp + remote_ip_prefix: 0.0.0.0/0 + register: rule + +- name: Assert not changed + assert: + that: rule is not changed + +- name: Create -1 ICMP rule + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: present + protocol: icmp + port_range_min: -1 + port_range_max: -1 + remote_ip_prefix: 0.0.0.0/0 + register: rule + +- name: Assert not changed + assert: + that: rule is not changed + +- name: Create -1 ICMP rule again + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: present + protocol: icmp + port_range_min: -1 + port_range_max: -1 + remote_ip_prefix: 0.0.0.0/0 + register: rule + +- name: Assert not changed + assert: + that: rule is not changed + +- name: Create empty TCP rule + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: present + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + register: rule + +- name: Assert changed + assert: + that: rule 
is changed + +- name: Create TCP rule again with port range (1, 65535) + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: present + protocol: tcp + port_range_min: 1 + port_range_max: 65535 + remote_ip_prefix: 0.0.0.0/0 + register: rule + +- name: Assert changed + assert: + that: rule is not changed + +- name: Create TCP rule again with port range (-1, -1) + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: present + protocol: tcp + port_range_min: -1 + port_range_max: -1 + remote_ip_prefix: 0.0.0.0/0 + register: rule + +- name: Assert changed + assert: + that: rule is not changed + +- name: Create TCP rule again with defined range + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: present + protocol: tcp + port_range_min: 8000 + port_range_max: 9000 + remote_ip_prefix: 0.0.0.0/0 + register: rule + +- name: Assert changed + assert: + that: rule is changed + +- name: Create empty UDP rule + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: present + protocol: udp + remote_ip_prefix: 0.0.0.0/0 + +- name: Create UDP rule again with port range (1, 65535) + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: present + protocol: udp + port_range_min: 1 + port_range_max: 65535 + remote_ip_prefix: 0.0.0.0/0 + +- name: Create UDP rule again with port range (-1, -1) + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: present + protocol: udp + port_range_min: -1 + port_range_max: -1 + remote_ip_prefix: 0.0.0.0/0 + +- name: Create HTTP rule + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: present + protocol: tcp + port_range_min: 80 + port_range_max: 80 + 
remote_ip_prefix: 0.0.0.0/0 + +- name: Create egress rule + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: present + protocol: tcp + port_range_min: 30000 + port_range_max: 30001 + remote_ip_prefix: 0.0.0.0/0 + direction: egress + +- name: List all available rules of all security groups in a project + openstack.cloud.security_group_rule_info: + cloud: "{{ cloud }}" + when: sdk_version is version("0.32", '>=') + register: test_sec_rules + +- name: Check - List all available rules of all security groups in a project + assert: + that: + - test_sec_rules.security_group_rules | length > 0 + when: sdk_version is version("0.32", '>=') + +- name: List all available rules of a specific security group + openstack.cloud.security_group_rule_info: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + register: test_sec_rule1 + +- name: Check - List all available rules of a specific security group + assert: + that: + - test_sec_rule1.security_group_rules | length > 0 + +- name: List all available rules with filters + openstack.cloud.security_group_rule_info: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + protocol: tcp + port_range_min: 80 + port_range_max: 80 + remote_ip_prefix: 0.0.0.0/0 + when: sdk_version is version("0.32", '>=') + register: test_sec_rule + +- name: Delete empty ICMP rule + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: absent + protocol: icmp + remote_ip_prefix: 0.0.0.0/0 + +- name: Delete -1 ICMP rule + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: absent + protocol: icmp + port_range_min: -1 + port_range_max: -1 + remote_ip_prefix: 0.0.0.0/0 + +- name: Delete empty TCP rule + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: absent + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + +- 
name: Delete empty UDP rule + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: absent + protocol: udp + remote_ip_prefix: 0.0.0.0/0 + +- name: Delete HTTP rule + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: absent + protocol: tcp + port_range_min: 80 + port_range_max: 80 + remote_ip_prefix: 0.0.0.0/0 + +- name: Delete egress rule + openstack.cloud.security_group_rule: + cloud: "{{ cloud }}" + security_group: "{{ secgroup_name }}" + state: absent + protocol: tcp + port_range_min: 30000 + port_range_max: 30001 + remote_ip_prefix: 0.0.0.0/0 + direction: egress + +- name: Delete security group + openstack.cloud.security_group: + cloud: "{{ cloud }}" + name: "{{ secgroup_name }}" + state: absent diff --git a/ci/run-collection.yml b/ci/run-collection.yml index b900e1c0..3d5246f1 100644 --- a/ci/run-collection.yml +++ b/ci/run-collection.yml @@ -58,6 +58,7 @@ - { role: role_assignment, tags: role_assignment } - { role: router, tags: router } - { role: security_group, tags: security_group } + - { role: security_group_rule, tags: security_group_rule } - { role: server, tags: server } - { role: subnet, tags: subnet } - { role: subnet_pool, tags: subnet_pool }
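Review bot: The `List all available rules with filters` task near the end of the new tasks file registers `test_sec_rule` but nothing consumes it; the `Check - List all available rules with filters` assert (`security_group_rules | length == 1`) that followed it in the old security_group role was dropped in the move, so the filtered lookup is exercised but no longer verified. It should be restored directly after that task, under the same `sdk_version` guard, because the registered variable is skipped on older SDKs. Separately, the two tasks named `Assert changed` that assert `rule is not changed` (the TCP `(1, 65535)` and `(-1, -1)` cases) are mislabelled and read as the opposite of what they check; renaming them `Assert not changed` keeps failure output honest. Since these tasks open `0.0.0.0/0` ingress rules in a real cloud project and the delete tasks only run if every earlier task passes, wrapping the body in a `block` with an `always` cleanup would stop a failed assert from leaving the wide-open group behind.
```yaml
# … unchanged: List all available rules with filters task …
  register: test_sec_rule

- name: Check - List all available rules with filters
  assert:
    that:
      - test_sec_rule.security_group_rules | length == 1
  when: sdk_version is version("0.32", '>=')
```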