From 912b5b865309b26064ba01569ce1f7f346b288d4 Mon Sep 17 00:00:00 2001
From: Alexander Tivelkov
Date: Thu, 12 Sep 2013 12:50:34 +0400
Subject: [PATCH] Added Default Murano Security group (workaround for MRN-630)
A new security group (called MuranoDefaultSecurityGroup) added. This group has tcp ports 22 an 3389 open, as well as icmp enabled. All murano-deployed instances are added to this group. SQLServer instances additionally are added to MsSqlSecurityGroup
Change-Id: I7cec5a44d95ae9e24a631a13504859125c01bbb5
---
 ...ecurity.template => SQL-security.template} | 22 ++-----------
 data/templates/cf/Windows.template | 31 +++++++++++++++++--
 data/workflows/MsSqlServer.xml | 27 +++++++++++++++-
 3 files changed, 57 insertions(+), 23 deletions(-)
 rename data/templates/cf/{Windows-w-SQL-security.template => SQL-security.template} (67%)
diff --git a/data/templates/cf/Windows-w-SQL-security.template b/data/templates/cf/SQL-security.template
similarity index 67%
rename from data/templates/cf/Windows-w-SQL-security.template
rename to data/templates/cf/SQL-security.template
index 5590cb5..2cc2a52 100644
--- a/data/templates/cf/Windows-w-SQL-security.template
+++ b/data/templates/cf/SQL-security.template
@@ -1,26 +1,11 @@
 {
- "AWSTemplateFormatVersion": "2010-09-09",
-
- "Parameters": {
- "KeyName": {
- "Description": "Key Pair name for Load Balancer",
- "Type": "String",
- "Default": "murano-lb-key"
- }
- },
-
 "Resources": {
 "$instanceName": {
- "Type": "AWS::EC2::Instance",
 "Properties": {
- "InstanceType": "$instanceType",
- "ImageId": "$imageName",
- "AvailabilityZone": "$availabilityZone",
- "UserData": "$userData",
- "SecurityGroups" : [ {"Ref" : "MsSqlSecuritygroup"} ]
+ "SecurityGroups" : [ {"Ref" : "MsSqlSecurityGroup"} ]
 }
 },
- "MsSqlSecuritygroup": {
+ "MsSqlSecurityGroup": {
 "Type": "AWS::EC2::SecurityGroup",
 "Properties": {
 "SecurityGroupIngress": [
@@ -52,8 +37,5 @@
 "GroupDescription": "Enable MS SQL access"
 }
 }
- },
-
- "Outputs": {
 }
 }
diff --git a/data/templates/cf/Windows.template b/data/templates/cf/Windows.template
index d42d425..c69fc8f 100644
--- a/data/templates/cf/Windows.template
+++ b/data/templates/cf/Windows.template
@@ -16,9 +16,36 @@
 "InstanceType" : "$instanceType",
 "ImageId" : "$imageName",
 "AvailabilityZone" : "$availabilityZone",
- "UserData": "$userData"
+ "UserData": "$userData",
+ "SecurityGroups" : [ {"Ref" : "MuranoDefaultSecurityGroup"} ]
 }
- }
+ },
+ "MuranoDefaultSecurityGroup": {
+ "Type": "AWS::EC2::SecurityGroup",
+ "Properties": {
+ "SecurityGroupIngress": [
+ {
+ "ToPort": 3389,
+ "IpProtocol": "tcp",
+ "FromPort": 3389,
+ "CidrIp": "0.0.0.0/0"
+ },
+ {
+ "ToPort": 22,
+ "IpProtocol": "tcp",
+ "FromPort": 22,
+ "CidrIp": "0.0.0.0/0"
+ },
+ {
+ "ToPort": -1,
+ "IpProtocol": "icmp",
+ "FromPort": -1,
+ "CidrIp": "0.0.0.0/0"
+ }
+ ],
+ "GroupDescription": "Default security group for Murano Environments"
+ }
+ }
 },
 "Outputs" : {
diff --git a/data/workflows/MsSqlServer.xml b/data/workflows/MsSqlServer.xml
index 5fee60e..547870a 100644
--- a/data/workflows/MsSqlServer.xml
+++ b/data/workflows/MsSqlServer.xml
@@ -13,7 +13,7 @@ (
@@ -44,6 +44,31 @@ + + + ( + + + + + ( + Unable to open SQL ports on instance ) due to
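Review bot: In data/templates/cf/Windows.template, all three ingress rules added to `MuranoDefaultSecurityGroup` use `"CidrIp": "0.0.0.0/0"`, so every instance built from this template accepts RDP (3389), SSH (22) and all ICMP types from any source address. Because the group is attached in the base template, this becomes the default exposure for every environment rather than something a deployer opts into. The source range should come from a substituted value instead of a literal, for example `"CidrIp": "$managementCidr"` (placeholder name, following the file's existing `$instanceType` substitution style), set to the operator's management network. If the Windows images deployed from this template do not run an SSH service, the port 22 rule can be dropped. The commit message calls the group a workaround for MRN-630, so a follow-up that narrows or removes it should be tracked.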