Add manila-service-security-group to limit manila ports (#412)
Add manila-service-security-group to the service project, in which manila
share instances will later be created.
diff --git a/roles/manila/tasks/generate_resources.yml b/roles/manila/tasks/generate_resources.yml
index b3969ac..63839ac 100644
--- a/roles/manila/tasks/generate_resources.yml
+++ b/roles/manila/tasks/generate_resources.yml
@@ -31,3 +31,34 @@
glance_image_url: "{{ manila_image_url }}"
glance_image_container_format: "{{ manila_image_container_format }}"
glance_image_disk_format: "{{ manila_image_disk_format }}"
+
+- name: Create generic share driver security group
+ openstack.cloud.security_group:
+ cloud: atmosphere
+ name: manila-service-security-group
+ project: service
+ register: _manila_service_security_group
+
+- name: Create generic share driver security group tcp rules
+ openstack.cloud.security_group_rule:
+ cloud: atmosphere
+ security_group: "{{ _manila_service_security_group.id }}"
+ direction: ingress
+ ethertype: IPv4
+ protocol: tcp
+ project: service
+ port_range_min: "{{ item }}"
+ port_range_max: "{{ item }}"
+ loop:
+ - 22
+ - 111
+ - 2049
+
+- name: Create generic share driver security group icmp rules
+ openstack.cloud.security_group_rule:
+ cloud: atmosphere
+ security_group: "{{ _manila_service_security_group.id }}"
+ direction: ingress
+ ethertype: IPv4
+ protocol: icmp
+ project: service
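Review bot: The TCP rule task (looping over 22, 111 and 2049) and the ICMP rule task set neither `remote_ip_prefix` nor `remote_group`. Assuming Neutron's usual behaviour of treating an unset remote as any source, SSH, rpcbind and NFS on the share service instances accept IPv4 traffic from any address that can route to them. The group therefore limits which ports are open but not who may reach them. Consider adding `remote_ip_prefix: "{{ manila_service_allowed_cidr }}"` to each rule task (the variable name is a placeholder, to be defined in the role defaults). If any-source ingress is intended because tenant share networks are not known in advance, say so in a comment above the tasks.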
diff --git a/roles/manila/vars/main.yml b/roles/manila/vars/main.yml
index abde25e..c6e2cfa 100644
--- a/roles/manila/vars/main.yml
+++ b/roles/manila/vars/main.yml
@@ -53,6 +53,7 @@
path_to_public_key: /etc/manila/ssh-keys/id_rsa.pub
service_image_name: "{{ manila_image_name }}"
service_instance_flavor_id: "{{ _manila_flavor.id }}"
+ service_instance_security_group: "{{ _manila_service_security_group.id }}"
keystone_authtoken:
# NOTE(okozachenko1203): We can remove it once the following is merged:
# https://review.opendev.org/883066
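Review bot: `service_instance_security_group` is set to the group's ID, but Manila's configuration reference describes this option as a security group name. If the generic driver resolves the group by name (worth confirming against the deployed Manila release), the UUID will not match `manila-service-security-group`, and the driver may create and attach a separate group instead of the one defined in generate_resources.yml. Passing the name, `service_instance_security_group: manila-service-security-group`, would avoid that. The value also depends on `_manila_service_security_group` being registered before these vars are templated. The enclosing mapping starts above this hunk and continues below it.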