Security group access from self not applied

Bug #1793336 reported by Konrad Mosoń
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Heat Translator | Incomplete | Undecided | Unassigned | |

Bug Description

Example stack:

```
resources:
  secgroup_infra:
    type: OS::Neutron::SecurityGroup
    properties:
      name: infra
      rules:
        repeat:
          for_each:
            <%from_ip%>: {get_param: secgroup_infra_allow_from}
            <%port%>: {get_param: secgroup_infra_allow_ports}
          template:
            remote_ip_prefix: <%from_ip%>
            protocol: tcp
            port_range_min: <%port%>
            port_range_max: <%port%>
  secrule_infra_same_secgroup:
    type: OS::Neutron::SecurityGroupRule
    properties:
      # BUG: can't add security group to the same security group...
      security_group: {get_resource: secgroup_infra}
      remote_group: {get_resource: secgroup_infra}
```

This stack is happily created/updated. But secrule_infra_same_secgroup is not really created (even though it's in state CREATED/UPDATED).

In Horizon I can add a rule that allows all hosts that have the same security group to access the host. When selecting "Remote group", the same secgroup is called "infra (current)" (in this case) and it works correctly.

But I can't set this in Heat.
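One way to confirm the mismatch described above is to compare the rules the template asks for with the rules Neutron actually holds for the group, instead of trusting the resource state Heat reports. The following is an added example, not code from the report or from Heat; it assumes the rule list has already been fetched from Neutron's security group rule listing, and the group ID, CIDR and ports are constructed values.

```python
from itertools import product

def expected_rules(group_id, from_ips, ports):
    """Rules the template asks for: one per (from_ip, port) permutation of the
    repeat block, plus the rule naming the group as its own remote group."""
    # Assumption: ingress for every rule, because the template sets no direction.
    want = [{"direction": "ingress", "protocol": "tcp", "remote_ip_prefix": ip,
             "port_range_min": port, "port_range_max": port,
             "remote_group_id": None}
            for ip, port in product(from_ips, ports)]
    want.append({"direction": "ingress", "remote_group_id": group_id})
    return want

def missing_rules(group_id, from_ips, ports, actual):
    """Return the expected rules that no rule reported by Neutron satisfies."""
    mine = [r for r in actual if r["security_group_id"] == group_id]

    def present(want):
        return any(all(r.get(k) == v for k, v in want.items()) for r in mine)

    return [w for w in expected_rules(group_id, from_ips, ports)
            if not present(w)]

def sample_rule(**fields):
    """Build one constructed rule using Neutron's security-group-rule fields."""
    rule = {"security_group_id": "sg-infra", "direction": "ingress",
            "ethertype": "IPv4", "protocol": None, "port_range_min": None,
            "port_range_max": None, "remote_ip_prefix": None,
            "remote_group_id": None}
    rule.update(fields)
    return rule

# Constructed sample: the group as Neutron might report it when the
# self-referencing rule is absent (two default egress rules, two tcp rules).
ACTUAL = [
    sample_rule(direction="egress"),
    sample_rule(direction="egress", ethertype="IPv6"),
    sample_rule(protocol="tcp", remote_ip_prefix="10.0.0.0/24",
                port_range_min=22, port_range_max=22),
    sample_rule(protocol="tcp", remote_ip_prefix="10.0.0.0/24",
                port_range_min=443, port_range_max=443),
]

if __name__ == "__main__":
    for rule in missing_rules("sg-infra", ["10.0.0.0/24"], [22, 443], ACTUAL):
        print("missing:", rule)
```

A non-empty result while the stack shows the rule resource as created is the condition this report describes.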

Bob Haddleton (bob-haddleton) wrote :

Hi Konrad, thanks for the bug report.

Is this an issue with the translation from TOSCA to HOT? Or is it an issue with how Heat implements the HOT template?

Thanks

Changed in heat-translator:
status: New → Incomplete