robot/assets/asdc/base_vfw/base_vfw.yaml

##########################################################################
#
##########################################################################

heat_template_version: 2013-05-23

description: Heat template that deploys vFirewall demo app for ONAP

##############
#            #
# PARAMETERS #
#            #
##############

parameters:
  vfw_image_name:
    type: string
    label: Image name or ID
    description: Image to be used for compute instance
  vfw_flavor_name:
    type: string
    label: Flavor
    description: Type of instance (flavor) to be used
  public_net_id:
    type: string
    label: Public network name or ID
    description: Public network that enables remote connection to VNF
  unprotected_private_net_id:
    type: string
    label: Unprotected private network name or ID
    description: Private network that connects vPacketGenerator with vFirewall
  protected_private_net_id:
    type: string
    label: Protected private network name or ID
    description: Private network that connects vFirewall with vSink
  onap_private_net_id:
    type: string
    label: ONAP management network name or ID
    description: Private network that connects ONAP components and the VNF
  onap_private_subnet_id:
    type: string
    label: ONAP management sub-network name or ID
    description: Private sub-network that connects ONAP components and the VNF
  unprotected_private_net_cidr:
    type: string
    label: Unprotected private network CIDR
    description: The CIDR of the unprotected private network
  protected_private_net_cidr:
    type: string
    label: Protected private network CIDR
    description: The CIDR of the protected private network
  onap_private_net_cidr:
    type: string
    label: ONAP private network CIDR
    description: The CIDR of the protected private network
  vfw_private_ip_0:
    type: string
    label: vFirewall private IP address towards the unprotected network
    description: Private IP address that is assigned to the vFirewall to communicate with the vPacketGenerator
  vfw_private_ip_1:
    type: string
    label: vFirewall private IP address towards the protected network
    description: Private IP address that is assigned to the vFirewall to communicate with the vSink
  vfw_private_ip_2:
    type: string
    label: vFirewall private IP address towards the ONAP management network
    description: Private IP address that is assigned to the vFirewall to communicate with ONAP components
  vpg_private_ip_0:
    type: string
    label: vPacketGenerator private IP address towards the unprotected network
    description: Private IP address that is assigned to the vPacketGenerator to communicate with the vFirewall
  vpg_private_ip_1:
    type: string
    label: vPacketGenerator private IP address towards the ONAP management network
    description: Private IP address that is assigned to the vPacketGenerator to communicate with ONAP components
  vsn_private_ip_0:
    type: string
    label: vSink private IP address towards the protected network
    description: Private IP address that is assigned to the vSink to communicate with the vFirewall
  vsn_private_ip_1:
    type: string
    label: vSink private IP address towards the ONAP management network
    description: Private IP address that is assigned to the vSink to communicate with ONAP components
  vfw_name_0:
    type: string
    label: vFirewall name
    description: Name of the vFirewall
  vpg_name_0:
    type: string
    label: vPacketGenerator name
    description: Name of the vPacketGenerator
  vsn_name_0:
    type: string
    label: vSink name
    description: Name of the vSink
  vnf_id:
    type: string
    label: VNF ID
    description: The VNF ID is provided by ONAP
  vf_module_id:
    type: string
    label: vFirewall module ID
    description: The vFirewall Module ID is provided by ONAP
  dcae_collector_ip:
    type: string
    label: DCAE collector IP address
    description: IP address of the DCAE collector
  dcae_collector_port:
    type: string
    label: DCAE collector port
    description: Port of the DCAE collector
  key_name:
    type: string
    label: Key pair name
    description: Public/Private key pair name
  pub_key:
    type: string
    label: Public key
    description: Public key to be installed on the compute instance
  repo_url_blob:
    type: string
    label: Repository URL
    description: URL of the repository that hosts the demo packages
  repo_url_artifacts:
    type: string
    label: Repository URL
    description: URL of the repository that hosts the demo packages
  install_script_version:
    type: string
    label: Installation script version number
    description: Version number of the scripts that install the vFW demo app
  demo_artifacts_version:
    type: string
    label: Artifacts version used in demo vnfs
    description: Artifacts (jar, tar.gz) version used in demo vnfs
  cloud_env:
    type: string
    label: Cloud environment
    description: Cloud environment (e.g., openstack, rackspace)

#############
#           #
# RESOURCES #
#           #
#############

resources:
  random-str:
    type: OS::Heat::RandomString
    properties:
      length: 4

  my_keypair:
    type: OS::Nova::KeyPair
    properties:
      name:
        str_replace:
          template: base_rand
          params:
            base: { get_param: key_name }
            rand: { get_resource: random-str }
      public_key: { get_param: pub_key }
      save_private_key: false

  unprotected_private_network:
    type: OS::Neutron::Net
    properties:
      name: { get_param: unprotected_private_net_id }

  protected_private_network:
    type: OS::Neutron::Net
    properties:
      name: { get_param: protected_private_net_id }

  unprotected_private_subnet:
    type: OS::Neutron::Subnet
    properties:
      network_id: { get_resource: unprotected_private_network }
      cidr: { get_param: unprotected_private_net_cidr }

  protected_private_subnet:
    type: OS::Neutron::Subnet
    properties:
      network_id: { get_resource: protected_private_network }
      cidr: { get_param: protected_private_net_cidr }

  # Virtual Firewall instantiation
  vfw_private_0_port:
    type: OS::Neutron::Port
    properties:
      network: { get_resource: unprotected_private_network }
      fixed_ips: [{"subnet": { get_resource: unprotected_private_subnet }, "ip_address": { get_param: vfw_private_ip_0 }}]

  vfw_private_1_port:
    type: OS::Neutron::Port
    properties:
      allowed_address_pairs: [{ "ip_address": { get_param: vpg_private_ip_0 }}]
      network: { get_resource: protected_private_network }
      fixed_ips: [{"subnet": { get_resource: protected_private_subnet }, "ip_address": { get_param: vfw_private_ip_1 }}]

  vfw_private_2_port:
    type: OS::Neutron::Port
    properties:
      network: { get_param: onap_private_net_id }
      fixed_ips: [{"subnet": { get_param: onap_private_subnet_id }, "ip_address": { get_param: vfw_private_ip_2 }}]

  vfw_0:
    type: OS::Nova::Server
    properties:
      image: { get_param: vfw_image_name }
      flavor: { get_param: vfw_flavor_name }
      name: { get_param: vfw_name_0 }
      key_name: { get_resource: my_keypair }
      networks:
        - network: { get_param: public_net_id }
        - port: { get_resource: vfw_private_0_port }
        - port: { get_resource: vfw_private_1_port }
        - port: { get_resource: vfw_private_2_port }
      metadata: {vnf_id: { get_param: vnf_id }, vf_module_id: { get_param: vf_module_id }}
      user_data_format: RAW
      user_data:
        str_replace:
          params:
            __dcae_collector_ip__ : { get_param: dcae_collector_ip }
            __dcae_collector_port__ : { get_param: dcae_collector_port }
            __repo_url_blob__ : { get_param: repo_url_blob }
            __repo_url_artifacts__ : { get_param: repo_url_artifacts }
            __demo_artifacts_version__ : { get_param: demo_artifacts_version }
            __install_script_version__ : { get_param: install_script_version }
            __vfw_private_ip_0__ : { get_param: vfw_private_ip_0 }
            __vfw_private_ip_1__ : { get_param: vfw_private_ip_1 }
            __vfw_private_ip_2__ : { get_param: vfw_private_ip_2 }
            __unprotected_private_net_cidr__ : { get_param: unprotected_private_net_cidr }
            __protected_private_net_cidr__ : { get_param: protected_private_net_cidr }
            __onap_private_net_cidr__ : { get_param: onap_private_net_cidr }
            __cloud_env__ : { get_param: cloud_env }
          template: |
            #!/bin/bash
            
            # Create configuration files
            mkdir /opt/config
            echo "__dcae_collector_ip__" > /opt/config/dcae_collector_ip.txt
            echo "__dcae_collector_port__" > /opt/config/dcae_collector_port.txt
            echo "__repo_url_blob__" > /opt/config/repo_url_blob.txt
            echo "__repo_url_artifacts__" > /opt/config/repo_url_artifacts.txt
            echo "__demo_artifacts_version__" > /opt/config/demo_artifacts_version.txt
            echo "__install_script_version__" > /opt/config/install_script_version.txt
            echo "__vfw_private_ip_0__" > /opt/config/vfw_private_ip_0.txt
            echo "__vfw_private_ip_1__" > /opt/config/vfw_private_ip_1.txt
            echo "__vfw_private_ip_2__" > /opt/config/vfw_private_ip_2.txt
            echo "__unprotected_private_net_cidr__" > /opt/config/unprotected_private_net_cidr.txt
            echo "__protected_private_net_cidr__" > /opt/config/protected_private_net_cidr.txt
            echo "__onap_private_net_cidr__" > /opt/config/onap_private_net_cidr.txt
            echo "__cloud_env__" > /opt/config/cloud_env.txt
            
            # Download and run install script
            curl -k __repo_url_blob__/org.onap.demo/vnfs/vfw/__install_script_version__/v_firewall_install.sh -o /opt/v_firewall_install.sh
            cd /opt
            chmod +x v_firewall_install.sh
            ./v_firewall_install.sh


  # Virtual Packet Generator instantiation
  vpg_private_0_port:
    type: OS::Neutron::Port
    properties:
      network: { get_resource: unprotected_private_network }
      fixed_ips: [{"subnet": { get_resource: unprotected_private_subnet }, "ip_address": { get_param: vpg_private_ip_0 }}]

  vpg_private_1_port:
    type: OS::Neutron::Port
    properties:
      network: { get_param: onap_private_net_id }
      fixed_ips: [{"subnet": { get_param: onap_private_subnet_id }, "ip_address": { get_param: vpg_private_ip_1 }}]

  vpg_0:
    type: OS::Nova::Server
    properties:
      image: { get_param: vfw_image_name }
      flavor: { get_param: vfw_flavor_name }
      name: { get_param: vpg_name_0 }
      key_name: { get_resource: my_keypair }
      networks:
        - network: { get_param: public_net_id }
        - port: { get_resource: vpg_private_0_port }
        - port: { get_resource: vpg_private_1_port }
      metadata: {vnf_id: { get_param: vnf_id }, vf_module_id: { get_param: vf_module_id }}
      user_data_format: RAW
      user_data:
        str_replace:
          params:
            __fw_ipaddr__: { get_param: vfw_private_ip_0 }
            __protected_net_cidr__: { get_param: protected_private_net_cidr }
            __sink_ipaddr__: { get_param: vsn_private_ip_0 }
            __repo_url_blob__ : { get_param: repo_url_blob }
            __repo_url_artifacts__ : { get_param: repo_url_artifacts }
            __demo_artifacts_version__ : { get_param: demo_artifacts_version }
            __install_script_version__ : { get_param: install_script_version }
            __vpg_private_ip_0__ : { get_param: vpg_private_ip_0 }
            __vpg_private_ip_1__ : { get_param: vpg_private_ip_1 }
            __unprotected_private_net_cidr__ : { get_param: unprotected_private_net_cidr }
            __onap_private_net_cidr__ : { get_param: onap_private_net_cidr }
            __cloud_env__ : { get_param: cloud_env }
          template: |
            #!/bin/bash
            
            # Create configuration files
            mkdir /opt/config
            echo "__fw_ipaddr__" > /opt/config/fw_ipaddr.txt
            echo "__protected_net_cidr__" > /opt/config/protected_net_cidr.txt
            echo "__sink_ipaddr__" > /opt/config/sink_ipaddr.txt
            echo "__repo_url_blob__" > /opt/config/repo_url_blob.txt
            echo "__repo_url_artifacts__" > /opt/config/repo_url_artifacts.txt
            echo "__demo_artifacts_version__" > /opt/config/demo_artifacts_version.txt
            echo "__install_script_version__" > /opt/config/install_script_version.txt
            echo "__vpg_private_ip_0__" > /opt/config/vpg_private_ip_0.txt
            echo "__vpg_private_ip_1__" > /opt/config/vpg_private_ip_1.txt
            echo "__unprotected_private_net_cidr__" > /opt/config/unprotected_private_net_cidr.txt
            echo "__onap_private_net_cidr__" > /opt/config/onap_private_net_cidr.txt
            echo "__cloud_env__" > /opt/config/cloud_env.txt
            
            # Download and run install script
            curl -k __repo_url_blob__/org.onap.demo/vnfs/vfw/__install_script_version__/v_packetgen_install.sh -o /opt/v_packetgen_install.sh
            cd /opt
            chmod +x v_packetgen_install.sh
            ./v_packetgen_install.sh


  # Virtual Sink instantiation
  vsn_private_0_port:
    type: OS::Neutron::Port
    properties:
      network: { get_resource: protected_private_network }
      fixed_ips: [{"subnet": { get_resource: protected_private_subnet }, "ip_address": { get_param: vsn_private_ip_0 }}]

  vsn_private_1_port:
    type: OS::Neutron::Port
    properties:
      network: { get_param: onap_private_net_id }
      fixed_ips: [{"subnet": { get_param: onap_private_subnet_id }, "ip_address": { get_param: vsn_private_ip_1 }}]

  vsn_0:
    type: OS::Nova::Server
    properties:
      image: { get_param: vfw_image_name }
      flavor: { get_param: vfw_flavor_name }
      name: { get_param: vsn_name_0 }
      key_name: { get_resource: my_keypair }
      networks:
        - network: { get_param: public_net_id }
        - port: { get_resource: vsn_private_0_port }
        - port: { get_resource: vsn_private_1_port }
      metadata: {vnf_id: { get_param: vnf_id }, vf_module_id: { get_param: vf_module_id }}
      user_data_format: RAW
      user_data:
        str_replace:
          params:
            __protected_net_gw__: { get_param: vfw_private_ip_1 }
            __unprotected_net__: { get_param: unprotected_private_net_cidr }
            __repo_url_blob__ : { get_param: repo_url_blob }
            __repo_url_artifacts__ : { get_param: repo_url_artifacts }
            __install_script_version__ : { get_param: install_script_version }
            __vsn_private_ip_0__ : { get_param: vsn_private_ip_0 }
            __vsn_private_ip_1__ : { get_param: vsn_private_ip_1 }
            __protected_private_net_cidr__ : { get_param: protected_private_net_cidr }
            __onap_private_net_cidr__ : { get_param: onap_private_net_cidr }
            __cloud_env__ : { get_param: cloud_env }
          template: |
            #!/bin/bash
            
            # Create configuration files
            mkdir /opt/config
            echo "__protected_net_gw__" > /opt/config/protected_net_gw.txt
            echo "__unprotected_net__" > /opt/config/unprotected_net.txt
            echo "__repo_url_blob__" > /opt/config/repo_url_blob.txt
            echo "__install_script_version__" > /opt/config/install_script_version.txt
            echo "__vsn_private_ip_0__" > /opt/config/vsn_private_ip_0.txt
            echo "__vsn_private_ip_1__" > /opt/config/vsn_private_ip_1.txt
            echo "__protected_private_net_cidr__" > /opt/config/protected_private_net_cidr.txt
            echo "__onap_private_net_cidr__" > /opt/config/onap_private_net_cidr.txt
            echo "__cloud_env__" > /opt/config/cloud_env.txt
            
            # Download and run install script
            curl -k __repo_url_blob__/org.onap.demo/vnfs/vfw/__install_script_version__/v_sink_install.sh -o /opt/v_sink_install.sh
            cd /opt
            chmod +x v_sink_install.sh
            ./v_sink_install.sh