[1598] Ability to attach multiple security groups to yugabyte nodes
Summary:
A simpler way to achieve this was to have the user provide
the security groups as a comma-delimited string, which we split
on the ybcloud side.

Test Plan:
Test1:
* Setup a AWS provider with comma delimited security group
* Created a universe
* Validated the nodes had multiple security groups attached.
Test2:
* Setup a AWS provider with single security group
* Created a universe
* Validated the nodes had only one security group attached.
Test3:
* Setup a AWS provider with VPC automatically created
* Created a universe
* Validated the nodes had YB specific security group attached.

Reviewers: wesley, bogdan

Reviewed By: bogdan

Subscribers: jenkins-bot, rao

Differential Revision: https://phabricator.dev.yugabyte.com/D8213
Ram Sri committed Apr 1, 2020
1 parent b7ee2e1 commit 99daa74
Showing 2 changed files with 19 additions and 15 deletions.
3 changes: 2 additions & 1 deletion managed/devops/opscli/ybops/cloud/aws/method.py
Expand Up @@ -42,7 +42,8 @@ def add_extra_args(self):
super(AwsCreateInstancesMethod, self).add_extra_args()
self.parser.add_argument("--key_pair_name", default=os.environ.get("YB_EC2_KEY_PAIR_NAME"),
help="AWS Key Pair name")
self.parser.add_argument("--security_group_id", default=None, help="AWS security group ID.")
self.parser.add_argument("--security_group_id", default=None,
help="AWS comma delimited security group IDs.")
self.parser.add_argument("--volume_type", choices=["gp2", "io1"], default="gp2",
help="Volume type for volumes on EBS-backed instances.")
self.parser.add_argument("--spot_price", default=None,
31 changes: 17 additions & 14 deletions managed/devops/opscli/ybops/cloud/aws/utils.py
Expand Up @@ -152,6 +152,7 @@ def __init__(self):
self.region = None
self.vpc = None
self.sg_yugabyte = None
self.customer_sgs = None
self.route_table = None
self.subnets = None

Expand All @@ -177,9 +178,9 @@ def from_user_json(region, per_region_meta):
c.vpc = client.Vpc(vpc_id)
else:
c.vpc = get_vpc(client, RESOURCE_PREFIX_FORMAT.format(region))
sg_id = per_region_meta.get("customSecurityGroupId")
if sg_id:
c.sg_yugabyte = client.SecurityGroup(sg_id)
sg_ids = per_region_meta.get("customSecurityGroupId")
if sg_ids:
c.customer_sgs = [client.SecurityGroup(sg_id) for sg_id in sg_ids.split(",")]
else:
c.sg_yugabyte = get_security_group(
client, SG_YUGABYTE_PREFIX_FORMAT.format(region), c.vpc)
Expand All @@ -195,7 +196,8 @@ def from_user_json(region, per_region_meta):
return c

def as_json(self):
return vpc_components_as_json(self.vpc, self.sg_yugabyte, self.subnets)
sgs = self.customer_sgs if self.customer_sgs else [self.sg_yugabyte]
return vpc_components_as_json(self.vpc, sgs, self.subnets)


class AwsBootstrapClient():
Expand Down Expand Up @@ -619,9 +621,9 @@ def set_yb_sg_and_fetch_vpc(metadata, region, dest_vpc_id):
for r in rules:
r.update({"cidr_ip": IGW_CIDR})
add_cidr_to_rules(rules, dest_vpc.cidr_block)
sg = create_security_group(client=client, group_name=sg_group_name, vpc=dest_vpc,
description="YugaByte SG", rules=rules)
return vpc_components_as_json(dest_vpc, sg, subnets)
sgs = [create_security_group(client=client, group_name=sg_group_name, vpc=dest_vpc,
description="YugaByte SG", rules=rules)]
return vpc_components_as_json(dest_vpc, sgs, subnets)


def query_vpc(region):
Expand Down Expand Up @@ -683,18 +685,18 @@ def _get_name_from_tags(tags):
return None


def vpc_components_as_json(vpc, sg, subnets):
def vpc_components_as_json(vpc, sgs, subnets):
"""Method takes VPC, Security Group and Subnets and returns a json data format with ids.
Args:
vpc (VPC Object): Region specific VPC object
sg (Security Group Object): Region specific Security Group object
sgs (List of Security Group Object): Region specific Security Group object
subnets (subnet object map): Map of Subnet objects keyed of zone.
Retuns:
json (str): A Json string for yugaware to consume with necessary ids.
"""
result = {}
result["vpc_id"] = vpc.id
result["security_group"] = {"id": sg.group_id, "name": sg.group_name}
result["security_group"] = [{"id": sg.group_id, "name": sg.group_name} for sg in sgs]
result["zones"] = {}
for zone, subnet in subnets.iteritems():
result["zones"][zone] = subnet.id
Expand Down Expand Up @@ -856,8 +858,9 @@ def create_instance(args):
"InstanceType": args.instance_type,
}
# Network setup.
sg_id = args.security_group_id
if sg_id is None:
# Lets assume they have provided security group id comma delimited.
sg_ids = args.security_group_id.split(",") if args.security_group_id else None
if sg_ids is None:
# Figure out which VPC this instance will be brought up in and search for the SG in there.
# This is for a bit of backwards compatibility with the previous mode of potentially using
# YW's VPC, in which we would still deploy a SG with the same name as in our normal VPCs.
Expand All @@ -867,12 +870,12 @@ def create_instance(args):
vpc = get_vpc_for_subnet(client, args.cloud_subnet)
sg_name = get_yb_sg_name(args.region)
sg = get_security_group(client, sg_name, vpc)
sg_id = sg.id
sg_ids = [sg.id]
vars["NetworkInterfaces"] = [{
"DeviceIndex": 0,
"AssociatePublicIpAddress": args.assign_public_ip,
"SubnetId": args.cloud_subnet,
"Groups": [sg_id]
"Groups": sg_ids
}]
# Volume setup.
volumes = []
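Review bot: The `.split(",")` in create_instance (the `sg_ids = args.security_group_id.split(",") ...` line) and the matching split in from_user_json (`c.customer_sgs = [client.SecurityGroup(sg_id) for sg_id in sg_ids.split(",")]`) keep surrounding whitespace and empty entries, so a value like `sg-a, sg-b` or a trailing comma yields `" sg-b"` or `""`, which EC2 would likely reject as a malformed group id rather than silently ignore; both splits should normalize the user input, e.g. `sg_ids = [s.strip() for s in args.security_group_id.split(",") if s.strip()] if args.security_group_id else None`. The IDs come straight from provider configuration and are attached to the node's network interface without any check that they exist in the target VPC, so a short comment noting that boto/EC2 is the only validation point would help the next reader. Separately, `result["security_group"]` in vpc_components_as_json changes from a single object to a list; if yugaware still parses that field as an object this is a wire-format break that the two files shown here do not cover, so it is worth confirming the consumer was updated. The docstring line `sgs (List of Security Group Object): Region specific Security Group object` should read `Region specific Security Group objects` to match the new list type. create_instance starts before this hunk and continues past it.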
