Dynamically generated params with mine
daks opened this issue · comments
Hello,
We are actually happily using this formula, but we are facing a new need, to dynamically generate a parameter with the salt mine.
Our situation looks like:
- a server S which provides a service on port P
- a bunch of 'client' servers C, they need to access the service on S
- C are tagged/identified/configured with a pillar

```yaml
UseService: True
```

If we want to maintain firewall of S to only open port P, we could use a pillar like this

```yaml
shorewall:
  rules:
    NEW:
      - action: ACCEPT
      - source: $S_CLIENTS
      - dest: $FW
      - proto: tcp
      - destport: P
```

But the param S_CLIENTS can only be specified statically with

```yaml
shorewall:
  params:
    - key: S_CLIENTS
      value: 10.10.10.1,10.10.10.2,10.10.10.3
```

The only solution I see would be to let shorewall:params manage (in addition to actual static values) mine queries. Something like what mysql-formula already implements. New pillar could look like

```yaml
shorewall:
  params:
    - key: S_CLIENTS
      mine:
        target: I@UseService
        function: <mine function to retrieve public IP>
        expr_form: compound
```

I already have some code to implement this idea (which still needs work before any PR), but I would like to know what users think about this idea.
Hi,
this looks to be really interesting.
Do you already have a proof of concept?
If you want help/reviews/opinions just write me about it!
@Sjd-Risca my code is here https://github.com/daks/shorewall-formula/tree/dynamic-params.
I think that the only thing missing is the possibility to specify what you want to do with the data retrieved from the salt mine. E.g. in my code https://github.com/daks/shorewall-formula/blob/dynamic-params/shorewall/files/params.jinja#L46

```jinja
{{ result[0] }}{%- if not loop.last -%}{{','}}{%- endif -%}
```

but I'm not sure there could not be other requests whose results need different processing.
code has been merged
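
The result handling discussed in this thread, as an added Python sketch that is not the formula's code: it takes the first value each minion returned from the mine, as the `result[0]` template line does, but checks that it is an IP address before it reaches the firewall params, and refuses to render an empty list. The function names, the `KEY=value` output line, the sample data and the assumption that the mine function returns a list of address strings per minion are all assumptions.

```python
import ipaddress

def validated_first_addresses(mine_result):
    """Pick result[0] per minion (as the template does) and keep only valid IPs."""
    accepted, rejected = set(), {}
    for minion_id, result in mine_result.items():
        first = result[0] if isinstance(result, (list, tuple)) and result else None
        # Require a plain string: ip_address() also accepts integers, and newer
        # Python versions accept an IPv6 scope id ("%...") holding free-form text.
        if not isinstance(first, str) or "%" in first:
            rejected[minion_id] = result
            continue
        try:
            accepted.add(ipaddress.ip_address(first))
        except ValueError:
            rejected[minion_id] = result
    # Deterministic order keeps the rendered file stable between highstates.
    ordered = sorted(accepted, key=lambda a: (a.version, int(a)))
    return [str(a) for a in ordered], rejected

def render_param(key, mine_result):
    """Return (params line, rejected entries); fail closed when nothing is valid."""
    addresses, rejected = validated_first_addresses(mine_result)
    if not addresses:
        raise ValueError(f"no valid address for {key}; refusing to render an empty param")
    return f"{key}={','.join(addresses)}", rejected

# Constructed sample shaped like a mine query result: {minion_id: returned value}.
SAMPLE_MINE_RESULT = {
    "c1.example": ["10.10.10.1", "192.168.0.5"],  # only the first entry is used
    "c2.example": ["10.10.10.2"],
    "c3.example": [],                             # minion with no mine data yet
    "c4.example": ["not-an-address"],             # malformed value, rejected
}

if __name__ == "__main__":
    line, rejected = render_param("S_CLIENTS", SAMPLE_MINE_RESULT)
    print(line)
    for minion_id, value in sorted(rejected.items()):
        print(f"rejected {minion_id}: {value!r}")
```

Mine data is published by the client minions themselves, so the rejected entries are worth logging rather than dropping silently.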