Closed Bug 1100573 Opened 10 years ago Closed 10 years ago

Remove releng AWS puppet masters from address books

Categories

(Infrastructure & Operations Graveyard :: NetOps: DC ACL Request, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: dcurado)

Simplifying! All of these can go:

> delete security policies from-zone bb to-zone vpc policy bb-vpc--puppet
> delete security policies from-zone bb to-zone vpc policy releng-puppet
> delete security policies from-zone build to-zone vpc policy releng-puppet--puppet
> delete security policies from-zone dc to-zone vpc policy releng-puppet--puppet
> delete security policies from-zone inband to-zone vpc policy releng-puppet--puppet
> delete security policies from-zone mobile to-zone vpc policy releng-puppet
> delete security policies from-zone openstack_stage to-zone vpc policy openstack-stage--puppet
> delete security policies from-zone openstack_stage to-zone vpc policy releng-puppet--puppet
> delete security policies from-zone pod to-zone vpc policy releng-puppet
> delete security policies from-zone relabs to-zone vpc policy releng-puppet
> delete security policies from-zone servo to-zone vpc policy releng-puppet
> delete security policies from-zone srv to-zone vpc policy releng-puppet--puppet
> delete security policies from-zone test to-zone vpc policy releng-puppet--puppet
> delete security policies from-zone try to-zone vpc policy releng-puppet--puppet
> delete security policies from-zone vpc to-zone untrust policy puppet-github
> delete security policies from-zone winbuild to-zone vpc policy releng-puppet--puppet
> delete security policies from-zone wintest to-zone vpc policy releng-puppet--puppet
> delete security policies from-zone wintry to-zone vpc policy releng-puppet--puppet
> delete security zones security-zone vpc address-book address servo-puppet1.srv.servo.releng.use1 10.134.82.20/32
> delete security zones security-zone vpc address-book address releng-puppet1.srv.releng.use1 10.134.48.57/32
> delete security zones security-zone vpc address-book address releng-puppet2.srv.releng.use1 10.134.49.5/32
> delete security zones security-zone vpc address-book address releng-puppet1.srv.releng.usw2 10.132.48.212/32
> delete security zones security-zone vpc address-book address releng-puppet2.srv.releng.usw2 10.132.48.229/32
> delete security zones security-zone vpc address-book address-delete releng-puppet address releng-puppet1.srv.releng.use1
> delete security zones security-zone vpc address-book address-delete releng-puppet address releng-puppet2.srv.releng.use1
> delete security zones security-zone vpc address-book address-delete releng-puppet address releng-puppet1.srv.releng.usw2
> delete security zones security-zone vpc address-book address-delete releng-puppet address releng-puppet2.srv.releng.usw2
> delete security zones security-zone vpc address-book address-delete all-releng-puppet address releng-puppet1.srv.releng.use1
> delete security zones security-zone vpc address-book address-delete all-releng-puppet address releng-puppet2.srv.releng.use1
> delete security zones security-zone vpc address-book address-delete all-releng-puppet address releng-puppet1.srv.releng.usw2
> delete security zones security-zone vpc address-book address-delete all-releng-puppet address releng-puppet2.srv.releng.usw2

(and if you look at all of that you'll see it's pretty darn redundant!)
working on this.
Assignee: network-operations → dcurado
Status: NEW → ASSIGNED
Some comments from Dave:

First of all, thank you very much for spending the time and energy to remove un-needed firewall configuration. Every time I do a commit on some of our firewalls, I am worried by the amount of time it takes the firewall to get it done -- the configurations are large in proportion to the amount of CPU the firewall has. And while we get a steady stream of requests to add stuff, the requests to remove things are few and far between. i.e. lots of dead wood.

Second thing, just as an FYI... not a request to change anything, just sharing... these things:

> delete security zones security-zone vpc address-book address-delete releng-puppet address releng-puppet1.srv.releng.use1
> delete security zones security-zone vpc address-book address-delete releng-puppet address releng-puppet2.srv.releng.use1
> delete security zones security-zone vpc address-book address-delete releng-puppet address releng-puppet1.srv.releng.usw2
> delete security zones security-zone vpc address-book address-delete releng-puppet address releng-puppet2.srv.releng.usw2
> delete security zones security-zone vpc address-book address-delete all-releng-puppet address releng-puppet1.srv.releng.use1
> delete security zones security-zone vpc address-book address-delete all-releng-puppet address releng-puppet2.srv.releng.use1
> delete security zones security-zone vpc address-book address-delete all-releng-puppet address releng-puppet1.srv.releng.usw2
> delete security zones security-zone vpc address-book address-delete all-releng-puppet address releng-puppet2.srv.releng.usw2

are actually address-sets, and deleting them can be done with:

delete security zones security-zone vpc address-book address-set releng-puppet
delete security zones security-zone vpc address-book address-set all-releng-puppet

Finally, I could not delete this address-book entry:

delete security zones security-zone vpc address-book address servo-puppet1.srv.servo.releng.use1 10.134.82.20/32

because it is referenced in this policy:

policy servo-puppet1_srv_servo_releng_use1--puppet

Thanks again!
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Heh, I copied the 'show .. | display set' output and changed 'set' to 'delete', but should have looked a little harder. Thanks for getting my meaning :)

We have another delete coming for servo which will take care of that last addressbook entry.

I like deleting things too! I'll have another one soon that leaves from-zone <*> to-zone vpc as a blanket permit (basically making vpc another dc-like zone), once bug 1058225 lands.
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
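
The two problems raised in this thread (a blanket 'set' to 'delete' substitution turning address-set into address-delete, and an address-book entry that cannot go because a remaining policy references it) can be caught before a change request is filed. This is an added example, not code from the bug or from Mozilla's tooling; the function name, the sample configuration and its addresses are constructed, and it assumes zone-attached address books.

```python
import re

POLICY = re.compile(r"^set (security policies from-zone (\S+) to-zone (\S+) "
                    r"policy (\S+))(?: (.*))?$")
BOOK = re.compile(r"^set (security zones security-zone (\S+) address-book "
                  r"(?:address|address-set) (\S+))(?: .*)?$")
MATCH_ADDR = re.compile(r"^match (source|destination)-address (\S+)$")

def plan_deletes(remove_lines, running_lines):
    """Return (commands, blocked) for the `display set` lines to remove.

    blocked maps an address-book name to the policies that stay in the
    configuration and still reference it.
    """
    removed = {m.group(2, 3, 4) for m in map(POLICY.match, remove_lines) if m}
    in_use = {}  # (zone, name) -> names of remaining policies
    for m in filter(None, map(POLICY.match, running_lines)):
        ref = MATCH_ADDR.match(m.group(5) or "")
        if ref and m.group(2, 3, 4) not in removed:
            # Assumption: source-address is looked up in the from-zone
            # address book, destination-address in the to-zone one.
            zone = m.group(2) if ref.group(1) == "source" else m.group(3)
            in_use.setdefault((zone, ref.group(2)), []).append(m.group(4))

    commands, blocked = [], {}
    for line in remove_lines:
        book, pol = BOOK.match(line), POLICY.match(line)
        if book and (book.group(2), book.group(3)) in in_use:
            blocked[book.group(3)] = in_use[(book.group(2), book.group(3))]
            continue
        # Swap only the leading verb and cut at the object name, so all
        # lines of one address-set or policy collapse into a single delete.
        target = book or pol
        if target and "delete " + target.group(1) not in commands:
            commands.append("delete " + target.group(1))
    return commands, blocked

# Constructed sample (not from the bug): `show | display set` excerpt.
RUNNING = """\
set security zones security-zone vpc address-book address puppet1 192.0.2.10/32
set security zones security-zone vpc address-book address puppet2 192.0.2.11/32
set security zones security-zone vpc address-book address-set all-puppet address puppet1
set security zones security-zone vpc address-book address-set all-puppet address puppet2
set security policies from-zone build to-zone vpc policy build--puppet match destination-address all-puppet
set security policies from-zone build to-zone vpc policy build--puppet then permit
set security policies from-zone servo to-zone vpc policy servo--puppet match destination-address puppet2
""".splitlines()
REMOVE = RUNNING[:6]  # everything except the servo policy
```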