inmanta-module-openstack 5.0.1__tar.gz → 5.1.0__tar.gz

{inmanta_module_openstack-5.0.1 → inmanta_module_openstack-5.1.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: inmanta-module-openstack
-Version: 5.0.1
+Version: 5.1.0
 License: Apache 2.0
 Requires-Dist: inmanta-module-ssh
 Requires-Dist: inmanta-module-std

{inmanta_module_openstack-5.0.1 → inmanta_module_openstack-5.1.0}/inmanta_module_openstack.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: inmanta-module-openstack
-Version: 5.0.1
+Version: 5.1.0
 License: Apache 2.0
 Requires-Dist: inmanta-module-ssh
 Requires-Dist: inmanta-module-std

{inmanta_module_openstack-5.0.1 → inmanta_module_openstack-5.1.0}/inmanta_module_openstack.egg-info/SOURCES.txt

@@ -15,6 +15,7 @@ inmanta_plugins/openstack/common/base.py
 inmanta_plugins/openstack/common/deps.py
 inmanta_plugins/openstack/compute/__init__.py
 inmanta_plugins/openstack/compute/flavor.py
+inmanta_plugins/openstack/compute/host_aggregate.py
 inmanta_plugins/openstack/compute/host_port.py
 inmanta_plugins/openstack/compute/virtual_machine.py
 inmanta_plugins/openstack/identity/__init__.py
@@ -30,19 +31,26 @@ inmanta_plugins/openstack/model/_init.cf
 inmanta_plugins/openstack/network/__init__.py
 inmanta_plugins/openstack/network/floating_ip.py
 inmanta_plugins/openstack/network/network.py
+inmanta_plugins/openstack/network/network_port.py
 inmanta_plugins/openstack/network/qos_policy.py
 inmanta_plugins/openstack/network/router.py
 inmanta_plugins/openstack/network/router_port.py
 inmanta_plugins/openstack/network/security_group.py
 inmanta_plugins/openstack/network/subnet.py
 inmanta_plugins/openstack/network/subnet_v6.py
+inmanta_plugins/openstack/network/trunk_network.py
+inmanta_plugins/openstack/network/trunk_port.py
 inmanta_plugins/openstack/quota/__init__.py
 inmanta_plugins/openstack/quota/quota.py
+tests/test_block_devices.py
 tests/test_dependency_handling.py
 tests/test_examples.py
 tests/test_flavor.py
+tests/test_host_aggregate.py
+tests/test_host_port_security_groups.py
 tests/test_image.py
 tests/test_keystone.py
 tests/test_neutron.py
 tests/test_nova.py
-tests/test_quota.py
+tests/test_quota.py
+tests/test_trunk.py

{inmanta_module_openstack-5.0.1 → inmanta_module_openstack-5.1.0}/inmanta_plugins/openstack/__init__.py

@@ -29,6 +29,7 @@ from inmanta.plugins import PluginException, plugin
 
 IMAGES = {}
 FIND_IMAGE_RESULT = {}
+IMAGE_SIZE_RESULT = {}
 
 LOGGER = logging.getLogger(__name__)
 
@@ -114,6 +115,39 @@ def find_image(
             conn.close()
 
 
+@plugin
+def image_size_gb(provider: "openstack::Provider", image_id: "string") -> "int":
+    """
+    Return the size of a Glance image in GB, rounded up.
+
+    :param provider: The OpenStack provider to connect to.
+    :param image_id: The Glance image ID (e.g. from std::getfact(image, "image_id")).
+    """
+
+    ident = (provider.name, image_id)
+    if ident in IMAGE_SIZE_RESULT:
+        return IMAGE_SIZE_RESULT[ident]
+
+    conn = openstack.connection.Connection(
+        auth_url=provider.connection_url,
+        username=provider.username,
+        password=provider.password,
+        project_name=provider.project_name,
+        user_domain_name=provider.user_domain_name,
+        project_domain_name=provider.project_domain_name,
+        verify_cert=provider.verify_cert,
+    )
+    try:
+        image = conn.image.get_image(image_id)
+        size_gb = math.ceil(image.size / (1024**3))
+        IMAGE_SIZE_RESULT[ident] = size_gb
+        return size_gb
+    except openstack.exceptions.ResourceNotFound:
+        raise PluginException(f"Image '{image_id}' not found in Glance.")
+    finally:
+        conn.close()
+
+
 FLAVORS = {}
 FIND_FLAVOR_RESULT = {}
 

{inmanta_module_openstack-5.0.1 → inmanta_module_openstack-5.1.0}/inmanta_plugins/openstack/common/base.py

@@ -239,6 +239,35 @@ class OpenStackHandler(CRUDHandler):
         routers = self._connection.network.routers(**query_params)
         return self.require_single_item(routers)
 
+    def get_trunk(self, project_id=None, name=None, trunk_id=None):
+        """
+        Retrieve a trunk based on name or id
+        """
+        if not name and not trunk_id:
+            raise Exception("Either a name or an id needs to be provided.")
+
+        query_params = {}
+        if project_id:
+            query_params["project_id"] = project_id
+        if name:
+            query_params["name"] = name
+        if trunk_id:
+            query_params["id"] = trunk_id
+
+        trunks = self._connection.network.trunks(**query_params)
+        return self.require_single_item(trunks)
+
+    def get_port_by_name(self, name, project_id=None):
+        """
+        Retrieve a single neutron port by name, optionally scoped to a project
+        """
+        query_params = {"name": name}
+        if project_id:
+            query_params["project_id"] = project_id
+
+        ports = self._connection.network.ports(**query_params)
+        return self.require_single_item(ports)
+
     def get_domain(self, domain_name: str | None):
         """
         Retrieve the domain by name

{inmanta_module_openstack-5.0.1 → inmanta_module_openstack-5.1.0}/inmanta_plugins/openstack/common/deps.py

@@ -17,11 +17,15 @@ Contact: code@inmanta.com
 """
 
 from collections import defaultdict
+from collections.abc import Mapping
 
 from inmanta.export import dependency_manager
 
 from inmanta_plugins.openstack.common.base import OpenstackResource
 
+# Per-provider view of the collected resources: resource type -> resource name -> resource.
+ResourceCollector = Mapping[str, Mapping[str, OpenstackResource]]
+
 MANAGED_DEPENDENCIES = {
     "openstack::Project",
     "openstack::Network",
@@ -34,9 +38,15 @@ MANAGED_DEPENDENCIES = {
 }
 
 
-def resource_collector(resource_model):
-    purged_resources = defaultdict(lambda: defaultdict(dict))
-    non_purged_resources = defaultdict(lambda: defaultdict(dict))
+def resource_collector(
+    resource_model: Mapping[object, OpenstackResource],
+) -> tuple[Mapping[object, ResourceCollector], Mapping[object, ResourceCollector]]:
+    purged_resources: dict[object, dict[str, dict[str, OpenstackResource]]] = (
+        defaultdict(lambda: defaultdict(dict))
+    )
+    non_purged_resources: dict[object, dict[str, dict[str, OpenstackResource]]] = (
+        defaultdict(lambda: defaultdict(dict))
+    )
 
     for current_resource in resource_model.values():
         rtype = current_resource.id.entity_type
@@ -51,14 +61,13 @@ def resource_collector(resource_model):
     return purged_resources, non_purged_resources
 
 
-def set_dependencies_on_purged_resources(
-    collector: dict[str, OpenstackResource],
-) -> None:
+def set_dependencies_on_purged_resources(collector: ResourceCollector) -> None:
     """
-    This method only sets the dependencies between a VM and its ports!
+    Set the dependencies between purged VMs/ports and the security groups they reference.
     """
     vms = collector.get("openstack::VirtualMachine", {})
     ports = collector.get("openstack::HostPort", {})
+    sgs = collector.get("openstack::SecurityGroup", {})
 
     # When the VM is purged, all its purged ports should be deployed first
     for vm in vms.values():
@@ -67,10 +76,15 @@ def set_dependencies_on_purged_resources(
                 port_id = ports[vm_port["name"]].id
                 vm.requires.add(port_id)
 
+    # When a security group is purged, every port referencing it must be removed (or have the
+    # reference dropped) before the group itself can be deleted.
+    for port in ports.values():
+        for sg_name in port.security_groups:
+            if sg_name in sgs:
+                sgs[sg_name].requires.add(port.id)
 
-def set_dependencies_on_non_purged_resources(
-    collector: dict[str, OpenstackResource],
-) -> None:
+
+def set_dependencies_on_non_purged_resources(collector: ResourceCollector) -> None:
     projects = collector.get("openstack::Project", {})
     networks = collector.get("openstack::Network", {})
     routers = collector.get("openstack::Router", {})
@@ -131,6 +145,10 @@ def set_dependencies_on_non_purged_resources(
         if port.host in vms:
             port.requires.add(vms[port.host].id)
 
+        for sg_name in port.security_groups:
+            if sg_name in sgs:
+                port.requires.add(sgs[sg_name].id)
+
     for fip in fips.values():
         if fip.external_network in networks:
             fip.requires.add(networks[fip.external_network].id)
@@ -146,7 +164,9 @@ def set_dependencies_on_non_purged_resources(
 
 
 @dependency_manager
-def openstack_dependencies(config_model, resource_model):
+def openstack_dependencies(
+    config_model: object, resource_model: Mapping[object, OpenstackResource]
+) -> None:
     purged_resources, non_purged_resources = resource_collector(resource_model)
     for project, collector in non_purged_resources.items():
         set_dependencies_on_non_purged_resources(collector)
@@ -155,10 +175,12 @@ def openstack_dependencies(config_model, resource_model):
 
 
 @dependency_manager
-def keystone_dependencies(config_model, resource_model):
-    projects = {}
-    users = {}
-    roles = []
+def keystone_dependencies(
+    config_model: object, resource_model: Mapping[object, OpenstackResource]
+) -> None:
+    projects: dict[str, OpenstackResource] = {}
+    users: dict[str, OpenstackResource] = {}
+    roles: list[OpenstackResource] = []
     for _, res in resource_model.items():
         if res.id.entity_type == "openstack::Project":
             if not res.purged:

{inmanta_module_openstack-5.0.1 → inmanta_module_openstack-5.1.0}/inmanta_plugins/openstack/compute/flavor.py

@@ -79,6 +79,29 @@ class FlavorHandler(OpenStackHandler):
         )
         return self.require_single_item(flavors)
 
+    def _create_flavor(self, resource: Flavor):
+        """Create a flavor in OpenStack."""
+        flavor = self._connection.compute.create_flavor(
+            name=resource.name,
+            ram=resource.ram,
+            vcpus=resource.vcpus,
+            disk=resource.disk,
+            id=resource.flavor_id,
+            ephemeral=resource.ephemeral,
+            swap=resource.swap,
+            rxtx_factor=resource.rxtx_factor,
+            is_public=resource.is_public,
+        )
+
+        if resource.extra_specs:
+            self._connection.compute.create_flavor_extra_specs(
+                flavor, resource.extra_specs
+            )
+        return flavor
+
+    def _delete_flavor(self) -> None:
+        self._connection.compute.delete_flavor(self.flavor.id, ignore_missing=True)
+
     def read_resource(self, ctx: handler.HandlerContext, resource: Flavor) -> None:
         self.flavor = self._get_flavor(resource)
         if self.flavor is None:
@@ -101,27 +124,12 @@ class FlavorHandler(OpenStackHandler):
         self._set_facts(ctx)
 
     def create_resource(self, ctx: handler.HandlerContext, resource: Flavor) -> None:
-        self.flavor = self._connection.compute.create_flavor(
-            name=resource.name,
-            ram=resource.ram,
-            vcpus=resource.vcpus,
-            disk=resource.disk,
-            id=resource.flavor_id,
-            ephemeral=resource.ephemeral,
-            swap=resource.swap,
-            rxtx_factor=resource.rxtx_factor,
-            is_public=resource.is_public,
-        )
-
-        if resource.extra_specs:
-            self._connection.compute.create_flavor_extra_specs(
-                self.flavor, resource.extra_specs
-            )
+        self.flavor = self._create_flavor(resource)
         self._set_facts(ctx)
         ctx.set_created()
 
     def delete_resource(self, ctx: handler.HandlerContext, resource: Flavor) -> None:
-        self._connection.compute.delete_flavor(self.flavor.id, ignore_missing=True)
+        self._delete_flavor()
         ctx.set_purged()
 
     def update_resource(
@@ -130,31 +138,33 @@ class FlavorHandler(OpenStackHandler):
         changes: dict,
         resource: Flavor,
     ) -> None:
-        self.validate_allowed_fields(
-            changes,
-            {
-                "extra_specs",
-            },
-        )
-
-        if "extra_specs" in changes:
-            new_extra_specs = changes["extra_specs"]["desired"]
-            extra_specs_to_remove = [
-                key for key in self.flavor.extra_specs if key not in new_extra_specs
-            ]
-            for key in extra_specs_to_remove:
-                self._connection.compute.delete_flavor_extra_specs_property(
-                    self.flavor, key
-                )
-            self._connection.compute.create_flavor_extra_specs(
-                self.flavor, new_extra_specs
+        """Update flavor parameters.
+
+        OpenStack flavors must be immutable, so *every* change - including
+        extra_specs - is applied by deleting the existing flavor and
+        recreating it. This is only safe when OpenStack assigns the id: an
+        explicit flavor_id would collide with the soft-deleted flavor, so we
+        refuse such changes instead.
+        """
+        if self._resource_has_explicit_flavor_id(resource):
+            raise ValueError(
+                f"Cannot change {sorted(changes)} on a flavor with an explicit "
+                f"flavor_id: recreating it would reuse the soft-deleted id. "
+                f"Remove the flavor and create a new one instead."
             )
-            self.flavor = self._get_flavor(resource)
+
+        ctx.info(
+            "Recreating flavor; changed field(s): %(fields)s",
+            fields=sorted(changes),
+        )
+        self._delete_flavor()
+        self.flavor = self._create_flavor(resource)
+        self._set_facts(ctx)
         ctx.set_updated()
 
     def _set_facts(self, ctx):
-        ctx.set_fact("flavor_id", self.flavor.id, expires=False)
-        ctx.set_fact("is_disabled", str(self.flavor.is_disabled), expires=True)
+        ctx.set_fact("flavor_id", self.flavor.id)
+        ctx.set_fact("is_disabled", str(self.flavor.is_disabled))
 
     @cache(timeout=5)
     def facts(self, ctx, resource: Flavor) -> dict:

inmanta_module_openstack-5.1.0/inmanta_plugins/openstack/compute/host_aggregate.py

@@ -0,0 +1,117 @@
+"""
+Copyright 2026 Inmanta
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Contact: code@inmanta.com
+"""
+
+from inmanta.agent import handler
+from inmanta.agent.handler import ResourcePurged, SkipResource, provider
+from inmanta.resources import resource
+
+from inmanta_plugins.openstack.common.base import (
+    OpenstackAdminResource,
+    OpenStackHandler,
+)
+
+
+@resource(
+    "openstack::HostAggregateMetadata",
+    agent="provider.name",
+    id_attribute="metadata_id",
+)
+class HostAggregateMetadata(OpenstackAdminResource):
+    """A single key/value metadata item on a Nova host aggregate."""
+
+    fields = ("aggregate", "key", "value")
+    aggregate: str
+    key: str
+    value: str
+
+    @staticmethod
+    def get_metadata_id(_, resource) -> str:
+        # Unique per (aggregate, key) within the provider's agent.
+        return f"{resource.aggregate}::{resource.key}"
+
+
+@provider("openstack::HostAggregateMetadata", name="openstack")
+class HostAggregateMetadataHandler(OpenStackHandler):
+    """Manage a single metadata key on a host aggregate.
+
+    create/update -> set the key to the desired value
+    delete        -> remove the key (Nova removes a key when its value is None),
+                     leaving any other keys on the aggregate untouched
+    """
+
+    def _get_aggregate(self, resource: HostAggregateMetadata, *, required: bool):
+        aggregate = self._connection.compute.find_aggregate(
+            resource.aggregate, ignore_missing=True
+        )
+        if aggregate is None and required:
+            raise SkipResource(
+                f"Host aggregate '{resource.aggregate}' does not exist; cannot manage "
+                f"metadata key '{resource.key}'. The aggregate must be created first."
+            )
+        return aggregate
+
+    def read_resource(
+        self, ctx: handler.HandlerContext, resource: HostAggregateMetadata
+    ) -> None:
+        aggregate = self._get_aggregate(resource, required=True)
+        metadata = aggregate.metadata or {}
+
+        if resource.key not in metadata:
+            raise ResourcePurged()
+
+        resource.purged = False
+        # Surface the current value so a changed value is detected as a diff.
+        resource.value = metadata[resource.key]
+
+    def create_resource(
+        self, ctx: handler.HandlerContext, resource: HostAggregateMetadata
+    ) -> None:
+        aggregate = self._get_aggregate(resource, required=True)
+        self._connection.compute.set_aggregate_metadata(
+            aggregate, metadata={resource.key: resource.value}
+        )
+        ctx.set_created()
+
+    def update_resource(
+        self,
+        ctx: handler.HandlerContext,
+        changes: dict,
+        resource: HostAggregateMetadata,
+    ) -> None:
+        # Only the value can change; aggregate and key are part of the resource id.
+        aggregate = self._get_aggregate(resource, required=True)
+        self._connection.compute.set_aggregate_metadata(
+            aggregate, metadata={resource.key: resource.value}
+        )
+        ctx.set_updated()
+
+    def delete_resource(
+        self, ctx: handler.HandlerContext, resource: HostAggregateMetadata
+    ) -> None:
+        aggregate = self._get_aggregate(resource, required=False)
+        if aggregate is None:
+            # Aggregate gone -> the key is gone with it; nothing to unset.
+            ctx.set_purged()
+            return
+
+        # Nova removes a metadata key when it is set to None, leaving any other keys
+        # on the aggregate untouched.
+        self._connection.compute.set_aggregate_metadata(
+            aggregate, metadata={resource.key: None}
+        )
+        ctx.set_purged()

{inmanta_module_openstack-5.0.1 → inmanta_module_openstack-5.1.0}/inmanta_plugins/openstack/compute/host_port.py

@@ -47,6 +47,7 @@ class HostPort(Port):
         "wait",
         "allowed_address_pairs",
         "wait_for_vm",
+        "security_groups",
     )
     host: str
     portsecurity: bool
@@ -56,6 +57,7 @@ class HostPort(Port):
     wait: bool
     allowed_address_pairs: dict[str, Optional[str]]
     wait_for_vm: bool
+    security_groups: list[str]
 
     @staticmethod
     def get_host(_, port):
@@ -77,6 +79,10 @@ class HostPort(Port):
         """field used to determine if we expect the VM to be present at all"""
         return not (port.vm.purged)
 
+    @staticmethod
+    def get_security_groups(_, port):
+        return sorted([v.name for v in port.security_groups])
+
 
 @provider("openstack::HostPort", name="openstack")
 class HostPortHandler(OpenStackHandler):
@@ -182,6 +188,13 @@ class HostPortHandler(OpenStackHandler):
             pair["ip_address"]: pair.get("mac_address")
             for pair in self.port.allowed_address_pairs
         }
+
+        if resource.security_groups:
+            resource.security_groups = sorted(
+                self.get_security_group(project_id=self.project_id, group_id=sg_id).name
+                for sg_id in self.port.security_group_ids
+            )
+
         resource.name = self.port.name
         self._set_facts(ctx)
 
@@ -197,6 +210,10 @@ class HostPortHandler(OpenStackHandler):
             "admin_state_up": True,
             "name": resource.name,
             "network_id": self.network.id,
+            # Create the port in the resource's project. When the provider's auth
+            # project matches resource.project (the common case) this is a no-op;
+            # it only matters when an admin creates a port in another project.
+            "project_id": self.project_id,
         }
 
         if resource.address and not resource.dhcp:
@@ -205,7 +222,13 @@ class HostPortHandler(OpenStackHandler):
             ]
 
         port_attrs["port_security_enabled"] = resource.portsecurity
-        port_attrs["security_groups"] = None
+        if resource.security_groups:
+            port_attrs["security_group_ids"] = [
+                self.get_security_group(project_id=self.project_id, name=sg).id
+                for sg in resource.security_groups
+            ]
+        else:
+            port_attrs["security_group_ids"] = None
 
         # Allowed address pairs
         if resource.allowed_address_pairs:
@@ -244,16 +267,27 @@ class HostPortHandler(OpenStackHandler):
         resource: HostPort,
     ) -> None:
         self.validate_allowed_fields(
-            changes, {"portsecurity", "name", "allowed_address_pairs"}
+            changes,
+            {"portsecurity", "name", "allowed_address_pairs", "security_groups"},
+        )
+
+        disabling_portsecurity = (
+            "portsecurity" in changes and not changes["portsecurity"]["desired"]
         )
 
         if self.port.is_port_security_enabled and "portsecurity" in changes:
             if not changes["portsecurity"]["desired"]:
                 self.port.is_port_security_enabled = False
-                self.port.security_groups = None
+                self.port.security_group_ids = []
             else:
                 raise SkipResource("Turning port security on again is not supported.")
 
+        if "security_groups" in changes and not disabling_portsecurity:
+            self.port.security_group_ids = [
+                self.get_security_group(project_id=self.project_id, name=sg).id
+                for sg in resource.security_groups
+            ]
+
         # Handle name change
         if "name" in changes:
             self.port.name = resource.name