Allow to set allowed_ssh_prefixes list parameter #396

Open
wants to merge 1 commit into
base: master
BenoitCattie

Hello,

This PR allows setting a list of IP prefixes allowed for SSH in the instances' security groups.

Notes:

  • adding OS::Neutron::SecurityGroupRule as I wasn't able to combine "repeat" and "static" rules

Benoit

@tomassedovic
Contributor

Thanks @BenoitCattie! I understand the desire for this change, but it makes the template much more verbose :-(.

What do you think about creating a separate SSH security group with the IP prefixes rules and passing that in addition to the current security group?

A server/port can have more than one security group applied:

https://github.com/BenoitCattie/openshift-on-openstack/blob/4d8d64516dc6b0fb2ee7416a88f239449b06b9a2/master.yaml#L235

If that doesn't work out (but it should), I'd prefer if we moved all the security groups & rules to separate files.

@BenoitCattie
Author

Hello,

Indeed, the template is much more verbose with OS::Neutron::SecurityGroupRule.

I'm not sure how to pass IP prefixes in a different security group, as the existing security groups have an SSH rule allowing any ingress traffic. So adding restricted prefixes in addition will not remove the existing rule.

Did I misunderstand something?

Benoit
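
The point raised in the last comment, as an added example that is not part of this PR or of the project's templates: Neutron security group rules only allow traffic, and a port's effective policy is the union of the rules in every group attached to it. The rule dictionaries, the port 8443 rule, the prefixes and the helper names below are constructed for illustration.

```python
import ipaddress

# Constructed sample data; each dict mirrors the fields of a Neutron ingress rule.
SSH_ANY = {"protocol": "tcp", "port_range_min": 22, "port_range_max": 22,
           "remote_ip_prefix": "0.0.0.0/0"}
API_ANY = {"protocol": "tcp", "port_range_min": 8443, "port_range_max": 8443,
           "remote_ip_prefix": "0.0.0.0/0"}
EXISTING_GROUP = [SSH_ANY, API_ANY]      # group that already allows SSH from anywhere
EXISTING_WITHOUT_SSH = [API_ANY]         # same group with its SSH rule removed


def ssh_group(allowed_ssh_prefixes):
    """Hypothetical separate SSH group: one ingress rule per allowed prefix."""
    return [{"protocol": "tcp", "port_range_min": 22, "port_range_max": 22,
             "remote_ip_prefix": prefix} for prefix in allowed_ssh_prefixes]


def rule_matches(rule, src_ip, protocol, port):
    """True if a single allow rule admits this source, protocol and port."""
    if rule["protocol"] != protocol:
        return False
    if not rule["port_range_min"] <= port <= rule["port_range_max"]:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["remote_ip_prefix"])


def ingress_allowed(groups, src_ip, protocol="tcp", port=22):
    """Security group rules only allow; a port's policy is the union over all groups."""
    return any(rule_matches(r, src_ip, protocol, port) for g in groups for r in g)


def world_open_rules(groups, protocol="tcp", port=22):
    """Rules that admit every source to the port and so defeat any prefix list."""
    return [r for g in groups for r in g
            if r["protocol"] == protocol
            and r["port_range_min"] <= port <= r["port_range_max"]
            and ipaddress.ip_network(r["remote_ip_prefix"]).prefixlen == 0]


if __name__ == "__main__":
    restricted = ssh_group(["192.0.2.0/24"])   # constructed prefix
    outsider = "203.0.113.7"                   # constructed address outside the prefix
    # Restricted group added next to the existing one: SSH is still open to everyone.
    print(ingress_allowed([EXISTING_GROUP, restricted], outsider))
    print(world_open_rules([EXISTING_GROUP, restricted]))
    # Only once the any-source SSH rule is gone does the prefix list take effect.
    print(ingress_allowed([EXISTING_WITHOUT_SSH, restricted], outsider))
    print(ingress_allowed([EXISTING_WITHOUT_SSH, restricted], "192.0.2.10"))
```

A check like `world_open_rules` can be run over the rendered rules of a stack to confirm that no any-source SSH rule remains once a prefix list is in use.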
