Murano can now properly attach VMs to shared networks

When spawning VMs attached to pre-existing networks murano used to
generate a Heat template with a fixed_ips property for Neutron ports.
This can cause a policy violation if the target network is not owned
by the deploying tenant (i.e. the network is shared by some other
project).

This has been addressed: ExistingNeutronNetwork class no longer
generates the fixed_ips property of the port if the target network is
not owned by a current project.

Change-Id: I0c60a522f4223fdc47f87b950da1a0822a8cbdbe
Closes-bug: #1644797

meta/io.murano/Classes/SharedIp.yaml

@@ -51,13 +51,20 @@ Methods:
                   properties:
                     network_id: $networkData.netId
                     replacement_policy: AUTO
-                    fixed_ips:
-                      - subnet_id: $networkData.subnetId
               outputs:
                 $aapPortName+'-virtualIp':
                   value:
                     get_attr: [$aapPortName, fixed_ips, 0, ip_address]
                   description: format('SharedIP Address of SharedIp group {0}', id($))
+          - If: $networkData.subnetId
+            Then:
+              - $t:
+                  resources:
+                    $aapPortName:
+                      properties:
+                        fixed_ips:
+                          - subnet_id: $networkData.subnetId
+              - $template: $template.mergeWith($t)
           - $region.stack.updateTemplate($template)
           - If: $.assignFloatingIp
             Then:

meta/io.murano/Classes/resources/ExistingNeutronNetwork.yaml

@@ -65,10 +65,18 @@ Workflow:
             $.network_id = $this._internalNetworkId).first().name
       - If: $._internalSubnetworkId = null
         Then:
-          $._internalSubnetworkId: $._getSubnetworks().where(
-            ($.name = $this.internalSubnetworkName or
-              $.id = $this.internalSubnetworkName) and
-                $.network_id = $this._internalNetworkId).first().id
+          # Specify subnetwork id only if the network is owned by the
+          # environment owner tenant (otherwise we may not be allowed to create
+          # a port to that specific subnet)
+          - $net: $this._getNetworks().where($.id = $this._internalNetworkId).first()
+          - If: $net.tenant_id = std:Project.getEnvironmentOwner().id
+            Then:
+              - $._internalSubnetworkId: $._getSubnetworks().where(
+                  ($.name = $this.internalSubnetworkName or
+                    $.id = $this.internalSubnetworkName) and
+                      $.network_id = $this._internalNetworkId).first().id
+            Else:
+              - $._internalSubnetworkId: null
 
       - If: $.externalNetworkName = null and $._internalNetworkId != null
         Then:

meta/io.murano/Classes/resources/NeutronNetworkBase.yaml

@@ -59,10 +59,18 @@ Methods:
               type: 'OS::Neutron::Port'
               properties:
                 network: $netRef
-                fixed_ips:
-                  - subnet: $subnetRef
                 replacement_policy: AUTO
 
+      - If: $subnetRef
+        Then:
+          - $template:
+              resources:
+                $portName:
+                  properties:
+                    fixed_ips:
+                      - subnet: $subnetRef
+          - $patchTemplate: $patchTemplate.mergeWith($template)
+
       - If: bool($securityGroupName) and $securityGroupsEnabled
         Then:
           - $template:

releasenotes/notes/shared-net-port-creation-0eda66be4444cf2f.yaml

@@ -0,0 +1,10 @@
+---
+issues:
+  - If a VM being a part of some shared-ip group is attached to the network
+    which is not owned by the current tenant (shared network) a policy
+    violation may occur thus failing the deployment.
+
+fixes:
+  - Murano no longer specifies fixed-ip parameter for ports when creating VMs
+    attached to networks owned and shared by other tenants. Specifying this
+    parameter for non-owned networks could cause violation of neutron policies.