[AWS] Fixed Security Group Creation Issues

Issues:
1. Security Group created using Openstack API, creates 2 outbound rules
(1 for IPv4 and 1 for IPv6) and no inbound rules. Hence the rule_dict
that was getting created contained same data for both outbound rules.
Hence while authorization of egress direction, it was throwing error
"ClientError: The same permission must not appear multiple times"

2. Since there are no inbound rules in security group, empty list was
passed to AuthorizeSecurityGroupIngress operation. Hence it was raising
"ClientError: Missing source specification: include source security group
or CIDR information".

3. While updating the security group which was created using API, I was
seeing error: "ClientError: Missing source specification: include source
security group or CIDR information" as there were no inbound rules.

Fixes:
1. Added a check for IPv4 ether type in "_convert_openstack_rules_to_vpc()"

2. Moved authorization for ingress inside if block

3. Added checks in "_update_sec_group()"

Closes-Bug: #1709545

Change-Id: I4e4acad4da3b095e7a8951abbfb94f1b0d9c7e41

neutron/neutron/common/aws_utils.py

@@ -47,8 +47,7 @@ def _process_exception(e, dry_run):
     if dry_run:
         error_code = e.response['Code']
         if not error_code == 'DryRunOperation':
-            raise AwsException(
-                error_code='AuthFailure',
+            raise AwsException(error_code='AuthFailure',
                                message='Check your AWS authorization')
     else:
         if isinstance(e, botocore.exceptions.ClientError):
@@ -433,6 +432,7 @@ class AwsUtils(object):
                     rule_dict['ToPort'] = 65535
                 else:
                     rule_dict['ToPort'] = rule['port_range_max']
+            if rule['ethertype'] == "IPv4":
                 rule_dict['IpRanges'] = []
                 if rule['remote_group_id'] is not None:
                     rule_dict['IpRanges'].append({
@@ -449,6 +449,8 @@ class AwsUtils(object):
                         rule_dict['IpRanges'].append({
                             'CidrIp': '0.0.0.0/0'
                         })
+            elif rule['ethertype'] == "IPv6":
+                LOG.warning("Ethertype IPv6 is supported only for EC2-VPC")
             if rule['direction'] == 'egress':
                 egress_rules.append(rule_dict)
             else:
@@ -462,7 +464,9 @@ class AwsUtils(object):
             secgrp.revoke_ingress(IpPermissions=old_ingress)
         if old_egress:
             secgrp.revoke_egress(IpPermissions=old_egress)
+        if ingress:
             secgrp.authorize_ingress(IpPermissions=ingress)
+        if egress:
             secgrp.authorize_egress(IpPermissions=egress)
 
     def _create_sec_grp_rules(self, secgrp, rules):
@@ -496,7 +500,7 @@ class AwsUtils(object):
         secgrp = self._get_ec2_resource().create_security_group(
             GroupName=name, Description=description, VpcId=vpc_id)
         if self._create_sec_grp_tags(secgrp, tags) is False:
-            delete_sec_grp(secgrp.id)  # noqa
+            self.delete_security_group_by_id(secgrp.id)
             raise AwsException(
                 message='Timed out creating tags on security group',
                 error_code='Time Out')
@@ -531,13 +535,18 @@ class AwsUtils(object):
     def _update_sec_group(self, ec2_id, old_ingress, old_egress, new_ingress,
                           new_egress):
         sg = self._get_ec2_resource().SecurityGroup(ec2_id)
+        if old_ingress:
             sg.revoke_ingress(IpPermissions=old_ingress)
             time.sleep(1)
+        if old_egress:
             sg.revoke_egress(IpPermissions=old_egress)
             time.sleep(1)
+        if new_ingress:
             sg.authorize_ingress(IpPermissions=new_ingress)
             time.sleep(1)
+        if new_egress:
             sg.authorize_egress(IpPermissions=new_egress)
+            time.sleep(1)
 
     @aws_exception
     def update_sec_group(self, openstack_id, rules):