firewall: stop using stdlib stages

Using Puppet stdlib in TripleO is risky because it exposes deployments
to dependency cycles in the catalog.
We should rather use native functions for orchestration, like
ordering and dependency management.

This patch:

- removes usage of stages from stdlib
- uses ordering to make sure we run pre rules before post
- uses ordering to make sure we start all Services in catalog before post
  rules. It ensures that we don't drop all traffic before starting the
  services, which could lead to service errors (e.g. trying to reach database
  or amqp)

Change-Id: Iec4705d6b785a40ccf6f43809b94b726ccd47fef
Closes-Bug: #1643575
Emilien Macchi 2016-11-21 09:57:09 -05:00
parent 92f9c952d6
commit 2ca3cb03ad

@ -51,8 +51,6 @@ class tripleo::firewall(
$firewall_post_extras = {},
) {
include ::stdlib
if $manage_firewall {
# Only purges IPv4 rules
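Review bot: With `include ::stdlib` dropped at the top of the class body, this class no longer declares the `setup` and `runtime` stages, so any `'stage' => ...` parameter left elsewhere in the module would point at a stage that no longer exists unless another class still includes stdlib; worth a grep before merging. The class still calls `ensure_resource`, which is a stdlib function, so the module's dependency on stdlib has to stay even though the include goes away, and a one-line comment saying so would stop a later cleanup from removing it.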
@ -79,14 +77,15 @@ class tripleo::firewall(
ensure_resource('class', 'tripleo::firewall::pre', {
'firewall_settings' => $firewall_pre_extras,
'stage' => 'setup',
})
ensure_resource('class', 'tripleo::firewall::post', {
'stage' => 'runtime',
'firewall_settings' => $firewall_post_extras,
})
Class['tripleo::firewall::pre'] -> Class['tripleo::firewall::post']
Service<||> -> Class['tripleo::firewall::post']
# Allow composable services to load their own custom
# example with Hiera.
# NOTE(dprince): In the future when we have a better hiera
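Review bot: `Service<||> -> Class['tripleo::firewall::post']` makes the post rules depend on every Service in the catalog, so one service that fails to start causes Puppet to skip `tripleo::firewall::post` entirely and the node is left without the final rules that the commit message says drop traffic. That fail-open behaviour should be stated in a comment above the two ordering lines, along with the reason for the ordering (services need the database and amqp reachable while they start), since the `'stage'` parameters that used to carry that intent are gone. Also note that an unfiltered collector realizes any virtual Service resources, so it is worth confirming none are declared virtually in the composable service profiles.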