Avoid dangling firewall rule for ssh access

Change Ie548f7216610e15af24c96f65a58cc8de603235c introduced a new parameter, SshFirewallAllowAll, set to True by default. This parameter allows to add a generic firewall rule allowing, as its name states, world access to the SSH service. Until now, if someone changes his mind and decides to deactivate this opening, the rule will not be removed, although the operator sets the variable to False. This patch intends to reflect the operator will regarding ssh access. Change-Id: I1b4e23b602cf9c41ce6f9a1b602359d7aa7224c0
2019-01-22 12:27:49 +01:00 · 2019-01-22 12:27:49 +01:00 · 13ec67a3aa
commit 13ec67a3aa
parent a79b7cb921
1 changed files with 6 additions and 1 deletions
--- a/deployment/sshd/sshd-baremetal-puppet.yaml
+++ b/deployment/sshd/sshd-baremetal-puppet.yaml
@ -87,7 +87,12 @@ outputs:
                '003 accept ssh from all':
                  proto: 'tcp'
                  dport: 22
-            - null
+            - tripleo::sshd::firewall_rules:
+                '003 accept ssh from all':
+                  proto: 'tcp'
+                  dport: 22
+                  extras:
+                    ensure: 'absent'

      step_config: |
        include ::tripleo::profile::base::sshd