From 13ec67a3aa9978d0f3926848a321bd31574bf0e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Tue, 22 Jan 2019 12:27:49 +0100
Subject: [PATCH] Avoid dangling firewall rule for ssh access

Change Ie548f7216610e15af24c96f65a58cc8de603235c introduced a new parameter, SshFirewallAllowAll, set to True by default. This parameter allows to add a generic firewall rule allowing, as its name states, world access to the SSH service. Until now, if someone changes his mind and decides to deactivate this opening, the rule will not be removed, although the operator sets the variable to False. This patch intends to reflect the operator will regarding ssh access.

Change-Id: I1b4e23b602cf9c41ce6f9a1b602359d7aa7224c0
---
 deployment/sshd/sshd-baremetal-puppet.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/deployment/sshd/sshd-baremetal-puppet.yaml b/deployment/sshd/sshd-baremetal-puppet.yaml
index d4a06ae9a3..bbb49fa219 100644
--- a/deployment/sshd/sshd-baremetal-puppet.yaml
+++ b/deployment/sshd/sshd-baremetal-puppet.yaml
@@ -87,7 +87,12 @@ outputs:
 '003 accept ssh from all':
 proto: 'tcp'
 dport: 22
- - null
+ - tripleo::sshd::firewall_rules:
+ '003 accept ssh from all':
+ proto: 'tcp'
+ dport: 22
+ extras:
+ ensure: 'absent'
 step_config: |
 include ::tripleo::profile::base::sshd
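Review bot: The new removal branch only cleans up the world-open SSH rule while its title, `'003 accept ssh from all'`, stays identical to the title in the allow branch directly above it, and nothing in the added lines records that coupling. If one copy is renamed later, the `ensure: 'absent'` entry would presumably target a rule that does not exist and the original allow-all rule would again stay behind on deployed nodes. I would add a comment above the new `- tripleo::sshd::firewall_rules:` entry, for example `# Title must match the allow rule above so it is removed when SshFirewallAllowAll is false`. The hunk shows no narrower SSH accept rule, so it is worth confirming outside this hunk that one exists before operators switch the parameter off; the enclosing `if` list starts above the hunk.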