Convert firewall rules to use TripleO-Ansible

This change converts our filewall deployment practice to use the tripleo-ansible firewall role. This change creates a new "firewall_rules" object which is queried using YAQL from the "FirewallRules" resource. A new parameter has been added allowing users to input additional firewall rules as needed. The new parameter is `ExtraFirewallRules` and will be merged on top of the YAQL interface. Depends-On: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed Change-Id: I1be209a04f599d1d018e730c92f1fc8dd9bf884b Signed-off-by: Kevin Carter <kecarter@redhat.com>
2019-08-19 10:38:24 -05:00
parent c7f19f0bd2
commit 50367fbe35
86 changed files with 832 additions and 675 deletions
--- a/deployment/sshd/sshd-baremetal-puppet.yaml
+++ b/deployment/sshd/sshd-baremetal-puppet.yaml
@@ -75,24 +75,22 @@ outputs:
    description: Role data for the ssh
    value:
      service_name: sshd
+      if:
+        - {get_param: SshFirewallAllowAll}
+        - firewall_rules:
+            '003 accept ssh from all':
+              proto: 'tcp'
+              dport: 22
+        - firewall_rules:
+            '003 accept ssh from all':
+              proto: 'tcp'
+              dport: 22
+              extras:
+                ensure: 'absent'
      config_settings:
-        map_merge:
-          - tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
-            tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
-            tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
-            tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
-          - if:
-            - {get_param: SshFirewallAllowAll}
-            - tripleo::sshd::firewall_rules:
-                '003 accept ssh from all':
-                  proto: 'tcp'
-                  dport: 22
-            - tripleo::sshd::firewall_rules:
-                '003 accept ssh from all':
-                  proto: 'tcp'
-                  dport: 22
-                  extras:
-                    ensure: 'absent'
-
+        tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
+        tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
+        tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
+        tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
      step_config: |
        include ::tripleo::profile::base::sshd