diff --git a/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml b/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
index 176c46691a..a989e04269 100644
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
@@ -47,6 +47,12 @@ outputs:
       config_settings:
         tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
         tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
+        tripleo::tripleo_firewall::firewall_rules:
+          '003 accept ssh from controlplane':
+            source: "%{hiera('ctlplane_subnet')}"
+            proto: 'tcp'
+            dport: 22
+
       step_config: |
         include ::tripleo::firewall
       upgrade_tasks: