Heat: Present policy rules for all services

The policy rules are used not only by heat-api but also by heat-api-cfn
and heat-engine. This change ensures the policy rules defined by
the HeatApiPolicies parameter are rendered into hieradata in the node
where these heat services are running, even if these services run on
separate nodes.

Change-Id: Ic278c69110d427118c5ff9b4bddc72493434154a
Closes-Bug: #1983342
Depends-on: https://review.opendev.org/851803
Takashi Kajinami 2022-08-02 16:43:27 +09:00
parent 17744f46db
commit d503ee5fc9
2 changed files with 7 additions and 1 deletions

@ -193,7 +193,6 @@ outputs:
heat::wsgi::apache_api::access_log_format: 'forwarded'
heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
heat::wsgi::apache_api::vhost_custom_fragment: 'Timeout 600'
heat::policy::policies: {get_param: HeatApiPolicies}
heat::api::service_name: 'httpd'
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
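Review bot: With heat::policy::policies removed from this outputs block, nothing visible in this template still consumes HeatApiPolicies, yet the commit summary counts only one deletion, so any HeatApiPolicies declaration in this file's parameters section is left in place. Either drop that declaration in the same change or confirm that keeping it declared here and in the other template is intended and does not produce an unused-parameter warning at validation time.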

@ -144,6 +144,12 @@ parameters:
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
HeatApiPolicies:
description: |
A hash of policies to configure for Heat API.
e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
EnforceSecureRbac:
type: boolean
default: false
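Review bot: The description on the new HeatApiPolicies parameter still reads "A hash of policies to configure for Heat API.", but per the commit message the rules are also used by heat-api-cfn and heat-engine. Because these rules control authorization, the description should say that they apply to all Heat services, for example "A hash of policies to configure for all Heat services (heat-api, heat-api-cfn and heat-engine).", so operators do not assume an override is scoped to the API node only.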
@ -184,6 +190,7 @@ outputs:
- {get_param: HeatDebug}
- true
- {get_param: Debug}
heat::policy::policies: {get_param: HeatApiPolicies}
heat::enable_proxy_headers_parsing: true
heat::rpc_response_timeout: {get_param: HeatRpcResponseTimeout}
heat::rabbit_heartbeat_timeout_threshold: 60
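Review bot: Adding heat::policy::policies to this outputs block, which per the commit message covers nodes running heat-api-cfn and heat-engine, means an existing HeatApiPolicies override now takes effect on nodes where it was previously not rendered. The change touches two files and both are templates, so there is no release note; add one that describes this behaviour change and references bug #1983342 so operators can re-check their policy overrides before picking it up.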