diff --git a/puppet/extraconfig/tls/freeipa-enroll.yaml b/puppet/extraconfig/tls/freeipa-enroll.yaml
deleted file mode 100644
index 7ad06538c1..0000000000
--- a/puppet/extraconfig/tls/freeipa-enroll.yaml
+++ /dev/null
@@ -1,83 +0,0 @@
-heat_template_version: rocky
-
-description: Enroll nodes to FreeIPA
-
-parameters:
-  server:
-    description: ID of the controller node to apply this config to
-    type: string
-
-  CloudDomain:
-    description: >
-      The configured cloud domain; this will also be used as the kerberos realm
-    type: string
-
-  FreeIPAOTP:
-    default: ''
-    description: 'OTP that will be used for FreeIPA enrollment'
-    type: string
-    hidden: true
-  FreeIPAServer:
-    default: ''
-    description: 'FreeIPA server DNS name'
-    type: string
-  FreeIPAIPAddress:
-    default: ''
-    description: 'FreeIPA server IP Address'
-    type: string
-
-resources:
-  FreeIPAEnrollmentConfig:
-    type: OS::Heat::SoftwareConfig
-    properties:
-      group: script
-      inputs:
-        - name: otp
-        - name: ipa_server
-        - name: ipa_domain
-        - name: ipa_ip
-      config: |
-        #!/bin/sh
-        # If no IPA server was given as a parameter, it will be assumed from
-        # DNS.
-        if [ -n "${ipa_server}" ]; then
-            sed -i "/${ipa_server}/d" /etc/hosts
-            # Optionally add the FreeIPA server IP to /etc/hosts
-            if [ -n "${ipa_ip}" ]; then
-                echo "${ipa_ip}    ${ipa_server}" >> /etc/hosts
-            fi
-        fi
-        # Set the node's domain if needed
-        if [ ! $(hostname -f | grep "${ipa_domain}$") ]; then
-            hostnamectl set-hostname "$(hostname).${ipa_domain}"
-        fi
-        yum install -y ipa-client
-        # Enroll. If there is already keytab, we have already done this. If
-        # this node hasn't enrolled and the OTP is missing, fail.
-        if [ ! -f /etc/krb5.keytab ]; then
-            if [ -z "${otp}" ]; then
-                echo "OTP is missing"
-                exit 1
-            fi
-            ipa-client-install --server ${ipa_server} -w ${otp} \
-                --domain=${ipa_domain} -U
-        fi
-        # Get a TGT
-        kinit -k -t /etc/krb5.keytab
-
-  FreeIPAControllerEnrollmentDeployment:
-    type: OS::Heat::SoftwareDeployment
-    properties:
-      name: FreeIPAEnrollmentDeployment
-      config: {get_resource: FreeIPAEnrollmentConfig}
-      server: {get_param: server}
-      input_values:
-        otp: {get_param: FreeIPAOTP}
-        ipa_server: {get_param: FreeIPAServer}
-        ipa_domain: {get_param: CloudDomain}
-        ipa_ip: {get_param: FreeIPAIPAddress}
-
-outputs:
-  deploy_stdout:
-    description: Output of the FreeIPA enrollment deployment
-    value: {get_attr: [FreeIPAControllerEnrollmentDeployment, deploy_stdout]}