commit e83c47f11d58445c06e777771607a0484575d3af
Author: Emilien Macchi
Date: Tue Sep 29 17:19:43 2020 -0400

firewall: make ExtraFirewallRules role specific

Allow our operators to override ExtraFirewallRules per role. Also add an environment file that hopefully provide enough example on how this feature can be used. Also making sure that CI is testing this change.

Change-Id: I776f1cdb780ab57d7554985f0b7c2139356cdf3a
(cherry picked from commit dbe38cac185ef2b51cdd283531bce393e9ce8e6c)

diff --git a/ci/environments/scenario003-standalone.yaml b/ci/environments/scenario003-standalone.yaml
index 12aedfd..7c6335b 100644
--- a/ci/environments/scenario003-standalone.yaml
+++ b/ci/environments/scenario003-standalone.yaml
@@ -87,3 +87,10 @@ parameter_defaults:
 proto: udp
 source: 127.0.0.1
 action: append
+ StandaloneParameters:
+ ExtraFirewallRules:
+ '303 allow arbitrary tcp rule for controller':
+ dport: 12347
+ proto: tcp
+ source: 127.0.0.1
+ action: insert
diff --git a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
index 8340291..d737da3 100644
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
@@ -34,6 +34,23 @@ parameters:
 default: {}
 description: Mapping of firewall rules.
 type: json
+ tags:
+ - role_specific
+
+resources:
+ # Merging role-specific parameters (RoleParameters) with the default parameters.
+ # RoleParameters will have the precedence over the default parameters.
+ RoleParametersValue:
+ type: OS::Heat::Value
+ properties:
+ type: json
+ value:
+ map_replace:
+ - map_replace:
+ - extra_firewall_rules: ExtraFirewallRules
+ - values: {get_param: [RoleParameters]}
+ - values:
+ ExtraFirewallRules: {get_param: ExtraFirewallRules}
 
 conditions:
 no_ctlplane:
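Review bot: Once `StandaloneParameters.ExtraFirewallRules` is set, the `'303 allow arbitrary tcp rule for controller'` entry becomes the only extra rule reaching the standalone node, because the `RoleParametersValue` resource added in the tripleo-firewall-baremetal-ansible.yaml hunk substitutes the role value for the default mapping rather than merging the two (its own comment says the role value takes precedence), so the rules already listed under `parameter_defaults` above — the udp rule with `action: append` in the context lines among them — stop being applied on this role. If those earlier rules are still expected on the standalone node the CI scenario should assert on both, and if they are meant to be dropped the scenario should say so, since a silent loss of firewall rules is exactly what this test ought to catch. The resource comment in the template hunk could state the behaviour explicitly, e.g. `# Note: a role-specific ExtraFirewallRules replaces the default mapping entirely; the two are not merged.`, and the two examples in the new environments/firewall.yaml should likewise say they are alternatives for a given role rather than additive. Finally, the rule name says "for controller" while it is applied through `StandaloneParameters`; `'303 allow arbitrary tcp rule for standalone'` avoids a misleading rule name in the resulting iptables chain and CI logs.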
@@ -60,7 +77,7 @@ outputs:
 source: <%net_cidr%>
 proto: 'tcp'
 dport: 22
- - {get_param: ExtraFirewallRules}
+ - {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
 host_prep_tasks:
 - if:
 - no_ctlplane
diff --git a/environments/firewall.yaml b/environments/firewall.yaml
new file mode 100644
index 0000000..aa8efb1
--- /dev/null
+++ b/environments/firewall.yaml
@@ -0,0 +1,23 @@
+# This is an example of custom firewall rules that one could apply for specific
+# roles.
+
+parameter_defaults:
+
+# This firewall rule will autorize 12345/tcp from localhost on all the nodes
+# in the overcloud:
+# ExtraFirewallRules:
+# '301 allow arbitrary tcp rule':
+# dport: 12345
+# proto: tcp
+# source: 127.0.0.1
+# action: insert
+
+# This firewall rule will autorize 12345/tcp from localhost on all the
+# compute nodes:
+# ComputeParameters:
+# ExtraFirewallRules:
+# '301 allow arbitrary tcp rule':
+# dport: 12345
+# proto: tcp
+# source: 127.0.0.1
+# action: insert
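Review bot: `parameter_defaults:` in the new environments/firewall.yaml has every child commented out, so the file parses as `parameter_defaults: null` rather than an empty mapping, and a loader that iterates the mapping may reject or misbehave on it when the file is passed unchanged as an environment; `parameter_defaults: {}` keeps the file loadable while the examples stay as comments. The two explanatory comments misspell "autorize"; the first should read `# This firewall rule will authorize 12345/tcp from localhost on all the nodes` and the second `# This firewall rule will authorize 12345/tcp from localhost on all the`. The header comment says the file shows rules "for specific roles", yet the first example is the global mapping; rewording it to say it shows both the global default and a per-role override would match the content.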