heat_template_version: wallaby

description: >
  Configure sshd_config

parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  BannerText:
    default: ''
    description: Configures Banner text in sshd_config
    type: string
  MessageOfTheDay:
    default: ''
    description: Configures /etc/motd text
    type: string
  SshServerOptions:
    default: {}
    description: Mapping of sshd_config values
    type: json
  PasswordAuthentication:
    default: 'no'
    description: Whether or not disable password authentication
    type: string
  SshFirewallAllowAll:
    default: false
    description: Set this to true to open up ssh access from all sources.
    type: boolean
  # DEPRECATED: the following options are deprecated and are currently maintained
  # for backwards compatibility.
  SshServerOptionsOverrides:
    default: {}
    description: Mapping of sshd_config values to override definitions in
                 SshServerOptions
    type: json

parameter_groups:
- label: deprecated
  description: |
   The following parameters are deprecated and will be removed. They should not
   be relied on for new deployments. If you have concerns regarding deprecated
   parameters, please contact the TripleO development team on IRC or the
   OpenStack mailing list.
  parameters:
  - SshServerOptionsOverrides

conditions:
  ssh_firewall_allow_all: {equals: [{get_param: SshFirewallAllowAll}, true]}
  ssh_banner_text_set:
    not: {equals: [{get_param: BannerText}, '']}
  ssh_motd_text_set:
    not: {equals: [{get_param: MessageOfTheDay}, '']}

outputs:
  role_data:
    description: Role data for the ssh
    value:
      service_name: sshd
      firewall_rules:
        '003 accept ssh from all':
          proto: 'tcp'
          dport: 22
          extras:
            ensure: {if: [ssh_firewall_allow_all, 'present', 'absent']}
      host_prep_tasks:
        - include_role:
            name: tripleo_sshd
          vars:
            tripleo_sshd_server_options:
              map_merge:
                - {get_param: SshServerOptions}
                - {get_param: SshServerOptionsOverrides}
            tripleo_sshd_password_authentication: {get_param: PasswordAuthentication}
            tripleo_sshd_banner_enabled:
              if:
                - ssh_banner_text_set
                - true
                - false
            tripleo_sshd_banner_text: {get_param: BannerText}
            tripleo_sshd_motd_enabled:
              if:
                - ssh_motd_text_set
                - true
                - false
            tripleo_sshd_message_of_the_day: {get_param: MessageOfTheDay}