heat_template_version: pike

description: >
  Apache service configured with Puppet. Note this is typically included
  automatically via other services which run via Apache.

parameters:
  ApacheMaxRequestWorkers:
    default: 256
    description: Maximum number of simultaneously processed requests.
    type: number
  ApacheServerLimit:
    default: 256
    description: Maximum number of Apache processes.
    type: number
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  EnableInternalTLS:
    type: boolean
    default: false
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.

conditions:

  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}

resources:

  ApacheNetworks:
    type: OS::Heat::Value
    properties:
      value:
        # NOTE(jaosorior) Get unique network names to create
        # certificates for those. We skip the tenant network since
        # we don't need a certificate for that, and the external
        # is for HAProxy so it isn't used for apache either.
        yaql:
          expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
          data:
            map:
              get_param: ServiceNetMap

outputs:
  role_data:
    description: Role data for the Apache role.
    value:
      service_name: apache
      config_settings:
        map_merge:
          -
            # for the given network; replacement examples (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
            apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
            apache::default_vhost: false
            apache::server_signature: 'Off'
            apache::server_tokens: 'Prod'
            apache_remote_proxy_ips_network:
              str_replace:
                template: "NETWORK_subnet"
                params:
                  NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
            apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
            apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
            apache::mod::remoteip::proxy_ips:
              - "%{hiera('apache_remote_proxy_ips_network')}"
          - if:
            - internal_tls_enabled
            -
              generate_service_certificates: true
              apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
              tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
              tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
              apache_certificates_specs:
                map_merge:
                  repeat:
                    template:
                      httpd-NETWORK:
                        service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
                        service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
                        hostname: "%{hiera('fqdn_NETWORK')}"
                        principal: "HTTP/%{hiera('fqdn_NETWORK')}"
                    for_each:
                      NETWORK: {get_attr: [ApacheNetworks, value]}
            - {}
      metadata_settings:
        if:
          - internal_tls_enabled
          -
            repeat:
              template:
                - service: HTTP
                  network: $NETWORK
                  type: node
              for_each:
                $NETWORK: {get_attr: [ApacheNetworks, value]}
          - null
      upgrade_tasks:
        - name: Check if httpd is deployed
          command: systemctl is-enabled httpd
          tags: common
          ignore_errors: True
          register: httpd_enabled
        - name: "PreUpgrade step0,validation: Check service httpd is running"
          shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'
          when: httpd_enabled.rc == 0
          tags: step0,validation
        - name: Ensure mod_ssl package is installed
          tags: step3
          yum: name=mod_ssl state=latest