Simplify elasticsearch firewall rules

Because we are no longer running elasticsearch daemons on
logstash-workers to perform indexing (and instead use http to the
elasticsearch cluster data nodes) and because kibana also speaks the
http API and doesn't join the cluster from logstash.openstack.org we
don't need to allow the full mesh of connectivity over ports 9200 to
9400.

Remove these unneeded firewall rules as the next step is converting to
the new dns resolving firewall rule builder parameter in
puppet-iptables.

Change-Id: If79bab6dc0b510c5589b83c943458e8580eb8092
Clark Boylan 2017-12-14 13:16:12 -08:00
parent 994365d1bf
commit 5f876310ce
1 changed files with 1 additions and 8 deletions


@ -463,11 +463,8 @@ node /^wiki-dev\d+\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^logstash\d*\.openstack\.org$/ {
$iptables_es_rule = regsubst($elasticsearch_nodes,
'^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
$iptables_gm_rule = regsubst($logstash_gearman_clients,
$logstash_iptables_rule = regsubst($logstash_gearman_clients,
'^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')
$logstash_iptables_rule = flatten([$iptables_es_rule, $iptables_gm_rule])
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 3306],
@ -493,14 +490,10 @@ node /^logstash\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^logstash-worker\d+\.openstack\.org$/ {
$logstash_worker_iptables_rule = regsubst(flatten([$elasticsearch_nodes, $elasticsearch_clients]),
'^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
$group = 'logstash-worker'
class { 'openstack_project::server':
iptables_public_tcp_ports => [22],
iptables_rules6 => $logstash_worker_iptables_rule,
iptables_rules4 => $logstash_worker_iptables_rule,
sysadmins => hiera('sysadmins', []),
}
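Review bot: The new `$logstash_iptables_rule` in the first hunk is the bare `regsubst()` result, whereas the old code passed the rules through `flatten([...])`; `regsubst` returns a string for a string target and an array for an array target, so if `$logstash_gearman_clients` were ever a single host string the value presumably handed to `iptables_rules4`/`iptables_rules6` further down the node block (outside this hunk) would change shape from array to scalar. Keeping the wrapper, `$logstash_iptables_rule = flatten([regsubst($logstash_gearman_clients, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')])`, preserves the previous contract at no cost. Since this rule is now the only non-public inbound allowance on the logstash node, a short comment such as `# Only gearman (4730) is opened to clients; elasticsearch is reached over http from the workers, so the 9200:9400 transport-port rules are gone` would record the rationale next to the code rather than only in the commit message. The `logstash` node block continues outside the hunk.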