Merge pull request #866 from Azure/eventgrid-tls-min12

Eventgrid tls min12
Azure · Nov 21, 2024 · 35a9823 · 35a9823
2 parents cc4e29f + b44f96e
commit 35a9823
Show file tree

Hide file tree

Showing 10 changed files with 53 additions and 19 deletions.
diff --git a/config/config.schema.json b/config/config.schema.json
@@ -222,11 +222,26 @@
           "consumerName": {
             "type": "string"
           },
-          "eventGridMaxClientSessionsPerAuthName": {
-            "type": "string"
-          },
-          "eventgridName": {
-            "type": "string"
+          "eventGrid": {
+            "type": "object",
+            "properties": {
+              "maxClientSessionsPerAuthName": {
+                "type": "string"
+              },
+              "name": {
+                "type": "string"
+              },
+              "minTLSVersion": {
+                "type": "string",
+                "enum": ["1.2"]
+              }
+            },
+            "additionalProperties": false,
+            "required": [
+              "maxClientSessionsPerAuthName",
+              "name",
+              "minTLSVersion"
+            ]
           },
           "imageBase": {
             "type": "string"
@@ -278,8 +293,7 @@
         "required": [
           "certDomain",
           "consumerName",
-          "eventGridMaxClientSessionsPerAuthName",
-          "eventgridName",
+          "eventGrid",
           "imageBase",
           "imageTag",
           "keyVaultName",

diff --git a/config/config.yaml b/config/config.yaml
@@ -49,8 +49,10 @@ defaults:
   # Maestro
   maestro:
     keyVaultName: arohcp-maestro-{{ .ctx.regionShort }}
-    eventgridName: arohcp-maestro-{{ .ctx.regionShort }}
-    eventGridMaxClientSessionsPerAuthName: '4'
+    eventGrid:
+      name: arohcp-maestro-{{ .ctx.regionShort }}
+      maxClientSessionsPerAuthName: '4'
+      minTLSVersion: '1.2'
     certDomain: 'selfsigned.maestro.keyvault.azure.com'
     postgres:
       name: arohcp-maestro-{{ .ctx.regionShort }}

diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
@@ -56,8 +56,11 @@
   "maestro": {
     "certDomain": "selfsigned.maestro.keyvault.azure.com",
     "consumerName": "hcp-underlay-cspr-mgmt-1",
-    "eventGridMaxClientSessionsPerAuthName": "4",
-    "eventgridName": "arohcp-maestro-cspr",
+    "eventGrid": {
+      "maxClientSessionsPerAuthName": "4",
+      "minTLSVersion": "1.2",
+      "name": "arohcp-maestro-cspr"
+    },
     "imageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
     "imageTag": "ea066c250a002f0cc458711945165591bc9f6d3f",
     "keyVaultName": "arohcp-maestro-cspr",

diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
@@ -56,8 +56,11 @@
   "maestro": {
     "certDomain": "selfsigned.maestro.keyvault.azure.com",
     "consumerName": "hcp-underlay-dev-mgmt-1",
-    "eventGridMaxClientSessionsPerAuthName": "4",
-    "eventgridName": "arohcp-maestro-dev",
+    "eventGrid": {
+      "maxClientSessionsPerAuthName": "4",
+      "minTLSVersion": "1.2",
+      "name": "arohcp-maestro-dev"
+    },
     "imageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
     "imageTag": "ea066c250a002f0cc458711945165591bc9f6d3f",
     "keyVaultName": "arohcp-maestro-dev",

diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
@@ -56,8 +56,11 @@
   "maestro": {
     "certDomain": "selfsigned.maestro.keyvault.azure.com",
     "consumerName": "hcp-underlay-usw3tst-mgmt-1",
-    "eventGridMaxClientSessionsPerAuthName": "4",
-    "eventgridName": "arohcp-maestro-usw3tst",
+    "eventGrid": {
+      "maxClientSessionsPerAuthName": "4",
+      "minTLSVersion": "1.2",
+      "name": "arohcp-maestro-usw3tst"
+    },
     "imageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
     "imageTag": "ea066c250a002f0cc458711945165591bc9f6d3f",
     "keyVaultName": "arohcp-maestro-usw3tst",

diff --git a/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam
@@ -21,7 +21,7 @@ param userAgentPoolAZCount = {{ .mgmt.userAgentPool.azCount }}
 // Maestro
 param maestroConsumerName = '{{ .maestro.consumerName }}'
 param maestroKeyVaultName = '{{ .maestro.keyVaultName }}'
-param maestroEventGridNamespacesName = '{{ .maestro.eventgridName }}'
+param maestroEventGridNamespacesName = '{{ .maestro.eventGrid.name }}'
 param maestroCertDomain = '{{ .maestro.certDomain }}'
 
 // Hypershift

diff --git a/dev-infrastructure/configurations/region.tmpl.bicepparam b/dev-infrastructure/configurations/region.tmpl.bicepparam
@@ -7,5 +7,6 @@ param regionalDNSSubdomain = '{{ .regionalDNSSubdomain }}'
 
 // maestro
 param maestroKeyVaultName = '{{ .maestro.keyVaultName }}'
-param maestroEventGridNamespacesName = '{{ .maestro.eventgridName }}'
-param maestroEventGridMaxClientSessionsPerAuthName = {{ .maestro.eventGridMaxClientSessionsPerAuthName }}
+param maestroEventGridNamespacesName = '{{ .maestro.eventGrid.name }}'
+param maestroEventGridMaxClientSessionsPerAuthName = {{ .maestro.eventGrid.maxClientSessionsPerAuthName }}
+param maestroEventGridMinimumTlsVersionAllowed = '{{ .maestro.eventGrid.minTLSVersion }}'
diff --git a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
@@ -15,7 +15,7 @@ param rpCosmosDbName = '{{ .frontend.cosmosDB.name }}'
 param rpCosmosDbPrivate = {{ .frontend.cosmosDB.private }}
 
 param maestroKeyVaultName = '{{ .maestro.keyVaultName }}'
-param maestroEventGridNamespacesName = '{{ .maestro.eventgridName }}'
+param maestroEventGridNamespacesName = '{{ .maestro.eventGrid.name }}'
 param maestroCertDomain = '{{ .maestro.certDomain}}'
 param maestroPostgresServerName = '{{ .maestro.postgres.name }}'
 param maestroPostgresServerMinTLSVersion = '{{ .maestro.postgres.minTLSVersion }}'

diff --git a/dev-infrastructure/modules/maestro/maestro-infra.bicep b/dev-infrastructure/modules/maestro/maestro-infra.bicep
@@ -35,6 +35,9 @@ param maestroKeyVaultName string
 @description('The name for the Managed Identity that will be created for Key Vault Certificate management.')
 param kvCertOfficerManagedIdentityName string
 
+@description('Minimum TLS version allowed for the EventGrid Namespace')
+param minimumTlsVersionAllowed string = '1.2'
+
 @description('Allow public network access to the EventGrid Namespace')
 @allowed([
   'Enabled'
@@ -118,6 +121,7 @@ resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2024-06-01-preview'
   properties: {
     isZoneRedundant: true
     publicNetworkAccess: publicNetworkAccess
+    minimumTlsVersionAllowed: minimumTlsVersionAllowed
     topicSpacesConfiguration: {
       state: 'Enabled'
       maximumSessionExpiryInHours: 1

diff --git a/dev-infrastructure/templates/region.bicep b/dev-infrastructure/templates/region.bicep
@@ -13,6 +13,9 @@ param maestroEventGridNamespacesName string
 @description('The maximum client sessions per authentication name for the EventGrid MQTT broker')
 param maestroEventGridMaxClientSessionsPerAuthName int
 
+@description('Minimum TLS version allowed for the EventGrid Namespace')
+param maestroEventGridMinimumTlsVersionAllowed string = '1.2'
+
 @description('Set to true to prevent resources from being pruned after 48 hours')
 param persist bool = false
 
@@ -67,5 +70,6 @@ module maestroInfra '../modules/maestro/maestro-infra.bicep' = {
     maestroKeyVaultName: maestroKeyVaultName
     kvCertOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName
     publicNetworkAccess: 'Enabled'
+    minimumTlsVersionAllowed: maestroEventGridMinimumTlsVersionAllowed
   }
 }