Merge pull request #196 from Azure/explicit-kv-eg-naming

explicit names for keyvault and eventgrid
Azure · Jun 11, 2024 · dc14477 · dc14477
2 parents 6611c14 + 6de19ae
commit dc14477
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 62 deletions.
diff --git a/dev-infrastructure/configurations/mgmt-cluster.bicepparam b/dev-infrastructure/configurations/mgmt-cluster.bicepparam
@@ -6,9 +6,14 @@ param vnetAddressPrefix = '10.132.0.0/14'
 param subnetPrefix = '10.132.8.0/21'
 param podSubnetPrefix = '10.132.64.0/18'
 param enablePrivateCluster = false
+param aksKeyVaultName = take('aks-kv-mgmt-cluster-${uniqueString(currentUserId)}', 24)
 param persist = false
 param deployMaestroConsumer = false
 param maestroNamespace = 'maestro'
+param maestroKeyVaultName = take('maestro-kv-${uniqueString(currentUserId)}', 24)
+param maestroEventGridNamespacesName = '${maestroInfraResourceGroup}-eventgrid'
+param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-int.azure.com'
+
 param workloadIdentities = items({
   maestro_wi: {
     uamiName: 'maestro-consumer'

diff --git a/dev-infrastructure/configurations/svc-cluster.bicepparam b/dev-infrastructure/configurations/svc-cluster.bicepparam
@@ -7,10 +7,15 @@ param subnetPrefix = '10.128.8.0/21'
 param podSubnetPrefix = '10.128.64.0/18'
 param enablePrivateCluster = false
 param persist = false
+param aksKeyVaultName = take('aks-kv-svc-cluster-${uniqueString(currentUserId)}', 24)
 param disableLocalAuth = false
 param deployFrontendCosmos = false
 param deployMaestroInfra = false
 param maestroNamespace = 'maestro'
+param maestroKeyVaultName = take('maestro-kv-${uniqueString(currentUserId)}', 24)
+param maestroEventGridNamespacesName = '${maestroInfraResourceGroup}-eventgrid'
+param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-int.azure.com'
+
 param workloadIdentities = items({
   frontend_wi: {
     uamiName: 'frontend'

diff --git a/dev-infrastructure/modules/aks-cluster-base.bicep b/dev-infrastructure/modules/aks-cluster-base.bicep
@@ -22,6 +22,9 @@ param podSubnetPrefix string
 param clusterType string
 param workloadIdentities array
 
+@maxLength(24)
+param aksKeyVaultName string
+
 // Local Params
 @description('Optional DNS prefix to use with hosted Kubernetes API server FQDN.')
 param dnsPrefix string = aksClusterName
@@ -70,7 +73,7 @@ resource aks_pod_nsg 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
 
 resource aks_keyvault 'Microsoft.KeyVault/vaults@2023-07-01' = {
   location: location
-  name: take('aks-kv-${clusterType}-${uniqueString(currentUserId)}', 24)
+  name: aksKeyVaultName
   tags: {
     resourceGroup: resourceGroup().name
   }

diff --git a/dev-infrastructure/modules/maestro/maestro-config.bicep b/dev-infrastructure/modules/maestro/maestro-config.bicep
diff --git a/dev-infrastructure/templates/mgmt-cluster.bicep b/dev-infrastructure/templates/mgmt-cluster.bicep
@@ -25,6 +25,10 @@ param kubernetesVersion string
 @description('Istio control plane version to use with AKS')
 param istioVersion string
 
+@description('The name of the keyvault for AKS.')
+@maxLength(24)
+param aksKeyVaultName string
+
 @description('List of workload identities to create and their required values')
 param workloadIdentities array
 
@@ -34,12 +38,22 @@ param deployMaestroConsumer bool
 @description('Namespace to deploy the Maestro Consumer to.')
 param maestroNamespace string
 
-@description('The OneCertV2 domain to use to use for the Maestro certificate.')
-param maestroCertDomain string?
+@description('The domain to use to use for the maestro certificate. Relevant only for environments where OneCert can be used.')
+param maestroCertDomain string
+
+@description('The name of the keyvault for Maestro Eventgrid namespace certificates.')
+@maxLength(24)
+param maestroKeyVaultName string
+
+@description('The name of the managed identity that will manage certificates in maestros keyvault.')
+param maestroKeyVaultCertOfficerMSIName string = '${maestroKeyVaultName}-cert-officer-msi'
 
 @description('The resourcegroups where the Maestro infrastructure is deployed.')
 param maestroInfraResourceGroup string
 
+@description('The name of the eventgrid namespace for Maestro.')
+param maestroEventGridNamespacesName string
+
 module mgmtCluster '../modules/aks-cluster-base.bicep' = {
   name: 'aks_base_cluster'
   scope: resourceGroup()
@@ -55,22 +69,14 @@ module mgmtCluster '../modules/aks-cluster-base.bicep' = {
     podSubnetPrefix: podSubnetPrefix
     clusterType: 'mgmt-cluster'
     workloadIdentities: workloadIdentities
+    aksKeyVaultName: aksKeyVaultName
   }
 }
 
 //
 //   M A E S T R O
 //
 
-module maestroConfig '../modules/maestro/maestro-config.bicep' = {
-  name: 'maestro-config'
-  params: {
-    location: location
-    resourceGroupName: maestroInfraResourceGroup
-    certificateDomain: maestroCertDomain
-  }
-}
-
 module maestroConsumer '../modules/maestro/maestro-consumer.bicep' = if (deployMaestroConsumer && maestroInfraResourceGroup != '') {
   name: 'maestro-consumer'
   scope: resourceGroup()
@@ -87,10 +93,10 @@ module maestroConsumer '../modules/maestro/maestro-consumer.bicep' = if (deployM
     namespace: maestroNamespace
     maestroInfraResourceGroup: maestroInfraResourceGroup
     maestroConsumerName: mgmtCluster.outputs.aksClusterName
-    maestroEventGridNamespaceName: maestroConfig.outputs.maestroEventGridNamespaceName
-    maestroKeyVaultName: maestroConfig.outputs.maestroKeyVaultName
-    maestroKeyVaultOfficerManagedIdentityName: maestroConfig.outputs.kvCertOfficerManagedIdentityName
-    maestroKeyVaultCertificateDomain: maestroConfig.outputs.maestroCertificateDomain
+    maestroEventGridNamespaceName: maestroEventGridNamespacesName
+    maestroKeyVaultName: maestroKeyVaultName
+    maestroKeyVaultOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName
+    maestroKeyVaultCertificateDomain: maestroCertDomain
     location: location
   }
 }
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
@@ -25,6 +25,10 @@ param kubernetesVersion string
 @description('Istio control plane version to use with AKS')
 param istioVersion string
 
+@description('The name of the keyvault for AKS.')
+@maxLength(24)
+param aksKeyVaultName string
+
 // TODO: When the work around workload identity for the RP is finalized, change this to true
 @description('disableLocalAuth for the ARO HCP RP CosmosDB')
 param disableLocalAuth bool
@@ -41,11 +45,21 @@ param deployMaestroInfra bool
 @description('The namespace where the maestro resources will be deployed.')
 param maestroNamespace string
 
-@description('The OneCertV2 domain to use to use for the maestro certificate.')
-param maestroCertDomain string?
+@description('The domain to use to use for the maestro certificate. Relevant only for environments where OneCert can be used.')
+param maestroCertDomain string
+
+@description('The name of the eventgrid namespace for Maestro.')
+param maestroEventGridNamespacesName string
+
+@description('The name of the keyvault for Maestro Eventgrid namespace certificates.')
+@maxLength(24)
+param maestroKeyVaultName string
+
+@description('The name of the managed identity that will manage certificates in maestros keyvault.')
+param maestroKeyVaultCertOfficerMSIName string = '${maestroKeyVaultName}-cert-officer-msi'
 
 @description('The resourcegroups where the Maestro infrastructure will be deployed.')
-param maestroInfraResourceGroup string
+param maestroInfraResourceGroup string = resourceGroup().name
 
 module svcCluster '../modules/aks-cluster-base.bicep' = {
   name: 'svc-cluster'
@@ -62,6 +76,7 @@ module svcCluster '../modules/aks-cluster-base.bicep' = {
     podSubnetPrefix: podSubnetPrefix
     clusterType: 'svc-cluster'
     workloadIdentities: workloadIdentities
+    aksKeyVaultName: aksKeyVaultName
   }
 }
 var frontendMI = filter(svcCluster.outputs.userAssignedIdentities, id => id.uamiName == 'frontend')[0]
@@ -85,24 +100,15 @@ output frontend_mi_client_id string = frontendMI.uamiClientID
 //   M A E S T R O
 //
 
-module maestroConfig '../modules/maestro/maestro-config.bicep' = {
-  name: 'maestro-config'
-  params: {
-    location: location
-    resourceGroupName: maestroInfraResourceGroup
-    certificateDomain: maestroCertDomain
-  }
-}
-
 module maestroInfra '../modules/maestro/maestro-infra.bicep' = if (deployMaestroInfra) {
   name: 'maestro-infra'
   scope: resourceGroup(maestroInfraResourceGroup)
   params: {
-    eventGridNamespaceName: maestroConfig.outputs.maestroEventGridNamespaceName
+    eventGridNamespaceName: maestroEventGridNamespacesName
     location: location
     currentUserId: currentUserId
-    maestroKeyVaultName: maestroConfig.outputs.maestroKeyVaultName
-    kvCertOfficerManagedIdentityName: maestroConfig.outputs.kvCertOfficerManagedIdentityName
+    maestroKeyVaultName: maestroKeyVaultName
+    kvCertOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName
   }
 }
 
@@ -120,10 +126,10 @@ module maestroServer '../modules/maestro/maestro-server.bicep' = if (deployMaest
     )[0].uamiClientID
     namespace: maestroNamespace
     maestroInfraResourceGroup: maestroInfraResourceGroup
-    maestroEventGridNamespaceName: maestroConfig.outputs.maestroEventGridNamespaceName
-    maestroKeyVaultName: maestroConfig.outputs.maestroKeyVaultName
-    maestroKeyVaultOfficerManagedIdentityName: maestroConfig.outputs.kvCertOfficerManagedIdentityName
-    maestroKeyVaultCertificateDomain: maestroConfig.outputs.maestroCertificateDomain
+    maestroEventGridNamespaceName: maestroEventGridNamespacesName
+    maestroKeyVaultName: maestroKeyVaultName
+    maestroKeyVaultOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName
+    maestroKeyVaultCertificateDomain: maestroCertDomain
     location: location
   }
   dependsOn: [