From 6de19ae04e8b69d1fb0968574f32f3f5ce3c8fb0 Mon Sep 17 00:00:00 2001 From: Gerd Oberlechner Date: Tue, 11 Jun 2024 09:08:00 +0200 Subject: [PATCH] explicit names for keyvault and eventgrid the nameing for keyvault and eventgrid are currently derived by the bicep modules at runtime based on various inputs like the current user ID, the resourcegroup name etc but both resources have special requirements for their names: * keyvaults require globally unique names * eventgrid requires region unique names instead of relying on the code to come up with names that satisfy the required uniqueness, this PR makes the names explicit inputs for the bicep templates. the dev parameter files under `dev-infrastructure/configuration` still provide some meaningful defaults based on the current user ID, which will provide unique names for our regular dev purposes. but for any environment beyond dev, the names for keyvault and evengrid need to be provided explicitely. Signed-off-by: Gerd Oberlechner --- .../configurations/mgmt-cluster.bicepparam | 5 +++ .../configurations/svc-cluster.bicepparam | 5 +++ .../modules/aks-cluster-base.bicep | 5 ++- .../modules/maestro/maestro-config.bicep | 27 ------------ .../templates/mgmt-cluster.bicep | 36 ++++++++------- .../templates/svc-cluster.bicep | 44 +++++++++++-------- 6 files changed, 60 insertions(+), 62 deletions(-) delete mode 100644 dev-infrastructure/modules/maestro/maestro-config.bicep diff --git a/dev-infrastructure/configurations/mgmt-cluster.bicepparam b/dev-infrastructure/configurations/mgmt-cluster.bicepparam index 491aeb700..d149ceded 100644 --- a/dev-infrastructure/configurations/mgmt-cluster.bicepparam +++ b/dev-infrastructure/configurations/mgmt-cluster.bicepparam 
@@ -6,9 +6,14 @@ param vnetAddressPrefix = '10.132.0.0/14'
 param subnetPrefix = '10.132.8.0/21'
 param podSubnetPrefix = '10.132.64.0/18'
 param enablePrivateCluster = false
+param aksKeyVaultName = take('aks-kv-mgmt-cluster-${uniqueString(currentUserId)}', 24)
 param persist = false
 param deployMaestroConsumer = false
 param maestroNamespace = 'maestro'
+param maestroKeyVaultName = take('maestro-kv-${uniqueString(currentUserId)}', 24)
+param maestroEventGridNamespacesName = '${maestroInfraResourceGroup}-eventgrid'
+param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-int.azure.com'
+
 param workloadIdentities = items({
 maestro_wi: {
 uamiName: 'maestro-consumer'
diff --git a/dev-infrastructure/configurations/svc-cluster.bicepparam b/dev-infrastructure/configurations/svc-cluster.bicepparam
index 8a941650e..d1b837c28 100644
--- a/dev-infrastructure/configurations/svc-cluster.bicepparam
+++ b/dev-infrastructure/configurations/svc-cluster.bicepparam
@@ -7,10 +7,15 @@ param subnetPrefix = '10.128.8.0/21'
 param podSubnetPrefix = '10.128.64.0/18'
 param enablePrivateCluster = false
 param persist = false
+param aksKeyVaultName = take('aks-kv-svc-cluster-${uniqueString(currentUserId)}', 24)
 param disableLocalAuth = false
 param deployFrontendCosmos = false
 param deployMaestroInfra = false
 param maestroNamespace = 'maestro'
+param maestroKeyVaultName = take('maestro-kv-${uniqueString(currentUserId)}', 24)
+param maestroEventGridNamespacesName = '${maestroInfraResourceGroup}-eventgrid'
+param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-int.azure.com'
+
 param workloadIdentities = items({
 frontend_wi: {
 uamiName: 'frontend'
diff --git a/dev-infrastructure/modules/aks-cluster-base.bicep b/dev-infrastructure/modules/aks-cluster-base.bicep
index 3124b20f0..232310f1c 100644
--- a/dev-infrastructure/modules/aks-cluster-base.bicep
+++ b/dev-infrastructure/modules/aks-cluster-base.bicep
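Review bot: The dev defaults for `aksKeyVaultName` keep almost none of the hash they rely on for uniqueness: `'aks-kv-mgmt-cluster-'` is 20 characters, so `take(…, 24)` leaves only the first four characters of `uniqueString(currentUserId)` (five in the svc-cluster hunk), and two users whose 13-character hashes share that short prefix collide on a name that must be globally unique. A shorter prefix keeps most of the hash inside the 24-character limit, e.g. `param aksKeyVaultName = take('aks-kv-mgmt-${uniqueString(currentUserId)}', 24)` and `param aksKeyVaultName = take('aks-kv-svc-${uniqueString(currentUserId)}', 24)`; `maestroKeyVaultName` is fine as written because `'maestro-kv-'` plus the 13-character hash is exactly 24. Note also that a deleted Key Vault keeps its name reserved while it is soft-deleted, so a deterministic per-user name requires a purge before the same user can redeploy (the vault's soft-delete and purge-protection settings are not in this diff). Separately, `'${maestroInfraResourceGroup}-eventgrid'` inherits whatever characters the resource group name contains, and Event Grid namespace names allow only letters, digits and hyphens within 3-50 characters (verify against the current service limits), so a resource group name with `_` or `.` or a long name fails at deployment rather than at parameter evaluation.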
@@ -22,6 +22,9 @@ param podSubnetPrefix string param clusterType string param workloadIdentities array +@maxLength(24) +param aksKeyVaultName string + // Local Params @description('Optional DNS prefix to use with hosted Kubernetes API server FQDN.') param dnsPrefix string = aksClusterName @@ -70,7 +73,7 @@ resource aks_pod_nsg 'Microsoft.Network/networkSecurityGroups@2023-11-01' = { resource aks_keyvault 'Microsoft.KeyVault/vaults@2023-07-01' = { location: location - name: take('aks-kv-${clusterType}-${uniqueString(currentUserId)}', 24) + name: aksKeyVaultName tags: { resourceGroup: resourceGroup().name } diff --git a/dev-infrastructure/modules/maestro/maestro-config.bicep b/dev-infrastructure/modules/maestro/maestro-config.bicep deleted file mode 100644 index 6ec8aa596..000000000 --- a/dev-infrastructure/modules/maestro/maestro-config.bicep +++ /dev/null @@ -1,27 +0,0 @@ -/* -This is a module for generating consistent constants and names for resources -that are shared across the maestro-server and (upcoming) maestro-consumer modules. -*/ - -@description('The resource group name for the Maestro infrastructure') -param resourceGroupName string - -@description('The location for the Maestro infrastructure') -param location string - -@description('The Maestro Event Grid Namespaces name') -param eventGridNamespaceName string? - -@description('The name for the Key Vault for Maestro certificates') -param keyVaultName string = take('maestro-kv-${location}-${uniqueString(resourceGroupName)}', 24) - -@description('The base domain name used in the the Event Grid certificate') -param certificateDomain string? - -output kvCertOfficerManagedIdentityName string = '${keyVaultName}-cert-officer-msi' - -output maestroEventGridNamespaceName string = eventGridNamespaceName ?? '${resourceGroupName}-eventgrid' - -output maestroKeyVaultName string = keyVaultName - -output maestroCertificateDomain string = certificateDomain ?? '${location}.maestro.keyvault.aro-int.azure.com' 
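Review bot: The new `aksKeyVaultName` parameter in aks-cluster-base.bicep enforces only the upper bound of the Key Vault naming rules; the name must also be at least 3 characters, begin with a letter and contain only letters, digits and hyphens, and the module now trusts every caller for all of that. At minimum add `@minLength(3)` next to `@maxLength(24)`, and give the parameter the `@description` the template-level copies have, e.g. `@description('Globally unique name of the Key Vault created for this AKS cluster (3-24 chars, letters/digits/hyphens, starts with a letter).')`. With the name no longer derived here, `currentUserId` may be unused by this module unless something outside the hunk still reads it — worth checking rather than leaving a dead parameter that suggests the vault is still user-scoped. The vault's remaining properties (authorization model, network ACLs, purge protection) are outside the hunk and unchanged by this commit.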
diff --git a/dev-infrastructure/templates/mgmt-cluster.bicep b/dev-infrastructure/templates/mgmt-cluster.bicep index e44e4afb1..d4fba27a1 100644 --- a/dev-infrastructure/templates/mgmt-cluster.bicep +++ b/dev-infrastructure/templates/mgmt-cluster.bicep @@ -25,6 +25,10 @@ param kubernetesVersion string @description('Istio control plane version to use with AKS') param istioVersion string +@description('The name of the keyvault for AKS.') +@maxLength(24) +param aksKeyVaultName string + @description('List of workload identities to create and their required values') param workloadIdentities array @@ -34,12 +38,22 @@ param deployMaestroConsumer bool @description('Namespace to deploy the Maestro Consumer to.') param maestroNamespace string -@description('The OneCertV2 domain to use to use for the Maestro certificate.') -param maestroCertDomain string? +@description('The domain to use to use for the maestro certificate. Relevant only for environments where OneCert can be used.') +param maestroCertDomain string + +@description('The name of the keyvault for Maestro Eventgrid namespace certificates.') +@maxLength(24) +param maestroKeyVaultName string + +@description('The name of the managed identity that will manage certificates in maestros keyvault.') +param maestroKeyVaultCertOfficerMSIName string = '${maestroKeyVaultName}-cert-officer-msi' @description('The resourcegroups where the Maestro infrastructure is deployed.') param maestroInfraResourceGroup string +@description('The name of the eventgrid namespace for Maestro.') +param maestroEventGridNamespacesName string + module mgmtCluster '../modules/aks-cluster-base.bicep' = { name: 'aks_base_cluster' scope: resourceGroup() @@ -55,6 +69,7 @@ module mgmtCluster '../modules/aks-cluster-base.bicep' = { podSubnetPrefix: podSubnetPrefix clusterType: 'mgmt-cluster' workloadIdentities: workloadIdentities + aksKeyVaultName: aksKeyVaultName } } 
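Review bot: `maestroCertDomain` in the second hunk changes from `string?` to a required `string`, yet its new description still says it is "Relevant only for environments where OneCert can be used", while the dev parameter file feeds it `selfsigned.maestro.keyvault.aro-int.azure.com`; the sentence now tells operators they can omit a value the template refuses to deploy without. Describe what the value actually is, e.g. `@description('DNS name placed in the Maestro Event Grid client certificate; required, used for self-signed dev certificates as well as OneCert-issued ones.')` (how the consumer module consumes the domain is outside this diff, so confirm the wording against it) and drop the doubled "to use to use". `maestroEventGridNamespacesName` and the new `maestroKeyVaultCertOfficerMSIName` carry no length or format constraints although both name Azure resources; `@minLength(3)` and `@maxLength(50)` on the Event Grid name would reject an over-long or punctuated resource-group-derived value before the deployment is submitted. The `maestroKeyVaultCertOfficerMSIName` default also silently assumes this template's `maestroKeyVaultName` equals the one used by the svc-cluster deployment that created the identity; say so in its description, because on a mismatch the consumer presumably binds to whatever identity of that name exists in `maestroInfraResourceGroup`, or to none.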
@@ -62,15 +77,6 @@ module mgmtCluster '../modules/aks-cluster-base.bicep' = { // M A E S T R O // -module maestroConfig '../modules/maestro/maestro-config.bicep' = { - name: 'maestro-config' - params: { - location: location - resourceGroupName: maestroInfraResourceGroup - certificateDomain: maestroCertDomain - } -} - module maestroConsumer '../modules/maestro/maestro-consumer.bicep' = if (deployMaestroConsumer && maestroInfraResourceGroup != '') { name: 'maestro-consumer' scope: resourceGroup() @@ -87,10 +93,10 @@ module maestroConsumer '../modules/maestro/maestro-consumer.bicep' = if (deployM namespace: maestroNamespace maestroInfraResourceGroup: maestroInfraResourceGroup maestroConsumerName: mgmtCluster.outputs.aksClusterName - maestroEventGridNamespaceName: maestroConfig.outputs.maestroEventGridNamespaceName - maestroKeyVaultName: maestroConfig.outputs.maestroKeyVaultName - maestroKeyVaultOfficerManagedIdentityName: maestroConfig.outputs.kvCertOfficerManagedIdentityName - maestroKeyVaultCertificateDomain: maestroConfig.outputs.maestroCertificateDomain + maestroEventGridNamespaceName: maestroEventGridNamespacesName + maestroKeyVaultName: maestroKeyVaultName + maestroKeyVaultOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName + maestroKeyVaultCertificateDomain: maestroCertDomain location: location } } diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep index 4a6f9f117..33537bb8a 100644 --- a/dev-infrastructure/templates/svc-cluster.bicep +++ b/dev-infrastructure/templates/svc-cluster.bicep @@ -25,6 +25,10 @@ param kubernetesVersion string @description('Istio control plane version to use with AKS') param istioVersion string +@description('The name of the keyvault for AKS.') +@maxLength(24) +param aksKeyVaultName string + // TODO: When the work around workload identity for the RP is finalized, change this to true @description('disableLocalAuth for the ARO HCP RP CosmosDB') param disableLocalAuth bool 
@@ -41,11 +45,21 @@ param deployMaestroInfra bool @description('The namespace where the maestro resources will be deployed.') param maestroNamespace string -@description('The OneCertV2 domain to use to use for the maestro certificate.') -param maestroCertDomain string? +@description('The domain to use to use for the maestro certificate. Relevant only for environments where OneCert can be used.') +param maestroCertDomain string + +@description('The name of the eventgrid namespace for Maestro.') +param maestroEventGridNamespacesName string + +@description('The name of the keyvault for Maestro Eventgrid namespace certificates.') +@maxLength(24) +param maestroKeyVaultName string + +@description('The name of the managed identity that will manage certificates in maestros keyvault.') +param maestroKeyVaultCertOfficerMSIName string = '${maestroKeyVaultName}-cert-officer-msi' @description('The resourcegroups where the Maestro infrastructure will be deployed.') -param maestroInfraResourceGroup string +param maestroInfraResourceGroup string = resourceGroup().name module svcCluster '../modules/aks-cluster-base.bicep' = { name: 'svc-cluster' @@ -62,6 +76,7 @@ module svcCluster '../modules/aks-cluster-base.bicep' = { podSubnetPrefix: podSubnetPrefix clusterType: 'svc-cluster' workloadIdentities: workloadIdentities + aksKeyVaultName: aksKeyVaultName } } var frontendMI = filter(svcCluster.outputs.userAssignedIdentities, id => id.uamiName == 'frontend')[0] 
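Review bot: `maestroInfraResourceGroup` gains a default of `resourceGroup().name` in this hunk, so omitting it co-locates the Maestro Key Vault, its cert-officer identity and the Event Grid namespace in the same resource group as the service cluster, which can widen who reaches the broker certificates through resource-group-scoped Key Vault roles; mgmt-cluster.bicep keeps the parameter required and guards on `maestroInfraResourceGroup != ''`, so the two templates now disagree on whether it may be omitted. If the default is intended, document the consequence, e.g. `@description('Resource group for the Maestro Key Vault and Event Grid namespace. Defaults to the deployment resource group, which co-locates broker certificates with the cluster; set it explicitly for shared or production environments.')`. Note that the dev parameter file references `maestroInfraResourceGroup` inside `maestroEventGridNamespacesName`, so the default only takes effect when a caller omits the parameter entirely; whether the param file also defines it is outside this diff.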
@@ -85,24 +100,15 @@ output frontend_mi_client_id string = frontendMI.uamiClientID // M A E S T R O // -module maestroConfig '../modules/maestro/maestro-config.bicep' = { - name: 'maestro-config' - params: { - location: location - resourceGroupName: maestroInfraResourceGroup - certificateDomain: maestroCertDomain - } -} - module maestroInfra '../modules/maestro/maestro-infra.bicep' = if (deployMaestroInfra) { name: 'maestro-infra' scope: resourceGroup(maestroInfraResourceGroup) params: { - eventGridNamespaceName: maestroConfig.outputs.maestroEventGridNamespaceName + eventGridNamespaceName: maestroEventGridNamespacesName location: location currentUserId: currentUserId - maestroKeyVaultName: maestroConfig.outputs.maestroKeyVaultName - kvCertOfficerManagedIdentityName: maestroConfig.outputs.kvCertOfficerManagedIdentityName + maestroKeyVaultName: maestroKeyVaultName + kvCertOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName } } @@ -120,10 +126,10 @@ module maestroServer '../modules/maestro/maestro-server.bicep' = if (deployMaest )[0].uamiClientID namespace: maestroNamespace maestroInfraResourceGroup: maestroInfraResourceGroup - maestroEventGridNamespaceName: maestroConfig.outputs.maestroEventGridNamespaceName - maestroKeyVaultName: maestroConfig.outputs.maestroKeyVaultName - maestroKeyVaultOfficerManagedIdentityName: maestroConfig.outputs.kvCertOfficerManagedIdentityName - maestroKeyVaultCertificateDomain: maestroConfig.outputs.maestroCertificateDomain + maestroEventGridNamespaceName: maestroEventGridNamespacesName + maestroKeyVaultName: maestroKeyVaultName + maestroKeyVaultOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName + maestroKeyVaultCertificateDomain: maestroCertDomain location: location } dependsOn: [