diff --git a/config/config.msft.yaml b/config/config.msft.yaml index 6ca8c9b0d..9191f5042 100644 --- a/config/config.msft.yaml +++ b/config/config.msft.yaml @@ -7,7 +7,7 @@ defaults: # General AKS config kubernetesVersion: 1.30.5 - istioVersion: "['asm-1-22']" + istioVersion: "asm-1-22" vnetAddressPrefix: "10.128.0.0/14" subnetPrefix: "10.128.8.0/21" podSubnetPrefix: "10.128.64.0/18" @@ -51,13 +51,13 @@ defaults: maestro: eventGrid: name: arohcp-maestro-{{ .ctx.regionShort }} - maxClientSessionsPerAuthName: '4' + maxClientSessionsPerAuthName: 4 private: false certDomain: 'selfsigned.maestro.keyvault.azure.com' postgres: name: arohcp-maestro-{{ .ctx.regionShort }} serverVersion: '15' - serverStorageSizeGB: '32' + serverStorageSizeGB: 32 deploy: false private: false minTLSVersion: 'TLSV1.2' @@ -89,7 +89,7 @@ defaults: serviceKeyVault: name: arohcp-svc-{{ .ctx.regionShort }} - rg: hcp-underlay-{{ .ctx.regionShort }} + rg: hcp-underlay-{{ .ctx.region }}-svc region: {{ .ctx.region }} softDelete: false private: false @@ -162,7 +162,7 @@ clouds: osDiskSizeGB: 100 azCount: 3 # DNS - baseDnsZoneName: aro-hcp.azure-test.net' + baseDnsZoneName: aro-hcp.azure-test.net regionalDNSSubdomain: '{{ .ctx.region }}' # ACR 
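Review bot: `istioVersion` becomes a single scalar (`"asm-1-22"`) and the svc-cluster bicepparam template in this same change re-wraps it as a one-element array, so the config can no longer express two ASM revisions at once, which the previous list-valued form could; a two-revision canary upgrade would need another config change. If single-revision is the intended constraint, say so next to the key so nobody reintroduces the list: `# single ASM revision; svc-cluster.tmpl.bicepparam wraps this in a one-element list`. Otherwise keep the value a YAML list and render it with a list-aware helper instead of string interpolation.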
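Review bot: `serviceKeyVault.rg` now derives from `.ctx.region` with a `-svc` suffix while every other regional name in the surrounding defaults (`arohcp-svc-{{ .ctx.regionShort }}`, the maestro names) uses `.ctx.regionShort`; this is the group the svc-cluster template uses to locate the service vault, so a mismatch with the group the svc pipeline actually deploys into fails the rollout or, worse, binds to a differently named vault. If the long form is deliberate — presumably because it must equal the svc pipeline's `svc.rg` — a comment prevents the next reader from "fixing" it back: `# must match svc.rg, the resource group the svc pipeline deploys the service cluster into`.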
@@ -191,9 +191,9 @@ clouds: # Grafana monitoring: - grafanaAdminGroupPrincipalId: '??? the one to be used as Grafana Admin in grafana.bicep ???' + grafanaAdminGroupPrincipalId: '2fdb57d4-3fd3-415d-b604-1d0e37a188fe' # Azure Red Hat OpenShift MSFT Engineering # DEVOPS MSI # lets create this MSI manually for the time being and automate soon # but we should use the MSI name as an input and not the resource ID of the MSI - aroDevopsMsiId: '??? the one for OIDC deployment script / lives in the global RG / needs to be created first thing on regional buildout ???' + aroDevopsMsiId: '/subscriptions/5299e6b7-b23b-46c8-8277-dc1147807117/resourcegroups/global-shared-resources/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aroint-int-public-oidc' \ No newline at end of file diff --git a/dev-infrastructure/configurations/region.tmpl.bicepparam b/dev-infrastructure/configurations/region.tmpl.bicepparam index 65ed549df..75d89cc50 100644 --- a/dev-infrastructure/configurations/region.tmpl.bicepparam +++ b/dev-infrastructure/configurations/region.tmpl.bicepparam @@ -7,5 +7,5 @@ param regionalDNSSubdomain = '{{ .regionalDNSSubdomain }}' // maestro param maestroEventGridNamespacesName = '{{ .maestro.eventGrid.name }}' -param maestroEventGridMaxClientSessionsPerAuthName = {{ .maestro.eventGrid.maxClientSessionsPerAuthName }} -param maestroEventGridPrivate = {{ .maestro.eventGrid.private }} +param maestroEventGridMaxClientSessionsPerAuthName = any('{{ .maestro.eventGrid.maxClientSessionsPerAuthName }}') +param maestroEventGridPrivate = any('{{ .maestro.eventGrid.private }}') diff --git a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam index 077fca8d9..e39b3b09a 100644 --- a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam +++ b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam 
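Review bot: `aroDevopsMsiId` is now a full resource ID pinned to subscription `5299e6b7-…` and the `global-shared-resources` group, while the comment kept two lines above it still says the MSI name, not its resource ID, should be the input; the two now contradict each other, and any other subscription rendering this cloud section would reference an identity it cannot resolve. Judging by the parameter name in svc-cluster.bicep (`keyVaultOfficerManagedIdentityName: aroDevopsMsiId`, in the maestro module that this same change comments out), this identity is granted Key Vault officer rights on the service vault, so the value is a privilege boundary rather than plain configuration. Either update the comment to match the resource-ID format or note the implication on the key: `# identity that svc-cluster.bicep grants Key Vault officer rights on the service vault; changing it changes who can manage certificates`. The file also lost its trailing newline.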
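Review bot: Wrapping `maestroEventGridMaxClientSessionsPerAuthName` and `maestroEventGridPrivate` in `any('…')` hands an int and a bool to the template as quoted strings and switches off Bicep's parameter type check for them, and nothing in the hunk says why; the likely reason — the EV2 path substitutes `__key__` placeholders, which must sit inside quotes to be valid Bicep — is only visible in the mapping.go hunk of this same change. A one-line comment above the block saves the next reader from reverting it: `// values are quoted so EV2 placeholders are valid Bicep; any() defers type checking to deployment time`. It is worth confirming that the deployment actually turns `'false'` into a bool rather than rejecting it or treating a non-empty string as true, since that decides whether `maestroEventGridPrivate` is honoured.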
@@ -1,24 +1,24 @@ using '../templates/svc-cluster.bicep' param kubernetesVersion = '{{ .kubernetesVersion }}' -param istioVersion = {{ .istioVersion }} +param istioVersion = ['{{ .istioVersion }}'] param vnetAddressPrefix = '{{ .vnetAddressPrefix }}' param subnetPrefix = '{{ .subnetPrefix }}' param podSubnetPrefix = '{{ .podSubnetPrefix }}' param aksClusterName = '{{ .aksName }}' param aksKeyVaultName = '{{ .svc.etcd.kvName }}' -param aksEtcdKVEnableSoftDelete = {{ .svc.etcd.kvSoftDelete }} +param aksEtcdKVEnableSoftDelete = any('{{ .svc.etcd.kvSoftDelete }}') -param userAgentMinCount = {{ .svc.userAgentPool.minCount }} -param userAgentMaxCount = {{ .svc.userAgentPool.maxCount }} +param userAgentMinCount = any('{{ .svc.userAgentPool.minCount }}') +param userAgentMaxCount = any('{{ .svc.userAgentPool.maxCount }}') param userAgentVMSize = '{{ .svc.userAgentPool.vmSize }}' -param aksUserOsDiskSizeGB = {{ .svc.userAgentPool.osDiskSizeGB }} -param userAgentPoolAZCount = {{ .svc.userAgentPool.azCount }} +param aksUserOsDiskSizeGB = any('{{ .svc.userAgentPool.osDiskSizeGB }}') +param userAgentPoolAZCount = any('{{ .svc.userAgentPool.azCount }}') -param disableLocalAuth = {{ .frontend.cosmosDB.disableLocalAuth }} -param deployFrontendCosmos = {{ .frontend.cosmosDB.deploy }} +param disableLocalAuth = any('{{ .frontend.cosmosDB.disableLocalAuth }}') +param deployFrontendCosmos = any('{{ .frontend.cosmosDB.deploy }}') param rpCosmosDbName = '{{ .frontend.cosmosDB.name }}' -param rpCosmosDbPrivate = {{ .frontend.cosmosDB.private }} +param rpCosmosDbPrivate = any('{{ .frontend.cosmosDB.private }}') param maestroEventGridNamespacesName = '{{ .maestro.eventGrid.name }}' param maestroServerMqttClientName = '{{ .maestro.serverMqttClientName }}' 
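Review bot: `disableLocalAuth`, `rpCosmosDbPrivate` and `aksEtcdKVEnableSoftDelete` are security-relevant booleans that are now rendered as `any('…')` strings, so a misrendered value (`'False'`, an empty expansion, a leftover `__frontend_cosmosDB_disableLocalAuth__` placeholder) is no longer caught by `bicep build-params` and surfaces only at deployment time, or not at all if the consumer treats any non-empty string as true. Because the failure mode is "Cosmos DB keeps key-based auth enabled" rather than a build error, the pipeline should assert on the rendered parameters file that these values decode to literal `true`/`false`, and the numeric pool sizes (`userAgentMinCount`, `userAgentMaxCount`, `aksUserOsDiskSizeGB`) to integers. A comment above the first `any(` explaining that the quoting exists for placeholder substitution would also stop a well-meaning cleanup from undoing it.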
@@ -26,20 +26,20 @@ param maestroCertDomain = '{{ .maestro.certDomain}}' param maestroPostgresServerName = '{{ .maestro.postgres.name }}' param maestroPostgresServerMinTLSVersion = '{{ .maestro.postgres.minTLSVersion }}' param maestroPostgresServerVersion = '{{ .maestro.postgres.serverVersion }}' -param maestroPostgresServerStorageSizeGB = {{ .maestro.postgres.serverStorageSizeGB }} -param deployMaestroPostgres = {{ .maestro.postgres.deploy }} -param maestroPostgresPrivate = {{ .maestro.postgres.private }} +param maestroPostgresServerStorageSizeGB = any('{{ .maestro.postgres.serverStorageSizeGB }}') +param deployMaestroPostgres = any('{{ .maestro.postgres.deploy }}') +param maestroPostgresPrivate = any('{{ .maestro.postgres.private }}') -param deployCsInfra = {{ .clusterService.postgres.deploy }} +param deployCsInfra = any('{{ .clusterService.postgres.deploy }}') param csPostgresServerName = '{{ .clusterService.postgres.name }}' param csPostgresServerMinTLSVersion = '{{ .clusterService.postgres.minTLSVersion }}' -param clusterServicePostgresPrivate = {{ .clusterService.postgres.private }} +param clusterServicePostgresPrivate = any('{{ .clusterService.postgres.private }}') param serviceKeyVaultName = '{{ .serviceKeyVault.name }}' param serviceKeyVaultResourceGroup = '{{ .serviceKeyVault.rg }}' param serviceKeyVaultLocation = '{{ .serviceKeyVault.region }}' -param serviceKeyVaultSoftDelete = {{ .serviceKeyVault.softDelete }} -param serviceKeyVaultPrivate = {{ .serviceKeyVault.private }} +param serviceKeyVaultSoftDelete = any('{{ .serviceKeyVault.softDelete }}') +param serviceKeyVaultPrivate = any('{{ .serviceKeyVault.private }}') param acrPullResourceGroups = ['{{ .serviceComponentAcrResourceGroups }}'] param imageSyncAcrResourceGroupNames = ['{{ .imageSync.acrRG }}'] diff --git a/dev-infrastructure/region-pipeline.yaml b/dev-infrastructure/region-pipeline.yaml index d680c1bc5..69125cdeb 100644 --- a/dev-infrastructure/region-pipeline.yaml 
+++ b/dev-infrastructure/region-pipeline.yaml @@ -1,4 +1,4 @@ -serviceGroup: Microsoft.Azure.ARO.Test +serviceGroup: Microsoft.Azure.ARO.HCP.Region rolloutName: Region Rollout resourceGroups: - name: {{ .regionRG }} @@ -10,7 +10,7 @@ resourceGroups: parameters: configurations/region.tmpl.bicepparam - name: metrics-infra action: ARM - template: modules/modules/metrics.bicep + template: modules/metrics/metrics.bicep parameters: configurations/metrics.tmpl.bicepparam dependsOn: - region diff --git a/dev-infrastructure/svc-pipeline.yaml b/dev-infrastructure/svc-pipeline.yaml index 743b0415a..cee2de6ef 100644 --- a/dev-infrastructure/svc-pipeline.yaml +++ b/dev-infrastructure/svc-pipeline.yaml @@ -1,4 +1,4 @@ -serviceGroup: Microsoft.Azure.ARO.Test +serviceGroup: Microsoft.Azure.ARO.HCP.Service.Infra rolloutName: Service Cluster Rollout resourceGroups: - name: {{ .svc.rg }} diff --git a/dev-infrastructure/templates/region.bicep b/dev-infrastructure/templates/region.bicep index 7c88b7072..89eb9c9bd 100644 --- a/dev-infrastructure/templates/region.bicep +++ b/dev-infrastructure/templates/region.bicep @@ -47,7 +47,7 @@ module regionalZoneDelegation '../modules/dns/zone-delegation.bicep' = { params: { childZoneName: regionalDNSSubdomain childZoneNameservers: regionalZone.properties.nameServers - parentZoneName: baseDNSZoneName + parentZoneName: regionalZone.name } } diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep index 69edf4d99..eac617fbe 100644 --- a/dev-infrastructure/templates/svc-cluster.bicep +++ b/dev-infrastructure/templates/svc-cluster.bicep 
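Review bot: `parentZoneName` is now `regionalZone.name` instead of `baseDNSZoneName`, so the delegation module is told to write the NS records for `regionalDNSSubdomain` into the regional zone itself, pointing at that same zone's nameservers; unless `regionalZone.name` resolves to the base zone (its definition is outside this hunk), the base zone never learns about the regional subdomain, the delegation is a no-op and the child zone gets a self-referential NS set. If the motivation was to avoid a cross-resource-group reference to the base zone, the fix belongs in how `baseDNSZoneName` is scoped, not in changing the parent; otherwise restore `parentZoneName: baseDNSZoneName`. A comment on the parameter naming which zone is meant (`// parent: the public base zone that delegates <region>.<base> to regionalZone`) would make the next review faster.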
@@ -231,42 +231,42 @@ module rpCosmosDb '../modules/rp-cosmos.bicep' = if (deployFrontendCosmos) { output cosmosDBName string = deployFrontendCosmos ? rpCosmosDb.outputs.cosmosDBName : '' output frontend_mi_client_id string = frontendMI.uamiClientID -// -// M A E S T R O -// - -module maestroServer '../modules/maestro/maestro-server.bicep' = { - name: 'maestro-server' - params: { - maestroInfraResourceGroup: regionalResourceGroup - maestroEventGridNamespaceName: maestroEventGridNamespacesName - mqttClientName: maestroServerMqttClientName - certKeyVaultName: serviceKeyVaultName - certKeyVaultResourceGroup: serviceKeyVaultResourceGroup - keyVaultOfficerManagedIdentityName: aroDevopsMsiId - maestroCertificateDomain: maestroCertDomain - deployPostgres: deployMaestroPostgres - postgresServerName: maestroPostgresServerName - postgresServerVersion: maestroPostgresServerVersion - postgresServerMinTLSVersion: maestroPostgresServerMinTLSVersion - postgresServerStorageSizeGB: maestroPostgresServerStorageSizeGB - privateEndpointSubnetId: svcCluster.outputs.aksNodeSubnetId - privateEndpointVnetId: svcCluster.outputs.aksVnetId - postgresServerPrivate: maestroPostgresPrivate - maestroServerManagedIdentityPrincipalId: filter( - svcCluster.outputs.userAssignedIdentities, - id => id.uamiName == 'maestro-server' - )[0].uamiPrincipalID - maestroServerManagedIdentityName: filter( - svcCluster.outputs.userAssignedIdentities, - id => id.uamiName == 'maestro-server' - )[0].uamiName - location: location - } - dependsOn: [ - serviceKeyVault - ] -} +// // +// // M A E S T R O +// // + +// module maestroServer '../modules/maestro/maestro-server.bicep' = { +// name: 'maestro-server' +// params: { +// maestroInfraResourceGroup: regionalResourceGroup +// maestroEventGridNamespaceName: maestroEventGridNamespacesName +// mqttClientName: maestroServerMqttClientName +// certKeyVaultName: serviceKeyVaultName +// certKeyVaultResourceGroup: serviceKeyVaultResourceGroup +// 
keyVaultOfficerManagedIdentityName: aroDevopsMsiId +// maestroCertificateDomain: maestroCertDomain +// deployPostgres: deployMaestroPostgres +// postgresServerName: maestroPostgresServerName +// postgresServerVersion: maestroPostgresServerVersion +// postgresServerMinTLSVersion: maestroPostgresServerMinTLSVersion +// postgresServerStorageSizeGB: maestroPostgresServerStorageSizeGB +// privateEndpointSubnetId: svcCluster.outputs.aksNodeSubnetId +// privateEndpointVnetId: svcCluster.outputs.aksVnetId +// postgresServerPrivate: maestroPostgresPrivate +// maestroServerManagedIdentityPrincipalId: filter( +// svcCluster.outputs.userAssignedIdentities, +// id => id.uamiName == 'maestro-server' +// )[0].uamiPrincipalID +// maestroServerManagedIdentityName: filter( +// svcCluster.outputs.userAssignedIdentities, +// id => id.uamiName == 'maestro-server' +// )[0].uamiName +// location: location +// } +// dependsOn: [ +// serviceKeyVault +// ] +// } // // K E Y V A U L T S @@ -320,7 +320,7 @@ module cs '../modules/cluster-service.bicep' = if (deployCsInfra) { clusterServiceManagedIdentityName: clusterServiceMIName } dependsOn: [ - maestroServer + // maestroServer svcCluster ] } 
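Review bot: The maestro server module is commented out rather than gated, leaving roughly forty lines of dead Bicep and a `dependsOn: [ // maestroServer ... ]` list that will silently drift as the module's parameters change; the template already uses `deployMaestroPostgres`/`deployCsInfra` style flags, so `param deployMaestro bool = false` and `module maestroServer '../modules/maestro/maestro-server.bicep' = if (deployMaestro) {` would keep it compiling and re-enableable from config. With this module and the OIDC module both disabled, `aroDevopsMsiId` may no longer be referenced anywhere in the template, which Bicep will flag as an unused parameter; more importantly the identity that config.msft.yaml now pins no longer receives the Key Vault officer grant here, and that should be stated in the commit message so nobody assumes the grant exists. The `cs` module whose `dependsOn` is edited starts outside this hunk.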
@@ -371,60 +371,60 @@ module imageServiceKeyVaultAccess '../modules/keyvault/keyvault-secret-access.bi ] } -resource imageSyncAcrResourceGroups 'Microsoft.Resources/resourceGroups@2023-07-01' existing = [ - for rg in imageSyncAcrResourceGroupNames: { - name: rg - scope: subscription() - } -] - -module acrPushRole '../modules/acr-permissions.bicep' = [ - for (_, i) in imageSyncAcrResourceGroupNames: { - name: guid(imageSyncAcrResourceGroups[i].id, resourceGroup().name, 'image-sync', 'push') - scope: imageSyncAcrResourceGroups[i] - params: { - principalId: imageSyncManagedIdentityPrincipalId - grantPushAccess: true - acrResourceGroupid: imageSyncAcrResourceGroups[i].id - } - } -] - -resource clustersServiceAcrResourceGroups 'Microsoft.Resources/resourceGroups@2023-07-01' existing = [ - for rg in clustersServiceAcrResourceGroupNames: { - name: rg - scope: subscription() - } -] - -module acrManageTokenRole '../modules/acr-permissions.bicep' = [ - for (_, i) in clustersServiceAcrResourceGroupNames: { - name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'manage-tokens') - scope: clustersServiceAcrResourceGroups[i] - params: { - principalId: csManagedIdentityPrincipalId - grantManageTokenAccess: true - acrResourceGroupid: clustersServiceAcrResourceGroups[i].id - } - } -] - -// oidc - -module oidc '../modules/oidc/main.bicep' = { - name: '${deployment().name}-oidc' - params: { - location: location - storageAccountName: oidcStorageAccountName - rpMsiName: clusterServiceMIName - skuName: oidcStorageAccountSku - aroDevopsMsiId: aroDevopsMsiId - deploymentScriptLocation: location - } - dependsOn: [ - svcCluster - ] -} +// resource imageSyncAcrResourceGroups 'Microsoft.Resources/resourceGroups@2023-07-01' existing = [ +// for rg in imageSyncAcrResourceGroupNames: { +// name: rg +// scope: subscription() +// } +// ] + +// module acrPushRole '../modules/acr-permissions.bicep' = [ +// for (_, i) in imageSyncAcrResourceGroupNames: { +// 
name: guid(imageSyncAcrResourceGroups[i].id, resourceGroup().name, 'image-sync', 'push') +// scope: imageSyncAcrResourceGroups[i] +// params: { +// principalId: imageSyncManagedIdentityPrincipalId +// grantPushAccess: true +// acrResourceGroupid: imageSyncAcrResourceGroups[i].id +// } +// } +// ] + +// resource clustersServiceAcrResourceGroups 'Microsoft.Resources/resourceGroups@2023-07-01' existing = [ +// for rg in clustersServiceAcrResourceGroupNames: { +// name: rg +// scope: subscription() +// } +// ] + +// module acrManageTokenRole '../modules/acr-permissions.bicep' = [ +// for (_, i) in clustersServiceAcrResourceGroupNames: { +// name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'manage-tokens') +// scope: clustersServiceAcrResourceGroups[i] +// params: { +// principalId: csManagedIdentityPrincipalId +// grantManageTokenAccess: true +// acrResourceGroupid: clustersServiceAcrResourceGroups[i].id +// } +// } +// ] + +// // oidc + +// module oidc '../modules/oidc/main.bicep' = { +// name: '${deployment().name}-oidc' +// params: { +// location: location +// storageAccountName: oidcStorageAccountName +// rpMsiName: clusterServiceMIName +// skuName: oidcStorageAccountSku +// aroDevopsMsiId: aroDevopsMsiId +// deploymentScriptLocation: location +// } +// dependsOn: [ +// svcCluster +// ] +// } // // E V E N T G R I D P R I V A T E E N D P O I N T C O N N E C T I O N diff --git a/tooling/templatize/pkg/ev2/mapping.go b/tooling/templatize/pkg/ev2/mapping.go index 8b06532e9..0fe3c3df6 100644 --- a/tooling/templatize/pkg/ev2/mapping.go +++ b/tooling/templatize/pkg/ev2/mapping.go 
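Review bot: Commenting out `acrPushRole`, `acrManageTokenRole` and the `oidc` module stops the template from creating the image-sync push and cluster-service token-management role assignments, but ARM incremental deployments do not remove resources that drop out of a template, so in any environment already rolled out those grants and the OIDC storage account persist unmanaged; if the intent is to revoke them they need explicit removal, and if it is temporary the modules should be gated by a bool parameter instead of commented out. The `guid(...)` names are deterministic, so re-enabling later reconciles the same assignments, but until then `imageSyncManagedIdentityPrincipalId`, `csManagedIdentityPrincipalId`, `oidcStorageAccountName`, `oidcStorageAccountSku` and the two resource-group-name parameters are unreferenced and Bicep will warn on each. A one-line comment at the top of the disabled block stating why and what tracks re-enabling it would help: `// TEMP: role assignments and OIDC disabled pending <reason>; tracked in <item>`.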
@@ -21,7 +21,7 @@ func EV2Mapping(input config.Variables, prefix []string) (map[string]string, map } replaced[key] = replacement } else { - placeholder := fmt.Sprintf("__%s__", strings.ToUpper(strings.Join(nestedKey, "_"))) + placeholder := fmt.Sprintf("__%s__", strings.Join(nestedKey, "_")) output[placeholder] = strings.Join(nestedKey, ".") replaced[key] = placeholder }
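Review bot: Dropping `strings.ToUpper` makes the placeholder case-sensitive and mixed-case (e.g. `__maestro_eventGrid_private__`), which is what the quoted `any('{{ … }}')` values in the bicepparam templates need to line up with config keys, but it is a breaking change for any EV2 artifact that already references the uppercase form, and the hunk gives no hint whether those were updated. The join on `_` still means two config paths that differ only in an embedded underscore (`a_b.c` versus `a.b_c`) yield the same placeholder and the second silently overwrites the first in `output`; if the function has no error return (its signature is cut off in the hunk header), at least document the assumption: `// placeholder is __<path joined by _>__; keys containing '_' can collide`. If the signature allows it, a cheap guard is `if _, dup := output[placeholder]; dup { return ..., fmt.Errorf("placeholder collision: %s", placeholder) }`.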