From 7068e59a79a7596d5583e5e9780def1b5aae8dff Mon Sep 17 00:00:00 2001
From: Jonathan Chang
Date: Wed, 16 Oct 2024 10:22:54 -0700
Subject: [PATCH] move maestro to 3 different templates
---
 .../mvp-maestro-consumer.bicepparam | 9 +++
 .../mvp-maestro-server.bicepparam | 13 +++
 .../mvp-mgmt-cluster.bicepparam | 5 --
 .../configurations/mvp-region.bicepparam | 5 --
 .../configurations/mvp-regional.bicepparam | 5 ++
 .../configurations/mvp-svc-cluster.bicepparam | 9 ---
 .../templates/maestro-consumer.bicep | 61 ++++++++++++++
 .../templates/maestro-regional.bicep | 35 ++++++++
 .../{maestro.bicep => maestro-server.bicep} | 80 +++----------------
 9 files changed, 133 insertions(+), 89 deletions(-)
 create mode 100644 dev-infrastructure/configurations/mvp-maestro-consumer.bicepparam
 create mode 100644 dev-infrastructure/configurations/mvp-maestro-server.bicepparam
 create mode 100644 dev-infrastructure/configurations/mvp-regional.bicepparam
 create mode 100644 dev-infrastructure/templates/maestro-consumer.bicep
 create mode 100644 dev-infrastructure/templates/maestro-regional.bicep
 rename dev-infrastructure/templates/{maestro.bicep => maestro-server.bicep} (60%)
diff --git a/dev-infrastructure/configurations/mvp-maestro-consumer.bicepparam b/dev-infrastructure/configurations/mvp-maestro-consumer.bicepparam
new file mode 100644
index 000000000..349e48755
--- /dev/null
+++ b/dev-infrastructure/configurations/mvp-maestro-consumer.bicepparam
@@ -0,0 +1,9 @@
+using '../templates/maestro-consumer.bicep'
+
+param deployMaestroConsumer = true
+param maestroKeyVaultName = 'maestro-kv-aro-hcp-dev'
+param maestroEventGridNamespacesName = 'maestro-eventgrid-aro-hcp-dev'
+param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-dev.azure.com'
+
+param regionalResourceGroup = ''
+param mgmtResourceGroup = ''
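Review bot: `param regionalResourceGroup = ''` and `param mgmtResourceGroup = ''` at the end of the new mvp-maestro-consumer.bicepparam are empty placeholders with nothing saying who is expected to fill them in, and the consumer template feeds `mgmtResourceGroup` straight into `resourceGroup(mgmtResourceGroup)`, so a deployment run with the file as-is presumably fails at scope resolution rather than at a readable validation error. mvp-region.bicepparam already marks such a value with `// This parameter is always overriden in the Makefile`; adding the same line above these two params, and above `regionalResourceGroup`/`svcResourceGroup` in the new mvp-maestro-server.bicepparam, would make the contract explicit. I am inferring the Makefile override from that existing comment; if these are meant to be supplied some other way, the comment should say that instead.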
diff --git a/dev-infrastructure/configurations/mvp-maestro-server.bicepparam b/dev-infrastructure/configurations/mvp-maestro-server.bicepparam
new file mode 100644
index 000000000..54fd19739
--- /dev/null
+++ b/dev-infrastructure/configurations/mvp-maestro-server.bicepparam
@@ -0,0 +1,13 @@
+using '../templates/maestro-server.bicep'
+
+param maestroKeyVaultName = 'maestro-kv-aro-hcp-dev'
+param maestroEventGridNamespacesName = 'maestro-eventgrid-aro-hcp-dev'
+param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-dev.azure.com'
+param maestroPostgresServerName = 'maestro-pg-aro-hcp-dev'
+param maestroPostgresServerVersion = '15'
+param maestroPostgresServerStorageSizeGB = 32
+param deployMaestroPostgres = false
+param maestroPostgresPrivate = false
+
+param regionalResourceGroup = ''
+param svcResourceGroup = ''
diff --git a/dev-infrastructure/configurations/mvp-mgmt-cluster.bicepparam b/dev-infrastructure/configurations/mvp-mgmt-cluster.bicepparam
index 9de68c279..13470208b 100644
--- a/dev-infrastructure/configurations/mvp-mgmt-cluster.bicepparam
+++ b/dev-infrastructure/configurations/mvp-mgmt-cluster.bicepparam
@@ -15,11 +15,6 @@ param userAgentVMSize = 'Standard_D2s_v3'
 param userAgentPoolAZCount = 3
 param persist = true
-param deployMaestroConsumer = true
-param maestroKeyVaultName = 'maestro-kv-aro-hcp-dev'
-param maestroEventGridNamespacesName = 'maestro-eventgrid-aro-hcp-dev'
-param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-dev.azure.com'
-
 param baseDNSZoneName = 'hcp.osadev.cloud'
 param regionalDNSSubdomain = 'westus3'
diff --git a/dev-infrastructure/configurations/mvp-region.bicepparam b/dev-infrastructure/configurations/mvp-region.bicepparam
index 9d58a7a44..fafa9d8a2 100644
--- a/dev-infrastructure/configurations/mvp-region.bicepparam
+++ b/dev-infrastructure/configurations/mvp-region.bicepparam
@@ -6,10 +6,5 @@ param persist = true
 param baseDNSZoneName = 'hcp.osadev.cloud'
 param baseDNSZoneResourceGroup = 'global'
-// maestro
-param maestroKeyVaultName = 'maestro-kv-aro-hcp-dev'
-param maestroEventGridNamespacesName = 'maestro-eventgrid-aro-hcp-dev'
-param maestroEventGridMaxClientSessionsPerAuthName = 4
-
 // This parameter is always overriden in the Makefile
 param currentUserId = ''
diff --git a/dev-infrastructure/configurations/mvp-regional.bicepparam b/dev-infrastructure/configurations/mvp-regional.bicepparam
new file mode 100644
index 000000000..65454486a
--- /dev/null
+++ b/dev-infrastructure/configurations/mvp-regional.bicepparam
@@ -0,0 +1,5 @@
+using '../templates/maestro-regional.bicep'
+
+param maestroKeyVaultName = 'maestro-kv-aro-hcp-dev'
+param maestroEventGridNamespacesName = 'maestro-eventgrid-aro-hcp-dev'
+param maestroEventGridMaxClientSessionsPerAuthName = 4
diff --git a/dev-infrastructure/configurations/mvp-svc-cluster.bicepparam b/dev-infrastructure/configurations/mvp-svc-cluster.bicepparam
index 1874b20d5..6c4e9147f 100644
--- a/dev-infrastructure/configurations/mvp-svc-cluster.bicepparam
+++ b/dev-infrastructure/configurations/mvp-svc-cluster.bicepparam
@@ -11,15 +11,6 @@ param aksKeyVaultName = 'aks-kv-aro-hcp-dev-sc'
 param disableLocalAuth = false
 param deployFrontendCosmos = true
-param maestroKeyVaultName = 'maestro-kv-aro-hcp-dev'
-param maestroEventGridNamespacesName = 'maestro-eventgrid-aro-hcp-dev'
-param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-dev.azure.com'
-param maestroPostgresServerName = 'maestro-pg-aro-hcp-dev'
-param maestroPostgresServerVersion = '15'
-param maestroPostgresServerStorageSizeGB = 32
-param deployMaestroPostgres = false
-param maestroPostgresPrivate = false
-
 param deployCsInfra = false
 param csPostgresServerName = 'cs-pg-aro-hcp-dev'
 param clusterServicePostgresPrivate = false
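Review bot: The new parameter file is named mvp-regional.bicepparam while its two siblings created in this commit are mvp-maestro-consumer.bicepparam and mvp-maestro-server.bicepparam, and the same directory already holds mvp-region.bicepparam (edited in the hunk just above), so two near-identical names now sit side by side and point at unrelated templates. Renaming it `mvp-maestro-regional.bicepparam` would match the other two and the `maestro-regional.bicep` template it targets; the existing Makefile comment in mvp-region.bicepparam suggests these files are selected by name, so the distinction is worth keeping obvious. This is a naming point only; the three values are carried over from mvp-region.bicepparam unchanged.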
diff --git a/dev-infrastructure/templates/maestro-consumer.bicep b/dev-infrastructure/templates/maestro-consumer.bicep
new file mode 100644
index 000000000..60f36e229
--- /dev/null
+++ b/dev-infrastructure/templates/maestro-consumer.bicep
@@ -0,0 +1,61 @@
+@description('Azure Region Location')
+param location string = resourceGroup().location
+
+@description('The resourcegroup for regional infrastructure')
+param regionalResourceGroup string
+
+
+@description('The resourcegroup for regional infrastructure')
+param mgmtResourceGroup string
+
+@description('The domain to use to use for the maestro certificate. Relevant only for environments where OneCert can be used.')
+param maestroCertDomain string
+
+
+@description('Deploys a Maestro Consumer to the management cluster if set to true.')
+param deployMaestroConsumer bool
+
+@description('The name of the eventgrid namespace for Maestro.')
+param maestroEventGridNamespacesName string
+
+@description('The name of the keyvault for Maestro Eventgrid namespace certificates.')
+@maxLength(24)
+param maestroKeyVaultName string
+
+@description('The name of the managed identity that will manage certificates in maestros keyvault.')
+param maestroKeyVaultCertOfficerMSIName string = '${maestroKeyVaultName}-cert-officer-msi'
+
+//
+// M A E S T R O C O N S U M E R
+//
+
+
+var mgmtWorkloadIdentities = items({
+ maestro_wi: {
+ uamiName: 'maestro-consumer'
+ namespace: 'maestro'
+ serviceAccountName: 'maestro'
+ }
+})
+
+resource mgmtUami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing= [
+ for wi in mgmtWorkloadIdentities: {
+ name: wi.value.uamiName
+ scope: resourceGroup(mgmtResourceGroup)
+ }
+]
+func isValidMaestroConsumerName(input string) bool => length(input) <= 90 && contains(input, '[^a-zA-Z0-9_-]') == false
+
+module maestroConsumer '../modules/maestro/maestro-consumer.bicep' = if (deployMaestroConsumer) {
+ name: 'maestro-consumer'
+ params: {
+ maestroServerManagedIdentityPrincipalId: mgmtUami[0].properties.principalId
+ maestroInfraResourceGroup: regionalResourceGroup
+ maestroConsumerName: isValidMaestroConsumerName(resourceGroup().name) ?
mgmtResourceGroup : ''
+ maestroEventGridNamespaceName: maestroEventGridNamespacesName
+ maestroKeyVaultName: maestroKeyVaultName
+ maestroKeyVaultOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName
+ maestroKeyVaultCertificateDomain: maestroCertDomain
+ location: location
+ }
+}
diff --git a/dev-infrastructure/templates/maestro-regional.bicep b/dev-infrastructure/templates/maestro-regional.bicep
new file mode 100644
index 000000000..ea0e43ebc
--- /dev/null
+++ b/dev-infrastructure/templates/maestro-regional.bicep
@@ -0,0 +1,35 @@
+@description('Azure Region Location')
+param location string = resourceGroup().location
+
+
+@description('The name of the eventgrid namespace for Maestro.')
+param maestroEventGridNamespacesName string
+
+@description('The maximum client sessions per authentication name for the EventGrid MQTT broker')
+param maestroEventGridMaxClientSessionsPerAuthName int
+
+@description('The name of the keyvault for Maestro Eventgrid namespace certificates.')
+@maxLength(24)
+param maestroKeyVaultName string
+
+@description('The name of the managed identity that will manage certificates in maestros keyvault.')
+param maestroKeyVaultCertOfficerMSIName string = '${maestroKeyVaultName}-cert-officer-msi'
+
+//
+// M A E S T R O R E G I O N A L
+//
+
+module maestroInfra '../modules/maestro/maestro-infra.bicep' = {
+ name: 'maestro-infra'
+ params: {
+ eventGridNamespaceName: maestroEventGridNamespacesName
+ location: location
+ maxClientSessionsPerAuthName: maestroEventGridMaxClientSessionsPerAuthName
+ maestroKeyVaultName: maestroKeyVaultName
+ kvCertOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName
+ }
+}
+
+
+
+
diff --git a/dev-infrastructure/templates/maestro.bicep b/dev-infrastructure/templates/maestro-server.bicep
similarity index 60%
rename from dev-infrastructure/templates/maestro.bicep
rename to dev-infrastructure/templates/maestro-server.bicep
index 2ce3e8a6b..b24e4af50 100644
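Review bot: `isValidMaestroConsumerName` in the new maestro-consumer.bicep does not do what its name promises: Bicep's `contains()` on a string is a plain substring test, not a regex match, so `contains(input, '[^a-zA-Z0-9_-]') == false` holds for any name that does not literally contain that bracketed text, and the function reduces to `length(input) <= 90`. The call site also validates `resourceGroup().name` but then passes `mgmtResourceGroup`, a different value, as `maestroConsumerName`, so the name handed to the module is never the one that was checked. The code is moved verbatim from maestro.bicep (see the last hunk), but this is the place to fix it now: validate the value actually passed, `maestroConsumerName: isValidMaestroConsumerName(mgmtResourceGroup) ? mgmtResourceGroup : ''`, and either drop the character clause or replace it with a check that really inspects characters, since the module apparently relies on this name being safe to use as an identifier. Separately, `mgmtResourceGroup` carries the copy-pasted description `'The resourcegroup for regional infrastructure'`; `@description('The resourcegroup for the management cluster')` would match its use in `resourceGroup(mgmtResourceGroup)`.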
--- a/dev-infrastructure/templates/maestro.bicep
+++ b/dev-infrastructure/templates/maestro-server.bicep
@@ -1,27 +1,11 @@
 @description('Azure Region Location')
 param location string = resourceGroup().location
-@description('The resourcegroup for regional infrastructure')
-param regionalResourceGroup string
-
 @description('The resourcegroup for regional infrastructure')
 param svcResourceGroup string
 @description('The resourcegroup for regional infrastructure')
-param mgmtResourceGroup string
-
-@description('The domain to use to use for the maestro certificate. Relevant only for environments where OneCert can be used.')
-param maestroCertDomain string
-
-@description('The name of the eventgrid namespace for Maestro.')
-param maestroEventGridNamespacesName string
-
-@description('The maximum client sessions per authentication name for the EventGrid MQTT broker')
-param maestroEventGridMaxClientSessionsPerAuthName int
-
-@description('The name of the keyvault for Maestro Eventgrid namespace certificates.')
-@maxLength(24)
-param maestroKeyVaultName string
+param regionalResourceGroup string
 @description('Deploy ARO HCP Maestro Postgres if true')
 param deployMaestroPostgres bool = true
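Review bot: After this hunk the server template's first two resource-group params, `svcResourceGroup` and the moved `regionalResourceGroup`, both carry `@description('The resourcegroup for regional infrastructure')`, so the `regionalResourceGroup` param has been slotted under the description that used to belong to `mgmtResourceGroup` while `svcResourceGroup` keeps a description that was already wrong. The `svcResourceGroup` line is unchanged context, but the commit is re-homing exactly these params, so this is the moment to give it `@description('The resourcegroup for the service cluster')` and keep the two distinguishable to whoever fills in the bicepparam file. The remaining params of this template are in the next hunk.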
@@ -40,27 +24,18 @@ param maestroPostgresServerStorageSizeGB int
 @description('If true, make the Maestro Postgres instance private')
 param maestroPostgresPrivate bool = true
-@description('The name of the managed identity that will manage certificates in maestros keyvault.')
-param maestroKeyVaultCertOfficerMSIName string = '${maestroKeyVaultName}-cert-officer-msi'
-
-@description('Deploys a Maestro Consumer to the management cluster if set to true.')
-param deployMaestroConsumer bool
+@description('The name of the eventgrid namespace for Maestro.')
+param maestroEventGridNamespacesName string
+@description('The name of the keyvault for Maestro Eventgrid namespace certificates.')
+@maxLength(24)
+param maestroKeyVaultName string
-//
-// M A E S T R O R E G I O N A L
-//
+@description('The name of the managed identity that will manage certificates in maestros keyvault.')
+param maestroKeyVaultCertOfficerMSIName string = '${maestroKeyVaultName}-cert-officer-msi'
-module maestroInfra '../modules/maestro/maestro-infra.bicep' = {
- name: 'maestro-infra'
- params: {
- eventGridNamespaceName: maestroEventGridNamespacesName
- location: location
- maxClientSessionsPerAuthName: maestroEventGridMaxClientSessionsPerAuthName
- maestroKeyVaultName: maestroKeyVaultName
- kvCertOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName
- }
-}
+@description('The domain to use to use for the maestro certificate. Relevant only for environments where OneCert can be used.')
+param maestroCertDomain string
 //
 // M A E S T R O S E R V E R
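Review bot: `param maestroKeyVaultCertOfficerMSIName string = '${maestroKeyVaultName}-cert-officer-msi'` is now declared in three separate templates (this one, maestro-consumer.bicep and maestro-regional.bicep) with no single source of truth, and none of the new bicepparam files sets it, so every deployment relies on the three defaults staying byte-identical. If one copy drifts, the server or consumer will reference a differently named identity than the regional deployment provisions, and the Key Vault certificate access it is supposed to carry would be granted to, or missing from, the wrong principal; nothing in a successful deployment status would show that. A comment on each copy, `// Must match maestroKeyVaultCertOfficerMSIName in maestro-regional.bicep; the identity is created there`, or a single value passed to all three from the param files, would pin the contract. I am inferring that maestro-regional.bicep is the one that creates the identity from the `kvCertOfficerManagedIdentityName` it passes to maestro-infra.bicep; that module is not in the diff.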
@@ -112,38 +87,3 @@ module maestroServer '../modules/maestro/maestro-server.bicep' = {
 location: location
 }
 }
-
-//
-// M A E S T R O C O N S U M E R
-//
-
-
-var mgmtWorkloadIdentities = items({
- maestro_wi: {
- uamiName: 'maestro-consumer'
- namespace: 'maestro'
- serviceAccountName: 'maestro'
- }
-})
-
-resource mgmtUami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing= [
- for wi in mgmtWorkloadIdentities: {
- name: wi.value.uamiName
- scope: resourceGroup(mgmtResourceGroup)
- }
-]
-func isValidMaestroConsumerName(input string) bool => length(input) <= 90 && contains(input, '[^a-zA-Z0-9_-]') == false
-
-module maestroConsumer '../modules/maestro/maestro-consumer.bicep' = if (deployMaestroConsumer) {
- name: 'maestro-consumer'
- params: {
- maestroServerManagedIdentityPrincipalId: mgmtUami[0].properties.principalId
- maestroInfraResourceGroup: regionalResourceGroup
- maestroConsumerName: isValidMaestroConsumerName(resourceGroup().name) ? mgmtResourceGroup : ''
- maestroEventGridNamespaceName: maestroEventGridNamespacesName
- maestroKeyVaultName: maestroKeyVaultName
- maestroKeyVaultOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName
- maestroKeyVaultCertificateDomain: maestroCertDomain
- location: location
- }
-}