Azure · jonathan34c · Oct 14, 2024 · Oct 16, 2024 · Oct 16, 2024 · Oct 16, 2024
@@ -17,11 +17,6 @@ param aksUserOsDiskSizeGB = 100
 param userAgentPoolAZCount = 3
 param persist = true
 
-param deployMaestroConsumer = true
-param maestroKeyVaultName = 'maestro-kv-cs-integ'
-param maestroEventGridNamespacesName = 'maestro-eventgrid-cs-integ'
-param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-dev.azure.com'
-
 param baseDNSZoneName = 'hcp.osadev.cloud'
 param regionalDNSSubdomain = 'westus3-cs'
 

@@ -7,10 +7,5 @@ param baseDNSZoneName = 'hcp.osadev.cloud'
 param regionalDNSSubdomain = 'westus3-cs'
 param baseDNSZoneResourceGroup = 'global'
 
-// maestro
-param maestroKeyVaultName = 'maestro-kv-cs-integ'
-param maestroEventGridNamespacesName = 'maestro-eventgrid-cs-integ'
-param maestroEventGridMaxClientSessionsPerAuthName = 4
-
 // This parameter is always overriden in the Makefile
 param currentUserId = ''
@@ -11,15 +11,6 @@ param aksKeyVaultName = 'aks-kv-cs-integ-sc'
 param disableLocalAuth = false
 param deployFrontendCosmos = true
 
-param maestroKeyVaultName = 'maestro-kv-cs-integ'
-param maestroEventGridNamespacesName = 'maestro-eventgrid-cs-integ'
-param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-dev.azure.com'
-param maestroPostgresServerName = 'maestro-pg-cs-integ'
-param maestroPostgresServerVersion = '15'
-param maestroPostgresServerStorageSizeGB = 32
-param deployMaestroPostgres = false
-param maestroPostgresPrivate = false
-
 param deployCsInfra = false
 param csPostgresServerName = 'cs-pg-cs-integ'
 param clusterServicePostgresPrivate = false

@@ -18,11 +18,6 @@ param aksUserOsDiskSizeGB = 100
 param userAgentPoolAZCount = 3
 param persist = false
 
-param deployMaestroConsumer = true
-param maestroKeyVaultName = take('maestro-kv-${uniqueString(currentUserId)}', 24)
-param maestroEventGridNamespacesName = take('maestro-eg-${uniqueString(currentUserId)}', 24)
-param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-int.azure.com'
-
 param baseDNSZoneName = 'hcp.osadev.cloud'
 
 param acrPullResourceGroups = ['global']

@@ -0,0 +1,9 @@
+using '../templates/maestro-consumer.bicep'
+
+param deployMaestroConsumer = true
+param maestroKeyVaultName = 'maestro-kv-aro-hcp-dev'
+param maestroEventGridNamespacesName = 'maestro-eventgrid-aro-hcp-dev'
+param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-dev.azure.com'
+
+param regionalResourceGroup = ''
+param mgmtResourceGroup = ''
@@ -0,0 +1,13 @@
+using '../templates/maestro-server.bicep'
+
+param maestroKeyVaultName = 'maestro-kv-aro-hcp-dev'
+param maestroEventGridNamespacesName = 'maestro-eventgrid-aro-hcp-dev'
+param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-dev.azure.com'
+param maestroPostgresServerName = 'maestro-pg-aro-hcp-dev'
+param maestroPostgresServerVersion = '15'
+param maestroPostgresServerStorageSizeGB = 32
+param deployMaestroPostgres = false
+param maestroPostgresPrivate = false
+
+param regionalResourceGroup = ''
+param svcResourceGroup = ''
@@ -17,11 +17,6 @@ param aksUserOsDiskSizeGB = 100
 param userAgentPoolAZCount = 3
 param persist = true
 
-param deployMaestroConsumer = true
-param maestroKeyVaultName = 'maestro-kv-aro-hcp-dev'
-param maestroEventGridNamespacesName = 'maestro-eventgrid-aro-hcp-dev'
-param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-dev.azure.com'
-
 param baseDNSZoneName = 'hcp.osadev.cloud'
 param regionalDNSSubdomain = 'westus3'
 

@@ -6,10 +6,5 @@ param persist = true
 param baseDNSZoneName = 'hcp.osadev.cloud'
 param baseDNSZoneResourceGroup = 'global'
 
-// maestro
-param maestroKeyVaultName = 'maestro-kv-aro-hcp-dev'
-param maestroEventGridNamespacesName = 'maestro-eventgrid-aro-hcp-dev'
-param maestroEventGridMaxClientSessionsPerAuthName = 4
-
 // This parameter is always overriden in the Makefile
 param currentUserId = ''
@@ -0,0 +1,5 @@
+using '../templates/maestro-regional.bicep'
+
+param maestroKeyVaultName = 'maestro-kv-aro-hcp-dev'
+param maestroEventGridNamespacesName = 'maestro-eventgrid-aro-hcp-dev'
+param maestroEventGridMaxClientSessionsPerAuthName = 4
@@ -11,15 +11,6 @@ param aksKeyVaultName = 'aks-kv-aro-hcp-dev-sc'
 param disableLocalAuth = false
 param deployFrontendCosmos = true
 
-param maestroKeyVaultName = 'maestro-kv-aro-hcp-dev'
-param maestroEventGridNamespacesName = 'maestro-eventgrid-aro-hcp-dev'
-param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-dev.azure.com'
-param maestroPostgresServerName = 'maestro-pg-aro-hcp-dev'
-param maestroPostgresServerVersion = '15'
-param maestroPostgresServerStorageSizeGB = 32
-param deployMaestroPostgres = false
-param maestroPostgresPrivate = false
-
 param deployCsInfra = false
 param csPostgresServerName = 'cs-pg-aro-hcp-dev'
 param clusterServicePostgresPrivate = false

@@ -4,10 +4,5 @@ using '../templates/region.bicep'
 param baseDNSZoneName = 'hcp.osadev.cloud'
 param baseDNSZoneResourceGroup = 'global'
 
-// maestro
-param maestroKeyVaultName = take('maestro-kv-${uniqueString(currentUserId)}', 24)
-param maestroEventGridNamespacesName = take('maestro-eg-${uniqueString(currentUserId)}', 24)
-param maestroEventGridMaxClientSessionsPerAuthName = 4
-
 // These parameters are always overriden in the Makefile
 param currentUserId = ''
@@ -12,15 +12,6 @@ param aksEtcdKVEnableSoftDelete = false
 param disableLocalAuth = false
 param deployFrontendCosmos = false
 
-param maestroKeyVaultName = take('maestro-kv-${uniqueString(currentUserId)}', 24)
-param maestroEventGridNamespacesName = take('maestro-eg-${uniqueString(currentUserId)}', 24)
-param maestroCertDomain = 'selfsigned.maestro.keyvault.aro-int.azure.com'
-param maestroPostgresServerName = take('maestro-pg-${uniqueString(currentUserId)}', 60)
-param maestroPostgresServerVersion = '15'
-param maestroPostgresServerStorageSizeGB = 32
-param deployMaestroPostgres = false
-param maestroPostgresPrivate = false
-
 param deployCsInfra = false
 param csPostgresServerName = take('cs-pg-${uniqueString(currentUserId)}', 60)
 param clusterServicePostgresPrivate = false

@@ -0,0 +1,60 @@
+@description('Azure Region Location')
+param location string = resourceGroup().location
+
+@description('The resourcegroup for regional infrastructure')
+param regionalResourceGroup string
+
+
+@description('The resourcegroup for regional infrastructure')
+param mgmtResourceGroup string
+
+@description('The domain to use to use for the maestro certificate. Relevant only for environments where OneCert can be used.')
+param maestroCertDomain string
+
+
+@description('Deploys a Maestro Consumer to the management cluster if set to true.')
+param deployMaestroConsumer bool
+
+@description('The name of the eventgrid namespace for Maestro.')
+param maestroEventGridNamespacesName string
+
+@description('The name of the keyvault for Maestro Eventgrid namespace certificates.')
+@maxLength(24)
+param maestroKeyVaultName string
+
+@description('The name of the managed identity that will manage certificates in maestros keyvault.')
+param maestroKeyVaultCertOfficerMSIName string = '${maestroKeyVaultName}-cert-officer-msi'
+
+//
+//   M A E S T R O  C O N S U M E R
+//
+
+
+var mgmtWorkloadIdentities = items({
+  maestro_wi: {
+    uamiName: 'maestro-consumer'
+    namespace: 'maestro'
+    serviceAccountName: 'maestro'
+  }
+})
+
+resource mgmtUami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing= [
+  for wi in mgmtWorkloadIdentities: {
+    name: wi.value.uamiName
+    scope: resourceGroup(mgmtResourceGroup)
+  }
+]
+
+module maestroConsumer '../modules/maestro/maestro-consumer.bicep' = if (deployMaestroConsumer) {
+  name: 'maestro-consumer'
+  params: {
+    maestroServerManagedIdentityPrincipalId: mgmtUami[0].properties.principalId
+    maestroInfraResourceGroup: regionalResourceGroup
+    maestroConsumerName: mgmtResourceGroup
+    maestroEventGridNamespaceName: maestroEventGridNamespacesName
+    maestroKeyVaultName: maestroKeyVaultName
+    maestroKeyVaultOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName
+    maestroKeyVaultCertificateDomain: maestroCertDomain
+    location: location
+  }
+}
@@ -0,0 +1,35 @@
+@description('Azure Region Location')
+param location string = resourceGroup().location
+
+
+@description('The name of the eventgrid namespace for Maestro.')
+param maestroEventGridNamespacesName string
+
+@description('The maximum client sessions per authentication name for the EventGrid MQTT broker')
+param maestroEventGridMaxClientSessionsPerAuthName int
+
+@description('The name of the keyvault for Maestro Eventgrid namespace certificates.')
+@maxLength(24)
+param maestroKeyVaultName string
+
+@description('The name of the managed identity that will manage certificates in maestros keyvault.')
+param maestroKeyVaultCertOfficerMSIName string = '${maestroKeyVaultName}-cert-officer-msi'
+
+//
+// M A E S T R O  R E G I O N A L
+//
+
+module maestroInfra '../modules/maestro/maestro-infra.bicep' = {
+  name: 'maestro-infra'
+  params: {
+    eventGridNamespaceName: maestroEventGridNamespacesName
+    location: location
+    maxClientSessionsPerAuthName: maestroEventGridMaxClientSessionsPerAuthName
+    maestroKeyVaultName: maestroKeyVaultName
+    kvCertOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName
+  }
+}
+
+
+
+
@@ -0,0 +1,89 @@
+@description('Azure Region Location')
+param location string = resourceGroup().location
+
+@description('The resourcegroup for regional infrastructure')
+param svcResourceGroup string
+
+@description('The resourcegroup for regional infrastructure')
+param regionalResourceGroup string
+
+@description('Deploy ARO HCP Maestro Postgres if true')
+param deployMaestroPostgres bool = true
+
+@description('The name of the Postgres server for Maestro')
+@maxLength(60)
+param maestroPostgresServerName string
+
+@description('The version of the Postgres server for Maestro')
+param maestroPostgresServerVersion string
+
+
+@description('The size of the Postgres server for Maestro')
+param maestroPostgresServerStorageSizeGB int
+
+@description('If true, make the Maestro Postgres instance private')
+param maestroPostgresPrivate bool = true
+
+@description('The name of the eventgrid namespace for Maestro.')
+param maestroEventGridNamespacesName string
+
+@description('The name of the keyvault for Maestro Eventgrid namespace certificates.')
+@maxLength(24)
+param maestroKeyVaultName string
+
+@description('The name of the managed identity that will manage certificates in maestros keyvault.')
+param maestroKeyVaultCertOfficerMSIName string = '${maestroKeyVaultName}-cert-officer-msi'
+
+@description('The domain to use to use for the maestro certificate. Relevant only for environments where OneCert can be used.')
+param maestroCertDomain string
+
+//
+//   M A E S T R O  S E R V E R
+//
+
+resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' existing= {
+  name: 'aks-net'
+  scope: resourceGroup()
+}
+
+resource aksNodeSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' existing= {
+  parent: vnet
+  name: 'ClusterSubnet-001'
+}
+
+var svcWorkloadIdentities = items({
+  maestro_wi: {
+    uamiName: 'maestro-server'
+    namespace: 'maestro'
+    serviceAccountName: 'maestro'
+  }
+})
+
+resource svcUami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing= [
+  for wi in svcWorkloadIdentities: {
+    name: wi.value.uamiName
+    scope: resourceGroup(svcResourceGroup)
+  }
+]
+
+module maestroServer '../modules/maestro/maestro-server.bicep' = {
+  name: 'maestro-server'
+  scope: resourceGroup(svcResourceGroup)
+  params: {
+    maestroInfraResourceGroup: regionalResourceGroup
+    maestroEventGridNamespaceName: maestroEventGridNamespacesName
+    maestroKeyVaultName: maestroKeyVaultName
+    maestroKeyVaultOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName
+    maestroKeyVaultCertificateDomain: maestroCertDomain
+    deployPostgres: deployMaestroPostgres
+    postgresServerName: maestroPostgresServerName
+    postgresServerVersion: maestroPostgresServerVersion
+    postgresServerStorageSizeGB: maestroPostgresServerStorageSizeGB
+    privateEndpointSubnetId: aksNodeSubnet.id
+    privateEndpointVnetId: vnet.id
+    postgresServerPrivate: maestroPostgresPrivate
+    maestroServerManagedIdentityPrincipalId: svcUami[0].properties.principalId
+    maestroServerManagedIdentityName: 'maestro-server'
+    location: location
+  }
+}
@@ -62,22 +62,6 @@ param aksKeyVaultName string
 @description('Manage soft delete setting for AKS etcd key-value store')
 param aksEtcdKVEnableSoftDelete bool = true
 
-@description('Deploys a Maestro Consumer to the management cluster if set to true.')
-param deployMaestroConsumer bool
-
-@description('The domain to use to use for the maestro certificate. Relevant only for environments where OneCert can be used.')
-param maestroCertDomain string
-
-@description('The name of the keyvault for Maestro Eventgrid namespace certificates.')
-@maxLength(24)
-param maestroKeyVaultName string
-
-@description('The name of the managed identity that will manage certificates in maestros keyvault.')
-param maestroKeyVaultCertOfficerMSIName string = '${maestroKeyVaultName}-cert-officer-msi'
-
-@description('The name of the eventgrid namespace for Maestro.')
-param maestroEventGridNamespacesName string
-
 @description('This is a global DNS zone name that will be the parent of regional DNS zones to host ARO HCP customer cluster DNS records')
 param baseDNSZoneName string = ''
 
@@ -146,27 +130,6 @@ module mgmtCluster '../modules/aks-cluster-base.bicep' = {
 
 output aksClusterName string = mgmtCluster.outputs.aksClusterName
 
-//
-//   M A E S T R O
-//
-
-module maestroConsumer '../modules/maestro/maestro-consumer.bicep' = if (deployMaestroConsumer) {
-  name: 'maestro-consumer'
-  params: {
-    maestroServerManagedIdentityPrincipalId: filter(
-      mgmtCluster.outputs.userAssignedIdentities,
-      id => id.uamiName == 'maestro-consumer'
-    )[0].uamiPrincipalID
-    maestroInfraResourceGroup: regionalResourceGroup
-    maestroConsumerName: isValidMaestroConsumerName(resourceGroup().name) ? resourceGroup().name : ''
-    maestroEventGridNamespaceName: maestroEventGridNamespacesName
-    maestroKeyVaultName: maestroKeyVaultName
-    maestroKeyVaultOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName
-    maestroKeyVaultCertificateDomain: maestroCertDomain
-    location: location
-  }
-}
-
 //
 //  E X T E R N A L   D N S
 //