Revert "Add global keyvault (Azure#654)" (Azure#657)

This reverts commit 2826c88.
ahitacat · Sep 26, 2024 · 6ca2a26 · 6ca2a26
1 parent 2826c88
commit 6ca2a26
Show file tree

Hide file tree

Showing 10 changed files with 79 additions and 106 deletions.
diff --git a/cluster-service/Makefile b/cluster-service/Makefile
@@ -5,7 +5,7 @@ CONFIG_PROFILE ?= dev
 include ../dev-infrastructure/configurations/$(CONFIG_PROFILE).mk
 
 CONSUMER_NAME ?= $(shell az aks list --query "[?tags.clusterType == 'mgmt-cluster' && starts_with(resourceGroup, '$(REGIONAL_RESOURCEGROUP)')].resourceGroup" -o tsv)
-KEYVAULT_NAME ?= $(shell az keyvault list --query "[?starts_with(name, 'service-kv')].name" -g ${SVC_KV_RESOURCEGROUP} --output tsv)
+KEYVAULT_NAME ?= $(shell az keyvault list --query "[?starts_with(name, 'service-kv')].name" -g ${RESOURCEGROUP} --output tsv)
 FPA_CERT_NAME ?= firstPartyMock
 AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID ?= "ccf5339c-61d1-402f-9c9b-d463670191f9"
 

diff --git a/dev-infrastructure/configurations/cs-integ-svc-cluster.bicepparam b/dev-infrastructure/configurations/cs-integ-svc-cluster.bicepparam
@@ -24,8 +24,7 @@ param deployCsInfra = false
 param csPostgresServerName = 'cs-pg-cs-integ'
 param clusterServicePostgresPrivate = false
 
-param serviceKeyVaultName = 'aro-hcp-dev-svc-kv'
-param serviceKeyVaultResourceGroup = 'global'
+param serviceKeyVaultName = 'service-kv-cs-integ'
 param serviceKeyVaultSoftDelete = true
 param serviceKeyVaultPrivate = false
 

diff --git a/dev-infrastructure/configurations/cs-integ.mk b/dev-infrastructure/configurations/cs-integ.mk
@@ -1,6 +1,6 @@
 REGION ?= westus3
 RESOURCEGROUP ?= cs-integ-$(USER)-$(REGION)-$(AKSCONFIG)
 REGIONAL_RESOURCEGROUP ?= cs-integ-$(USER)-$(REGION)
-SVC_KV_RESOURCEGROUP ?= global
 ARO_HCP_IMAGE_ACR ?= arohcpdev
 REGIONAL_ACR_NAME ?= arohcpdev$(shell echo $(CURRENTUSER) | sha256sum  | head -c 24)
+
diff --git a/dev-infrastructure/configurations/dev.mk b/dev-infrastructure/configurations/dev.mk
@@ -1,7 +1,6 @@
 REGION ?= westus3
 RESOURCEGROUP ?= aro-hcp-$(USER)-$(REGION)-$(AKSCONFIG)
 REGIONAL_RESOURCEGROUP ?= aro-hcp-$(USER)-$(REGION)
-SVC_KV_RESOURCEGROUP ?= global
 GLOBAL_RESOURCEGROUP ?= global
 ARO_HCP_IMAGE_ACR ?= arohcpdev
 REGIONAL_ACR_NAME ?= arohcpdev$(shell echo $(CURRENTUSER) | sha256sum  | head -c 24)

diff --git a/dev-infrastructure/configurations/mvp-svc-cluster.bicepparam b/dev-infrastructure/configurations/mvp-svc-cluster.bicepparam
@@ -24,8 +24,7 @@ param deployCsInfra = false
 param csPostgresServerName = 'cs-pg-aro-hcp-dev'
 param clusterServicePostgresPrivate = false
 
-param serviceKeyVaultName = 'aro-hcp-dev-svc-kv'
-param serviceKeyVaultResourceGroup = 'global'
+param serviceKeyVaultName = 'service-kv-aro-hcp-dev'
 param serviceKeyVaultSoftDelete = true
 param serviceKeyVaultPrivate = false
 

diff --git a/dev-infrastructure/configurations/svc-cluster.bicepparam b/dev-infrastructure/configurations/svc-cluster.bicepparam
@@ -25,8 +25,7 @@ param deployCsInfra = false
 param csPostgresServerName = take('cs-pg-${uniqueString(currentUserId)}', 60)
 param clusterServicePostgresPrivate = false
 
-param serviceKeyVaultName = 'aro-hcp-dev-svc-kv'
-param serviceKeyVaultResourceGroup = 'global'
+param serviceKeyVaultName = take('service-kv-${uniqueString(currentUserId)}', 24)
 param serviceKeyVaultSoftDelete = false
 param serviceKeyVaultPrivate = false
 

diff --git a/dev-infrastructure/modules/aks-cluster-base.bicep b/dev-infrastructure/modules/aks-cluster-base.bicep
@@ -70,6 +70,8 @@ module aks_keyvault_builder '../modules/keyvault/keyvault.bicep' = {
     // todo: change for higher environments
     private: false
     enableSoftDelete: aksEtcdKVEnableSoftDelete
+    // AKS managed private endpoints on its own when the etcd KV is private
+    managedPrivateEndpoint: false
   }
 }
 

diff --git a/dev-infrastructure/modules/keyvault/keyvault-private-endpoint.bicep b/dev-infrastructure/modules/keyvault/keyvault-private-endpoint.bicep
diff --git a/dev-infrastructure/modules/keyvault/keyvault.bicep b/dev-infrastructure/modules/keyvault/keyvault.bicep
@@ -1,15 +1,19 @@
-@description('Location of the keyvault.')
 param location string
 
-@description('Name of the key vault.')
 param keyVaultName string
 
-@description('Toggle to enable soft delete.')
+param subnetId string = ''
+
+param vnetId string = ''
+
 param enableSoftDelete bool
 
-@description('Toggle to make the keyvault private.')
 param private bool
 
+// Event for some private KVs it makes sense to disable the creation of a private endpoint,
+// e.g. AKS KMS on a private KV will manage their own private endpoint setup in the nodepool RG
+param managedPrivateEndpoint bool = true
+
 resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
   location: location
   name: keyVaultName
@@ -31,6 +35,67 @@ resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
   }
 }
 
-output kvId string = keyVault.id
+//
+//   P R I V A T E   E N D P O I N T
+//
+
+var privateDnsZoneName = 'privatelink.vaultcore.azure.net'
+
+resource keyVaultPrivateEndpoint 'Microsoft.Network/privateEndpoints@2024-01-01' = if (managedPrivateEndpoint) {
+  name: '${keyVaultName}-pe'
+  location: location
+  properties: {
+    privateLinkServiceConnections: [
+      {
+        name: '${keyVaultName}-pe'
+        properties: {
+          groupIds: [
+            'vault'
+          ]
+          privateLinkServiceId: keyVault.id
+        }
+      }
+    ]
+    subnet: {
+      id: subnetId
+    }
+  }
+}
+
+resource keyVaultPrivateEndpointDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = if (managedPrivateEndpoint) {
+  name: privateDnsZoneName
+  location: 'global'
+  properties: {}
+}
+
+resource keyVaultPrivateDnsZoneVnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = if (managedPrivateEndpoint) {
+  parent: keyVaultPrivateEndpointDnsZone
+  name: uniqueString(keyVault.id)
+  location: 'global'
+  properties: {
+    registrationEnabled: false
+    virtualNetwork: {
+      id: vnetId
+    }
+  }
+}
+
+resource privateEndpointDnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-09-01' = if (managedPrivateEndpoint) {
+  parent: keyVaultPrivateEndpoint
+  name: '${keyVaultName}-dns-group'
+  properties: {
+    privateDnsZoneConfigs: [
+      {
+        name: 'config1'
+        properties: {
+          privateDnsZoneId: keyVaultPrivateEndpointDnsZone.id
+        }
+      }
+    ]
+  }
+  dependsOn: [
+    keyVaultPrivateDnsZoneVnetLink
+  ]
+}
 
 output kvName string = keyVault.name
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
@@ -90,9 +90,6 @@ param maestroPostgresServerStorageSizeGB int
 @description('The name of the service keyvault')
 param serviceKeyVaultName string
 
-@description('The name of the resourcegroup for the service keyvault')
-param serviceKeyVaultResourceGroup string = resourceGroup().name
-
 @description('Soft delete setting for service keyvault')
 param serviceKeyVaultSoftDelete bool = true
 
@@ -216,26 +213,18 @@ module maestroServer '../modules/maestro/maestro-server.bicep' = {
 
 module serviceKeyVault '../modules/keyvault/keyvault.bicep' = {
   name: 'service-keyvault'
-  scope: resourceGroup(serviceKeyVaultResourceGroup)
   params: {
     location: location
     keyVaultName: serviceKeyVaultName
     private: serviceKeyVaultPrivate
     enableSoftDelete: serviceKeyVaultSoftDelete
-  }
-}
-
-module serviceKeyVaultPrivateEndpoint '../modules/keyvault/keyvault-private-endpoint.bicep' = {
-  name: 'service-keyvault-pe'
-  params: {
-    location: location
-    keyVaultName: serviceKeyVaultName
     subnetId: svcCluster.outputs.aksNodeSubnetId
     vnetId: svcCluster.outputs.aksVnetId
-    keyVaultId: serviceKeyVault.outputs.kvId
   }
 }
 
+output svcKeyVaultName string = serviceKeyVault.outputs.kvName
+
 //
 //   C L U S T E R   S E R V I C E
 //
@@ -266,7 +255,6 @@ module cs '../modules/cluster-service.bicep' = if (deployCsInfra) {
 
 module csServiceKeyVaultAccess '../modules/keyvault/keyvault-secret-access.bicep' = {
   name: guid(serviceKeyVaultName, 'cs', 'read')
-  scope: resourceGroup(serviceKeyVaultResourceGroup)
   params: {
     keyVaultName: serviceKeyVaultName
     roleName: 'Key Vault Secrets User'
@@ -289,7 +277,6 @@ var imageSyncManagedIdentityPrincipalId = filter(
 
 module imageServiceKeyVaultAccess '../modules/keyvault/keyvault-secret-access.bicep' = {
   name: guid(serviceKeyVaultName, 'imagesync', 'read')
-  scope: resourceGroup(serviceKeyVaultResourceGroup)
   params: {
     keyVaultName: serviceKeyVaultName
     roleName: 'Key Vault Secrets User'