From d42aa88bc64296c42238a1bb58375cfd78d5b2b7 Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Thu, 27 Feb 2025 19:29:00 +0100
Subject: [PATCH] nsg
Signed-off-by: Gerd Oberlechner
---
config/config.msft.yaml | 4 ++
config/config.schema.json | 13 +++++++
config/config.yaml | 4 ++
config/public-cloud-cs-pr.json | 3 ++
config/public-cloud-dev.json | 3 ++
config/public-cloud-msft-int.json | 3 ++
config/public-cloud-personal-dev.json | 3 ++
.../svc-cluster.tmpl.bicepparam | 1 +
.../modules/aks-cluster-base.bicep | 4 ++
.../templates/mgmt-cluster.bicep | 10 +++++
.../templates/svc-cluster.bicep | 39 +++++++++++++++++++
11 files changed, 87 insertions(+)
diff --git a/config/config.msft.yaml b/config/config.msft.yaml
index 5e063b3a8..e43f03550 100644
--- a/config/config.msft.yaml
+++ b/config/config.msft.yaml
@@ -252,6 +252,10 @@ clouds:
 clusterService:
 environment: "arohcpint"
+ # Geneva Actions
+ genevaActions:
+ serviceTag: GenevaActionsNonProd
+
 # OIDC
 oidcStorageAccountName: arohcpoidcint{{ .ctx.regionShort }}
 oidcZoneRedundantMode: Auto
diff --git a/config/config.schema.json b/config/config.schema.json
index 339a92fde..fbcb1132e 100644
--- a/config/config.schema.json
+++ b/config/config.schema.json
@@ -426,6 +426,18 @@
 "cert"
 ]
 },
+ "genevaActions": {
+ "type": "object",
+ "properties": {
+ "serviceTag": {
+ "type": "string"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "serviceTag"
+ ]
+ },
 "global": {
 "type": "object",
 "properties": {
@@ -977,6 +989,7 @@
 "firstPartyAppClientId",
 "firstPartyAppCertName",
 "frontend",
+ "genevaActions",
 "global",
 "hypershift",
 "hypershiftOperator",
diff --git a/config/config.yaml b/config/config.yaml
index 99f617a2e..d5b6617d7 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -25,6 +25,10 @@ defaults:
 logs:
 enableLogAnalytics: false
+ # Geneva Actions
+ genevaActions:
+ serviceTag: GenevaActionsNonProd
+
 # SVC cluster specifics
 svc:
 subscription: ARO Hosted Control Planes (EA Subscription 1)
diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
index 71723f3e5..23acd76af 100644
--- a/config/public-cloud-cs-pr.json
+++ b/config/public-cloud-cs-pr.json
@@ -95,6 +95,9 @@
 "repository": "arohcpfrontend"
 }
 },
+ "genevaActions": {
+ "serviceTag": "GenevaActionsNonProd"
+ },
 "global": {
 "globalMSIName": "global-rollout-identity",
 "region": "westus3",
diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
index 309e62a3f..1618e8759 100644
--- a/config/public-cloud-dev.json
+++ b/config/public-cloud-dev.json
@@ -95,6 +95,9 @@
 "repository": "arohcpfrontend"
 }
 },
+ "genevaActions": {
+ "serviceTag": "GenevaActionsNonProd"
+ },
 "global": {
 "globalMSIName": "global-rollout-identity",
 "region": "westus3",
diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json
index 922cc358d..10dc034f4 100644
--- a/config/public-cloud-msft-int.json
+++ b/config/public-cloud-msft-int.json
@@ -95,6 +95,9 @@
 "repository": "arohcpfrontend"
 }
 },
+ "genevaActions": {
+ "serviceTag": "GenevaActionsNonProd"
+ },
 "global": {
 "globalMSIName": "global-ev2-identity",
 "region": "uksouth",
diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
index 2388a73f4..5c25d093d 100644
--- a/config/public-cloud-personal-dev.json
+++ b/config/public-cloud-personal-dev.json
@@ -95,6 +95,9 @@
 "repository": "arohcpfrontend"
 }
 },
+ "genevaActions": {
+ "serviceTag": "GenevaActionsNonProd"
+ },
 "global": {
 "globalMSIName": "global-rollout-identity",
 "region": "westus3",
diff --git a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
index 8b67a8bd0..3a0a0541d 100644
--- a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
+++ b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
@@ -72,6 +72,7 @@ param regionalResourceGroup = '{{ .regionRG }}'
 param frontendIngressCertName = '{{ .frontend.cert.name }}'
 param frontendIngressCertIssuer = '{{ .frontend.cert.issuer }}'
+param genevaActionsServiceTag = '{{ .genevaActions.serviceTag }}'
 // Azure Monitor Workspace
 param azureMonitoringWorkspaceId = '__azureMonitoringWorkspaceId__'
diff --git a/dev-infrastructure/modules/aks-cluster-base.bicep b/dev-infrastructure/modules/aks-cluster-base.bicep
index 6150c1df5..9930966c8 100644
--- a/dev-infrastructure/modules/aks-cluster-base.bicep
+++ b/dev-infrastructure/modules/aks-cluster-base.bicep
@@ -37,6 +37,7 @@ param subnetPrefix string
 param podSubnetPrefix string
 param clusterType string
 param workloadIdentities array
+param nodeSubnetNSGId string
 @description('Istio Ingress Gateway Public IP Address resource name')
 param istioIngressGatewayIPAddressName string = ''
@@ -192,6 +193,9 @@ resource aksNodeSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' =
 service: 'Microsoft.KeyVault'
 }
 ]
+ networkSecurityGroup: {
+ id: nodeSubnetNSGId
+ }
 }
 }
diff --git a/dev-infrastructure/templates/mgmt-cluster.bicep b/dev-infrastructure/templates/mgmt-cluster.bicep
index db3de6b06..87cfb7d9e 100644
--- a/dev-infrastructure/templates/mgmt-cluster.bicep
+++ b/dev-infrastructure/templates/mgmt-cluster.bicep
@@ -111,6 +111,15 @@ param logsServiceAccount string
 // Log Analytics Workspace ID will be passed from region pipeline if enabled in config
 param logAnalyticsWorkspaceId string = ''
+resource mgmtClusterNSG 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
+ location: location
+ name: 'mgmt-cluster-node-nsg'
+ properties: {
+ securityRules: [
+ ]
+ }
+}
+
 module mgmtCluster '../modules/aks-cluster-base.bicep' = {
 name: 'cluster'
 scope: resourceGroup()
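Review bot: The new `param nodeSubnetNSGId string` in aks-cluster-base.bicep has no `@description`, although the parameter directly below it (istioIngressGatewayIPAddressName) is documented, and because it has no default every template that consumes this module must now pass it. Add `@description('Resource ID of the network security group to associate with the AKS node subnet')` above the declaration so the module's contract is visible to its callers. The commit wires the two templates visible in this patch; any other consumer of the module outside this diff would fail validation until it is updated.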
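Review bot: mgmtClusterNSG is created with an empty securityRules list, so the node subnet's inbound posture becomes whatever the NSG default rules give (AllowVnetInBound and AllowAzureLoadBalancerInBound, then DenyAllInBound), and nothing in the hunk states that this is deliberate rather than unfinished. A comment above the resource, e.g. `// intentionally no custom rules: NSG defaults allow VNet and Azure Load Balancer inbound and deny all other inbound`, would record the intent; the list itself can be written `securityRules: []`. The NSG is attached to the subnet through the nodeSubnetNSGId wiring in a later hunk.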
@@ -124,6 +133,7 @@ module mgmtCluster '../modules/aks-cluster-base.bicep' = {
 deployIstio: false
 kubernetesVersion: kubernetesVersion
 vnetAddressPrefix: vnetAddressPrefix
+ nodeSubnetNSGId: mgmtClusterNSG.id
 subnetPrefix: subnetPrefix
 podSubnetPrefix: podSubnetPrefix
 clusterType: 'mgmt-cluster'
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
index ec0f02108..2cb012151 100644
--- a/dev-infrastructure/templates/svc-cluster.bicep
+++ b/dev-infrastructure/templates/svc-cluster.bicep
@@ -179,6 +179,9 @@ param frontendIngressCertName string
 @description('Frontend Ingress Certificate Issuer')
 param frontendIngressCertIssuer string
+@description('The service tag for Geneva Actions')
+param genevaActionsServiceTag string
+
 @description('The Azure Resource ID of the Azure Monitor Workspace (stores prometheus metrics)')
 param azureMonitoringWorkspaceId string
@@ -209,6 +212,41 @@ resource serviceKeyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing
 scope: resourceGroup(serviceKeyVaultResourceGroup)
 }
+resource svcClusterNSG 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
+ location: location
+ name: 'svc-cluster-node-nsg'
+ properties: {
+ securityRules: [
+ {
+ name: 'rp-in-arm'
+ properties: {
+ access: 'Allow'
+ destinationAddressPrefix: '*'
+ destinationPortRange: '443'
+ direction: 'Inbound'
+ priority: 120
+ protocol: 'Tcp'
+ sourceAddressPrefix: 'AzureResourceManager'
+ sourcePortRange: '*'
+ }
+ }
+ {
+ name: 'admin-in-geneva'
+ properties: {
+ access: 'Allow'
+ destinationAddressPrefix: '*'
+ destinationPortRange: '443'
+ direction: 'Inbound'
+ priority: 130
+ protocol: 'Tcp'
+ sourceAddressPrefix: genevaActionsServiceTag
+ sourcePortRange: '*'
+ }
+ }
+ ]
+ }
+}
+
 module svcCluster '../modules/aks-cluster-base.bicep' = {
 name: 'cluster'
 scope: resourceGroup()
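Review bot: Neither security rule in svcClusterNSG carries a `description`, and the resource has no comment stating the inbound posture it is meant to produce: both rules are Allow-only, so everything else is decided by the NSG default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, then DenyAllInBound). Add `description: 'Allow Azure Resource Manager to reach the RP frontend on 443'` to rp-in-arm and `description: 'Allow Geneva Actions to reach the admin endpoint on 443'` to admin-in-geneva, using the NSG rule's description property. Once this NSG is attached to the node subnet, inbound traffic to the Istio ingress gateway public IP from any source other than ARM, the Geneva Actions tag, the VNet or the Azure load balancer is denied; if any other client is expected to reach the frontend over that IP this will break it, and if exclusivity is the intent a comment above the resource should say so. `destinationAddressPrefix: '*'` is conventional for a subnet-attached NSG but could be narrowed to the node subnet prefix if that value is available in this template.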
@@ -225,6 +263,7 @@ module svcCluster '../modules/aks-cluster-base.bicep' = {
 istioIngressGatewayIPAddressName: istioIngressGatewayIPAddressName
 istioIngressGatewayIPAddressIPTags: istioIngressGatewayIPAddressIPTags
 vnetAddressPrefix: vnetAddressPrefix
+ nodeSubnetNSGId: svcClusterNSG.id
 subnetPrefix: subnetPrefix
 podSubnetPrefix: podSubnetPrefix
 clusterType: 'svc-cluster'