Azure · geoberle · Feb 28, 2025 · Feb 25, 2025 · Feb 27, 2025 · Feb 28, 2025
@@ -252,6 +252,10 @@ clouds:
           clusterService:
             environment: "arohcpint"
 
+          # Geneva Actions
+          genevaActions:
+            serviceTag: GenevaActionsNonProd
+
           # OIDC
           oidcStorageAccountName: arohcpoidcint{{ .ctx.regionShort }}
           oidcZoneRedundantMode: Auto

@@ -426,6 +426,18 @@
         "cert"
       ]
     },
+    "genevaActions": {
+      "type": "object",
+      "properties": {
+        "serviceTag": {
+          "type": "string"
+        }
+      },
+      "additionalProperties": false,
+      "required": [
+        "serviceTag"
+      ]
+    },
     "global": {
       "type": "object",
       "properties": {
@@ -977,6 +989,7 @@
     "firstPartyAppClientId",
     "firstPartyAppCertName",
     "frontend",
+    "genevaActions",
     "global",
     "hypershift",
     "hypershiftOperator",

@@ -25,6 +25,10 @@ defaults:
   logs:
     enableLogAnalytics: false
 
+  # Geneva Actions
+  genevaActions:
+    serviceTag: GenevaActionsNonProd
+
   # SVC cluster specifics
   svc:
     subscription: ARO Hosted Control Planes (EA Subscription 1)

@@ -95,6 +95,9 @@
       "repository": "arohcpfrontend"
     }
   },
+  "genevaActions": {
+    "serviceTag": "GenevaActionsNonProd"
+  },
   "global": {
     "globalMSIName": "global-rollout-identity",
     "region": "westus3",

@@ -95,6 +95,9 @@
       "repository": "arohcpfrontend"
     }
   },
+  "genevaActions": {
+    "serviceTag": "GenevaActionsNonProd"
+  },
   "global": {
     "globalMSIName": "global-rollout-identity",
     "region": "westus3",

@@ -95,6 +95,9 @@
       "repository": "arohcpfrontend"
     }
   },
+  "genevaActions": {
+    "serviceTag": "GenevaActionsNonProd"
+  },
   "global": {
     "globalMSIName": "global-ev2-identity",
     "region": "uksouth",

@@ -95,6 +95,9 @@
       "repository": "arohcpfrontend"
     }
   },
+  "genevaActions": {
+    "serviceTag": "GenevaActionsNonProd"
+  },
   "global": {
     "globalMSIName": "global-rollout-identity",
     "region": "westus3",

@@ -72,6 +72,7 @@ param regionalResourceGroup = '{{ .regionRG }}'
 
 param frontendIngressCertName = '{{ .frontend.cert.name }}'
 param frontendIngressCertIssuer = '{{ .frontend.cert.issuer }}'
+param genevaActionsServiceTag = '{{ .genevaActions.serviceTag }}'
 
 // Azure Monitor Workspace
 param azureMonitoringWorkspaceId = '__azureMonitoringWorkspaceId__'

@@ -37,6 +37,7 @@ param subnetPrefix string
 param podSubnetPrefix string
 param clusterType string
 param workloadIdentities array
+param nodeSubnetNSGId string
 
 @description('Istio Ingress Gateway Public IP Address resource name')
 param istioIngressGatewayIPAddressName string = ''
@@ -192,6 +193,9 @@ resource aksNodeSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' =
         service: 'Microsoft.KeyVault'
       }
     ]
+    networkSecurityGroup: {
+      id: nodeSubnetNSGId
+    }
   }
 }
 
@@ -691,3 +695,4 @@ output aksNodeSubnetId string = aksNodeSubnet.id
 output aksOidcIssuerUrl string = aksCluster.properties.oidcIssuerProfile.issuerURL
 output aksClusterName string = aksClusterName
 output aksClusterKeyVaultSecretsProviderPrincipalId string = aksCluster.properties.addonProfiles.azureKeyvaultSecretsProvider.identity.objectId
+output istioIngressGatewayIPAddress string = deployIstio ? istioIngressGatewayIPAddress.outputs.ipAddress : ''
@@ -0,0 +1,21 @@
+param zoneName string
+param recordName string
+param ipAddress string
+param ttl int
+
+resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = {
+  name: zoneName
+}
+
+resource frontendDNSRecord 'Microsoft.Network/dnsZones/A@2023-07-01-preview' = {
+  name: recordName
+  parent: dnsZone
+  properties: {
+    TTL: ttl
+    ARecords: [
+      {
+        ipv4Address: ipAddress
+      }
+    ]
+  }
+}
@@ -39,3 +39,5 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = i
   properties: roleAssignmentProperties
   scope: publicIPAddress
 }
+
+output ipAddress string = publicIPAddress.properties.ipAddress
@@ -111,6 +111,14 @@ param logsServiceAccount string
 // Log Analytics Workspace ID will be passed from region pipeline if enabled in config
 param logAnalyticsWorkspaceId string = ''
 
+resource mgmtClusterNSG 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
+  location: location
+  name: 'mgmt-cluster-node-nsg'
+  properties: {
+    securityRules: []
+  }
+}
+
 module mgmtCluster '../modules/aks-cluster-base.bicep' = {
   name: 'cluster'
   scope: resourceGroup()
@@ -124,6 +132,7 @@ module mgmtCluster '../modules/aks-cluster-base.bicep' = {
     deployIstio: false
     kubernetesVersion: kubernetesVersion
     vnetAddressPrefix: vnetAddressPrefix
+    nodeSubnetNSGId: mgmtClusterNSG.id
     subnetPrefix: subnetPrefix
     podSubnetPrefix: podSubnetPrefix
     clusterType: 'mgmt-cluster'

@@ -158,7 +158,7 @@ module maestroInfra '../modules/maestro/maestro-infra.bicep' = {
     maxClientSessionsPerAuthName: maestroEventGridMaxClientSessionsPerAuthName
     publicNetworkAccess: maestroEventGridPrivate ? 'Disabled' : 'Enabled'
     certificateIssuer: maestroCertificateIssuer
-    logAnalyticsWorkspaceId: logAnalyticsWorkspace.id
+    logAnalyticsWorkspaceId: enableLogAnalytics ? logAnalyticsWorkspace.id : ''
   }
 }
 

@@ -179,6 +179,9 @@ param frontendIngressCertName string
 @description('Frontend Ingress Certificate Issuer')
 param frontendIngressCertIssuer string
 
+@description('The service tag for Geneva Actions')
+param genevaActionsServiceTag string
+
 @description('The Azure Resource ID of the Azure Monitor Workspace (stores prometheus metrics)')
 param azureMonitoringWorkspaceId string
 
@@ -209,6 +212,41 @@ resource serviceKeyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing
   scope: resourceGroup(serviceKeyVaultResourceGroup)
 }
 
+resource svcClusterNSG 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
+  location: location
+  name: 'svc-cluster-node-nsg'
+  properties: {
+    securityRules: [
+      {
+        name: 'rp-in-arm'
+        properties: {
+          access: 'Allow'
+          destinationAddressPrefix: '*'
+          destinationPortRange: '443'
+          direction: 'Inbound'
+          priority: 120
+          protocol: 'Tcp'
+          sourceAddressPrefix: 'AzureResourceManager'
+          sourcePortRange: '*'
+        }
+      }
+      {
+        name: 'admin-in-geneva'
+        properties: {
+          access: 'Allow'
+          destinationAddressPrefix: '*'
+          destinationPortRange: '443'
+          direction: 'Inbound'
+          priority: 130
+          protocol: 'Tcp'
+          sourceAddressPrefix: genevaActionsServiceTag
+          sourcePortRange: '*'
+        }
+      }
+    ]
+  }
+}
+
 module svcCluster '../modules/aks-cluster-base.bicep' = {
   name: 'cluster'
   scope: resourceGroup()
@@ -225,6 +263,7 @@ module svcCluster '../modules/aks-cluster-base.bicep' = {
     istioIngressGatewayIPAddressName: istioIngressGatewayIPAddressName
     istioIngressGatewayIPAddressIPTags: istioIngressGatewayIPAddressIPTags
     vnetAddressPrefix: vnetAddressPrefix
+    nodeSubnetNSGId: svcClusterNSG.id
     subnetPrefix: subnetPrefix
     podSubnetPrefix: podSubnetPrefix
     clusterType: 'svc-cluster'
@@ -450,19 +489,22 @@ module eventGrindPrivateEndpoint '../modules/private-endpoint.bicep' = {
 }
 
 //
-//   F R O N T E N D   C E R T I F I C A T E
+//   F R O N T E N D
 //
 
+var frontendDnsName = 'rp'
+var frontendDnsFQDN = '${frontendDnsName}.${regionalSvcDNSZoneName}'
+
 module frontendIngressCert '../modules/keyvault/key-vault-cert.bicep' = {
   name: 'frontend-cert-${uniqueString(resourceGroup().name)}'
   scope: resourceGroup(serviceKeyVaultResourceGroup)
   params: {
     keyVaultName: serviceKeyVaultName
-    subjectName: 'CN=frontend.${regionalSvcDNSZoneName}'
+    subjectName: 'CN=${frontendDnsFQDN}'
     certName: frontendIngressCertName
     keyVaultManagedIdentityId: aroDevopsMsiId
     dnsNames: [
-      'frontend.${regionalSvcDNSZoneName}'
+      frontendDnsFQDN
     ]
     issuerName: frontendIngressCertIssuer
   }
@@ -478,3 +520,14 @@ module frontendIngressCertCSIAccess '../modules/keyvault/keyvault-secret-access.
     secretName: frontendIngressCertName
   }
 }
+
+module frontendDNS '../modules/dns/a-record.bicep' = {
+  name: 'frontend-dns'
+  scope: resourceGroup(regionalResourceGroup)
+  params: {
+    zoneName: regionalSvcDNSZoneName
+    recordName: frontendDnsName
+    ipAddress: svcCluster.outputs.istioIngressGatewayIPAddress
+    ttl: 300
+  }
+}