package generator
// Copyright (c) Microsoft Corporation.
// Licensed under the Apache License 2.0.
import (
"fmt"
mgmtcompute "github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2020-06-01/compute"
mgmtkeyvault "github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2019-09-01/keyvault"
mgmtnetwork "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-08-01/network"
"github.com/Azure/go-autorest/autorest/to"
"github.com/Azure/ARO-RP/pkg/util/arm"
"github.com/Azure/ARO-RP/pkg/util/azureclient"
)
// ARM template expressions (evaluated by ARM at deployment time, not by Go)
// that name the disk-encryption key and the disk encryption set after the
// resource group. They are spliced verbatim into larger expressions below
// (see diskEncryptionKey and diskEncryptionSet), so they deliberately carry
// no outer "[...]" brackets of their own.
const (
	diskEncryptionKeyName = "concat(resourceGroup().name, '-disk-encryption-key')"
	diskEncryptionSetName = "concat(resourceGroup().name, '-disk-encryption-set')"
)
// clusterVnet returns the ARM resource for the shared "dev-vnet" virtual
// network, whose address space comes from the vnetAddressPrefix template
// parameter. The remaining arguments are forwarded to g.virtualNetwork
// unchanged; "[parameters('ci')]" is used as a deployment Condition by other
// resources in this file and is presumably the same here — confirm against
// virtualNetwork.
func (g *generator) clusterVnet() *arm.Resource {
	const (
		vnetName      = "dev-vnet"
		addressPrefix = "[parameters('vnetAddressPrefix')]"
		ciExpr        = "[parameters('ci')]"
	)
	return g.virtualNetwork(vnetName, addressPrefix, nil, ciExpr, nil)
}
// clusterRouteTable returns the ARM resource for the "<clusterName>-rt" route
// table in the resource group's location. It is created with an empty route
// list; the master and worker subnets reference it by resource ID.
func (g *generator) clusterRouteTable() *arm.Resource {
	noRoutes := []mgmtnetwork.Route{}

	return &arm.Resource{
		Resource: &mgmtnetwork.RouteTable{
			RouteTablePropertiesFormat: &mgmtnetwork.RouteTablePropertiesFormat{
				Routes: &noRoutes,
			},
			Name:     to.StringPtr("[concat(parameters('clusterName'), '-rt')]"),
			Type:     to.StringPtr("Microsoft.Network/routeTables"),
			Location: to.StringPtr("[resourceGroup().location]"),
		},
		APIVersion: azureclient.APIVersion("Microsoft.Network"),
	}
}
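// clusterMasterSubnet returns the ARM resource for the "<clusterName>-master"
// subnet inside dev-vnet. Its range comes from the masterAddressPrefix
// parameter and it is associated with the cluster route table, so it depends
// on both the vnet and that route table.
//
// This subnet populates AddressPrefixes (a list) whereas clusterWorkerSubnet
// sets the singular AddressPrefix. The difference is kept as-is because
// changing it changes the emitted template — TODO confirm it is intentional.
func (g *generator) clusterMasterSubnet() *arm.Resource {
	// Used both for the subnet association and the dependency, so spell it once.
	const routeTableID = "[resourceid('Microsoft.Network/routeTables', concat(parameters('clusterName'), '-rt'))]"

	return &arm.Resource{
		Resource: &mgmtnetwork.Subnet{
			SubnetPropertiesFormat: &mgmtnetwork.SubnetPropertiesFormat{
				// The slice holds plain strings; no pointer round-trip needed.
				AddressPrefixes: &[]string{
					"[parameters('masterAddressPrefix')]",
				},
				RouteTable: &mgmtnetwork.RouteTable{
					ID: to.StringPtr(routeTableID),
				},
			},
			Name: to.StringPtr("[concat('dev-vnet/', parameters('clusterName'), '-master')]"),
		},
		Type:       "Microsoft.Network/virtualNetworks/subnets",
		Location:   "[resourceGroup().location]",
		APIVersion: azureclient.APIVersion("Microsoft.Network"),
		DependsOn: []string{
			"[resourceid('Microsoft.Network/virtualNetworks', 'dev-vnet')]",
			routeTableID,
		},
	}
}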
// clusterWorkerSubnet returns the ARM resource for the "<clusterName>-worker"
// subnet inside dev-vnet, sized by the workerAddressPrefix parameter and
// associated with the cluster route table. It depends on the master subnet as
// well as the route table — presumably so the two subnet writes to the shared
// vnet are serialized rather than racing; confirm.
func (g *generator) clusterWorkerSubnet() *arm.Resource {
	const (
		routeTableID   = "[resourceid('Microsoft.Network/routeTables', concat(parameters('clusterName'), '-rt'))]"
		masterSubnetID = "[resourceid('Microsoft.Network/virtualNetworks/subnets', 'dev-vnet', concat(parameters('clusterName'), '-master'))]"
	)

	subnet := &mgmtnetwork.Subnet{
		SubnetPropertiesFormat: &mgmtnetwork.SubnetPropertiesFormat{
			AddressPrefix: to.StringPtr("[parameters('workerAddressPrefix')]"),
			RouteTable:    &mgmtnetwork.RouteTable{ID: to.StringPtr(routeTableID)},
		},
		Name: to.StringPtr("[concat('dev-vnet/', parameters('clusterName'), '-worker')]"),
	}

	return &arm.Resource{
		Resource:   subnet,
		Type:       "Microsoft.Network/virtualNetworks/subnets",
		Location:   "[resourceGroup().location]",
		APIVersion: azureclient.APIVersion("Microsoft.Network"),
		DependsOn:  []string{masterSubnetID, routeTableID},
	}
}
// diskEncryptionKeyVault returns the ARM resource for the key vault named by
// the kvName parameter. It is created with an empty (non-nil) access-policy
// list; the policy for the disk encryption set's identity is added separately
// by diskEncryptionKeyVaultAccessPolicy. The trailing arguments are passed
// straight through to g.keyVault; "[parameters('ci')]" is the deployment
// condition used elsewhere in this file and is assumed to mean the same here.
func (g *generator) diskEncryptionKeyVault() *arm.Resource {
	// Must stay an empty slice, not nil: a nil slice would serialize differently.
	noPolicies := []mgmtkeyvault.AccessPolicyEntry{}
	return g.keyVault("[parameters('kvName')]", &noPolicies, "[parameters('ci')]", nil)
}
// diskEncryptionKey returns the ARM resource for a 4096-bit RSA key named
// "<resourceGroup>-disk-encryption-key" inside the kvName vault. The key is
// referenced as the ActiveKey of the disk encryption set built in
// diskEncryptionSet. It depends on the vault and carries the
// "[parameters('ci')]" Condition.
func (g *generator) diskEncryptionKey() *arm.Resource {
	const vaultID = "[resourceId('Microsoft.KeyVault/vaults', parameters('kvName'))]"

	return &arm.Resource{
		Resource: &mgmtkeyvault.Key{
			KeyProperties: &mgmtkeyvault.KeyProperties{
				Kty:     mgmtkeyvault.RSA,
				KeySize: to.Int32Ptr(4096),
			},
			// diskEncryptionKeyName is itself an ARM expression, so it is
			// spliced into the outer concat() unquoted.
			Name:     to.StringPtr("[concat(parameters('kvName'), '/', " + diskEncryptionKeyName + ")]"),
			Type:     to.StringPtr("Microsoft.KeyVault/vaults/keys"),
			Location: to.StringPtr("[resourceGroup().location]"),
		},
		APIVersion: azureclient.APIVersion("Microsoft.KeyVault"),
		DependsOn:  []string{vaultID},
		Condition:  to.StringPtr("[parameters('ci')]"),
	}
}
// diskEncryptionSet returns the ARM resource for the
// "<resourceGroup>-disk-encryption-set" disk encryption set. Its active key is
// resolved at deployment time with reference() to the versioned URI of the
// disk-encryption key in the kvName vault, and it is given a system-assigned
// managed identity (which diskEncryptionKeyVaultAccessPolicy grants key
// access). Carries the "[parameters('ci')]" Condition and depends on the key.
func (g *generator) diskEncryptionSet() *arm.Resource {
	// Bare (unbracketed) resourceId() expression for the key; bracketed where used.
	keyResourceID := fmt.Sprintf("resourceId('Microsoft.KeyVault/vaults/keys', parameters('kvName'), %s)", diskEncryptionKeyName)
	keyURL := fmt.Sprintf("[reference(%s, '%s', 'Full').properties.keyUriWithVersion]", keyResourceID, azureclient.APIVersion("Microsoft.KeyVault"))

	props := &mgmtcompute.EncryptionSetProperties{
		ActiveKey: &mgmtcompute.KeyVaultAndKeyReference{
			KeyURL: to.StringPtr(keyURL),
			SourceVault: &mgmtcompute.SourceVault{
				ID: to.StringPtr("[resourceId('Microsoft.KeyVault/vaults', parameters('kvName'))]"),
			},
		},
	}

	return &arm.Resource{
		Resource: &mgmtcompute.DiskEncryptionSet{
			EncryptionSetProperties: props,
			Name:                    to.StringPtr("[" + diskEncryptionSetName + "]"),
			Type:                    to.StringPtr("Microsoft.Compute/diskEncryptionSets"),
			Location:                to.StringPtr("[resourceGroup().location]"),
			Identity:                &mgmtcompute.EncryptionSetIdentity{Type: mgmtcompute.SystemAssigned},
		},
		APIVersion: azureclient.APIVersion("Microsoft.Compute"),
		Condition:  to.StringPtr("[parameters('ci')]"),
		DependsOn:  []string{"[" + keyResourceID + "]"},
	}
}
// diskEncryptionKeyVaultAccessPolicy returns the ARM resource that adds an
// access policy to the kvName vault for the disk encryption set's
// system-assigned identity, whose principal ID is read at deployment time via
// reference(). The policy is scoped to keys only — get, wrapKey and unwrapKey —
// and grants no secret or certificate permissions. It carries the
// "[parameters('ci')]" Condition and depends on the disk encryption set.
//
// NOTE(review): the reference() here looks up its API version with
// azureclient.APIVersion("Microsoft.Compute/diskEncryptionSets"), while
// diskEncryptionSet itself uses azureclient.APIVersion("Microsoft.Compute");
// presumably both resolve to a version valid for this resource type — confirm.
// tenantUUIDHack is a package-level value defined elsewhere; its name suggests
// a workaround — confirm what it holds.
func (g *generator) diskEncryptionKeyVaultAccessPolicy() *arm.Resource {
	// Bare (unbracketed) resourceId() expression for the set; bracketed where used.
	desResourceID := fmt.Sprintf("resourceId('Microsoft.Compute/diskEncryptionSets', %s)", diskEncryptionSetName)
	principalID := fmt.Sprintf("[reference(%s, '%s', 'Full').identity.PrincipalId]", desResourceID, azureclient.APIVersion("Microsoft.Compute/diskEncryptionSets"))

	keyPerms := []mgmtkeyvault.KeyPermissions{
		mgmtkeyvault.KeyPermissionsGet,
		mgmtkeyvault.KeyPermissionsWrapKey,
		mgmtkeyvault.KeyPermissionsUnwrapKey,
	}
	entry := mgmtkeyvault.AccessPolicyEntry{
		TenantID:    &tenantUUIDHack,
		ObjectID:    to.StringPtr(principalID),
		Permissions: &mgmtkeyvault.Permissions{Keys: &keyPerms},
	}

	return &arm.Resource{
		Resource: &mgmtkeyvault.VaultAccessPolicyParameters{
			Properties: &mgmtkeyvault.VaultAccessPolicyProperties{
				AccessPolicies: &[]mgmtkeyvault.AccessPolicyEntry{entry},
			},
			Name:     to.StringPtr("[concat(parameters('kvName'), '/add')]"),
			Type:     to.StringPtr("Microsoft.KeyVault/vaults/accessPolicies"),
			Location: to.StringPtr("[resourceGroup().location]"),
		},
		APIVersion: azureclient.APIVersion("Microsoft.KeyVault"),
		Condition:  to.StringPtr("[parameters('ci')]"),
		DependsOn:  []string{"[" + desResourceID + "]"},
	}
}