From 478085fa3206d488c537315e6c0e47c9e288ca3b Mon Sep 17 00:00:00 2001 From: tomklapiscak <7372253+tomklapiscak@users.noreply.github.com> Date: Thu, 10 Apr 2025 15:30:47 +0100 Subject: [PATCH 1/4] [patch] Remove unnecessary (and broken) edge cert order call https://jsw.ibm.com/browse/MASCORE-6361 --- ibm/mas_devops/plugins/modules/cis_dns_entries.py | 8 -------- 1 file changed, 8 deletions(-) diff --git a/ibm/mas_devops/plugins/modules/cis_dns_entries.py b/ibm/mas_devops/plugins/modules/cis_dns_entries.py index 58cb3bdb29..67689603ec 100644 --- a/ibm/mas_devops/plugins/modules/cis_dns_entries.py +++ b/ibm/mas_devops/plugins/modules/cis_dns_entries.py @@ -246,20 +246,12 @@ def main(): if(response.status_code == 200): changed = True if cis_waf: - url = f"https://api.cis.cloud.ibm.com/v1/{crn}/zones/{zoneId}/settings/waf" payload="{\n \"value\": \"on\" \n}" response = requests.request("PATCH", url, headers=headers, data=payload) if(response.status_code == 200): changed = True - if (edgeCertRoutes) and len(edgeCertRoutes) > 0: - url = f"https://api.cis.cloud.ibm.com/v2/{crn}/zones/{zoneId}/ssl/certificate_packs/order" - payload = "{\n \"certificate_authority\": \"digicert\",\n \"validation_method\": \"txt\",\n \"validity_days\": 365,\n \"type\": \"advanced\",\n \"hosts\": ["+ ",".join(["'"+str(i)+"'" for i in edgeCertRoutes]) +"],:}" - response = requests.request("POST", url, headers=headers, data=payload) - if(response.status_code == 200): - - changed = True except requests.exceptions.RequestException as e: # This is the correct syntax module.fail_json(msg = f"Error calling : {url}") From 9eb6201cd62ecdfa6800e863b761d1bec5f71347 Mon Sep 17 00:00:00 2001 
From: tomklapiscak <7372253+tomklapiscak@users.noreply.github.com> Date: Thu, 10 Apr 2025 15:32:02 +0100 Subject: [PATCH 2/4] allow up to 100 hostnames (which is the max) per edge cert https://jsw.ibm.com/browse/MASCORE-6361 --- .../suite_dns/tasks/providers/cis/cis_edge_certificate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_edge_certificate.yml b/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_edge_certificate.yml index f07d1e5c13..c6e366647b 100644 --- a/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_edge_certificate.yml +++ b/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_edge_certificate.yml @@ -78,6 +78,6 @@ - name: "cis : Order certificate if there no dedicated yet" ansible.builtin.shell: | ibmcloud cis certificate-order {{ _cis_domain_id }} --hostnames {{ item|join(',') }} -i {{ cis_service_name }} - loop: "{{ edge_cert_routes | batch(50) | list }}" + loop: "{{ edge_cert_routes | batch(100) | list }}" when: - not hasDedicated or _deleted_certificate is defined From 8da2c09283be022641856d0a5c47775d178e9e0b Mon Sep 17 00:00:00 2001 From: tomklapiscak <7372253+tomklapiscak@users.noreply.github.com> Date: Tue, 15 Apr 2025 17:03:53 +0100 Subject: [PATCH 3/4] fix issue where new edge certs are ordered even if they were not deleted --- .../suite_dns/tasks/providers/cis/cis_edge_certificate.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_edge_certificate.yml b/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_edge_certificate.yml index c6e366647b..3c21f9bc56 100644 --- a/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_edge_certificate.yml +++ b/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_edge_certificate.yml 
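Review bot: The new `batch(100)` bakes a provider ceiling into the loop expression with nothing in the task recording where the number comes from, and the same loop still hands each batch to `ansible.builtin.shell` unquoted, so a hostname or `cis_service_name` value containing shell metacharacters would be interpreted by the shell rather than passed to `ibmcloud`. I would hoist the limit into the role defaults, e.g. `cis_edge_cert_max_hostnames: 100  # max hostnames per CIS certificate order`, loop with `batch(cis_edge_cert_max_hostnames)`, and quote the interpolations: `--hostnames {{ item | join(',') | quote }} -i {{ cis_service_name | quote }}`. That 100 is the real CIS limit is taken only from the commit subject here and should be confirmed against the CIS API documentation before it is frozen into a default. Any remaining keys of this task sit past the end of the hunk.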
@@ -78,6 +78,6 @@ - name: "cis : Order certificate if there no dedicated yet" ansible.builtin.shell: | ibmcloud cis certificate-order {{ _cis_domain_id }} --hostnames {{ item|join(',') }} -i {{ cis_service_name }} - loop: "{{ edge_cert_routes | batch(100) | list }}" + loop: "{{ edge_cert_routes | batch(50) | list }}" when: - - not hasDedicated or _deleted_certificate is defined + - not hasDedicated or _deleted_certificate["changed"] From 4cdd603ea4b505b2f59d9a62d94c7a21dd0e4ba4 Mon Sep 17 00:00:00 2001 From: tomklapiscak <7372253+tomklapiscak@users.noreply.github.com> Date: Tue, 15 Apr 2025 17:47:00 +0100 Subject: [PATCH 4/4] add SAAS_MODE --- ibm/mas_devops/roles/suite_dns/README.md | 7 +++ .../roles/suite_dns/defaults/main.yaml | 5 ++ .../tasks/providers/cis/cis_dns_mgmt.yml | 12 +++++ .../saas_edge_certificate_routes.yml.j2 | 50 +++++++++++++++++++ 4 files changed, 74 insertions(+) create mode 100644 ibm/mas_devops/roles/suite_dns/templates/saas_edge_certificate_routes.yml.j2 diff --git a/ibm/mas_devops/roles/suite_dns/README.md b/ibm/mas_devops/roles/suite_dns/README.md index 3e9b28bf37..d38e5eeb5c 100644 --- a/ibm/mas_devops/roles/suite_dns/README.md +++ b/ibm/mas_devops/roles/suite_dns/README.md @@ -209,6 +209,13 @@ Location to output the edge-routes-{mas_instance_id}.txt - Environment Variable: `OUTPUT_DIR` - Default: `.` (which will set the directory file in ibm/mas_devops) +### saas_mode +If true, saas_edge_certificate_routes.yml.j2 template will be used instead of edge_certificate_routes.yml.j2 +This template omits routes that will not be present in SaaS envs to reduce the hostname count to under 50 so only a single edge route certificate is required + +- Optional +- Environment Variable: `SAAS_MODE` +- Default: false Role Variables - AWS Route 53 ------------------------------------------------------------ diff --git a/ibm/mas_devops/roles/suite_dns/defaults/main.yaml b/ibm/mas_devops/roles/suite_dns/defaults/main.yaml index b589385b15..6347df65c3 100644 
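Review bot: `_deleted_certificate["changed"]` raises an undefined-variable error on any path where the task that registers `_deleted_certificate` never ran (a skipped task still registers, but a task in an untaken block or an unincluded file does not, if such a path exists), whereas the replaced `is defined` guard tolerated that; since `not hasDedicated` short-circuits the `or`, this only bites when a dedicated certificate already exists, which is exactly the case the commit is fixing. A tolerant form keeps the intent: `- not hasDedicated or (_deleted_certificate | default({})).changed | default(false)`. The hunk also moves the batch size from 100 back to 50, which neither the commit message nor the task explains; a one-line comment such as `# 50 hostnames per order: keeps the default route list on a single certificate` (or whatever the actual reason is) would stop the next person from raising it again. Any remaining keys of this task sit past the end of the hunk.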
--- a/ibm/mas_devops/roles/suite_dns/defaults/main.yaml +++ b/ibm/mas_devops/roles/suite_dns/defaults/main.yaml @@ -65,6 +65,11 @@ delete_wildcards: "{{ lookup('env', 'DELETE_WILDCARDS') | default('false', true) # Override and delete any existing edge certificates in cis instance override_edge_certs: "{{ lookup('env', 'OVERRIDE_EDGE_CERTS') | default('true', true) | bool }}" +# If true, saas_edge_certificate_routes.yml.j2 template will be used instead of edge_certificate_routes.yml.j2 +# This template omits routes that will not be present in SaaS envs to reduce the hostname count to under 50 +# so only a single edge route certificate is required +saas_mode: "{{ lookup('env', 'SAAS_MODE') | default('false', true) | bool }}" + cis_apiservice: group_name: acme.cis.ibm.com diff --git a/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_dns_mgmt.yml b/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_dns_mgmt.yml index e60ca5693f..f18aaf8673 100644 --- a/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_dns_mgmt.yml +++ b/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_dns_mgmt.yml @@ -30,7 +30,19 @@ - name: "cis : Define DNS Entries" set_fact: dns_entries: "{{ lookup('ansible.builtin.template', 'dnsentries.yml.j2') | from_yaml }}" + + +- name: "cis : Read Edge Certificate Routes" + set_fact: list_edge_cert_routes: "{{ lookup('ansible.builtin.template', 'edge_certificate_routes.yml.j2') | from_yaml }}" + when: + - not saas_mode + +- name: "cis : Read Edge Certificate Routes (SaaS)" + set_fact: + list_edge_cert_routes: "{{ lookup('ansible.builtin.template', 'saas_edge_certificate_routes.yml.j2') | from_yaml }}" + when: + - saas_mode - name: "cis : Define Edge Certificate Routes" set_fact: diff --git a/ibm/mas_devops/roles/suite_dns/templates/saas_edge_certificate_routes.yml.j2 b/ibm/mas_devops/roles/suite_dns/templates/saas_edge_certificate_routes.yml.j2 new file mode 100644 index 0000000000..9424e90c46 --- /dev/null 
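Review bot: In the first added task `set_fact:` and `list_edge_cert_routes:` appear on a single line (`set_fact: list_edge_cert_routes: "{{ ... }}"`), which YAML rejects as a mapping value nested inside a mapping value; the SaaS task right below puts them on separate lines, and the 12 added lines in the hunk header are consistent with the one-line form rather than a lost line break, though the collapsed rendering here could be misleading, so please check the file. If it is real, the non-SaaS path, which is the default, cannot even be parsed. Beyond that, the two tasks differ only in the template name, so one task with `lookup('ansible.builtin.template', 'saas_edge_certificate_routes.yml.j2' if saas_mode else 'edge_certificate_routes.yml.j2')` removes the duplicated `when` pair and the risk of the two drifting apart. The following "Define Edge Certificate Routes" task continues past the end of the hunk.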
+++ b/ibm/mas_devops/roles/suite_dns/templates/saas_edge_certificate_routes.yml.j2 
@@ -0,0 +1,50 @@ +edge_cert_routes: + - "{{mas_domain}}" + - sls.{{mas_domain}} + - admin.{{mas_domain}} + - api.{{mas_domain}} + - auth.{{mas_domain}} + - home.{{mas_domain}} + - {{ mas_workspace_id }}.home.{{mas_domain}} + - health.{{mas_domain}} + - {{ mas_workspace_id }}.health.{{mas_domain}} + - {{ mas_workspace_id }}-all.health.{{mas_domain}} + - {{ mas_workspace_id }}-ui.health.{{mas_domain}} + - {{ mas_workspace_id }}-mea.health.{{mas_domain}} + - {{ mas_workspace_id }}-rpt.health.{{mas_domain}} + - {{ mas_workspace_id }}-cron.health.{{mas_domain}} + - {{ mas_workspace_id }}-jms.health.{{mas_domain}} + - maxinst.health.{{mas_domain}} + - iot.{{mas_domain}} + - {{ mas_workspace_id }}.iot.{{mas_domain}} + - messaging.iot.{{mas_domain}} + - {{ mas_workspace_id }}.messaging.iot.{{mas_domain}} + - edgeconfig.iot.{{mas_domain}} + - {{ mas_workspace_id }}.edgeconfig.iot.{{mas_domain}} + - edgeconfigapi.iot.{{mas_domain}} + - {{ mas_workspace_id }}.edgeconfigapi.iot.{{mas_domain}} + - manage.{{mas_domain}} + - {{ mas_workspace_id }}.manage.{{mas_domain}} + - {{ mas_workspace_id }}-all.manage.{{mas_domain}} + - {{ mas_workspace_id }}-ui.manage.{{mas_domain}} + - {{ mas_workspace_id }}-mea.manage.{{mas_domain}} + - {{ mas_workspace_id }}-rpt.manage.{{mas_domain}} + - {{ mas_workspace_id }}-cron.manage.{{mas_domain}} + - {{ mas_workspace_id }}-jms.manage.{{mas_domain}} + - maxinst.manage.{{mas_domain}} + - monitor.{{mas_domain}} + - {{ mas_workspace_id }}.monitor.{{mas_domain}} + - admin.monitor.{{mas_domain}} + - api.monitor.{{mas_domain}} + - {{ mas_workspace_id }}.api.monitor.{{mas_domain}} + - predict.{{mas_domain}} + - {{ mas_workspace_id }}.predict.{{mas_domain}} + - visualinspection.{{mas_domain}} + - {{ mas_workspace_id }}.visualinspection.{{mas_domain}} + - optimizer.{{mas_domain}} + - {{ mas_workspace_id }}.optimizer.{{mas_domain}} + - api.optimizer.{{mas_domain}} + - {{ mas_workspace_id }}.api.optimizer.{{mas_domain}} + - assist.{{mas_domain}} + - {{ 
mas_workspace_id }}.assist.{{mas_domain}} + - reportdb.{{mas_domain}}
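Review bot: By my count the template lists 49 hostnames, exactly one short of the `batch(50)` split used by the certificate-order task, so the next route anyone appends silently turns the "single edge certificate" promised by the `saas_mode` description into two orders with no warning; a header comment should say so, e.g. `{# 49 hostnames: must stay below the 50-per-order batch in cis_edge_certificate.yml or a second certificate is ordered #}`. The first entry quotes `"{{mas_domain}}"` while every other line is unquoted, and the two variables use different brace spacing (`{{mas_domain}}` vs `{{ mas_workspace_id }}`); consistent `{{ var }}` spacing would make this list easier to diff against edge_certificate_routes.yml.j2. Nothing here validates that the rendered values are plain DNS labels before they reach `from_yaml` and, later, the `ibmcloud` shell command — presumably that is enforced where `mas_domain` and `mas_workspace_id` are set, but it is worth confirming.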