[patch] fix suite-dns edge certs logic & remove redundant HTTP call

ibm/mas_devops/plugins/modules/cis_dns_entries.py

@@ -246,20 +246,12 @@ def main():
                     if(response.status_code == 200):
                         changed = True
         if cis_waf:
-
             url = f"https://api.cis.cloud.ibm.com/v1/{crn}/zones/{zoneId}/settings/waf"	
             payload="{\n \"value\": \"on\" \n}"
             response = requests.request("PATCH", url, headers=headers, data=payload)
             if(response.status_code == 200):
                 changed = True
 
-        if (edgeCertRoutes) and len(edgeCertRoutes) > 0:
-            url = f"https://api.cis.cloud.ibm.com/v2/{crn}/zones/{zoneId}/ssl/certificate_packs/order"
-            payload = "{\n \"certificate_authority\": \"digicert\",\n \"validation_method\": \"txt\",\n \"validity_days\": 365,\n \"type\": \"advanced\",\n  \"hosts\": ["+ ",".join(["'"+str(i)+"'" for i in edgeCertRoutes]) +"],:}" 
-            response = requests.request("POST", url, headers=headers, data=payload)
-            if(response.status_code == 200):
-
-                changed = True
     except requests.exceptions.RequestException as e:  # This is the correct syntax
         module.fail_json(msg = f"Error calling : {url}")
 

ibm/mas_devops/roles/suite_dns/README.md

@@ -209,6 +209,13 @@ Location to output the edge-routes-{mas_instance_id}.txt
 - Environment Variable: `OUTPUT_DIR`
 - Default: `.` (which will set the directory file in ibm/mas_devops)
 
+### saas_mode
+If true, saas_edge_certificate_routes.yml.j2 template will be used instead of edge_certificate_routes.yml.j2
+This template omits routes that will not be present in SaaS envs to reduce the hostname count to under 50 so only a single edge route certificate is required
+
+- Optional
+- Environment Variable: `SAAS_MODE`
+- Default: false
 
 Role Variables - AWS Route 53
 ------------------------------------------------------------

ibm/mas_devops/roles/suite_dns/defaults/main.yaml

@@ -65,6 +65,11 @@ delete_wildcards: "{{ lookup('env', 'DELETE_WILDCARDS') | default('false', true)
 # Override and delete any existing edge certificates in cis instance
 override_edge_certs: "{{ lookup('env', 'OVERRIDE_EDGE_CERTS') | default('true', true) | bool }}"
 
+# If true, saas_edge_certificate_routes.yml.j2 template will be used instead of edge_certificate_routes.yml.j2
+# This template omits routes that will not be present in SaaS envs to reduce the hostname count to under 50
+# so only a single edge route certificate is required
+saas_mode:  "{{ lookup('env', 'SAAS_MODE') | default('false', true) | bool }}"
+
 cis_apiservice:
   group_name: acme.cis.ibm.com
 

ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_dns_mgmt.yml

@@ -30,7 +30,19 @@
 - name: "cis : Define DNS Entries"
   set_fact:
     dns_entries: "{{ lookup('ansible.builtin.template', 'dnsentries.yml.j2') | from_yaml }}"
+
+
+- name: "cis : Read Edge Certificate Routes"
+  set_fact:
     list_edge_cert_routes: "{{ lookup('ansible.builtin.template', 'edge_certificate_routes.yml.j2') | from_yaml }}"
+  when:
+    - not saas_mode
+
+- name: "cis : Read Edge Certificate Routes (SaaS)"
+  set_fact:
+    list_edge_cert_routes: "{{ lookup('ansible.builtin.template', 'saas_edge_certificate_routes.yml.j2') | from_yaml }}"
+  when:
+    - saas_mode
 
 - name: "cis : Define Edge Certificate Routes"
   set_fact:

ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_edge_certificate.yml

@@ -80,4 +80,4 @@
     ibmcloud cis certificate-order {{ _cis_domain_id }} --hostnames {{ item|join(',') }} -i {{ cis_service_name }}
   loop: "{{ edge_cert_routes | batch(50) | list }}"
   when:
-    - not hasDedicated or _deleted_certificate is defined
+    - not hasDedicated or _deleted_certificate["changed"]

ibm/mas_devops/roles/suite_dns/templates/saas_edge_certificate_routes.yml.j2

@@ -0,0 +1,50 @@
+edge_cert_routes:
+  - "{{mas_domain}}"
+  - sls.{{mas_domain}}
+  - admin.{{mas_domain}}
+  - api.{{mas_domain}}
+  - auth.{{mas_domain}}
+  - home.{{mas_domain}}
+  - {{ mas_workspace_id }}.home.{{mas_domain}}
+  - health.{{mas_domain}}
+  - {{ mas_workspace_id }}.health.{{mas_domain}}
+  - {{ mas_workspace_id }}-all.health.{{mas_domain}}
+  - {{ mas_workspace_id }}-ui.health.{{mas_domain}}
+  - {{ mas_workspace_id }}-mea.health.{{mas_domain}}
+  - {{ mas_workspace_id }}-rpt.health.{{mas_domain}}
+  - {{ mas_workspace_id }}-cron.health.{{mas_domain}}
+  - {{ mas_workspace_id }}-jms.health.{{mas_domain}}
+  - maxinst.health.{{mas_domain}}
+  - iot.{{mas_domain}}
+  - {{ mas_workspace_id }}.iot.{{mas_domain}}
+  - messaging.iot.{{mas_domain}}
+  - {{ mas_workspace_id }}.messaging.iot.{{mas_domain}}
+  - edgeconfig.iot.{{mas_domain}}
+  - {{ mas_workspace_id }}.edgeconfig.iot.{{mas_domain}}
+  - edgeconfigapi.iot.{{mas_domain}}
+  - {{ mas_workspace_id }}.edgeconfigapi.iot.{{mas_domain}}
+  - manage.{{mas_domain}}
+  - {{ mas_workspace_id }}.manage.{{mas_domain}}
+  - {{ mas_workspace_id }}-all.manage.{{mas_domain}}
+  - {{ mas_workspace_id }}-ui.manage.{{mas_domain}}
+  - {{ mas_workspace_id }}-mea.manage.{{mas_domain}}
+  - {{ mas_workspace_id }}-rpt.manage.{{mas_domain}}
+  - {{ mas_workspace_id }}-cron.manage.{{mas_domain}}
+  - {{ mas_workspace_id }}-jms.manage.{{mas_domain}}
+  - maxinst.manage.{{mas_domain}}
+  - monitor.{{mas_domain}}
+  - {{ mas_workspace_id }}.monitor.{{mas_domain}}
+  - admin.monitor.{{mas_domain}}
+  - api.monitor.{{mas_domain}}
+  - {{ mas_workspace_id }}.api.monitor.{{mas_domain}}
+  - predict.{{mas_domain}}
+  - {{ mas_workspace_id }}.predict.{{mas_domain}}
+  - visualinspection.{{mas_domain}}
+  - {{ mas_workspace_id }}.visualinspection.{{mas_domain}}
+  - optimizer.{{mas_domain}}
+  - {{ mas_workspace_id }}.optimizer.{{mas_domain}}
+  - api.optimizer.{{mas_domain}}
+  - {{ mas_workspace_id }}.api.optimizer.{{mas_domain}}
+  - assist.{{mas_domain}}
+  - {{ mas_workspace_id }}.assist.{{mas_domain}}
+  - reportdb.{{mas_domain}}