Moved CMK resources to HUB (Azure#842)

commit
ARPA-H · Feb 6, 2024 · 4fce287 · 4fce287
1 parent bc7f251
commit 4fce287
Show file tree

Hide file tree

Showing 3 changed files with 99 additions and 49 deletions.
diff --git a/src/bicep/core/hub-customer-managed-keys.bicep b/src/bicep/core/hub-customer-managed-keys.bicep
@@ -0,0 +1,52 @@
+/*
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT License.
+*/
+
+param diskEncryptionSetName string
+param deploymentNameSuffix string
+param keyVaultName string
+param keyVaultPrivateDnsZoneResourceId string
+param location string
+param resourcePrefix string
+param subnetResourceId string
+param tags object
+param userAssignedIdentityName string
+
+module keyVault '../modules/key-vault.bicep' = {
+  name: 'deploy-key-vault-${deploymentNameSuffix}'
+  params: {
+    keyVaultName: keyVaultName
+    keyVaultPrivateDnsZoneResourceId: keyVaultPrivateDnsZoneResourceId
+    location: location
+    resourcePrefix: resourcePrefix
+    subnetResourceId: subnetResourceId
+    tags: tags
+  }
+}
+
+module diskEncryptionSet '../modules/disk-encryption-set.bicep' = {
+  name: 'deploy-disk-encryption-set_${deploymentNameSuffix}'
+  params: {
+    deploymentNameSuffix: deploymentNameSuffix
+    diskEncryptionSetName: diskEncryptionSetName
+    keyUrl: keyVault.outputs.keyUriWithVersion
+    keyVaultResourceId: keyVault.outputs.keyVaultResourceId
+    location: location
+    tags: contains(tags, 'Microsoft.Compute/diskEncryptionSets') ? tags['Microsoft.Compute/diskEncryptionSets'] : {}
+  }
+}
+
+module userAssignedIdentity '../modules/user-assigned-identity.bicep' = {
+  name: 'deploy-user-assigned-identity-${deploymentNameSuffix}'
+  params: {
+    location: location
+    name: userAssignedIdentityName
+    tags: tags
+  }
+}
+
+output diskEncryptionSetResourceId string = diskEncryptionSet.outputs.resourceId
+output keyVaultUri string = keyVault.outputs.keyVaultUri
+output storageKeyName string = keyVault.outputs.storageKeyName
+output userAssignedIdentityResourceId string = userAssignedIdentity.outputs.resourceId
diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
@@ -564,6 +564,10 @@ var virtualNetworkNamingConvention = replace(namingConvention, resourceToken, 'v
 
 var hubName = 'hub'
 var hubShortName = 'hub'
+var hubDiskEncryptionSetName = replace(diskEncryptionSetNamingConvention, nameToken, hubName)
+var hubKeyVaultName = take(hubKeyVaultUniqueName, 24)
+var hubKeyVaultShortName = replace(keyVaultNamingConvention, nameToken, hubShortName)
+var hubKeyVaultUniqueName = replace(hubKeyVaultShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, hubSubscriptionId))
 var hubLogStorageAccountName = take(hubLogStorageAccountUniqueName, 24)
 var hubLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, hubShortName)
 var hubLogStorageAccountUniqueName = replace(hubLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, hubSubscriptionId))
@@ -572,6 +576,7 @@ var hubNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention,
 var hubResourceGroupName = replace(resourceGroupNamingConvention, nameToken, hubName)
 var hubRouteTableName = replace(routeTableNamingConvention, nameToken, hubName)
 var hubSubnetName = replace(subnetNamingConvention, nameToken, hubName)
+var hubUserAssignedIdentityName = replace(userAssignedIdentityNamingConvention, nameToken, hubName)
 var hubVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, hubName)
 
 // IDENTITY NAMES
@@ -591,18 +596,14 @@ var identityVirtualNetworkName = replace(virtualNetworkNamingConvention, nameTok
 
 var operationsName = 'operations'
 var operationsShortName = 'ops'
-var operationsDiskEncryptionSetName = replace(diskEncryptionSetNamingConvention, nameToken, operationsName)
-var operationsKeyVaultName = take(operationsKeyVaultUniqueName, 24)
-var operationsKeyVaultShortName = replace(keyVaultNamingConvention, nameToken, operationsShortName)
-var operationsKeyVaultUniqueName = replace(operationsKeyVaultShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId))
 var operationsLogStorageAccountName = take(operationsLogStorageAccountUniqueName, 24)
 var operationsLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, operationsShortName)
 var operationsLogStorageAccountUniqueName = replace(operationsLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId))
 var operationsNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, operationsName)
 var operationsResourceGroupName = replace(resourceGroupNamingConvention, nameToken, operationsName)
 var operationsRouteTableName = replace(routeTableNamingConvention, nameToken, operationsName)
 var operationsSubnetName = replace(subnetNamingConvention, nameToken, operationsName)
-var operationsUserAssignedIdentityName = replace(userAssignedIdentityNamingConvention, nameToken, operationsName)
+
 var operationsVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, operationsName)
 
 // SHARED SERVICES NAMES
@@ -904,25 +905,22 @@ module privateDnsZones './modules/private-dns.bicep' = {
   ]
 }
 
-// OPERATIONS CMK DEPENDANCIES
+// CUSTOMER MANAGED KEYS
 
-module operationsCustomerManagedKeys './core/operations-customer-managed-keys.bicep' = {
-  name: 'deploy-cmk-ops-${deploymentNameSuffix}'
-  scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName)
+module customerManagedKeys './core/hub-customer-managed-keys.bicep' = {
+  name: 'deploy-cmk-hub-${deploymentNameSuffix}'
+  scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
   params: {
     deploymentNameSuffix: deploymentNameSuffix
-    diskEncryptionSetName: operationsDiskEncryptionSetName
-    keyVaultName: operationsKeyVaultName
+    diskEncryptionSetName: hubDiskEncryptionSetName
+    keyVaultName: hubKeyVaultName
     keyVaultPrivateDnsZoneResourceId: privateDnsZones.outputs.keyvaultDnsPrivateDnsZoneId
     location: location
     resourcePrefix: resourcePrefix
-    subnetResourceId: spokeNetworks[0].outputs.subnetResourceId
+    subnetResourceId: hubNetwork.outputs.subnetResourceId
     tags: calculatedTags
-    userAssignedIdentityName: operationsUserAssignedIdentityName
+    userAssignedIdentityName: hubUserAssignedIdentityName
   }
-  dependsOn: [
-    spokeNetworks
-  ]
 }
 
 // AZURE MONITOR
@@ -994,7 +992,7 @@ module remoteAccess './core/remote-access.bicep' = if (deployRemoteAccess) {
     windowsVmSku: windowsVmSku
     windowsVmStorageAccountType: windowsVmStorageAccountType
     windowsVmVersion: windowsVmVersion
-    diskEncryptionSetResourceId: operationsCustomerManagedKeys.outputs.diskEncryptionSetResourceId
+    diskEncryptionSetResourceId: customerManagedKeys.outputs.diskEncryptionSetResourceId
     hybridUseBenefit: hybridUseBenefit
     linuxDiskName: linuxDiskName
     windowsDiskName: windowsDiskName
@@ -1011,16 +1009,16 @@ module hubStorage './core/hub-storage.bicep' = {
   scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
   params: {
     blobsPrivateDnsZoneResourceId: privateDnsZones.outputs.blobPrivateDnsZoneId
-    keyVaultUri: operationsCustomerManagedKeys.outputs.keyVaultUri
+    keyVaultUri: customerManagedKeys.outputs.keyVaultUri
     location: location
     logStorageAccountName: hubLogStorageAccountName
     logStorageSkuName: logStorageSkuName
     resourcePrefix: resourcePrefix
-    storageEncryptionKeyName: operationsCustomerManagedKeys.outputs.storageKeyName
+    storageEncryptionKeyName: customerManagedKeys.outputs.storageKeyName
     subnetResourceId: hubNetwork.outputs.subnetResourceId
     tablesPrivateDnsZoneResourceId: privateDnsZones.outputs.tablePrivateDnsZoneId
     tags: calculatedTags
-    userAssignedIdentityResourceId: operationsCustomerManagedKeys.outputs.userAssignedIdentityResourceId
+    userAssignedIdentityResourceId: customerManagedKeys.outputs.userAssignedIdentityResourceId
   }
   dependsOn: [
     remoteAccess
@@ -1034,16 +1032,16 @@ module spokeStorage './core/spoke-storage.bicep' = [for (spoke, i) in spokes: {
   scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName)
   params: {
     blobsPrivateDnsZoneResourceId: privateDnsZones.outputs.blobPrivateDnsZoneId
-    keyVaultUri: operationsCustomerManagedKeys.outputs.keyVaultUri
+    keyVaultUri: customerManagedKeys.outputs.keyVaultUri
     location: location
     logStorageAccountName: spoke.logStorageAccountName
     logStorageSkuName: logStorageSkuName
     resourcePrefix: resourcePrefix
-    storageEncryptionKeyName: operationsCustomerManagedKeys.outputs.storageKeyName
+    storageEncryptionKeyName: customerManagedKeys.outputs.storageKeyName
     subnetResourceId: spokeNetworks[i].outputs.subnetResourceId
     tablesPrivateDnsZoneResourceId: privateDnsZones.outputs.tablePrivateDnsZoneId
     tags: tags
-    userAssignedIdentityResourceId: operationsCustomerManagedKeys.outputs.userAssignedIdentityResourceId
+    userAssignedIdentityResourceId: customerManagedKeys.outputs.userAssignedIdentityResourceId
   }
   dependsOn: [
     remoteAccess