From af703105914d00ba002d9f013ecffcf2e81826de Mon Sep 17 00:00:00 2001 From: Zidong Lu Date: Mon, 30 Sep 2024 15:15:19 +0800 Subject: [PATCH] add keyvault_secrets to define secrets sequence and suffixes (#18) * add keyvault_secrets to define secrets sequence and suffixes add variables to customize rdma properties * fix expression * format --- README.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ keyvault.tf | 8 ++++---- locals.tf | 51 ++++++++++++++++++++------------------------------- variables.tf | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 123 insertions(+), 35 deletions(-) diff --git a/README.md b/README.md index af119f5..0bf6cbc 100644 --- a/README.md +++ b/README.md @@ -482,6 +482,42 @@ Type: `bool` Default: `true` +### [keyvault\_secrets](#input\_keyvault\_secrets) + +Description: A list of key vault secrets. + +Type: + +```hcl +list(object({ + eceSecretName = string + secretSuffix = string + })) +``` + +Default: + +```json +[ + { + "eceSecretName": "AzureStackLCMUserCredential", + "secretSuffix": "AzureStackLCMUserCredential" + }, + { + "eceSecretName": "LocalAdminCredential", + "secretSuffix": "LocalAdminCredential" + }, + { + "eceSecretName": "DefaultARBApplication", + "secretSuffix": "DefaultARBApplication" + }, + { + "eceSecretName": "WitnessStorageKey", + "secretSuffix": "WitnessStorageKey" + } +] +``` + ### [keyvault\_soft\_delete\_retention\_days](#input\_keyvault\_soft\_delete\_retention\_days) Description: The number of days that items should be retained for soft delete. 
@@ -604,6 +640,22 @@ Type: `bool` Default: `false` +### [rdma\_jumbo\_packet](#input\_rdma\_jumbo\_packet) + +Description: The jumbo packet size for RDMA. + +Type: `string` + +Default: `"9014"` + +### [rdma\_protocol](#input\_rdma\_protocol) + +Description: The RDMA protocol. + +Type: `string` + +Default: `"RoCEv2"` + ### [role\_assignments](#input\_role\_assignments) Description: A map of role assignments to create on this resource. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time. diff --git a/keyvault.tf b/keyvault.tf index 7a050eb..e446155 100644 --- a/keyvault.tf +++ b/keyvault.tf @@ -28,7 +28,7 @@ data "azurerm_key_vault" "key_vault" { resource "azurerm_key_vault_secret" "azure_stack_lcm_user_credential" { key_vault_id = local.key_vault.id - name = var.use_legacy_key_vault_model ? "AzureStackLCMUserCredential" : "${var.name}-AzureStackLCMUserCredential" + name = local.keyvault_secret_names["AzureStackLCMUserCredential"] value = base64encode("${var.deployment_user}:${var.deployment_user_password}") content_type = one(flatten([var.azure_stack_lcm_user_credential_content_type])) tags = var.azure_stack_lcm_user_credential_tags @@ -41,7 +41,7 @@ resource "azurerm_key_vault_secret" "azure_stack_lcm_user_credential" { resource "azurerm_key_vault_secret" "local_admin_credential" { key_vault_id = local.key_vault.id - name = var.use_legacy_key_vault_model ? "LocalAdminCredential" : "${var.name}-LocalAdminCredential" + name = local.keyvault_secret_names["LocalAdminCredential"] value = base64encode("${var.local_admin_user}:${var.local_admin_password}") content_type = one(flatten([var.local_admin_credential_content_type])) tags = var.local_admin_credential_tags 
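Review bot: With `name = local.keyvault_secret_names["AzureStackLCMUserCredential"]` (and the same pattern on `local_admin_credential`), the secret name in non-legacy mode is now derived from the caller-supplied `secretSuffix`, and `name` on `azurerm_key_vault_secret` is, as far as I recall, a force-new attribute, so editing a suffix on an already-deployed module destroys and recreates the secret rather than renaming it. Because the vault keeps soft-deleted secrets for `keyvault_soft_delete_retention_days`, the old credential presumably lingers under its previous name for that window, and reverting the suffix within it would collide with the soft-deleted entry unless the provider is configured to recover it. Neither the hunk nor the new variable's description warns about this; I would add to the `keyvault_secrets` description: `Changing a secretSuffix after deployment recreates the Key Vault secret under the new name; the previous secret remains soft-deleted under its old name for the retention period.` The resource blocks here are shown in full, but the surrounding file continues outside the hunk.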
@@ -54,7 +54,7 @@ resource "azurerm_key_vault_secret" "local_admin_credential" { resource "azurerm_key_vault_secret" "default_arb_application" { key_vault_id = local.key_vault.id - name = var.use_legacy_key_vault_model ? "DefaultARBApplication" : "${var.name}-DefaultARBApplication" + name = local.keyvault_secret_names["DefaultARBApplication"] value = base64encode("${var.service_principal_id}:${var.service_principal_secret}") content_type = one(flatten([var.default_arb_application_content_type])) tags = var.default_arb_application_tags @@ -67,7 +67,7 @@ resource "azurerm_key_vault_secret" "default_arb_application" { resource "azurerm_key_vault_secret" "witness_storage_key" { key_vault_id = local.key_vault.id - name = var.use_legacy_key_vault_model ? "WitnessStorageKey" : "${var.name}-WitnessStorageKey" + name = local.keyvault_secret_names["WitnessStorageKey"] value = base64encode(var.create_witness_storage_account ? azurerm_storage_account.witness[0].primary_access_key : data.azurerm_storage_account.witness[0].primary_access_key) content_type = one(flatten([var.witness_storage_key_content_type])) tags = var.witness_storage_key_tags diff --git a/locals.tf b/locals.tf index 9503423..5569e05 100644 --- a/locals.tf +++ b/locals.tf 
@@ -72,28 +72,7 @@ locals { } adouPath = var.adou_path secretsLocation = var.use_legacy_key_vault_model ? local.secrets_location : (var.secrets_location == "" ? null : var.secrets_location) - secrets = var.use_legacy_key_vault_model ? null : [ - { - secretName = "${var.name}-AzureStackLCMUserCredential" - eceSecretName = "AzureStackLCMUserCredential" - secretLocation = "${local.secrets_location}secrets/${var.name}-AzureStackLCMUserCredential" - }, - { - secretName = "${var.name}-LocalAdminCredential" - eceSecretName = "LocalAdminCredential" - secretLocation = "${local.secrets_location}secrets/${var.name}-LocalAdminCredential" - }, - { - secretName = "${var.name}-DefaultARBApplication" - eceSecretName = "DefaultARBApplication" - secretLocation = "${local.secrets_location}secrets/${var.name}-DefaultARBApplication" - }, - { - secretName = "${var.name}-WitnessStorageKey" - eceSecretName = "WitnessStorageKey" - secretLocation = "${local.secrets_location}secrets/${var.name}-WitnessStorageKey" - } - ] + secrets = var.use_legacy_key_vault_model ? null : local.keyvault_secrets optionalServices = { customLocation = var.custom_location_name } 
@@ -114,11 +93,26 @@ locals { } deployment_setting_properties_omit_null = { for k, v in local.deployment_setting_properties : k => v if v != null } key_vault = var.create_key_vault ? azurerm_key_vault.deployment_keyvault[0] : data.azurerm_key_vault.key_vault[0] - owned_user_storages = [for storage in local.decoded_user_storages : storage if lower(storage.extendedLocation.name) == lower(data.azapi_resource.customlocation.id)] + keyvault_secret_names = var.use_legacy_key_vault_model ? { + "AzureStackLCMUserCredential" = "AzureStackLCMUserCredential" + "LocalAdminCredential" = "LocalAdminCredential" + "DefaultARBApplication" = "DefaultARBApplication" + "WitnessStorageKey" = "WitnessStorageKey" + } : { + for secret in var.keyvault_secrets : secret.eceSecretName => "${var.name}-${secret.secretSuffix}" + } + keyvault_secrets = [ + for secret in var.keyvault_secrets : { + secretName = local.keyvault_secret_names[secret.eceSecretName] + eceSecretName = secret.eceSecretName + secretLocation = "${local.secrets_location}secrets/${local.keyvault_secret_names[secret.eceSecretName]}" + } + ] + owned_user_storages = [for storage in local.decoded_user_storages : storage if lower(storage.extendedLocation.name) == lower(data.azapi_resource.customlocation.id)] rdma_adapter_properties = { - jumboPacket = "9014" + jumboPacket = var.rdma_jumbo_packet networkDirect = "Enabled" - networkDirectTechnology = "RoCEv2" + networkDirectTechnology = var.rdma_protocol } role_assignments = flatten([ for server_key, arcserver in data.azurerm_arc_machine.arcservers : [ 
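Review bot: `keyvault_secret_names` builds its non-legacy map with `secret.eceSecretName => "${var.name}-${secret.secretSuffix}"` and no `...` grouping, so two entries of `var.keyvault_secrets` sharing an `eceSecretName` fail the plan with a duplicate-key error, and the variable's own validation (length 4 plus set membership) does not exclude that case: a list repeating one name and omitting another passes it, breaks here, and would also leave the `local.keyvault_secret_names[...]` lookups in keyvault.tf without their key. Since the list order is meant to be caller-controlled, the fix belongs in the variable rather than in a grouping here, e.g. `length(distinct([for s in var.keyvault_secrets : s.eceSecretName])) == 4`. Separately, `secretSuffix` flows unfiltered into both the vault secret name and the `secretLocation` URL path; Key Vault secret names accept only letters, digits and hyphens (and are capped at 127 characters including the `${var.name}-` prefix, as far as I recall), so a bad suffix is rejected only at apply time after other resources exist. The `locals` block this hunk edits starts and ends outside the hunk.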
@@ -164,7 +158,7 @@ locals { loadBalancingAlgorithm = "" }, qosPolicyOverrides = var.storage_qos_policy_overrides, - adapterPropertyOverrides = var.storage_rdma_enabled ? (var.storage_connectivity_switchless ? local.switchless_adapter_properties : local.rdma_adapter_properties) : local.adapter_properties + adapterPropertyOverrides = var.storage_rdma_enabled ? local.rdma_adapter_properties : local.adapter_properties }] storage_adapters = flatten([for storageNetwork in var.storage_networks : storageNetwork.networkAdapterName]) storage_networks = var.storage_adapter_ip_info == null ? flatten(var.storage_networks) : [ @@ -175,10 +169,5 @@ locals { storageAdapterIPInfo = var.storage_adapter_ip_info[storageNetwork.name] } ] - switchless_adapter_properties = { - jumboPacket = "9014" - networkDirect = "Enabled" - networkDirectTechnology = "iWARP" - } witness_storage_account_resource_group_name = var.witness_storage_account_resource_group_name == "" ? var.resource_group_name : var.witness_storage_account_resource_group_name } diff --git a/variables.tf b/variables.tf index 61ab681..ee1861f 100644 --- a/variables.tf +++ b/variables.tf 
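Review bot: Dropping the `var.storage_connectivity_switchless ? local.switchless_adapter_properties : ...` branch and the `switchless_adapter_properties` local silently changes behavior for switchless deployments: they previously got `networkDirectTechnology = "iWARP"`, and now get `var.rdma_protocol`, whose default is `"RoCEv2"`, unless the caller overrides it. Nothing in this patch (variable description or README hunk) calls that out, and `storage_connectivity_switchless` appears to remain a module input. If the goal is caller choice without a surprise default change, make `rdma_protocol` default to `null` and resolve it in `rdma_adapter_properties` as `networkDirectTechnology = coalesce(var.rdma_protocol, var.storage_connectivity_switchless ? "iWARP" : "RoCEv2")`; otherwise at least state the new default in the `rdma_protocol` description, e.g. `Defaults to RoCEv2 for all topologies; switchless deployments previously used iWARP.` The enclosing `locals` block starts and ends outside these hunks.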
@@ -339,6 +339,41 @@ variable "keyvault_purge_protection_enabled" { description = "Indicates whether purge protection is enabled." } +variable "keyvault_secrets" { + type = list(object({ + eceSecretName = string + secretSuffix = string + })) + default = [ + { + eceSecretName = "AzureStackLCMUserCredential" + secretSuffix = "AzureStackLCMUserCredential" + }, + { + eceSecretName = "LocalAdminCredential" + secretSuffix = "LocalAdminCredential" + }, + { + eceSecretName = "DefaultARBApplication" + secretSuffix = "DefaultARBApplication" + }, + { + eceSecretName = "WitnessStorageKey" + secretSuffix = "WitnessStorageKey" + } + ] + description = "A list of key vault secrets." + + validation { + condition = var.use_legacy_key_vault_model || length(var.keyvault_secrets) == 4 + error_message = "keyvault_secrets must be provided when use_legacy_key_vault_model is false. EceSecretNames are AzureStackLCMUserCredential, LocalAdminCredential, DefaultARBApplication, WitnessStorageKey." + } + validation { + condition = var.use_legacy_key_vault_model || alltrue([for secret in var.keyvault_secrets : contains(["AzureStackLCMUserCredential", "LocalAdminCredential", "DefaultARBApplication", "WitnessStorageKey"], secret.eceSecretName)]) + error_message = "keyvault_secrets must be provided when use_legacy_key_vault_model is false. EceSecretNames are AzureStackLCMUserCredential, LocalAdminCredential, DefaultARBApplication, WitnessStorageKey." + } +} + variable "keyvault_soft_delete_retention_days" { type = number default = 30 
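Review bot: The first validation's message says `keyvault_secrets must be provided when use_legacy_key_vault_model is false`, but its condition only asserts `length(var.keyvault_secrets) == 4`, and neither validation requires the four `eceSecretName` values to be distinct, so a list that repeats one name and omits another passes here and only fails later when locals.tf keys a map by `eceSecretName`. `secretSuffix` is also unconstrained even though it becomes part of the Key Vault secret name, which (as far as I recall) allows only letters, digits and hyphens and at most 127 characters including the `${var.name}-` prefix. Both checks are additionally gated on `var.use_legacy_key_vault_model`, yet the locals that index `local.keyvault_secret_names[secret.eceSecretName]` appear to be evaluated regardless of mode, so a legacy caller passing an unexpected name gets an opaque invalid-index error instead of this message; I would drop the gate and tighten the conditions as below. The variable block is shown in full, but the surrounding file continues outside the hunk.

```hcl
variable "keyvault_secrets" {
  # … unchanged: type, default, description …

  validation {
    condition = length(distinct([for s in var.keyvault_secrets : s.eceSecretName])) == 4 && alltrue([
      for s in var.keyvault_secrets : contains(["AzureStackLCMUserCredential", "LocalAdminCredential", "DefaultARBApplication", "WitnessStorageKey"], s.eceSecretName)
    ])
    error_message = "keyvault_secrets must contain exactly one entry for each of AzureStackLCMUserCredential, LocalAdminCredential, DefaultARBApplication and WitnessStorageKey."
  }
  validation {
    condition     = alltrue([for s in var.keyvault_secrets : can(regex("^[0-9A-Za-z-]+$", s.secretSuffix))])
    error_message = "secretSuffix may contain only letters, digits and hyphens; it is appended to the module name to form the Key Vault secret name."
  }
}
```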
@@ -437,6 +472,18 @@ variable "rdma_enabled" { description = "Enables RDMA when set to true. In a converged network configuration, this will make the network use RDMA. In a dedicated storage network configuration, enabling this will enable RDMA on the storage network." } +variable "rdma_jumbo_packet" { + type = string + default = "9014" + description = "The jumbo packet size for RDMA." +} + +variable "rdma_protocol" { + type = string + default = "RoCEv2" + description = "The RDMA protocol." +} + variable "role_assignments" { type = map(object({ role_definition_id_or_name = string
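Review bot: `rdma_protocol` and `rdma_jumbo_packet` are free-form strings that locals.tf passes straight through as `networkDirectTechnology` and `jumboPacket`, with no validation; the only values this repository has ever used are `RoCEv2` and `iWARP` (the latter in the branch this same commit removes), and the jumbo packet value is numeric. A typo such as `RoCEV2` or a non-numeric MTU is therefore rejected only when the deployment setting is applied, after the Key Vault secrets and other resources are already created. If the platform accepts only those two technologies, pin them and require a decimal MTU as below; the variable blocks are complete here, but the file continues outside the hunk.

```hcl
variable "rdma_jumbo_packet" {
  type        = string
  default     = "9014"
  description = "The jumbo packet (MTU) size for RDMA adapters, as a decimal string."

  validation {
    condition     = can(regex("^[0-9]+$", var.rdma_jumbo_packet))
    error_message = "rdma_jumbo_packet must be a decimal number, for example \"9014\"."
  }
}

variable "rdma_protocol" {
  type        = string
  default     = "RoCEv2"
  description = "The RDMA technology (networkDirectTechnology) applied to RDMA-enabled storage adapters."

  validation {
    condition     = contains(["RoCEv2", "iWARP"], var.rdma_protocol)
    error_message = "rdma_protocol must be one of RoCEv2 or iWARP."
  }
}
```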