Preetisht/aro 20272 vmss ip tag #4464
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add IPTag struct and RpVmssIpTags field to Configuration - Add rpVmssIpTags parameter to ARM template with array type - Implement IP tags in VMSS PublicIPAddressConfiguration - Use conditional ARM logic for backward compatibility - Support FirstPartyUsage type with service tag values Update deployment assets Trigger new VMSS deployment for IP tags testing - eastus disabled region validation New commit ID
This allows RP VMSS and Gateway VMSS to have different FirstPartyUsage tags: - RP VMSS: /aroclassicnonprodinboundsvc (inbound) - Gateway VMSS: /aroclassicnonprodoutboundsvc (outbound)
…ew commit ID to test re-release
preetisht
requested review from
bennerv,
cadenmarchese,
fahlmant,
hawkowl,
hlipsig,
jharrington22,
kimorris27,
mociarain,
mrWinston,
pepedocs,
rogbas,
sankur-codes,
tiguelu,
tsatam,
wanghaoran1988 and
yjst2012
as code owners
Member
|
Might be worth a rebase and a re-run of the E2E. |
mociarain
reviewed
Nov 27, 2025
Member
mociarain
left a comment
mociarain
left a comment
There was a problem hiding this comment.
LGTM. I left a comment on an idea but it's not blocking
| VMSize *string `json:"vmSize,omitempty" value:"required"` | ||
| VMSSCleanupEnabled *bool `json:"vmssCleanupEnabled,omitempty"` | ||
| RPVmssIpTags []IPTag `json:"rpVmssIpTags,omitempty"` | ||
| RPVmssIpTagsDisabledRegions []string `json:"rpVmssIpTagsDisabledRegions,omitempty"` |
Member
There was a problem hiding this comment.
I've never considered it until now but could we do better than strings for regions i.e. enums. Outside the scope of this PR but I came across this: https://gist.github.com/ausfestivus/04e55c7d80229069bf3bc75870630ec8
What do you think?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Which issue this PR addresses:
https://issues.redhat.com/browse/ARO-20272
Fixes
What this PR does / why we need it:
https://issues.redhat.com/browse/ARO-16025
This is a part of Microsoft Security Wave 5 fix. All our PublicIP's for both MSIT and AME environment for ARO Classic shoudl have FirstPartyUsage tags .
This PR implements IP tags support for Azure Red Hat OpenShift Virtual Machine Scale Sets (VMSS) to comply with Microsoft Security Wave 5 requirements. The implementation adds unified configuration parameters (vmssIpTags, vmssIpTagsDisabledRegions) that enable region-specific IP tagging for both RP and Gateway VMSS public IPs, with ARM template conditional logic that gracefully handles disabled regions by deploying empty IP tags arrays. The solution has ARM conditionals logic and includes edge case handling for missing or empty configuration scenarios.
Test plan for issue:
Is there any documentation that needs to be updated for this PR?
How do you know this will function as expected in production?