Merge pull request #463 from sassoftware/pr-pskd-1488

Merge pull request #390 from simon-z22:simon_modifications

Author: illianov

docs/CONFIG-VARS.md

@@ -197,18 +197,23 @@ Ubuntu 20.04 LTS is the operating system used on the Jump/NFS servers. Ubuntu cr
 | :--- | ---: | ---: | ---: | ---: |
 | partner_id | A GUID that is registered with Microsoft to facilitate partner resource usage attribution | string | "5d27f3ae-e49c-4dea-9aa3-b44e4750cd8c" | Defaults to SAS partner GUID. When you deploy this Terraform configuration, Microsoft can identify the installation of SAS software with the deployed Azure resources. Microsoft can then correlate the resources that are used to support the software. Microsoft collects this information to provide the best experiences with their products and to operate their business. The data is collected and governed by Microsoft's privacy policies, located at https://www.microsoft.com/trustcenter. |
 | create_static_kubeconfig | Allows the user to create a provider / service account-based kubeconfig file | bool | true | A value of `false` will default to using the cloud provider's mechanism for generating the kubeconfig file. A value of `true` will create a static kubeconfig that uses a `Service Account` and `Cluster Role Binding` to provide credentials. |
-| kubernetes_version | The AKS cluster Kubernetes version | string | "1.30" |Use of specific versions is still supported. If you need exact kubernetes version please use format `x.y.z`, where `x` is the major version, `y` is the minor version, and `z` is the patch version |
+| kubernetes_version | The AKS cluster Kubernetes version | string | "1.30" | Use of specific versions is still supported. If you need exact kubernetes version please use format `x.y.z`, where `x` is the major version, `y` is the minor version, and `z` is the patch version |
 | create_jump_vm | Create bastion host | bool | true | |
 | create_jump_public_ip | Add public IP address to the jump VM | bool | true | |
 | enable_jump_public_static_ip | Enables `Static` allocation method for the public IP address of Jump Server. Setting false will enable `Dynamic` allocation method. | bool | true | Only used with `create_jump_public_ip=true` |
 | jump_vm_admin | Operating system Admin User for the jump VM | string | "jumpuser" | |
-| jump_vm_machine_type | SKU to use for the jump VM | string | "Standard_B2s" | To check for valid types for your subscription, run: `az vm list-skus --resource-type virtualMachines --subscription $subscription --location $location -o table`|
+| jump_vm_machine_type | SKU to use for the jump VM | string | "Standard_B2s" | To check for valid types for your subscription, run: `az vm list-skus --resource-type virtualMachines --subscription $subscription --location $location -o table` |
 | jump_rwx_filestore_path | File store mount point on jump server | string | "/viya-share" | This location cannot include `/mnt` as its root location. This disk is ephemeral on Ubuntu, which is the operating system being used for the jump/NFS servers. |
 | tags | Map of common tags to be placed on all Azure resources created by this script | map | { project_name = "sasviya4", environment = "dev" } | |
-| aks_identity | Use UserAssignedIdentity or Service Principal as  [AKS identity](https://docs.microsoft.com/en-us/azure/aks/concepts-identity) | string | "uai" | A value of `uai` wil create a Managed Identity based on the permissions of the authenticated user or use [`AKS_UAI_NAME`](#use-existing), if set. A value of `sp` will use values from [`CLIENT_ID`/`CLIENT_SECRET`](#azure-authentication), if set. |
+| aks_identity | Use UserAssignedIdentity or Service Principal as [AKS identity](https://docs.microsoft.com/en-us/azure/aks/concepts-identity) | string | "uai" | A value of `uai` wil create a Managed Identity based on the permissions of the authenticated user or use [`AKS_UAI_NAME`](#use-existing), if set. A value of `sp` will use values from [`CLIENT_ID`/`CLIENT_SECRET`](#azure-authentication), if set. |
 | ssh_public_key | File name of public ssh key for jump and nfs VM | string | "~/.ssh/id_rsa.pub" | Required with `create_jump_vm=true` or `storage_type=standard` |
 | cluster_api_mode | Public or private IP for the cluster api | string | "public" | Valid Values: "public", "private" |
 | aks_cluster_private_dns_zone_id | Specifies private DNS zone resource ID for AKS private cluster to use | string | "" | For `cluster_api_mode=private` if `aks_cluster_private_dns_zone_id` is not specified then the value `System` is used else it is set to null. For details see [Configure a private DNS zone](https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=azure-portal#configure-a-private-dns-zone) |
+| aks_cluster_sku_tier | The SKU Tier that should be used for this Kubernetes Cluster. Optimizes api server for cost vs availability | string | "Free" | Valid Values:  "Free", "Standard" and "Premium" | 
+| cluster_support_tier | Specifies the support plan which should be used for this Kubernetes Cluster. | string | "KubernetesOfficial" | Possible values are `KubernetesOfficial` and `AKSLongTermSupport`. To enable long term K8s support is a combination of setting `aks_cluster_sku_tier` to `Premium` tier and explicitly selecting the `cluster_support_tier` as `AKSLongTermSupport`. For details see [Long term Support](https://learn.microsoft.com/en-us/azure/aks/long-term-support) and for which K8s version has long term support see [AKS Kubernetes release calendar](https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli#aks-kubernetes-release-calendar). | 
+| aks_cluster_run_command_enabled | Enable or disable the AKS Run Command feature | bool | false | The AKS Run Command feature in AKS allows you to remotely execute commands within a running container of your AKS cluster directly from the Azure CLI or Azure portal. To enable the Run Command feature for an AKS cluster where Run Command is disabled, navigate to the Run Command tab for your AKS Cluster in the Azure Portal and select the Enable button. |
+| aks_azure_policy_enabled | Enable or disable the Azure Policy Add-on or extension | bool | false | Azure Policy makes it possible to manage and report on the compliance state of your Kubernetes cluster components from one place. By using Azure Policy's Add-on or Extension, governing your cluster components is enhanced with Azure Policy features, like the ability to use selectors and overrides for safe policy rollout and rollback. |
+| node_resource_group_name | Specifies the resource group name for the cluster resources | string | `MC_${local.aks_rg.name}_${var.prefix}-aks_${var.location}` | |
 | aks_cluster_sku_tier | The SKU Tier that should be used for this Kubernetes Cluster. Optimizes api server for cost vs availability | string | "Free" | Valid Values:  "Free", "Standard" and "Premium" |
 | cluster_support_tier | Specifies the support plan which should be used for this Kubernetes Cluster. | string | "KubernetesOfficial" | Possible values are `KubernetesOfficial` and `AKSLongTermSupport`. To enable long term K8s support is a combination of setting `aks_cluster_sku_tier` to `Premium` tier and explicitly selecting the `cluster_support_tier` as `AKSLongTermSupport`. For details see [Long term Support](https://learn.microsoft.com/en-us/azure/aks/long-term-support) and for which K8s version has long term support see [AKS Kubernetes release calendar](https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli#aks-kubernetes-release-calendar).|
 | aks_cluster_run_command_enabled | Enable or disable the AKS Run Command feature | bool | false | The AKS Run Command feature in AKS allows you to remotely execute commands within a running container of your AKS cluster directly from the Azure CLI or Azure portal. To enable the Run Command feature for an AKS cluster where Run Command is disabled, navigate to the Run Command tab for your AKS Cluster in the Azure Portal and select the Enable button. |
@@ -230,17 +235,18 @@ Ubuntu 20.04 LTS is the operating system used on the Jump/NFS servers. Ubuntu cr
 
 ### Additional Node Pools
 
-Additional node pools can be created separate from the default node pool. This is done with the `node_pools` variable, which is a map of objects. Irrespective of the default values, the following variables are required for each node pool:
+Additional node pools can be created separate from the default node pool. This is done with the `node_pools` variable, which is a map of objects. Irrespective of the default values, the following variables are required for each node pool unless marked optional:
 
 | Name | Description | Type | Notes |
 | :--- | ---: | ---: | ---: |
 | machine_type | Type of the node pool VMs | string | |
 | os_disk_size | Disk size for node pool VMs in GB | number | |
 | min_nodes | Minimum number of nodes for the node pool | number | Value must be between 0 and 100. Setting min and max node counts to the same value disables autoscaling |
 | max_nodes | Maximum number of nodes for the node pool | number | Value must be between 0 and 100. Setting min and max node counts to the same value disables autoscaling |
-| max_pods | Maximum number of pods per node | number | Default is 110
+| max_pods | Maximum number of pods per node | number | Default is 110 |
 | node_taints | Taints for the node pool VMs | list of strings | |
 | node_labels | Labels to add to the node pool VMs | map | |
+| vm_max_map_count (Optional) | Linux kernel parameter that defines the maximum number of memory map areas that a process can have | map | Value is set as follows: "linux_os_config" = {"sysctl_config" = {"vm_max_map_count" = 262144}} |
 
 The default values for the `node_pools` variable are as follows:
 

main.tf

@@ -135,6 +135,7 @@ module "aks" {
   aks_cluster_dns_prefix                   = "${var.prefix}-aks"
   aks_cluster_sku_tier                     = var.aks_cluster_sku_tier
   aks_cluster_location                     = var.location
+  node_resource_group_name                 = var.node_resource_group_name != "" ? var.node_resource_group_name : "MC_${local.aks_rg.name}_${var.prefix}-aks_${var.location}"
   cluster_support_tier                     = var.cluster_support_tier
   fips_enabled                             = var.fips_enabled
   aks_cluster_node_auto_scaling            = var.default_nodepool_min_nodes == var.default_nodepool_max_nodes ? false : true
@@ -213,6 +214,7 @@ module "node_pools" {
   orchestrator_version         = var.kubernetes_version
   host_encryption_enabled      = var.aks_cluster_enable_host_encryption
   tags                         = var.tags
+  linux_os_config              = each.value.linux_os_config
 }
 
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server

modules/aks_node_pool/main.tf

@@ -29,6 +29,12 @@ resource "azurerm_kubernetes_cluster_node_pool" "autoscale_node_pool" {
   lifecycle {
     ignore_changes = [node_count]
   }
+
+  linux_os_config {
+    sysctl_config {
+      vm_max_map_count = try(var.linux_os_config.sysctl_config.vm_max_map_count,null)
+    }
+  }
 }
 
 resource "azurerm_kubernetes_cluster_node_pool" "static_node_pool" {
@@ -52,4 +58,10 @@ resource "azurerm_kubernetes_cluster_node_pool" "static_node_pool" {
   node_taints                  = var.node_taints
   orchestrator_version         = var.orchestrator_version
   tags                         = var.tags
+
+  linux_os_config {
+    sysctl_config {
+      vm_max_map_count = try(var.linux_os_config.sysctl_config.vm_max_map_count,null)
+    }
+  }
 }

modules/aks_node_pool/variables.tf

@@ -115,3 +115,13 @@ variable "proximity_placement_group_id" {
   type        = string
   default     = ""
 }
+
+variable "linux_os_config"{
+  description = "Specifications of linux os config. Changing this forces a new resource to be created."
+  type = object({
+      sysctl_config = optional(object({
+        vm_max_map_count = optional(number)
+        }))
+      })
+  default = {}
+}

modules/azure_aks/main.tf

@@ -6,6 +6,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
   name                       = var.aks_cluster_name
   location                   = var.aks_cluster_location
   resource_group_name        = var.aks_cluster_rg
+  node_resource_group        = var.node_resource_group_name
   dns_prefix                 = var.aks_private_cluster == false || var.aks_cluster_private_dns_zone_id == "" ? var.aks_cluster_dns_prefix : null
   dns_prefix_private_cluster = var.aks_private_cluster && var.aks_cluster_private_dns_zone_id != "" ? var.aks_cluster_dns_prefix : null
 
@@ -139,7 +140,7 @@ data "azurerm_public_ip" "cluster_public_ip" {
 
   # effective_outbound_ips is a set of strings, that needs to be converted to a list type
   name                = split("/", tolist(azurerm_kubernetes_cluster.aks.network_profile[0].load_balancer_profile[0].effective_outbound_ips)[0])[8]
-  resource_group_name = "MC_${var.aks_cluster_rg}_${var.aks_cluster_name}_${var.aks_cluster_location}"
+  resource_group_name = var.node_resource_group_name
 
   depends_on = [azurerm_kubernetes_cluster.aks]
 }

modules/azure_aks/variables.tf

@@ -265,3 +265,8 @@ variable "aks_cluster_run_command_enabled" {
   type        = bool
   default     = false
 }
+
+variable "node_resource_group_name" {
+  type    = string
+  default = ""
+}

variables.tf

@@ -562,6 +562,11 @@ variable "node_pools" {
     max_pods     = string
     node_taints  = list(string)
     node_labels  = map(string)
+    linux_os_config = optional(object({
+      sysctl_config = optional(object({
+        vm_max_map_count = optional(number)
+      }))
+    }))
   }))
 
   default = {
@@ -814,3 +819,9 @@ variable "aks_cluster_run_command_enabled" {
   type        = bool
   default     = false
 }
+
+variable "node_resource_group_name" {
+  description = "Resource group name for the AKS cluster resources."
+  type    = string
+  default = ""
+}