feat: (IAC-886) Enable FIPS support (#288)

riragh · web-flow · commit 52964a1631fd · 2023-03-21T14:39:57.000-05:00
* feat: (IAC-886) Enable FIPS support

* feat: (IAC-924) Update provider Kubernetes version
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 ARG TERRAFORM_VERSION=1.0.0
-ARG AZURECLI_VERSION=2.24.2
+ARG AZURECLI_VERSION=2.45.0
 
 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform
 FROM mcr.microsoft.com/azure-cli:$AZURECLI_VERSION
diff --git a/README.md b/README.md
@@ -60,7 +60,7 @@ Access to an **Azure Subscription** and an [**Identity**](./docs/user/TerraformA
 - [Terraform](https://www.terraform.io/downloads.html) - v1.0.0
 - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.24
 - [jq](https://stedolan.github.io/jq/) - v1.6
-- [Azure CLI](https://docs.microsoft.com/en-us/cli/azure) - (optional - useful as an alternative to the Azure Portal) - v2.24.2
+- [Azure CLI](https://docs.microsoft.com/en-us/cli/azure) - (optional - useful as an alternative to the Azure Portal) - v2.45.0
 
 #### Docker Requirements:
 - [Docker](https://docs.docker.com/get-docker/)
diff --git a/container-structure-test.yaml b/container-structure-test.yaml
@@ -29,7 +29,7 @@ commandTests:
       - -c
       - |
         az version -o tsv
-    expectedOutput: ["2.24.2\t2.24.2\t1.0.6"]
+    expectedOutput: ["2.45.0\t2.45.0\t1.0.8"]
 
 metadataTest:
   workdir: "/viya4-iac-azure"
diff --git a/iam.tf b/iam.tf
@@ -2,13 +2,13 @@
 # SPDX-License-Identifier: Apache-2.0
 
 data "azurerm_user_assigned_identity" "uai" {
-  count               = var.aks_identity == "uai" ? ( var.aks_uai_name == null ? 0 : 1 ) : 0
+  count               = var.aks_identity == "uai" ? (var.aks_uai_name == null ? 0 : 1) : 0
   name                = var.aks_uai_name
   resource_group_name = local.network_rg.name
 }
 
 resource "azurerm_user_assigned_identity" "uai" {
-  count               = var.aks_identity == "uai" ? ( var.aks_uai_name == null ? 1 : 0 ) : 0
+  count               = var.aks_identity == "uai" ? (var.aks_uai_name == null ? 1 : 0) : 0
   name                = "${var.prefix}-aks-identity"
   resource_group_name = local.aks_rg.name
   location            = var.location
diff --git a/locals.tf b/locals.tf
@@ -23,9 +23,9 @@ locals {
   kubeconfig_path     = var.iac_tooling == "docker" ? "/workspace/${local.kubeconfig_filename}" : local.kubeconfig_filename
 
   # PostgreSQL
-  default_postgres_configuration = [{name: "max_prepared_transactions", value: 1024}]
-  postgres_servers        = var.postgres_servers == null ? {} : { for k, v in var.postgres_servers : k => merge(var.postgres_server_defaults, v, ) }
-  postgres_firewall_rules = [for addr in local.postgres_public_access_cidrs : { "name" : replace(replace(addr, "/", "_"), ".", "_"), "start_ip" : cidrhost(addr, 0), "end_ip" : cidrhost(addr, abs(pow(2, 32 - split("/", addr)[1]) - 1)) }]
+  default_postgres_configuration = [{ name : "max_prepared_transactions", value : 1024 }]
+  postgres_servers               = var.postgres_servers == null ? {} : { for k, v in var.postgres_servers : k => merge(var.postgres_server_defaults, v, ) }
+  postgres_firewall_rules        = [for addr in local.postgres_public_access_cidrs : { "name" : replace(replace(addr, "/", "_"), ".", "_"), "start_ip" : cidrhost(addr, 0), "end_ip" : cidrhost(addr, abs(pow(2, 32 - split("/", addr)[1]) - 1)) }]
 
   postgres_outputs = length(module.flex_postgresql) != 0 ? { for k, v in module.flex_postgresql :
     k => {
diff --git a/main.tf b/main.tf
@@ -135,6 +135,7 @@ module "aks" {
   aks_cluster_dns_prefix                   = "${var.prefix}-aks"
   aks_cluster_sku_tier                     = var.aks_cluster_sku_tier
   aks_cluster_location                     = var.location
+  fips_enabled                             = var.fips_enabled
   aks_cluster_node_auto_scaling            = var.default_nodepool_min_nodes == var.default_nodepool_max_nodes ? false : true
   aks_cluster_node_count                   = var.default_nodepool_min_nodes
   aks_cluster_min_nodes                    = var.default_nodepool_min_nodes == var.default_nodepool_max_nodes ? null : var.default_nodepool_min_nodes
@@ -189,6 +190,7 @@ module "node_pools" {
   aks_cluster_id = module.aks.cluster_id
   vnet_subnet_id = module.vnet.subnets["aks"].id
   machine_type   = each.value.machine_type
+  fips_enabled   = var.fips_enabled
   os_disk_size   = each.value.os_disk_size
   # TODO: enable with azurerm v2.37.0
   #  os_disk_type                 = each.value.os_disk_type
@@ -223,9 +225,9 @@ module "flex_postgresql" {
   server_version               = each.value.server_version
   firewall_rule_prefix         = "${var.prefix}-${each.key}-postgres-firewall-"
   firewall_rules               = local.postgres_firewall_rules
-  postgresql_configurations    = each.value.ssl_enforcement_enabled ? concat(each.value.postgresql_configurations, local.default_postgres_configuration) : concat(
-    each.value.postgresql_configurations, [{name: "require_secure_transport", value: "OFF"}], local.default_postgres_configuration)
-  tags                         = var.tags
+  postgresql_configurations = each.value.ssl_enforcement_enabled ? concat(each.value.postgresql_configurations, local.default_postgres_configuration) : concat(
+  each.value.postgresql_configurations, [{ name : "require_secure_transport", value : "OFF" }], local.default_postgres_configuration)
+  tags = var.tags
 }
 
 module "netapp" {
diff --git a/modules/aks_node_pool/main.tf b/modules/aks_node_pool/main.tf
@@ -9,6 +9,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "autoscale_node_pool" {
   kubernetes_cluster_id        = var.aks_cluster_id
   vnet_subnet_id               = var.vnet_subnet_id
   zones                        = var.zones
+  fips_enabled                 = var.fips_enabled
   proximity_placement_group_id = var.proximity_placement_group_id == "" ? null : var.proximity_placement_group_id
   vm_size                      = var.machine_type
   os_disk_size_gb              = var.os_disk_size
@@ -38,6 +39,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "static_node_pool" {
   kubernetes_cluster_id        = var.aks_cluster_id
   vnet_subnet_id               = var.vnet_subnet_id
   zones                        = var.zones
+  fips_enabled                 = var.fips_enabled
   proximity_placement_group_id = var.proximity_placement_group_id == "" ? null : var.proximity_placement_group_id
   vm_size                      = var.machine_type
   os_disk_size_gb              = var.os_disk_size
diff --git a/modules/aks_node_pool/variables.tf b/modules/aks_node_pool/variables.tf
@@ -17,6 +17,12 @@ variable "zones" {
   default     = []
 }
 
+variable "fips_enabled" {
+  description = "Should the nodes in this Node Pool have Federal Information Processing Standard enabled? Changing this forces a new resource to be created."
+  type        = bool
+  default     = false
+}
+
 variable "vnet_subnet_id" {
   description = "The ID of the Subnet where this Node Pool should exist. Changing this forces a new resource to be created."
   type        = string
diff --git a/modules/azure_aks/main.tf b/modules/azure_aks/main.tf
@@ -55,6 +55,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
     enable_node_public_ip = false
     node_labels           = {}
     node_taints           = []
+    fips_enabled          = var.fips_enabled
     max_pods              = var.aks_cluster_max_pods
     os_disk_size_gb       = var.aks_cluster_os_disk_size
     max_count             = var.aks_cluster_max_nodes
diff --git a/modules/azure_aks/variables.tf b/modules/azure_aks/variables.tf
@@ -38,6 +38,12 @@ variable "aks_cluster_sku_tier" {
   }
 }
 
+variable "fips_enabled" {
+  description = "Should the nodes in this Node Pool have Federal Information Processing Standard enabled? Changing this forces a new resource to be created."
+  type        = bool
+  default     = false
+}
+
 variable "aks_private_cluster" {
   description = "Enables cluster API endpoint to use Private IP address"
   type        = bool
diff --git a/modules/azurerm_vm/main.tf b/modules/azurerm_vm/main.tf
@@ -85,11 +85,20 @@ resource "azurerm_linux_virtual_machine" "vm" {
 
   source_image_reference {
     publisher = var.os_publisher
-    offer     = var.os_offer
-    sku       = var.os_sku
+    offer     = var.fips_enabled ? "0001-com-ubuntu-pro-focal-fips" : var.os_offer
+    sku       = var.fips_enabled ? "pro-fips-20_04-gen2" : var.os_sku
     version   = var.os_version
   }
 
+  dynamic "plan" {
+    for_each = var.fips_enabled ? [1] : []
+    content {
+      name       = "pro-fips-20_04-gen2"
+      publisher  = "canonical"
+      product    = "0001-com-ubuntu-pro-focal-fips"
+    }
+  }
+
   additional_capabilities {
     ultra_ssd_enabled = var.data_disk_storage_account_type == "UltraSSD_LRS" ? true : false
   }
diff --git a/modules/azurerm_vm/variables.tf b/modules/azurerm_vm/variables.tf
@@ -44,6 +44,12 @@ variable "vm_zone" {
   default     = null
 }
 
+variable "fips_enabled" {
+  description = "Should the nodes in this Node Pool have Federal Information Processing Standard enabled? Changing this forces a new resource to be created."
+  type        = bool
+  default     = false
+}
+
 variable "ssh_public_key" {
   description = "Path to ssh public key"
   type        = string
diff --git a/variables.tf b/variables.tf
@@ -69,6 +69,15 @@ variable "aks_cluster_sku_tier" {
   }
 }
 
+## Enable FIPS support - Experimental
+## Before your subscription can be used to enable the FIPS support, you need to accept the legal terms of the image. To accept the terms please run following az command before deploying cluster:
+### `az vm image terms accept --urn Canonical:0001-com-ubuntu-pro-focal-fips:pro-fips-20_04-gen2:latest --subscription $subscription_id`
+variable "fips_enabled" {
+  description = "Enables the Federal Information Processing Standard for the nodes in this cluster's Node Pool. Changing this forces a new resource to be created."
+  type        = bool
+  default     = false
+}
+
 variable "ssh_public_key" {
   description = "A custom ssh key to control access to the AKS cluster. Changing this forces a new resource to be created."
   type        = string
diff --git a/versions.tf b/versions.tf
@@ -40,7 +40,7 @@ terraform {
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = "2.13.0"
+      version = "2.14.0"
     }
   }
 }
diff --git a/vms.tf b/vms.tf
@@ -2,14 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 
 locals {
-  rwx_filestore_endpoint  = ( var.storage_type == "none"
-                              ? ""
-                              : var.storage_type == "ha" ? module.netapp.0.netapp_endpoint : module.nfs.0.private_ip_address 
-                            )
- rwx_filestore_path      = ( var.storage_type == "none"
-                              ? ""
-                              : var.storage_type == "ha" ? module.netapp.0.netapp_path : "/export"
-                           )
+  rwx_filestore_endpoint = (var.storage_type == "none"
+    ? ""
+    : var.storage_type == "ha" ? module.netapp.0.netapp_endpoint : module.nfs.0.private_ip_address
+  )
+  rwx_filestore_path = (var.storage_type == "none"
+    ? ""
+    : var.storage_type == "ha" ? module.netapp.0.netapp_path : "/export"
+  )
 }
 
 
@@ -18,17 +18,17 @@ data "template_file" "jump-cloudconfig" {
   count    = var.create_jump_vm ? 1 : 0
 
   vars = {
-    mounts = ( var.storage_type == "none"
-               ? "[]"
-               : jsonencode(
-                  [ "${local.rwx_filestore_endpoint}:${local.rwx_filestore_path}",
-                    "${var.jump_rwx_filestore_path}",
-                    "nfs",
-                    "_netdev,auto,x-systemd.automount,x-systemd.mount-timeout=10,timeo=14,x-systemd.idle-timeout=1min,relatime,hard,rsize=1048576,wsize=1048576,vers=3,tcp,namlen=255,retrans=2,sec=sys,local_lock=none",
-                    "0",
-                    "0"
-                  ])
-             )
+    mounts = (var.storage_type == "none"
+      ? "[]"
+      : jsonencode(
+        ["${local.rwx_filestore_endpoint}:${local.rwx_filestore_path}",
+          "${var.jump_rwx_filestore_path}",
+          "nfs",
+          "_netdev,auto,x-systemd.automount,x-systemd.mount-timeout=10,timeo=14,x-systemd.idle-timeout=1min,relatime,hard,rsize=1048576,wsize=1048576,vers=3,tcp,namlen=255,retrans=2,sec=sys,local_lock=none",
+          "0",
+          "0"
+      ])
+    )
     rwx_filestore_endpoint  = local.rwx_filestore_endpoint
     rwx_filestore_path      = local.rwx_filestore_path
     jump_rwx_filestore_path = var.jump_rwx_filestore_path
@@ -49,7 +49,7 @@ data "template_cloudinit_config" "jump" {
 }
 
 module "jump" {
-  source            = "./modules/azurerm_vm"
+  source = "./modules/azurerm_vm"
 
   count             = var.create_jump_vm ? 1 : 0
   name              = "${var.prefix}-jump"
@@ -61,6 +61,7 @@ module "jump" {
   tags              = var.tags
   vm_admin          = var.jump_vm_admin
   vm_zone           = var.jump_vm_zone
+  fips_enabled      = var.fips_enabled
   ssh_public_key    = local.ssh_public_key
   cloud_init        = data.template_cloudinit_config.jump.0.rendered
   create_public_ip  = var.create_jump_public_ip
@@ -92,7 +93,7 @@ data "template_cloudinit_config" "nfs" {
 }
 
 module "nfs" {
-  source                         = "./modules/azurerm_vm"
+  source = "./modules/azurerm_vm"
 
   count                          = var.storage_type == "standard" ? 1 : 0
   name                           = "${var.prefix}-nfs"
@@ -105,6 +106,7 @@ module "nfs" {
   tags                           = var.tags
   vm_admin                       = var.nfs_vm_admin
   vm_zone                        = var.nfs_vm_zone
+  fips_enabled                   = var.fips_enabled
   ssh_public_key                 = local.ssh_public_key
   cloud_init                     = data.template_cloudinit_config.nfs.0.rendered
   create_public_ip               = var.create_nfs_public_ip
@@ -116,12 +118,12 @@ module "nfs" {
 }
 
 resource "azurerm_network_security_rule" "vm-ssh" {
-  name                        = "${var.prefix}-ssh"
-  description                 = "Allow SSH from source"
-  count                       = ( length(local.vm_public_access_cidrs) > 0
-                                  && (( var.create_jump_public_ip && var.create_jump_vm ) || (var.create_nfs_public_ip && var.storage_type == "standard"))
-                                  ? 1 : 0
-                                )
+  name        = "${var.prefix}-ssh"
+  description = "Allow SSH from source"
+  count = (length(local.vm_public_access_cidrs) > 0
+    && ((var.create_jump_public_ip && var.create_jump_vm) || (var.create_nfs_public_ip && var.storage_type == "standard"))
+    ? 1 : 0
+  )
   priority                    = 120
   direction                   = "Inbound"
   access                      = "Allow"

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,12 @@ variable "aks_cluster_sku_tier" {`
`38`	`38`	`}`
`39`	`39`	`}`
`40`	`40`
	`41`	`+variable "fips_enabled" {`
	`42`	`+ description = "Should the nodes in this Node Pool have Federal Information Processing Standard enabled? Changing this forces a new resource to be created."`
	`43`	`+ type = bool`
	`44`	`+ default = false`
	`45`	`+}`
	`46`	`+`
`41`	`47`	`variable "aks_private_cluster" {`
`42`	`48`	`description = "Enables cluster API endpoint to use Private IP address"`
`43`	`49`	`type = bool`