Merge branch 'staging' into kubelet_disk_type_temp

Author: Carus11

.dockerignore

@@ -2,5 +2,4 @@ docs/
 *.md
 *.txt
 terraform.tfstate*
-examples/
 .terraform/

.github/workflows/default_plan_unit_tests.yml

@@ -0,0 +1,33 @@
+# Copyright © 2025, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Default Plan Unit Tests
+on:
+  push:
+    branches: ['**'] # '*' will cause the workflow to run on all commits to all branches.
+
+jobs:
+  go-tests:
+    name: Default Plan Unit Tests
+    runs-on: ubuntu-latest
+    environment: terraformSecrets
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+      - name: Build Docker Image
+        run: docker build -t viya4-iac-azure:terratest -f Dockerfile.terratest .
+      - name: Run Tests
+        run: |
+          docker run \
+            -e TF_VAR_subscription_id=$TF_VAR_subscription_id \
+            -e TF_VAR_tenant_id=$TF_VAR_tenant_id \
+            -e TF_VAR_client_id=$TF_VAR_client_id \
+            -e TF_VAR_client_secret=$TF_VAR_client_secret \
+            -v $(pwd):/viya4-iac-azure \
+            viya4-iac-azure:terratest -v
+        env:
+          # TF ENVIRONMENT
+          TF_VAR_subscription_id: "${{ secrets.TF_VAR_SUBSCRIPTION_ID }}"
+          TF_VAR_tenant_id: "${{ secrets.TF_VAR_TENANT_ID }}"
+          TF_VAR_client_id: "${{ secrets.TF_VAR_CLIENT_ID }}"
+          TF_VAR_client_secret: "${{ secrets.TF_VAR_CLIENT_SECRET }}"

.github/workflows/linter-analysis.yaml

@@ -46,6 +46,12 @@ jobs:
         path: ~/.tflint.d/plugins
         key: ubuntu-latest-tflint-${{ hashFiles('.tflint.hcl') }}
 
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: "^1.10.5"
+        terraform_wrapper: false
+
     - name: Setup TFLint
       uses: terraform-linters/[email protected]
       with:

.gitignore

@@ -9,3 +9,8 @@ terraform.tfvars
 .terraform.lock.hcl
 .DS_Store
 sas_iac_buildinfo.yaml
+.idea
+.vscode
+test/bin
+test/pkg
+test/test_output

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+---
+default_stages: [pre-commit]
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.23.3
+    hooks:
+      - id: gitleaks
+
+ci:
+  autofix_prs: false
+  autoupdate_commit_msg: "chore: auto-update of pre-commit hooks"

CONTRIBUTING.md

@@ -1,19 +1,27 @@
 # How to Contribute
-We'd love to accept your patches and contributions to this project.
-We just ask that you follow our contribution guidelines when you do.
+This project is community-driven, and we'd love to accept your patches and contributions.
+We just ask that you follow our contribution guidelines when you do. Refer
+to the [Contributor Handbook](https://sassoftware.github.io/contributor-handbook.html)
+for guidance.
 
 ## Contributor License Agreement
 Contributions to this project must be accompanied by a signed [Contributor Agreement](ContributorAgreement.txt).
-You (or your employer) retain the copyright to your contribution; this simply grants us permission to use and redistribute your contributions as part of the project.
+You (or your employer) retain the copyright to your contribution; this agreement simply grants
+us permission to use and redistribute your contributions as part of the project.
 
-## Code reviews
-All submissions to this project—including submissions from project members—require review.
-Our review process typically involves performing unit tests, development tests, integration tests, and security scans using internal SAS infrastructure.
-For this reason, we don’t often merge pull requests directly from GitHub.
+## Code Reviews
+All submissions to this project—including submissions from project members—require
+review. Our review process typically involves performing unit tests, development
+tests, integration tests, and security scans.
 
-Instead, we work with submissions internally first, vetting them to ensure they meet our security and quality standards.
-We’ll do our best to work with contributors in public issues and pull requests; however, to ensure our code meets our internal compliance standards, we may need to incorporate your submission into a solution we push ourselves.
+## Pull Request Requirement
+All contributions (PRs) must be accompanied by passing unit and/or integration
+tests, following our  [testing philosophy](./docs/user/TestingPhilosophy.md). If you are unfamiliar with this process,
+we are happy to help you navigate it by providing continuous collaboration within the pull request.
+All pull requests must also pass our linter analysis checks. Contributions might
+be subjected to security scans before they can be accepted.
 
-This does not mean we don’t value or appreciate your contribution.
-We simply need to review your code internally before merging it.
-We work to ensure all contributors receive appropriate recognition for their contributions, at least by acknowledging them in our release notes.
+## Security Scans
+To ensure that all submissions meet our security and quality standards, we perform security
+scans using internal SAS infrastructure. Reporting of any Common Vulnerabilities and Exposures
+(CVEs) that are detected is not available in this project at this time.

Dockerfile

@@ -1,23 +1,23 @@
-ARG TERRAFORM_VERSION=1.9.6
-ARG AZURECLI_VERSION=2.64.0
+ARG TERRAFORM_VERSION=1.10.5
+ARG AZURECLI_VERSION=2.70.0
 
 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform
 FROM mcr.microsoft.com/azure-cli:$AZURECLI_VERSION
-ARG KUBECTL_VERSION=1.29.7
+ARG KUBECTL_VERSION=1.30.10
 
 WORKDIR /viya4-iac-azure
 
 COPY --from=terraform /bin/terraform /bin/terraform
 COPY . .
 
-RUN yum -y install git openssh jq which curl \
-  && yum clean all && rm -rf /var/cache/yum \
-  && curl -sLO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl \
+RUN tdnf -y install git which \
+  && tdnf clean all && rm -rf /var/cache/tdnf \
+  && curl -sLO https://dl.k8s.io/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl \
   && chmod 755 ./kubectl /viya4-iac-azure/docker-entrypoint.sh \
   && mv ./kubectl /usr/local/bin/kubectl \
-  && chmod g=u -R /etc/passwd /etc/group /viya4-iac-azure \
   && git config --system --add safe.directory /viya4-iac-azure \
-  && terraform init
+  && terraform init \
+  && chmod g=u -R /etc/passwd /etc/group /viya4-iac-azure
 
 ENV TF_VAR_iac_tooling=docker
 ENTRYPOINT ["/viya4-iac-azure/docker-entrypoint.sh"]

Dockerfile.terratest

@@ -0,0 +1,23 @@
+FROM golang:1.23
+
+# Install terraform from apt repository and terratest_log_parser
+RUN \
+    apt-get update \
+    && apt-get install -y jq lsb-release \
+    && wget -O - https://apt.releases.hashicorp.com/gpg \
+        | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
+        | tee /etc/apt/sources.list.d/hashicorp.list \
+    && apt update \
+    && apt install terraform \
+    && ssh-keygen -f ~/.ssh/id_rsa -P "" \
+    && go install github.com/gruntwork-io/terratest/cmd/terratest_log_parser@latest
+
+WORKDIR /viya4-iac-azure/test
+
+# Copy the test directory so it can install the go modules
+# during the docker build rather than the docker run
+COPY ./test ./
+RUN go mod tidy
+
+ENTRYPOINT ["/viya4-iac-azure/test/terratest_docker_entrypoint.sh"]

Makefile

@@ -0,0 +1,37 @@
+# Copyright © 2025, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# from .github/workflows/default_plan_unit_tests.yml
+
+IMAGE := viya4-iac-azure:terratest
+
+buildTests:
+ifeq ($(shell docker images -q $(IMAGE) 2> /dev/null),)
+	docker build -t $(IMAGE) -f Dockerfile.terratest .
+endif
+
+checkEnv:
+ifndef TF_VAR_subscription_id
+	$(error TF_VAR_subscription_id is undefined)
+endif
+ifndef TF_VAR_tenant_id
+	$(error TF_VAR_tenant_id is undefined)
+endif
+ifndef TF_VAR_client_id
+	$(error TF_VAR_client_id is undefined)
+endif
+ifndef TF_VAR_client_secret
+	$(error TF_VAR_client_secret is undefined)
+endif
+
+
+runTests: checkEnv buildTests
+	docker run -it --rm \
+            -e TF_VAR_subscription_id=$(TF_VAR_subscription_id) \
+            -e TF_VAR_tenant_id=$(TF_VAR_tenant_id) \
+            -e TF_VAR_client_id=$(TF_VAR_client_id) \
+            -e TF_VAR_client_secret=$(TF_VAR_client_secret) \
+            $(IMAGE) -v
+
+clean:
+	docker image rm $(IMAGE)

README.md

@@ -57,10 +57,10 @@ This project supports two options for running Terraform scripts:
 Access to an **Azure Subscription** and an [**Identity**](./docs/user/TerraformAzureAuthentication.md) with the *Contributor* role are required.
 
 #### Terraform Requirements:
-- [Terraform](https://www.terraform.io/downloads.html) - v1.9.6
-- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.29.7
+- [Terraform](https://www.terraform.io/downloads.html) - v1.10.5
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.30.10
 - [jq](https://stedolan.github.io/jq/) - v1.6
-- [Azure CLI](https://docs.microsoft.com/en-us/cli/azure) - (optional - useful as an alternative to the Azure Portal) - v2.64.0
+- [Azure CLI](https://docs.microsoft.com/en-us/cli/azure) - (optional - useful as an alternative to the Azure Portal) - v2.70.0
 
 #### Docker Requirements:
 - [Docker](https://docs.docker.com/get-docker/)