Merge pull request #342 from sassoftware/staging

riragh · web-flow · commit d20ef07953dd · 2023-10-19T08:08:13.000-05:00
8.3.0 - October 19, 2023
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
@@ -193,6 +193,7 @@ Ubuntu 20.04 LTS is the operating system used on the Jump/NFS servers. Ubuntu cr
 | aks_identity | Use UserAssignedIdentity or Service Principal as  [AKS identity](https://docs.microsoft.com/en-us/azure/aks/concepts-identity) | string | "uai" | A value of `uai` wil create a Managed Identity based on the permissions of the authenticated user or use [`AKS_UAI_NAME`](#use-existing), if set. A value of `sp` will use values from [`CLIENT_ID`/`CLIENT_SECRET`](#azure-authentication), if set. |
 | ssh_public_key | File name of public ssh key for jump and nfs VM | string | "~/.ssh/id_rsa.pub" | Required with `create_jump_vm=true` or `storage_type=standard` |
 | cluster_api_mode | Public or private IP for the cluster api | string | "public" | Valid Values: "public", "private" |
+| aks_cluster_private_dns_zone_id | Specifies private DNS zone resource ID for AKS private cluster to use | string | "" | For `cluster_api_mode=private` if `aks_cluster_private_dns_zone_id` is not specified then the value `System` is used else it is set to null. For details see [Configure a private DNS zone](https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=azure-portal#configure-a-private-dns-zone) |
 | aks_cluster_sku_tier | Optimizes api server for cost vs availability | string | "Free" | Valid Values:  "Free", "Standard" | 
 
 ## Node Pools
@@ -359,7 +360,7 @@ Each server element, like `foo = {}`, can contain none, some, or all of the para
 | administrator_password | The Password associated with the administrator_login for the PostgreSQL Flexible Server | string | "my$up3rS3cretPassw0rd" | The password must contain between 8 and 128 characters and must contain characters from three of the following categories: English uppercase letters, English lowercase letters, numbers (0 through 9), and non-alphanumeric characters (!, $, #, %, etc.). |
 | server_version | The version of the PostgreSQL Flexible server instance | string | "13" | Refer to the [SAS Viya Platform Administration Guide](https://go.documentation.sas.com/doc/en/sasadmincdc/default/itopssr/p05lfgkwib3zxbn1t6nyihexp12n.htm?fromDefault=#p1wq8ouke3c6ixn1la636df9oa1u) for the supported versions of PostgreSQL for the SAS Viya platform. |
 | ssl_enforcement_enabled | Enforce SSL on connection to the Azure Database for PostgreSQL Flexible server instance | bool | true | |
-| connectivity_method | Network connectivity option to connect to your flexible server. There are two connectivity options available: Public access (allowed IP addresses) and Private access (VNet Integration). Defaults to public access with firewall rules enabled.| string | "public" | Valid options are `public` and `private`. See details [here](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking) |
+| connectivity_method | Network connectivity option to connect to your flexible server. There are two connectivity options available: Public access (allowed IP addresses) and Private access (VNet Integration). Defaults to public access with firewall rules enabled.| string | "public" | Valid options are `public` and `private`. See sample input file [here](../examples/sample-input-postgres.tfvars) and Private access documentation [here](./user/PostgreSQLPrivateAccess.md). For more details see [Networking overview](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking) |
 | postgresql_configurations | Sets a PostgreSQL Configuration value on a Azure PostgreSQL Flexible Server | list(object) | [] | More details can be found [here](https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/howto-configure-server-parameters-using-cli) |
 
 Multiple SAS offerings require a second PostgreSQL instance referred to as SAS Common Data Store, or CDS PostgreSQL. For more information, see [Common Customizations](https://go.documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=dplyml0phy0dkr&docsetTarget=n08u2yg8tdkb4jn18u8zsi6yfv3d.htm#p0wkxxi9s38zbzn19ukjjaxsc0kl). A list of SAS offerings that require CDS PostgreSQL is provided in [SAS Common Data Store Requirements](https://go.documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=itopssr&docsetTarget=p05lfgkwib3zxbn1t6nyihexp12n.htm#n03wzanutmc6gon1val5fykas9aa). To create and configure an external CDS PostgreSQL instance in addition to the external platform PostgreSQL instance named `default`, specify `cds-postgres` as a second PostgreSQL instance, as shown in the example below.
diff --git a/docs/user/PostgreSQLPrivateAccess.md b/docs/user/PostgreSQLPrivateAccess.md
@@ -9,7 +9,7 @@ In this document, we will focus on PostgreSQL server with Private access (VNet I
 
 You can deploy a flexible server into your Azure virtual network (VNet). Azure virtual networks provide private and secure network communication. Resources in a virtual network can communicate through private IP addresses that were assigned on this network. In Private access, the connections to the PostgreSQL server are restricted to only within your virtual network. To learn more about it, refer to [Private access (VNet Integration)](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking#private-access-vnet-integration).
 
-To create PostgreSQL Flexible Server with the private access connectivity method use the example file provided [here](../../examples/sample-input-ppg.tfvars).
+To create PostgreSQL Flexible Server with the private access connectivity method use the example file provided [here](../../examples/sample-input-postgres.tfvars).
 
 # Connect Azure Database for PostgreSQL Flexible Server with the private access connectivity method
 
diff --git a/examples/sample-input-postgres.tfvars b/examples/sample-input-postgres.tfvars
@@ -0,0 +1,154 @@
+# !NOTE! - These are only a subset of CONFIG-VARS.md provided as examples.
+# Customize this file to add any variables from 'CONFIG-VARS.md' whose default
+# values you want to change.
+
+# ****************  REQUIRED VARIABLES  ****************
+# Values for these required variables MUST be provided
+prefix   = "<prefix-value>" # this is a prefix that you assign for the resources to be created
+location = "<azure-location-value>" # e.g., "eastus2"
+# ****************  REQUIRED VARIABLES  ****************
+
+# !NOTE! - Without specifying your CIDR block access rules, ingress traffic
+#          to your cluster will be blocked by default.
+
+# **************  RECOMMENDED  VARIABLES  ***************
+default_public_access_cidrs = [] # e.g., ["123.45.6.89/32"]
+ssh_public_key              = "~/.ssh/id_rsa.pub"
+# **************  RECOMMENDED  VARIABLES  ***************
+
+# Tags can be specified matching your tagging strategy.
+tags = {} # for example: { "owner|email" = "<you>@<domain>.<com>", "key1" = "value1", "key2" = "value2" }
+
+# PostgreSQL
+
+# Postgres config - By having this entry a database server is created. 
+#                   Default networking option: Public access (allowed IP addresses) is enabled
+#                   If you do not need an external database server remove the 'postgres_servers'
+#                   block below.
+postgres_servers = {
+  default = {},
+}
+
+# To use Private access (VNet Integration) remove the 'postgres_servers' block above and uncomment the blocks below:
+# postgres_servers and subnets
+
+# postgres_servers = {
+#   default = {
+#     connectivity_method = "private"
+#   }
+# }
+#
+# # Subnet for PostgreSQL
+# subnets = {
+#   aks = {
+#     "prefixes" : ["192.168.0.0/23"],
+#     "service_endpoints" : ["Microsoft.Sql"],
+#     "private_endpoint_network_policies_enabled" : true,
+#     "private_link_service_network_policies_enabled" : false,
+#     "service_delegations" : {},
+#   }
+#   misc = {
+#     "prefixes" : ["192.168.2.0/24"],
+#     "service_endpoints" : ["Microsoft.Sql"],
+#     "private_endpoint_network_policies_enabled" : true,
+#     "private_link_service_network_policies_enabled" : false,
+#     "service_delegations" : {},
+#   }
+#   netapp = {
+#     "prefixes" : ["192.168.3.0/24"],
+#     "service_endpoints" : [],
+#     "private_endpoint_network_policies_enabled" : false,
+#     "private_link_service_network_policies_enabled" : false,
+#     "service_delegations" : {
+#       netapp = {
+#         "name" : "Microsoft.Netapp/volumes"
+#         "actions" : ["Microsoft.Network/networkinterfaces/*", "Microsoft.Network/virtualNetworks/subnets/join/action"]
+#       }
+#     }
+#   }
+#   postgresql = {
+#     "prefixes": ["192.168.4.0/24"],
+#     "service_endpoints": ["Microsoft.Sql"],
+#     "private_endpoint_network_policies_enabled": true,
+#     "private_link_service_network_policies_enabled": false,
+#     "service_delegations": {
+#       flexpostgres = {
+#         "name"    : "Microsoft.DBforPostgreSQL/flexibleServers"
+#         "actions" : ["Microsoft.Network/virtualNetworks/subnets/join/action"]
+#       }
+#     }
+#   }
+# }
+
+# Azure Container Registry config
+create_container_registry           = false
+container_registry_sku              = "Standard"
+container_registry_admin_enabled    = false
+
+# AKS config
+kubernetes_version         = "1.26"
+default_nodepool_min_nodes = 2
+default_nodepool_vm_type   = "Standard_D8s_v4"
+
+# AKS Node Pools config
+node_pools = {
+  cas = {
+    "machine_type" = "Standard_E16s_v3"
+    "os_disk_size" = 200
+    "min_nodes"    = 1
+    "max_nodes"    = 1
+    "max_pods"     = 110
+    "node_taints"  = ["workload.sas.com/class=cas:NoSchedule"]
+    "node_labels" = {
+      "workload.sas.com/class" = "cas"
+    }
+  },
+  compute = {
+    "machine_type" = "Standard_E16s_v3"
+    "os_disk_size" = 200
+    "min_nodes"    = 1
+    "max_nodes"    = 1
+    "max_pods"     = 110
+    "node_taints"  = ["workload.sas.com/class=compute:NoSchedule"]
+    "node_labels" = {
+      "workload.sas.com/class"        = "compute"
+      "launcher.sas.com/prepullImage" = "sas-programming-environment"
+    }
+  },
+  stateless = {
+    "machine_type" = "Standard_D16s_v3"
+    "os_disk_size" = 200
+    "min_nodes"    = 1
+    "max_nodes"    = 2
+    "max_pods"     = 110
+    "node_taints"  = ["workload.sas.com/class=stateless:NoSchedule"]
+    "node_labels" = {
+      "workload.sas.com/class" = "stateless"
+    }
+  },
+  stateful = {
+    "machine_type" = "Standard_D8s_v3"
+    "os_disk_size" = 200
+    "min_nodes"    = 1
+    "max_nodes"    = 3
+    "max_pods"     = 110
+    "node_taints"  = ["workload.sas.com/class=stateful:NoSchedule"]
+    "node_labels" = {
+      "workload.sas.com/class" = "stateful"
+    }
+  }
+}
+
+# Jump Server
+create_jump_public_ip = true
+jump_vm_admin        = "jumpuser"
+jump_vm_machine_type = "Standard_B2s"
+
+# Storage for SAS Viya CAS/Compute
+storage_type = "standard"
+# required ONLY when storage_type is "standard" to create NFS Server VM
+create_nfs_public_ip = false
+nfs_vm_admin         = "nfsuser"
+nfs_vm_machine_type  = "Standard_D8s_v4"
+nfs_raid_disk_size   = 128
+nfs_raid_disk_type   = "Standard_LRS"
diff --git a/examples/sample-input-ppg.tfvars b/examples/sample-input-ppg.tfvars
@@ -19,8 +19,6 @@ ssh_public_key              = "~/.ssh/id_rsa.pub"
 # Tags can be specified matching your tagging strategy.
 tags = {} # for example: { "owner|email" = "<you>@<domain>.<com>", "key1" = "value1", "key2" = "value2" }
 
-# PostgreSQL
-
 # Postgres config - By having this entry a database server is created. 
 #                   Default networking option: Public access (allowed IP addresses) is enabled
 #                   If you do not need an external database server remove the 'postgres_servers'
@@ -29,57 +27,6 @@ postgres_servers = {
   default = {},
 }
 
-# To use Private access (VNet Integration) remove the 'postgres_servers' block above and uncomment the blocks below:
-# postgres_servers and subnets
-
-# postgres_servers = {
-#   default = {
-#     connectivity_method = "private"
-#   }
-# }
-#
-# # Subnet for PostgreSQL
-# subnets = {
-#   aks = {
-#     "prefixes" : ["192.168.0.0/23"],
-#     "service_endpoints" : ["Microsoft.Sql"],
-#     "private_endpoint_network_policies_enabled" : true,
-#     "private_link_service_network_policies_enabled" : false,
-#     "service_delegations" : {},
-#   }
-#   misc = {
-#     "prefixes" : ["192.168.2.0/24"],
-#     "service_endpoints" : ["Microsoft.Sql"],
-#     "private_endpoint_network_policies_enabled" : true,
-#     "private_link_service_network_policies_enabled" : false,
-#     "service_delegations" : {},
-#   }
-#   netapp = {
-#     "prefixes" : ["192.168.3.0/24"],
-#     "service_endpoints" : [],
-#     "private_endpoint_network_policies_enabled" : false,
-#     "private_link_service_network_policies_enabled" : false,
-#     "service_delegations" : {
-#       netapp = {
-#         "name" : "Microsoft.Netapp/volumes"
-#         "actions" : ["Microsoft.Network/networkinterfaces/*", "Microsoft.Network/virtualNetworks/subnets/join/action"]
-#       }
-#     }
-#   }
-#   postgresql = {
-#     "prefixes": ["192.168.4.0/24"],
-#     "service_endpoints": ["Microsoft.Sql"],
-#     "private_endpoint_network_policies_enabled": true,
-#     "private_link_service_network_policies_enabled": false,
-#     "service_delegations": {
-#       flexpostgres = {
-#         "name"    : "Microsoft.DBforPostgreSQL/flexibleServers"
-#         "actions" : ["Microsoft.Network/virtualNetworks/subnets/join/action"]
-#       }
-#     }
-#   }
-# }
-
 # Azure Container Registry config
 create_container_registry           = false
 container_registry_sku              = "Standard"
diff --git a/main.tf b/main.tf
@@ -145,6 +145,7 @@ module "aks" {
   aks_cluster_node_vm_size                 = var.default_nodepool_vm_type
   aks_cluster_node_admin                   = var.node_vm_admin
   aks_cluster_ssh_public_key               = try(file(var.ssh_public_key), "")
+  aks_cluster_private_dns_zone_id          = var.aks_cluster_private_dns_zone_id
   aks_vnet_subnet_id                       = module.vnet.subnets["aks"].id
   kubernetes_version                       = var.kubernetes_version
   aks_cluster_endpoint_public_access_cidrs = var.cluster_api_mode == "private" ? [] : local.cluster_endpoint_public_access_cidrs # "Private cluster cannot be enabled with AuthorizedIPRanges.""
diff --git a/modules/azure_aks/main.tf b/modules/azure_aks/main.tf
@@ -6,7 +6,9 @@ resource "azurerm_kubernetes_cluster" "aks" {
   name                               = var.aks_cluster_name
   location                           = var.aks_cluster_location
   resource_group_name                = var.aks_cluster_rg
-  dns_prefix                         = var.aks_cluster_dns_prefix
+  dns_prefix                         = var.aks_private_cluster == false || var.aks_cluster_private_dns_zone_id == "" ? var.aks_cluster_dns_prefix : null
+  dns_prefix_private_cluster         = var.aks_private_cluster && var.aks_cluster_private_dns_zone_id != "" ? var.aks_cluster_dns_prefix : null
+
   sku_tier                           = var.aks_cluster_sku_tier
   role_based_access_control_enabled  = true
   http_application_routing_enabled   = false
@@ -16,7 +18,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
   kubernetes_version                 = var.kubernetes_version
   api_server_authorized_ip_ranges    = var.aks_cluster_endpoint_public_access_cidrs
   private_cluster_enabled            = var.aks_private_cluster
-  private_dns_zone_id                = var.aks_private_cluster ? "System" : null
+  private_dns_zone_id                = var.aks_private_cluster && var.aks_cluster_private_dns_zone_id != "" ? var.aks_cluster_private_dns_zone_id : (var.aks_private_cluster ? "System" : null)
 
   network_profile {
     network_plugin = var.aks_network_plugin
diff --git a/modules/azure_aks/variables.tf b/modules/azure_aks/variables.tf
@@ -223,3 +223,8 @@ variable "cluster_egress_type" {
   type        = string
   default     = "loadBalancer"
 }
+
+variable "aks_cluster_private_dns_zone_id" {
+  type = string
+  default = ""
+}
diff --git a/outputs.tf b/outputs.tf
@@ -26,6 +26,10 @@ output "aks_cluster_password" {
   sensitive = true
 }
 
+output "aks_pod_cidr" {
+  value = var.aks_pod_cidr
+}
+
 # postgres
 
 output "postgres_servers" {
diff --git a/variables.tf b/variables.tf
@@ -754,6 +754,12 @@ variable "aks_identity" {
   }
 }
 
+variable "aks_cluster_private_dns_zone_id" {
+  description = "Specify private DNS zone resource ID for AKS private cluster to use."
+  type = string
+  default = ""
+}
+
 ## Message Broker - Azure Service Bus - Experimental
 variable "create_azure_message_broker" {
   description = "Allows user to create a fully managed enterprise message broker: Azure Service Bus"

Original file line number	Diff line number	Diff line change
`@@ -223,3 +223,8 @@ variable "cluster_egress_type" {`
`223`	`223`	`type = string`
`224`	`224`	`default = "loadBalancer"`
`225`	`225`	`}`
	`226`	`+`
	`227`	`+variable "aks_cluster_private_dns_zone_id" {`
	`228`	`+ type = string`
	`229`	`+ default = ""`
	`230`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,10 @@ output "aks_cluster_password" {`
`26`	`26`	`sensitive = true`
`27`	`27`	`}`
`28`	`28`
	`29`	`+output "aks_pod_cidr" {`
	`30`	`+ value = var.aks_pod_cidr`
	`31`	`+}`
	`32`	`+`
`29`	`33`	`# postgres`
`30`	`34`
`31`	`35`	`output "postgres_servers" {`
Original file line number	Diff line number	Diff line change
`@@ -754,6 +754,12 @@ variable "aks_identity" {`
`754`	`754`	`}`
`755`	`755`	`}`
`756`	`756`
	`757`	`+variable "aks_cluster_private_dns_zone_id" {`
	`758`	`+ description = "Specify private DNS zone resource ID for AKS private cluster to use."`
	`759`	`+ type = string`
	`760`	`+ default = ""`
	`761`	`+}`
	`762`	`+`
`757`	`763`	`## Message Broker - Azure Service Bus - Experimental`
`758`	`764`	`variable "create_azure_message_broker" {`
`759`	`765`	`description = "Allows user to create a fully managed enterprise message broker: Azure Service Bus"`