From 87a00f533de013f194c4e0dea615b652cb17a892 Mon Sep 17 00:00:00 2001
From: Ritika Patil <94649368+riragh@users.noreply.github.com>
Date: Thu, 25 Jan 2024 14:53:56 -0600
Subject: [PATCH 1/4] feat!: (IAC-1009) Add support for network plugin mode overlay (#360)
---
 docs/CONFIG-VARS.md | 4 ++--
 main.tf | 1 +
 modules/azure_aks/main.tf | 26 +++++++++++++++++---------
 modules/azure_aks/variables.tf | 8 +++++++-
 variables.tf | 11 ++++++-----
 5 files changed, 33 insertions(+), 17 deletions(-)
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index 847e85dd..38cc73f9 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -102,8 +102,8 @@ az vm image terms accept --urn Canonical:0001-com-ubuntu-pro-focal-fips:pro-fips
 | subnets | Subnets to be created and their settings | map(object) | *check below* | This variable is ignored when subnet_names is set (AKA bring your own subnets). All defined subnets must exist within the vnet address space. |
 | cluster_egress_type | The outbound (egress) routing method to be used for this Kubernetes Cluster | string | "loadBalancer" | Possible values:
Set to `userDefinedRouting` when using your own network [egress](https://docs.microsoft.com/en-us/azure/aks/egress-outboundtype).|
| aks_network_plugin | Network plugin to use for networking. Currently supported values are `azure` and `kubenet`| string | `kubenet`| For details see Azure's documentation on: [configure kubenet](https://docs.microsoft.com/en-us/azure/aks/configure-kubenet), [Configure Azure CNI](https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni).
**Note**: To support Azure CNI your Subnet must be large enough to accommodate the nodes, pods, and all Kubernetes and Azure resources that might be provisioned in your cluster.
To calculate the minimum subnet size including an additional node for upgrade operations use formula: `(number of nodes + 1) + ((number of nodes + 1) * maximum pods per node that you configure)`
Example for a 5 node cluster: `(5) + (5 * 110) = 555 (/22 or larger)`|
-| aks_network_policy | Sets up network policy to be used with Azure CNI. Network policy allows to control the traffic flow between pods. Currently supported values are `calico` and `azure`.| string | `azure`| Network policy `azure` is only supported for `aks_network_plugin = azure` and network policy `calico` is supported for both `aks_network_plugin` values `azure` and `kubenet`. |
-
+| aks_network_policy | Sets up network policy to be used with Azure CNI. Network policy allows to control the traffic flow between pods. Currently supported values are `calico` and `azure`.| string | null | Network policy `azure` is only supported for `aks_network_plugin = azure` and network policy `calico` is supported for both `aks_network_plugin` values `azure` and `kubenet`. |
+| aks_network_plugin_mode | Specifies the network plugin mode used for building the Kubernetes network. Possible value is `overlay`.| string | null | When `aks_network_plugin_mode` is set to `overlay` , the `aks_network_plugin` field can only be set to `azure`. For details see Azure's documentation on: [Configure Azure CNI Overlay networking](https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay).|
The default values for the `subnets` variable are as follows:
diff --git a/main.tf b/main.tf
index bd14d89b..af51e083 100644
--- a/main.tf
+++ b/main.tf
@@ -153,6 +153,7 @@ module "aks" {
aks_log_analytics_workspace_id = var.create_aks_azure_monitor ? azurerm_log_analytics_workspace.viya4[0].id : null
aks_network_plugin = var.aks_network_plugin
aks_network_policy = var.aks_network_policy
+ aks_network_plugin_mode = var.aks_network_plugin_mode
aks_dns_service_ip = var.aks_dns_service_ip
aks_docker_bridge_cidr = var.aks_docker_bridge_cidr
cluster_egress_type = local.cluster_egress_type
diff --git a/modules/azure_aks/main.tf b/modules/azure_aks/main.tf
index 85078514..522039e7 100644
--- a/modules/azure_aks/main.tf
+++ b/modules/azure_aks/main.tf
@@ -21,9 +21,6 @@ resource "azurerm_kubernetes_cluster" "aks" {
private_dns_zone_id = var.aks_private_cluster && var.aks_cluster_private_dns_zone_id != "" ? var.aks_cluster_private_dns_zone_id : (var.aks_private_cluster ? "System" : null)
network_profile {
- network_plugin = var.aks_network_plugin
- network_policy = var.aks_network_plugin == "kubenet" && var.aks_network_policy == "azure" ? null : var.aks_network_policy
-
# Docs on AKS Advanced Networking config
# https://docs.microsoft.com/en-us/azure/architecture/aws-professional/networking
# https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm
@@ -32,12 +29,15 @@ resource "azurerm_kubernetes_cluster" "aks" {
# https://docs.microsoft.com/en-us/azure/aks/load-balancer-standard
# https://docs.microsoft.com/en-us/azure/aks/egress-outboundtype
- service_cidr = var.aks_service_cidr
- dns_service_ip = var.aks_dns_service_ip
- pod_cidr = var.aks_network_plugin == "kubenet" ? var.aks_pod_cidr : null
- docker_bridge_cidr = var.aks_docker_bridge_cidr
- outbound_type = var.cluster_egress_type
- load_balancer_sku = "standard"
+ network_plugin = var.aks_network_plugin
+ network_policy = var.aks_network_policy
+ network_plugin_mode = var.aks_network_plugin_mode
+ service_cidr = var.aks_service_cidr
+ dns_service_ip = var.aks_dns_service_ip
+ pod_cidr = var.aks_network_plugin == "kubenet" ? var.aks_pod_cidr : null
+ docker_bridge_cidr = var.aks_docker_bridge_cidr
+ outbound_type = var.cluster_egress_type
+ load_balancer_sku = "standard"
}
dynamic "linux_profile" {
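Review bot: The `pod_cidr` line still nulls the value unless the plugin is `kubenet`, so with the newly wired `network_plugin_mode = overlay` the operator's `aks_pod_cidr` is silently discarded and the cluster receives whatever pod range Azure assigns by default. Azure CNI Overlay allocates pod addresses from a private CIDR separate from the VNet, and recent azurerm provider versions accept `pod_cidr` together with overlay mode (worth confirming against the provider version this repository pins); an operator who chose `aks_pod_cidr` specifically to avoid overlap with peered or on-premises ranges would not get that range. Consider `pod_cidr = var.aks_network_plugin == "kubenet" || var.aks_network_plugin_mode == "overlay" ? var.aks_pod_cidr : null`, and documenting in CONFIG-VARS.md which plugin/mode combinations honour `aks_pod_cidr`. The `network_profile` block opens in the previous hunk and the resource continues after this one.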
@@ -102,6 +102,14 @@ resource "azurerm_kubernetes_cluster" "aks" {
lifecycle {
ignore_changes = [default_node_pool[0].node_count]
+ precondition {
+ condition = var.aks_network_policy != "azure" || var.aks_network_plugin == "azure"
+ error_message = "When aks_network_policy is set to `azure`, the aks_network_plugin field can only be set to `azure`."
+ }
+ precondition {
+ condition = var.aks_network_plugin_mode != "overlay" || var.aks_network_plugin == "azure"
+ error_message = "When network_plugin_mode is set to `overlay`, the aks_network_plugin field can only be set to `azure`."
+ }
}
tags = var.aks_cluster_tags
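Review bot: The second precondition's `error_message` names the input as `network_plugin_mode`, while the variable the condition actually tests is `aks_network_plugin_mode` and the first precondition uses the full `aks_network_policy` name; an operator grepping the tfvars for the reported name will not find it. Change the message to refer to `aks_network_plugin_mode` so both messages match the variables they check. The enclosing `azurerm_kubernetes_cluster` resource starts outside this hunk.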
diff --git a/modules/azure_aks/variables.tf b/modules/azure_aks/variables.tf
index 787c01ef..05307a49 100644
--- a/modules/azure_aks/variables.tf
+++ b/modules/azure_aks/variables.tf
@@ -133,7 +133,13 @@ variable "aks_network_plugin" {
variable "aks_network_policy" {
description = "Sets up network policy to be used with Azure CNI. Network policy allows us to control the traffic flow between pods. Currently supported values are calico and azure. Changing this forces a new resource to be created."
type = string
- default = "azure"
+ default = null
+}
+
+variable "aks_network_plugin_mode" {
+ description = "Specifies the network plugin mode used for building the Kubernetes network. Possible value is `overlay`. Changing this forces a new resource to be created."
+ type = string
+ default = null
}
variable "aks_dns_service_ip" {
diff --git a/variables.tf b/variables.tf
index 4515d73d..fb0ca297 100644
--- a/variables.tf
+++ b/variables.tf
@@ -169,12 +169,13 @@ variable "aks_network_plugin" {
variable "aks_network_policy" {
description = "Sets up network policy to be used with Azure CNI. Network policy allows control of the traffic flow between pods. Currently supported values are calico and azure. Changing this forces a new resource to be created."
type = string
- default = "azure"
+ default = null
+}
- validation {
- condition = contains(["azure", "calico"], var.aks_network_policy)
- error_message = "Error: Currently the supported values are 'calico' and 'azure'."
- }
+variable "aks_network_plugin_mode" {
+ description = "Specifies the network plugin mode used for building the Kubernetes network. Possible value is `overlay`. Changing this forces a new resource to be created."
+ type = string
+ default = null
}
variable "aks_dns_service_ip" {
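Review bot: The `validation` block on `aks_network_policy` is deleted outright rather than made tolerant of the new `null` default, and the new `aks_network_plugin_mode` variable (here and in modules/azure_aks/variables.tf) gets no validation at all, so a mistyped value such as `Calico` or `Overlay` is no longer rejected at plan time and either fails at the Azure API or, for the plugin mode, slips past the module precondition because that compares against the literal `overlay`. Presumably the block was removed because `contains([...], null)` would fail on the default; a `== null ||` guard keeps the check while allowing the unset case. The earlier behaviour of silently mapping `kubenet` + `azure` to no network policy is now an error via the module precondition, which is the safer direction, but the value check should stay in the root module where the operator sees it first.
```hcl
variable "aks_network_policy" {
  # … unchanged: description, type, default = null …
  validation {
    condition     = var.aks_network_policy == null || contains(["azure", "calico"], var.aks_network_policy)
    error_message = "Error: Currently the supported values are 'calico' and 'azure'."
  }
}

variable "aks_network_plugin_mode" {
  # … unchanged: description, type, default = null …
  validation {
    condition     = var.aks_network_plugin_mode == null || var.aks_network_plugin_mode == "overlay"
    error_message = "Error: Currently the only supported value is 'overlay'."
  }
}
```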
From b3586f22e60319b1c6bf89e5bef4d2f870c6e85b Mon Sep 17 00:00:00 2001
From: Ritika Patil <94649368+riragh@users.noreply.github.com>
Date: Mon, 29 Jan 2024 14:12:37 -0600
Subject: [PATCH 2/4] feat: (IAC-1336) Add support for specifying K8s support
plan (#361)
---
docs/CONFIG-VARS.md | 3 ++-
main.tf | 1 +
modules/azure_aks/main.tf | 1 +
modules/azure_aks/variables.tf | 12 +++++++++---
variables.tf | 17 ++++++++++++++---
5 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index 38cc73f9..83324f62 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -194,7 +194,8 @@ Ubuntu 20.04 LTS is the operating system used on the Jump/NFS servers. Ubuntu cr
| ssh_public_key | File name of public ssh key for jump and nfs VM | string | "~/.ssh/id_rsa.pub" | Required with `create_jump_vm=true` or `storage_type=standard` |
| cluster_api_mode | Public or private IP for the cluster api | string | "public" | Valid Values: "public", "private" |
| aks_cluster_private_dns_zone_id | Specifies private DNS zone resource ID for AKS private cluster to use | string | "" | For `cluster_api_mode=private` if `aks_cluster_private_dns_zone_id` is not specified then the value `System` is used else it is set to null. For details see [Configure a private DNS zone](https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=azure-portal#configure-a-private-dns-zone) |
-| aks_cluster_sku_tier | Optimizes api server for cost vs availability | string | "Free" | Valid Values: "Free", "Standard" |
+| aks_cluster_sku_tier | The SKU Tier that should be used for this Kubernetes Cluster. Optimizes api server for cost vs availability | string | "Free" | Valid Values: "Free", "Standard" and "Premium" |
+| cluster_support_tier | Specifies the support plan which should be used for this Kubernetes Cluster. | string | "KubernetesOfficial" | Possible values are `KubernetesOfficial` and `AKSLongTermSupport`. To enable long term K8s support is a combination of setting `aks_cluster_sku_tier` to `Premium` tier and explicitly selecting the `cluster_support_tier` as `AKSLongTermSupport`. For details see [Long term Support](https://learn.microsoft.com/en-us/azure/aks/long-term-support) and for which K8s version has long term support see [AKS Kubernetes release calendar](https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli#aks-kubernetes-release-calendar).|
## Node Pools
diff --git a/main.tf b/main.tf
index af51e083..3fcc5166 100644
--- a/main.tf
+++ b/main.tf
@@ -134,6 +134,7 @@ module "aks" {
aks_cluster_dns_prefix = "${var.prefix}-aks"
aks_cluster_sku_tier = var.aks_cluster_sku_tier
aks_cluster_location = var.location
+ cluster_support_tier = var.cluster_support_tier
fips_enabled = var.fips_enabled
aks_cluster_node_auto_scaling = var.default_nodepool_min_nodes == var.default_nodepool_max_nodes ? false : true
aks_cluster_node_count = var.default_nodepool_min_nodes
diff --git a/modules/azure_aks/main.tf b/modules/azure_aks/main.tf
index 522039e7..6efb6954 100644
--- a/modules/azure_aks/main.tf
+++ b/modules/azure_aks/main.tf
@@ -10,6 +10,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
dns_prefix_private_cluster = var.aks_private_cluster && var.aks_cluster_private_dns_zone_id != "" ? var.aks_cluster_dns_prefix : null
sku_tier = var.aks_cluster_sku_tier
+ support_plan = var.cluster_support_tier
role_based_access_control_enabled = true
http_application_routing_enabled = false
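Review bot: `support_plan = var.cluster_support_tier` is passed through with no check that `AKSLongTermSupport` is paired with `sku_tier = "Premium"`, even though the CONFIG-VARS.md row added in this same commit states that long-term support is only available as that combination; the mismatch would surface as an API error at apply time rather than at plan. The previous commit established a pattern of cross-variable `precondition` blocks in this resource's `lifecycle` block (outside this hunk), and a third one fits there: `condition = var.cluster_support_tier != "AKSLongTermSupport" || var.aks_cluster_sku_tier == "Premium"` with an error_message naming both variables. Cross-variable checks cannot live in the root `variable` validation blocks, so the module precondition is the right place. The enclosing `azurerm_kubernetes_cluster` resource starts and ends outside this hunk.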
diff --git a/modules/azure_aks/variables.tf b/modules/azure_aks/variables.tf
index 05307a49..4d8f0944 100644
--- a/modules/azure_aks/variables.tf
+++ b/modules/azure_aks/variables.tf
@@ -23,16 +23,22 @@ variable "aks_cluster_location" {
}
variable "aks_cluster_sku_tier" {
- description = "The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free and Standard (which includes the Uptime SLA). Defaults to Free"
+ description = "The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free"
type = string
default = "Free"
validation {
- condition = contains(["Free", "Standard"], var.aks_cluster_sku_tier)
- error_message = "ERROR: Valid types are \"Free\" and \"Standard\"!"
+ condition = contains(["Free", "Standard", "Premium"], var.aks_cluster_sku_tier)
+ error_message = "ERROR: Valid types are \"Free\", \"Standard\" and \"Premium\"!"
}
}
+variable "cluster_support_tier" {
+ description = "Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are 'KubernetesOfficial' and 'AKSLongTermSupport'. Defaults to 'KubernetesOfficial'."
+ type = string
+ default = "KubernetesOfficial"
+}
+
variable "fips_enabled" {
description = "Should the nodes in this Node Pool have Federal Information Processing Standard enabled? Changing this forces a new resource to be created."
type = bool
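Review bot: The module-level `cluster_support_tier` variable has no `validation` block, while its neighbour `aks_cluster_sku_tier` in the same hunk and the root-module copy of `cluster_support_tier` in this commit both validate their allowed values; a caller that uses the module directly therefore gets no plan-time check. Mirror the root variable by wrapping `condition = contains(["KubernetesOfficial", "AKSLongTermSupport"], var.cluster_support_tier)` in a `validation` block here. As a point of wording, the updated error messages say "Valid types" where the check is on values; "Valid values" reads more accurately. The `fips_enabled` variable continues past the end of this hunk.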
diff --git a/variables.tf b/variables.tf
index fb0ca297..9a179c08 100644
--- a/variables.tf
+++ b/variables.tf
@@ -59,13 +59,24 @@ variable "location" {
}
variable "aks_cluster_sku_tier" {
- description = "The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free and Standard (which includes the Uptime SLA). Defaults to Free"
+ description = "The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free"
type = string
default = "Free"
validation {
- condition = contains(["Free", "Standard"], var.aks_cluster_sku_tier)
- error_message = "ERROR: Valid types are \"Free\" and \"Standard\"!"
+ condition = contains(["Free", "Standard", "Premium"], var.aks_cluster_sku_tier)
+ error_message = "ERROR: Valid types are \"Free\", \"Standard\" and \"Premium\"!"
+ }
+}
+
+variable "cluster_support_tier" {
+ description = "Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are 'KubernetesOfficial' and 'AKSLongTermSupport'. Defaults to 'KubernetesOfficial'."
+ type = string
+ default = "KubernetesOfficial"
+
+ validation {
+ condition = contains(["KubernetesOfficial", "AKSLongTermSupport"], var.cluster_support_tier)
+ error_message = "ERROR: Valid types are \"KubernetesOfficial\" and \"AKSLongTermSupport\"!"
}
}
From 2a737205186fef1a92f4688bf5d56258d911de26 Mon Sep 17 00:00:00 2001
From: Ritika Patil <94649368+riragh@users.noreply.github.com>
Date: Tue, 30 Jan 2024 15:55:55 -0600
Subject: [PATCH 3/4] docs: (IAC-1307) Document update for network policy
(#362)
---
docs/CONFIG-VARS.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index 83324f62..9b86745f 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -101,9 +101,9 @@ az vm image terms accept --urn Canonical:0001-com-ubuntu-pro-focal-fips:pro-fips
| vnet_address_space | Address space for created vnet | string | "192.168.0.0/16" | This variable is ignored when vnet_name is set (AKA bring your own vnet). |
| subnets | Subnets to be created and their settings | map(object) | *check below* | This variable is ignored when subnet_names is set (AKA bring your own subnets). All defined subnets must exist within the vnet address space. |
| cluster_egress_type | The outbound (egress) routing method to be used for this Kubernetes Cluster | string | "loadBalancer" | Possible values:
Set to `userDefinedRouting` when using your own network [egress](https://docs.microsoft.com/en-us/azure/aks/egress-outboundtype).|
-| aks_network_plugin | Network plugin to use for networking. Currently supported values are `azure` and `kubenet`| string | `kubenet`| For details see Azure's documentation on: [configure kubenet](https://docs.microsoft.com/en-us/azure/aks/configure-kubenet), [Configure Azure CNI](https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni).
**Note**: To support Azure CNI your Subnet must be large enough to accommodate the nodes, pods, and all Kubernetes and Azure resources that might be provisioned in your cluster.
To calculate the minimum subnet size including an additional node for upgrade operations use formula: `(number of nodes + 1) + ((number of nodes + 1) * maximum pods per node that you configure)`
Example for a 5 node cluster: `(5) + (5 * 110) = 555 (/22 or larger)`|
-| aks_network_policy | Sets up network policy to be used with Azure CNI. Network policy allows to control the traffic flow between pods. Currently supported values are `calico` and `azure`.| string | null | Network policy `azure` is only supported for `aks_network_plugin = azure` and network policy `calico` is supported for both `aks_network_plugin` values `azure` and `kubenet`. |
-| aks_network_plugin_mode | Specifies the network plugin mode used for building the Kubernetes network. Possible value is `overlay`.| string | null | When `aks_network_plugin_mode` is set to `overlay` , the `aks_network_plugin` field can only be set to `azure`. For details see Azure's documentation on: [Configure Azure CNI Overlay networking](https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay).|
+| aks_network_plugin | Network plugin to use for networking. | string | "kubenet"| Possible values are `kubenet` and `azure`. For details see Azure's documentation on: [Configure kubenet](https://docs.microsoft.com/en-us/azure/aks/configure-kubenet), [Configure Azure CNI](https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni).
**Note**: To support Azure CNI your Subnet must be large enough to accommodate the nodes, pods, and all Kubernetes and Azure resources that might be provisioned in your cluster.
To calculate the minimum subnet size including an additional node for upgrade operations use formula: `(number of nodes + 1) + ((number of nodes + 1) * maximum pods per node that you configure)`
Example for a 5 node cluster: `(5) + (5 * 110) = 555 (/22 or larger)`|
+| aks_network_policy | Sets up network policy to be used with Azure CNI. Network policy allows to control the traffic flow between pods. | string | null | Possible values are `calico` and `azure`. Network policy `azure` (Azure Network Policy Manager) is only supported for `aks_network_plugin = azure` and network policy `calico` is supported for both `aks_network_plugin` values `azure` and `kubenet`. For more details see [network policies in Azure Kubernetes Service](https://learn.microsoft.com/en-us/azure/aks/use-network-policies).|
+| aks_network_plugin_mode | Specifies the network plugin mode used for building the Kubernetes network. | string | null | Possible value is `overlay`. When `aks_network_plugin_mode` is set to `overlay` , the `aks_network_plugin` field can only be set to `azure`. For details see Azure's documentation on: [Configure Azure CNI Overlay networking](https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay).|
The default values for the `subnets` variable are as follows:
From 4518516e61632e573eaeaa8feafbd76a40486db6 Mon Sep 17 00:00:00 2001
From: Ritika Patil <94649368+riragh@users.noreply.github.com>
Date: Fri, 9 Feb 2024 10:43:35 -0600
Subject: [PATCH 4/4] feat: (IAC-1346) Update external Postgres server default
version to 15 (#364)
---
docs/CONFIG-VARS.md | 2 +-
modules/azurerm_postgresql_flex/variables.tf | 4 ++--
variables.tf | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index 9b86745f..17162f62 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -359,7 +359,7 @@ Each server element, like `foo = {}`, can contain none, some, or all of the para
| geo_redundant_backup_enabled | Enable Geo-redundant or not for server backup | bool | false | Not supported for the basic tier. |
| administrator_login | The Administrator Login for the PostgreSQL Flexible Server. Changing this forces a new resource to be created. | string | "pgadmin" | The admin login name cannot be azure_superuser, azure_pg_admin, admin, administrator, root, guest, or public. It cannot start with pg_. See: [Microsoft Quickstart Server Database](https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/quickstart-create-server-portal) |
| administrator_password | The Password associated with the administrator_login for the PostgreSQL Flexible Server | string | "my$up3rS3cretPassw0rd" | The password must contain between 8 and 128 characters and must contain characters from three of the following categories: English uppercase letters, English lowercase letters, numbers (0 through 9), and non-alphanumeric characters (!, $, #, %, etc.). |
-| server_version | The version of the PostgreSQL Flexible server instance | string | "13" | Refer to the [SAS Viya Platform Administration Guide](https://documentation.sas.com/?cdcId=sasadmincdc&cdcVersion=default&docsetId=itopssr&docsetTarget=p05lfgkwib3zxbn1t6nyihexp12n.htm#p1wq8ouke3c6ixn1la636df9oa1u) for the supported versions of PostgreSQL for the SAS Viya platform. |
+| server_version | The version of the PostgreSQL Flexible server instance | string | "15" | Refer to the [SAS Viya Platform Administration Guide](https://documentation.sas.com/?cdcId=sasadmincdc&cdcVersion=default&docsetId=itopssr&docsetTarget=p05lfgkwib3zxbn1t6nyihexp12n.htm#p1wq8ouke3c6ixn1la636df9oa1u) for the supported versions of PostgreSQL for the SAS Viya platform. |
| ssl_enforcement_enabled | Enforce SSL on connection to the Azure Database for PostgreSQL Flexible server instance | bool | true | |
| connectivity_method | Network connectivity option to connect to your flexible server. There are two connectivity options available: Public access (allowed IP addresses) and Private access (VNet Integration). Defaults to public access with firewall rules enabled.| string | "public" | Valid options are `public` and `private`. See sample input file [here](../examples/sample-input-postgres.tfvars) and Private access documentation [here](./user/PostgreSQLPrivateAccess.md). For more details see [Networking overview](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking) |
| postgresql_configurations | Sets a PostgreSQL Configuration value on a Azure PostgreSQL Flexible Server | list(object) | [] | More details can be found [here](https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/howto-configure-server-parameters-using-cli) |
diff --git a/modules/azurerm_postgresql_flex/variables.tf b/modules/azurerm_postgresql_flex/variables.tf
index 68ef4bfc..6b958703 100644
--- a/modules/azurerm_postgresql_flex/variables.tf
+++ b/modules/azurerm_postgresql_flex/variables.tf
@@ -51,9 +51,9 @@ variable "administrator_password" {
}
variable "server_version" {
- description = "Specifies the version of PostgreSQL to use. The version of PostgreSQL Flexible Server to use. Possible values are 11, 12 and 13. Changing this forces a new PostgreSQL Flexible Server to be created."
+ description = "Specifies the version of PostgreSQL to use. The version of PostgreSQL Flexible Server to use. Possible values are from 12 - 15. Changing this forces a new PostgreSQL Flexible Server to be created."
type = string
- default = "13"
+ default = "15"
}
variable "connectivity_method" {
diff --git a/variables.tf b/variables.tf
index 9a179c08..c240d4cd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -276,7 +276,7 @@ variable "postgres_server_defaults" {
geo_redundant_backup_enabled = false
administrator_login = "pgadmin"
administrator_password = "my$up3rS3cretPassw0rd"
- server_version = "13"
+ server_version = "15"
ssl_enforcement_enabled = true
connectivity_method = "public"
postgresql_configurations = []