8.3.0 - October 19, 2023 #342

Merged
merged 3 commits into from
Oct 19, 2023
3 changes: 2 additions & 1 deletion docs/CONFIG-VARS.md
Expand Up @@ -193,6 +193,7 @@ Ubuntu 20.04 LTS is the operating system used on the Jump/NFS servers. Ubuntu cr
| aks_identity | Use UserAssignedIdentity or Service Principal as [AKS identity](https://docs.microsoft.com/en-us/azure/aks/concepts-identity) | string | "uai" | A value of `uai` wil create a Managed Identity based on the permissions of the authenticated user or use [`AKS_UAI_NAME`](#use-existing), if set. A value of `sp` will use values from [`CLIENT_ID`/`CLIENT_SECRET`](#azure-authentication), if set. |
| ssh_public_key | File name of public ssh key for jump and nfs VM | string | "~/.ssh/id_rsa.pub" | Required with `create_jump_vm=true` or `storage_type=standard` |
| cluster_api_mode | Public or private IP for the cluster api | string | "public" | Valid Values: "public", "private" |
| aks_cluster_private_dns_zone_id | Specifies private DNS zone resource ID for AKS private cluster to use | string | "" | For `cluster_api_mode=private` if `aks_cluster_private_dns_zone_id` is not specified then the value `System` is used else it is set to null. For details see [Configure a private DNS zone](https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=azure-portal#configure-a-private-dns-zone) |
| aks_cluster_sku_tier | Optimizes api server for cost vs availability | string | "Free" | Valid Values: "Free", "Standard" |

## Node Pools
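Review bot: the last column of the new `aks_cluster_private_dns_zone_id` row states the behaviour backwards relative to modules/azure_aks/main.tf. In the code, a non-empty value is used as-is; an empty value on a private cluster falls back to `System`; `null` is only what a public cluster gets. Suggested wording: "Only used with `cluster_api_mode=private`. Leave empty (default) to let AKS create a system-managed private DNS zone (`System`); set it to the resource ID of an existing private DNS zone to use that zone instead. Ignored when `cluster_api_mode=public`." The row should also make clear that the value is the full ARM resource ID of the zone, not the zone name, and that (per the linked Microsoft page) the cluster identity needs rights on that zone, since nothing in this PR grants them; with the default `aks_identity = "uai"` from the row above, that is the user's managed identity the reader has to prepare.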
Expand Down Expand Up @@ -359,7 +360,7 @@ Each server element, like `foo = {}`, can contain none, some, or all of the para
| administrator_password | The Password associated with the administrator_login for the PostgreSQL Flexible Server | string | "my$up3rS3cretPassw0rd" | The password must contain between 8 and 128 characters and must contain characters from three of the following categories: English uppercase letters, English lowercase letters, numbers (0 through 9), and non-alphanumeric characters (!, $, #, %, etc.). |
| server_version | The version of the PostgreSQL Flexible server instance | string | "13" | Refer to the [SAS Viya Platform Administration Guide](https://go.documentation.sas.com/doc/en/sasadmincdc/default/itopssr/p05lfgkwib3zxbn1t6nyihexp12n.htm?fromDefault=#p1wq8ouke3c6ixn1la636df9oa1u) for the supported versions of PostgreSQL for the SAS Viya platform. |
| ssl_enforcement_enabled | Enforce SSL on connection to the Azure Database for PostgreSQL Flexible server instance | bool | true | |
| connectivity_method | Network connectivity option to connect to your flexible server. There are two connectivity options available: Public access (allowed IP addresses) and Private access (VNet Integration). Defaults to public access with firewall rules enabled.| string | "public" | Valid options are `public` and `private`. See details [here](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking) |
| connectivity_method | Network connectivity option to connect to your flexible server. There are two connectivity options available: Public access (allowed IP addresses) and Private access (VNet Integration). Defaults to public access with firewall rules enabled.| string | "public" | Valid options are `public` and `private`. See sample input file [here](../examples/sample-input-postgres.tfvars) and Private access documentation [here](./user/PostgreSQLPrivateAccess.md). For more details see [Networking overview](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking) |
| postgresql_configurations | Sets a PostgreSQL Configuration value on a Azure PostgreSQL Flexible Server | list(object) | [] | More details can be found [here](https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/howto-configure-server-parameters-using-cli) |

Multiple SAS offerings require a second PostgreSQL instance referred to as SAS Common Data Store, or CDS PostgreSQL. For more information, see [Common Customizations](https://go.documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=dplyml0phy0dkr&docsetTarget=n08u2yg8tdkb4jn18u8zsi6yfv3d.htm#p0wkxxi9s38zbzn19ukjjaxsc0kl). A list of SAS offerings that require CDS PostgreSQL is provided in [SAS Common Data Store Requirements](https://go.documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=itopssr&docsetTarget=p05lfgkwib3zxbn1t6nyihexp12n.htm#n03wzanutmc6gon1val5fykas9aa). To create and configure an external CDS PostgreSQL instance in addition to the external platform PostgreSQL instance named `default`, specify `cds-postgres` as a second PostgreSQL instance, as shown in the example below.
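Review bot: the updated `connectivity_method` row is fine; one nit on the unchanged `administrator_password` row two lines above it, which documents `my$up3rS3cretPassw0rd` as the default. If that string is also the variable default in code, every deployment that omits the password ends up with a published credential on an internet-reachable server (the default connectivity is public). Mark the value in the table as an example only and tell the reader to supply their own (or generated) password rather than presenting it as a default.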
2 changes: 1 addition & 1 deletion docs/user/PostgreSQLPrivateAccess.md
Expand Up @@ -9,7 +9,7 @@ In this document, we will focus on PostgreSQL server with Private access (VNet I

You can deploy a flexible server into your Azure virtual network (VNet). Azure virtual networks provide private and secure network communication. Resources in a virtual network can communicate through private IP addresses that were assigned on this network. In Private access, the connections to the PostgreSQL server are restricted to only within your virtual network. To learn more about it, refer to [Private access (VNet Integration)](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking#private-access-vnet-integration).

To create PostgreSQL Flexible Server with the private access connectivity method use the example file provided [here](../../examples/sample-input-ppg.tfvars).
To create PostgreSQL Flexible Server with the private access connectivity method use the example file provided [here](../../examples/sample-input-postgres.tfvars).

# Connect Azure Database for PostgreSQL Flexible Server with the private access connectivity method

154 changes: 154 additions & 0 deletions examples/sample-input-postgres.tfvars
@@ -0,0 +1,154 @@
# !NOTE! - These are only a subset of CONFIG-VARS.md provided as examples.
# Customize this file to add any variables from 'CONFIG-VARS.md' whose default
# values you want to change.

# **************** REQUIRED VARIABLES ****************
# Values for these required variables MUST be provided
prefix = "<prefix-value>" # this is a prefix that you assign for the resources to be created
location = "<azure-location-value>" # e.g., "eastus2"
# **************** REQUIRED VARIABLES ****************

# !NOTE! - Without specifying your CIDR block access rules, ingress traffic
# to your cluster will be blocked by default.

# ************** RECOMMENDED VARIABLES ***************
default_public_access_cidrs = [] # e.g., ["123.45.6.89/32"]
ssh_public_key = "~/.ssh/id_rsa.pub"
# ************** RECOMMENDED VARIABLES ***************

# Tags can be specified matching your tagging strategy.
tags = {} # for example: { "owner|email" = "<you>@<domain>.<com>", "key1" = "value1", "key2" = "value2" }

# PostgreSQL

# Postgres config - By having this entry a database server is created.
# Default networking option: Public access (allowed IP addresses) is enabled
# If you do not need an external database server remove the 'postgres_servers'
# block below.
postgres_servers = {
default = {},
}

# To use Private access (VNet Integration) remove the 'postgres_servers' block above and uncomment the blocks below:
# postgres_servers and subnets

# postgres_servers = {
# default = {
# connectivity_method = "private"
# }
# }
#
# # Subnet for PostgreSQL
# subnets = {
# aks = {
# "prefixes" : ["192.168.0.0/23"],
# "service_endpoints" : ["Microsoft.Sql"],
# "private_endpoint_network_policies_enabled" : true,
# "private_link_service_network_policies_enabled" : false,
# "service_delegations" : {},
# }
# misc = {
# "prefixes" : ["192.168.2.0/24"],
# "service_endpoints" : ["Microsoft.Sql"],
# "private_endpoint_network_policies_enabled" : true,
# "private_link_service_network_policies_enabled" : false,
# "service_delegations" : {},
# }
# netapp = {
# "prefixes" : ["192.168.3.0/24"],
# "service_endpoints" : [],
# "private_endpoint_network_policies_enabled" : false,
# "private_link_service_network_policies_enabled" : false,
# "service_delegations" : {
# netapp = {
# "name" : "Microsoft.Netapp/volumes"
# "actions" : ["Microsoft.Network/networkinterfaces/*", "Microsoft.Network/virtualNetworks/subnets/join/action"]
# }
# }
# }
# postgresql = {
# "prefixes": ["192.168.4.0/24"],
# "service_endpoints": ["Microsoft.Sql"],
# "private_endpoint_network_policies_enabled": true,
# "private_link_service_network_policies_enabled": false,
# "service_delegations": {
# flexpostgres = {
# "name" : "Microsoft.DBforPostgreSQL/flexibleServers"
# "actions" : ["Microsoft.Network/virtualNetworks/subnets/join/action"]
# }
# }
# }
# }

# Azure Container Registry config
create_container_registry = false
container_registry_sku = "Standard"
container_registry_admin_enabled = false

# AKS config
kubernetes_version = "1.26"
default_nodepool_min_nodes = 2
default_nodepool_vm_type = "Standard_D8s_v4"

# AKS Node Pools config
node_pools = {
cas = {
"machine_type" = "Standard_E16s_v3"
"os_disk_size" = 200
"min_nodes" = 1
"max_nodes" = 1
"max_pods" = 110
"node_taints" = ["workload.sas.com/class=cas:NoSchedule"]
"node_labels" = {
"workload.sas.com/class" = "cas"
}
},
compute = {
"machine_type" = "Standard_E16s_v3"
"os_disk_size" = 200
"min_nodes" = 1
"max_nodes" = 1
"max_pods" = 110
"node_taints" = ["workload.sas.com/class=compute:NoSchedule"]
"node_labels" = {
"workload.sas.com/class" = "compute"
"launcher.sas.com/prepullImage" = "sas-programming-environment"
}
},
stateless = {
"machine_type" = "Standard_D16s_v3"
"os_disk_size" = 200
"min_nodes" = 1
"max_nodes" = 2
"max_pods" = 110
"node_taints" = ["workload.sas.com/class=stateless:NoSchedule"]
"node_labels" = {
"workload.sas.com/class" = "stateless"
}
},
stateful = {
"machine_type" = "Standard_D8s_v3"
"os_disk_size" = 200
"min_nodes" = 1
"max_nodes" = 3
"max_pods" = 110
"node_taints" = ["workload.sas.com/class=stateful:NoSchedule"]
"node_labels" = {
"workload.sas.com/class" = "stateful"
}
}
}

# Jump Server
create_jump_public_ip = true
jump_vm_admin = "jumpuser"
jump_vm_machine_type = "Standard_B2s"

# Storage for SAS Viya CAS/Compute
storage_type = "standard"
# required ONLY when storage_type is "standard" to create NFS Server VM
create_nfs_public_ip = false
nfs_vm_admin = "nfsuser"
nfs_vm_machine_type = "Standard_D8s_v4"
nfs_raid_disk_size = 128
nfs_raid_disk_type = "Standard_LRS"
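Review bot: the private-access instructions ("remove the 'postgres_servers' block above and uncomment the blocks below") need a stronger warning on two counts. First, a tfvars file cannot assign the same attribute twice, so a reader who uncomments the private `postgres_servers` block without deleting the public one gets an "Attribute redefined" error instead of a private server. Second, the commented `subnets` map replaces the module's default subnet layout in full, which is why it has to carry `aks`, `misc` and `netapp` alongside the new `postgresql` subnet; a one-line comment such as "# this value REPLACES the default subnets, keep all four and keep the prefixes non-overlapping" would prevent someone trimming it to just the `postgresql` entry. Smaller points: `create_jump_public_ip = true` is set while the recommended `default_public_access_cidrs = []` means ingress is blocked, so the sample stands up an internet-facing jump host whose reachability depends entirely on what the reader later puts in the CIDR list; for a deployment that is going out of its way to keep PostgreSQL off the public network, a comment recommending `false` unless the jump host is the intended entry point would be consistent. And `ssh_public_key = "~/.ssh/id_rsa.pub"` is read through `try(file(var.ssh_public_key), "")` in main.tf, so a missing file silently becomes an empty key rather than an error; worth saying in the comment that the file must exist.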
53 changes: 0 additions & 53 deletions examples/sample-input-ppg.tfvars
Expand Up @@ -19,8 +19,6 @@ ssh_public_key = "~/.ssh/id_rsa.pub"
# Tags can be specified matching your tagging strategy.
tags = {} # for example: { "owner|email" = "<you>@<domain>.<com>", "key1" = "value1", "key2" = "value2" }

# PostgreSQL

# Postgres config - By having this entry a database server is created.
# Default networking option: Public access (allowed IP addresses) is enabled
# If you do not need an external database server remove the 'postgres_servers'
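Review bot: the `# PostgreSQL` heading is removed here but the `postgres_servers` block it introduced stays in this file (the context lines directly below), so the block now sits under the tags comment with no section marker. Keep the heading and remove only the private-access material.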
Expand All @@ -29,57 +27,6 @@ postgres_servers = {
default = {},
}

# To use Private access (VNet Integration) remove the 'postgres_servers' block above and uncomment the blocks below:
# postgres_servers and subnets

# postgres_servers = {
# default = {
# connectivity_method = "private"
# }
# }
#
# # Subnet for PostgreSQL
# subnets = {
# aks = {
# "prefixes" : ["192.168.0.0/23"],
# "service_endpoints" : ["Microsoft.Sql"],
# "private_endpoint_network_policies_enabled" : true,
# "private_link_service_network_policies_enabled" : false,
# "service_delegations" : {},
# }
# misc = {
# "prefixes" : ["192.168.2.0/24"],
# "service_endpoints" : ["Microsoft.Sql"],
# "private_endpoint_network_policies_enabled" : true,
# "private_link_service_network_policies_enabled" : false,
# "service_delegations" : {},
# }
# netapp = {
# "prefixes" : ["192.168.3.0/24"],
# "service_endpoints" : [],
# "private_endpoint_network_policies_enabled" : false,
# "private_link_service_network_policies_enabled" : false,
# "service_delegations" : {
# netapp = {
# "name" : "Microsoft.Netapp/volumes"
# "actions" : ["Microsoft.Network/networkinterfaces/*", "Microsoft.Network/virtualNetworks/subnets/join/action"]
# }
# }
# }
# postgresql = {
# "prefixes": ["192.168.4.0/24"],
# "service_endpoints": ["Microsoft.Sql"],
# "private_endpoint_network_policies_enabled": true,
# "private_link_service_network_policies_enabled": false,
# "service_delegations": {
# flexpostgres = {
# "name" : "Microsoft.DBforPostgreSQL/flexibleServers"
# "actions" : ["Microsoft.Network/virtualNetworks/subnets/join/action"]
# }
# }
# }
# }

# Azure Container Registry config
create_container_registry = false
container_registry_sku = "Standard"
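Review bot: after this removal the ppg sample documents public PostgreSQL access only, while the private-access variant now lives in examples/sample-input-postgres.tfvars; that split is reasonable, but the comment block that remains above ("Default networking option: Public access (allowed IP addresses) is enabled") no longer tells the reader where the private option went. Add a one-line pointer to the new sample file (and to docs/user/PostgreSQLPrivateAccess.md, which this PR already re-targets) so the ppg example is not read as the only supported database networking configuration.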
1 change: 1 addition & 0 deletions main.tf
Expand Up @@ -145,6 +145,7 @@ module "aks" {
aks_cluster_node_vm_size = var.default_nodepool_vm_type
aks_cluster_node_admin = var.node_vm_admin
aks_cluster_ssh_public_key = try(file(var.ssh_public_key), "")
aks_cluster_private_dns_zone_id = var.aks_cluster_private_dns_zone_id
aks_vnet_subnet_id = module.vnet.subnets["aks"].id
kubernetes_version = var.kubernetes_version
aks_cluster_endpoint_public_access_cidrs = var.cluster_api_mode == "private" ? [] : local.cluster_endpoint_public_access_cidrs # "Private cluster cannot be enabled with AuthorizedIPRanges.""
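Review bot: there is no guard for `cluster_api_mode = "public"` combined with a non-empty `aks_cluster_private_dns_zone_id`. In modules/azure_aks/main.tf the zone ID is silently dropped in that case, so a user who sets the zone expecting a private control plane gets a public API server (gated only by the authorized IP ranges computed on the line above) and no warning. Since a `validation` block on the variable cannot reference `cluster_api_mode`, put a precondition on `azurerm_kubernetes_cluster.aks` in the module, e.g.

    precondition {
      condition     = var.aks_private_cluster || var.aks_cluster_private_dns_zone_id == ""
      error_message = "aks_cluster_private_dns_zone_id is only honoured for a private cluster (cluster_api_mode = \"private\")."

Also, the trailing comment on the `aks_cluster_endpoint_public_access_cidrs` line ends with a doubled quote (`AuthorizedIPRanges.""`), an existing nit worth fixing while touching this block.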
6 changes: 4 additions & 2 deletions modules/azure_aks/main.tf
Expand Up @@ -6,7 +6,9 @@ resource "azurerm_kubernetes_cluster" "aks" {
name = var.aks_cluster_name
location = var.aks_cluster_location
resource_group_name = var.aks_cluster_rg
dns_prefix = var.aks_cluster_dns_prefix
dns_prefix = var.aks_private_cluster == false || var.aks_cluster_private_dns_zone_id == "" ? var.aks_cluster_dns_prefix : null
dns_prefix_private_cluster = var.aks_private_cluster && var.aks_cluster_private_dns_zone_id != "" ? var.aks_cluster_dns_prefix : null

sku_tier = var.aks_cluster_sku_tier
role_based_access_control_enabled = true
http_application_routing_enabled = false
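Review bot: the two conditionals on `dns_prefix` and `dns_prefix_private_cluster` are exact negations of each other written out in full, and the same test (`var.aks_private_cluster && var.aks_cluster_private_dns_zone_id != ""`) appears a third time in the `private_dns_zone_id` expression further down; a single local such as `use_custom_private_dns` would make the pairing obvious and keep the three from drifting. More important for operators: as far as I recall both `dns_prefix` and `dns_prefix_private_cluster` are ForceNew in the azurerm provider, so setting `aks_cluster_private_dns_zone_id` on an existing private cluster moves the prefix from one argument to the other and the plan will destroy and recreate the AKS cluster. Please confirm against the provider and, if so, say so in CONFIG-VARS.md next to the new variable, since a release note reader will otherwise discover it in `terraform plan` output.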
Expand All @@ -16,7 +18,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
kubernetes_version = var.kubernetes_version
api_server_authorized_ip_ranges = var.aks_cluster_endpoint_public_access_cidrs
private_cluster_enabled = var.aks_private_cluster
private_dns_zone_id = var.aks_private_cluster ? "System" : null
private_dns_zone_id = var.aks_private_cluster && var.aks_cluster_private_dns_zone_id != "" ? var.aks_cluster_private_dns_zone_id : (var.aks_private_cluster ? "System" : null)

network_profile {
network_plugin = var.aks_network_plugin
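Review bot: the nested ternary on `private_dns_zone_id` is hard to read and is equivalent to `var.aks_private_cluster ? coalesce(var.aks_cluster_private_dns_zone_id, "System") : null`, because Terraform's `coalesce` skips empty strings as well as nulls; the shorter form also makes the `System` fallback visible at a glance. On the security side, as I read the AKS private-cluster documentation linked from CONFIG-VARS.md, a bring-your-own private DNS zone requires the cluster's control-plane identity to hold Private DNS Zone Contributor on that zone (and Network Contributor on the VNet the zone is linked to); this PR adds no role assignment, so with the default `aks_identity = "uai"` the cluster create fails at apply time unless the user has granted those roles to their identity beforehand. Either document the prerequisite alongside the variable or add the role assignments in the module.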
5 changes: 5 additions & 0 deletions modules/azure_aks/variables.tf
Expand Up @@ -223,3 +223,8 @@ variable "cluster_egress_type" {
type = string
default = "loadBalancer"
}

variable "aks_cluster_private_dns_zone_id" {
type = string
default = ""
}
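Review bot: the new module variable has no `description`, unlike its root counterpart in variables.tf, and no input validation, so a wrong value (a zone name instead of its resource ID, or a zone from another provider namespace) only fails inside the provider at apply time. Suggest:

    description = "Resource ID of an existing private DNS zone for the private AKS API server; empty means a System-managed zone"
    validation {
      condition = var.aks_cluster_private_dns_zone_id == "" || can(regex("^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft.Network/privateDnsZones/[^/]+$", var.aks_cluster_private_dns_zone_id))

with an `error_message` that names the expected resource ID shape.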
4 changes: 4 additions & 0 deletions outputs.tf
Expand Up @@ -26,6 +26,10 @@ output "aks_cluster_password" {
sensitive = true
}

output "aks_pod_cidr" {
value = var.aks_pod_cidr
}

# postgres

output "postgres_servers" {
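Review bot: `aks_pod_cidr` echoes the input variable rather than the value the cluster was created with. If the module passes `var.aks_pod_cidr` into `network_profile` (not visible in this diff), prefer exporting the resource attribute (`network_profile[0].pod_cidr` via a module output) so the output reflects what Azure actually applied; a downstream firewall or network-policy rule built from this output should not be fed a value that the chosen network plugin may not have used. The new output is also not mentioned in docs/CONFIG-VARS.md in this PR.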
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -754,6 +754,12 @@ variable "aks_identity" {
}
}

variable "aks_cluster_private_dns_zone_id" {
description = "Specify private DNS zone resource ID for AKS private cluster to use."
type = string
default = ""
}

## Message Broker - Azure Service Bus - Experimental
variable "create_azure_message_broker" {
description = "Allows user to create a fully managed enterprise message broker: Azure Service Bus"
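Review bot: the description should say when the variable applies and what the empty default means, matching modules/azure_aks/main.tf: "Resource ID of an existing private DNS zone for the AKS API server. Only used when cluster_api_mode = \"private\"; empty (default) lets AKS create a System-managed private DNS zone." A `validation` block here can only reference this variable, so the cross-check against `cluster_api_mode` cannot live in it; at minimum reject values that are neither empty nor a `/subscriptions/.../privateDnsZones/...` resource ID, so that a zone name pasted by mistake fails at plan time instead of apply time.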