Merge pull request #230 from sassoftware/staging

7.2.0 - September 6, 2023

README.md

@@ -10,6 +10,7 @@ This project contains Terraform scripts to provision the AWS cloud infrastructur
   >- Infrastructure to deploy the SAS Viya platform CAS server in SMP or MPP mode
   >- Amazon Elastic Block Storage (EBS) for NFS
   >- Amazon Elastic File System (EFS)
+  >- Amazon FSx for NetApp ONTAP File System
   >- Amazon Relational Database Service (RDS)
 
 [<img src="./docs/images/viya4-iac-aws-diag.png" alt="Architecture Diagram" width="750"/>](./docs/images/viya4-iac-aws-diag.png?raw=true)
@@ -40,6 +41,8 @@ This project supports two options for running Terraform scripts:
 
 The following are also required:
 - Access to an **AWS account** with a user that is associated with the applied [IAM Policy](./files/policies/devops-iac-eks-policy.json)
+
+  **NOTE:** The base [IAM Policy](./files/policies/devops-iac-eks-policy.json) document has been updated for the 7.2.0 release, you will need to adopt the updated permission list to take advantage of new features added to the viya4-iac-aws project code.
 - Subscription to [Ubuntu 20.04 LTS - Focal](https://aws.amazon.com/marketplace/pp/prodview-iftkyuwv2sjxi)
 
 #### Terraform Requirements:

docs/CONFIG-VARS.md

@@ -21,6 +21,7 @@ Supported configuration variables are listed in the tables below.  All variables
   - [Storage](#storage)
     - [NFS Server](#nfs-server)
     - [AWS Elastic File System (EFS)](#aws-elastic-file-system-efs)
+    - [AWS FSx for NetApp ONTAP File System](#aws-fsx-for-netapp-ontap-file-system)
     - [AWS Elastic Block Store (EBS)](#aws-elastic-block-store-ebs)
   - [PostgreSQL Server](#postgresql-server)
 
@@ -251,9 +252,10 @@ Additional node pools can be created separately from the default node pool. This
 
 ## Storage
 
-| <div style="width:50px">Name</div> | <div style="width:150px">Description</div> | <div style="width:50px">Type</div> | <div style="width:75px">Default</div> | <div style="width:150px">Notes</div> |
+| <div style="width:50px">Name</div> | <div style="width:130px">Description</div> | <div style="width:40px">Type</div> | <div style="width:200px">Default</div> | <div style="width:150px">Notes</div> |
 | :--- | :--- | :--- | :--- | :--- |
-| storage_type | Type of Storage. Valid Values: "standard", "ha"  | string | "standard" | A value of "standard" creates NFS server VM; a value of "ha" creates an AWS EFS mountpoint. |
+| storage_type | Type of Storage. Valid Values: "standard", "ha"  | string | "standard" | A value of "standard" creates a NFS server VM; a value of "ha" creates an AWS EFS mountpoint by default. |
+| storage_type_backend | The storage backend employed for the chosen `storage_type`. | string | If `storage_type=standard` the default is "nfs";<br>If `storage_type=ha` the default is "efs" | Valid Values: "nfs" if `storage_type=standard`; "efs" or "ontap" if `storage_type=ha` |
 
 ### NFS Server
 
@@ -270,7 +272,7 @@ When `storage_type=standard`, an NFS server VM is created, and the following var
 
 ### AWS Elastic File System (EFS)
 
-When `storage_type=ha`, the [AWS Elastic File System](https://aws.amazon.com/efs/) service is created, and the following variables are applicable:
+When `storage_type=ha` and `storage_type_backend=efs`, an [AWS Elastic File System](https://aws.amazon.com/efs/) service is created, and the following variables are applicable:
 
 <!--| Name | Description | Type | Default | Notes | -->
 | <div style="width:50px">Name</div> | <div style="width:150px">Description</div> | <div style="width:50px">Type</div> | <div style="width:75px">Default</div> | <div style="width:150px">Notes</div> |
@@ -279,6 +281,19 @@ When `storage_type=ha`, the [AWS Elastic File System](https://aws.amazon.com/efs
 | enable_efs_encryption | Enable encryption on EFS file systems | bool | false | When set to 'true', the EFS file systems will be encrypted. |
 | efs_throughput_mode | EFS throughput mode | string | bursting | Supported values are 'bursting' and 'provisioned'. When using 'provisioned', 'efs_throughput_rate' is required. |
 | efs_throughput_rate | EFS throughput rate, measured in MiB/s | number | 1024 | Valid values range from 1 to 1024 - MiB/s. Only applicable with 'efs_throughput_mode' set to 'provisioned'. |
+
+### AWS FSx for NetApp ONTAP File System
+
+When `storage_type=ha` and `storage_type_backend=ontap`, an [AWS FSx for NetApp ONTAP File System](https://aws.amazon.com/fsx/netapp-ontap/) is created, and the following variables are applicable:
+
+<!--| Name | Description | Type | Default | Notes | -->
+| <div style="width:50px">Name</div> | <div style="width:150px">Description</div> | <div style="width:50px">Type</div> | <div style="width:75px">Default</div> | <div style="width:150px">Notes</div> |
+| :--- | :--- | :--- | :--- | :--- |
+| aws_fsx_ontap_deployment_type | The FSx file system availability zone deployment type. | string | SINGLE_AZ_1 | Supported values are `MULTI_AZ_1` and `SINGLE_AZ_1`. |
+| aws_fsx_ontap_file_system_storage_capacity | The storage capacity of the ONTAP file system in GiB. | number | 1024 | Valid values range from  1024 to 196608. |
+| aws_fsx_ontap_file_system_throughput_capacity | The throughput capacity of the ONTAP file system in MBps. | number | 512 | Valid values are 128, 256, 512, 1024, 2048 and 4096. |
+| aws_fsx_ontap_fsxadmin_password | The ONTAP administrative password for the fsxadmin user. | string | "v3RyS3cretPa$sw0rd" | |
+
 ### AWS Elastic Block Store (EBS)
 
 [AWS Elastic Block Store](https://aws.amazon.com/ebs/) is a block-level storage service provided by AWS for use with EC2 instances. EBS provides persistent storage for EC2 instances, allowing data to persist even after an EC2 instance is stopped or terminated. EBS volumes can be used as the root device for an EC2 instance, or as additional storage volumes. They can be attached and detached from instances as needed and can also be encrypted for increased security.

files/policies/devops-iac-eks-policy.json

@@ -110,6 +110,8 @@
                 "ecr:ListTagsForResource",
                 "iam:AddRoleToInstanceProfile",
                 "iam:AttachRolePolicy",
+                "iam:AttachUserPolicy",
+                "iam:DetachUserPolicy",
                 "iam:CreateAccessKey",
                 "iam:CreateInstanceProfile",
                 "iam:CreateOpenIDConnectProvider",

linting-configs/.tflint.hcl

@@ -22,17 +22,17 @@ plugin "terraform" {
   enabled = true
 }
 
-# Disallow // comments in favor of #. 
+# Disallow // comments in favor of #.
 rule "terraform_comment_syntax" {
   enabled = true
 }
 
-# Disallow legacy dot index syntax. 
+# Disallow legacy dot index syntax.
 rule "terraform_deprecated_index" {
-  enabled = true 
+  enabled = true
 }
 
-# Disallow deprecated (0.11-style) interpolation. 
+# Disallow deprecated (0.11-style) interpolation.
 rule "terraform_deprecated_interpolation" {
   enabled = true
 }
@@ -47,17 +47,17 @@ rule "terraform_documented_variables" {
   enabled = true
 }
 
-# Disallow comparisons with [] when checking if a collection is empty. 	
+# Disallow comparisons with [] when checking if a collection is empty.
 rule "terraform_empty_list_equality" {
   enabled = true
 }
 
-# Disallow specifying a git or mercurial repository as a module source without pinning to a version. 
+# Disallow specifying a git or mercurial repository as a module source without pinning to a version.
 rule "terraform_module_pinned_source" {
   enabled = true
 }
 
-# Checks that Terraform modules sourced from a registry specify a version. 
+# Checks that Terraform modules sourced from a registry specify a version.
 rule "terraform_module_version" {
   enabled = true
 }
@@ -96,27 +96,27 @@ rule "terraform_naming_convention" {
 
 }
 
-# Require that all providers have version constraints through required_providers. 
+# Require that all providers have version constraints through required_providers.
 rule "terraform_required_providers" {
-  enabled = true
+  enabled = false
 }
 
-# Disallow terraform declarations without require_version. 
+# Disallow terraform declarations without require_version.
 rule "terraform_required_version" {
-  enabled = true
+  enabled = false
 }
 
 # Ensure that a module complies with the Terraform Standard Module Structure
 rule "terraform_standard_module_structure" {
   enabled = true
 }
 
-# Disallow variable declarations without type. 
+# Disallow variable declarations without type.
 rule "terraform_typed_variables" {
   enabled = true
 }
 
-# Disallow variables, data sources, and locals that are declared but never used. 
+# Disallow variables, data sources, and locals that are declared but never used.
 rule "terraform_unused_declarations" {
   enabled = true
 }
@@ -126,7 +126,7 @@ rule "terraform_unused_required_providers" {
   enabled = false
 }
 
-# terraform.workspace should not be used with a "remote" backend with remote execution. 
+# terraform.workspace should not be used with a "remote" backend with remote execution.
 rule "terraform_workspace_remote" {
   enabled = true
 }

locals.tf

@@ -3,6 +3,9 @@
 
 locals {
 
+  # AWS caller identity user_name derived from ARN value
+  aws_caller_identity_user_name = element(split("/", data.aws_caller_identity.terraform.arn), length(split("/", data.aws_caller_identity.terraform.arn)) - 1)
+
   # General
   security_group_id         = var.security_group_id == null ? aws_security_group.sg[0].id : data.aws_security_group.sg[0].id
   cluster_security_group_id = var.cluster_security_group_id == null ? aws_security_group.cluster_security_group[0].id : var.cluster_security_group_id
@@ -14,7 +17,7 @@ locals {
   # aws_shared_credentials_file - is DEPRECATED and will be removed in a future release
   use_aws_shared_credentials_file = var.aws_shared_credentials_file != null ? length(var.aws_shared_credentials_file) > 0 ? true : false : false
   # Assign correct credential file value - If the old value is false, then new value must be used.
-  aws_shared_credentials          = local.use_aws_shared_credentials_file ? [var.aws_shared_credentials_file] : var.aws_shared_credentials_files
+  aws_shared_credentials = local.use_aws_shared_credentials_file ? [var.aws_shared_credentials_file] : var.aws_shared_credentials_files
 
   # CIDRs
   default_public_access_cidrs           = var.default_public_access_cidrs == null ? [] : var.default_public_access_cidrs
@@ -33,6 +36,11 @@ locals {
     : null
   )
 
+  # Storage
+  storage_type_backend = (var.storage_type == "none" ? "none"
+    : var.storage_type == "standard" ? "nfs"
+    : var.storage_type == "ha" && var.storage_type_backend == "ontap" ? "ontap"
+  : var.storage_type == "ha" ? "efs" : "none")
 
   # Kubernetes
   kubeconfig_filename = "${local.cluster_name}-kubeconfig.conf"

main.tf

@@ -188,6 +188,15 @@ module "ebs" {
   oidc_url     = module.eks.cluster_oidc_issuer_url
 }
 
+module "ontap" {
+  source = "./modules/aws_fsx_ontap"
+
+  prefix        = var.prefix
+  cluster_name  = local.cluster_name
+  tags          = local.tags
+  iam_user_name = local.aws_caller_identity_user_name
+}
+
 module "kubeconfig" {
   source                   = "./modules/kubeconfig"
   prefix                   = var.prefix

modules/aws_autoscaling/variables.tf

@@ -4,13 +4,13 @@
 variable "prefix" {
   description = "A prefix used for all AWS Cloud resources created by this script"
   type        = string
-  default     = null
+  default     = ""
 }
 
 variable "cluster_name" {
   description = "Name of EKS cluster"
   type        = string
-  default     = null
+  default     = ""
 }
 
 variable "tags" {
@@ -22,5 +22,5 @@ variable "tags" {
 variable "oidc_url" {
   description = "OIDC URL of EKS cluster"
   type        = string
-  default     = null
+  default     = ""
 }

modules/aws_ebs_csi/variables.tf

@@ -4,13 +4,13 @@
 variable "prefix" {
   description = "A prefix used for all AWS Cloud resources created by this script"
   type        = string
-  default     = null
+  default     = ""
 }
 
 variable "cluster_name" {
   description = "Name of EKS cluster"
   type        = string
-  default     = null
+  default     = ""
 }
 
 variable "tags" {
@@ -22,5 +22,5 @@ variable "tags" {
 variable "oidc_url" {
   description = "OIDC URL of EKS cluster"
   type        = string
-  default     = null
+  default     = ""
 }

modules/aws_fsx_ontap/main.tf

@@ -0,0 +1,83 @@
+# Copyright © 2021-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Permissions based off the IAM Policies required to manage fsx_ontap resources in this project
+data "aws_iam_policy_document" "worker_fsx_ontap" {
+  statement {
+    sid       = "fsxFileSystemOwn"
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "fsx:CreateFileSystem",
+      "fsx:UpdateFileSystem",
+      "fsx:UntagResource",
+      "fsx:CreateBackup",
+      "fsx:TagResource",
+      "fsx:DeleteFileSystem",
+    ]
+  }
+
+  statement {
+    sid       = "fsxFileSystemAll"
+    effect    = "Allow"
+    resources = ["arn:aws:fsx:*:*:*/*"]
+
+    actions = [
+      "fsx:CreateVolume",
+      "fsx:DeleteStorageVirtualMachine",
+      "fsx:UpdateVolume",
+      "fsx:CreateStorageVirtualMachine",
+      "fsx:DeleteVolume",
+    ]
+  }
+
+  statement {
+    sid       = "fsxVolumeOwn"
+    effect    = "Allow"
+    resources = ["arn:aws:fsx:*:*:volume/*"]
+
+    actions = [
+      "fsx:CreateVolume",
+      "fsx:UpdateVolume",
+      "fsx:DeleteVolume",
+    ]
+  }
+
+  statement {
+    sid       = "fsxDescribeAll"
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "fsx:DescribeFileSystems",
+      "fsx:DescribeVolumes",
+      "fsx:DescribeStorageVirtualMachines",
+      "fsx:UntagResource",
+      "fsx:TagResource",
+    ]
+  }
+
+  statement {
+    sid       = "fsxListTagsAll"
+    effect    = "Allow"
+    resources = ["arn:aws:fsx:*:*:*/*"]
+    actions   = ["fsx:ListTagsForResource"]
+  }
+}
+
+resource "aws_iam_policy" "worker_fsx_ontap" {
+  name_prefix = "${var.prefix}-fsx-ontap"
+  description = "EKS worker node fsx_ontap policy for cluster ${var.cluster_name}"
+  policy      = data.aws_iam_policy_document.worker_fsx_ontap.json
+  tags        = var.tags
+}
+
+data "aws_iam_user" "terraform" {
+  user_name = var.iam_user_name
+}
+
+resource "aws_iam_user_policy_attachment" "attachment" {
+  user       = data.aws_iam_user.terraform.user_name
+  policy_arn = aws_iam_policy.worker_fsx_ontap.arn
+}

modules/aws_fsx_ontap/outputs.tf

@@ -0,0 +1,2 @@
+# Copyright © 2021-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0

modules/aws_fsx_ontap/variables.tf

@@ -0,0 +1,26 @@
+# Copyright © 2021-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+variable "prefix" {
+  description = "A prefix used for all AWS Cloud resources created by this script"
+  type        = string
+  default     = ""
+}
+
+variable "cluster_name" {
+  description = "Name of EKS cluster"
+  type        = string
+  default     = ""
+}
+
+variable "tags" {
+  description = "Tags used for fsx_ontap"
+  type        = map(any)
+  default     = null
+}
+
+variable "iam_user_name" {
+  description = "AWS caller identity user name parsed from the ARN value"
+  type        = string
+  default     = ""
+}

modules/aws_vm/main.tf

@@ -85,6 +85,14 @@ resource "aws_instance" "vm" {
 
   tags = merge(var.tags, tomap({ Name : "${var.name}-vm" }))
 
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      ami,
+    ]
+  }
+
 }
 
 resource "aws_eip" "eip" {