Merge pull request #287 from sassoftware/staging

6.2.0 - February 17, 2023
sassoftware · Feb 17, 2023 · b4c783b · b4c783b
2 parents 67ca32d + bf82e54
commit b4c783b
Show file tree

Hide file tree

Showing 15 changed files with 99 additions and 30 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,7 @@ ARG AZURECLI_VERSION=2.24.2
 
 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform
 FROM mcr.microsoft.com/azure-cli:$AZURECLI_VERSION
-ARG KUBECTL_VERSION=1.23.8
+ARG KUBECTL_VERSION=1.23.12
 
 WORKDIR /viya4-iac-azure
 

diff --git a/README.md b/README.md
@@ -58,7 +58,7 @@ Access to an **Azure Subscription** and an [**Identity**](./docs/user/TerraformA
 
 #### Terraform Requirements:
 - [Terraform](https://www.terraform.io/downloads.html) - v1.0.0
-- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.23.8
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.23.12
 - [jq](https://stedolan.github.io/jq/) - v1.6
 - [Azure CLI](https://docs.microsoft.com/en-us/cli/azure) - (optional - useful as an alternative to the Azure Portal) - v2.24.2
 

diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
@@ -63,7 +63,7 @@ To do set these permissions as part of this Terraform script, specify ranges of
 
 NOTE: When deploying infrastructure into a private network (e.g. a VPN), with no public endpoints, the options documented in this block are not applicable.
 
-NOTE: The script will either create a new NSG, or use an existing NSG, if specified in the [`nsg_name`](#use-existing) variable. 
+NOTE: The script will either create a new NSG, or use an existing NSG, if specified in the [`nsg_name`](#use-existing) variable.
 
 You can use `default_public_access_cidrs` to set a default range for all created resources. To set different ranges for other resources, define the appropriate variable. Use an empty list `[]` to disallow access explicitly.
 
@@ -75,7 +75,7 @@ You can use `default_public_access_cidrs` to set a default range for all created
 | postgres_public_access_cidrs | IP address ranges allowed to access the Azure PostgreSQL Flexible Server | list of strings || Opens port 5432 by adding Ingress Rule on the NSG. Only used when creating postgres instances. |
 | acr_public_access_cidrs | IP address ranges allowed to access the ACR instance | list of strings || Only used with `create_container_registry=true` |
 
-**NOTE:** In a SCIM environment, the AzureActiveDirectory service tag must be granted access to port 443/HTTPS for the Ingress IP address. 
+**NOTE:** In a SCIM environment, the AzureActiveDirectory service tag must be granted access to port 443/HTTPS for the Ingress IP address.
 
 ## Networking
 
@@ -147,7 +147,7 @@ Example for the `subnet_names` variable:
 ```yaml
 subnet_names = {
   ## Required subnets
-  'aks': '<my_aks_subnet_name>', 
+  'aks': '<my_aks_subnet_name>',
   'misc': '<my_misc_subnet_name>',
 
   ## If using ha storage then the following is also required
@@ -163,7 +163,7 @@ Ubuntu 20.04 LTS is the operating system used on the Jump/NFS servers. Ubuntu cr
 | :--- | ---: | ---: | ---: | ---: |
 | partner_id | A GUID that is registered with Microsoft to facilitate partner resource usage attribution | string | "5d27f3ae-e49c-4dea-9aa3-b44e4750cd8c" | Defaults to SAS partner GUID. When you deploy this Terraform configuration, Microsoft can identify the installation of SAS software with the deployed Azure resources. Microsoft can then correlate the resources that are used to support the software. Microsoft collects this information to provide the best experiences with their products and to operate their business. The data is collected and governed by Microsoft's privacy policies, located at https://www.microsoft.com/trustcenter. |
 | create_static_kubeconfig | Allows the user to create a provider / service account-based kubeconfig file | bool | true | A value of `false` will default to using the cloud provider's mechanism for generating the kubeconfig file. A value of `true` will create a static kubeconfig that uses a `Service Account` and `Cluster Role Binding` to provide credentials. |
-| kubernetes_version | The AKS cluster Kubernetes version | string | "1.23.8" | |
+| kubernetes_version | The AKS cluster Kubernetes version | string | "1.23.12" | |
 | create_jump_vm | Create bastion host | bool | true | |
 | create_jump_public_ip | Add public IP address to the jump VM | bool | true | |
 | jump_vm_admin | Operating system Admin User for the jump VM | string | "jumpuser" | |
@@ -261,7 +261,7 @@ In addition, you can control the placement for the additional node pools using t
 
 | Name | Description | Type | Default | Notes |
 | :--- | ---: | ---: | ---: | ---: |
-| node_pools_availability_zone | Availability Zone for the additional node pools and the NFS VM, for `storage_type="standard"'| string | "1" | The possible values depend on the region set in the "location" variable. |
+| node_pools_availability_zone | Availability Zone for the additional node pools and the NFS VM, for `storage_type="standard"`| string | "1" | The possible values depend on the region set in the "location" variable. |
 | node_pools_proximity_placement | Co-locates all node pool VMs for improved application performance. | bool | false | Selecting proximity placement imposes an additional constraint on VM creation and can lead to more frequent denials of VM allocation requests. We recommend that you set `node_pools_availability_zone=""` and allocate all required resources at one time by setting `min_nodes` and `max_nodes` to the same value for all node pools.  Additional information: [Proximity Group Placement](./user/ProximityPlacementGroup.md). |
 
 ## Storage

diff --git a/examples/sample-input-byo.tfvars b/examples/sample-input-byo.tfvars
@@ -45,7 +45,7 @@ container_registry_sku              = "Standard"
 container_registry_admin_enabled    = false
 
 # AKS config
-kubernetes_version         = "1.23.8"
+kubernetes_version         = "1.23.12"
 default_nodepool_min_nodes = 2
 default_nodepool_vm_type   = "Standard_D8s_v4"
 

diff --git a/examples/sample-input-connect.tfvars b/examples/sample-input-connect.tfvars
@@ -34,7 +34,7 @@ container_registry_sku              = "Standard"
 container_registry_admin_enabled    = false
 
 # AKS config
-kubernetes_version         = "1.23.8"
+kubernetes_version         = "1.23.12"
 default_nodepool_min_nodes = 2
 default_nodepool_vm_type   = "Standard_D8s_v4"
 

diff --git a/examples/sample-input-ha.tfvars b/examples/sample-input-ha.tfvars
@@ -32,7 +32,7 @@ container_registry_sku              = "Standard"
 container_registry_admin_enabled    = false
 
 # AKS config
-kubernetes_version         = "1.23.8"
+kubernetes_version         = "1.23.12"
 default_nodepool_min_nodes = 2
 default_nodepool_vm_type   = "Standard_D8s_v4"
 

diff --git a/examples/sample-input-minimal.tfvars b/examples/sample-input-minimal.tfvars
@@ -32,7 +32,7 @@ container_registry_sku              = "Standard"
 container_registry_admin_enabled    = false
 
 # AKS config
-kubernetes_version         = "1.23.8"
+kubernetes_version         = "1.23.12"
 default_nodepool_min_nodes = 2
 default_nodepool_vm_type   = "Standard_D4_v3"
 #v3 still has local temp storage

diff --git a/examples/sample-input-ppg.tfvars b/examples/sample-input-ppg.tfvars
@@ -32,7 +32,7 @@ container_registry_sku              = "Standard"
 container_registry_admin_enabled    = false
 
 # AKS config
-kubernetes_version         = "1.23.8"
+kubernetes_version         = "1.23.12"
 default_nodepool_min_nodes = 2
 default_nodepool_vm_type   = "Standard_D8s_v4"
 

diff --git a/examples/sample-input-singlestore.tfvars b/examples/sample-input-singlestore.tfvars
@@ -34,7 +34,7 @@ container_registry_sku              = "Standard"
 container_registry_admin_enabled    = false
 
 # AKS config
-kubernetes_version         = "1.23.8"
+kubernetes_version         = "1.23.12"
 default_nodepool_min_nodes = 2
 default_nodepool_vm_type   = "Standard_D8s_v4"
 

diff --git a/examples/sample-input.tfvars b/examples/sample-input.tfvars
@@ -34,7 +34,7 @@ container_registry_sku              = "Standard"
 container_registry_admin_enabled    = false
 
 # AKS config
-kubernetes_version         = "1.23.8"
+kubernetes_version         = "1.23.12"
 default_nodepool_min_nodes = 2
 default_nodepool_vm_type   = "Standard_D8s_v4"
 

diff --git a/files/cloud-init/nfs/cloud-config b/files/cloud-init/nfs/cloud-config
@@ -41,17 +41,17 @@ runcmd:
   #
   # Create Raid5 Array
   #
-  # NOTE: We need to sleep 5 minutes here to ensure the drives have been attached
-  #
-  # - sleep 300
   - pvcreate $(find /dev/disk/azure/scsi1/ -type l | xargs)
   - vgcreate data-vg01 $(find /dev/disk/azure/scsi1/ -type l | xargs)
   - lvcreate --type raid5 --extents 100%FREE --stripes 3 --name data-lv01 data-vg01
   - mkfs -t ext4 /dev/data-vg01/data-lv01
   #
   # Update /etc/fstab
   #
-  - echo "/dev/data-vg01/data-lv01       /export        ext4        defaults,nofail,x-systemd.requires=cloud-init.service,barrier=0,discard        0  2" >>/etc/fstab
+  - device=`lsblk -r | grep lvm | cut -d " " -f1 | grep -v "_"`
+  - mntDir='/export'
+  - deviceUUID=`sudo blkid /dev/mapper/$device | sed -r 's/.*UUID="([^"]*).*"/\1/g'`
+  - echo "UUID=$deviceUUID $mntDir auto defaults,acl,nofail 0 2" | sudo tee -a /etc/fstab > /dev/null
   - mount -a
   #
   # Update /etc/exports - NOTE: The CIDR provided works for the whole VPC

diff --git a/main.tf b/main.tf
@@ -196,7 +196,7 @@ module "node_pools" {
   max_pods                     = each.value.max_pods == null ? 110 : each.value.max_pods
   node_taints                  = each.value.node_taints
   node_labels                  = each.value.node_labels
-  zones                        = (var.node_pools_availability_zone == "" || var.node_pools_proximity_placement == true) ? [] : [var.node_pools_availability_zone]
+  zones                        = (var.node_pools_availability_zone == "" || var.node_pools_proximity_placement == true) ? [] : (var.node_pools_availability_zones != null) ? var.node_pools_availability_zones : [var.node_pools_availability_zone]
   proximity_placement_group_id = element(coalescelist(azurerm_proximity_placement_group.proximity.*.id, [""]), 0)
   orchestrator_version         = var.kubernetes_version
   tags                         = var.tags

diff --git a/modules/azure_aks/variables.tf b/modules/azure_aks/variables.tf
@@ -67,7 +67,7 @@ variable "aks_cluster_max_pods" {
 
 variable kubernetes_version {
   description = "The AKS cluster K8s version"
-  default     = "1.23.8"
+  default     = "1.23.12"
 }
 variable "aks_cluster_endpoint_public_access_cidrs" {
   description = "Kubernetes cluster access IP ranges"

diff --git a/monitor.tf b/monitor.tf
@@ -37,3 +37,43 @@ resource "azurerm_log_analytics_solution" "viya4" {
   tags = var.tags
 
 }
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting
+
+resource "azurerm_monitor_diagnostic_setting" "audit" {
+  count = var.create_aks_azure_monitor ? 1 : 0
+
+  name                       = "${var.prefix}-monitor_diagnostic_setting"
+  target_resource_id         = module.aks.cluster_id
+  log_analytics_workspace_id = azurerm_log_analytics_workspace.viya4[0].id
+
+  dynamic "log" {
+    iterator = log_category
+    for_each = var.resource_log_category
+
+    content {
+      category = log_category.value
+      enabled  = true
+
+      retention_policy {
+        enabled = true
+        days    = var.log_retention_in_days
+      }
+    }
+  }
+
+  dynamic "metric" {
+    iterator = metric_category
+    for_each = var.metric_category
+
+    content {
+      category = metric_category.value
+      enabled  = true
+
+      retention_policy {
+        enabled = true
+        days    = var.log_retention_in_days
+      }
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -41,13 +41,13 @@ variable "location" {
   default     = "eastus"
 }
 
-variable aks_cluster_sku_tier {
+variable "aks_cluster_sku_tier" {
   description = "The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free and Paid (which includes the Uptime SLA). Defaults to Free"
-  default = "Free"
-  type = string 
+  default     = "Free"
+  type        = string
 
   validation {
-    condition     = contains(["Free", "Paid"],  var.aks_cluster_sku_tier)
+    condition     = contains(["Free", "Paid"], var.aks_cluster_sku_tier)
     error_message = "ERROR: Valid types are \"Free\" and \"Paid\"!"
   }
 }
@@ -92,7 +92,7 @@ variable "default_nodepool_vm_type" {
 }
 variable "kubernetes_version" {
   description = "The AKS cluster K8s version"
-  default     = "1.23.8"
+  default     = "1.23.12"
 }
 
 variable "default_nodepool_max_nodes" {
@@ -113,7 +113,7 @@ variable "default_nodepool_max_pods" {
 }
 
 variable "default_nodepool_availability_zones" {
-  type    = list(any)
+  type    = list(string)
   default = ["1"]
 }
 
@@ -364,7 +364,7 @@ variable "netapp_volume_path" {
 
 variable "netapp_network_features" {
   description = "Indicates which network feature to use, accepted values are Basic or Standard, it defaults to Basic if not defined."
-  type    = string
+  type        = string
   default     = "Basic"
 }
 
@@ -373,6 +373,12 @@ variable "node_pools_availability_zone" {
   default = "1"
 }
 
+variable "node_pools_availability_zones" {
+  description = "Specifies a list of Availability Zones in which the Kubernetes Cluster Node Pool should be located. Changing this forces a new Kubernetes Cluster Node Pool to be created."
+  type    = list(string)
+  default = null
+}
+
 variable "node_pools_proximity_placement" {
   type    = bool
   default = false
@@ -439,7 +445,7 @@ variable "node_pools" {
   }
 }
 
-# Azure Monitor
+# Azure Monitor - Undocumented
 variable "create_aks_azure_monitor" {
   type        = bool
   description = "Enable Azure Log Analytics agent on AKS cluster"
@@ -488,6 +494,29 @@ variable "log_analytics_solution_promotion_code" {
   default     = ""
 }
 
+## Azure Monitor Diagonostic setting - Undocumented
+variable "resource_log_category" {
+  type        = list(string)
+  description = "List of all resource logs category types supported in Azure Monitor. See https://learn.microsoft.com/en-us/azure/aks/monitor-aks-reference#resource-logs."
+  default     = ["kube-controller-manager", "kube-apiserver", "kube-scheduler"]
+
+  validation {
+    condition     = length(var.resource_log_category) > 0
+    error_message = "Please specify at least one resource log category. See the list of all resource logs category types supported in Azure Monitor here: https://learn.microsoft.com/en-us/azure/aks/monitor-aks-reference#resource-logs."
+  }
+}
+
+variable "metric_category" {
+  type        = list(string)
+  description = "List of all metric category types supported in Azure Monitor. See https://learn.microsoft.com/en-us/azure/aks/monitor-aks-reference#metrics."
+  default     = ["AllMetrics"]
+
+  validation {
+    condition     = length(var.metric_category) > 0
+    error_message = "Please specify at least one metric category. See the list of all platform metrics supported in Azure Monitor here: https://learn.microsoft.com/en-us/azure/aks/monitor-aks-reference#metrics."
+  }
+}
+
 # BYO
 variable "resource_group_name" {
   type        = string
@@ -531,8 +560,8 @@ variable "subnet_names" {
   description = "Map subnet usage roles to existing subnet names"
   # Example:
   # subnet_names = {
-  #   'aks': 'my_aks_subnet', 
-  #   'misc': 'my_misc_subnet', 
+  #   'aks': 'my_aks_subnet',
+  #   'misc': 'my_misc_subnet',
   #   'netapp': 'my_netapp_subnet'
   # }
 }