diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index 64bee2c9..f17288c1 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -193,6 +193,7 @@ Ubuntu 20.04 LTS is the operating system used on the Jump/NFS servers. Ubuntu cr
 | aks_identity | Use UserAssignedIdentity or Service Principal as [AKS identity](https://docs.microsoft.com/en-us/azure/aks/concepts-identity) | string | "uai" | A value of `uai` wil create a Managed Identity based on the permissions of the authenticated user or use [`AKS_UAI_NAME`](#use-existing), if set. A value of `sp` will use values from [`CLIENT_ID`/`CLIENT_SECRET`](#azure-authentication), if set. |
 | ssh_public_key | File name of public ssh key for jump and nfs VM | string | "~/.ssh/id_rsa.pub" | Required with `create_jump_vm=true` or `storage_type=standard` |
 | cluster_api_mode | Public or private IP for the cluster api | string | "public" | Valid Values: "public", "private" |
+| aks_cluster_private_dns_zone_id | Specifies private DNS zone resource ID for AKS private cluster to use | string | "" | For `cluster_api_mode=private` if `aks_cluster_private_dns_zone_id` is not specified then the value `System` is used else it is set to null. For details see [Configure a private DNS zone](https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=azure-portal#configure-a-private-dns-zone) |
 | aks_cluster_sku_tier | Optimizes api server for cost vs availability | string | "Free" | Valid Values: "Free", "Standard" |
 
 ## Node Pools
@@ -359,7 +360,7 @@ Each server element, like `foo = {}`, can contain none, some, or all of the para
 | administrator_password | The Password associated with the administrator_login for the PostgreSQL Flexible Server | string | "my$up3rS3cretPassw0rd" | The password must contain between 8 and 128 characters and must contain characters from three of the following categories: English uppercase letters, English lowercase letters, numbers (0 through 9), and non-alphanumeric characters (!, $, #, %, etc.). |
 | server_version | The version of the PostgreSQL Flexible server instance | string | "13" | Refer to the [SAS Viya Platform Administration Guide](https://go.documentation.sas.com/doc/en/sasadmincdc/default/itopssr/p05lfgkwib3zxbn1t6nyihexp12n.htm?fromDefault=#p1wq8ouke3c6ixn1la636df9oa1u) for the supported versions of PostgreSQL for the SAS Viya platform. |
 | ssl_enforcement_enabled | Enforce SSL on connection to the Azure Database for PostgreSQL Flexible server instance | bool | true | |
-| connectivity_method | Network connectivity option to connect to your flexible server. There are two connectivity options available: Public access (allowed IP addresses) and Private access (VNet Integration). Defaults to public access with firewall rules enabled.| string | "public" | Valid options are `public` and `private`. See details [here](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking) |
+| connectivity_method | Network connectivity option to connect to your flexible server. There are two connectivity options available: Public access (allowed IP addresses) and Private access (VNet Integration). Defaults to public access with firewall rules enabled.| string | "public" | Valid options are `public` and `private`. See sample input file [here](../examples/sample-input-postgres.tfvars) and Private access documentation [here](./user/PostgreSQLPrivateAccess.md). For more details see [Networking overview](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking) |
 | postgresql_configurations | Sets a PostgreSQL Configuration value on a Azure PostgreSQL Flexible Server | list(object) | [] | More details can be found [here](https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/howto-configure-server-parameters-using-cli) |
 
 Multiple SAS offerings require a second PostgreSQL instance referred to as SAS Common Data Store, or CDS PostgreSQL. For more information, see [Common Customizations](https://go.documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=dplyml0phy0dkr&docsetTarget=n08u2yg8tdkb4jn18u8zsi6yfv3d.htm#p0wkxxi9s38zbzn19ukjjaxsc0kl). A list of SAS offerings that require CDS PostgreSQL is provided in [SAS Common Data Store Requirements](https://go.documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=itopssr&docsetTarget=p05lfgkwib3zxbn1t6nyihexp12n.htm#n03wzanutmc6gon1val5fykas9aa). To create and configure an external CDS PostgreSQL instance in addition to the external platform PostgreSQL instance named `default`, specify `cds-postgres` as a second PostgreSQL instance, as shown in the example below.
diff --git a/docs/user/PostgreSQLPrivateAccess.md b/docs/user/PostgreSQLPrivateAccess.md
index 0be39d4d..75874412 100644
--- a/docs/user/PostgreSQLPrivateAccess.md
+++ b/docs/user/PostgreSQLPrivateAccess.md
@@ -9,7 +9,7 @@ In this document, we will focus on PostgreSQL server with Private access (VNet I
 You can deploy a flexible server into your Azure virtual network (VNet). Azure virtual networks provide private and secure network communication. Resources in a virtual network can communicate through private IP addresses that were assigned on this network. In Private access, the connections to the PostgreSQL server are restricted to only within your virtual network. To learn more about it, refer to [Private access (VNet Integration)](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking#private-access-vnet-integration).
 
-To create PostgreSQL Flexible Server with the private access connectivity method use the example file provided [here](../../examples/sample-input-ppg.tfvars).
+To create PostgreSQL Flexible Server with the private access connectivity method use the example file provided [here](../../examples/sample-input-postgres.tfvars).
 
 # Connect Azure Database for PostgreSQL Flexible Server with the private access connectivity method
 
diff --git a/examples/sample-input-postgres.tfvars b/examples/sample-input-postgres.tfvars
new file mode 100644
index 00000000..b8e7c05a
--- /dev/null
+++ b/examples/sample-input-postgres.tfvars
@@ -0,0 +1,154 @@
+# !NOTE! - These are only a subset of CONFIG-VARS.md provided as examples.
+# Customize this file to add any variables from 'CONFIG-VARS.md' whose default
+# values you want to change.
+
+# **************** REQUIRED VARIABLES ****************
+# Values for these required variables MUST be provided
+prefix = "" # this is a prefix that you assign for the resources to be created
+location = "" # e.g., "eastus2"
+# **************** REQUIRED VARIABLES ****************
+
+# !NOTE! - Without specifying your CIDR block access rules, ingress traffic
+# to your cluster will be blocked by default.
+
+# ************** RECOMMENDED VARIABLES ***************
+default_public_access_cidrs = [] # e.g., ["123.45.6.89/32"]
+ssh_public_key = "~/.ssh/id_rsa.pub"
+# ************** RECOMMENDED VARIABLES ***************
+
+# Tags can be specified matching your tagging strategy.
+tags = {} # for example: { "owner|email" = "@.", "key1" = "value1", "key2" = "value2" }
+
+# PostgreSQL
+
+# Postgres config - By having this entry a database server is created.
+# Default networking option: Public access (allowed IP addresses) is enabled
+# If you do not need an external database server remove the 'postgres_servers'
+# block below.
+postgres_servers = {
+ default = {},
+}
+
+# To use Private access (VNet Integration) remove the 'postgres_servers' block above and uncomment the blocks below:
+# postgres_servers and subnets
+
+# postgres_servers = {
+# default = {
+# connectivity_method = "private"
+# }
+# }
+#
+# # Subnet for PostgreSQL
+# subnets = {
+# aks = {
+# "prefixes" : ["192.168.0.0/23"],
+# "service_endpoints" : ["Microsoft.Sql"],
+# "private_endpoint_network_policies_enabled" : true,
+# "private_link_service_network_policies_enabled" : false,
+# "service_delegations" : {},
+# }
+# misc = {
+# "prefixes" : ["192.168.2.0/24"],
+# "service_endpoints" : ["Microsoft.Sql"],
+# "private_endpoint_network_policies_enabled" : true,
+# "private_link_service_network_policies_enabled" : false,
+# "service_delegations" : {},
+# }
+# netapp = {
+# "prefixes" : ["192.168.3.0/24"],
+# "service_endpoints" : [],
+# "private_endpoint_network_policies_enabled" : false,
+# "private_link_service_network_policies_enabled" : false,
+# "service_delegations" : {
+# netapp = {
+# "name" : "Microsoft.Netapp/volumes"
+# "actions" : ["Microsoft.Network/networkinterfaces/*", "Microsoft.Network/virtualNetworks/subnets/join/action"]
+# }
+# }
+# }
+# postgresql = {
+# "prefixes": ["192.168.4.0/24"],
+# "service_endpoints": ["Microsoft.Sql"],
+# "private_endpoint_network_policies_enabled": true,
+# "private_link_service_network_policies_enabled": false,
+# "service_delegations": {
+# flexpostgres = {
+# "name" : "Microsoft.DBforPostgreSQL/flexibleServers"
+# "actions" : ["Microsoft.Network/virtualNetworks/subnets/join/action"]
+# }
+# }
+# }
+# }
+
+# Azure Container Registry config
+create_container_registry = false
+container_registry_sku = "Standard"
+container_registry_admin_enabled = false
+
+# AKS config
+kubernetes_version = "1.26"
+default_nodepool_min_nodes = 2
+default_nodepool_vm_type = "Standard_D8s_v4"
+
+# AKS Node Pools config
+node_pools = {
+ cas = {
+ "machine_type" = "Standard_E16s_v3"
+ "os_disk_size" = 200
+ "min_nodes" = 1
+ "max_nodes" = 1
+ "max_pods" = 110
+ "node_taints" = ["workload.sas.com/class=cas:NoSchedule"]
+ "node_labels" = {
+ "workload.sas.com/class" = "cas"
+ }
+ },
+ compute = {
+ "machine_type" = "Standard_E16s_v3"
+ "os_disk_size" = 200
+ "min_nodes" = 1
+ "max_nodes" = 1
+ "max_pods" = 110
+ "node_taints" = ["workload.sas.com/class=compute:NoSchedule"]
+ "node_labels" = {
+ "workload.sas.com/class" = "compute"
+ "launcher.sas.com/prepullImage" = "sas-programming-environment"
+ }
+ },
+ stateless = {
+ "machine_type" = "Standard_D16s_v3"
+ "os_disk_size" = 200
+ "min_nodes" = 1
+ "max_nodes" = 2
+ "max_pods" = 110
+ "node_taints" = ["workload.sas.com/class=stateless:NoSchedule"]
+ "node_labels" = {
+ "workload.sas.com/class" = "stateless"
+ }
+ },
+ stateful = {
+ "machine_type" = "Standard_D8s_v3"
+ "os_disk_size" = 200
+ "min_nodes" = 1
+ "max_nodes" = 3
+ "max_pods" = 110
+ "node_taints" = ["workload.sas.com/class=stateful:NoSchedule"]
+ "node_labels" = {
+ "workload.sas.com/class" = "stateful"
+ }
+ }
+}
+
+# Jump Server
+create_jump_public_ip = true
+jump_vm_admin = "jumpuser"
+jump_vm_machine_type = "Standard_B2s"
+
+# Storage for SAS Viya CAS/Compute
+storage_type = "standard"
+# required ONLY when storage_type is "standard" to create NFS Server VM
+create_nfs_public_ip = false
+nfs_vm_admin = "nfsuser"
+nfs_vm_machine_type = "Standard_D8s_v4"
+nfs_raid_disk_size = 128
+nfs_raid_disk_type = "Standard_LRS"
diff --git a/examples/sample-input-ppg.tfvars b/examples/sample-input-ppg.tfvars
index 7dad5163..c79a12fa 100644
--- a/examples/sample-input-ppg.tfvars
+++ b/examples/sample-input-ppg.tfvars
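Review bot: The commented-out private-access `subnets` map re-declares the `aks`, `misc` and `netapp` subnets alongside the new `postgresql` one without saying why, and a reader who uncomments only the `postgresql` entry would drop the other three, because a `subnets` value supplied in tfvars replaces the variable's default map rather than merging into it. Add, above `# # Subnet for PostgreSQL`, the line `# # NOTE: a 'subnets' value replaces the default subnet map, so every subnet (not only 'postgresql') must be listed here and kept in step with the defaults in CONFIG-VARS.md.`. Only the `postgresql` entry, with its `Microsoft.DBforPostgreSQL/flexibleServers` delegation, is specific to private access; the other three appear to be copies of the module defaults and will silently drift if those defaults change — confirm against the `subnets` variable definition, which is not in this diff.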
@@ -19,8 +19,6 @@ ssh_public_key = "~/.ssh/id_rsa.pub"
 # Tags can be specified matching your tagging strategy.
 tags = {} # for example: { "owner|email" = "@.", "key1" = "value1", "key2" = "value2" }
 
-# PostgreSQL
-
 # Postgres config - By having this entry a database server is created.
 # Default networking option: Public access (allowed IP addresses) is enabled
 # If you do not need an external database server remove the 'postgres_servers'
@@ -29,57 +27,6 @@ postgres_servers = {
 default = {},
 }
 
-# To use Private access (VNet Integration) remove the 'postgres_servers' block above and uncomment the blocks below:
-# postgres_servers and subnets
-
-# postgres_servers = {
-# default = {
-# connectivity_method = "private"
-# }
-# }
-#
-# # Subnet for PostgreSQL
-# subnets = {
-# aks = {
-# "prefixes" : ["192.168.0.0/23"],
-# "service_endpoints" : ["Microsoft.Sql"],
-# "private_endpoint_network_policies_enabled" : true,
-# "private_link_service_network_policies_enabled" : false,
-# "service_delegations" : {},
-# }
-# misc = {
-# "prefixes" : ["192.168.2.0/24"],
-# "service_endpoints" : ["Microsoft.Sql"],
-# "private_endpoint_network_policies_enabled" : true,
-# "private_link_service_network_policies_enabled" : false,
-# "service_delegations" : {},
-# }
-# netapp = {
-# "prefixes" : ["192.168.3.0/24"],
-# "service_endpoints" : [],
-# "private_endpoint_network_policies_enabled" : false,
-# "private_link_service_network_policies_enabled" : false,
-# "service_delegations" : {
-# netapp = {
-# "name" : "Microsoft.Netapp/volumes"
-# "actions" : ["Microsoft.Network/networkinterfaces/*", "Microsoft.Network/virtualNetworks/subnets/join/action"]
-# }
-# }
-# }
-# postgresql = {
-# "prefixes": ["192.168.4.0/24"],
-# "service_endpoints": ["Microsoft.Sql"],
-# "private_endpoint_network_policies_enabled": true,
-# "private_link_service_network_policies_enabled": false,
-# "service_delegations": {
-# flexpostgres = {
-# "name" : "Microsoft.DBforPostgreSQL/flexibleServers"
-# "actions" : ["Microsoft.Network/virtualNetworks/subnets/join/action"]
-# }
-# }
-# }
-# }
-
 # Azure Container Registry config
 create_container_registry = false
 container_registry_sku = "Standard"
diff --git a/main.tf b/main.tf
index 8d739936..0d716e77 100644
--- a/main.tf
+++ b/main.tf
@@ -145,6 +145,7 @@ module "aks" {
 aks_cluster_node_vm_size = var.default_nodepool_vm_type
 aks_cluster_node_admin = var.node_vm_admin
 aks_cluster_ssh_public_key = try(file(var.ssh_public_key), "")
+ aks_cluster_private_dns_zone_id = var.aks_cluster_private_dns_zone_id
 aks_vnet_subnet_id = module.vnet.subnets["aks"].id
 kubernetes_version = var.kubernetes_version
 aks_cluster_endpoint_public_access_cidrs = var.cluster_api_mode == "private" ? [] : local.cluster_endpoint_public_access_cidrs # "Private cluster cannot be enabled with AuthorizedIPRanges.""
diff --git a/modules/azure_aks/main.tf b/modules/azure_aks/main.tf
index 20a9726b..d1d0098c 100644
--- a/modules/azure_aks/main.tf
+++ b/modules/azure_aks/main.tf
@@ -6,7 +6,9 @@ resource "azurerm_kubernetes_cluster" "aks" {
 name = var.aks_cluster_name
 location = var.aks_cluster_location
 resource_group_name = var.aks_cluster_rg
- dns_prefix = var.aks_cluster_dns_prefix
+ dns_prefix = var.aks_private_cluster == false || var.aks_cluster_private_dns_zone_id == "" ? var.aks_cluster_dns_prefix : null
+ dns_prefix_private_cluster = var.aks_private_cluster && var.aks_cluster_private_dns_zone_id != "" ? var.aks_cluster_dns_prefix : null
+
 sku_tier = var.aks_cluster_sku_tier
 role_based_access_control_enabled = true
 http_application_routing_enabled = false
@@ -16,7 +18,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
 kubernetes_version = var.kubernetes_version
 api_server_authorized_ip_ranges = var.aks_cluster_endpoint_public_access_cidrs
 private_cluster_enabled = var.aks_private_cluster
- private_dns_zone_id = var.aks_private_cluster ? "System" : null
+ private_dns_zone_id = var.aks_private_cluster && var.aks_cluster_private_dns_zone_id != "" ? var.aks_cluster_private_dns_zone_id : (var.aks_private_cluster ? "System" : null)
 
 network_profile {
 network_plugin = var.aks_network_plugin
diff --git a/modules/azure_aks/variables.tf b/modules/azure_aks/variables.tf
index 46b53b1a..92795558 100644
--- a/modules/azure_aks/variables.tf
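Review bot: The predicate `var.aks_private_cluster && var.aks_cluster_private_dns_zone_id != ""` (and its De Morgan negation on the `dns_prefix` line) is spelled out three times, here and again on the `private_dns_zone_id` line of the next hunk, so the three attributes can drift apart under a future edit; compute it once in a `locals` block and reference the local from all three, which also lets `var.aks_private_cluster == false` become `!var.aks_private_cluster`. azurerm requires exactly one of `dns_prefix` / `dns_prefix_private_cluster`, and changing either (or `private_dns_zone_id`) forces replacement of the cluster, which deserves a comment so nobody toggles the new variable on a live deployment without expecting a rebuild. The `resource "azurerm_kubernetes_cluster" "aks"` block starts and ends outside the hunk.
```hcl
locals {
  # True only when a private cluster was requested AND a caller-supplied DNS zone was given.
  use_custom_private_dns_zone = var.aks_private_cluster && var.aks_cluster_private_dns_zone_id != ""
}

resource "azurerm_kubernetes_cluster" "aks" {
  # … unchanged: name, location, resource_group_name …
  # Exactly one of these two may be set; changing either recreates the cluster.
  dns_prefix                 = local.use_custom_private_dns_zone ? null : var.aks_cluster_dns_prefix
  dns_prefix_private_cluster = local.use_custom_private_dns_zone ? var.aks_cluster_dns_prefix : null
  # … unchanged: sku_tier and the rest of the resource …
```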
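Review bot: A non-empty `aks_cluster_private_dns_zone_id` on a public cluster (`aks_private_cluster = false`) is silently discarded by the nested conditional on the `private_dns_zone_id` line, so an operator who set the zone but forgot to switch the cluster API mode to private gets a public cluster with no warning; add a comment stating the precedence, `# custom zone only honored for private clusters; empty id -> AKS-managed "System" zone; public cluster -> null`, and consider rejecting the combination with a root-level validation. Azure's private-cluster guide states that a bring-your-own private DNS zone requires the cluster's user-assigned identity to hold Private DNS Zone Contributor on that zone (and Network Contributor on the VNet) — verify against the current docs; this module assigns neither role and the `aks_identity` documentation does not mention it, so that prerequisite should be recorded in the CONFIG-VARS.md row or implemented as a role assignment. The enclosing resource block starts and ends outside the hunk.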
+++ b/modules/azure_aks/variables.tf
@@ -223,3 +223,8 @@ variable "cluster_egress_type" {
 type = string
 default = "loadBalancer"
 }
+
+variable "aks_cluster_private_dns_zone_id" {
+ type = string
+ default = ""
+}
diff --git a/outputs.tf b/outputs.tf
index c0db1f19..d8e52904 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -26,6 +26,10 @@ output "aks_cluster_password" {
 sensitive = true
 }
 
+output "aks_pod_cidr" {
+ value = var.aks_pod_cidr
+}
+
 
 # postgres
 output "postgres_servers" {
diff --git a/variables.tf b/variables.tf
index 23cc644a..ee188417 100644
--- a/variables.tf
+++ b/variables.tf
@@ -754,6 +754,12 @@ variable "aks_identity" {
 }
 }
 
+variable "aks_cluster_private_dns_zone_id" {
+ description = "Specify private DNS zone resource ID for AKS private cluster to use."
+ type = string
+ default = ""
+}
+
 ## Message Broker - Azure Service Bus - Experimental
 variable "create_azure_message_broker" {
 description = "Allows user to create a fully managed enterprise message broker: Azure Service Bus"
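Review bot: The new module variable has no `description` and accepts any string, although the value it feeds into `private_dns_zone_id` must be a Private DNS zone resource ID and a typo only surfaces at apply time, with cluster recreation at stake; add a description that spells out what the empty default means and a `validation` block that checks the resource-ID shape. The same validation belongs on the root-level `aks_cluster_private_dns_zone_id` in variables.tf later in this diff, where the user's input actually enters. The regex below is constructed from the documented Azure resource-ID layout and is case-insensitive because Azure compares IDs that way.
```hcl
variable "aks_cluster_private_dns_zone_id" {
  description = "Resource ID of an existing Azure Private DNS zone for a private AKS cluster. Empty string (default) lets AKS manage a 'System' zone; ignored when the cluster is not private."
  type        = string
  default     = ""

  validation {
    condition     = var.aks_cluster_private_dns_zone_id == "" || can(regex("(?i)^/subscriptions/[^/]+/resourcegroups/[^/]+/providers/microsoft\\.network/privatednszones/[^/]+$", var.aks_cluster_private_dns_zone_id))
    error_message = "The value of aks_cluster_private_dns_zone_id must be empty or a Private DNS zone resource ID (/subscriptions/.../providers/Microsoft.Network/privateDnsZones/<zone>)."
  }
}
```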
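Review bot: The new `aks_pod_cidr` output echoes the input variable rather than a value read back from the cluster, so it reports a pod CIDR even in configurations where `pod_cidr` is not applied (azurerm only honors it for kubenet or Azure CNI overlay); if the aks module exposes the cluster's `network_profile` pod CIDR, output that instead, otherwise add `description = "Pod CIDR requested via var.aks_pod_cidr; not read back from the cluster and only meaningful for kubenet/overlay networking."` so consumers know its provenance. This output is also unrelated to the private DNS zone change the rest of the commit makes and would be easier to trace in its own commit.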
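Review bot: The `description` on the root `aks_cluster_private_dns_zone_id` does not say what the empty default means, that the value only takes effect when the cluster is private (presumably via `cluster_api_mode = "private"`, which the main.tf hunk uses for the same purpose), or that changing it recreates the cluster; the row this commit adds to docs/CONFIG-VARS.md additionally says the value "is set to null" when specified, which contradicts the module code that passes the supplied ID straight through. Align both with the implementation, e.g. `description = "Resource ID of an existing Private DNS zone for a private AKS cluster. Empty (default) lets AKS manage a 'System' zone; ignored unless cluster_api_mode = \"private\". Changing it recreates the cluster."`. A `validation` block like the one proposed for the module variable belongs here too, since this is where user input enters.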