From ab9ada5141a4ba177a3ad717855a5120adbaee12 Mon Sep 17 00:00:00 2001
From: Ritika Patil <94649368+riragh@users.noreply.github.com>
Date: Thu, 26 Oct 2023 09:24:14 -0500
Subject: [PATCH 1/5] feat: (IAC-1191) Remediate security vulnerabilities (#344)

---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 08b28d3d..660618ce 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,9 @@
 ARG TERRAFORM_VERSION=1.4.5
-ARG AZURECLI_VERSION=2.48.1
+ARG AZURECLI_VERSION=2.53.0
 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform
 FROM mcr.microsoft.com/azure-cli:$AZURECLI_VERSION
-ARG KUBECTL_VERSION=1.26.3
+ARG KUBECTL_VERSION=1.26.6
 WORKDIR /viya4-iac-azure

From 85d2bf6aa636778686dc07c6d16abe683690f63e Mon Sep 17 00:00:00 2001
From: Ritika Patil <94649368+riragh@users.noreply.github.com>
Date: Mon, 27 Nov 2023 14:34:12 -0600
Subject: [PATCH 2/5] chore: (IAC-1238) Resolve TFLint issue (#348)

---
 main.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/main.tf b/main.tf
index 0d716e77..dc607342 100644
--- a/main.tf
+++ b/main.tf
@@ -281,13 +281,13 @@ resource "kubernetes_config_map" "sas_iac_buildinfo" {
 }
 data = {
- git-hash = lookup(data.external.git_hash.result, "git-hash")
+ git-hash = data.external.git_hash.result["git-hash"]
 iac-tooling = var.iac_tooling
 terraform = <
Date: Wed, 29 Nov 2023 11:18:53 -0600
Subject: [PATCH 3/5] docs: (IAC-1205) Update SAS doc links (#349)

---
 README.md | 4 ++--
 docs/CONFIG-VARS.md | 4 ++--
 docs/sas-updates.md | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index b478282e..e6b4b6a7 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ This project helps you to automate the cluster-provisioning phase of SAS Viya pl
 [Architecture Diagram](./docs/images/viya4-iac-azure-diag.png?raw=true)
-This project addresses the first of three steps in [Steps for Getting Started](https://go.documentation.sas.com/doc/en/itopscdc/default/itopscon/n12fgslcw9swbsn10rva4bp0mr2w.htm) in _SAS® Viya® Platform Operations_:
+This project addresses the first of three steps in [Steps for Getting Started](https://documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=itopscon&docsetTarget=n12fgslcw9swbsn10rva4bp0mr2w.htm) in _SAS® Viya® Platform Operations_:
 1. Provision resources.
 1. Prepare for the deployment.
@@ -25,7 +25,7 @@ This project addresses the first of three steps in [Steps for Getting Started](h
 Once the cloud resources are provisioned, use the [viya4-deployment](https://github.com/sassoftware/viya4-deployment) project to deploy the SAS Viya platform in your cloud environment. To learn about all phases and options of the SAS Viya platform deployment process, see
-[Getting Started with SAS Viya and Azure Kubernetes Service](https://go.documentation.sas.com/doc/en/itopscdc/default/itopscon/n1d7qc4nfr3s5zn103a1qy0kj4l1.htm) in _SAS Viya Platform Operations_.
+[Getting Started with SAS Viya and Azure Kubernetes Service](https://documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=itopscon&docsetTarget=n1d7qc4nfr3s5zn103a1qy0kj4l1.htm) in _SAS Viya Platform Operations_.
 This project follows the [SemVer](https://semver.org/#summary) versioning scheme. Given a version number MAJOR.MINOR.PATCH, we increment the:
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index f17288c1..47a11ac4 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -358,12 +358,12 @@ Each server element, like `foo = {}`, can contain none, some, or all of the para
 | geo_redundant_backup_enabled | Enable Geo-redundant or not for server backup | bool | false | Not supported for the basic tier. |
 | administrator_login | The Administrator Login for the PostgreSQL Flexible Server. Changing this forces a new resource to be created. | string | "pgadmin" | The admin login name cannot be azure_superuser, azure_pg_admin, admin, administrator, root, guest, or public. It cannot start with pg_. See: [Microsoft Quickstart Server Database](https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/quickstart-create-server-portal) |
 | administrator_password | The Password associated with the administrator_login for the PostgreSQL Flexible Server | string | "my$up3rS3cretPassw0rd" | The password must contain between 8 and 128 characters and must contain characters from three of the following categories: English uppercase letters, English lowercase letters, numbers (0 through 9), and non-alphanumeric characters (!, $, #, %, etc.). |
-| server_version | The version of the PostgreSQL Flexible server instance | string | "13" | Refer to the [SAS Viya Platform Administration Guide](https://go.documentation.sas.com/doc/en/sasadmincdc/default/itopssr/p05lfgkwib3zxbn1t6nyihexp12n.htm?fromDefault=#p1wq8ouke3c6ixn1la636df9oa1u) for the supported versions of PostgreSQL for the SAS Viya platform. |
+| server_version | The version of the PostgreSQL Flexible server instance | string | "13" | Refer to the [SAS Viya Platform Administration Guide](https://documentation.sas.com/?cdcId=sasadmincdc&cdcVersion=default&docsetId=itopssr&docsetTarget=p05lfgkwib3zxbn1t6nyihexp12n.htm#p1wq8ouke3c6ixn1la636df9oa1u) for the supported versions of PostgreSQL for the SAS Viya platform. |
 | ssl_enforcement_enabled | Enforce SSL on connection to the Azure Database for PostgreSQL Flexible server instance | bool | true | |
 | connectivity_method | Network connectivity option to connect to your flexible server. There are two connectivity options available: Public access (allowed IP addresses) and Private access (VNet Integration). Defaults to public access with firewall rules enabled.| string | "public" | Valid options are `public` and `private`. See sample input file [here](../examples/sample-input-postgres.tfvars) and Private access documentation [here](./user/PostgreSQLPrivateAccess.md). For more details see [Networking overview](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking) |
 | postgresql_configurations | Sets a PostgreSQL Configuration value on a Azure PostgreSQL Flexible Server | list(object) | [] | More details can be found [here](https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/howto-configure-server-parameters-using-cli) |
-Multiple SAS offerings require a second PostgreSQL instance referred to as SAS Common Data Store, or CDS PostgreSQL. For more information, see [Common Customizations](https://go.documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=dplyml0phy0dkr&docsetTarget=n08u2yg8tdkb4jn18u8zsi6yfv3d.htm#p0wkxxi9s38zbzn19ukjjaxsc0kl). A list of SAS offerings that require CDS PostgreSQL is provided in [SAS Common Data Store Requirements](https://go.documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=itopssr&docsetTarget=p05lfgkwib3zxbn1t6nyihexp12n.htm#n03wzanutmc6gon1val5fykas9aa). To create and configure an external CDS PostgreSQL instance in addition to the external platform PostgreSQL instance named `default`, specify `cds-postgres` as a second PostgreSQL instance, as shown in the example below.
+Multiple SAS offerings require a second PostgreSQL instance referred to as SAS Common Data Store, or CDS PostgreSQL. For more information, see [Common Customizations](https://documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=dplyml0phy0dkr&docsetTarget=n08u2yg8tdkb4jn18u8zsi6yfv3d.htm#p0wkxxi9s38zbzn19ukjjaxsc0kl). A list of SAS offerings that require CDS PostgreSQL is provided in [SAS Common Data Store Requirements](https://documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=itopssr&docsetTarget=p05lfgkwib3zxbn1t6nyihexp12n.htm#n03wzanutmc6gon1val5fykas9aa). To create and configure an external CDS PostgreSQL instance in addition to the external platform PostgreSQL instance named `default`, specify `cds-postgres` as a second PostgreSQL instance, as shown in the example below.
 Here is an example of the `postgres_servers` variable with the `default` server entry overriding only the `administrator_password` and `postgresql_configurations` parameters, and the `cds-postgres` entry overriding the `sku_name`, `storage_mb`, `backup_retention_days`, `administrator_login` and `administrator_password` parameters:
diff --git a/docs/sas-updates.md b/docs/sas-updates.md
index 38526aae..f2a99127 100644
--- a/docs/sas-updates.md
+++ b/docs/sas-updates.md
@@ -1,10 +1,10 @@
-New in the SAS Viya platform 2021.2.6: the connect workload class is no longer required. For more information, see [Connect Workload Class Changes](https://go.documentation.sas.com/doc/en/itopscdc/v_026/itopswn/n0jh2fbifqgoksn1uou9p2zgbzdy.htm#p15778dvqwzjtgn1e95nq9v0y1wv).
+New in the SAS Viya platform 2021.2.6: the connect workload class is no longer required. For more information, see [Connect Workload Class Changes](https://documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=itopswn&docsetTarget=n0jh2fbifqgoksn1uou9p2zgbzdy.htm#p15778dvqwzjtgn1e95nq9v0y1wv).
 To deploy the SAS Viya platform 2021.2.6 and later, use the most recent version of SAS Viya 4 Infrastructure as Code. The default settings do not create a connect node pool. If your current software order has a requirement for the connect node pool, you can use the connect node pool example file in `examples/sample-input-connect.tfvars`. If you are updating the SAS Viya platform to version 2021.2.6, take some additional steps to remove the connect nodes.
-1. Perform the update by following the steps in the [SAS Viya platform documentation](https://go.documentation.sas.com/doc/en/itopscdc/default/k8sag/p043aa4ghwwom6n1beyfifdgkve7.htm).
+1. Perform the update by following the steps in the [SAS Viya platform documentation](https://documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=k8sag&docsetTarget=p043aa4ghwwom6n1beyfifdgkve7.htm).
 2. When the update to 2021.2.6 has completed successfully, use the `examples/sample-input.tfvars` file or edit your customized variable definition file (tfvars) to remove `connect={}` from the "node_pools" section.
 3. Run `terraform apply` using your edited tfvars file.

From 8ba81811ad3349d88af540b8c88ddbbf71e15da2 Mon Sep 17 00:00:00 2001
From: Ritika Patil <94649368+riragh@users.noreply.github.com>
Date: Wed, 29 Nov 2023 11:19:16 -0600
Subject: [PATCH 4/5] docs: (IAC-802) Added note for setting CIDR range to avoid security violation (#347)

---
 docs/CONFIG-VARS.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index 47a11ac4..696ec959 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -70,7 +70,7 @@ You can use `default_public_access_cidrs` to set a default range for all created
 | Name | Description | Type | Default | Notes |
 | :--- | ---: | ---: | ---: | ---: |
-| default_public_access_cidrs | IP address ranges allowed to access all created cloud resources | list of strings | | Sets a default for all resources. |
+| default_public_access_cidrs | IP address ranges allowed to access all created cloud resources | list of strings | | Sets a default for all resources. Not setting the CIDR range creates a fully public site, this is not recommended for security reasons. |
 | cluster_endpoint_public_access_cidrs | IP address ranges allowed to access the AKS cluster API | list of strings | | For client admin access to the cluster api (by `kubectl`, for example). Only used with `cluster_api_mode=public`|
 | vm_public_access_cidrs | IP address ranges allowed to access the VMs | list of strings | | Opens port 22 for SSH access to the jump server and/or NFS VM by adding Ingress Rule on the NSG. Only used with `create_jump_public_ip=true` or `create_nfs_public_ip=true` |
 | postgres_public_access_cidrs | IP address ranges allowed to access the Azure PostgreSQL Flexible Server | list of strings || Opens port 5432 by adding Ingress Rule on the NSG. Only used when creating postgres instances. |

From 28bd31f50c3dfe3e2d2b90c6d84a330cadc0ceef Mon Sep 17 00:00:00 2001
From: Ritika Patil <94649368+riragh@users.noreply.github.com>
Date: Wed, 29 Nov 2023 12:22:37 -0600
Subject: [PATCH 5/5] feat: (IAC-1221) Update terraform and terraform provider versions (#352)

---
 Dockerfile | 8 ++++----
 README.md | 4 ++--
 container-structure-test.yaml | 4 ++--
 versions.tf | 12 ++++++------
 4 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 660618ce..1f92e10c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,9 @@
-ARG TERRAFORM_VERSION=1.4.5
-ARG AZURECLI_VERSION=2.53.0
+ARG TERRAFORM_VERSION=1.6.4
+ARG AZURECLI_VERSION=2.54.0
 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform
 FROM mcr.microsoft.com/azure-cli:$AZURECLI_VERSION
-ARG KUBECTL_VERSION=1.26.6
+ARG KUBECTL_VERSION=1.26.10
 WORKDIR /viya4-iac-azure
@@ -12,7 +12,7 @@ COPY . .
 RUN apk update \
 && apk upgrade \
- && apk add --no-cache git openssh \
+ && apk add --no-cache git openssh curl\
 && curl -sLO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl \
 && chmod 755 ./kubectl /viya4-iac-azure/docker-entrypoint.sh \
 && mv ./kubectl /usr/local/bin/kubectl \
diff --git a/README.md b/README.md
index e6b4b6a7..ce6592d3 100644
--- a/README.md
+++ b/README.md
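Review bot: The kubectl binary fetched in the RUN hunk is still installed without any integrity check — `curl -sLO .../kubectl` goes straight to `chmod 755` and `mv`, and because the curl call has no `-f`, a truncated download, a substituted file, or an HTTP error page would land in /usr/local/bin as an executable without failing the build. The release location publishes a companion `kubectl.sha256` beside each binary, so adding `-f` to the existing curl line, fetching `.../bin/linux/amd64/kubectl.sha256` the same way, and inserting `&& echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c - \` before the `mv` makes the step fail closed instead. Given that this series is partly framed as vulnerability remediation, the same reasoning applies to the two `FROM` lines in the first hunk, which select base images by mutable tag rather than an `@sha256:` digest, so a rebuild of the same Dockerfile can produce a different image. A style nit on the changed line: `openssh curl\` is missing the space before the continuation backslash; it works, but it reads like a typo and invites a broken edit later. The RUN instruction continues past the end of the hunk.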
@@ -57,10 +57,10 @@ This project supports two options for running Terraform scripts:
 Access to an **Azure Subscription** and an [**Identity**](./docs/user/TerraformAzureAuthentication.md) with the *Contributor* role are required.
 #### Terraform Requirements:
-- [Terraform](https://www.terraform.io/downloads.html) - v1.4.5
+- [Terraform](https://www.terraform.io/downloads.html) - v1.6.4
 - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.26
 - [jq](https://stedolan.github.io/jq/) - v1.6
-- [Azure CLI](https://docs.microsoft.com/en-us/cli/azure) - (optional - useful as an alternative to the Azure Portal) - v2.48.1
+- [Azure CLI](https://docs.microsoft.com/en-us/cli/azure) - (optional - useful as an alternative to the Azure Portal) - v2.54.0
 #### Docker Requirements:
 - [Docker](https://docs.docker.com/get-docker/)
diff --git a/container-structure-test.yaml b/container-structure-test.yaml
index d139c374..56008126 100644
--- a/container-structure-test.yaml
+++ b/container-structure-test.yaml
@@ -17,7 +17,7 @@ commandTests:
 - name: "terraform version"
 command: "terraform"
 args: ["--version"]
- expectedOutput: ["Terraform v1.4.5"]
+ expectedOutput: ["Terraform v1.6.4"]
 - name: "python version"
 command: "python3"
 args: ["--version"]
@@ -29,7 +29,7 @@ commandTests:
 - -c
 - |
 az version -o tsv
- expectedOutput: ["2.48.1\t2.48.1\t1.0.8"]
+ expectedOutput: ["2.54.0\t2.54.0\t1.1.0"]
 metadataTest:
 workdir: "/viya4-iac-azure"
diff --git a/versions.tf b/versions.tf
index 2c514cfe..045f1d38 100644
--- a/versions.tf
+++ b/versions.tf
@@ -3,20 +3,20 @@ terraform {
- required_version = ">= 1.4.5"
+ required_version = ">= 1.6.4"
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "3.64.0"
+ version = "3.81.0"
 }
 azuread = {
 source = "hashicorp/azuread"
- version = "2.39.0"
+ version = "2.46.0"
 }
 external = {
 source = "hashicorp/external"
- version = "2.3.1"
+ version = "2.3.2"
 }
 local = {
 source = "hashicorp/local"
@@ -24,7 +24,7 @@ terraform {
 }
 null = {
 source = "hashicorp/null"
- version = "3.2.1"
+ version = "3.2.2"
 }
 tls = {
 source = "hashicorp/tls"
@@ -36,7 +36,7 @@ terraform {
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "2.20.0"
+ version = "2.23.0"
 }
 }
 }