Merge pull request #495 from sassoftware/staging

10.4.0 - May 8, 2025

Author: saschjmil

Dockerfile.terratest

@@ -1,6 +1,6 @@
 FROM golang:1.24
 
-# Install terraform from apt repository and terratest_log_parser
+# Install terraform from apt repository, terratest_log_parser, jq, azure-cli
 RUN \
     apt-get update \
     && apt-get install -y jq lsb-release \
@@ -11,7 +11,8 @@ RUN \
     && apt update \
     && apt install terraform \
     && ssh-keygen -f ~/.ssh/id_rsa -P "" \
-    && go install github.com/gruntwork-io/terratest/cmd/terratest_log_parser@latest
+    && go install github.com/gruntwork-io/terratest/cmd/terratest_log_parser@latest \
+    && curl -sL https://aka.ms/InstallAzureCLIDeb | bash
 
 WORKDIR /viya4-iac-azure/test
 

docs/CONFIG-VARS.md

@@ -99,12 +99,12 @@ You can use `default_public_access_cidrs` to set a default range for all created
 
 The Federal Information Processing Standard (FIPS) 140 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. Azure Kubernetes Service (AKS) allows the creation of node pools with FIPS 140-2 enabled. Deployments running on FIPS-enabled node pools provide increased security and help meet security controls as part of FedRAMP compliance. For more information on FIPS 140-2, see [Federal Information Processing Standard (FIPS) 140](https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-fips-140-2).
 
-To enable the FIPS support in your subscription, you first need to accept the legal terms of the `Ubuntu Pro FIPS 20.04 LTS` image that will be used in the deployment. For details see [Ubuntu Pro FIPS 20.04 LTS](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/canonical.0001-com-ubuntu-pro-focal-fips?tab=Overview).
+To enable the FIPS support in your subscription, you first need to accept the legal terms of the `Ubuntu Pro FIPS 22.04 LTS` image that will be used in the deployment. For details see [Ubuntu Pro FIPS 22.04 LTS](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/canonical.0001-com-ubuntu-pro-jammy-fips?tab=Overview).
 
 To accept the terms please run following az command before deploying cluster:
 
 ```bash
-az vm image terms accept --urn Canonical:0001-com-ubuntu-pro-focal-fips:pro-fips-20_04-gen2:latest --subscription $subscription_id
+az vm image terms accept --urn Canonical:0001-com-ubuntu-pro-focal-fips:pro-fips-22_04-gen2:latest --subscription $subscription_id
 ```
 
 | Name | Description | Type | Default | Notes |
@@ -193,7 +193,7 @@ subnet_names = {
 
 ## General
 
-Ubuntu 20.04 LTS is the operating system used on the Jump/NFS servers. Ubuntu creates the `/mnt` location as an ephemeral drive that cannot be used as the root location of the `jump_rwx_filestore_path` variable.
+Ubuntu 22.04 LTS is the operating system used on the Jump/NFS servers. Ubuntu creates the `/mnt` location as an ephemeral drive that cannot be used as the root location of the `jump_rwx_filestore_path` variable.
 
 | Name | Description | Type | Default | Notes |
 | :--- | ---: | ---: | ---: | ---: |

docs/community/community_config_vars.md

@@ -0,0 +1,40 @@
+# Community-Contributed Configuration Variables
+
+Community-contributed configuration variables are listed in the tables below. These variables can also be specified on the terraform command line.
+
+> [!CAUTION]
+> Community members are responsible for maintaining these features. While project maintainers will verify these features work as expected when merged, they cannot guarantee future releases will not break them. If you encounter issues while using these features, start a [GitHub Discussion](https://github.com/sassoftware/viya4-iac-azure/discussions) or open a Pull Request to fix them. As a last resort, you can create a GitHub Issue.
+
+## Table of Contents
+
+* [Spot Nodes](#spot_nodes)
+* [Netapp Volume Size](#netapp_volume_size)
+
+<a name="spot_nodes"></a>
+## Spot Nodes
+
+Spot Nodes allow you to run Azure Kubernetes Service (AKS) workloads on low-cost, surplus compute capacity offered by Azure. These Spot Virtual Machines (VMs) can significantly reduce infrastructure costs, especially for workloads that are fault-tolerant or batch-oriented or temporary lab environments. However, Spot VMs can be preempted (evicted) by Azure at any time if the capacity is needed elsewhere, which makes them less suitable for critical or stateful workloads.
+
+For further information, see https://learn.microsoft.com/en-us/azure/aks/spot-node-pool
+
+> [!CAUTION] 
+> Spot nodes can be evicted with little notice. They are best used for non-production, non-critical workloads or for scenarios where cost savings outweigh the risk of eviction. This is a configuration not supported by SAS Technical Support. Monitor eviction rates and ensure your workloads can tolerate sudden node loss.
+
+To enable a Spot node pool in your AKS cluster using this module, configure the community-maintained variables listed below. These options customize the behavior of the Spot node pool and its underlying virtual machine scale set.
+
+| Name | Description | Type | Default | Release Added | Notes |
+| :--- | ---: | ---: | ---: | ---: | ---: |
+| community_priority | (Optional) The Priority for Virtual Machines within the Virtual Machine Scale Set that powers this Node Pool. Possible values are Regular and Spot. Defaults to Regular. Changing this forces a new resource to be created. | string | `Regular` | 10.3.0 | Changing this to Spot enables the Spot node pool functionality |
+| community_eviction_policy | (Optional) The Eviction Policy which should be used for Virtual Machines within the Virtual Machine Scale Set powering this Node Pool. Possible values are Deallocate and Delete. Changing this forces a new resource to be created. | string | `Delete` | 10.3.0 | |
+| community_spot_max_price | (Optional) The maximum price you're willing to pay in USD per Virtual Machine. Valid values are -1 (the current on-demand price for a Virtual Machine) or a positive value with up to five decimal places. Changing this forces a new resource to be created. | string | `-1` | 10.3.0 | |
+
+<a name="netapp_volume_size"></a>
+## Netapp Volume Size
+
+Netapp Volume Size control allows you to create a Netapp Volume smaller than the Netapp Pool. This will allow other tools outside of this Terraform to create Netapp Volumes within the pool.
+
+To control the Netapp Volume size use the below community-maintained variable listed below. This will allow you to control the size of the Netapp Volume in GBs. This value must be smaller than the Netapp Pool size. There is no validation for this during the planning phase of Terraform. If this is misconfigured, the Terraform Apply will fail when attempting to deploy the volume.
+
+| Name | Description | Type | Default | Release Added | Notes |
+| :--- | ---: | ---: | ---: | ---: | ---: |
+| community_netapp_volume_size | Size of the netapp volume | number | 0 | 10.3.0 | Zero will disable, must be smaller than the Netapp Pool. The value is given in GB |

docs/user/TerratestDockerUsage.md

@@ -21,14 +21,24 @@ The Docker image `viya4-iac-azure-terratest` will contain Terraform and Go execu
 ### Docker Environment File for Azure Authentication
 
 Follow either one of the authentication methods that are described in [Authenticating Terraform to access Azure](./TerraformAzureAuthentication.md), and create a file with the authentication variable values to use with container invocation. Store these values outside of this repository in a secure file, such as
-`$HOME/.azure_docker_creds.env`. Protect that file with Azure credentials so that only you have Read access to it. **NOTE**: Do not use quotation marks around the values in the file, and be sure to avoid any trailing blank spaces.
+`$HOME/.azure_docker_creds.env`.
+
+**NOTE**: Do not use quotation marks around the values in the file, and be sure to avoid any trailing blank spaces.
+
+#### Public Access Cidrs Environment File
+
+In order to run  ```terraform apply``` integration tests, you will also need to define your ```TF_VAR_public_cidrs``` as described in [Admin Access](../CONFIG-VARS.md#admin-access), and create a file with the public access cidr values to use with container invocation.  Store these values in [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) outside of this repository in a secure file, such as `$HOME/.azure_public_cidrs.env`. Protect that file with public access cidr values so that only you have Read access to it. Below is an example of what the file should look like.
+
+```bash
+TF_VAR_public_cidrs=["123.456.7.8/16", "98.76.54.32/32"]
+```
 
 Now each time you invoke the container, specify the file with the [`--env-file`](https://docs.docker.com/engine/reference/commandline/run/#set-environment-variables--e---env---env-file) option to pass Azure credentials to the container.
 
 ### Docker Volume Mounts
 
-Run the following command:  
-`--volume="$(pwd)":/viya4-iac-azure`  
+To mount the current working directory, add the following argument to the docker run command:
+`--volume="$(pwd)":/viya4-iac-azure`
 Note that the project must be mounted to the `/viya4-iac-azure` directory.
 
 ## Command-Line Arguments
@@ -42,9 +52,9 @@ The `terratest_docker_entrypoint.sh` script supports several command-line argume
 
 ## Running Terratest Commands
 
-### Running the Default Tests
+### Running the Plan Tests
 
-To run the default suite of unit tests (only `terraform plan`), run the following Docker command:
+To run the suite of unit tests (only `terraform plan`), run the following Docker command:
 
 ```bash
 # Run from the ./viya4-iac-azure directory
@@ -54,6 +64,20 @@ docker run --rm \
   viya4-iac-azure-terratest
 ```
 
+### Running the Apply Tests
+
+To run the suite of integration tests (only `terraform apply`), run the following Docker command:
+
+```bash
+# Run from the ./viya4-iac-azure directory
+docker run --rm \
+  --env-file=$HOME/.azure_docker_creds.env \
+  --env-file=$HOME/.azure_public_cidrs.env \
+  --volume "$(pwd)":/viya4-iac-azure \
+  viya4-iac-azure-terratest \
+  -r=".*Apply.*"
+```
+
 ### Running a Specific Go Test
 
 To run a specific test, run the following Docker command with the `-r` option:
@@ -62,12 +86,27 @@ To run a specific test, run the following Docker command with the `-r` option:
 # Run from the ./viya4-iac-azure directory
 docker run --rm \
   --env-file=$HOME/.azure_docker_creds.env \
+  --env-file=$HOME/.azure_public_cidrs.env \ #env file for integration tests
   --volume "$(pwd)":/viya4-iac-azure \
   viya4-iac-azure-terratest \
   -r="YourTest"
 ```
 To run multiple tests, pass in a regex to the `-r` option - "TestName1|TestName2|TestName3"
 
+####  Running a Specific Integration Go Test
+
+To run a specific integration test, modify the main test runner function (e.g. YourIntegrationTestMainFunction) to define the test name you desire and run the following Docker command with the `-r` option:
+
+```bash
+# Run from the ./viya4-iac-azure directory
+docker run --rm \
+  --env-file=$HOME/.azure_docker_creds.env \
+  --env-file=$HOME/.azure_public_cidrs.env \
+  --volume "$(pwd)":/viya4-iac-azure \
+  viya4-iac-azure-terratest \
+  -r="YourIntegrationTestMainFunction"
+```
+
 ### Running a Specific Go Package and Test
 
 If you want to specify the Go package and test name, run the following Docker command with the following options:
@@ -82,6 +121,21 @@ docker run --rm \
   -p="YourPackage"
 ```
 
+####  Running a Specific Integration Go Package and Test
+
+To run a specific integration Go package and test name, modify the main test runner function in the desired packaged to define the test name you want and run the following Docker command with the following options:
+
+```bash
+# Run from the ./viya4-iac-azure directory
+docker run --rm \
+  --env-file=$HOME/.azure_docker_creds.env \
+  --env-file=$HOME/.azure_public_cidrs.env \
+  --volume "$(pwd)":/viya4-iac-azure \
+  viya4-iac-azure-terratest \
+  -r="YourIntegrationTestMainFunction" \
+  -p="YourPackage"
+```
+
 ### Running the Go Tests with verbose mode
 
 If you want to run the tests in verbose mode, run the Docker command with the `-v` option:

docs/user/TestingPhilosophy.md

@@ -15,7 +15,7 @@ The unit tests in this project are designed to quickly and efficiently verify th
 
 The unit tests are written as [table-driven tests](https://go.dev/wiki/TableDrivenTests) so that they are easier to read, understand, and expand. The tests are divided into two packages, [defaultplan](../../test/defaultplan) and [nondefaultplan](../../test/nondefaultplan).
 
-The test package defaultplan validates the default values of a Terraform plan. This testing ensures that there are no regressions in the default behavior of the code base. The test package nondefaultplan modifies the input values before running the Terraform plan. After generating the plan file, the test verifies that it contains the expected values. Both sets of tests are written to be table-driven.
+The test package defaultplan validates the default values of a `terraform plan`. This testing ensures that there are no regressions in the default behavior of the code base. The test package nondefaultplan modifies the input values before running the Terraform plan. After generating the plan file, the test verifies that it contains the expected values. Both sets of tests are written to be table-driven.
 
 To see an example, look at the `TestPlanStorage` function in the defaultplan/storage_test.go file that is shown below.
 
@@ -59,19 +59,59 @@ To create a unit test, you can add an entry to an existing test table if it's re
 
 ### Integration Testing
 
-The integration tests are designed to thoroughly verify the code base using `terraform apply`. Unlike the unit tests, these tests provision resources in cloud platforms. Careful consideration is required to avoid unnecessary infrastructure costs.
-
-These test are still a work-in-progress. We will update these sections once we have more examples to reference.
+The integration tests are designed to thoroughly verify the code base using `terraform apply`. The tests are intended to validate that the cloud provider creates the expected resources. Unlike the unit tests, these tests provision resources through the cloud provider. Careful consideration is required to avoid unnecessary infrastructure costs. The integration test framework is designed to optimize resource utilization and reduce associated costs by enabling multiple test cases to run against a single provisioned resource group, provided the test cases are compatible with the resource’s configuration and state.
 
 ### Integration Testing Structure
 
-These test are still a work-in-progress. We will update these sections once we have more examples to reference.
+The integration tests are also written as [table-driven tests](https://go.dev/wiki/TableDrivenTests) so that they are easier to read, understand, and expand. The tests are divided into two packages, [defaultapply](../../test/defaultapply) and [nondefaultapply](../../test/nondefaultapply).
+
+The test package defaultapply validates that the provisioned resources match the default configuration values. The test package nondefaultapply validates that, when given non-default input configuration values, the provisioned resources match the input configuration values. This level of integration testing ensures the cloud provider is correctly creating the resources via Terraform.
+
+### Resource Management
+
+As running `terraform apply` provisions infrastructure, it inherently incurs costs. To manage and minimize these expenses, it is essential that our testing framework optimizes resource utilization and ensures proper teardown and cleanup of any infrastructure created during testing.
+
+To support this, we have implemented main function test runners for our integration tests that handle the setup of the testing environment by provisioning resources based on the provided Terraform options. These runners also include deferred cleanup routines that automatically decommission resources once tests are completed.
+
+We encourage developers contributing integration tests to be mindful of resource usage. Add your tests to the defaultapply suite if no configuration changes are needed.  If testing non default options, please modify the nondefault suite as long as the new options do not conflict with the existing overrides. If the existing packages do not fit your testing needs, please add a new non default apply package, test runner, and test suite for your unique option configuration.
+
+### Error Handling
+
+Terratest provides some flexibility with how to [handle errors](https://terratest.gruntwork.io/docs/testing-best-practices/error-handling/). Every method in Terratest comes in two versions (e.g., `terraform.Apply` and `terraform.ApplyE` )
+
+* `terraform.Apply`: The base method takes a `t *testing.T` as an argument. If the method hits any errors, it calls `t.Fatal` to fail the test
+* `terraform.ApplyE`: Methods that end with the capital letter `E` always return an error as the last argument and never call `t.Fatal` themselves. This allows you to decide how to handle errors.
+
+We recommend using the capital letter `E` version of Terratest methods. This allows the test to handle the error rather than immediately calling `t.Fatal`. `t.Fatal` causes test run to exit, preventing other tests from running and stopping the deferred cleanup routine from being executed.
+
+Here's an example of how we handle terratest method calls:
+
+```go
+resourceGroup, err := azure.GetAResourceGroupE(resourceGroupName, os.Getenv("TF_VAR_subscription_id"))
+	if err != nil {
+		t.Errorf("Error: %s\n", err)
+	}
+}
+```
+
+### Adding Integration Tests
+
+To create an integration test, you can add a new test file with your table tests to the appropriate package and update the desired main function test runner to call and run your test.  If you don't see a main function test runner that fits your needs, you are welcome to create a new package, main function test runner, and test suite in a similar format.
+
+Below is an example of a possible structure for the new package, main function test runner, and test suite:
+
+    .
+    └── test/
+        └── nondefaultapply/
+            └── nondefaultapplycustomconfig/
+                ├── non_default_apply_custom_config_main_test.go
+                └── test_custom_config.go
+
 
 ## How to Run the Tests Locally
 
 Before changes can be merged, all unit tests must pass as part of the SAS CI/CD process. Unit tests are automatically run against every PR using the [Dockerfile.terratest](../../Dockerfile.terratest) Docker image. Refer to [TerratestDockerUsage.md](./TerratestDockerUsage.md) document for more information about running the tests locally.
 
-
 ## Additional Documents
 
 * [Go Table-Driven Testing](https://go.dev/wiki/TableDrivenTests)

main.tf

@@ -216,6 +216,10 @@ module "node_pools" {
   host_encryption_enabled      = var.aks_cluster_enable_host_encryption
   tags                         = var.tags
   linux_os_config              = each.value.linux_os_config
+  community_priority           = each.value.community_priority 
+  community_eviction_policy    = each.value.community_eviction_policy
+  community_spot_max_price     = each.value.community_spot_max_price
+
 }
 
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server
@@ -260,6 +264,8 @@ module "netapp" {
   tags                = var.tags
   allowed_clients     = concat(module.vnet.subnets["aks"].address_prefixes, module.vnet.subnets["misc"].address_prefixes)
   depends_on          = [module.vnet]
+
+  community_netapp_volume_size = var.community_netapp_volume_size
 }
 
 data "external" "git_hash" {