Merge pull request #453 from sassoftware/staging

10.2.0 - March 19, 2025

Author: saschjmil

.dockerignore

@@ -2,5 +2,4 @@ docs/
 *.md
 *.txt
 terraform.tfstate*
-examples/
 .terraform/

.github/workflows/default_plan_unit_tests.yml

@@ -0,0 +1,33 @@
+# Copyright © 2025, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Default Plan Unit Tests
+on:
+  push:
+    branches: ['**'] # '*' will cause the workflow to run on all commits to all branches.
+
+jobs:
+  go-tests:
+    name: Default Plan Unit Tests
+    runs-on: ubuntu-latest
+    environment: terraformSecrets
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+      - name: Build Docker Image
+        run: docker build -t viya4-iac-azure:terratest -f Dockerfile.terratest .
+      - name: Run Tests
+        run: |
+          docker run \
+            -e TF_VAR_subscription_id=$TF_VAR_subscription_id \
+            -e TF_VAR_tenant_id=$TF_VAR_tenant_id \
+            -e TF_VAR_client_id=$TF_VAR_client_id \
+            -e TF_VAR_client_secret=$TF_VAR_client_secret \
+            -v $(pwd):/viya4-iac-azure \
+            viya4-iac-azure:terratest -v
+        env:
+          # TF ENVIRONMENT
+          TF_VAR_subscription_id: "${{ secrets.TF_VAR_SUBSCRIPTION_ID }}"
+          TF_VAR_tenant_id: "${{ secrets.TF_VAR_TENANT_ID }}"
+          TF_VAR_client_id: "${{ secrets.TF_VAR_CLIENT_ID }}"
+          TF_VAR_client_secret: "${{ secrets.TF_VAR_CLIENT_SECRET }}"

.github/workflows/linter-analysis.yaml

@@ -46,6 +46,12 @@ jobs:
         path: ~/.tflint.d/plugins
         key: ubuntu-latest-tflint-${{ hashFiles('.tflint.hcl') }}
 
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: "^1.10.5"
+        terraform_wrapper: false
+
     - name: Setup TFLint
       uses: terraform-linters/setup-tflint@v3.0.0
       with:

.gitignore

@@ -9,3 +9,8 @@ terraform.tfvars
 .terraform.lock.hcl
 .DS_Store
 sas_iac_buildinfo.yaml
+.idea
+.vscode
+test/bin
+test/pkg
+test/test_output

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+---
+default_stages: [pre-commit]
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.23.3
+    hooks:
+      - id: gitleaks
+
+ci:
+  autofix_prs: false
+  autoupdate_commit_msg: "chore: auto-update of pre-commit hooks"

CONTRIBUTING.md

@@ -1,19 +1,27 @@
 # How to Contribute
-We'd love to accept your patches and contributions to this project.
-We just ask that you follow our contribution guidelines when you do.
+This project is community-driven, and we'd love to accept your patches and contributions.
+We just ask that you follow our contribution guidelines when you do. Refer
+to the [Contributor Handbook](https://sassoftware.github.io/contributor-handbook.html)
+for guidance.
 
 ## Contributor License Agreement
 Contributions to this project must be accompanied by a signed [Contributor Agreement](ContributorAgreement.txt).
-You (or your employer) retain the copyright to your contribution; this simply grants us permission to use and redistribute your contributions as part of the project.
+You (or your employer) retain the copyright to your contribution; this agreement simply grants
+us permission to use and redistribute your contributions as part of the project.
 
-## Code reviews
-All submissions to this project—including submissions from project members—require review.
-Our review process typically involves performing unit tests, development tests, integration tests, and security scans using internal SAS infrastructure.
-For this reason, we don’t often merge pull requests directly from GitHub.
+## Code Reviews
+All submissions to this project—including submissions from project members—require
+review. Our review process typically involves performing unit tests, development
+tests, integration tests, and security scans.
 
-Instead, we work with submissions internally first, vetting them to ensure they meet our security and quality standards.
-We’ll do our best to work with contributors in public issues and pull requests; however, to ensure our code meets our internal compliance standards, we may need to incorporate your submission into a solution we push ourselves.
+## Pull Request Requirement
+All contributions (PRs) must be accompanied by passing unit and/or integration
+tests, following our  [testing philosophy](./docs/user/TestingPhilosophy.md). If you are unfamiliar with this process,
+we are happy to help you navigate it by providing continuous collaboration within the pull request.
+All pull requests must also pass our linter analysis checks. Contributions might
+be subjected to security scans before they can be accepted.
 
-This does not mean we don’t value or appreciate your contribution.
-We simply need to review your code internally before merging it.
-We work to ensure all contributors receive appropriate recognition for their contributions, at least by acknowledging them in our release notes.
+## Security Scans
+To ensure that all submissions meet our security and quality standards, we perform security
+scans using internal SAS infrastructure. Reporting of any Common Vulnerabilities and Exposures
+(CVEs) that are detected is not available in this project at this time.

Dockerfile

@@ -1,17 +1,17 @@
-ARG TERRAFORM_VERSION=1.9.6
-ARG AZURECLI_VERSION=2.64.0
+ARG TERRAFORM_VERSION=1.10.5
+ARG AZURECLI_VERSION=2.70.0
 
 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform
 FROM mcr.microsoft.com/azure-cli:$AZURECLI_VERSION
-ARG KUBECTL_VERSION=1.30.6
+ARG KUBECTL_VERSION=1.30.10
 
 WORKDIR /viya4-iac-azure
 
 COPY --from=terraform /bin/terraform /bin/terraform
 COPY . .
 
-RUN yum -y install git openssh jq which curl \
-  && yum clean all && rm -rf /var/cache/yum \
+RUN tdnf -y install git which \
+  && tdnf clean all && rm -rf /var/cache/tdnf \
   && curl -sLO https://dl.k8s.io/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl \
   && chmod 755 ./kubectl /viya4-iac-azure/docker-entrypoint.sh \
   && mv ./kubectl /usr/local/bin/kubectl \

Dockerfile.terratest

@@ -0,0 +1,23 @@
+FROM golang:1.23
+
+# Install terraform from apt repository and terratest_log_parser
+RUN \
+    apt-get update \
+    && apt-get install -y jq lsb-release \
+    && wget -O - https://apt.releases.hashicorp.com/gpg \
+        | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
+        | tee /etc/apt/sources.list.d/hashicorp.list \
+    && apt update \
+    && apt install terraform \
+    && ssh-keygen -f ~/.ssh/id_rsa -P "" \
+    && go install github.com/gruntwork-io/terratest/cmd/terratest_log_parser@latest
+
+WORKDIR /viya4-iac-azure/test
+
+# Copy the test directory so it can install the go modules
+# during the docker build rather than the docker run
+COPY ./test ./
+RUN go mod tidy
+
+ENTRYPOINT ["/viya4-iac-azure/test/terratest_docker_entrypoint.sh"]

Makefile

@@ -0,0 +1,38 @@
+# Copyright © 2025, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# from .github/workflows/default_plan_unit_tests.yml
+
+IMAGE := viya4-iac-azure:terratest
+
+buildTests:
+ifeq ($(shell docker images -q $(IMAGE) 2> /dev/null),)
+	docker build -t $(IMAGE) -f Dockerfile.terratest .
+endif
+
+checkEnv:
+ifndef TF_VAR_subscription_id
+	$(error TF_VAR_subscription_id is undefined)
+endif
+ifndef TF_VAR_tenant_id
+	$(error TF_VAR_tenant_id is undefined)
+endif
+ifndef TF_VAR_client_id
+	$(error TF_VAR_client_id is undefined)
+endif
+ifndef TF_VAR_client_secret
+	$(error TF_VAR_client_secret is undefined)
+endif
+
+
+runTests: checkEnv buildTests
+	docker run -it --rm \
+            -e TF_VAR_subscription_id=$(TF_VAR_subscription_id) \
+            -e TF_VAR_tenant_id=$(TF_VAR_tenant_id) \
+            -e TF_VAR_client_id=$(TF_VAR_client_id) \
+            -e TF_VAR_client_secret=$(TF_VAR_client_secret) \
+            -v "$(PWD)":/viya4-iac-azure \
+            $(IMAGE) -v
+
+clean:
+	docker image rm $(IMAGE)

README.md

@@ -57,10 +57,10 @@ This project supports two options for running Terraform scripts:
 Access to an **Azure Subscription** and an [**Identity**](./docs/user/TerraformAzureAuthentication.md) with the *Contributor* role are required.
 
 #### Terraform Requirements:
-- [Terraform](https://www.terraform.io/downloads.html) - v1.9.6
-- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.30.6
+- [Terraform](https://www.terraform.io/downloads.html) - v1.10.5
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.30.10
 - [jq](https://stedolan.github.io/jq/) - v1.6
-- [Azure CLI](https://docs.microsoft.com/en-us/cli/azure) - (optional - useful as an alternative to the Azure Portal) - v2.64.0
+- [Azure CLI](https://docs.microsoft.com/en-us/cli/azure) - (optional - useful as an alternative to the Azure Portal) - v2.70.0
 
 #### Docker Requirements:
 - [Docker](https://docs.docker.com/get-docker/)

container-structure-test.yaml

@@ -21,7 +21,7 @@ commandTests:
   - name: "terraform version"
     command: "terraform"
     args: ["--version"]
-    expectedOutput: ["Terraform v1.9.6"]
+    expectedOutput: ["Terraform v1.10.5"]
   - name: "python version"
     command: "python3"
     args: ["--version"]
@@ -32,11 +32,11 @@ commandTests:
       - -c
       - |
         az version -o tsv
-    expectedOutput: ["2.64.0\t2.64.0\t1.1.0"]
+    expectedOutput: ["2.70.0\t2.70.0\t1.1.0"]
   - name: "kubectl version"
     command: "kubectl"
     args: ["version", "--client"]
-    expectedOutput: ["Client Version: v1.30.6"]
+    expectedOutput: ["Client Version: v1.30.10"]
 
 metadataTest:
   workdir: "/viya4-iac-azure"

docs/CONFIG-VARS.md

@@ -127,22 +127,22 @@ The default values for the `subnets` variable are as follows:
   aks = {
     "prefixes": ["192.168.0.0/23"],
     "service_endpoints": ["Microsoft.Sql"],
-    "private_endpoint_network_policies": "Disabled",
+    "private_endpoint_network_policies": "Enabled",
     "private_link_service_network_policies_enabled": false,
     "service_delegations": {},
   }
   misc = {
     "prefixes": ["192.168.2.0/24"],
     "service_endpoints": ["Microsoft.Sql"],
-    "private_endpoint_network_policies": "Disabled",
+    "private_endpoint_network_policies": "Enabled",
     "private_link_service_network_policies_enabled": false,
     "service_delegations": {},
   }
   ## If using ha storage then the following is also added
   netapp = {
     "prefixes": ["192.168.3.0/24"],
     "service_endpoints": [],
-    "private_endpoint_network_policies": "Disabled",
+    "private_endpoint_network_policies": "Enabled",
     "private_link_service_network_policies_enabled": false,
     "service_delegations": {
       netapp = {
@@ -211,6 +211,7 @@ Ubuntu 20.04 LTS is the operating system used on the Jump/NFS servers. Ubuntu cr
 | aks_cluster_private_dns_zone_id | Specifies private DNS zone resource ID for AKS private cluster to use | string | "" | For `cluster_api_mode=private` if `aks_cluster_private_dns_zone_id` is not specified then the value `System` is used else it is set to null. For details see [Configure a private DNS zone](https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=azure-portal#configure-a-private-dns-zone) |
 | aks_cluster_sku_tier | The SKU Tier that should be used for this Kubernetes Cluster. Optimizes api server for cost vs availability | string | "Free" | Valid Values:  "Free", "Standard" and "Premium" | 
 | cluster_support_tier | Specifies the support plan which should be used for this Kubernetes Cluster. | string | "KubernetesOfficial" | Possible values are `KubernetesOfficial` and `AKSLongTermSupport`. To enable long term K8s support is a combination of setting `aks_cluster_sku_tier` to `Premium` tier and explicitly selecting the `cluster_support_tier` as `AKSLongTermSupport`. For details see [Long term Support](https://learn.microsoft.com/en-us/azure/aks/long-term-support) and for which K8s version has long term support see [AKS Kubernetes release calendar](https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli#aks-kubernetes-release-calendar).| 
+| aks_cluster_run_command_enabled | Enable or disable the AKS Run Command feature | bool | false | The AKS Run Command feature in AKS allows you to remotely execute commands within a running container of your AKS cluster directly from the Azure CLI or Azure portal. To enable the Run Command feature for an AKS cluster where Run Command is disabled, navigate to the Run Command tab for your AKS Cluster in the Azure Portal and select the Enable button. |
 
 ## Node Pools
 
@@ -368,7 +369,7 @@ Each server element, like `foo = {}`, can contain none, some, or all of the para
 
 | Name | Description | Type | Default | Notes |
 | :--- | ---: | ---: | ---: | ---: |
-| sku_name| The SKU Name for the PostgreSQL Flexible Server | string | "GP_Standard_D4ds_v5" | The name pattern is the SKU, followed by the tier + family + cores (e.g. B_Standard_B1ms, GP_Standard_D2s_v3, MO_Standard_E4s_v3).|
+| sku_name| The SKU Name for the PostgreSQL Flexible Server | string | "GP_Standard_D4ds_v5" | The name pattern is the SKU, followed by the tier + family + cores (e.g. B_Standard_B1ms, GP_Standard_D2s_v5, MO_Standard_E4s_v5).|
 | storage_mb | The max storage allowed for the PostgreSQL Flexible Server | number | 131072 | Possible values are 32768, 65536, 131072, 262144, 524288, 1048576, 2097152, 4194304, 8388608, 16777216, and 33554432. |
 | backup_retention_days | Backup retention days for the PostgreSQL Flexible server | number | 7 | Supported values are between 7 and 35 days. |
 | geo_redundant_backup_enabled | Enable Geo-redundant or not for server backup | bool | false | Not supported for the basic tier. |

docs/user/TerratestDockerUsage.md

@@ -0,0 +1,99 @@
+# Using the Terratest Docker Container
+
+Use the Terratest Docker container to run the suite of Terratest Go tests. For more information on Terratest, follow the [Documentation](https://terratest.gruntwork.io/docs/) page. The Terratest Docker image is used by the [Github Workflow](../../.github/workflows/default_plan_unit_tests.yml) as a required check before merging changes.
+
+## Prereqs
+
+- Docker [installed on your workstation](../../README.md#docker).
+
+## Preparation
+
+### Docker image
+
+Run the following command to create the `viya4-iac-azure-terratest` Docker image using the provided [Dockerfile.terratest](../../Dockerfile.terratest)
+
+```bash
+docker build -t viya4-iac-azure-terratest -f Dockerfile.terratest .
+```
+
+The Docker image `viya4-iac-azure-terratest` will contain Terraform and Go executables, as well as the required Go modules. The Docker entrypoint for the image is `go test`, and it accepts several optional command-line arguments. For more information about command-line arguments, see [Command-Line Arguments](#command-line-arguments).
+
+### Docker Environment File for Azure Authentication
+
+Follow either one of the authentication methods that are described in [Authenticating Terraform to access Azure](./TerraformAzureAuthentication.md), and create a file with the authentication variable values to use with container invocation. Store these values outside of this repository in a secure file, such as
+`$HOME/.azure_docker_creds.env`. Protect that file with Azure credentials so that only you have Read access to it. **NOTE**: Do not use quotation marks around the values in the file, and be sure to avoid any trailing blank spaces.
+
+Now each time you invoke the container, specify the file with the [`--env-file`](https://docs.docker.com/engine/reference/commandline/run/#set-environment-variables--e---env---env-file) option to pass Azure credentials to the container.
+
+### Docker Volume Mounts
+
+Run the following command:  
+`--volume="$(pwd)":/viya4-iac-azure`  
+Note that the project must be mounted to the `/viya4-iac-azure` directory.
+
+## Command-Line Arguments
+
+The `terratest_docker_entrypoint.sh` script supports several command-line arguments to customize the test execution. Here are the available options:
+
+* `-p, --package=PACKAGE`: The package to test. Default is './...'
+* `-r, --run=TEST`: The name of the test to run. Default is '.\*Plan.\*'.
+* `-v, --verbose`: Run the tests in verbose mode.
+* `-h, --help`: Display the help message.
+
+## Running Terratest Commands
+
+### Running the Default Tests
+
+To run the default suite of unit tests (only `terraform plan`), run the following Docker command:
+
+```bash
+# Run from the ./viya4-iac-azure directory
+docker run --rm \
+  --env-file=$HOME/.azure_docker_creds.env \
+  --volume "$(pwd)":/viya4-iac-azure \
+  viya4-iac-azure-terratest
+```
+
+### Running a Specific Go Test
+
+To run a specific test, run the following Docker command with the `-r` option:
+
+```bash
+# Run from the ./viya4-iac-azure directory
+docker run --rm \
+  --env-file=$HOME/.azure_docker_creds.env \
+  --volume "$(pwd)":/viya4-iac-azure \
+  viya4-iac-azure-terratest \
+  -r="YourTest"
+```
+To run multiple tests, pass in a regex to the `-r` option - "TestName1|TestName2|TestName3"
+
+### Running a Specific Go Package and Test
+
+If you want to specify the Go package and test name, run the following Docker command with the following options:
+
+```bash
+# Run from the ./viya4-iac-azure directory
+docker run --rm \
+  --env-file=$HOME/.azure_docker_creds.env \
+  --volume "$(pwd)":/viya4-iac-azure \
+  viya4-iac-azure-terratest \
+  -r="YourTest" \
+  -p="YourPackage"
+```
+
+### Running the Go Tests with verbose mode
+
+If you want to run the tests in verbose mode, run the Docker command with the `-v` option:
+
+```bash
+# Run from the ./viya4-iac-azure directory
+docker run --rm \
+  --env-file=$HOME/.azure_docker_creds.env \
+  --volume "$(pwd)":/viya4-iac-azure \
+  viya4-iac-azure-terratest -v
+```
+
+### Accessing test run logs
+
+After you have started the Docker container, log files are created in the `./viya4-iac-azure/test/test_output` directory. These files enable you to view the test results in XML format, as well as test logs that are generated by the terrratest_log_parser.