Merge pull request #331 from sassoftware/staging

8.8.0 - March 19, 2025

Author: dhoucgitter

.github/workflows/default_plan_unit_tests.yml

@@ -0,0 +1,29 @@
+# Copyright © 2025, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Default Plan Unit Tests
+on:
+  push:
+    branches: ['**'] # '*' will cause the workflow to run on all commits to all branches.
+
+jobs:
+  go-tests:
+    name: Default Plan Unit Tests
+    runs-on: ubuntu-latest
+    environment: terraformSecrets
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+      - name: Build Docker Image
+        run: docker build -t viya4-iac-aws:terratest -f Dockerfile.terratest .
+      - name: Run Tests
+        run: |
+          docker run \
+            -e TF_VAR_aws_access_key_id=$TF_VAR_aws_access_key_id \
+            -e TF_VAR_aws_secret_access_key=$TF_VAR_aws_secret_access_key \
+            -v $(pwd):/viya4-iac-aws \
+            viya4-iac-aws:terratest -v
+        env:
+          # TF ENVIRONMENT
+          TF_VAR_aws_access_key_id: "${{ secrets.TF_VAR_AWS_ACCESS_KEY_ID }}"
+          TF_VAR_aws_secret_access_key: "${{ secrets.TF_VAR_AWS_SECRET_ACCESS_KEY }}"

.github/workflows/linter-analysis.yaml

@@ -48,6 +48,12 @@ jobs:
         path: ~/.tflint.d/plugins
         key: ubuntu-latest-tflint-${{ hashFiles('.tflint.hcl') }}
 
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: "^1.10.5"
+        terraform_wrapper: false
+
     - name: Setup TFLint
       uses: terraform-linters/[email protected]
       with:

.gitignore

@@ -1,6 +1,10 @@
 # Local .terraform directories
 **/.terraform/*
 
+# Local IDE configurations
+.vscode/*
+.idea/*
+
 # .tfstate files
 *.tfstate
 *.tfstate.*
@@ -41,3 +45,6 @@ terraform.tfvars
 
 # Configuration files
 *.conf
+
+# Testing output files
+test/test_output/*

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+---
+default_stages: [pre-commit]
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.23.3
+    hooks:
+      - id: gitleaks
+
+ci:
+  autofix_prs: false
+  autoupdate_commit_msg: "chore: auto-update of pre-commit hooks"

CONTRIBUTING.md

@@ -1,19 +1,27 @@
 # How to Contribute
-We'd love to accept your patches and contributions to this project.
-We just ask that you follow our contribution guidelines when you do.
+This project is community-driven, and we'd love to accept your patches and contributions.
+We just ask that you follow our contribution guidelines when you do. Refer
+to the [Contributor Handbook](https://sassoftware.github.io/contributor-handbook.html)
+for guidance.
 
 ## Contributor License Agreement
 Contributions to this project must be accompanied by a signed [Contributor Agreement](ContributorAgreement.txt).
-You (or your employer) retain the copyright to your contribution; this simply grants us permission to use and redistribute your contributions as part of the project.
+You (or your employer) retain the copyright to your contribution; this agreement simply grants
+us permission to use and redistribute your contributions as part of the project.
 
-## Code reviews
-All submissions to this project—including submissions from project members—require review.
-Our review process typically involves performing unit tests, development tests, integration tests, and security scans using internal SAS infrastructure.
-For this reason, we don’t often merge pull requests directly from GitHub.
+## Code Reviews
+All submissions to this project—including submissions from project members—require
+review. Our review process typically involves performing unit tests, development
+tests, integration tests, and security scans.
 
-Instead, we work with submissions internally first, vetting them to ensure they meet our security and quality standards.
-We’ll do our best to work with contributors in public issues and pull requests; however, to ensure our code meets our internal compliance standards, we may need to incorporate your submission into a solution we push ourselves.
+## Pull Request Requirement
+All contributions (PRs) must be accompanied by passing unit and/or integration
+tests, following our  [testing philosophy](./docs/user/TestingPhilosophy.md). If you are unfamiliar with this process,
+we are happy to help you navigate it by providing continuous collaboration within the pull request.
+All pull requests must also pass our linter analysis checks. Contributions might
+be subjected to security scans before they can be accepted.
 
-This does not mean we don’t value or appreciate your contribution.
-We simply need to review your code internally before merging it.
-We work to ensure all contributors receive appropriate recognition for their contributions, at least by acknowledging them in our release notes.
+## Security Scans
+To ensure that all submissions meet our security and quality standards, we perform security
+scans using internal SAS infrastructure. Reporting of any Common Vulnerabilities and Exposures
+(CVEs) that are detected is not available in this project at this time.

Dockerfile

@@ -1,12 +1,12 @@
-ARG TERRAFORM_VERSION=1.9.6
-ARG AWS_CLI_VERSION=2.17.58
+ARG TERRAFORM_VERSION=1.10.5
+ARG AWS_CLI_VERSION=2.24.16
 FROM hashicorp/terraform:$TERRAFORM_VERSION AS terraform
 
 FROM almalinux:minimal AS amin
 WORKDIR /app
 USER root
-ARG KUBECTL_VERSION=1.30.6
-ARG KUBECTL_CHECKSUM=7a3adf80ca74b1b2afdfc7f4570f0005ca03c2812367ffb6ee2f731d66e45e61
+ARG KUBECTL_VERSION=1.30.10
+ARG KUBECTL_CHECKSUM=bc74dbeefd4b9d53f03016f6778f3ffc9a72ef4ca7b7c80fd5dc1a41d52dcab7
 RUN /usr/bin/bash -eux \
   && curl -fSLO https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl \
   && chmod 755 ./kubectl \

Dockerfile.terratest

@@ -0,0 +1,23 @@
+FROM golang:1.23
+
+# Install terraform from apt repository and terratest_log_parser
+RUN \
+    apt-get update \
+    && apt-get install -y jq lsb-release \
+    && wget -O - https://apt.releases.hashicorp.com/gpg \
+        | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
+        | tee /etc/apt/sources.list.d/hashicorp.list \
+    && apt update \
+    && apt install terraform \
+    && ssh-keygen -f ~/.ssh/id_rsa -P "" \
+    && go install github.com/gruntwork-io/terratest/cmd/terratest_log_parser@latest
+
+WORKDIR /viya4-iac-aws/test
+
+# Copy the test directory so it can install the go modules
+# during the docker build rather than the docker run
+COPY ./test ./
+RUN go mod tidy
+
+ENTRYPOINT ["/viya4-iac-aws/test/terratest_docker_entrypoint.sh"]

README.md

@@ -47,18 +47,18 @@ The following are also required:
 
 #### Terraform Requirements:
 
-- [Terraform](https://www.terraform.io/downloads.html) v1.9.6
-- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) - v1.30.6
+- [Terraform](https://www.terraform.io/downloads.html) v1.10.5
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) - v1.30.10
 - [jq](https://stedolan.github.io/jq/) v1.6
-- [AWS CLI](https://aws.amazon.com/cli) (optional; useful as an alternative to the AWS Web Console) v2.17.58
+- [AWS CLI](https://aws.amazon.com/cli) (optional; useful as an alternative to the AWS Web Console) v2.24.16
 
 #### Docker Requirements:
 
 - [Docker](https://docs.docker.com/get-docker/)
 
 ## Getting Started
 
-Ubuntu 18.04 LTS is the operating system that is used on the jump server and NFS server VMs. Ubuntu creates the `/mnt` location as an ephemeral drive, so it cannot be used as the root location of the `jump_rwx_filestore_path` variable.
+Ubuntu 20.04 LTS is the operating system that is used on the jump server and NFS server VMs. Ubuntu creates the `/mnt` location as an ephemeral drive, so it cannot be used as the root location of the `jump_rwx_filestore_path` variable.
 
 ### Clone this Project
 

container-structure-test.yaml

@@ -17,14 +17,14 @@ commandTests:
   - name: "terraform version"
     command: "terraform"
     args: ["--version"]
-    expectedOutput: ["Terraform v1.9.6"]
+    expectedOutput: ["Terraform v1.10.5"]
   - name: "aws-cli version"
     command: "sh"
     args:
       - -c
       - |
         aws --version
-    expectedOutput: ["aws-cli/2.17.58"]
+    expectedOutput: ["aws-cli/2.24.16"]
 
 metadataTest:
   workdir: "/viya4-iac-aws"

docs/CONFIG-VARS.md

@@ -187,7 +187,7 @@ By default, two custom IAM policies and two custom IAM roles (with instance prof
 
 | <div style="width:50px">Name</div> | <div style="width:150px">Description</div> | <div style="width:50px">Type</div> | <div style="width:75px">Default</div> | <div style="width:150px">Notes</div> |
 | :--- | :--- | :--- | :--- | :--- |
-| cluster_iam_role_arn | ARN of the pre-existing IAM role for the EKS cluster | string | null | If an existing EKS cluster IAM role is being used, the IAM role's 'ARN' is required. |
+| cluster_iam_role_arn | Amazon Resource Name (ARN) of the pre-existing IAM role for the EKS cluster | string | null | If an existing EKS cluster IAM role is being used, the IAM role's 'ARN' is required. |
 | workers_iam_role_arn | ARN of the pre-existing IAM role for the cluster node VMs | string | null | If an existing EKS node IAM role is being used, the IAM role's 'ARN' is required. |
 
 The cluster IAM role must include three AWS-managed policies and one custom policy.
@@ -266,6 +266,8 @@ Custom policy:
 | autoscaling_enabled | Enable cluster autoscaling | bool | true | |
 | ssh_public_key | File name of public ssh key for jump and nfs VM | string | "~/.ssh/id_rsa.pub" | Required with `create_jump_vm=true` or `storage_type=standard` |
 | cluster_api_mode | Public or private IP for the cluster api| string|"public"|Valid Values: "public", "private" |
+| authentication_mode | The authentication mode for the EKS cluster.| string|"API_AND_CONFIG_MAP"| Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP |
+| admin_access_entry_role_arns | Create an EKS access entry associated with the AmazonEKSClusterAdminPolicy for each of the existing IAM role ARNs that are included in this list. | list of strings | | **Note:** Do not include the assumed-role that is used to authenticate to Terraform in this list. The format for role ARNs resembles the following example: "arn:aws:iam::<Account_ID>:role/<rolename>"|
 
 ## Node Pools
 
@@ -388,8 +390,8 @@ Each server element, like `foo = {}`, can contain none, some, or all of the para
 | <div style="width:50px">Name</div> | <div style="width:150px">Description</div> | <div style="width:50px">Type</div> | <div style="width:75px">Default</div> | <div style="width:150px">Notes</div> |
 | :--- | :--- | :--- | :--- | :--- |
 | server_version | The version of the PostgreSQL server | string | "15" | Refer to the [SAS Viya platform Administration Guide](https://documentation.sas.com/?cdcId=sasadmincdc&cdcVersion=default&docsetId=itopssr&docsetTarget=p05lfgkwib3zxbn1t6nyihexp12n.htm#p1wq8ouke3c6ixn1la636df9oa1u) for the supported versions of PostgreSQL for the SAS Viya platform. |
-| instance_type | The VM type for the PostgreSQL Server | string | "db.m5.xlarge" | |
-| storage_size | Max storage allowed for the PostgreSQL server in MB | number | 50 |  |
+| instance_type | The VM type for the PostgreSQL Server | string | "db.m6idn.xlarge" | |
+| storage_size | Max storage allowed for the PostgreSQL server in GB | number | 128 |  |
 | backup_retention_days | Backup retention days for the PostgreSQL server | number | 7 | Supported values are between 7 and 35 days. |
 | storage_encrypted | Encrypt PostgreSQL data at rest | bool | false| |
 | administrator_login | The Administrator Login for the PostgreSQL Server | string | "pgadmin" | The admin login name can not be 'admin', must start with a letter, and must be between 1-16 characters in length, and can only contain underscores, letters, and numbers. Changing this forces a new resource to be created |
@@ -410,8 +412,8 @@ postgres_servers = {
     administrator_password       = "D0ntL00kTh1sWay"
   },
   cds-postgres = {
-    instance_type                = "db.m5.xlarge"
-    storage_size                 = 50
+    instance_type                = "db.m6idn.xlarge"
+    storage_size                 = 128
     storage_encrypted            = false
     backup_retention_days        = 7
     multi_az                     = false