Commit 21269bf

stef-p (Stef Pierre) and iadomi authored
Add support for Azure Policy Add-On for AKS (#389)
* Add support for Azure Policy Add-On for AKS
* Add support for Azure Policy Add-On for AKS
* add aks_azure_policy_enabled to main.tf and update config-vars.md
* DCO Remediation Commit for Ian Dominno <[email protected]>

I, Ian Dominno <[email protected]>, hereby add my Signed-off-by to this commit: 5580cf63961a299a80b1680bc4c161a3be6b8dd1

Signed-off-by: Ian Dominno <[email protected]>

---------

Signed-off-by: Ian Dominno <[email protected]>
Co-authored-by: Stef Pierre <[email protected]>
Co-authored-by: Ian Dominno <[email protected]>
1 parent 56c62e1 commit 21269bf

5 files changed

+17
-2
lines changed
docs/CONFIG-VARS.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -209,9 +209,10 @@ Ubuntu 20.04 LTS is the operating system used on the Jump/NFS servers. Ubuntu cr
209209
| ssh_public_key | File name of public ssh key for jump and nfs VM | string | "~/.ssh/id_rsa.pub" | Required with `create_jump_vm=true` or `storage_type=standard` |
210210
| cluster_api_mode | Public or private IP for the cluster api | string | "public" | Valid Values: "public", "private" |
211211
| aks_cluster_private_dns_zone_id | Specifies private DNS zone resource ID for AKS private cluster to use | string | "" | For `cluster_api_mode=private` if `aks_cluster_private_dns_zone_id` is not specified then the value `System` is used else it is set to null. For details see [Configure a private DNS zone](https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=azure-portal#configure-a-private-dns-zone) |
212-
| aks_cluster_sku_tier | The SKU Tier that should be used for this Kubernetes Cluster. Optimizes api server for cost vs availability | string | "Free" | Valid Values: "Free", "Standard" and "Premium" |
213-
| cluster_support_tier | Specifies the support plan which should be used for this Kubernetes Cluster. | string | "KubernetesOfficial" | Possible values are `KubernetesOfficial` and `AKSLongTermSupport`. To enable long term K8s support is a combination of setting `aks_cluster_sku_tier` to `Premium` tier and explicitly selecting the `cluster_support_tier` as `AKSLongTermSupport`. For details see [Long term Support](https://learn.microsoft.com/en-us/azure/aks/long-term-support) and for which K8s version has long term support see [AKS Kubernetes release calendar](https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli#aks-kubernetes-release-calendar).|
212+
| aks_cluster_sku_tier | The SKU Tier that should be used for this Kubernetes Cluster. Optimizes api server for cost vs availability | string | "Free" | Valid Values: "Free", "Standard" and "Premium" |
213+
| cluster_support_tier | Specifies the support plan which should be used for this Kubernetes Cluster. | string | "KubernetesOfficial" | Possible values are `KubernetesOfficial` and `AKSLongTermSupport`. To enable long term K8s support is a combination of setting `aks_cluster_sku_tier` to `Premium` tier and explicitly selecting the `cluster_support_tier` as `AKSLongTermSupport`. For details see [Long term Support](https://learn.microsoft.com/en-us/azure/aks/long-term-support) and for which K8s version has long term support see [AKS Kubernetes release calendar](https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli#aks-kubernetes-release-calendar).|
214214
| aks_cluster_run_command_enabled | Enable or disable the AKS Run Command feature | bool | false | The AKS Run Command feature in AKS allows you to remotely execute commands within a running container of your AKS cluster directly from the Azure CLI or Azure portal. To enable the Run Command feature for an AKS cluster where Run Command is disabled, navigate to the Run Command tab for your AKS Cluster in the Azure Portal and select the Enable button. |
215+
| aks_azure_policy_enabled | Enable or disable the Azure Policy Add-on or extension | bool | false | Azure Policy makes it possible to manage and report on the compliance state of your Kubernetes cluster components from one place. By using Azure Policy's Add-on or Extension, governing your cluster components is enhanced with Azure Policy features, like the ability to use selectors and overrides for safe policy rollout and rollback. |
215216

216217
## Node Pools
217218
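Review bot: rows 212-213 (`aks_cluster_sku_tier` and `cluster_support_tier`) are deleted and re-added with identical visible content, which points to a trailing-whitespace or line-ending change; drop that churn so the hunk carries only the new `aks_azure_policy_enabled` row. For the new row, the last column explains what Azure Policy does but not what the flag does: state that the default `false` leaves the cluster without the add-on and that the value is passed straight through to `azure_policy_enabled` on the `azurerm_kubernetes_cluster` resource, the way the `aks_cluster_run_command_enabled` row above names the feature being toggled and its effect.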

main.tf

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -172,6 +172,7 @@ module "aks" {
172172
rbac_aad_admin_group_object_ids = var.rbac_aad_admin_group_object_ids
173173
aks_private_cluster = var.cluster_api_mode == "private" ? true : false
174174
depends_on = [module.vnet]
175+
aks_azure_policy_enabled = var.aks_azure_policy_enabled
175176
}
176177

177178
module "kubeconfig" {
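Review bot: the new `aks_azure_policy_enabled = var.aks_azure_policy_enabled` line lands after `depends_on = [module.vnet]`; `depends_on` is a meta-argument that is conventionally the last entry in a block, so move the new argument up beside `aks_private_cluster = var.cluster_api_mode == "private" ? true : false` with the other module inputs and keep the `=` alignment used by the surrounding lines.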

modules/azure_aks/main.tf

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
1414
role_based_access_control_enabled = true
1515
http_application_routing_enabled = false
1616
disk_encryption_set_id = var.aks_node_disk_encryption_set_id
17+
azure_policy_enabled = var.aks_azure_policy_enabled
1718

1819
# https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions
1920
# az aks get-versions --location eastus -o table
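Review bot: `azure_policy_enabled = var.aks_azure_policy_enabled` is wired correctly and, because the module variable defaults to `false`, existing clusters keep the add-on off unless the caller opts in. Since the lines just below already carry a comment pointing at the supported-versions documentation, add a similar one-line comment here noting that this argument toggles the Azure Policy add-on, so a reader of the resource block does not have to trace the variable back to docs/CONFIG-VARS.md.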

modules/azure_aks/variables.tf

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -143,6 +143,12 @@ variable "aks_node_disk_encryption_set_id" {
143143
default = null
144144
}
145145

146+
variable "aks_azure_policy_enabled" {
147+
description = "Enables the Azure Policy Add-On for Azure Kubernetes Service."
148+
type = bool
149+
default = false
150+
}
151+
146152
variable "kubernetes_version" {
147153
description = "The AKS cluster K8s version"
148154
type = string
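Review bot: the description `Enables the Azure Policy Add-On for Azure Kubernetes Service.` reads as if the variable always enables the add-on, while `default = false` makes it opt-in; reword it to `Enable or disable the Azure Policy Add-On for Azure Kubernetes Service.` so it matches the docs table wording for this variable and for `aks_cluster_run_command_enabled`, and so `terraform-docs` output for the module describes both states.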

variables.tf

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -196,6 +196,12 @@ variable "aks_node_disk_encryption_set_id" {
196196
default = null
197197
}
198198

199+
variable "aks_azure_policy_enabled" {
200+
description = "Enables the Azure Policy Add-On for Azure Kubernetes Service."
201+
type = bool
202+
default = false
203+
}
204+
199205
# AKS advanced network config
200206
variable "aks_network_plugin" {
201207
description = "Network plugin to use for networking. Currently supported values are azure and kubenet. Changing this forces a new resource to be created."
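Review bot: this root variable duplicates the module variable verbatim, which is expected for a pass-through, but its description has the same enable-only wording as its `default = false` contradicts; use `Enable or disable ...` here too, and since docs/CONFIG-VARS.md shows `false` as the default for `aks_azure_policy_enabled`, note in a comment that this root default (not the module's) is the one users see, so the two must be changed together.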
