Merge branch 'staging' into pr-pskd-1488

Author: illianov

docs/CONFIG-VARS.md

@@ -212,7 +212,12 @@ Ubuntu 20.04 LTS is the operating system used on the Jump/NFS servers. Ubuntu cr
 | aks_cluster_sku_tier | The SKU Tier that should be used for this Kubernetes Cluster. Optimizes api server for cost vs availability | string | "Free" | Valid Values:  "Free", "Standard" and "Premium" | 
 | cluster_support_tier | Specifies the support plan which should be used for this Kubernetes Cluster. | string | "KubernetesOfficial" | Possible values are `KubernetesOfficial` and `AKSLongTermSupport`. To enable long term K8s support is a combination of setting `aks_cluster_sku_tier` to `Premium` tier and explicitly selecting the `cluster_support_tier` as `AKSLongTermSupport`. For details see [Long term Support](https://learn.microsoft.com/en-us/azure/aks/long-term-support) and for which K8s version has long term support see [AKS Kubernetes release calendar](https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli#aks-kubernetes-release-calendar). | 
 | aks_cluster_run_command_enabled | Enable or disable the AKS Run Command feature | bool | false | The AKS Run Command feature in AKS allows you to remotely execute commands within a running container of your AKS cluster directly from the Azure CLI or Azure portal. To enable the Run Command feature for an AKS cluster where Run Command is disabled, navigate to the Run Command tab for your AKS Cluster in the Azure Portal and select the Enable button. |
+| aks_azure_policy_enabled | Enable or disable the Azure Policy Add-on or extension | bool | false | Azure Policy makes it possible to manage and report on the compliance state of your Kubernetes cluster components from one place. By using Azure Policy's Add-on or Extension, governing your cluster components is enhanced with Azure Policy features, like the ability to use selectors and overrides for safe policy rollout and rollback. |
 | node_resource_group_name | Specifies the resource group name for the cluster resources | string | `MC_${local.aks_rg.name}_${var.prefix}-aks_${var.location}` | |
+| aks_cluster_sku_tier | The SKU Tier that should be used for this Kubernetes Cluster. Optimizes api server for cost vs availability | string | "Free" | Valid Values:  "Free", "Standard" and "Premium" |
+| cluster_support_tier | Specifies the support plan which should be used for this Kubernetes Cluster. | string | "KubernetesOfficial" | Possible values are `KubernetesOfficial` and `AKSLongTermSupport`. To enable long term K8s support is a combination of setting `aks_cluster_sku_tier` to `Premium` tier and explicitly selecting the `cluster_support_tier` as `AKSLongTermSupport`. For details see [Long term Support](https://learn.microsoft.com/en-us/azure/aks/long-term-support) and for which K8s version has long term support see [AKS Kubernetes release calendar](https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli#aks-kubernetes-release-calendar).|
+| aks_cluster_run_command_enabled | Enable or disable the AKS Run Command feature | bool | false | The AKS Run Command feature in AKS allows you to remotely execute commands within a running container of your AKS cluster directly from the Azure CLI or Azure portal. To enable the Run Command feature for an AKS cluster where Run Command is disabled, navigate to the Run Command tab for your AKS Cluster in the Azure Portal and select the Enable button. |
+| aks_azure_policy_enabled | Enable or disable the Azure Policy Add-on or extension | bool | false | Azure Policy makes it possible to manage and report on the compliance state of your Kubernetes cluster components from one place. By using Azure Policy's Add-on or Extension, governing your cluster components is enhanced with Azure Policy features, like the ability to use selectors and overrides for safe policy rollout and rollback. |
 
 ## Node Pools
 

docs/user/TestingPhilosophy.md

@@ -13,52 +13,49 @@ The unit tests in this project are designed to quickly and efficiently verify th
 
 ### Unit Testing Structure
 
-The unit tests are written as [table-driven tests](https://go.dev/wiki/TableDrivenTests) so that they are easier to read, understand, and expand. The tests are divided into two files, [default_unit_test.go](../../test/default_unit_test.go) and [non_default_unit_test.go](../../test/non_default_unit_test.go).
+The unit tests are written as [table-driven tests](https://go.dev/wiki/TableDrivenTests) so that they are easier to read, understand, and expand. The tests are divided into two packages, [defaultplan](../../test/defaultplan) and [nondefaultplan](../../test/nondefaultplan).
 
-The test file named default_unit_test.go validates the default values of a Terraform plan. This testing ensures that there are no regressions in the default behavior of the code base. The test file named non_default_unit_test.go modifies the input values before running the Terraform plan. After generating the plan file, the test verifies that it contains the expected values. Both files are written as table-driven tests.
+The test package defaultplan validates the default values of a Terraform plan. This testing ensures that there are no regressions in the default behavior of the code base. The test package nondefaultplan modifies the input values before running the Terraform plan. After generating the plan file, the test verifies that it contains the expected values. Both sets of tests are written to be table-driven.
 
-To see an example, look at the `TestPlanStorageDefaults` function in the default_unit_test.go file that is shown below.
+To see an example, look at the `TestPlanStorage` function in the defaultplan/storage_test.go file that is shown below.
 
-With the Table-Driven approach, each entry in the `storageTests` map is a test. These tests verify that the expected value matches the actual value of the "module.nfs[0].azurerm_linux_virtual_machine.vm" resource.  We use the [k8s.io JsonPath](https://pkg.go.dev/k8s.io/[email protected]/util/jsonpath) library to parse the Terraform output and extract the desired attribute.  The runTest call is a helper function that runs through each test in the map and perform assertions. See the [helpers.go](../../test/helpers.go) file for more information on the common helper functions.
+With the Table-Driven approach, each entry in the `tests` map is a test. These tests verify that the expected value matches the actual value of the "module.nfs[0].azurerm_linux_virtual_machine.vm" resource.  We use the [k8s.io JsonPath](https://pkg.go.dev/k8s.io/[email protected]/util/jsonpath) library to parse the Terraform output and extract the desired attribute.  The RunTests call is a helper function that runs through each test in the map and perform the supplied assertions. See the [helpers](../../test/helpers) package for more information on the common helper functions.
 
 ```go
-// Function containing all unit tests for the Storage type
-// and its default values.
-func TestPlanStorageDefaults(t *testing.T) {
-    // Map containing the different tests. Each entry is 
-    // a separate test.
-    storageTests := map[string]testCase{
-        // Verify that the default user is 'nfsuser'.
+func TestPlanStorage(t *testing.T) {
+    t.Parallel()
+
+
+    tests := map[string]helpers.TestCase{
         "userTest": {
-            expected:          "nfsuser",
-            resourceMapName:   "module.nfs[0].azurerm_linux_virtual_machine.vm",
-            attributeJsonPath: "{$.admin_username}",
+            Expected:          "nfsuser",
+            ResourceMapName:   "module.nfs[0].azurerm_linux_virtual_machine.vm",
+            AttributeJsonPath: "{$.admin_username}",
         },
-        // Verify that the default size is 'Standard_D4s_v5'.
         "sizeTest": {
-            expected:          "Standard_D4s_v5",
-            resourceMapName:   "module.nfs[0].azurerm_linux_virtual_machine.vm",
-            attributeJsonPath: "{$.size}",
+            Expected:          "Standard_D4s_v5",
+            ResourceMapName:   "module.nfs[0].azurerm_linux_virtual_machine.vm",
+            AttributeJsonPath: "{$.size}",
+        },
+        "vmNotNilTest": {
+            Expected:          "<nil>",
+            ResourceMapName:   "module.nfs[0].azurerm_linux_virtual_machine.vm",
+            AttributeJsonPath: "{$}",
+            AssertFunction:    assert.NotEqual,
         },
-    }
-
-    // Generate a Plan file using the default input variables.
-    variables := getDefaultPlanVars(t)
-    plan, err := initPlanWithVariables(t, variables)
-    require.NotNil(t, plan)
-    require.NoError(t, err)
-    
-    // For each test in the Test Table, run the test helper function
-    for name, tc := range storageTests {
-        t.Run(name, func(t *testing.T) {
-            runTest(t, tc, plan)
-        })
-    }
+        "vmZoneEmptyStrTest": {
+            Expected:          "",
+            ResourceMapName:   "module.nfs[0].azurerm_linux_virtual_machine.vm",
+            AttributeJsonPath: "{$.vm_zone}",
+        },
+
+    // Run the tests using the default input variables.
+    helpers.RunTests(t, tests, helpers.GetDefaultPlan(t))
 }
 ```
 ### Adding Unit Tests
 
-To create a unit test, you can add an entry to an existing test table in the [default_unit_test.go](../../test/default_unit_test.go) file or the [non_default_unit_test.go](../../test/non_default_unit_test.go) file, depending on the test type. If you don't see an existing test table that fits your needs, you are welcome to create a new function in a similar table-driven test format.
+To create a unit test, you can add an entry to an existing test table if it's related to the resources being validated. If you don't see an existing test table that fits your needs, you are welcome to create a new file in a similar table-driven test format and drop it in the appropriate package.
 
 ### Integration Testing
 

main.tf

@@ -173,6 +173,7 @@ module "aks" {
   rbac_aad_admin_group_object_ids          = var.rbac_aad_admin_group_object_ids
   aks_private_cluster                      = var.cluster_api_mode == "private" ? true : false
   depends_on                               = [module.vnet]
+  aks_azure_policy_enabled                 = var.aks_azure_policy_enabled
 }
 
 module "kubeconfig" {

modules/azure_aks/main.tf

@@ -15,6 +15,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
   role_based_access_control_enabled = true
   http_application_routing_enabled  = false
   disk_encryption_set_id            = var.aks_node_disk_encryption_set_id
+  azure_policy_enabled              = var.aks_azure_policy_enabled
 
   # https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions
   # az aks get-versions --location eastus -o table

modules/azure_aks/variables.tf

@@ -143,6 +143,12 @@ variable "aks_node_disk_encryption_set_id" {
   default     = null
 }
 
+variable "aks_azure_policy_enabled" {
+  description = "Enables the Azure Policy Add-On for Azure Kubernetes Service."
+  type        = bool
+  default     = false
+}
+
 variable "kubernetes_version" {
   description = "The AKS cluster K8s version"
   type        = string