From 5c90b2e539dae0225a3421589705731e0225f900 Mon Sep 17 00:00:00 2001
From: "Vinicius D. Cerutti" <51954708+viniciusdc@users.noreply.github.com>
Date: Mon, 6 Jan 2025 09:19:52 -0300
Subject: [PATCH] Add azure kubernetes policy add-on (#2888)

---
 src/_nebari/stages/infrastructure/__init__.py                 | 2 ++
 src/_nebari/stages/infrastructure/template/azure/main.tf      | 1 +
 .../template/azure/modules/kubernetes/main.tf                 | 3 +++
 .../template/azure/modules/kubernetes/variables.tf            | 6 ++++++
 .../stages/infrastructure/template/azure/variables.tf         | 5 +++++
 5 files changed, 17 insertions(+)

diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
index 243abd160..c38bd667b 100644
--- a/src/_nebari/stages/infrastructure/__init__.py
+++ b/src/_nebari/stages/infrastructure/__init__.py
@@ -104,6 +104,7 @@ class AzureInputVars(schema.Base):
     tags: Dict[str, str] = {}
     max_pods: Optional[int] = None
     network_profile: Optional[Dict[str, str]] = None
+    azure_policy_enabled: bool = None
     workload_identity_enabled: bool = False
@@ -809,6 +810,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
                 network_profile=self.config.azure.network_profile,
                 max_pods=self.config.azure.max_pods,
                 workload_identity_enabled=self.config.azure.workload_identity_enabled,
+                azure_policy_enabled=self.config.azure.azure_policy_enabled,
             ).model_dump()
         elif self.config.provider == schema.ProviderEnum.aws:
             return AWSInputVars(
diff --git a/src/_nebari/stages/infrastructure/template/azure/main.tf b/src/_nebari/stages/infrastructure/template/azure/main.tf
index 2d6e2e2af..594a6a4aa 100644
--- a/src/_nebari/stages/infrastructure/template/azure/main.tf
+++ b/src/_nebari/stages/infrastructure/template/azure/main.tf
@@ -43,4 +43,5 @@ module "kubernetes" {
   vnet_subnet_id            = var.vnet_subnet_id
   private_cluster_enabled   = var.private_cluster_enabled
   workload_identity_enabled = var.workload_identity_enabled
+  azure_policy_enabled      = var.azure_policy_enabled
 }
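Review bot: `azure_policy_enabled: bool = None` in AzureInputVars annotates a bool but defaults it to None, unlike the sibling `workload_identity_enabled: bool = False` on the very next line. Pydantic does not validate default values unless asked to, so if the config field it is copied from is also None, `model_dump()` emits None and the root Terraform variable receives `null` instead of a boolean; the provider will then treat the argument as unset (add-on off), but that safe default is reached by accident rather than stated. Make it `azure_policy_enabled: bool = False` so the schema declares the default explicitly, or `Optional[bool] = None` if null is genuinely meant to mean "leave unmanaged", which is the convention the surrounding Optional fields use. The AzureInputVars class body continues past the end of this hunk.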
diff --git a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf
index f093f048c..66b46e13e 100644
--- a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf
+++ b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf
@@ -15,6 +15,9 @@ resource "azurerm_kubernetes_cluster" "main" {
   # Azure requires that a new, non-existent Resource Group is used, as otherwise the provisioning of the Kubernetes Service will fail.
   node_resource_group     = var.node_resource_group_name
   private_cluster_enabled = var.private_cluster_enabled
+  # https://learn.microsoft.com/en-ie/azure/governance/policy/concepts/policy-for-kubernetes
+  azure_policy_enabled = var.azure_policy_enabled
+
   dynamic "network_profile" {
     for_each = var.network_profile != null ? [var.network_profile] : []
diff --git a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf
index b93a9fae2..355b284ba 100644
--- a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf
+++ b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf
@@ -76,3 +76,9 @@ variable "workload_identity_enabled" {
   type    = bool
   default = false
 }
+
+variable "azure_policy_enabled" {
+  description = "Enable Azure Policy"
+  type        = bool
+  default     = false
+}
diff --git a/src/_nebari/stages/infrastructure/template/azure/variables.tf b/src/_nebari/stages/infrastructure/template/azure/variables.tf
index dcef2c97c..657435c7d 100644
--- a/src/_nebari/stages/infrastructure/template/azure/variables.tf
+++ b/src/_nebari/stages/infrastructure/template/azure/variables.tf
@@ -82,3 +82,8 @@ variable "workload_identity_enabled" {
   type    = bool
   default = false
 }
+
+variable "azure_policy_enabled" {
+  description = "Enable Azure Policy"
+  type        = bool
+}
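Review bot: The comment added above `azure_policy_enabled` is a bare, locale-specific URL (`en-ie`) and does not tell an operator what turning the flag on actually buys. Enabling the AKS Azure Policy add-on only deploys the policy agent (Gatekeeper); nothing is enforced until policy assignments are scoped to the cluster or its resource group, and this module creates no assignments, so a reader could wrongly assume the flag alone hardens the cluster. Replace the comment with something like `# Azure Policy add-on (Gatekeeper-based admission control). This only installs the agent; policies take effect once assignments target this cluster, which this module does not create.` followed by the locale-neutral link `https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes`. The enclosing azurerm_kubernetes_cluster resource starts before and continues after this hunk.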
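Review bot: The root-level `variable "azure_policy_enabled"` has no `default`, while the module-level copy added in the same commit defaults to `false`; as written the root variable is required, and since the Python side can hand it `null`, the effective value depends on how the provider treats an unset argument rather than on anything declared here. Add `default     = false` so the root module is self-consistent with the module variable and the add-on is off unless explicitly requested. While there, the description should say what is being enabled, e.g. `description = "Enable the Azure Policy (Gatekeeper) add-on on the AKS cluster"`, rather than the generic "Enable Azure Policy" used in both new variable blocks.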