From 6a1f9e4f75321de65809c22f186b40ac23360502 Mon Sep 17 00:00:00 2001
From: viniciusdc <vinivdc2009@hotmail.com>
Date: Tue, 17 Dec 2024 11:48:25 -0300
Subject: [PATCH] add azure kuberntes policy add-on

---
 src/_nebari/stages/infrastructure/__init__.py               | 2 ++
 src/_nebari/stages/infrastructure/template/azure/main.tf    | 1 +
 .../template/azure/modules/kubernetes/main.tf               | 3 +++
 .../template/azure/modules/kubernetes/variables.tf          | 6 ++++++
 .../stages/infrastructure/template/azure/variables.tf       | 5 +++++
 5 files changed, 17 insertions(+)

diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
index 243abd1608..c38bd667b8 100644
--- a/src/_nebari/stages/infrastructure/__init__.py
+++ b/src/_nebari/stages/infrastructure/__init__.py
@@ -104,6 +104,7 @@ class AzureInputVars(schema.Base):
     tags: Dict[str, str] = {}
     max_pods: Optional[int] = None
     network_profile: Optional[Dict[str, str]] = None
+    azure_policy_enabled: bool = None
     workload_identity_enabled: bool = False
 
 
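Review bot: The new field `azure_policy_enabled: bool = None` declares a bool but defaults to None, unlike the neighbouring `workload_identity_enabled: bool = False`; depending on how strictly schema.Base validates, that default is either rejected at construction or passed through as null when input_vars calls `model_dump()`, and either outcome differs from the Terraform module's `default = false`. Change it to `azure_policy_enabled: bool = False` so the add-on is off unless explicitly enabled. The AzureInputVars class starts and ends outside the hunk.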
@@ -809,6 +810,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
                 network_profile=self.config.azure.network_profile,
                 max_pods=self.config.azure.max_pods,
                 workload_identity_enabled=self.config.azure.workload_identity_enabled,
+                azure_policy_enabled=self.config.azure.azure_policy_enabled,
             ).model_dump()
         elif self.config.provider == schema.ProviderEnum.aws:
             return AWSInputVars(
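Review bot: The added keyword argument reads `self.config.azure.azure_policy_enabled`, but no hunk in this patch adds that field to the Azure config schema (the diffstat lists only this stage file and Terraform templates), so unless the field already exists on the config model every Azure deployment will fail here with an AttributeError. If it still needs adding, give it the same `False` default so existing configuration files keep current behaviour. The input_vars method starts and ends outside the hunk.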
diff --git a/src/_nebari/stages/infrastructure/template/azure/main.tf b/src/_nebari/stages/infrastructure/template/azure/main.tf
index 2d6e2e2afa..594a6a4aa2 100644
--- a/src/_nebari/stages/infrastructure/template/azure/main.tf
+++ b/src/_nebari/stages/infrastructure/template/azure/main.tf
@@ -43,4 +43,5 @@ module "kubernetes" {
   vnet_subnet_id            = var.vnet_subnet_id
   private_cluster_enabled   = var.private_cluster_enabled
   workload_identity_enabled = var.workload_identity_enabled
+  azure_policy_enabled      = var.azure_policy_enabled
 }
diff --git a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf
index f093f048c6..66b46e13eb 100644
--- a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf
+++ b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf
@@ -15,6 +15,9 @@ resource "azurerm_kubernetes_cluster" "main" {
   # Azure requires that a new, non-existent Resource Group is used, as otherwise the provisioning of the Kubernetes Service will fail.
   node_resource_group     = var.node_resource_group_name
   private_cluster_enabled = var.private_cluster_enabled
+  # https://learn.microsoft.com/en-ie/azure/governance/policy/concepts/policy-for-kubernetes
+  azure_policy_enabled = var.azure_policy_enabled
+
 
   dynamic "network_profile" {
     for_each = var.network_profile != null ? [var.network_profile] : []
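Review bot: The added blank `+` line sits directly above an existing blank context line, leaving two consecutive empty lines before `dynamic "network_profile"`; drop one so the block reads like the rest of the resource and `terraform fmt` output stays stable. The new comment is only a link; a one-line statement of what the flag does would help the next maintainer, e.g. `# Azure Policy add-on: installs the Gatekeeper-based policy agent; nothing is audited or denied until policy definitions/initiatives are assigned to the cluster scope (see link).` The `azurerm_kubernetes_cluster` resource starts and ends outside the hunk.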
diff --git a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf
index b93a9fae2d..355b284ba0 100644
--- a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf
+++ b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf
@@ -76,3 +76,9 @@ variable "workload_identity_enabled" {
   type        = bool
   default     = false
 }
+
+variable "azure_policy_enabled" {
+  description = "Enable Azure Policy"
+  type        = bool
+  default     = false
+}
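Review bot: `description = "Enable Azure Policy"` tells an operator little, and it can be read as if enabling the variable enforces policy by itself. Suggest `description = "Enable the Azure Policy add-on (Gatekeeper-based policy agent) on the AKS cluster. Policy definitions or initiatives must be assigned to the cluster scope separately for anything to be audited or denied."`. The same one-line description is repeated in the top-level template/azure/variables.tf hunk and should be updated there too.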
diff --git a/src/_nebari/stages/infrastructure/template/azure/variables.tf b/src/_nebari/stages/infrastructure/template/azure/variables.tf
index dcef2c97cb..657435c7da 100644
--- a/src/_nebari/stages/infrastructure/template/azure/variables.tf
+++ b/src/_nebari/stages/infrastructure/template/azure/variables.tf
@@ -82,3 +82,8 @@ variable "workload_identity_enabled" {
   type        = bool
   default     = false
 }
+
+variable "azure_policy_enabled" {
+  description = "Enable Azure Policy"
+  type        = bool
+}
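Review bot: The top-level `variable "azure_policy_enabled"` has no `default`, while the module-level copy and the adjacent `workload_identity_enabled` in this same file both declare `default = false`; with the Python side currently defaulting the value to None, an unset option likely reaches Terraform as null rather than false. Add `default = false` after the `type` line so the root and module variables agree and the add-on stays off unless explicitly requested.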