Added log_analytics_workspace_id and Azure Policy add-ons

adamrushuk · Nov 15, 2020 · bf4f9d3 · bf4f9d3
1 parent 53e1b75
commit bf4f9d3
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 11 deletions.
diff --git a/aks.tf b/aks.tf
@@ -12,6 +12,7 @@ resource "azuread_group" "aks_admins" {
   description = "${var.name} Kubernetes cluster administrators"
 }
 
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster
 resource "azurerm_kubernetes_cluster" "aks" {
   name                = var.name
   location            = var.location
@@ -54,6 +55,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
     type = "SystemAssigned"
   }
 
+  # https://docs.microsoft.com/en-us/azure/aks/azure-ad-rbac
   role_based_access_control {
     enabled = true
 
@@ -70,16 +72,19 @@ resource "azurerm_kubernetes_cluster" "aks" {
   }
 
   addon_profile {
+    # https://docs.microsoft.com/en-ie/azure/governance/policy/concepts/policy-for-kubernetes
+    azure_policy { enabled = true }
+
     # cannot remove this deprecated block yet, due to this issue:
     # https://github.com/terraform-providers/terraform-provider-azurerm/issues/7716
     kube_dashboard {
       enabled = false
     }
 
-    # oms_agent {
-    #   enabled                    = var.aks_container_insights_enabled
-    #   log_analytics_workspace_id = var.aks_container_insights_enabled ? azurerm_log_analytics_workspace.aks[0].id : null
-    # }
+    oms_agent {
+      enabled                    = var.log_analytics_workspace_id != "" ? true : false
+      log_analytics_workspace_id = var.log_analytics_workspace_id != "" ? var.log_analytics_workspace_id : null
+    }
   }
 
   tags = var.tags

diff --git a/variables.tf b/variables.tf
@@ -22,13 +22,6 @@ variable "kubernetes_version" {
   default     = "1.16.15"
 }
 
-# http://man.hubwiz.com/docset/Terraform.docset/Contents/Resources/Documents/docs/providers/azurerm/r/kubernetes_cluster.html#azure_active_directory
-variable "aad_auth_enabled" {
-  description = "Should AAD authentication be enabled"
-  type        = bool
-  default     = true
-}
-
 variable "sla_sku" {
   description = "Defines the SLA under which the managed master control plane of AKS is running"
   type        = string
@@ -80,3 +73,19 @@ EOD
   type    = map(any)
   default = {}
 }
+
+
+# ADD-ONS
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#azure_active_directory
+# https://docs.microsoft.com/en-us/azure/aks/azure-ad-rbac
+variable "aad_auth_enabled" {
+  description = "Should AAD authentication be enabled"
+  type        = bool
+  default     = true
+}
+
+variable "log_analytics_workspace_id" {
+  description = "The ID of the Log Analytics Workspace which the OMS Agent should send data to"
+  type        = string
+  default     = ""
+}