Merge branch 'main' into azure-entra-ID-rbac

nebari-dev · Jan 6, 2025 · 7ec952c · 7ec952c
2 parents cee4476 + 5c90b2e
commit 7ec952c
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 0 deletions.
diff --git a/src/_nebari/cli.py b/src/_nebari/cli.py
@@ -65,6 +65,7 @@ def common(
             [],
             "--import-plugin",
             help="Import nebari plugin",
+            callback=import_plugin,
         ),
         excluded_stages: typing.List[str] = typer.Option(
             [],

diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
@@ -125,6 +125,7 @@ class AzureInputVars(schema.Base):
     tags: Dict[str, str] = {}
     max_pods: Optional[int] = None
     network_profile: Optional[Dict[str, str]] = None
+    azure_policy_enabled: bool = None
     workload_identity_enabled: bool = False
     azure_rbac: Optional[AzureRBAC] = None
 
@@ -833,6 +834,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
                 max_pods=self.config.azure.max_pods,
                 workload_identity_enabled=self.config.azure.workload_identity_enabled,
                 azure_rbac=self.config.azure.azure_rbac,
+                azure_policy_enabled=self.config.azure.azure_policy_enabled,
             ).model_dump()
         elif self.config.provider == schema.ProviderEnum.aws:
             return AWSInputVars(

diff --git a/src/_nebari/stages/infrastructure/template/azure/main.tf b/src/_nebari/stages/infrastructure/template/azure/main.tf
@@ -44,4 +44,5 @@ module "kubernetes" {
   private_cluster_enabled   = var.private_cluster_enabled
   workload_identity_enabled = var.workload_identity_enabled
   azure_rbac                = var.azure_rbac
+  azure_policy_enabled      = var.azure_policy_enabled
 }
diff --git a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf
@@ -19,6 +19,9 @@ resource "azurerm_kubernetes_cluster" "main" {
   # Azure requires that a new, non-existent Resource Group is used, as otherwise the provisioning of the Kubernetes Service will fail.
   node_resource_group     = var.node_resource_group_name
   private_cluster_enabled = var.private_cluster_enabled
+  # https://learn.microsoft.com/en-ie/azure/governance/policy/concepts/policy-for-kubernetes
+  azure_policy_enabled = var.azure_policy_enabled
+
 
   dynamic "network_profile" {
     for_each = var.network_profile != null ? [var.network_profile] : []

diff --git a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf
@@ -91,3 +91,9 @@ variable "azure_rbac" {
   }
   nullable = false
 }
+
+variable "azure_policy_enabled" {
+  description = "Enable Azure Policy"
+  type        = bool
+  default     = false
+}
diff --git a/src/_nebari/stages/infrastructure/template/azure/variables.tf b/src/_nebari/stages/infrastructure/template/azure/variables.tf
@@ -96,3 +96,8 @@ variable "azure_rbac" {
     admin_group_object_ids : []
   }
 }
+
+variable "azure_policy_enabled" {
+  description = "Enable Azure Policy"
+  type        = bool
+}