r/kubernetes_cluster: support for v2 of the azure policy addon

Fixes #6994
hashicorp · Jun 5, 2020 · bb8d8e3 · bb8d8e3
1 parent eaae76b
commit bb8d8e3
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 7 deletions.
diff --git a/azurerm/internal/services/containers/kubernetes_addons.go b/azurerm/internal/services/containers/kubernetes_addons.go
@@ -75,6 +75,18 @@ func schemaKubernetesAddOnProfiles() *schema.Schema {
 								Type:     schema.TypeBool,
 								Required: true,
 							},
+
+							"version": {
+								Type:     schema.TypeString,
+								Required: true,
+								ValidateFunc: validation.StringInSlice([]string{
+									// NOTE: v1 will be removed "after Spring 2020" - https://github.com/terraform-providers/terraform-provider-azurerm/issues/6994
+									// The current cluster uses policy add-on V1. Please migrate to V2 by disabling the add-on, and re-enabling it.
+									// Azure Policy will not support V1 after spring 2020. V2 is a breaking change, so please read carefully on the instruction and impact at: https://aka.ms/akspolicydoc
+									"v1",
+									"v2",
+								}, false),
+							},
 						},
 					},
 				},
@@ -232,10 +244,13 @@ func expandKubernetesAddOnProfiles(input []interface{}, env azure.Environment) (
 	if len(azurePolicy) > 0 && azurePolicy[0] != nil {
 		value := azurePolicy[0].(map[string]interface{})
 		enabled := value["enabled"].(bool)
+		version := value["version"].(string)
 
 		addonProfiles[azurePolicyKey] = &containerservice.ManagedClusterAddonProfile{
 			Enabled: utils.Bool(enabled),
-			Config:  nil,
+			Config: map[string]*string{
+				"version": utils.String(version),
+			},
 		}
 	}
 
@@ -309,8 +324,15 @@ func flattenKubernetesAddOnProfiles(profile map[string]*containerservice.Managed
 			enabled = *enabledVal
 		}
 
+		// not returned for v1
+		version := "v1"
+		if versionVal, ok := azurePolicy.Config["version"]; ok && *versionVal != "" {
+			version = *versionVal
+		}
+
 		azurePolicies = append(azurePolicies, map[string]interface{}{
 			"enabled": enabled,
+			"version": version,
 		})
 	}
 

diff --git a/azurerm/internal/services/containers/kubernetes_cluster_data_source.go b/azurerm/internal/services/containers/kubernetes_cluster_data_source.go
@@ -114,6 +114,10 @@ func dataSourceArmKubernetesCluster() *schema.Resource {
 										Type:     schema.TypeBool,
 										Computed: true,
 									},
+									"version": {
+										Type:     schema.TypeString,
+										Computed: true,
+									},
 								},
 							},
 						},
@@ -808,8 +812,14 @@ func flattenKubernetesClusterDataSourceAddonProfiles(profile map[string]*contain
 			enabled = *enabledVal
 		}
 
+		version := "v1"
+		if versionVal, ok := azurePolicy.Config["version"]; ok && *versionVal != "" {
+			version = *versionVal
+		}
+
 		output := map[string]interface{}{
 			"enabled": enabled,
+			"version": version,
 		}
 		azurePolicies = append(azurePolicies, output)
 	}

diff --git a/azurerm/internal/services/containers/tests/kubernetes_cluster_addons_resource_test.go b/azurerm/internal/services/containers/tests/kubernetes_cluster_addons_resource_test.go
@@ -12,6 +12,8 @@ var kubernetesAddOnTests = map[string]func(t *testing.T){
 	"addonProfileAciConnectorLinux":         testAccAzureRMKubernetesCluster_addonProfileAciConnectorLinux,
 	"addonProfileAciConnectorLinuxDisabled": testAccAzureRMKubernetesCluster_addonProfileAciConnectorLinuxDisabled,
 	"addonProfileAzurePolicy":               testAccAzureRMKubernetesCluster_addonProfileAzurePolicy,
+	"addonProfileAzurePolicyV1ToV2":         testAccAzureRMKubernetesCluster_addonProfileAzurePolicyV1ToV2,
+	"addonProfileAzurePolicyV2":             testAccAzureRMKubernetesCluster_addonProfileAzurePolicyV2,
 	"addonProfileKubeDashboard":             testAccAzureRMKubernetesCluster_addonProfileKubeDashboard,
 	"addonProfileOMS":                       testAccAzureRMKubernetesCluster_addonProfileOMS,
 	"addonProfileOMSToggle":                 testAccAzureRMKubernetesCluster_addonProfileOMSToggle,
@@ -89,11 +91,22 @@ func testAccAzureRMKubernetesCluster_addonProfileAzurePolicy(t *testing.T) {
 		CheckDestroy: testCheckAzureRMKubernetesClusterDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAzureRMKubernetesCluster_addonProfileAzurePolicyConfig(data),
+				Config: testAccAzureRMKubernetesCluster_addonProfileAzurePolicyConfig(data, "v1"),
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMKubernetesClusterExists(data.ResourceName),
 					resource.TestCheckResourceAttr(data.ResourceName, "addon_profile.0.azure_policy.#", "1"),
 					resource.TestCheckResourceAttr(data.ResourceName, "addon_profile.0.azure_policy.0.enabled", "true"),
+					resource.TestCheckResourceAttr(data.ResourceName, "addon_profile.0.azure_policy.0.version", "v1"),
+				),
+			},
+			data.ImportStep(),
+			{
+				Config: testAccAzureRMKubernetesCluster_addonProfileAzurePolicyConfig(data, "v2"),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKubernetesClusterExists(data.ResourceName),
+					resource.TestCheckResourceAttr(data.ResourceName, "addon_profile.0.azure_policy.#", "1"),
+					resource.TestCheckResourceAttr(data.ResourceName, "addon_profile.0.azure_policy.0.enabled", "true"),
+					resource.TestCheckResourceAttr(data.ResourceName, "addon_profile.0.azure_policy.0.version", "v2"),
 				),
 			},
 			data.ImportStep(),
@@ -382,7 +395,7 @@ resource "azurerm_kubernetes_cluster" "test" {
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger)
 }
 
-func testAccAzureRMKubernetesCluster_addonProfileAzurePolicyConfig(data acceptance.TestData) string {
+func testAccAzureRMKubernetesCluster_addonProfileAzurePolicyConfig(data acceptance.TestData, version string) string {
 	return fmt.Sprintf(`
 provider "azurerm" {
   features {}
@@ -416,14 +429,15 @@ resource "azurerm_kubernetes_cluster" "test" {
   addon_profile {
     azure_policy {
       enabled = true
+      version = "%s"
     }
   }
 
   identity {
     type = "SystemAssigned"
   }
 }
-`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger)
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger, version)
 }
 
 func testAccAzureRMKubernetesCluster_addonProfileKubeDashboardConfig(data acceptance.TestData) string {

diff --git a/azurerm/internal/services/containers/tests/kubernetes_cluster_data_source_test.go b/azurerm/internal/services/containers/tests/kubernetes_cluster_data_source_test.go
@@ -9,7 +9,7 @@ import (
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/acceptance"
 )
 
-var kubernetesDataSourceTests = map[string]func(t *testing.T) {
+var kubernetesDataSourceTests = map[string]func(t *testing.T){
 	"basic":                                       testAccDataSourceAzureRMKubernetesCluster_basic,
 	"roleBasedAccessControl":                      testAccDataSourceAzureRMKubernetesCluster_roleBasedAccessControl,
 	"roleBasedAccessControlAAD":                   testAccDataSourceAzureRMKubernetesCluster_roleBasedAccessControlAAD,
@@ -500,6 +500,7 @@ func testAccDataSourceAzureRMKubernetesCluster_addOnProfileAzurePolicy(t *testin
 					testCheckAzureRMKubernetesClusterExists(data.ResourceName),
 					resource.TestCheckResourceAttr(data.ResourceName, "addon_profile.0.azure_policy.#", "1"),
 					resource.TestCheckResourceAttr(data.ResourceName, "addon_profile.0.azure_policy.0.enabled", "true"),
+					resource.TestCheckResourceAttr(data.ResourceName, "addon_profile.0.azure_policy.0.version", "v2"),
 				),
 			},
 		},
@@ -833,7 +834,7 @@ data "azurerm_kubernetes_cluster" "test" {
 }
 
 func testAccDataSourceAzureRMKubernetesCluster_addOnProfileAzurePolicyConfig(data acceptance.TestData) string {
-	r := testAccAzureRMKubernetesCluster_addonProfileAzurePolicyConfig(data)
+	r := testAccAzureRMKubernetesCluster_addonProfileAzurePolicyConfig(data, "v2")
 	return fmt.Sprintf(`
 %s
 

diff --git a/website/docs/d/kubernetes_cluster.html.markdown b/website/docs/d/kubernetes_cluster.html.markdown
@@ -246,6 +246,8 @@ A `azure_policy` block supports the following:
 
 * `enabled` - Is Azure Policy for Kubernetes enabled?
 
+* `version`- The version of Azure Policy being used.
+
 ---
 
 A `role_based_access_control` block exports the following:

diff --git a/website/docs/r/kubernetes_cluster.html.markdown b/website/docs/r/kubernetes_cluster.html.markdown
@@ -155,7 +155,7 @@ A `addon_profile` block supports the following:
 
 -> **NOTE:** At this time Azure Policy is not supported in Azure US Government.
 
--> **NOTE**: Azure Policy for Azure Kubernetes Service is currently in preview and not available to subscriptions that have not [opted-in](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/rego-for-aks?toc=/azure/aks/toc.json) to join `Azure Policy` preview.
+~> **Note:** Azure Policy is in Public Preview - more information and details on how to opt into the Preview [can be found in this article](https://docs.microsoft.com/en-gb/azure/governance/policy/concepts/policy-for-kubernetes).
 
 * `http_application_routing` - (Optional) A `http_application_routing` block as defined below.
 
@@ -216,6 +216,10 @@ A `azure_policy` block supports the following:
 
 * `enabled` - (Required) Is the Azure Policy for Kubernetes Add On enabled?
 
+* `version` - (Required) The Version of Azure Policy which should be installed on this Kubernetes Cluster. Possible values are `v1` and `v2`.
+
+!> **Note:** Support for `v1` is in Private Preview will be removed by AKS "after Spring 2020".
+
 ---
 
 A `default_node_pool` block supports the following:
-Original file line number
+Diff line change
@@ Expand Up / @@ -246,6 +246,8 @@ A `azure_policy` block supports the following: @@
     * `enabled` - Is Azure Policy for Kubernetes enabled?
+    * `version`- The version of Azure Policy being used.
     ---
     A `role_based_access_control` block exports the following:
@@ Expand Down @@