
Azure Policy definition

Deploy Azure Policy Add-on to Azure Kubernetes Service clusters

Name Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
Id a8eff44f-8c92-45c3-a3fb-9880802d67a7
Version 2.0.0
Category Kubernetes
Description Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Fixed: deployIfNotExists
Used RBAC role (the role the deployIfNotExists remediation identity is assigned)
Role name / Role ID
Azure Kubernetes Service Contributor Role ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8
History
Date/Time (UTC, ymd) / Change type / Change detail
2021-08-30 14:27:30 change Major (1.0.0 > 2.0.0)
2020-10-20 13:29:33 add a8eff44f-8c92-45c3-a3fb-9880802d67a7
Used in Initiatives none

JSON
{
  "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
  "metadata": {
    "version": "2.0.0",
    "category": "Kubernetes"
  },
  "parameters": {},
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.ContainerService/managedClusters"
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.ContainerService/managedClusters",
        "name": "[field('name')]",
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8"
        ],
        "existenceCondition": {
          "field": "Microsoft.ContainerService/managedClusters/addonProfiles.azurePolicy.enabled",
          "equals": "true"
        },
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "clusterName": {
                  "type": "string"
                },
                "clusterResourceGroupName": {
                  "type": "string"
                }
              },
              "variables": {
                "clusterGetDeploymentName": "[concat('PolicyDeployment-Get-', parameters('clusterName'))]",
                "clusterUpdateDeploymentName": "[concat('PolicyDeployment-Update-', parameters('clusterName'))]"
              },
              "resources": [
                {
                  "apiVersion": "2020-06-01",
                  "type": "Microsoft.Resources/deployments",
                  "name": "[variables('clusterGetDeploymentName')]",
                  "properties": {
                    "mode": "Incremental",
                    "template": {
                      "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                      "contentVersion": "1.0.0.0",
                      "resources": [],
                      "outputs": {
                        "aksCluster": {
                          "type": "object",
                          "value": "[reference(resourceId(parameters('clusterResourceGroupName'), 'Microsoft.ContainerService/managedClusters', parameters('clusterName')), '2020-04-01', 'Full')]"
                        }
                      }
                    }
                  }
                },
                {
                  "apiVersion": "2020-06-01",
                  "type": "Microsoft.Resources/deployments",
                  "name": "[variables('clusterUpdateDeploymentName')]",
                  "properties": {
                    "mode": "Incremental",
                    "expressionEvaluationOptions": {
                      "scope": "inner"
                    },
                    "template": {
                      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                      "contentVersion": "1.0.0.0",
                      "parameters": {
                        "aksClusterName": {
                          "type": "string"
                        },
                        "aksClusterContent": {
                          "type": "object"
                        }
                      },
                      "resources": [
                        {
                          "apiVersion": "2021-07-01",
                          "type": "Microsoft.ContainerService/managedClusters",
                          "name": "[parameters('aksClusterName')]",
                          "location": "[parameters('aksClusterContent').location]",
                          "sku": "[parameters('aksClusterContent').sku]",
                          "tags": "[if(contains(parameters('aksClusterContent'), 'tags'), parameters('aksClusterContent').tags, json('null'))]",
                          "properties": {
                            "kubernetesVersion": "[parameters('aksClusterContent').properties.kubernetesVersion]",
                            "dnsPrefix": "[parameters('aksClusterContent').properties.dnsPrefix]",
                            "agentPoolProfiles": "[if(contains(parameters('aksClusterContent').properties, 'agentPoolProfiles'), parameters('aksClusterContent').properties.agentPoolProfiles, json('null'))]",
                            "linuxProfile": "[if(contains(parameters('aksClusterContent').properties, 'linuxProfile'), parameters('aksClusterContent').properties.linuxProfile, json('null'))]",
                            "windowsProfile": "[if(contains(parameters('aksClusterContent').properties, 'windowsProfile'), parameters('aksClusterContent').properties.windowsProfile, json('null'))]",
                            "servicePrincipalProfile": "[if(contains(parameters('aksClusterContent').properties, 'servicePrincipalProfile'), parameters('aksClusterContent').properties.servicePrincipalProfile, json('null'))]",
                            "addonProfiles": {
                              "azurepolicy": {
                                "enabled": true
                              }
                            },
                            "nodeResourceGroup": "[parameters('aksClusterContent').properties.nodeResourceGroup]",
                            "enableRBAC": "[if(contains(parameters('aksClusterContent').properties, 'enableRBAC'), parameters('aksClusterContent').properties.enableRBAC, json('null'))]",
                            "enablePodSecurityPolicy": "[if(contains(parameters('aksClusterContent').properties, 'enablePodSecurityPolicy'), parameters('aksClusterContent').properties.enablePodSecurityPolicy, json('null'))]",
                            "networkProfile": "[if(contains(parameters('aksClusterContent').properties, 'networkProfile'), parameters('aksClusterContent').properties.networkProfile, json('null'))]",
                            "aadProfile": "[if(contains(parameters('aksClusterContent').properties, 'aadProfile'), parameters('aksClusterContent').properties.aadProfile, json('null'))]",
                            "autoScalerProfile": "[if(contains(parameters('aksClusterContent').properties, 'autoScalerProfile'), parameters('aksClusterContent').properties.autoScalerProfile, json('null'))]",
                            "apiServerAccessProfile": "[if(contains(parameters('aksClusterContent').properties, 'apiServerAccessProfile'), parameters('aksClusterContent').properties.apiServerAccessProfile, json('null'))]",
                            "diskEncryptionSetID": "[if(contains(parameters('aksClusterContent').properties, 'diskEncryptionSetID'), parameters('aksClusterContent').properties.diskEncryptionSetID, json('null'))]",
                            "identityProfile": "[if(contains(parameters('aksClusterContent').properties, 'identityProfile'), parameters('aksClusterContent').properties.identityProfile, json('null'))]"
                          }
                        }
                      ],
                      "outputs": {}
                    },
                    "parameters": {
                      "aksClusterName": {
                        "value": "[parameters('clusterName')]"
                      },
                      "aksClusterContent": {
                        "value": "[reference(variables('clusterGetDeploymentName')).outputs.aksCluster.value]"
                      }
                    }
                  }
                }
              ]
            },
            "parameters": {
              "clusterName": {
                "value": "[field('name')]"
              },
              "clusterResourceGroupName": {
                "value": "[resourceGroup().name]"
              }
            }
          }
        }
      }
    }
  }
}