For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-azure-aks-uses-azure-policies-addon-disabled.md. A documentation index is available at /llms.txt.

Azure Policy Add-on Disabled in AKS Cluster

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-azure-aks-uses-azure-policies-addon-disabled

Provider: Azure

Platform: Terraform

Severity: Low

Category: Best Practices

Learn More

Description

Enabling the Azure Policy Add-On for Azure Kubernetes Service (AKS) clusters helps enforce organizational standards and compliance at scale by applying policy controls directly to the cluster. If the addon_profile.azure_policy.enabled attribute is set to false, as shown below, the cluster will not have Azure Policy integration, leaving it vulnerable to resource misconfigurations and violating compliance policies.

addon_profile {
  azure_policy {
    enabled = false
  }
}

To mitigate this vulnerability, the policy add-on should be enabled by setting enabled = true, ensuring that security and compliance policies are consistently enforced within the AKS environment.

addon_profile {
  azure_policy {
    enabled = true
  }
}

Compliant Code Examples

resource "azurerm_kubernetes_cluster" "negative" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  addon_profile {

   azure_policy {

     enabled = true

   }
 }
}

resource "azurerm_kubernetes_cluster" "negative" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  azure_policy_enabled = true
}

Non-Compliant Code Examples

resource "azurerm_kubernetes_cluster" "positive1" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  addon_profile {

   azure_policy {

     enabled = false

   }
 }
}

resource "azurerm_kubernetes_cluster" "positive2" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  azure_policy_enabled = false
}

resource "azurerm_kubernetes_cluster" "positive3" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  addon_profile {}
}