# azure
b
it looks like this isn't exposed by the ARM service, so you'll have to fall back to the azure provider to create your AKS cluster, unfortunately
g
This is exposed by the Azure native provider, but because of the way Azure expose add-ons in their ARM APIs, it isn't strongly typed like the classic Azure provider and also isn't well documented unfortunately. You'll need to configure the addonprofile and add an entry for Azure policy. I don't have a code example to hand, but here is an example configuring the KubeDashboard Addon. The concept will be the same for Azure policy.
c
Yeah it’s definitely one of the annoying things about Azure add-ons. I think the Azure Portal shows it too but it’s not in the ARM API spec for the cluster. The last time I was snooping around trying to find info on add-ons I found this issue and this comment was helpful: https://github.com/Azure/azure-cli/issues/10000#issuecomment-561900955 tl;dr; you might be able to use Azure CLI to find out which add-ons are available and what options they take:
```
~ via ⬢ v14.17.5 took 2s
❯ az aks enable-addons -h

Command
  az aks enable-addons : Enable Kubernetes addons.
    These addons are available:
      http_application_routing - configure ingress with automatic public DNS name creation.
      monitoring - turn on Log Analytics monitoring. Requires "--workspace-resource-id".
             If monitoring addon is enabled --no-wait argument will have no effect
      virtual-node - enable AKS Virtual Node. Requires --subnet-name to provide the name of an
    existing subnet for the Virtual Node to use.
      azure-policy - enable Azure policy. The Azure Policy add-on for AKS enables at-scale
    enforcements and safeguards on your clusters in a centralized, consistent manner.
             Learn more at aka.ms/aks/policy.
      ingress-appgw - enable Application Gateway Ingress Controller addon.
```
g
```csharp
AddonProfiles =
{
    { "KubeDashboard", new ManagedClusterAddonProfileArgs
        {
            Enabled = false,
        }
    },
    { "azurepolicy", new ManagedClusterAddonProfileArgs
        {
            Enabled = true,
        }
    },
    { "omsagent", new ManagedClusterAddonProfileArgs
        {
            Enabled = true,
            Config = new InputMap<string>{ {"logAnalyticsWorkspaceResourceID", workspace.Id} }
        }
    },
},
```
This is what it looks like in C#. Docs for this are shockingly absent.
a
Thanks, that worked like a charm.
```typescript
addonProfiles: {
    "omsagent": {
        enabled: true,
        config: {
            logAnalyticsWorkspaceResourceID: WrkspID
        },
    },
    "azurepolicy": {
        enabled: true,
    }
},
```
b
thanks for the awesome input all, I learned something myself! I've opened this issue: https://github.com/pulumi/pulumi-azure-native/issues/1302 to see if we can improve this