Enterprise-Scale icon indicating copy to clipboard operation
Enterprise-Scale copied to clipboard
verified publisher icon Azure

Bug Report: Deploy Private DNS Zones - Built-in policies missing from initiative

Open juanandmsft opened this issue 2 years ago • 2 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform: 1.6.3

azure provider: 3.80.0

module: 5.0.2

Description

Describe the bug

The following built-in policies to manage private endpoints at scale are not included in the ALZ policy initiative definition at [modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json]:

Policy File Policy displayName Policy ID
PrivateLinkForAzureAD_PrivateLinkDns_DeployIfNotExists.json Configure Private Link for Azure AD to use private DNS zones 7e4301f9-5f32-4738-ad9f-7ec2d15563ad
BotService_PrivateDNSZone_DeployIfNotExists.json Configure BotService resources to use private DNS zones 6a4e6f44-f2af-4082-9702-033c9e88b9f8
AMG_PrivateDNSZone_DeployIfNotExists.json Configure Azure Managed Grafana workspaces to use private DNS zones 4c8537f8-cd1b-49ec-b704-18e82a42fd58
DVHostpool_PrivateDNSZone_DINE.json Configure Azure Virtual Desktop hostpool resources to use private DNS zones 9427df23-0f42-4e1e-bf99-a6133d841c4a
DVWorkspace_PrivateDNSZone_DINE.json Configure Azure Virtual Desktop workspace resources to use private DNS zones 34804460-d88b-4922-a7ca-537165e060ed
DeviceUpdate_DeployPrivateDnsZoneForPrivateEndpoint_Deploy.json Configure Azure Device Update for IoT Hub accounts to use private DNS zones a222b93a-e6c2-4c01-817f-21e092455b2a
Arc_PrivateEndpoint_DNS_Deploy.json Configure Azure Arc Private Link Scopes to use private DNS zones 55c4db33-97b0-437b-8469-c4f4498f5df9
IoTCentral_DeployPrivateDnsZoneForPrivateEndpoint_Deploy.json Deploy - Configure IoT Central to use private DNS zones d627d7c6-ded5-481a-8f2e-7e16b1e6faf6
AzBackupRSVault_PeDnsConfigDeploy.json [Preview]: Configure Recovery Services vaults to use private DNS zones for backup af783da1-4ad1-42be-800d-d19c70038820
StoragePrivateDnsZoneGroup_Table.json Configure a private DNS Zone ID for table groupID 028bbd88-e9b5-461f-9424-a1b63a7bee1a
StoragePrivateDnsZoneGroup_TableSecondary.json Configure a private DNS Zone ID for table_secondary groupID c1d634a5-f73d-4cdd-889f-2cc7006eb47f

Storage table referred also at Azure/Enterprise-Scale#1502

Steps to Reproduce

  1. Create a private endpoint for the resources types above without DNS integration.
  2. The assigned initiative does not deploy the corresponding dnsZoneGroup sub-resource.

Screenshots

Additional context

When working with private endpoints at scale, along with the ALZ initiative additional custom initiative or per-policy-assigments are needed to match additional private endpoint types.

juanandmsft avatar Nov 24 '23 13:11 juanandmsft

Hi!

Thanks for raising. This needs to go upstream to Enterprise Scale repo. I will move

matt-FFFFFF avatar Nov 24 '23 17:11 matt-FFFFFF

@rozkurt easy one for you to tackle.

Springstone avatar Dec 18 '23 14:12 Springstone

As per #1578 we've addressed all the missing Private DNS Zone entities EXCEPT AAD, as even though there is a policy there is no supporting documentation and testing has raised some concerns, so we will leave this out for now. We'll add to the backlog to review Entra ID private link, but closing this issue as it is largely addressed.

Springstone avatar Apr 29 '24 07:04 Springstone