
Bug Report: Deploy Private DNS Zones - Storage Table - Policy deployment missing

Open uol-amrae opened this issue 2 years ago • 2 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform: 1.6.3

azure provider: 3.80.0

module: 5.0.2

Description

Describe the bug

Using the connectivity option to create privatelink.table.core.windows.net Private DNS zones and the associated Azure Policy, the 'table' zone is not populated.

It seems that the config for 'table' is partly missing from at least: [modules/connectivity/locals.tf] (definitions not under Deploy-Private-DNS-Zones?)

It seems that the config for 'table' is missing completely from at least: [modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json] and [modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json]

It is, however, defined in the audit policy: [modules/archetypes/lib/policy_definitions/policy_definition_es_audit_privatelinkdnszones.json]

Hopefully I've got all that the right way round and explained it well enough.

Steps to Reproduce

Deploy CAF ES module, configuring Private DNS Zone implementation.

  • blob, web, file, queue, dfs, etc. - PDNS Zones created & Policy Definition is created & deployed
  • table - PDNS Zone created, but no Policy Definition/Association

    locals {
      configure_connectivity_resources = {
        settings = {
          ...
          dns = {
            enabled = true
            config = {
              enable_private_link_by_service = {
                ...
                storage_account_blob  = true
                storage_account_file  = true
                storage_account_queue = true
                storage_account_table = true
                ...

uol-amrae avatar Nov 15 '23 19:11 uol-amrae

The two available built-in policies for Azure Storage table integration with private DNS zones are missing from the initiative definition/assignment:

  • "table" groupId: 028bbd88-e9b5-461f-9424-a1b63a7bee1a
  • "table_secondary" groupId: c1d634a5-f73d-4cdd-889f-2cc7006eb47f

In the case of the "table" groupId, there is also a collision issue described here that causes Azure Cosmos DB for Table private endpoints to get wrongly associated with the privatelink.table.core.windows.net zone instead of the privatelink.table.cosmos.azure.com zone.

Ideally adding these policies for table storage to the initiative should occur after the built-in policy for "table" groupId gets fixed to avoid registering Cosmos in the Storage zone.

There are also other built-in policies not included in the ALZ initiative Azure/Enterprise-Scale#1485

juanandmsft avatar Nov 24 '23 13:11 juanandmsft
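The report above says the table zone is created but the initiative never references a DINE policy for it, and the follow-up comment names the two built-in policy GUIDs that would cover it. A quick way to catch that gap before an apply is to cross-check the services switched on in `enable_private_link_by_service` against the policy definitions actually referenced by the initiative file. The script below is an added example written for this issue, not code from the module or from either commenter. It assumes an initiative shaped like an Azure `policySetDefinitions` resource (`properties.policyDefinitions[].policyDefinitionId`); the two table GUIDs are the ones quoted in the comment, while the blob/file/queue GUIDs, the service-to-policy mapping and the sample initiative JSON are constructed placeholders you would replace with values from your own tenant and template.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Built-in policy ids for Azure Storage table private DNS integration, as cited
# in the comment above. Everything else in this file is constructed.
TABLE_POLICY_IDS = {
    "table": "028bbd88-e9b5-461f-9424-a1b63a7bee1a",
    "table_secondary": "c1d634a5-f73d-4cdd-889f-2cc7006eb47f",
}

# Placeholder ids for the other storage sub-services (constructed, NOT the real
# built-in policy GUIDs). Substitute the ids from your own initiative file.
PLACEHOLDER_POLICY_IDS = {
    "blob": "00000000-0000-0000-0000-000000000001",
    "file": "00000000-0000-0000-0000-000000000002",
    "queue": "00000000-0000-0000-0000-000000000003",
}

# Assumed mapping from the module's enable_private_link_by_service keys to the
# policy groups that must be referenced for that service to be covered by DNS DINE.
SERVICE_TO_POLICY_GROUPS: Dict[str, Dict[str, str]] = {
    "storage_account_blob": {"blob": PLACEHOLDER_POLICY_IDS["blob"]},
    "storage_account_file": {"file": PLACEHOLDER_POLICY_IDS["file"]},
    "storage_account_queue": {"queue": PLACEHOLDER_POLICY_IDS["queue"]},
    "storage_account_table": dict(TABLE_POLICY_IDS),
}

# Constructed initiative document: blob, file and queue are referenced, table is
# not, which is the situation described in the issue.
SAMPLE_POLICY_SET_JSON = """
{
  "name": "Deploy-Private-DNS-Zones",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "properties": {
    "policyDefinitions": [
      {"policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Blob",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000001"},
      {"policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-File",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000002"},
      {"policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Queue",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000003"}
    ]
  }
}
"""

# Mirrors the enable_private_link_by_service block from the issue (constructed).
SAMPLE_ENABLED_SERVICES = {
    "storage_account_blob": True,
    "storage_account_file": True,
    "storage_account_queue": True,
    "storage_account_table": True,
}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


def referenced_policy_ids(policy_set: dict) -> Set[str]:
    """Collect the lower-cased GUID of every policy definition the initiative references."""
    found: Set[str] = set()
    for entry in policy_set.get("properties", {}).get("policyDefinitions", []):
        match = GUID_RE.search(entry.get("policyDefinitionId", ""))
        if match:
            found.add(match.group(0).lower())
    return found


def missing_dns_policies(policy_set_json: str,
                         enabled_services: Dict[str, bool]) -> List[Tuple[str, str]]:
    """Return sorted (group, guid) pairs for enabled services whose policy is absent.

    Service keys without a known mapping are skipped rather than reported, so the
    check only flags gaps it can actually attribute to a policy id.
    """
    referenced = referenced_policy_ids(json.loads(policy_set_json))
    missing: List[Tuple[str, str]] = []
    for service, enabled in enabled_services.items():
        if not enabled:
            continue
        for group, guid in SERVICE_TO_POLICY_GROUPS.get(service, {}).items():
            if guid.lower() not in referenced:
                missing.append((group, guid))
    return sorted(missing)


if __name__ == "__main__":
    gaps = missing_dns_policies(SAMPLE_POLICY_SET_JSON, SAMPLE_ENABLED_SERVICES)
    for group, guid in gaps:
        print(f"enabled service has no DINE policy in initiative: {group} ({guid})")
    print("no gaps" if not gaps else f"{len(gaps)} gap(s) found")
```

Run it against the real `policy_set_definition_es_deploy_private_dns_zones.tmpl.json` by reading that file into `missing_dns_policies` in place of the sample string; on the version reported here it should list exactly the two table GUIDs. Bear in mind the second comment's caveat: until the "table" built-in policy's collision with Cosmos DB for Table is fixed, a green result from this check is not by itself a reason to add the policy to the initiative.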

Moving upstream to track - possible duplicate though

matt-FFFFFF avatar Dec 12 '23 16:12 matt-FFFFFF