
Feature Request - Deploy-Private-DNS-Zones is missing policy for App Service Slots

Open MikaelJcSoderberg opened this issue 1 year ago • 4 comments

Describe the solution you'd like

I can't find a policy for you to include as part of Deploy-Private-DNS-Zones that would add the feature, so either the product team will need to add it or Enterprise Scale would have a Custom Policy that does the same. Is there a similar issue with Function App slots?

MikaelJcSoderberg avatar Oct 04 '24 06:10 MikaelJcSoderberg

@MikaelJcSoderberg we have included a generic Private DNS Zone policy that allows you to configure Private DNS Zones for those services that don't yet have a built-in policy for the same. Have you looked at implementing this?

https://github.com/Azure/Enterprise-Scale/blob/main/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json

Springstone avatar Oct 10 '24 08:10 Springstone

The generic would work if the group ID is static, but for app service slots they are dynamic values starting with "sites-*".

When I wrote my custom policy that works for me, I had to use like instead of equals.


MikaelJcSoderberg avatar Oct 10 '24 09:10 MikaelJcSoderberg


This modification to the Generic policy worked for us as well, based on a Microsoft "unofficial" suggestion (btw, they may have just got it from this issue). However, I kept what was there already in the as-published Generic policy (Deploy-Private-DNS-Generic.json) and injected the above rule as well, as follows:

  "if": {
    "allOf": [
      {
        "field": "location",
        "equals": "[parameters('location')]"
      },
      {
        "field": "type",
        "equals": "Microsoft.Network/privateEndpoints"
      },
      {
        "count": {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
          "where": {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "contains": "[parameters('resourceType')]"
                  },
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds",
                    "like": "sites-*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "contains": "[parameters('resourceType')]"
                  },
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "[parameters('groupId')]"
                  }
                ]
              }
            ]
          }
        },
        "greaterOrEquals": 1
      }
    ]
  },

mlgnghaz-blip avatar Sep 22 '25 23:09 mlgnghaz-blip
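To check the as-published rule against the slot-aware one offline, here is an added Python evaluator (not code from this issue or from the Enterprise-Scale project) that emulates the contains, equals and like operators used in the "if" block above and runs them over constructed private endpoint bodies; the parameter values, resource IDs and the "sites-staging" group ID are assumptions.

```python
# Added example (not from the issue or the Enterprise-Scale repo): an offline evaluator for
# the policy "if" block above; parameter values and resource IDs are constructed and the
# Azure Policy engine is only emulated, not reproduced.
PARAMS = {"resourceType": "Microsoft.Web/sites", "groupId": "sites"}  # assumed assignment values


def azure_like(value: str, pattern: str) -> bool:
    """Emulate Azure Policy 'like': case-insensitive, at most one '*' wildcard."""
    v, p = value.lower(), pattern.lower()
    if p.count("*") > 1:
        raise ValueError("Azure Policy 'like' permits a single '*' wildcard")
    if "*" not in p:
        return v == p
    head, _, tail = p.partition("*")
    return len(v) >= len(head) + len(tail) and v.startswith(head) and v.endswith(tail)


def connection_matches(conn: dict, slot_aware: bool) -> bool:
    """One privateLinkServiceConnections[*] entry against the 'where' clause.
    slot_aware=False: as-published rule (groupIds[*] equals groupId only);
    slot_aware=True: adds the anyOf branch with groupIds like 'sites-*'."""
    if PARAMS["resourceType"].lower() not in conn["privateLinkServiceId"].lower():
        return False  # the 'contains' test on privateLinkServiceId (case-insensitive)
    group_ids = conn.get("groupIds", [])
    equals_branch = any(g.lower() == PARAMS["groupId"].lower() for g in group_ids)
    like_branch = slot_aware and any(azure_like(g, "sites-*") for g in group_ids)
    return equals_branch or like_branch


def policy_applies(private_endpoint: dict, slot_aware: bool) -> bool:
    """'count ... greaterOrEquals 1' over the connections, as in the policy 'if' block."""
    conns = private_endpoint["properties"]["privateLinkServiceConnections"]
    return sum(connection_matches(c, slot_aware) for c in conns) >= 1


def make_endpoint(target_id: str, group_id: str) -> dict:
    """Constructed Microsoft.Network/privateEndpoints body with one connection."""
    return {"type": "Microsoft.Network/privateEndpoints",
            "properties": {"privateLinkServiceConnections": [
                {"privateLinkServiceId": target_id, "groupIds": [group_id]}]}}


# Constructed sample resources: a production web app and one of its deployment slots.
SITE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
           "/providers/Microsoft.Web/sites/contoso-web")
PE_PROD = make_endpoint(SITE_ID, "sites")
PE_SLOT = make_endpoint(SITE_ID + "/slots/staging", "sites-staging")  # 'sites-<slot>' assumed
```

With the published rule only PE_PROD is matched, so the slot endpoint silently gets no DNS zone group; with the added like branch both endpoints match.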

Hoping this suggestion by Mike and me above could be incorporated into the next version of Deploy-Private-DNS-Generic.json

mlgnghaz-blip avatar Sep 22 '25 23:09 mlgnghaz-blip