Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Add policy for private dns zone privatelink.database.windows.net #1408

Open cveld opened 1 year ago

cveld commented 1 year ago

Describe the solution you'd like

Not all resource types seem to be included at this point in the policy set Deploy-Private-DNS-Zones. Source: https://github.com/Azure/Enterprise-Scale/blob/main/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json

E.g. privatelink.database.windows.net

It would be great if this zone were added to the policy set, if not all remaining others.

Side note: maybe the name of the policy set can be improved, e.g. to "Deploy DNS zone groups to private endpoints".

Custom policy definition example code

```json
{
  "name": "Config-Private-DNS-SQL",
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2022-06-01",
  "scope": null,
  "properties": {
    "displayName": "Configure Azure SQL DB to use private DNS zones",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure SQL Database account. Learn more at: https://aka.ms/privatednszone.",
    "metadata": {
      "version": "2.0.0",
      "category": "SQL DB"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private Dns Zone Id",
          "description": "The private DNS zone to deploy in a new private DNS zone group and link to the private endpoint",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "groupId": {
        "type": "String",
        "metadata": {
          "displayName": "Group ID",
          "description": "A group Id for the private endpoint"
        },
        "defaultValue": "sqlServer"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "contains": "Microsoft.Sql/servers"
                  },
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "[parameters('groupId')]"
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": { "type": "string" },
                  "privateEndpointName": { "type": "string" },
                  "location": { "type": "string" }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privatelink_database_windows_net",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": { "value": "[parameters('privateDnsZoneId')]" },
                "privateEndpointName": { "value": "[field('name')]" },
                "location": { "value": "[field('location')]" }
              }
            }
          }
        }
      }
    }
  }
}
```
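
The policy above selects private endpoints by walking `privateLinkServiceConnections[*]` with a `count`/`where` and then relies on the DeployIfNotExists existence check for the `privateDnsZoneGroups` child resource. The following is an added example, not code from the Azure/Enterprise-Scale repository or from the issue author: a small offline evaluator that runs that `if` block and the existence check against three constructed private-endpoint documents, and resolves the `[parameters(...)]`/`[field(...)]` values the remediation deployment would receive. The alias table, the sample resource IDs, the `PARAMS` values and the `privateDnsZoneGroups` child list are assumptions; Azure's real alias resolver is not reimplemented.

```python
"""Offline walk-through of the custom policy's 'if' block and DINE existence check.
Added example (not from Azure/Enterprise-Scale or the issue author); inputs are constructed."""
import re

# The policyRule from the issue, trimmed to the parts evaluated here.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/privateEndpoints"},
        {"count": {
            "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
            "where": {"allOf": [
                {"field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                 "contains": "Microsoft.Sql/servers"},
                {"field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                 "equals": "[parameters('groupId')]"},
            ]}},
         "greaterOrEquals": 1},
    ]},
    "then": {"effect": "[parameters('effect')]", "details": {
        "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
        "deployment": {"parameters": {
            "privateDnsZoneId": {"value": "[parameters('privateDnsZoneId')]"},
            "privateEndpointName": {"value": "[field('name')]"},
            "location": {"value": "[field('location')]"},
        }},
    }},
}

# Assignment parameter values (constructed; <sub-id> is a placeholder).
PARAMS = {
    "groupId": "sqlServer",
    "effect": "DeployIfNotExists",
    "privateDnsZoneId": "/subscriptions/<sub-id>/resourceGroups/rg-dns/providers/"
                        "Microsoft.Network/privateDnsZones/privatelink.database.windows.net",
}

def _endpoint(name, service_id, group_id, dns_groups):
    """Build a constructed private endpoint document in ARM shape."""
    return {
        "name": name, "type": "Microsoft.Network/privateEndpoints", "location": "westeurope",
        "properties": {"privateLinkServiceConnections": [
            {"properties": {"privateLinkServiceId": service_id, "groupIds": [group_id]}}]},
        # Child privateDnsZoneGroups resources, as the existence check would see them (assumed shape).
        "privateDnsZoneGroups": dns_groups,
    }

SAMPLE_ENDPOINTS = [
    _endpoint("pe-sql-prod", "/subscriptions/<sub-id>/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sql-prod",
              "sqlServer", []),
    _endpoint("pe-sql-dev", "/subscriptions/<sub-id>/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sql-dev",
              "sqlServer", [{"name": "deployedByPolicy"}]),
    _endpoint("pe-blob", "/subscriptions/<sub-id>/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stprod",
              "blob", []),
]

def _resolve(value, params, resource=None):
    """Resolve the [parameters('x')] and [field('x')] expressions this rule uses."""
    if m := re.fullmatch(r"\[parameters\('(\w+)'\)\]", value):
        return params[m.group(1)]
    if m := re.fullmatch(r"\[field\('(\w+)'\)\]", value):
        return resource[m.group(1)]
    return value

def _field(item, alias):
    """Hand-written alias table; assumption: covers only the aliases this policy uses."""
    if alias == "type":
        return [item["type"]]
    if alias.endswith("privateLinkServiceConnections[*].privateLinkServiceId"):
        return [item["properties"]["privateLinkServiceId"]]
    if alias.endswith("privateLinkServiceConnections[*].groupIds[*]"):
        return list(item["properties"]["groupIds"])
    raise KeyError(f"alias not modelled: {alias}")

def _condition(cond, item, params):
    if "allOf" in cond:
        return all(_condition(c, item, params) for c in cond["allOf"])
    if "count" in cond:
        # count/where: the 'where' block is evaluated once per connection element.
        conns = item["properties"]["privateLinkServiceConnections"]
        matched = sum(_condition(cond["count"]["where"], c, params) for c in conns)
        return matched >= cond["greaterOrEquals"]
    values = _field(item, cond["field"])
    if "equals" in cond:
        # [*] equals is treated as "any element matches"; the samples have one groupId each, so this is moot.
        return _resolve(cond["equals"], params) in values
    if "contains" in cond:
        return any(cond["contains"] in v for v in values)
    raise ValueError(f"operator not modelled: {cond}")

def evaluate(endpoint, rule=POLICY_RULE, params=PARAMS):
    """Return 'not-applicable', 'compliant' or 'deploy' for one private endpoint."""
    if not _condition(rule["if"], endpoint, params):
        return "not-applicable"
    # DINE existence check: any child resource of details.type counts (no existenceCondition is defined).
    return "compliant" if endpoint.get("privateDnsZoneGroups") else "deploy"

def deployment_parameters(endpoint, rule=POLICY_RULE, params=PARAMS):
    """Parameter values the remediation deployment would receive for this endpoint."""
    spec = rule["then"]["details"]["deployment"]["parameters"]
    return {k: _resolve(v["value"], params, endpoint) for k, v in spec.items()}

def plan(endpoints):
    """Map endpoint name -> verdict, plus the zone-group resource the template's concat() would create."""
    result = {}
    for ep in endpoints:
        entry = {"verdict": evaluate(ep)}
        if entry["verdict"] == "deploy":
            p = deployment_parameters(ep)
            entry["resource"] = f"{p['privateEndpointName']}/deployedByPolicy"
            entry["zone"] = p["privateDnsZoneId"]
        result[ep["name"]] = entry
    return result

if __name__ == "__main__":
    for name, entry in plan(SAMPLE_ENDPOINTS).items():
        print(name, entry)
```

Running it shows the three outcomes that matter when reviewing a DINE policy of this shape: the SQL endpoint without a zone group is selected for remediation, the SQL endpoint that already has one is reported compliant without any deployment, and the blob endpoint never reaches the existence check because the `count` over its connections is zero. Because the policy has no `existenceCondition`, a zone group pointing at the wrong zone would also count as compliant; that is a property of the posted definition, not of this evaluator.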
Springstone commented 1 year ago

@cveld Thanks for raising the issue. Our initiative is based on available built-in policies (there are none for that namespace :)), and we do this as much as possible to minimize our team's overhead maintaining initiatives (and in particular custom policies). It is valuable feedback, and we understand the high value this has, and will raise this in our next internal review and action accordingly (will provide an update here).

steph409 commented 10 months ago

Hi! Is there a way to raise this with the team that does the built-in policies? I guess SQL Database is the most used Azure PaaS service (after storage). :)

Wopienkaatwork commented 7 months ago

Is there any update on this issue?

Springstone commented 5 months ago

Waiting on this PR to be merged to enable custom assignment of Private DNS Zones: https://github.com/Azure/Enterprise-Scale/pull/1618