Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Bug Report: Deploy Private DNS Zones - Storage Table - Policy deployment missing #1502

Closed uol-amrae closed 3 weeks ago

uol-amrae commented 11 months ago


Versions

- terraform: 1.6.3
- azure provider: 3.80.0
- module: 5.0.2

Description

Using the connectivity option to create privatelink.table.core.windows.net Private DNS zones and the associated Azure Policy, the 'table' zone is not populated.

It seems that the config for 'table' is partly missing from at least modules/connectivity/locals.tf (definitions not under Deploy-Private-DNS-Zones?).

It seems that the config for 'table' is completely missing from at least modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json and modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json.

It is, however, defined in the audit policy: modules/archetypes/lib/policy_definitions/policy_definition_es_audit_privatelinkdnszones.json.

Hopefully I've got all that the right way round and explained it well enough.

Steps to Reproduce

Deploy CAF ES module, configuring Private DNS Zone implementation.

```hcl
locals {
  configure_connectivity_resources = {
    settings = {
      ...
      dns = {
        enabled = true
        config = {
          enable_private_link_by_service = {
            ...
            storage_account_blob  = true
            storage_account_file  = true
            storage_account_queue = true
            storage_account_table = true
            ...
```

juanandmsft commented 11 months ago

The two available built-in policies for Azure Storage tables integration with private DNS zones are missing from the initiative definition/assignment:

- "table" groupId: 028bbd88-e9b5-461f-9424-a1b63a7bee1a
- "table_secondary" groupId: c1d634a5-f73d-4cdd-889f-2cc7006eb47f

In the case of the "table" groupId, there is also a collision issue described here that causes Azure Cosmos DB for Table private endpoints to get wrongly associated with the privatelink.table.core.windows.net zone instead of the privatelink.table.cosmos.azure.com zone.

Ideally adding these policies for table storage to the initiative should occur after the built-in policy for "table" groupId gets fixed to avoid registering Cosmos in the Storage zone.

There are also other built-in policies not included in the ALZ initiative Azure/Enterprise-Scale#1485
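The following is an added example, not code from the Enterprise-Scale module or from anyone in this thread. It shows two checks a practitioner would want here: first, comparing the zones switched on under `enable_private_link_by_service` against the zones a rendered Deploy-Private-DNS-Zones assignment actually references, which surfaces the missing table zone from the report; second, why picking a zone from the private endpoint's groupId alone (an assumed, simplified model of the collision described above, not the built-in policy's actual condition) lands a Cosmos DB for Table endpoint in the Storage Table zone, alongside a corrected rule keyed on target resource type as well. The assignment JSON, the `SERVICE_TO_ZONE` mapping (the `cosmos_db_table` key is an assumed name), the subscription and resource group in the zone IDs, and the endpoint list are all constructed sample data.

```python
"""Added example: coverage check for an ALZ-style Deploy-Private-DNS-Zones
assignment, plus a model of the Storage Table / Cosmos DB for Table groupId
collision. All JSON and endpoint data below is constructed."""
import json
import re
from typing import Dict, List, Optional, Set

# Assumed mapping from enable_private_link_by_service keys to zone names.
# The storage_account_* keys appear in the issue; cosmos_db_table is assumed.
SERVICE_TO_ZONE: Dict[str, str] = {
    "storage_account_blob": "privatelink.blob.core.windows.net",
    "storage_account_file": "privatelink.file.core.windows.net",
    "storage_account_queue": "privatelink.queue.core.windows.net",
    "storage_account_table": "privatelink.table.core.windows.net",
    "cosmos_db_table": "privatelink.table.cosmos.azure.com",
}

# Constructed zone resource ID prefix (placeholder subscription / RG).
_ZONE_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                "rg-dns/providers/Microsoft.Network/privateDnsZones/")

# Constructed, cut-down stand-in for a rendered policy assignment: only the
# parameter values matter for this check. The table zone is deliberately
# absent so the check reproduces the report.
ASSIGNMENT_JSON = json.dumps({
    "name": "Deploy-Private-DNS-Zones",
    "properties": {
        "parameters": {
            "azureStorageBlobPrivateDnsZoneId": {"value": _ZONE_PREFIX + "privatelink.blob.core.windows.net"},
            "azureStorageFilePrivateDnsZoneId": {"value": _ZONE_PREFIX + "privatelink.file.core.windows.net"},
            "azureStorageQueuePrivateDnsZoneId": {"value": _ZONE_PREFIX + "privatelink.queue.core.windows.net"},
            "effect": {"value": "DeployIfNotExists"},
        }
    },
})

ZONE_ID_RE = re.compile(r"/privateDnsZones/(privatelink\.[a-z0-9.-]+)$", re.IGNORECASE)


def zones_deployed_by(assignment_json: str) -> Set[str]:
    """Zone names referenced by the assignment's parameter values."""
    params = json.loads(assignment_json)["properties"]["parameters"]
    found: Set[str] = set()
    for entry in params.values():
        match = ZONE_ID_RE.search(str(entry.get("value", "")))
        if match:
            found.add(match.group(1).lower())
    return found


def missing_zones(enabled: Dict[str, bool], assignment_json: str) -> Set[str]:
    """Zones enabled in enable_private_link_by_service but never deployed."""
    wanted = {SERVICE_TO_ZONE[key] for key, on in enabled.items() if on}
    return wanted - zones_deployed_by(assignment_json)


# Assumed model of the collision: choosing the zone from groupId alone.
def zone_by_group_id_only(group_id: str) -> Optional[str]:
    if group_id.lower() == "table":
        return "privatelink.table.core.windows.net"
    return None


# Corrected rule: key on the target resource type as well as the groupId.
EXPECTED_ZONE: Dict[tuple, str] = {
    ("microsoft.storage/storageaccounts", "table"): "privatelink.table.core.windows.net",
    ("microsoft.documentdb/databaseaccounts", "table"): "privatelink.table.cosmos.azure.com",
}


def zone_by_target_and_group_id(target_type: str, group_id: str) -> Optional[str]:
    return EXPECTED_ZONE.get((target_type.lower(), group_id.lower()))


# Constructed private endpoint connections: target type and groupId.
SAMPLE_ENDPOINTS: List[Dict[str, str]] = [
    {"name": "pe-sa-table", "targetType": "Microsoft.Storage/storageAccounts", "groupId": "table"},
    {"name": "pe-cosmos-table", "targetType": "Microsoft.DocumentDB/databaseAccounts", "groupId": "Table"},
]


def misregistered(endpoints: List[Dict[str, str]]) -> List[str]:
    """Endpoints the groupId-only rule would attach to the wrong zone."""
    wrong = []
    for ep in endpoints:
        naive = zone_by_group_id_only(ep["groupId"])
        correct = zone_by_target_and_group_id(ep["targetType"], ep["groupId"])
        if naive != correct:
            wrong.append(ep["name"])
    return wrong


if __name__ == "__main__":
    enabled = {k: True for k in ("storage_account_blob", "storage_account_file",
                                 "storage_account_queue", "storage_account_table")}
    print("zones enabled but not deployed:", sorted(missing_zones(enabled, ASSIGNMENT_JSON)))
    print("misregistered by groupId-only match:", misregistered(SAMPLE_ENDPOINTS))
```

Against the constructed data, `missing_zones` reports only `privatelink.table.core.windows.net`, and `misregistered` flags the Cosmos endpoint but not the Storage one: both rules agree for Storage Table, and only the type-aware rule sends Cosmos to `privatelink.table.cosmos.azure.com`. To run this against a real deployment, feed the rendered assignment JSON in place of `ASSIGNMENT_JSON` and the locals map from the module configuration in place of `enabled`.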

matt-FFFFFF commented 11 months ago

Moving upstream to track - possible duplicate though

Springstone commented 3 weeks ago

This has been resolved in a previous release. Closing as no further action required. Feel free to re-open if needed.