Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

New generic policy for PaaS resources private endpoint to override Private DNS zone. #1618

Closed Ravivarman13 closed 4 months ago

Ravivarman13 commented 5 months ago

Overview/Summary

Policy Refresh Q3 Fy24

This PR fixes/adds/changes/removes

  1. Added 2 new custom policy definitions.
  2. Policy 1: Deploy-Private DNS zone ID-PaaS-PE. This policy will DINE-configure a private DNS zone group to override the DNS resolution for PaaS services' private endpoints; added the services which support private DNS but don't have a built-in policy.
  3. Policy 2: Deploy-Private DNS zone-PaaS-PE-Generic. This policy will DINE-configure a private DNS zone group to override the DNS resolution for PaaS services' private endpoints; it is generic for the services which support private DNS but don't have a built-in policy, and also for new services which support private DNS in future.

Breaking Changes

  1. None


Springstone commented 5 months ago

@rozkurt can you please also review this PR.

Ravivarman13 commented 5 months ago

@Springstone Fixed the policy rule which was under parameters.

kamilzzz commented 3 months ago

I know this has been already merged but what do you think about potential improvement in terms of adding additional parameter to be able to specify evaluationDelay (https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists#:~:text=evaluationDelay)?

Similar feature-request requested for Azure built-in policies but without any response - https://github.com/Azure/azure-policy/issues/1050

eehret commented 2 months ago

I would love to use this, but am not even able to create the policy definition. This is what happens when I try to create it using Azure PowerShell:

The policy 'Deploy-Private-DNS-Generic' has defined parameters 'effect,privateDnsZoneId,resourceType,groupId,evaluationDelay' which are not used in the policy rule. Please either remove these parameters from the definition or ensure that they are used in the policy rule.

I assume I must be doing something wrong, and that the policy content in the .json file isn't intended to be imported as-is....

EDIT: Yes it was probably me. When I copy the content from here instead, it seems to import just fine: https://www.azadvertizer.com/azpolicyadvertizer/Deploy-Private-DNS-Generic.html. Sorry for the noise, and thanks for the work on this policy, looks very useful!