Open lodrantl opened 3 months ago
We encountered the same problem, and it caused us a lot of headaches at first. I don't know if this workaround works with Terraform, but at least in Bicep, if you explicitly define an empty array for virtualNetworkPeerings, the policy stops complaining.

```bicep
// `location` was not declared in the snippet as posted; a parameter is added here so the file deploys on its own.
param location string = resourceGroup().location

resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: 'test-vnet'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    // Explicitly empty array: the workaround described above.
    virtualNetworkPeerings: []
  }
}
```
@lodrantl and @anttonalkio just to let you know, a bug has been detected in policy enforcement that is impacting this specific policy. Engineering is working on addressing the issue and we'll keep you posted.
@lodrantl and @anttonalkio, is this still an issue? A fix was published that addressed this particular policy behavior.
Describe the bug
When the Deny-VNET-Peering-To-Non-Approved-VNETs policy with action Deny is applied on a subscription, you cannot create a new VNet without any peerings in that subscription.
Steps to reproduce
Terraform code for vNET:
Deployment error
If policy is set to Audit, the isolated vNet is marked as compliant.
https://github.com/lodrantl/Enterprise-Scale/commit/4d6d6e9632720c57fb04230e8809b586e166267a could possibly fix the issue, but I am not certain if it changes the way the policy was meant to work.
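The two observations in this thread (a VNet with no peerings at all is denied, while one declaring an explicitly empty virtualNetworkPeerings array passes) come down to whether an absent property and an empty array are evaluated the same way. The following added example, which is not code from this issue or from the Enterprise-Scale repository, is a local pre-deployment check that reads an ARM template and applies the policy's intent as its name states it: deny only when a peering targets a remote VNet outside an approved list, and treat "no peerings property" and "empty peerings array" identically. The approved ID, the rogue ID, the template and the function names are constructed for the example; the real policy rule and the engine's evaluation of the `[*]` alias on a missing property are not reproduced here.

```python
"""Local pre-deployment check mirroring the intent of the
Deny-VNET-Peering-To-Non-Approved-VNETs policy: flag a VNet only when one of
its peerings points at a remote VNet that is not on an approved list.
Added example for this thread; not the Enterprise-Scale policy definition."""
import json

# Constructed placeholder ID; replace with the real approved hub VNet ID(s).
APPROVED_VNET_IDS = {
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hub-rg"
    "/providers/Microsoft.Network/virtualNetworks/hub-vnet",
}


def peering_shape(vnet: dict) -> tuple:
    """Classify virtualNetworkPeerings as 'absent', 'empty' or 'populated' and
    return the normalized list. Absent and empty are treated identically from
    here on; the thread reports that the policy engine did not do so."""
    props = vnet.get("properties", {})
    if "virtualNetworkPeerings" not in props:
        return "absent", []
    peerings = props["virtualNetworkPeerings"] or []
    return ("populated" if peerings else "empty"), list(peerings)


def remote_vnet_id(peering: dict) -> str:
    """Resource ID of the remote VNet referenced by a peering sub-resource."""
    return (
        peering.get("properties", {})
        .get("remoteVirtualNetwork", {})
        .get("id", "")
    )


def evaluate(vnet: dict, approved: set) -> dict:
    """Return the peering shape, the offending remote IDs and an allow/deny
    decision. A VNet with no peerings is always allowed."""
    shape, peerings = peering_shape(vnet)
    offending = sorted(
        rid for rid in (remote_vnet_id(p) for p in peerings) if rid not in approved
    )
    return {
        "name": vnet.get("name", ""),
        "peerings": shape,
        "offending": offending,
        "decision": "deny" if offending else "allow",
    }


def evaluate_template(template_json: str, approved: set = APPROVED_VNET_IDS) -> list:
    """Evaluate every Microsoft.Network/virtualNetworks resource in an ARM template."""
    template = json.loads(template_json)
    return [
        evaluate(r, approved)
        for r in template.get("resources", [])
        if r.get("type", "").lower() == "microsoft.network/virtualnetworks"
    ]


def _peering(name: str, remote_id: str) -> dict:
    """Build a minimal peering sub-resource body (constructed helper)."""
    return {"name": name, "properties": {"remoteVirtualNetwork": {"id": remote_id}}}


HUB_ID = next(iter(APPROVED_VNET_IDS))
ROGUE_ID = (
    "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/x-rg"
    "/providers/Microsoft.Network/virtualNetworks/rogue-vnet"
)

# Constructed ARM template with four VNets covering the cases in the thread:
# peerings property absent, explicitly empty, approved only, and one rogue.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.Network/virtualNetworks", "name": "isolated-absent",
         "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]}}},
        {"type": "Microsoft.Network/virtualNetworks", "name": "isolated-empty",
         "properties": {"addressSpace": {"addressPrefixes": ["10.1.0.0/16"]},
                        "virtualNetworkPeerings": []}},
        {"type": "Microsoft.Network/virtualNetworks", "name": "peered-approved",
         "properties": {"virtualNetworkPeerings": [_peering("to-hub", HUB_ID)]}},
        {"type": "Microsoft.Network/virtualNetworks", "name": "peered-rogue",
         "properties": {"virtualNetworkPeerings": [_peering("to-hub", HUB_ID),
                                                    _peering("to-rogue", ROGUE_ID)]}},
    ]
})

if __name__ == "__main__":
    for result in evaluate_template(SAMPLE_TEMPLATE):
        print(f"{result['name']:16} peerings={result['peerings']:9} -> "
              f"{result['decision']} {result['offending']}")
```

Run against a template exported from your pipeline before assignment in Deny mode; the `peerings` column makes it visible which VNets rely on the absent-vs-empty distinction and would benefit from the explicit `virtualNetworkPeerings: []` workaround until the policy fix is confirmed in your tenant.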