Azure / azure-policy

Repository for Azure Resource Policy built-in definitions and samples
MIT License

[Preview]: Configure Azure Key Vaults with private endpoints: Incorrectly reports resources as non-compliant #862

Open valtynikov opened 2 years ago

valtynikov commented 2 years ago

Details of the scenario you tried and the problem that is occurring

The policy successfully detected and created a private endpoint for a Key Vault but keeps reporting the Key Vault as non-compliant.

Reason for non-compliance: No related resources match the effect details in the policy definition. (Error code: Not Found)

Existence condition

Type: Microsoft.KeyVault/vaults/privateEndpointConnections

Verbose logs showing the problem

N/A

Suggested solution to the issue

N/A

If policy is Guest Configuration - details about target node

N/A

nehakulkarni123 commented 2 years ago

Hi @valtynikov, can you please provide the policyDefinition ID for this policy so I can investigate further?

valtynikov commented 2 years ago

@nehakulkarni123 the policy definition ID is /providers/Microsoft.Authorization/policyDefinitions/9d4fad1f-5189-4a42-b29e-cf7929c6b6df. Thanks!

nehakulkarni123 commented 2 years ago

Thank you. Since the private endpoint was created, it seems that the existenceCondition is correct. How long has the vault remained non-compliant after private endpoint deployment? Is it still non-compliant?

valtynikov commented 2 years ago

@nehakulkarni123 the policy keeps reporting the Key Vault non-compliant, even days after the private endpoint was created. Also, it's reporting other Key Vaults that already had private endpoints associated with them as non-compliant.

valtynikov commented 2 years ago

@nehakulkarni123 please let me know if you need any additional information. The policy's been enabled for a few weeks now and is still reporting that the Key Vault is non-compliant, even though it definitely has an associated private endpoint.

nehakulkarni123 commented 2 years ago

Adding @sebansal from the Key Vault team to address @valtynikov's question.

valtynikov commented 2 years ago

@sebansal hello, just wanted to check if there's anything else I can assist with to troubleshoot the issue.

nehakulkarni123 commented 2 years ago

Hi @valtynikov, another approach would be to reach out to the support team. They will be able to take a look at your specific environment and offer specific feedback.

valtynikov commented 2 years ago

@nehakulkarni123 sure, I can reach out to the support team. Would they support it even though it's still in preview?

dani3lheidemann commented 2 years ago

Hi all, facing the same issue as @valtynikov. It seems that for Key Vaults in the ARM template, the sub-resource "Microsoft.KeyVault/vaults/privateEndpointConnections" for the Private Endpoint Config is missing. For this reason, the Azure Policy DINE Existence Condition cannot check the Private Endpoint Configuration on the Key Vault resource.

Here is a comparison:

Export of the Key Vault ARM template with Private Endpoint:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vaults_kv_test_hd6_name": {
            "defaultValue": "kv-test-hd6",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2022-07-01",
            "name": "[parameters('vaults_kv_test_hd6_name')]",
            "location": "germanywestcentral",
            "properties": {
                "sku": {
                    "family": "A",
                    "name": "Standard"
                },
                "tenantId": "xxx",
                "accessPolicies": [
                    {
                        "tenantId": "xxx",
                        "objectId": "xxx",
                        "permissions": {
                            "keys": [
                                "Get",
                                "List",
                                "Update",
                                "Create",
                                "Import",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore",
                                "GetRotationPolicy",
                                "SetRotationPolicy",
                                "Rotate"
                            ],
                            "secrets": [
                                "Get",
                                "List",
                                "Set",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore"
                            ],
                            "certificates": [
                                "Get",
                                "List",
                                "Update",
                                "Create",
                                "Import",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore",
                                "ManageContacts",
                                "ManageIssuers",
                                "GetIssuers",
                                "ListIssuers",
                                "SetIssuers",
                                "DeleteIssuers"
                            ]
                        }
                    }
                ],
                "enabledForDeployment": false,
                "enabledForDiskEncryption": false,
                "enabledForTemplateDeployment": false,
                "enableSoftDelete": true,
                "softDeleteRetentionInDays": 7,
                "enableRbacAuthorization": false,
                "vaultUri": "[concat('https://', parameters('vaults_kv_test_hd6_name'), '.vault.azure.net/')]",
                "provisioningState": "Succeeded",
                "publicNetworkAccess": "Enabled"
            }
        }
    ]
}

Notice NO Private Endpoint Sub-Resource.

Export of Storage Account ARM Template with Private Endpoint:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "storageAccounts_xxx_name": {
            "defaultValue": "xxx",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-05-01",
            "name": "[parameters('storageAccounts_xxx_name')]",
            "location": "northcentralus",
            "sku": {
                "name": "Standard_LRS",
                "tier": "Standard"
            },
            "kind": "StorageV2",
            "properties": {
                "minimumTlsVersion": "TLS1_2",
                "allowBlobPublicAccess": false,
                "networkAcls": {
                    "bypass": "AzureServices",
                    "virtualNetworkRules": [],
                    "ipRules": [],
                    "defaultAction": "Allow"
                },
                "supportsHttpsTrafficOnly": true,
                "encryption": {
                    "services": {
                        "file": {
                            "keyType": "Account",
                            "enabled": true
                        },
                        "blob": {
                            "keyType": "Account",
                            "enabled": true
                        }
                    },
                    "keySource": "Microsoft.Storage"
                },
                "accessTier": "Cool"
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/privateEndpointConnections",
            "apiVersion": "2022-05-01",
            "name": "[concat(parameters('storageAccounts_xxx_name'), '/', parameters('storageAccounts_xxx_name'), '.5ec963bc-3520-43ff-ab25-bbf3ca0aed18')]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccounts_xxx_name'))]"
            ],
            "properties": {
                "provisioningState": "Succeeded",
                "privateEndpoint": {},
                "privateLinkServiceConnectionState": {
                    "status": "Approved",
                    "description": "Auto-Approved",
                    "actionRequired": "None"
                }
            }
        }
    ]
}

Notice Private Endpoint Sub-Resource for Storage Account.

For the Storage Account, there is a sub-resource in the ARM template that matches the Existence Condition. For Key Vault this sub-resource is missing, although a Private Endpoint is configured. This looks like a bug to me.

Can anyone from Microsoft check this?

Thanks! Daniel
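To make the comparison above concrete, here is an added example (not from this thread or the azure-policy repository) that applies the quoted existence condition, a type match on <parent type>/privateEndpointConnections, to trimmed, constructed copies of the two exports. The template contents, the function names and the optional Approved-state check are assumptions of this example, not part of the built-in policy.

```python
import json

# Constructed, trimmed versions of the two exports posted above
# (not the real templates; only the fields the check needs are kept).
KEYVAULT_EXPORT = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2022-07-01",
      "name": "kv-test-hd6",
      "properties": {"publicNetworkAccess": "Enabled"}
    }
  ]
}
""")

STORAGE_EXPORT = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2022-05-01", "name": "stxxx"},
    {
      "type": "Microsoft.Storage/storageAccounts/privateEndpointConnections",
      "apiVersion": "2022-05-01",
      "name": "stxxx/stxxx.5ec963bc-3520-43ff-ab25-bbf3ca0aed18",
      "properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}
    }
  ]
}
""")


def private_endpoint_connections(template, parent_type):
    """Return child resources whose type is <parent_type>/privateEndpointConnections.
    This mirrors the DINE existenceCondition quoted in the issue: a type match only."""
    wanted = f"{parent_type}/privateEndpointConnections".lower()
    return [r for r in template.get("resources", []) if r.get("type", "").lower() == wanted]


def existence_condition_met(template, parent_type, require_approved=False):
    """True if at least one matching sub-resource is present. require_approved is an
    extra check assumed here (Approved connection state); it is not in the quoted condition."""
    conns = private_endpoint_connections(template, parent_type)
    if require_approved:
        conns = [c for c in conns
                 if c.get("properties", {}).get("privateLinkServiceConnectionState", {}).get("status") == "Approved"]
    return len(conns) > 0


if __name__ == "__main__":
    print("Key Vault export satisfies condition:", existence_condition_met(KEYVAULT_EXPORT, "Microsoft.KeyVault/vaults"))
    print("Storage export satisfies condition:  ", existence_condition_met(STORAGE_EXPORT, "Microsoft.Storage/storageAccounts"))
```

Run against the Key Vault export the condition is never satisfied, which is exactly the "No related resources match" result reported in the issue, while the storage export passes.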

valtynikov commented 2 years ago

I'm pretty sure this is due to the Key Vault private endpoint policy using an older apiVersion when checking resource compliance. It should be a very simple fix; they resolved it quickly when I reported a similar issue for ACR, but the Key Vault team is just ignoring it for some reason. I guess not enough people have complained yet.

dani3lheidemann commented 2 years ago

@valtynikov yes, this is also my assumption. @nehakulkarni123 @sebansal do you have any update on this? Thank you!