Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License
415 stars 221 forks

Deploy-Private-DNS-Endpoint instantly #325

Closed Acenl12 closed 1 year ago

Acenl12 commented 1 year ago

I would like to change the policy set assignment for ALZ of Deploy-Private-DNS with an EvaluationDelay of 0 seconds. See what I changed, marked in bold. @techlake
So I need some help integrating it into the policy assignment.

"details": {
    "evaluationDelay": "AfterProvisioning"
}

Please check if this is the right way:

                {
                    "nodeName": "DNZZones",
                    "assignment": {
                        "name": "Deploy-Private-DNS-Zones",
                        "displayName": "Configure Azure PaaS services to use private DNS zones",
                        "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones."
                    },
                    "definitionEntry": {
                        "policySetName": "Deploy-Private-DNS-Zones",
                        "displayName": "Deploy Private DNS Zones"
                    },
                    "parameters": {
                        // Replace --DNSZonePrefix-- with a value similar to 
                        // "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myorg-dns/providers/Microsoft.Network/privateDnsZones/"
                        // but modify to reference your connectivity subscription.
                        // Also update additionalRoleAssignments block to ensure your connectivity subscription Id is referenced.
                        // If you don't require this then remove the assignment block. 
                        "azureFilePrivateDnsZoneId": "--DNSZonePrefix--privatelink.afs.azure.net",
                        "azureAutomationWebhookPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-automation.net",
                        "azureAutomationDSCHybridPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-automation.net",
                        "azureCosmosSQLPrivateDnsZoneId": "--DNSZonePrefix--privatelink.documents.azure.com",
                        "azureCosmosMongoPrivateDnsZoneId": "--DNSZonePrefix--privatelink.mongo.cosmos.azure.com",
                        "azureCosmosCassandraPrivateDnsZoneId": "--DNSZonePrefix--privatelink.cassandra.cosmos.azure.com",
                        "azureCosmosGremlinPrivateDnsZoneId": "--DNSZonePrefix--privatelink.gremlin.cosmos.azure.com",
                        "azureCosmosTablePrivateDnsZoneId": "--DNSZonePrefix--privatelink.table.cosmos.azure.com",
                        "azureDataFactoryPrivateDnsZoneId": "--DNSZonePrefix--privatelink.datafactory.azure.net",
                        "azureDataFactoryPortalPrivateDnsZoneId": "--DNSZonePrefix--privatelink.adf.azure.com",
                        "azureHDInsightPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurehdinsight.net",
                        "azureMigratePrivateDnsZoneId": "--DNSZonePrefix--privatelink.prod.migration.windowsazure.com",
                        "azureStorageBlobPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
                        "azureStorageBlobSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
                        "azureStorageQueuePrivateDnsZoneId": "--DNSZonePrefix--privatelink.queue.core.windows.net",
                        "azureStorageQueueSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.queue.core.windows.net",
                        "azureStorageFilePrivateDnsZoneId": "--DNSZonePrefix--privatelink.file.core.windows.net",
                        "azureStorageStaticWebPrivateDnsZoneId": "--DNSZonePrefix--privatelink.web.core.windows.net",
                        "azureStorageStaticWebSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.web.core.windows.net",
                        "azureStorageDFSPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dfs.core.windows.net",
                        "azureStorageDFSSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dfs.core.windows.net",
                        "azureSynapseSQLPrivateDnsZoneId": "--DNSZonePrefix--privatelink.sql.azuresynapse.net",
                        "azureSynapseSQLODPrivateDnsZoneId": "--DNSZonePrefix--privatelink.sql.azuresynapse.net",
                        "azureSynapseDevPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dev.azuresynapse.net",
                        "azureMediaServicesKeyPrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
                        "azureMediaServicesLivePrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
                        "azureMediaServicesStreamPrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
                        "azureMonitorPrivateDnsZoneId1": "--DNSZonePrefix--privatelink.monitor.azure.com",
                        "azureMonitorPrivateDnsZoneId2": "--DNSZonePrefix--privatelink.oms.opinsights.azure.com",
                        "azureMonitorPrivateDnsZoneId3": "--DNSZonePrefix--privatelink.ods.opinsights.azure.com",
                        "azureMonitorPrivateDnsZoneId4": "--DNSZonePrefix--privatelink.agentsvc.azure-automation.net",
                        "azureMonitorPrivateDnsZoneId5": "--DNSZonePrefix--privatelink.blob.core.windows.net",
                        "azureWebPrivateDnsZoneId": "--DNSZonePrefix--privatelink.webpubsub.azure.com",
                        "azureBatchPrivateDnsZoneId": "--DNSZonePrefix--privatelink.batch.azure.com",
                        "azureAppPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azconfig.io",
                        "azureAsrPrivateDnsZoneId": "--DNSZonePrefix--privatelink.siterecovery.windowsazure.com",
                        "azureIotPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-devices-provisioning.net",
                        "azureKeyVaultPrivateDnsZoneId": "--DNSZonePrefix--privatelink.vaultcore.azure.net",
                        "azureSignalRPrivateDnsZoneId": "--DNSZonePrefix--privatelink.service.signalr.net",
                        "azureAppServicesPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurewebsites.net",
                        "azureEventGridTopicsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.eventgrid.azure.net",
                        "azureDiskAccessPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
                        "azureCognitiveServicesPrivateDnsZoneId": "--DNSZonePrefix--privatelink.cognitiveservices.azure.com",
                        "azureIotHubsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-devices.net",
                        "azureEventGridDomainsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.eventgrid.azure.net",
                        "azureRedisCachePrivateDnsZoneId": "--DNSZonePrefix--privatelink.redis.cache.windows.net",
                        "azureAcrPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurecr.io",
                        "azureEventHubNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net",
                        "azureMachineLearningWorkspacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.api.azureml.ms",
                        "azureServiceBusNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net",
                        "azureCognitiveSearchPrivateDnsZoneId": "--DNSZonePrefix--privatelink.search.windows.net"
                    },
                    "details": {
                        "evaluationDelay": "AfterProvisioning"
                    },
                    "nonComplianceMessages": [
                        {
                            "message": "Azure PaaS services must use private DNS zones."
                        }
                    ],
                    "additionalRoleAssignments": {
                        "*": [
                            {
                                "roleDefinitionId": "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
                                "scope": "/subscriptions/connectivity--subscription--id"
                            }
                        ]
                    }
                },

Acenl12 commented 1 year ago

It looks like I also need to make some changes to the policy set definition:

Line |
 279 |  … splayName = Set-AzPolicyAssignmentRestMethod -Assignment $_ -CurrentD …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Assignment error 400 -- {"error":{"code":"UndefinedPolicyParameter","message":"The policy assignment
     | 'Deploy-Private-DNS-Zones' has the parameter(s) 'evaluationDelay' which are not defined in the policy definition
     | 'Deploy-Private-DNS-Zones'."}}

techlake commented 1 year ago

evaluationDelay is a property on an individual Policy definition and NOT on a Policy Assignment.

This can only be changed within a Policy definition.

anwather commented 1 year ago

That policy set is built up of a number of built-in policies - you would have to clone each of them, add an evaluation delay and build your new policy set before assigning it.
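The two answers above pin down where evaluationDelay actually lives: in policyRule.then.details of each DeployIfNotExists (or AuditIfNotExists) definition, never in the assignment, so the built-in members of the set have to be cloned with the delay set and a new policy set built from the clones. The script below is an added example (mine, not EPAC's code and not anything posted in this thread) that does that transformation offline: it clones a definition with a given delay, assembles a policy set from the clones, and lints an assignment file for a stray evaluationDelay key. The sample built-in definition is constructed to mimic the shape of the Private DNS Zone policies and its name is a placeholder; the `Custom-` name prefix and referencing members by `policyDefinitionName` are assumptions about the EPAC file layout.

```python
"""Clone DeployIfNotExists policy definitions with an evaluationDelay.

Added example, not code from the EPAC project or from this thread. The
sample definition below is constructed to look like the built-in Private
DNS Zone policies; its name is a placeholder, not a real built-in id.
"""
import copy
import json
import re

# evaluationDelay lives in policyRule.then.details and only for these effects.
DELAYED_EFFECTS = {"deployifnotexists", "auditifnotexists"}
# Valid values: a keyword or an ISO 8601 duration such as PT0S or PT10M.
DELAY_KEYWORDS = {"AfterProvisioning", "AfterProvisioningSuccess", "AfterProvisioningFailure"}
DELAY_RE = re.compile(r"PT(?:\d+H)?(?:\d+M)?(?:\d+S)?")

# Constructed sample of a built-in style DINE policy (placeholder name/id).
SAMPLE_BUILTIN = {
    "name": "00000000-0000-0000-0000-0000000000aa",
    "properties": {
        "displayName": "Configure private endpoints to use a private DNS zone (sample)",
        "policyType": "BuiltIn",
        "mode": "Indexed",
        "parameters": {
            "privateDnsZoneId": {"type": "String"},
            "effect": {"type": "String", "defaultValue": "DeployIfNotExists",
                       "allowedValues": ["DeployIfNotExists", "Disabled"]},
        },
        "policyRule": {
            "if": {"field": "type", "equals": "Microsoft.Network/privateEndpoints"},
            "then": {
                "effect": "[parameters('effect')]",
                "details": {
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "roleDefinitionIds": [
                        "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
                    ],
                    "deployment": {"properties": {"mode": "incremental", "template": {}}},
                },
            },
        },
    },
}


def is_valid_delay(delay):
    """True for the keyword forms or a PT... ISO 8601 duration (shape only, range not checked)."""
    return delay in DELAY_KEYWORDS or (delay != "PT" and DELAY_RE.fullmatch(delay) is not None)


def effective_effect(props):
    """Resolve then.effect; a [parameters('x')] reference resolves to x's defaultValue."""
    effect = props["policyRule"]["then"]["effect"]
    ref = re.fullmatch(r"\[parameters\('(\w+)'\)\]", effect)
    if ref:
        effect = props["parameters"][ref.group(1)].get("defaultValue", "")
    return effect.lower()


def clone_with_delay(definition, delay, prefix="Custom-"):
    """Return a Custom copy of a definition with evaluationDelay set in then.details."""
    if not is_valid_delay(delay):
        raise ValueError(f"invalid evaluationDelay {delay!r}")
    props = definition["properties"]
    if effective_effect(props) not in DELAYED_EFFECTS:
        raise ValueError("evaluationDelay only applies to DeployIfNotExists/AuditIfNotExists")
    clone = copy.deepcopy(definition)  # never mutate the built-in definition
    clone["name"] = prefix + definition["name"]  # hypothetical naming convention
    clone["properties"]["policyType"] = "Custom"
    clone["properties"]["policyRule"]["then"]["details"]["evaluationDelay"] = delay
    return clone


def build_policy_set(set_name, clones):
    """Assemble a policy set from the clones, passing each member's parameters straight through.

    Members are referenced by policyDefinitionName, assumed here to be how EPAC
    policy set files refer to custom definitions."""
    set_params, members = {}, []
    for clone in clones:
        params = clone["properties"]["parameters"]
        set_params.update(params)
        members.append({
            "policyDefinitionReferenceId": clone["name"],
            "policyDefinitionName": clone["name"],
            "parameters": {p: {"value": f"[parameters('{p}')]"} for p in params},
        })
    return {"name": set_name, "properties": {"policyType": "Custom",
            "parameters": set_params, "policyDefinitions": members}}


def find_key_paths(obj, key, path="$"):
    """Return JSON paths at which `key` occurs anywhere in a nested structure."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                hits.append(f"{path}.{k}")
            hits.extend(find_key_paths(v, key, f"{path}.{k}"))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_key_paths(v, key, f"{path}[{i}]"))
    return hits


def lint_assignment(assignment):
    """Flag evaluationDelay in an assignment; it is not an assignment property."""
    return find_key_paths(assignment, "evaluationDelay")


if __name__ == "__main__":
    delayed = clone_with_delay(SAMPLE_BUILTIN, "PT0S")
    print(json.dumps(build_policy_set("Deploy-Private-DNS-Zones-NoDelay", [delayed]), indent=2))
    print(lint_assignment({"nodeName": "DNZZones", "details": {"evaluationDelay": "AfterProvisioning"}}))
```

Running the lint over the assignment node posted at the top of this thread reports `$.details.evaluationDelay`, which is the key the 400 complained about. The delay check only validates the shape of the value (keyword or `PT...` duration); the documented range for the duration form is not enforced here.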

anwather commented 1 year ago

Closing as non EPAC issue.