
Conflicting policies: PrivateDNSZone Synapse Workspace and CosmosDB

Open chasdesj opened this issue 3 years ago • 1 comment

Details of the scenario you tried and the problem that is occurring

When implementing both:

Cosmos_PrivateDNSZone_DeployIfNotExists.json
SynapseWorkspaceUsePrivateDnsZones_DeployIfNotExists.json

The targetSubResource parameter in Synapse's version is ambiguous with CosmosDB's, since both have a sub-resource called Sql, as defined here.

Verbose logs showing the problem

N/A

Suggested solution to the issue

Validating the PrivateLinkServiceId would allow using the right private DNS Zone in both cases

If policy is Guest Configuration - details about target node

chasdesj avatar Jun 21 '22 17:06 chasdesj

Had the same issue a few months ago: https://github.com/Azure/azure-policy/issues/858 Still open since then. But wanted to mention this here. Suggested solution is the right way to go.

Cognitive Services Policy has done this right: https://www.azadvertizer.net/azpolicyadvertizer/c4bc6f10-cb41-49eb-b000-d5ab82e2a091.html

{
  "allOf": [
    {
      "field": "type",
      "equals": "Microsoft.Network/privateEndpoints"
    },
    {
      "count": {
        "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
        "where": {
          "allOf": [
            {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
              "contains": "Microsoft.CognitiveServices/accounts"
            },
            {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "equals": "account"
            }
          ]
        }
      },
      "greaterOrEquals": 1
    }
  ]
}

cloudchristoph avatar Jul 31 '22 11:07 cloudchristoph

Hi @cloudchristoph,

After many discussions with MS support, the policy has been correctly fixed 2 weeks ago.

Obviously, it can be confirmed here: Cosmos_PrivateDNSZone_DeployIfNotExists.json

Hope it helps!

chasdesj avatar Aug 23 '22 15:08 chasdesj

Hi again @cloudchristoph,

Just had confirmation from MS support that Synapse's built-in was going to be fixed also. That was crucial since the conflict was still there even after the fix mentioned above.

Basically, the change has not hit production yet, but here is a peek of what is coming:

{
  "count": {
-      "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
+      "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
+      "where": {
+         "allOf": [
+            {
+                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
+                "contains": "Microsoft.Synapse/workspaces"
+             },
+             {
+               "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
+               "equals": "[parameters('targetSubResource')]"
+             }
+        ]
+     }
  },
  "greaterOrEquals": 1
}
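Review bot: The new `where` clause evaluates both conditions per connection, so the `"contains": "Microsoft.Synapse/workspaces"` check on privateLinkServiceId and the `"equals": "[parameters('targetSubResource')]"` check on groupIds[*] must hold for the same privateLinkServiceConnection; that is what keeps a Cosmos DB endpoint whose group id is also `Sql` from satisfying this count, which matches the Cognitive Services pattern quoted earlier in the thread. Note that `contains` is a substring test on the resource id rather than an exact provider/type match, so it should be kept pinned to the full `Microsoft.Synapse/workspaces` segment as written. Style: the indentation of the added `"field"` lines and the closing `},` of the two objects is uneven (the first object's `},` is indented one space deeper than the second's); aligning them before it ships would keep the rule readable.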

chasdesj avatar Aug 31 '22 14:08 chasdesj
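To make the conflict and the fix discussed above concrete, here is an added example (not code from the azure-policy repository) that models the count/where/allOf/equals/contains subset these rules use and runs it over two constructed private endpoints, one for Cosmos DB and one for Synapse, both with group id Sql. The endpoint payloads, the resource names, the case-insensitive string comparison and the "before" rule (reconstructed from the `-` line of the diff) are assumptions of this model.

```python
# Added example (not azure-policy repo code): a small evaluator for the
# count/where/allOf/equals/contains subset these policies use, run over two
# constructed private endpoints to show the Sql group-id clash and the fix.
PREFIX = "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/"

def pe(service_id, *group_ids):
    """Constructed privateEndpoint payload with one privateLinkServiceConnection."""
    return {"properties": {"privateLinkServiceConnections": [
        {"properties": {"privateLinkServiceId": service_id, "groupIds": list(group_ids)}}]}}

COSMOS_PE = pe(SUB + "Microsoft.DocumentDB/databaseAccounts/cosmos-demo", "Sql")
SYNAPSE_PE = pe(SUB + "Microsoft.Synapse/workspaces/syn-demo", "Sql")

# Before the fix the Synapse rule only looked at groupIds[*] (modeled here as
# an assumption from the '-' line of the diff); after it, the where clause
# also pins the privateLinkServiceId to the Synapse provider path.
OLD_WHERE = {"field": PREFIX + ".groupIds[*]", "equals": "[parameters('targetSubResource')]"}
FIXED_WHERE = {"allOf": [
    {"field": PREFIX + ".privateLinkServiceId", "contains": "Microsoft.Synapse/workspaces"},
    {"field": PREFIX + ".groupIds[*]", "equals": "[parameters('targetSubResource')]"},
]}

def resolve(value, params):
    """Expand a [parameters('name')] reference; other strings pass through."""
    if value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[13:-3]]
    return value

def field_values(conn, field):
    """Alias -> values on one connection; groupIds[*] yields every element."""
    leaf = field[len(PREFIX) + 1:]
    props = conn["properties"]
    return list(props["groupIds"]) if leaf == "groupIds[*]" else [props[leaf]]

def matches(conn, cond, params):
    """Evaluate allOf/equals/contains; string compares are case-insensitive
    (an assumption of this model). [*] on the field means 'any element'."""
    if "allOf" in cond:
        return all(matches(conn, c, params) for c in cond["allOf"])
    vals = [v.lower() for v in field_values(conn, cond["field"])]
    if "equals" in cond:
        return resolve(cond["equals"], params).lower() in vals
    if "contains" in cond:
        return any(resolve(cond["contains"], params).lower() in v for v in vals)
    raise ValueError(f"unsupported condition: {cond}")

def policy_applies(endpoint, where, params):
    """Mirrors "count": {"field": PREFIX, "where": where}, "greaterOrEquals": 1."""
    conns = endpoint["properties"]["privateLinkServiceConnections"]
    return sum(matches(c, where, params) for c in conns) >= 1
```

With targetSubResource set to Sql, the old rule fires for both endpoints (so the Synapse DNS zone would be deployed for a Cosmos DB endpoint), while the fixed rule fires only for the Synapse endpoint.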