Issue with the Private link DNS zones: Policy Assignment with Incorrect resource group name as default #1161

Open
jayaprasad-github opened this issue Oct 18, 2024 · 5 comments

Comments

@jayaprasad-github

Description:
We have the CAF policy which is being deployed and assigned for configuring the private endpoints for the Azure PaaS resources, and it is taking the default DNS resource group as {prefix}-dns.

It appears that the resource_group_name cannot be changed in the same way that other resources can be changed using advanced settings.

Is there any other workaround to change the resource group name in the policy parameter value for the policy below, overriding the default value with our own RG?

Policy Initiative / Assignment: Configure Azure PaaS services to use private DNS zones.

CAF Version : 6.1.0

@jayaprasad-github jayaprasad-github changed the title Private link DNS zones Policy Assignment with Incorrect resource group name as default Issue with the Private link DNS zones: Policy Assignment with Incorrect resource group name as default Oct 18, 2024
@falowomi

@jayaprasad-github, you can create a directory lib in your ALZ root module and a file archetype_extension_es_root.tmpl.json under the lib directory, and add the code below to set the existing private DNS zone resource IDs with your own resource group.

Providing this setting should help override the default settings in the ALZ deployment for the Private DNS Zones policy assignment.

NOTE: please change the appropriate values below as needed.

{
  "extend_es_root": {
    "policy_assignments": ["Deploy-Private-DNS-Zones"],
    "policy_definitions": [],
    "policy_set_definitions": [],
    "role_definitions": [],
    "archetype_config": {
      "parameters": {
        "Deploy-Private-DNS-Zones": {
          "azureFilePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.afs.azure.net",
          "azureAutomationWebhookPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.azure-automation.net",
          "azureAutomationDSCHybridPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.azure-automation.net",
          "azureCosmosSQLPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com",
          "azureCosmosMongoPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.mongo.cosmos.azure.com",
          "azureCosmosCassandraPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.cassandra.cosmos.azure.com",
          "azureCosmosGremlinPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.gremlin.cosmos.azure.com",
          "azureCosmosTablePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.table.cosmos.azure.com",
          "azureDataFactoryPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.datafactory.azure.net",
          "azureDataFactoryPortalPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.adf.azure.com",
          "azureDatabricksPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.azuredatabricks.net",
          "azureHDInsightPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.azurehdinsight.net",
          "azureMigratePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.prod.migration.windowsazure.com",
          "azureStorageBlobPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net",
          "azureStorageBlobSecPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net",
          "azureStorageQueuePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net",
          "azureStorageQueueSecPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net",
          "azureStorageFilePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net",
          "azureStorageStaticWebPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net",
          "azureStorageStaticWebSecPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net",
          "azureStorageDFSPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.dfs.core.windows.net",
          "azureStorageDFSSecPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.dfs.core.windows.net",
          "azureSynapseSQLPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.sql.azuresynapse.net",
          "azureSynapseSQLODPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.sql.azuresynapse.net",
          "azureSynapseDevPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.dev.azuresynapse.net",
          "azureMediaServicesKeyPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.media.azure.net",
          "azureMediaServicesLivePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.media.azure.net",
          "azureMediaServicesStreamPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.media.azure.net",
          "azureMonitorPrivateDnsZoneId1": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.monitor.azure.com",
          "azureMonitorPrivateDnsZoneId2": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.oms.opinsights.azure.com",
          "azureMonitorPrivateDnsZoneId3": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.ods.opinsights.azure.com",
          "azureMonitorPrivateDnsZoneId4": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.agentsvc.azure-automation.net",
          "azureMonitorPrivateDnsZoneId5": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net",
          "azureWebPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.webpubsub.azure.com",
          "azureBatchPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.batch.azure.com",
          "azureAppPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io",
          "azureAsrPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.siterecovery.windowsazure.com",
          "azureIotPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices-provisioning.net",
          "azureKeyVaultPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net",
          "azureSignalRPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.service.signalr.net",
          "azureAppServicesPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net",
          "azureEventGridTopicsPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.eventgrid.azure.net",
          "azureDiskAccessPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net",
          "azureCognitiveServicesPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.cognitiveservices.azure.com",
          "azureIotHubsPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices.net",
          "azureEventGridDomainsPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.eventgrid.azure.net",
          "azureRedisCachePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net",
          "azureAcrPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io",
          "azureEventHubNamespacePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net",
          "azureMachineLearningWorkspacePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.api.azureml.ms",
          "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.notebooks.azure.net",
          "azureServiceBusNamespacePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net",
          "azureCognitiveSearchPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net",
          "azureBotServicePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.directline.botframework.com",
          "azureManagedGrafanaWorkspacePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.grafana.azure.com",
          "azureVirtualDesktopHostpoolPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.wvd.microsoft.com",
          "azureVirtualDesktopWorkspacePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.wvd.microsoft.com",
          "azureIotDeviceupdatePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices.net",
          "azureArcGuestconfigurationPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.guestconfiguration.azure.com",
          "azureArcHybridResourceProviderPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.his.arc.azure.com",
          "azureArcKubernetesConfigurationPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.dp.kubernetesconfiguration.azure.com",
          "azureIotCentralPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.azureiotcentral.com",
          "azureStorageTablePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net",
          "azureStorageTableSecondaryPrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net",
          "azureSiteRecoveryBackupPrivateDnsZoneID": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.${connectivity_location_short}.backup.windowsazure.com",
          "azureSiteRecoveryBlobPrivateDnsZoneID": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net",
          "azureSiteRecoveryQueuePrivateDnsZoneID": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resource group name>/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net"
        }
      },
      "access_control": {}
    }
  }
}

Finally, you need to add library_path = "${path.root}/lib" to your module block. See below for an example.

module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "<version>" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = "myorg"
  root_name      = "My Organization"
  library_path   = "${path.root}/lib"
}

Hope that helps

@falowomi

You can also go by my theory and take the easy route by providing the advanced setting in your connectivity configuration block in your locals file, using the snippet below.

NOTE: Use of the advanced setting is currently undocumented and experimental. Please be aware that using this setting may result in future breaking changes.

This works perfectly for now.

... other connectivity configuration

# Advanced settings needed to fix the issue.
locals {
  configure_connectivity_resources = {
    advanced = {
      custom_settings_by_resource_type = {
        azurerm_resource_group = {
          dns = {
            # Key is the location name used in your connectivity settings.
            ("location1 name") = {
              name = "customize resource group name"
            },
            # Remove location 2 if not needed.
            ("location2 name") = {
              name = "customize resource group name"
            }
          }
        }
      }
    }
  }
}

@jayaprasad-github
Author

Thank you @falowomi, we have the lib and archetype structure created in our local repo, and it updates the overrides to use our existing subscription and RG for DNS and works with the override; we just needed to update the DNS URIs/paths shared in the above comment with /providers/.

ex:
"azureFilePrivateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups//providers/Microsoft.Network/privateDnsZones/privatelink.afs.azure.net",
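The two comments above show the failure mode in this override: a private DNS zone resource ID that is missing the /providers/ segment, or that points at the module's default {prefix}-dns resource group instead of the intended one, is accepted by Terraform and only fails (or, worse, silently resolves private endpoints against the wrong zone) at policy remediation time. The following pre-apply check is an added example, not code from the caf-enterprise-scale module or from anyone in this thread. It parses an archetype_extension_es_root.tmpl.json file, validates every Deploy-Private-DNS-Zones parameter against the canonical resource ID shape, and flags IDs whose subscription or resource group differ from the ones you expect. The sample document embedded in it is constructed for the example; the subscription ID and resource group names in it are placeholders, and the ${connectivity_location_short} placeholder is assumed to be substituted by the module as the thread's JSON implies.

```python
"""Pre-apply lint for Private DNS zone IDs in an ALZ archetype extension file.

Added example, not part of the Azure/caf-enterprise-scale module.
Usage: python check_dns_zone_ids.py lib/archetype_extension_es_root.tmpl.json <dns-subscription-id> <dns-rg-name>
"""
import json
import re
import sys
from typing import Dict, List

# Assumption: the assignment name and parameter names follow the JSON posted in this thread.
ASSIGNMENT = "Deploy-Private-DNS-Zones"

# Canonical ARM resource ID for a private DNS zone.  The "/providers/" segment is
# mandatory; leaving it out is exactly the mistake the thread ran into.
ZONE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/privateDnsZones/(?P<zone>privatelink\.[^/]+)$",
    re.IGNORECASE,
)

# Template placeholders such as ${connectivity_location_short} are substituted by the
# module before the ID is used, so they are treated as an opaque DNS label here.
PLACEHOLDER_RE = re.compile(r"\$\{[a-z_]+\}")


def check_zone_ids(doc: dict, expected_sub: str, expected_rg: str) -> Dict[str, List[str]]:
    """Return {parameter_or_section: [problems]}; an empty dict means the file is clean."""
    root = doc.get("extend_es_root", {})
    problems: Dict[str, List[str]] = {}

    # Parameters are ignored unless the assignment is also listed for the archetype.
    if ASSIGNMENT not in root.get("policy_assignments", []):
        problems["policy_assignments"] = [f"{ASSIGNMENT} is not listed, so its parameters will not apply"]

    params = root.get("archetype_config", {}).get("parameters", {}).get(ASSIGNMENT, {})
    for name, value in params.items():
        issues: List[str] = []
        candidate = PLACEHOLDER_RE.sub("placeholder", value)
        m = ZONE_ID_RE.match(candidate)
        if not m:
            if "/providers/" not in value:
                issues.append("missing /providers/ segment before Microsoft.Network")
            else:
                issues.append("not a valid privateDnsZones resource ID")
        else:
            if m.group("sub").lower() != expected_sub.lower():
                issues.append(f"subscription {m.group('sub')} is not the DNS subscription")
            if m.group("rg").lower() != expected_rg.lower():
                issues.append(f"resource group {m.group('rg')} is not {expected_rg}")
        if issues:
            problems[name] = issues
    return problems


# Constructed sample: one correct ID, one missing /providers/, one pointing at the
# module's default "<prefix>-dns" group, and one using a template placeholder.
SAMPLE_EXTENSION = json.loads(r'''
{
  "extend_es_root": {
    "policy_assignments": ["Deploy-Private-DNS-Zones"],
    "archetype_config": {
      "parameters": {
        "Deploy-Private-DNS-Zones": {
          "azureKeyVaultPrivateDnsZoneId": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-dns-prod/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net",
          "azureStorageBlobPrivateDnsZoneId": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-dns-prod/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net",
          "azureAcrPrivateDnsZoneId": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/myorg-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io",
          "azureSiteRecoveryBackupPrivateDnsZoneID": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-dns-prod/providers/Microsoft.Network/privateDnsZones/privatelink.${connectivity_location_short}.backup.windowsazure.com"
        }
      }
    }
  }
}
''')
SAMPLE_SUB = "11111111-2222-3333-4444-555555555555"
SAMPLE_RG = "rg-dns-prod"


def main(argv: List[str]) -> int:
    if len(argv) == 4:
        with open(argv[1], encoding="utf-8") as fh:
            doc, sub, rg = json.load(fh), argv[2], argv[3]
    else:
        doc, sub, rg = SAMPLE_EXTENSION, SAMPLE_SUB, SAMPLE_RG
    found = check_zone_ids(doc, sub, rg)
    for key, issues in found.items():
        for issue in issues:
            print(f"{key}: {issue}")
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real file in CI before terraform plan; a non-zero exit means at least one zone ID would either be rejected by the policy assignment or would bind private endpoints to a zone in a resource group other than the one you intended.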

@matt-FFFFFF
Member

Hi is this resolved?

Contributor

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within 7 days of this comment.
