Merged
Changes from 4 commits
32 commits
cb7c68c
Create Deploy-Private DNS zone-PaaS-Private endpoint.json
Ravivarman13 Apr 12, 2024
61740f6
Create Deploy-Private DNS zone-PaaS-Private endpoint-Allowed values.json
Ravivarman13 Apr 12, 2024
6b5f0d2
Merge branch 'policy-refresh-q3fy24' into main
Springstone Apr 22, 2024
f9dd4fb
Update and rename Deploy-Private DNS zone-PaaS-Private endpoint-Allow…
Ravivarman13 Apr 22, 2024
163a4fa
Update and rename Deploy-Private DNS zone-PaaS-Private endpoint.json …
Ravivarman13 Apr 22, 2024
18c23c7
Update Whats-new.md
Ravivarman13 Apr 22, 2024
84c9af7
Update and rename Deploy-Private DNS zone ID-PaaS-PE.json to Deploy-P…
Ravivarman13 Apr 24, 2024
137c9d7
Update and rename Deploy-Private DNS zone-PaaS-PE-Generic.json to Dep…
Ravivarman13 Apr 24, 2024
501c795
Update Deploy-Private-DNS-zone-ID-PaaS-PE.json
Ravivarman13 Apr 24, 2024
9916128
Update Deploy-Private-DNS-zone-PaaS-PE-Generic.json
Ravivarman13 Apr 24, 2024
f5f0d59
Update policies.bicep
Ravivarman13 Apr 24, 2024
e35159f
Update Deploy-Private-DNS-zone-ID-PaaS-PE.json
Ravivarman13 Apr 24, 2024
31cbaf5
Auto-update Portal experience [Springstone/651f57a7]
github-actions[bot] Apr 25, 2024
b519233
Update Deploy-Private-DNS-zone-ID-PaaS-PE.json
Ravivarman13 Apr 25, 2024
3222694
Auto-update Portal experience [Ravivarman13/651f57a7]
github-actions[bot] Apr 25, 2024
00d2353
Update Deploy-Private-DNS-zone-PaaS-PE-Generic.json
Ravivarman13 Apr 25, 2024
cf32b6d
Auto-update Portal experience [Ravivarman13/651f57a7]
github-actions[bot] Apr 25, 2024
5e2f612
Update and rename Deploy-Private-DNS-zone-ID-PaaS-PE.json to Deploy-P…
Ravivarman13 Apr 30, 2024
4095626
Update and rename Deploy-Private-DNS-zone-PaaS-PE-Generic.json to Dep…
Ravivarman13 Apr 30, 2024
cab3551
Update Whats-new.md
Ravivarman13 Apr 30, 2024
31526a1
Update policies.bicep
Ravivarman13 Apr 30, 2024
817a0dd
Auto-update Portal experience [Ravivarman13/651f57a7]
github-actions[bot] Apr 30, 2024
9f661a4
Apply suggestions from JT code review
jtracey93 May 3, 2024
166cd1b
Auto-update Portal experience [jtracey93/b646a5d5]
github-actions[bot] May 3, 2024
92b61bb
Update Whats-new.md
Ravivarman13 May 6, 2024
0f69d16
Update policies.bicep
Ravivarman13 May 6, 2024
4b6ef7c
Auto-update Portal experience [Ravivarman13/b646a5d5]
github-actions[bot] May 6, 2024
c1d87a0
Delete src/resources/Microsoft.Authorization/policyDefinitions/Deploy…
Ravivarman13 May 6, 2024
d26ffb8
Merge branch 'policy-refresh-q3fy24' of https://github.com/Azure/Ente…
Ravivarman13 May 6, 2024
c408761
Auto-update Portal experience [Ravivarman13/79c74f4d]
github-actions[bot] May 6, 2024
c9defbd
Merge branch 'policy-refresh-q3fy24' of https://github.com/Azure/Ente…
Ravivarman13 May 7, 2024
092195b
Auto-update Portal experience [Ravivarman13/21908c03]
github-actions[bot] May 7, 2024
15 changes: 5 additions & 10 deletions docs/wiki/Whats-new.md
Original file line number Diff line number Diff line change
Expand Up @@ -84,16 +84,11 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
- Add an additional role assignment for ChangeTracking Policies that are assigned at Landing Zone management group scope, granting the Managed Identity the Reader role on the Platform management group.
- Add an additional role assignment to Azure Update Manger Policies, granting Managed Identity Operator at the same scope as the assignment.
- **To update an existing deployment:**
- For each of the VMInsights and ChangeTracking Initiative assignments:
- **Only required for the Initiatives assigned to Landing Zones Management group scope**
- Go to the Initiative assignment, go to the Managed Identity tab and copy the Principal ID
- Go to Management Groups, select the Platform Management group and go to Access control (IAM)
- Add a new role assignment and assign the Reader role the Principal ID that was copied in the first step.
- For each of the Azure Update Manger Initiative assignments:
- **Applies to the Initiatives assigned to both the Landing Zones and the Platform Management group scopes**
- Go to the Initiative assignment, go to the Managed Identity tab and copy the Principal ID
- Go to Management Groups, select the same management group as the assignment you copied the Principal ID from and go to Access control (IAM)
- Add a new role assignment and assign the Managed Identity Operator role the Principal ID that was copied in the first step.
- This script [Set-RBACAmaPolicyAssignment.ps1](https://github.com/Azure/Enterprise-Scale/blob/main/src/scripts/Set-RBACAmaPolicyAssignment.ps1) will update the required role assignments. The `enterpriseScaleCompanyPrefix` parameter is required for running the script and should contain the intermediate root management group name.

```powershell
.\Set-RBACAmaPolicyAssignment.ps1 -enterpriseScaleCompanyPrefix contoso
```

### February 2024

Original file line number Diff line number Diff line change
@@ -0,0 +1,233 @@
{
"name": "Configure a private DNS Zone ID for Paas services-Generic policy for PaaS services dosent has builtin policies",
"type": "Microsoft.Authorization/policyDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"mode": "All",
"displayName": "Configure a private DNS Zone ID for Paas services-Generic policy for PaaS services dosent has builtin policies",
"description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint",
"metadata": {
"version": "1.1.0",
"category": "Generic",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud"
]
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
},
"privateDnsZoneId": {
"type": "String",
"metadata": {
"displayName": "Private DNS Zone ID for Paas services",
"description": "The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.",
"strongType": "Microsoft.Network/privateDnsZones",
"assignPermissions": true
}
},
"ResourceType": {
"type": "String",
"metadata": {
"displayName": "PaaS private endpoint resource type",
"description": "The PaaS service endpoint resource type."
},
"allowedValues": [
"Microsoft.CognitiveServices/accounts",
"Microsoft.BotService/botServices",
"Microsoft.Synapse/privateLinkHubs",
"Microsoft.EventHub/namespaces",
"Microsoft.ServiceBus/namespaces",
"Microsoft.DataFactory/factories",
"Microsoft.Kusto/Clusters",
"Microsoft.PowerBI/privateLinkServicesForPowerBI",
"Microsoft.Databricks/workspaces",
"Microsoft.Batch/batchAccounts",
"Microsoft.DesktopVirtualization/workspaces",
"Microsoft.DesktopVirtualization/hostpools",
"Microsoft.ContainerService/managedClusters",
"Microsoft.ContainerRegistry/registries",
"Microsoft.Sql/servers",
"Microsoft.Sql/managedInstances",
"Microsoft.DocumentDB/databaseAccounts",
"Microsoft.DBforPostgreSQL/serverGroupsv2",
"Microsoft.DBforPostgreSQL/servers",
"Microsoft.DBforMySQL/servers",
"Microsoft.DBforMySQL/flexibleServers",
"Microsoft.DBforMariaDB/servers",
"Microsoft.Cache/RedisEnterprise",
"Microsoft.EventGrid/partnerNamespaces",
"Microsoft.ApiManagement/service",
"Microsoft.HealthcareApis/workspaces",
"Microsoft.Devices/ProvisioningServices",
"Microsoft.DeviceUpdate/accounts",
"Microsoft.IoTCentral/IoTApps",
"Microsoft.DigitalTwins/digitalTwinsInstances",
"Microsoft.RecoveryServices/vaults",
"Microsoft.Purview/accounts",
"Microsoft.Authorization/resourceManagementPrivateLinks",
"Microsoft.Dashboard/grafana",
"Microsoft.KeyVault/managedHSMs",
"Microsoft.AppConfiguration/configurationStores",
"Microsoft.Attestation/attestationProviders",
"Microsoft.Storage/storageAccounts",
"Microsoft.StorageSync/storageSyncServices",
"Microsoft.Compute/diskAccesses",
"Microsoft.Search/searchServices",
"Microsoft.Relay/namespaces"
]
},
"groupId": {
"type": "String",
"metadata": {
"displayName": "PaaS Private endpoint group ID",
"description": "The group ID of the PaaS private endpoint."
},
"allowedValues": [
"Account",
"Bot",
"Token",
"Web",
"namespace",
"dataFactory",
"portal",
"cluster",
"tenant",
"databricks_ui_api",
"browser_authentication",
"nodeManagement",
"global",
"feed",
"connection",
"management",
"registry",
"sqlServer",
"managedInstance",
"Analytical",
"coordinator",
"postgresqlServer",
"mysqlServer",
"mariadbServer",
"redisEnterprise",
"partnernamespace",
"gateway",
"healthcareworkspace",
"iotDps",
"DeviceUpdate",
"iotApp",
"API",
"AzureBackup",
"account",
"ResourceManagement",
"grafana",
"managedhsm",
"configurationStores",
"standard",
"table",
"table_secondary",
"afs",
"disks",
"searchService"
]
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/privateEndpoints"
},
{
"count": {
"field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
"contains": "[parameters('ResourceType')]"
},
{
"field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
"equals": "[parameters('groupId')]"
}
]
}
},
"greaterOrEquals": 1
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"privateDnsZoneId": {
"type": "string"
},
"privateEndpointName": {
"type": "string"
},
"location": {
"type": "string"
}
},
"resources": [
{
"name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
"type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
"apiVersion": "2020-03-01",
"location": "[parameters('location')]",
"properties": {
"privateDnsZoneConfigs": [
{
"name": "PaasService-privateDnsZone",
"properties": {
"privateDnsZoneId": "[parameters('privateDnsZoneId')]"
}
}
]
}
}
]
},
"parameters": {
"privateDnsZoneId": {
"value": "[parameters('privateDnsZoneId')]"
},
"privateEndpointName": {
"value": "[field('name')]"
},
"location": {
"value": "[field('location')]"
}
}
}
}
}
}
}
}
}
}
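Review bot: The DeployIfNotExists `details` block at the end of the rule has no `existenceCondition`, so any existing `privateDnsZoneGroups` child on a matched endpoint counts as compliant even when its zone config points at a different zone than the `privateDnsZoneId` parameter; a zone group re-pointed after deployment would therefore never be flagged or remediated. Adding `"existenceCondition": { "field": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/privateDnsZoneConfigs[*].privateDnsZoneId", "equals": "[parameters('privateDnsZoneId')]" }` beside `roleDefinitionIds` pins the expected zone, with the caveat that a conflicting group would then have to be removed before the `deployedByPolicy` deployment can succeed, since a private endpoint appears to accept only one zone group (worth confirming for the 2020-03-01 API used here). Separately, `ResourceType` and `groupId` are two independent allowed-value lists, so an assignment can pair e.g. `Microsoft.Sql/servers` with `table` and silently match nothing; the two parameter descriptions should say the values must belong to the same service, and the `privateDnsZoneId` description says "zone name" where the value is a zone resource ID. The `name` and `displayName` also carry the typo "dosent has builtin policies", which becomes the permanent definition name once deployed.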
Original file line number Diff line number Diff line change
@@ -0,0 +1,143 @@
{
"name": "Configure a private DNS Zone ID for Paas services-Generic policy",
"type": "Microsoft.Authorization/policyDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"mode": "All",
"displayName": "Configure a private DNS Zone ID for Paas services-Generic policy",
"description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint",
"metadata": {
"version": "1.1.0",
"category": "Generic",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud"
]
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
},
"privateDnsZoneId": {
"type": "String",
"metadata": {
"displayName": "Private DNS Zone ID for Paas services",
"description": "The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.",
"strongType": "Microsoft.Network/privateDnsZones",
"assignPermissions": true
}
},
"ResourceType": {
"type": "String",
"metadata": {
"displayName": "PaaS private endpoint resource type",
"description": "The PaaS endpoint resource type."
}
},
"groupId": {
"type": "String",
"metadata": {
"displayName": "PaaS Private endpoint group ID",
"description": "The group ID of the PaaS private endpoint."
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/privateEndpoints"
},
{
"count": {
"field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
"contains": "[parameters('ResourceType')]"
},
{
"field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
"equals": "[parameters('groupId')]"
}
]
}
},
"greaterOrEquals": 1
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"privateDnsZoneId": {
"type": "string"
},
"privateEndpointName": {
"type": "string"
},
"location": {
"type": "string"
}
},
"resources": [
{
"name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
"type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
"apiVersion": "2020-03-01",
"location": "[parameters('location')]",
"properties": {
"privateDnsZoneConfigs": [
{
"name": "PaasService-privateDnsZone",
"properties": {
"privateDnsZoneId": "[parameters('privateDnsZoneId')]"
}
}
]
}
}
]
},
"parameters": {
"privateDnsZoneId": {
"value": "[parameters('privateDnsZoneId')]"
},
"privateEndpointName": {
"value": "[field('name')]"
},
"location": {
"value": "[field('location')]"
}
}
}
}
}
}
}
}
}
}
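Review bot: The `contains` comparison on `privateLinkServiceId` inside the `count.where` clause takes `ResourceType` as free text with no `allowedValues`, so a short or partial value over-matches: `servers` would select SQL, PostgreSQL, MySQL and MariaDB endpoints alike and attach the single assigned zone to all of them, breaking name resolution for every service but one. Anchoring the match to the provider segment, `"contains": "[concat('/providers/', parameters('ResourceType'), '/')]"`, restricts it to the intended resource type; `groupId` is likewise unconstrained while `groupIds[*]` is compared with `equals`, so a misspelt value makes the policy match nothing without any signal at assignment time, which the parameter descriptions should at least warn about. As in the sibling definition, the `details` block has no `existenceCondition`, so an existing zone group pointing at a different zone than `privateDnsZoneId` is reported compliant and is never remediated.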