I have created a custom policy for adding private endpoints on a Synapse Analytics Workspace. See the script below.
```json
"policyRule": {
  "if": {
    "field": "type",
    "equals": "Microsoft.Synapse/workspaces"
  },
  "then": {
    "effect": "DeployIfNotExists",
    "details": {
      "type": "Microsoft.Network/privateEndpoints",
      "existenceScope": "subscription",
      "existenceCondition": {
        "allOf": [
          {
            "allOf": [
              {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                "equals": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Synapse/workspaces/{synapseWorkspaceName}"
              },
              {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "SqlOnDemand"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                "equals": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Synapse/workspaces/{synapseWorkspaceName}"
              },
              {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "Sql"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                "equals": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Synapse/workspaces/{synapseWorkspaceName}"
              },
              {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "dev"
              }
            ]
          }
        ]
      },
```
But the above policy is Non-Compliant. See the image below.
I believe there are mismatched fields in the script; your help is truly appreciated. Thank you in advance, geez!
asked Nov 18, 2024 at 10:54 by Romeo; edited Nov 19, 2024 at 16:13 by artless-noise-bye-due2AI

Comments:
- Are you getting any error with your code? – Venkat V, Nov 18, 2024 at 10:56
- Hi @VenkatV, thank you for responding. No error with the code, but when checking Policy - Compliance it says Non-Compliant. – Romeo, Nov 19, 2024 at 1:25
- Do you want to check non-compliant resources that do not have a private endpoint enabled, or enable the private endpoint if it does not exist? – Venkat V, Nov 19, 2024 at 3:55
- The effect is DeployIfNotExists, so the result after deployment is Compliant. – Romeo, Nov 19, 2024 at 4:18
- Are you still facing the issue? @Romeo – Jahnavi, Nov 22, 2024 at 6:32
1 Answer
As mentioned by @Romeo, replacing allOf with anyOf should resolve the issue here. Posting our discussion as an answer for the community's benefit.

The allOf operator in a policy rule requires that all of the conditions under a specific block be true; only when they are all satisfied does the evaluation pass and the effect get triggered. The anyOf operator, by contrast, evaluates to true if any one of the included conditions is true.

Refer to the MS Doc explaining multiple policy rules with sample definitions.
The modified existenceCondition block is given below. Using anyOf rather than allOf checks whether any one of the private endpoint configurations, such as SqlOnDemand, Sql, or dev, exists for the Synapse workspace; if so, the policy evaluates it as compliant.
```json
"existenceCondition": {
  "anyOf": [
    {
      "allOf": [
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
          "equals": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroup'), '/providers/Microsoft.Synapse/workspaces/', parameters('synapseWorkspaceName'))]"
        },
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
          "equals": "SqlOnDemand"
        }
      ]
    },
    {
      "allOf": [
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
          "equals": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroup'), '/providers/Microsoft.Synapse/workspaces/', parameters('synapseWorkspaceName'))]"
        },
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
          "equals": "Sql"
        }
      ]
    },
    {
      "allOf": [
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
          "equals": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroup'), '/providers/Microsoft.Synapse/workspaces/', parameters('synapseWorkspaceName'))]"
        },
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
          "equals": "dev"
        }
      ]
    }
  ]
},
```
Definition created successfully:
Refer to the MS Doc to explore all the logical operators available in the Azure Policy definition structure.
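To make the allOf/anyOf difference concrete, here is an added Python illustration (not Azure's evaluation engine and not code from this answer) that applies the documented `[*]` rule, every expanded array element must satisfy the condition, to a constructed private endpoint: the original allOf condition can never be met by one endpoint, because its groupIds would have to equal SqlOnDemand, Sql and dev at the same time, while the anyOf version passes as soon as one of them is present. The workspace ID and the endpoint documents are constructed sample values, and the evaluator only supports the operators used on this page.

```python
def _walk(obj, parts: list[str]) -> list:
    """Expand an alias path such as 'a[*].b[*]' into every leaf value it reaches."""
    if not parts:
        return [obj]
    if not isinstance(obj, dict):
        return []
    head, rest = parts[0], parts[1:]
    if head.endswith("[*]"):  # fan out over each element of that array
        return [v for item in obj.get(head[:-3], []) for v in _walk(item, rest)]
    return _walk(obj.get(head), rest) if head in obj else []

def evaluate(condition: dict, resource: dict) -> bool:
    """Evaluate an allOf / anyOf / field-equals condition against one resource."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    # Aliases read 'Microsoft.Network/privateEndpoints/<path into properties>'.
    path = condition["field"].rsplit("/", 1)[-1].split(".")
    values = _walk(resource.get("properties", {}), path)
    # Documented [*] semantics: true only when every expanded element matches
    # (simplifying assumption here: an empty expansion counts as false).
    return bool(values) and all(v == condition["equals"] for v in values)

def has_matching_endpoint(condition: dict, endpoints: list[dict]) -> bool:
    """existenceCondition semantics: the workspace is compliant (no deployment is
    triggered) as soon as at least one related endpoint satisfies the condition."""
    return any(evaluate(condition, ep) for ep in endpoints)

# Constructed sample identifiers; the real policy builds this ID from parameters.
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                "rg-demo/providers/Microsoft.Synapse/workspaces/syn-demo")
ALIAS = "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]."

def _connection_to(group_id: str) -> dict:
    return {"allOf": [
        {"field": ALIAS + "privateLinkServiceId", "equals": WORKSPACE_ID},
        {"field": ALIAS + "groupIds[*]", "equals": group_id},
    ]}

ORIGINAL = {"allOf": [_connection_to(g) for g in ("SqlOnDemand", "Sql", "dev")]}
CORRECTED = {"anyOf": [_connection_to(g) for g in ("SqlOnDemand", "Sql", "dev")]}

def endpoint(target_id: str, group_id: str) -> dict:
    """Constructed private endpoint document with one connection to target_id."""
    return {"properties": {"privateLinkServiceConnections": [
        {"privateLinkServiceId": target_id, "groupIds": [group_id]}]}}
```

Because DeployIfNotExists only deploys when the existence check fails, the allOf version leaves the workspace non-compliant even after an endpoint has been deployed.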
Tags: azure, Custom Policy for Synapse Analytics Private Endpoint Non-Compliant, Stack Overflow