Bug Report: Incorrect role assignments for policy Deploy-Private-DNS-Generic #1209

Open
w3b3rf opened this issue Nov 28, 2024 · 0 comments

w3b3rf commented Nov 28, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform: 1.9.8

azure provider: 3.108

module: 6.2.0

Description

Describe the bug

The policy Deploy-Private-DNS-Generic can be used to add private DNS zone records for resources not supported by the default policy Deploy-Private-DNS-Zones. Using the generic policy does not work, however, since the required role assignment on the connectivity management group scope is not set.

Steps to Reproduce

  1. Add policy assignment for policy Deploy-Private-DNS-Generic and configure the required parameters
  2. Check policy compliance and create remediation task
  3. Remediation task will fail with the following error message:
    LinkedAuthorizationFailed
    The client '********-****-****-****-************' with object id '********-****-****-****-************' has permission to perform action 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write' on scope '/subscriptions/***-application-landing-zone-subscription-***/resourcegroups/**********/providers/Microsoft.Network/privateEndpoints/********-psql/privateDnsZoneGroups/deployedByPolicy'; however, it does not have permission to perform action(s) 'Microsoft.Network/privateDnsZones/join/action' on the linked scope(s) '/subscriptions/***-connectivity-subscription-***/resourceGroups/******-dns/providers/Microsoft.Network/privateDnsZones/privatelink.postgres.database.azure.com' (respectively) or the linked scope(s) are invalid.

Screenshots

Additional context

I think this is similar to #794. Reading the commits there I was able to create a workaround outside of the module with this code:

# We use policy Deploy-Private-DNS-Generic to add Private DNS Zone records for resources that are not supported by the default policy Deploy-Private-DNS-Zones
# Permissions for this policy are not correctly assigned, so this creates the required assignments
resource "azurerm_role_assignment" "private_dns_zone_contributor_connectivity" {
  # Create role assignment for each policy assignment that uses the policy Deploy-Private-DNS-Generic
  for_each             = { for k, v in module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale : k => v if endswith(v.policy_definition_id, "policyDefinitions/Deploy-Private-DNS-Generic") }
  provider             = azurerm.connectivity
  role_definition_name = "Private DNS Zone Contributor"
  scope                = "/providers/Microsoft.Management/managementGroups/${var.root_id}-connectivity"
  principal_id         = each.value.identity[0].principal_id
}
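As an added example (not code from the issue or from the enterprise-scale module), the following Python script models offline the Azure RBAC evaluation that produces the LinkedAuthorizationFailed error quoted above: the write on the privateDnsZoneGroup in the application subscription and the join on the private DNS zone in the connectivity subscription are authorised separately, each against its own scope, and a role assignment only reaches a subscription through path prefix or through the management-group tree. The management-group names, subscription ids, resource paths and the role action lists are constructed sample data (the two role definitions are a subset of the built-in ones, assumed from the Azure documentation); the "before" assignment at the landing-zones management group is an assumption that matches what the error message reveals, namely that the primary write is allowed.

```python
"""Offline model of the Azure RBAC linked-access check behind the
LinkedAuthorizationFailed error in the issue. Added example; not code from
the issue or from the enterprise-scale module. All scope names, the
role/action lists and the assignment table are constructed sample data."""
from fnmatch import fnmatchcase

MG = "/providers/microsoft.management/managementgroups/"

# Management-group tree (constructed). Azure resolves this itself; the model
# needs it explicitly because a subscription scope string carries no MG name.
PARENT = {
    MG + "es-connectivity": MG + "es",
    MG + "es-landing-zones": MG + "es",
    "/subscriptions/conn-sub": MG + "es-connectivity",
    "/subscriptions/app-sub": MG + "es-landing-zones",
}

# Subset of the built-in role definitions (assumed from the Azure docs).
ROLES = {
    "Network Contributor": {"actions": ["Microsoft.Network/*"], "notActions": []},
    "Private DNS Zone Contributor": {
        "actions": ["Microsoft.Network/privateDnsZones/*"], "notActions": []},
    "Reader": {"actions": ["*/read"], "notActions": []},
}


def scope_covers(assignment_scope, target_scope):
    """True if a role assigned at assignment_scope applies to target_scope.
    Scope comparison is case-insensitive (the quoted error mixes
    /resourcegroups/ and /resourceGroups/). An assignment applies to
    everything below it: by path prefix inside a subscription, and through
    the management-group tree for subscriptions placed under an MG."""
    a, t = assignment_scope.lower(), target_scope.lower()
    if t == a or t.startswith(a.rstrip("/") + "/"):
        return True
    node = "/".join(t.split("/")[:3]) if t.startswith("/subscriptions/") else t
    while node in PARENT:
        node = PARENT[node]
        if node == a:
            return True
    return False


def action_matches(pattern, action):
    """Role actions use '*' wildcards, e.g. Microsoft.Network/privateDnsZones/*."""
    return fnmatchcase(action.lower(), pattern.lower())


def allowed(principal, action, scope, assignments):
    """One (action, scope) pair is granted if some assignment for the principal
    covers the scope and its role lists a matching Action without a matching
    NotAction (NotActions subtract from Actions; they are not deny rules)."""
    for who, role, at in assignments:
        if who != principal or not scope_covers(at, scope):
            continue
        d = ROLES[role]
        if any(action_matches(p, action) for p in d["actions"]) and \
           not any(action_matches(p, action) for p in d["notActions"]):
            return True
    return False


def check_linked(principal, primary, linked, assignments):
    """A write that references resources in other scopes must pass the
    primary check and one check per linked (action, scope) pair."""
    action, scope = primary
    if not allowed(principal, action, scope, assignments):
        return "AuthorizationFailed", f"{action} on {scope}"
    for l_action, l_scope in linked:
        if not allowed(principal, l_action, l_scope, assignments):
            return "LinkedAuthorizationFailed", f"{l_action} on {l_scope}"
    return "OK", ""


# The request from the quoted error: write a privateDnsZoneGroup on a private
# endpoint in the application subscription, linking a zone in connectivity.
POLICY_MI = "policy-assignment-identity"
PRIMARY = ("Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
           "/subscriptions/app-sub/resourcegroups/app-rg/providers/Microsoft.Network"
           "/privateEndpoints/app-psql/privateDnsZoneGroups/deployedByPolicy")
LINKED = [("Microsoft.Network/privateDnsZones/join/action",
           "/subscriptions/conn-sub/resourceGroups/dns-rg/providers/Microsoft.Network"
           "/privateDnsZones/privatelink.postgres.database.azure.com")]

# Before: the identity only holds a role at the landing-zones MG (assumed; the
# error message only tells us the primary write is allowed there).
BEFORE = [(POLICY_MI, "Network Contributor", MG + "es-landing-zones")]

# After: the workaround from the issue, Private DNS Zone Contributor at the
# connectivity MG, which reaches conn-sub through the MG tree.
AFTER = BEFORE + [(POLICY_MI, "Private DNS Zone Contributor", MG + "es-connectivity")]

if __name__ == "__main__":
    print(check_linked(POLICY_MI, PRIMARY, LINKED, BEFORE))
    print(check_linked(POLICY_MI, PRIMARY, LINKED, AFTER))
```

Running the script prints the failed linked check for the "before" table and OK for the "after" table. The point the model makes explicit is that Network Contributor already contains the join action, so the fix is about scope, not about a missing permission in the role: the assignment has to sit somewhere above the connectivity subscription (the connectivity management group, the subscription, or the DNS resource group), which is what the workaround above does.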