
azure - Custom Policy for Synapse Analytics Private Endpoint Non-Compliant - Stack Overflow


I have created a custom policy for adding private endpoints on a Synapse Analytics Workspace. See the script below.

"policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Synapse/workspaces"
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Network/privateEndpoints",
          "existenceScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "equals": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Synapse/workspaces/{synapseWorkspaceName}"
                  },
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "SqlOnDemand"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "equals": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Synapse/workspaces/{synapseWorkspaceName}"
                  },
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "Sql"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "equals": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Synapse/workspaces/{synapseWorkspaceName}"
                  },
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "dev"
                  }
                ]
              }
            ]
          },

But the above policy is Non-Compliant. See the image below.

I believe there are mismatched fields in the script; your help is truly appreciated. Thank you in advance, geez!


Asked Nov 18, 2024 at 10:54 by Romeo; edited Nov 19, 2024 at 16:13 by artless-noise-bye-due2AI. 7 comments:
  • Are you getting any error with your code? – Venkat V Commented Nov 18, 2024 at 10:56
  • Hi @VenkatV Thank you for responding, no error with the code but when checking Policy - Compliance it says Non-Compliant. – Romeo Commented Nov 19, 2024 at 1:25
  • Do you want to check non-compliant resources that do not have a private endpoint enabled, or enable the private endpoint if it does not exist? – Venkat V Commented Nov 19, 2024 at 3:55
  • The effect is DeployIfNotExists, then the result after deployment is Compliant. – Romeo Commented Nov 19, 2024 at 4:18
  • Are you still facing the issue? @Romeo – Jahnavi Commented Nov 22, 2024 at 6:32

1 Answer


As mentioned by @Romeo, replacing allOf with anyOf should resolve the issue here. Posting our discussion as an answer for the community's benefit.

The allOf operator in a policy rule makes sure that all the given conditions under a specific block are true; only when they are all satisfied does it evaluate and trigger the effect. Whereas the anyOf operator evaluates to true if any one of the included conditions is true.

Refer to the MSDoc explaining multiple policy rules with sample definitions.

The modified existenceCondition block is given below:

Using anyOf rather than allOf checks whether any one of the private endpoint configurations (SqlOnDemand, Sql, or dev) exists on the Synapse workspace; the policy then evaluates it as compliant.

"existenceCondition": {
  "anyOf": [
    {
      "allOf": [
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
          "equals": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroup'), '/providers/Microsoft.Synapse/workspaces/', parameters('synapseWorkspaceName'))]"
        },
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
          "equals": "SqlOnDemand"
        }
      ]
    },
    {
      "allOf": [
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
          "equals": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroup'), '/providers/Microsoft.Synapse/workspaces/', parameters('synapseWorkspaceName'))]"
        },
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
          "equals": "Sql"
        }
      ]
    },
    {
      "allOf": [
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
          "equals": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroup'), '/providers/Microsoft.Synapse/workspaces/', parameters('synapseWorkspaceName'))]"
        },
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
          "equals": "dev"
        }
      ]
    }
  ]
},

Definition created successfully:

Refer to the MSDoc for all the logical operators available in the Azure Policy definition structure.
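The allOf-versus-anyOf point from the question and answer above, as an added example that is not part of the original post and is not Azure's policy engine: a small Python evaluator for the condition subset this page uses (allOf, anyOf, not, and "field … equals" over [*] aliases), run against three constructed private endpoints, one per Synapse groupId. The subscription ID, resource group, workspace name, endpoint names and the reading of equals over a [*] alias as "every addressed element must match" are my assumptions. It also exercises the other difference visible between the two JSON blocks: the question compares privateLinkServiceId against the literal text "/subscriptions/{subscriptionId}/…", which Azure Policy does not substitute, so it never equals a real resource ID, whereas the answer assembles the ID from parameters().

```python
"""Added illustration: a tiny evaluator for the Azure Policy condition
subset used on this page, applied to constructed private-endpoint records.
Not the question's, the answer's, or Azure's own code."""

# Constructed sample IDs; SUBSCRIPTION_ID is an obvious placeholder.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
WORKSPACE_ID = (
    f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-data"
    "/providers/Microsoft.Synapse/workspaces/syn-demo"
)
# The literal string the original question compared against. Azure Policy
# does not expand {subscriptionId}-style tokens, so this is plain text.
PLACEHOLDER_ID = (
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}"
    "/providers/Microsoft.Synapse/workspaces/{synapseWorkspaceName}"
)

ALIAS_PREFIX = "Microsoft.Network/privateEndpoints/"


def private_endpoint(name, link_id, group_id):
    """Constructed private endpoint as the policy engine would see it.
    One private link service connection carries one groupId."""
    return {
        "name": name,
        "privateLinkServiceConnections": [
            {"privateLinkServiceId": link_id, "groupIds": [group_id]}
        ],
    }


# Constructed existenceScope: one private endpoint per Synapse sub-resource.
PRIVATE_ENDPOINTS = [
    private_endpoint("pe-sqlondemand", WORKSPACE_ID, "SqlOnDemand"),
    private_endpoint("pe-sql", WORKSPACE_ID, "Sql"),
    private_endpoint("pe-dev", WORKSPACE_ID, "dev"),
]


def resolve_alias(resource, alias):
    """Return every value addressed by an alias such as
    'Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]'.
    Each [*] fans out over the array found at that position."""
    values = [resource]
    for part in alias[len(ALIAS_PREFIX):].split("."):
        fanout = part.endswith("[*]")
        key = part[:-3] if fanout else part
        next_values = []
        for value in values:
            child = value.get(key)
            if child is None:
                continue
            if fanout:
                next_values.extend(child)
            else:
                next_values.append(child)
        values = next_values
    return values


def evaluate(condition, resource):
    """Evaluate a policy condition tree against a single resource."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    values = resolve_alias(resource, condition["field"])
    # Assumed [*] semantics: 'equals' holds only when every addressed element
    # matches, and fails when the alias addresses nothing at all.
    return bool(values) and all(v == condition["equals"] for v in values)


def leg(link_id, group_id):
    """One inner allOf block from the page: right workspace AND one groupId."""
    return {"allOf": [
        {"field": ALIAS_PREFIX + "privateLinkServiceConnections[*].privateLinkServiceId",
         "equals": link_id},
        {"field": ALIAS_PREFIX + "privateLinkServiceConnections[*].groupIds[*]",
         "equals": group_id},
    ]}


def existence_condition(operator, link_id):
    """The page's existenceCondition with the outer operator set to
    'allOf' (the question) or 'anyOf' (the answer)."""
    return {operator: [leg(link_id, g) for g in ("SqlOnDemand", "Sql", "dev")]}


def matching_endpoints(condition, endpoints=PRIVATE_ENDPOINTS):
    """Names of the in-scope endpoints that satisfy the existence condition."""
    return [pe["name"] for pe in endpoints if evaluate(condition, pe)]


def compliant(condition, endpoints=PRIVATE_ENDPOINTS):
    """DeployIfNotExists reports compliant when at least one related resource
    inside existenceScope satisfies existenceCondition."""
    return bool(matching_endpoints(condition, endpoints))


if __name__ == "__main__":
    for op in ("allOf", "anyOf"):
        cond = existence_condition(op, WORKSPACE_ID)
        print(f"{op:5} with real workspace ID -> compliant={compliant(cond)} "
              f"matches={matching_endpoints(cond)}")
    cond = existence_condition("anyOf", PLACEHOLDER_ID)
    print(f"anyOf with literal placeholder ID -> compliant={compliant(cond)}")
```

Running it shows the outer allOf never matching: no single private endpoint can have a groupId equal to SqlOnDemand, Sql and dev at the same time, so the condition is unsatisfiable regardless of what exists in the subscription, while the anyOf form matches each of the three endpoints. The final line shows that even the anyOf form stays non-compliant if the privateLinkServiceId is left as the literal placeholder text instead of a real (parameter-built) resource ID.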
