Policy Assignment Deploy-Private-DNS-Zones of archetype es_corp is missing permissions on Connectivity Management Group #310
Comments
@nikolai-fra this is a great ask, and very timely too as we were discussing this just last week. To create the Role Assignments, we have to determine the Role Definition(s) required by the Policy Definition(s) being assigned. This is one of the steps already performed by the module. We then need to identify the scope(s) at which the Role Assignment(s) need to be created. Currently we are only able to use the scope of the corresponding Policy Assignment, but we are looking to make use of the relatively new metadata values for parameters within a Policy Definition which allow us to identify parameters which contain a resource ID for something which the Role Assignment must cover. You can see a little more about this by reviewing the This may take a while to reach the top of our backlog, but we are hoping to use this feature to drive support for additional scopes when creating these Role Assignments, and you can see how we've already created a placeholder in the code for this in the following refactor for how we create Role Assignments to fix #266 (pending PR):
Going to close as tracking on #439
Versions
terraform: v1.0.11
azure provider: 2.86.0
module: v1.1.0
Description
We have defined a custom landing zone with archetype_id es_corp below the "${var.root_id}-landing-zones" Management Group. The es_corp archetype assigns the Deploy-Private-DNS-Zones policy set on its scope. This policy set contains among others the policy "Configure Container registries to use private DNS zones" (with id /providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32). That's a DINE policy linking private endpoints in landing zones via privateDnsZoneGroup to the Privatelink Private DNS Zone deployed in the Connectivity Subscription. Now when deploying a Private Endpoint for an ACR the DINE deployment fails with the following error message:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"LinkedAuthorizationFailed","message":"The client '<some id>' with object id 'XXXXX' has permission to perform action 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write' on scope '/subscriptions/<subscription id below landingzone management group>/resourcegroups/<some rg>/providers/Microsoft.Network/privateEndpoints/private-endpoint-<some name>/privateDnsZoneGroups/deployedByPolicy'; however, it does not have permission to perform action 'Microsoft.Network/privateDnsZones/join/action' on the linked scope(s) '/subscriptions/<connectivity subscripition>/resourceGroups/<root_id>-dns/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net' or the linked scope(s) are invalid."}]}
(error message edited to redact IDs) The XXXXX object_id matches the SystemAssigned identity of the policy set assignment in Azure AD (Enterprise application "Deploy-Private-DNS-Zones").
The policy mentioned above defines
"roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" ]
(= Network Contributor) The Network Contributor role is assigned at the management group level at the scope the policy set is assigned (with two more roles coming from the policy set assignment: ). But the SystemAssigned Identity does NOT have any permissions at the Connectivity subscription scope.
Hence the error.
When we've deployed custom policies to DINE privateDnsZoneGroups for private link subresources not covered by the built-in policies we encountered the exact same error. We added a role assignment at the Connectivity subscription scope (and the landing zone MG scope of course) and the DINE deployments worked afterwards.
Probably the CAF module should add such a role assignment at the Connectivity Management Group scope?
Note: We have not deployed the "Connectivity Resources" via this module. We have deployed the required Privatelink Private DNS Zones in the required resource group with our own terraform code. But I was not able to find the missing role assignment in this module's code to be created when the "Connectivity Resources" would be used.
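The scoping rule the maintainer describes and the gap this issue reports, as an added example (Python; not code from the issue or the module): required role assignments are the assignment scope plus every parameter whose definition metadata carries assignPermissions, and an assignment held at any ancestor scope covers the child. The management group hierarchy, subscription IDs and DNS zone ID are constructed; the Network Contributor GUID is the one quoted above.

```python
# Added example, not code from the issue or the module. The hierarchy, subscription
# and DNS zone IDs below are constructed; the role GUID is the one quoted in the issue.
NETWORK_CONTRIBUTOR = "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
MG = "/providers/Microsoft.Management/managementGroups/"
HIERARCHY = {  # child scope -> parent scope (management groups are not path prefixes)
    MG + "es-landing-zones": MG + "es",
    MG + "es-connectivity": MG + "es",
    "/subscriptions/1111": MG + "es-landing-zones",  # a landing zone subscription
    "/subscriptions/2222": MG + "es-connectivity",   # the connectivity subscription
}

def parent_scope(scope):
    """Next scope up in the Azure hierarchy, or None at the root."""
    if scope in HIERARCHY:
        return HIERARCHY[scope]
    low = scope.lower()
    if low.startswith("/subscriptions/") and "/providers/" in low:
        return scope[: low.index("/providers/")]       # resource -> resource group
    if "/resourcegroups/" in low:
        return scope[: low.index("/resourcegroups/")]  # resource group -> subscription
    return None

def ancestors(scope):
    """Yield scope, then every parent up to the root; RBAC inherits downward."""
    while scope:
        yield scope
        scope = parent_scope(scope)

def required_role_assignments(policy_def, assignment_scope, assignment_params):
    """(role_definition_id, scope) pairs the identity must hold: assignment scope + assignPermissions parameters."""
    required = set()
    for role_id in policy_def["policyRule"]["then"]["details"]["roleDefinitionIds"]:
        required.add((role_id, assignment_scope))
        for name, pdef in policy_def.get("parameters", {}).items():
            if pdef.get("metadata", {}).get("assignPermissions") and name in assignment_params:
                required.add((role_id, assignment_params[name]))
    return required

def missing_role_assignments(policy_def, assignment_scope, assignment_params, existing):
    """Required pairs not covered by `existing` at the scope itself or any ancestor."""
    required = required_role_assignments(policy_def, assignment_scope, assignment_params)
    return sorted((r, s) for r, s in required
                  if not any((r, a) in existing for a in ancestors(s)))
# Constructed definition shaped like the built-in "Configure ... private DNS zones" DINE.
POLICY_DEF = {
    "parameters": {"privateDnsZoneId": {"type": "String", "metadata": {"assignPermissions": True}}},
    "policyRule": {"then": {"details": {"roleDefinitionIds": [NETWORK_CONTRIBUTOR]}}},
}
DNS_ZONE = "/subscriptions/2222/resourceGroups/es-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io"
```

With only the assignment-scope role (what the issue describes), the check reports the DNS zone scope as uncovered; adding the role at the connectivity management group clears it.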