
I have created a custom policy for adding private endpoints to a Synapse Analytics workspace. See the script below.

"policyRule": {
  "if": {
    "field": "type",
    "equals": "Microsoft.Synapse/workspaces"
  },
  "then": {
    "effect": "DeployIfNotExists",
    "details": {
      "type": "Microsoft.Network/privateEndpoints",
      "existenceScope": "subscription",
      "existenceCondition": {
        "allOf": [
          {
            "allOf": [
              {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                "equals": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Synapse/workspaces/{synapseWorkspaceName}"
              },
              {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "SqlOnDemand"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                "equals": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Synapse/workspaces/{synapseWorkspaceName}"
              },
              {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "Sql"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                "equals": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Synapse/workspaces/{synapseWorkspaceName}"
              },
              {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "dev"
              }
            ]
          }
        ]
      },

But the above policy is Non-Compliant. See the image below.

I believe there are mismatched fields in the script; your help is truly appreciated. Thank you in advance, geez!

  • Are you getting any error with your code? Commented Nov 18, 2024 at 10:56
  • Hi @VenkatV Thank you for responding, no error with the code but when checking Policy - Compliance it says Non-Compliant. Commented Nov 19, 2024 at 1:25
  • Do you want to check non-compliant resources that do not have a private endpoint enabled, or enable the private endpoint if it does not exist? Commented Nov 19, 2024 at 3:55
  • The effect is DeployIfNotExists, then the result after deployment is Compliant. Commented Nov 19, 2024 at 4:18
  • Are you still facing the issue? @Romeo Commented Nov 22, 2024 at 6:32

1 Answer


As mentioned by @Romeo, replacing allOf with anyOf should resolve the issue here. Posting our discussion as an answer for the community benefit.

The allOf operator in a policy rule makes sure that all of the given conditions under a specific block are true; only when they are all satisfied does it evaluate to true and trigger the effect. The anyOf operator, on the other hand, evaluates to true if any one of the included conditions is true.

Refer to the MSDoc explaining multiple policy rules with sample definitions.

Modified existenceCondition block is given below:

Using anyOf rather than allOf checks whether any one of the private endpoint configurations, such as SqlOnDemand, Sql, or dev, exists for the Synapse workspace; the policy then evaluates it as compliant.

"existenceCondition": {
  "anyOf": [
    {
      "allOf": [
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
          "equals": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroup'), '/providers/Microsoft.Synapse/workspaces/', parameters('synapseWorkspaceName'))]"
        },
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
          "equals": "SqlOnDemand"
        }
      ]
    },
    {
      "allOf": [
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
          "equals": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroup'), '/providers/Microsoft.Synapse/workspaces/', parameters('synapseWorkspaceName'))]"
        },
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
          "equals": "Sql"
        }
      ]
    },
    {
      "allOf": [
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
          "equals": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroup'), '/providers/Microsoft.Synapse/workspaces/', parameters('synapseWorkspaceName'))]"
        },
        {
          "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
          "equals": "dev"
        }
      ]
    }
  ]
},

Definition created successfully:


Refer to the MSDoc to explore all the logical operators available in the Azure Policy definition structure.
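To make the allOf-versus-anyOf point concrete, here is an added example (not code from the question or the answer) that evaluates the page's existenceCondition with a small Python model of the policy rule language against a constructed private endpoint. It assumes the resource is flattened to alias-to-values lists, that a "[*]" field matches when any element equals the value (exact for the single-connection endpoints built here; Azure's full "[*]" semantics for multi-element arrays are not modelled), and uses a constructed workspace resource id.

```python
# Added example, not from the question or answer: minimal evaluator for the
# allOf / anyOf / field-equals subset of the Azure Policy rule language, run over
# constructed private endpoint resources to show why the original allOf block can
# never be satisfied by one endpoint while the anyOf block can.
# Assumptions: the resource is flattened to {alias: [values]}, and a "[*]" field
# matches when any element equals the value (real Azure "[*]" semantics for
# multi-element arrays are not modelled; the endpoints here have one element each).

PLS_ID = "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId"
GROUP_IDS = "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]"
# Constructed workspace id standing in for the concat(...parameters(...)) expression.
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                "rg-demo/providers/Microsoft.Synapse/workspaces/syn-demo")

def evaluate(condition, resource):
    """Evaluate an allOf / anyOf / field+equals condition against a flattened resource."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    return condition["equals"] in resource.get(condition["field"], [])

def existence_condition(operator):
    """Build the page's existenceCondition with 'allOf' or 'anyOf' as the top operator."""
    per_group = [
        {"allOf": [{"field": PLS_ID, "equals": WORKSPACE_ID},
                   {"field": GROUP_IDS, "equals": group}]}
        for group in ("SqlOnDemand", "Sql", "dev")
    ]
    return {operator: per_group}

def make_endpoint(target_id, group_id):
    """Constructed sample private endpoint: one connection with one groupId."""
    return {"type": "Microsoft.Network/privateEndpoints",
            "properties": {"privateLinkServiceConnections": [
                {"properties": {"privateLinkServiceId": target_id, "groupIds": [group_id]}}]}}

def flatten_endpoint(endpoint):
    """Map the endpoint's nested properties onto the two aliases the policy reads."""
    conns = endpoint["properties"]["privateLinkServiceConnections"]
    return {PLS_ID: [c["properties"]["privateLinkServiceId"] for c in conns],
            GROUP_IDS: [g for c in conns for g in c["properties"]["groupIds"]]}

def is_compliant(operator, endpoint):
    """True if the existenceCondition (with the given top operator) matches the endpoint."""
    return evaluate(existence_condition(operator), flatten_endpoint(endpoint))

if __name__ == "__main__":
    sql_pe = make_endpoint(WORKSPACE_ID, "Sql")
    print("allOf:", is_compliant("allOf", sql_pe))  # False: one groupId cannot equal all three
    print("anyOf:", is_compliant("anyOf", sql_pe))  # True
```

An endpoint whose privateLinkServiceId points at a different workspace still fails under anyOf, so the fix does not loosen the target check, only the per-group one.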
