
[Preview]: Configure Azure Key Vaults with private endpoints: Incorrectly reports resources as non-compliant #862

Open
valtynikov opened this issue Nov 17, 2021 · 12 comments

@valtynikov

Details of the scenario you tried and the problem that is occurring

The policy successfully detected and created a private endpoint for a Key Vault but keeps reporting the Key Vault as non-compliant.

Reason for non-compliance
No related resources match the effect details in the policy definition. (Error code: Not Found)

Existence condition

Type
Microsoft.KeyVault/vaults/privateEndpointConnections

Verbose logs showing the problem

N/A

Suggested solution to the issue

N/A

If policy is Guest Configuration - details about target node

N/A

@nehakulkarni123
Collaborator

Hi @valtynikov, can you please provide the policyDefinition ID for this policy so I can investigate further?

@valtynikov
Author

@nehakulkarni123 the policy definition ID is /providers/Microsoft.Authorization/policyDefinitions/9d4fad1f-5189-4a42-b29e-cf7929c6b6df. Thanks!

@nehakulkarni123
Collaborator

Thank you. Since the private endpoint was created, it seems that the existenceCondition is correct. How long has the vault remained non-compliant after private endpoint deployment? Is it still non-compliant?

@valtynikov
Author

@nehakulkarni123 the policy keeps reporting the Key Vault non-compliant, even days after the private endpoint was created. Also, it's reporting other Key Vaults that already had private endpoints associated with them as non-compliant.

@valtynikov
Author

@nehakulkarni123 please let me know if you need any additional information. The policy's been enabled for a few weeks now and is still reporting that the Key Vault is non-compliant, even though it definitely has an associated private endpoint.

@nehakulkarni123
Collaborator

Adding @sebansal from the Key Vault team to address @valtynikov's question.

@valtynikov
Author

@sebansal hello, just wanted to check if there's anything else I can assist with to troubleshoot the issue.

@nehakulkarni123
Collaborator

Hi @valtynikov, another approach would be to reach out to the support team. They will be able to take a look at your specific environment and offer specific feedback.

@valtynikov
Author

@nehakulkarni123 sure, I can reach out to the support team. Would they support it even though it's still in preview?

@dani3lheidemann

Hi all, I'm facing the same issue as @valtynikov.
It seems that for Key Vaults, the sub-resource "Microsoft.KeyVault/vaults/privateEndpointConnections" for the Private Endpoint configuration is missing from the ARM template. For this reason, the Azure Policy DINE existence condition cannot check the Private Endpoint configuration on the Key Vault resource.

Here is a comparison:

Export of the Key Vault ARM template with Private Endpoint:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vaults_kv_test_hd6_name": {
            "defaultValue": "kv-test-hd6",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2022-07-01",
            "name": "[parameters('vaults_kv_test_hd6_name')]",
            "location": "germanywestcentral",
            "properties": {
                "sku": {
                    "family": "A",
                    "name": "Standard"
                },
                "tenantId": "xxx",
                "accessPolicies": [
                    {
                        "tenantId": "xxx",
                        "objectId": "xxx",
                        "permissions": {
                            "keys": [
                                "Get",
                                "List",
                                "Update",
                                "Create",
                                "Import",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore",
                                "GetRotationPolicy",
                                "SetRotationPolicy",
                                "Rotate"
                            ],
                            "secrets": [
                                "Get",
                                "List",
                                "Set",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore"
                            ],
                            "certificates": [
                                "Get",
                                "List",
                                "Update",
                                "Create",
                                "Import",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore",
                                "ManageContacts",
                                "ManageIssuers",
                                "GetIssuers",
                                "ListIssuers",
                                "SetIssuers",
                                "DeleteIssuers"
                            ]
                        }
                    }
                ],
                "enabledForDeployment": false,
                "enabledForDiskEncryption": false,
                "enabledForTemplateDeployment": false,
                "enableSoftDelete": true,
                "softDeleteRetentionInDays": 7,
                "enableRbacAuthorization": false,
                "vaultUri": "[concat('https://', parameters('vaults_kv_test_hd6_name'), '.vault.azure.net/')]",
                "provisioningState": "Succeeded",
                "publicNetworkAccess": "Enabled"
            }
        }
    ]
}

Notice: NO Private Endpoint sub-resource.

Export of Storage Account ARM Template with Private Endpoint:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "storageAccounts_xxx_name": {
            "defaultValue": "xxx",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-05-01",
            "name": "[parameters('storageAccounts_xxx_name')]",
            "location": "northcentralus",
            "sku": {
                "name": "Standard_LRS",
                "tier": "Standard"
            },
            "kind": "StorageV2",
            "properties": {
                "minimumTlsVersion": "TLS1_2",
                "allowBlobPublicAccess": false,
                "networkAcls": {
                    "bypass": "AzureServices",
                    "virtualNetworkRules": [],
                    "ipRules": [],
                    "defaultAction": "Allow"
                },
                "supportsHttpsTrafficOnly": true,
                "encryption": {
                    "services": {
                        "file": {
                            "keyType": "Account",
                            "enabled": true
                        },
                        "blob": {
                            "keyType": "Account",
                            "enabled": true
                        }
                    },
                    "keySource": "Microsoft.Storage"
                },
                "accessTier": "Cool"
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/privateEndpointConnections",
            "apiVersion": "2022-05-01",
            "name": "[concat(parameters('storageAccounts_xxx_name'), '/', parameters('storageAccounts_xxx_name'), '.5ec963bc-3520-43ff-ab25-bbf3ca0aed18')]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccounts_xxx_name'))]"
            ],
            "properties": {
                "provisioningState": "Succeeded",
                "privateEndpoint": {},
                "privateLinkServiceConnectionState": {
                    "status": "Approved",
                    "description": "Auto-Approved",
                    "actionRequired": "None"
                }
            }
        }
    ]
}

Notice the Private Endpoint sub-resource for the Storage Account.

For the Storage Account, there is a sub-resource in the ARM template that matches the Existence Condition. For Key Vault this sub-resource is missing, although a Private Endpoint is configured. This looks like a bug to me.

Can anyone from Microsoft check this?

Thanks!
Daniel
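
To make the comparison above concrete, here is an added example (not code from this issue and not Azure Policy's own evaluator) that mimics the DINE existence check over the two exports: it walks a template's resources list, looks for child resources of the existenceCondition type nested under each parent, and reports the portal's "Not Found" reason when none is present. The trimmed templates and resource names are constructed stand-ins.

```python
# Constructed, trimmed stand-ins for the two exports in the comment above:
# the Key Vault export has no privateEndpointConnections child resource,
# the Storage Account export does. Resource names are hypothetical.
KEYVAULT_EXPORT = {
    "resources": [
        {"type": "Microsoft.KeyVault/vaults", "name": "kv-test-hd6",
         "properties": {"publicNetworkAccess": "Enabled"}},
    ]
}
STORAGE_EXPORT = {
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "stexample"},
        {"type": "Microsoft.Storage/storageAccounts/privateEndpointConnections",
         "name": "stexample/stexample.5ec963bc-3520-43ff-ab25-bbf3ca0aed18",
         "properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}},
    ]
}

# Wording of the non-compliance reason quoted in the issue description.
NOT_FOUND = ("No related resources match the effect details in the policy "
             "definition. (Error code: Not Found)")


def related_resources(template, parent_name, child_type):
    """Child resources of child_type nested under parent_name ('<parent>/<child>')."""
    prefix = parent_name.lower() + "/"
    return [r for r in template["resources"]
            if r["type"].lower() == child_type.lower()
            and r["name"].lower().startswith(prefix)]


def evaluate_existence(template, parent_type, child_type):
    """Mimic the deployIfNotExists existence check for every parent_type
    resource: compliant only if at least one related child_type resource exists.
    Returns {parent_name: (compliant, reason)}."""
    verdicts = {}
    for res in template["resources"]:
        if res["type"].lower() != parent_type.lower():
            continue
        matches = related_resources(template, res["name"], child_type)
        if matches:
            verdicts[res["name"]] = (True, f"{len(matches)} related {child_type}")
        else:
            verdicts[res["name"]] = (False, NOT_FOUND)
    return verdicts
```

Run against the Key Vault export the check yields the same "Not Found" verdict the reporter sees, even though a private endpoint exists on the real vault; against the Storage Account export it finds the child resource and passes.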

@valtynikov
Author

I'm pretty sure this is due to the Key Vault private endpoint policy using an older apiVersion when checking resource compliance. Should be a very simple fix and they resolved it quickly when I reported a similar issue for ACR but the Key Vault team is just ignoring it for some reason. I guess not enough people complained yet.

@dani3lheidemann

@valtynikov yes, this is also my assumption. @nehakulkarni123 @sebansal do you have any update on this?
Thank you!
