[Preview]: Configure Azure Key Vaults with private endpoints: Incorrectly reports resources as non-compliant #862
Comments
Hi @valtynikov, can you please provide the policyDefinition ID for this policy so I can investigate further?
@nehakulkarni123 the policy definition ID is
Thank you. Since the private endpoint was created, it seems that the existenceCondition is correct. How long has the vault remained non-compliant after private endpoint deployment? Is it still non-compliant?
@nehakulkarni123 the policy keeps reporting the Key Vault non-compliant, even days after the private endpoint was created. Also, it's reporting other Key Vaults that already had private endpoints associated with them as non-compliant.
@nehakulkarni123 please let me know if you need any additional information. The policy's been enabled for a few weeks now and is still reporting that the Key Vault is non-compliant, even though it definitely has an associated private endpoint.
Adding @sebansal from the Key Vault team to address @valtynikov's question.
@sebansal hello, just wanted to check if there's anything else I can assist with to troubleshoot the issue.
Hi @valtynikov, another approach would be to reach out to the support team. They will be able to take a look at your specific environment and offer specific feedback.
@nehakulkarni123 sure, I can reach out to the support team. Would they support it even though it's still in preview?
Hi all, here is a comparison.

Export of the Key Vault ARM template with Private Endpoint:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaults_kv_test_hd6_name": {
      "defaultValue": "kv-test-hd6",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2022-07-01",
      "name": "[parameters('vaults_kv_test_hd6_name')]",
      "location": "germanywestcentral",
      "properties": {
        "sku": {
          "family": "A",
          "name": "Standard"
        },
        "tenantId": "xxx",
        "accessPolicies": [
          {
            "tenantId": "xxx",
            "objectId": "xxx",
            "permissions": {
              "keys": [
                "Get", "List", "Update", "Create", "Import", "Delete",
                "Recover", "Backup", "Restore",
                "GetRotationPolicy", "SetRotationPolicy", "Rotate"
              ],
              "secrets": [
                "Get", "List", "Set", "Delete", "Recover", "Backup", "Restore"
              ],
              "certificates": [
                "Get", "List", "Update", "Create", "Import", "Delete",
                "Recover", "Backup", "Restore",
                "ManageContacts", "ManageIssuers", "GetIssuers",
                "ListIssuers", "SetIssuers", "DeleteIssuers"
              ]
            }
          }
        ],
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false,
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 7,
        "enableRbacAuthorization": false,
        "vaultUri": "[concat('https://', parameters('vaults_kv_test_hd6_name'), '.vault.azure.net/')]",
        "provisioningState": "Succeeded",
        "publicNetworkAccess": "Enabled"
      }
    }
  ]
}
```
Notice: NO Private Endpoint sub-resource.

Export of the Storage Account ARM template with Private Endpoint:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccounts_xxx_name": {
      "defaultValue": "xxx",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-05-01",
      "name": "[parameters('storageAccounts_xxx_name')]",
      "location": "northcentralus",
      "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
      },
      "kind": "StorageV2",
      "properties": {
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false,
        "networkAcls": {
          "bypass": "AzureServices",
          "virtualNetworkRules": [],
          "ipRules": [],
          "defaultAction": "Allow"
        },
        "supportsHttpsTrafficOnly": true,
        "encryption": {
          "services": {
            "file": {
              "keyType": "Account",
              "enabled": true
            },
            "blob": {
              "keyType": "Account",
              "enabled": true
            }
          },
          "keySource": "Microsoft.Storage"
        },
        "accessTier": "Cool"
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/privateEndpointConnections",
      "apiVersion": "2022-05-01",
      "name": "[concat(parameters('storageAccounts_xxx_name'), '/', parameters('storageAccounts_xxx_name'), '.5ec963bc-3520-43ff-ab25-bbf3ca0aed18')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccounts_xxx_name'))]"
      ],
      "properties": {
        "provisioningState": "Succeeded",
        "privateEndpoint": {},
        "privateLinkServiceConnectionState": {
          "status": "Approved",
          "description": "Auto-Approved",
          "actionRequired": "None"
        }
      }
    }
  ]
}
```

Notice the Private Endpoint sub-resource for the Storage Account. For the Storage Account, there is a sub-resource in the ARM template that matches the Existence Condition. For Key Vault this sub-resource is missing, although a Private Endpoint is configured. This looks like a bug to me. Can anyone from Microsoft check this? Thanks!
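The comparison in the comment above (a Key Vault export with no `privateEndpointConnections` child, a storage account export with an approved one) can be reproduced mechanically, which is a quick way to tell whether a "resource has a private endpoint" check that relies on the exported sub-resource would see anything at all. The script below is an added example, not code from this thread or from the Azure Policy repository. It walks an exported ARM template, collects the `<parentType>/privateEndpointConnections` children (including nested children written with a short type), and reports whether an approved connection exists. The two sample templates are constructed, trimmed copies of the exports quoted above, and the "status must be Approved" criterion is an assumption used for illustration, not the built-in policy's actual existenceCondition.

```python
"""Check an exported ARM template for privateEndpointConnections sub-resources.

Added example for this thread; the templates below are constructed samples that
keep only the fields the check inspects (see the thread for the full exports).
"""

# Constructed: mirrors the Key Vault export, which has no privateEndpointConnections child.
KEY_VAULT_EXPORT = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2022-07-01",
            "name": "kv-test-hd6",
            "properties": {"publicNetworkAccess": "Enabled"},
        }
    ],
}

# Constructed: mirrors the storage account export, which does carry an approved child.
STORAGE_EXPORT = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-05-01",
            "name": "stexample",
            "properties": {},
        },
        {
            "type": "Microsoft.Storage/storageAccounts/privateEndpointConnections",
            "apiVersion": "2022-05-01",
            "name": "stexample/stexample.00000000-0000-0000-0000-000000000000",  # placeholder connection id
            "properties": {
                "provisioningState": "Succeeded",
                "privateLinkServiceConnectionState": {
                    "status": "Approved",
                    "description": "Auto-Approved",
                    "actionRequired": "None",
                },
            },
        },
    ],
}


def _walk(resources, parent_type=None):
    """Yield (full_type, resource) for every resource, descending into nested 'resources'.

    Nested children in ARM templates may use a short type such as
    'privateEndpointConnections'; the parent type is prepended to rebuild the full type.
    """
    for res in resources or []:
        rtype = res.get("type", "")
        full_type = rtype if ("/" in rtype or parent_type is None) else f"{parent_type}/{rtype}"
        yield full_type, res
        yield from _walk(res.get("resources"), full_type)


def private_endpoint_connections(template, parent_type):
    """Return the privateEndpointConnections children of parent_type found in template."""
    wanted = f"{parent_type}/privateEndpointConnections".lower()
    return [res for full_type, res in _walk(template.get("resources")) if full_type.lower() == wanted]


def evaluate_existence(template, parent_type):
    """Approximate an 'approved private endpoint connection exists' check.

    Assumption (not taken from the built-in policy): the child must exist and report
    privateLinkServiceConnectionState.status == 'Approved'. Returns (compliant, reason).
    """
    parents = [r for t, r in _walk(template.get("resources")) if t.lower() == parent_type.lower()]
    if not parents:
        return False, f"no {parent_type} resource in template"
    conns = private_endpoint_connections(template, parent_type)
    if not conns:
        return False, f"no {parent_type}/privateEndpointConnections sub-resource exported"
    approved = [
        c for c in conns
        if c.get("properties", {}).get("privateLinkServiceConnectionState", {}).get("status") == "Approved"
    ]
    if not approved:
        return False, "private endpoint connection(s) present but none approved"
    return True, f"{len(approved)} approved private endpoint connection(s)"


if __name__ == "__main__":
    for label, tpl, ptype in (
        ("Key Vault", KEY_VAULT_EXPORT, "Microsoft.KeyVault/vaults"),
        ("Storage Account", STORAGE_EXPORT, "Microsoft.Storage/storageAccounts"),
    ):
        ok, why = evaluate_existence(tpl, ptype)
        print(f"{label}: {'compliant' if ok else 'NON-COMPLIANT'} ({why})")
```

To run this against a real export, load the JSON produced by the portal's "Export template" (or `az group export`) with `json.load` and pass it to `evaluate_existence` with the parent type in question; a "no ... sub-resource exported" result for a vault that visibly has a private endpoint is exactly the symptom this thread describes, and shows that the export, not the check, is what lacks the child.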
I'm pretty sure this is due to the Key Vault private endpoint policy using an older
@valtynikov yes, this is also my assumption. @nehakulkarni123 @sebansal do you have any update on this?
Details of the scenario you tried and the problem that is occurring
The policy successfully detected and created a private endpoint for a Key Vault but keeps reporting the Key Vault as non-compliant.
Verbose logs showing the problem
N/A
Suggested solution to the issue
N/A
If policy is Guest Configuration - details about target node
N/A