Description
Details of the scenario you tried and the problem that is occurring
We have built the deployIfNotExists policy for Azure Static Apps (attached). The good news is that it remediates perfectly with this json (Policy Definition, Assignment, and Remediation). But unfortunately, the bad news is that when an Azure Static App private endpoint is created, the deployIfNotExists is not triggered automatically. We just need it to trigger automatically.
(see attached for full context)
Note: dnsZoneSuffix (for example ".4.azurestaticapps.net") is passed in as a parameter when building the Policy Definition and Assignment.
And if we remove that rule, the policyDeployment triggers automatically as it always has… but unfortunately, we need the logic of that added rule for Static Apps, due to the dynamic partitionId.
We don’t want our customers to have to manually create remediations, as all of our other policies work automatically.
Let me know if anything above is unclear.
This is the PolicyRule that is added to the json that is stopping the automatic trigger of deployIfNotExists.
```json
{
  "field": "Microsoft.Network/privateEndpoints/customDnsConfigs[*].fqdn",
  "contains": "[parameters('dnsZoneSuffix')]"
},
```
We have tried every combination of evaluationDelay (Immediate, After Successful provision, 30 min, 3 hours); none of them trigger the policy automatically.
We have also tried hardcoding the parameter value (to test123 or any static value); the trigger still does not execute automatically. This leads me to believe an unhandled and unreported exception is encountered when referencing the field (Microsoft.Network/privateEndpoints/customDnsConfigs[*].fqdn).
Original json template pulled and customized for Static App from AzAdvertizer
Deploy-Private-DNS-PartitionId-Static-Web-Apps.json
Verbose logs showing the problem
Suggested solution to the issue
PLEASE add Microsoft.Network/privateEndpoints/customDnsConfigs or just the zone of the fqdn that will be created TO the payload of the Create private-endpoint. Maybe defaultHostname?
Allow us to reference Microsoft.Network/privateEndpoints/customDnsConfigs[*].fqdn (or just the zone) for deployIfNotExists on the automatic Policy trigger, just as is done in remediation:
```json
{
  "field": "Microsoft.Network/privateEndpoints/customDnsConfigs[*].fqdn",
  "contains": "[parameters('dnsZoneSuffix')]"
},
```
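Added example, not part of the issue above nor of the AzAdvertizer template: a small offline check that applies the same `contains` test the policy rule makes to two private-endpoint resource documents. Both documents are constructed samples (resource names, the subscription id and the IP address are placeholders), one representing the resource after provisioning, when the platform has populated `customDnsConfigs`, and one representing the create payload the caller sends, which carries no `customDnsConfigs` at all. The helper names `matching_fqdns`, `split_fqdn` and `evaluate_endpoint` are this example's own. It is a way to confirm, for a given resource document, whether the field the rule references is present before expecting the rule to match.

```python
"""Check a private endpoint document against the customDnsConfigs[*].fqdn rule.

Added example; the resource documents are constructed samples, not real output
from Azure. dns_zone_suffix corresponds to the policy's dnsZoneSuffix parameter
(for example ".4.azurestaticapps.net").
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample: the private endpoint after provisioning has finished and
# the platform has filled in customDnsConfigs (the state remediation sees).
PROVISIONED_PE = json.loads("""
{
  "name": "pe-swa-example",
  "type": "Microsoft.Network/privateEndpoints",
  "properties": {
    "provisioningState": "Succeeded",
    "customDnsConfigs": [
      {"fqdn": "example-app.4.azurestaticapps.net", "ipAddresses": ["10.0.1.5"]}
    ]
  }
}
""")

# Constructed sample: the same endpoint as sent in a create request. The caller
# supplies subnet and connection details; customDnsConfigs is not part of it.
CREATE_PAYLOAD_PE = json.loads("""
{
  "name": "pe-swa-example",
  "type": "Microsoft.Network/privateEndpoints",
  "properties": {
    "subnet": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/snet-pe"},
    "privateLinkServiceConnections": [
      {"name": "swa", "properties": {"groupIds": ["staticSites"]}}
    ]
  }
}
""")


def matching_fqdns(private_endpoint: Dict, dns_zone_suffix: str) -> List[str]:
    """Return every customDnsConfigs[*].fqdn value that contains dns_zone_suffix.

    This mirrors the rule's 'contains' test. An absent or empty customDnsConfigs
    array yields an empty list: there is nothing for the rule to match on.
    """
    configs = private_endpoint.get("properties", {}).get("customDnsConfigs") or []
    return [c["fqdn"] for c in configs if "fqdn" in c and dns_zone_suffix in c["fqdn"]]


def split_fqdn(fqdn: str, dns_zone_suffix: str) -> Optional[Tuple[str, str]]:
    """Split an fqdn into (host label, zone) when it ends with dns_zone_suffix.

    "example-app.4.azurestaticapps.net" with suffix ".4.azurestaticapps.net"
    gives ("example-app", "4.azurestaticapps.net"); a non-matching fqdn gives None.
    """
    if not dns_zone_suffix.startswith(".") or not fqdn.endswith(dns_zone_suffix):
        return None
    host = fqdn[: -len(dns_zone_suffix)]
    zone = dns_zone_suffix[1:]
    if not host:
        return None
    return host, zone


def evaluate_endpoint(private_endpoint: Dict, dns_zone_suffix: str) -> Dict:
    """Summarise what the rule would have to work with for this document."""
    configs = private_endpoint.get("properties", {}).get("customDnsConfigs")
    matches = matching_fqdns(private_endpoint, dns_zone_suffix)
    zones = sorted({z for f in matches for _, z in [split_fqdn(f, dns_zone_suffix) or ("", "")] if z})
    return {
        "name": private_endpoint.get("name"),
        "dns_data_present": bool(configs),
        "matching_fqdns": matches,
        "zones": zones,
    }


if __name__ == "__main__":
    suffix = ".4.azurestaticapps.net"
    for doc in (PROVISIONED_PE, CREATE_PAYLOAD_PE):
        print(json.dumps(evaluate_endpoint(doc, suffix), indent=2))
```

Run against the provisioned document the summary lists the matching fqdn and the zone `4.azurestaticapps.net`; run against the create payload it reports `dns_data_present` false and no matches, which is the situation the issue describes for the automatic trigger. To check a real endpoint, feed the script the JSON returned by `az network private-endpoint show` instead of the constructed samples.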