feat: Improve efficiency of Deploy-Private-DNS-Generic policy evaluation

Azure · May 28, 2024 · 83ebd47 · 83ebd47
1 parent c62e87e
commit 83ebd47
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
@@ -87,7 +87,7 @@ This release includes:
   - [Virtual Machine should have TrustedLaunch enabled](https://www.azadvertizer.net/azpolicyadvertizer/c95b54ad-0614-4633-ab29-104b01235cbf.html)
 - Updated ARM deployment for Defender for APIs, which now requires a sub plan be specified. We're defaulting to sub plan "P1", and have confirmed that costs will only be incurred once an API has expressly been onboarded to Defender for APIs. Please thoroughly review Defender for API plans as they related to your environment and adjust the sub plan as needed.
 - Deprecated custom policy [Storage Account set to minimum TLS and Secure transfer should be enabled](https://www.azadvertizer.net/azpolicyadvertizer/Deny-Storage-minTLS.html) and replaced with two built-in policies [Secure transfer to storage accounts should be enabled](https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html) and [Storage accounts should have the specified minimum TLS version](https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html).
-- Added new custom policy "Deploy-Private-DNS-Generic" this policy will DINE-configure private DNS zone groups to override the DNS resolution for PaaS services private endpoint. It is generic to enable private DNS zones for the services which supports private DNS but don't have built-in policies available and also for the new services which support private DNS in future. This policy is also configured to evaluate immediately after successfully provisioning a resource, instead of waiting the default 10 minutes.
+- Added new custom policy "Deploy-Private-DNS-Generic" this policy will DINE-configure private DNS zone groups to override the DNS resolution for PaaS services private endpoint. It is generic to enable private DNS zones for the services which supports private DNS but don't have built-in policies available and also for the new services which support private DNS in future. This policy is also configured to evaluate immediately after successfully provisioning a resource by default, with the ability to configure the evaluation delay, instead of waiting the default 10 minutes.
 - Deprecated [Deploy-EncryptTransit](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-EncryptTransit.html) initiative and superseded with [Deploy-EncryptTransit_20240509](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-EncryptTransit_20240509.html) to minimize breaking change impact on existing deployments.
 - Fixed the assignment for [Configure periodic checking for missing system updates on azure virtual machines](https://www.azadvertizer.net/azpolicyadvertizer/59efceea-0c96-497e-a4a1-4eb2290dac15.html) to use the correct RBAC role.
 - Added new initiative for Microsoft Defender for Endpoints [Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/77b391e3-2d5d-40c3-83bf-65c846b3c6a3.html).

diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json
@@ -53,6 +53,14 @@
                     "displayName": "PaaS Private endpoint group ID (subresource)",
                     "description": "The group ID of the PaaS private endpoint. Also referred to as subresource."
                 }
+            },
+            "evaluationDelay": {
+                "type": "String",
+                "metadata": {
+                    "displayName": "Evaluation Delay",
+                    "description": "The delay in evaluation of the policy defaulting to after provisioning success. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists"
+                },
+                "defaultValue": "AfterProvisioningSuccess"
             }
         },
         "policyRule": {
@@ -86,7 +94,7 @@
                 "effect": "[[parameters('effect')]",
                 "details": {
                     "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
-                    "EvaluationDelay": "AfterProvisioningSuccess",
+                    "EvaluationDelay": "[[parameters('evaluationDelay')]]",
                     "roleDefinitionIds": [
                         "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
                     ],