Policy for Cross Subscription Deployments

GOMES Emerson 1 Reputation point
2022-12-10T01:19:57.733+00:00

Hello,

I am trying to create a Policy that should create Private DNS Virtual Network Links for multiple vnets spread across different subscriptions. There's a single Private DNS Zone in a separate subscription (called CRS).
The problem I am facing is that the deployment fails because it tries to perform the deployment in the same subscription as the resource being parsed (the vnets), when it should use the CRS subscription; even though the CRS subscriptionId and resourceGroup are specified as part of the deployment template. I have no idea what else I could try here.

This is my policy code:

{  
  "properties": {  
    "displayName": "DeployPrivateDnsVNLink",  
    "policyType": "Custom",  
    "mode": "All",  
    "parameters": {},  
    "policyRule": {  
      "if": {  
        "allOf": [  
          {  
            "field": "type",  
            "equals": "Microsoft.Network/virtualNetworks"  
          },  
          {  
            "field": "Microsoft.Network/virtualNetworks/provisioningState",  
            "equals": "Succeeded"  
          }  
        ]  
      },  
      "then": {  
        "effect": "deployIfNotExists",  
        "details": {  
          "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",  
          "existenceScope": "subscription",  
          "name": "[concat('zone.domain/', field('name'))]",  
          "existenceCondition": {  
            "allOf": [  
              {  
                "equals": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",  
                "field": "type"  
              },  
              {  
                "equals": "[field('id')]",  
                "field": "Microsoft.Network/privateDnsZones/virtualNetworkLinks/virtualNetwork.id"  
              }  
            ]  
          },  
          "deployment": {  
            "properties": {  
              "resourceGroup": "rg-crs",  
              "subscriptionId": "xxx",  
              "mode": "incremental",  
              "parameters": {  
                "vNetId": {  
                  "value": "[field('id')]"  
                },  
                "vNetName": {  
                  "value": "[field('name')]"  
                }  
              },  
              "template": {  
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",  
                "contentVersion": "1.0.0.0",  
                "parameters": {  
                  "vNetId": {  
                    "type": "string"  
                  },  
                  "vNetName": {  
                    "type": "string"  
                  }  
                },  
                "resources": [  
                  {  
                    "resourceGroup": "rg-crs",  
                    "subscriptionId": "xxx",  
                    "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",  
                    "apiVersion": "2018-09-01",  
                    "name": "[concat('zone.domain/', parameters('vNetName'))]",  
                    "location": "global",  
                    "properties": {  
                      "registrationEnabled": false,  
                      "virtualNetwork": {  
                        "id": "[parameters('vNetId')]"  
                      }  
                    }  
                  }  
                ]  
              }  
            }  
          },  
          "roleDefinitionIds": [  
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"  
          ]  
        }  
      }  
    }  
  }
}

Any advice is appreciated.

Azure Policy

1 answer

  1. AnuragSingh-MSFT 21,546 Reputation points Moderator
    2022-12-20T04:38:16.72+00:00

    Hi @GOMES Emerson ,

    Thank you for reaching out to Microsoft Q&A for this question. I am sorry for the delayed response.

    I see that you are trying to use Azure Policy to deploy resources. I would instead advise using an ARM template to deploy the resources using the Azure Portal, PowerShell or CLI - please see this link for details - Deploy a local ARM template. The requirement here is to deploy resources and Azure Policy is not a good choice for it.

    Azure Policy is mainly used for enforcing compliance and standards at scale, so that the overall state of the environment can be evaluated and remediated. Every policy assignment is done to a scope (ManagementGroup, Subscription, ResourceGroup) - which would enforce the policy roles on the resources in this scope. The use case mentioned in the question requires cross-scope deployment, which is not going to be easy to achieve (if not impossible - I haven't tested it yet).

    Please let me know if you have any questions.

    ---
    Please 'Accept as answer' if it helped so that it can help others in the community looking for help on similar topics.

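Editor's added example, not code from the question or from the answer above: a reworked version of the posted policy definition that actually places the virtual network link in the zone's subscription. The posted template sets `subscriptionId` and `resourceGroup` directly on the `virtualNetworkLinks` resource and in the deployIfNotExists `deployment.properties`, but Resource Manager only honours those two properties on a `Microsoft.Resources/deployments` resource, so the link was deployed into the VNet's own subscription, which is the failure the question describes. The fix below wraps the link in a nested deployment whose `subscriptionId` and `resourceGroup` point at the CRS zone. The policy parameters `zoneSubscriptionId`, `zoneResourceGroup` and `zoneName`, the link naming scheme, the deployment name and the API versions are my choices for the example; the role definition ID (Network Contributor) and the trigger/existence conditions are carried over from the question.

```json
{
  "properties": {
    "displayName": "DeployPrivateDnsVNLink-CrossSubscription",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "zoneSubscriptionId": { "type": "String", "metadata": { "description": "Subscription that holds the Private DNS zone (CRS)" } },
      "zoneResourceGroup": { "type": "String", "metadata": { "description": "Resource group of the zone, e.g. rg-crs" } },
      "zoneName": { "type": "String", "metadata": { "description": "Private DNS zone name, e.g. zone.domain" } }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Network/virtualNetworks" },
          { "field": "Microsoft.Network/virtualNetworks/provisioningState", "equals": "Succeeded" }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
          "existenceScope": "subscription",
          "existenceCondition": {
            "field": "Microsoft.Network/privateDnsZones/virtualNetworkLinks/virtualNetwork.id",
            "equals": "[field('id')]"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vNetId": { "value": "[field('id')]" },
                "zoneSubscriptionId": { "value": "[parameters('zoneSubscriptionId')]" },
                "zoneResourceGroup": { "value": "[parameters('zoneResourceGroup')]" },
                "zoneName": { "value": "[parameters('zoneName')]" }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vNetId": { "type": "string" },
                  "zoneSubscriptionId": { "type": "string" },
                  "zoneResourceGroup": { "type": "string" },
                  "zoneName": { "type": "string" }
                },
                "variables": {
                  "linkName": "[concat(last(split(parameters('vNetId'), '/')), '-', uniqueString(parameters('vNetId')))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2021-04-01",
                    "name": "[concat('pdns-link-', uniqueString(parameters('vNetId')))]",
                    "subscriptionId": "[parameters('zoneSubscriptionId')]",
                    "resourceGroup": "[parameters('zoneResourceGroup')]",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": { "scope": "inner" },
                      "parameters": {
                        "vNetId": { "value": "[parameters('vNetId')]" },
                        "zoneName": { "value": "[parameters('zoneName')]" },
                        "linkName": { "value": "[variables('linkName')]" }
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "vNetId": { "type": "string" },
                          "zoneName": { "type": "string" },
                          "linkName": { "type": "string" }
                        },
                        "resources": [
                          {
                            "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
                            "apiVersion": "2020-06-01",
                            "name": "[concat(parameters('zoneName'), '/', parameters('linkName'))]",
                            "location": "global",
                            "properties": {
                              "registrationEnabled": false,
                              "virtualNetwork": { "id": "[parameters('vNetId')]" }
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}
```

Two things to check before assigning this. First, Azure Policy only grants the `roleDefinitionIds` roles to the assignment's managed identity at the assignment scope; it cannot grant anything in the CRS subscription, so the identity must be given Network Contributor (or a narrower role that covers `Microsoft.Network/privateDnsZones/virtualNetworkLinks/write` and `Microsoft.Resources/deployments/*`) on the zone's resource group by hand, for example with `az role assignment create --assignee <assignment principalId> --role "Network Contributor" --scope <resource ID of rg-crs>`; without that the nested deployment fails with an authorization error. Second, `existenceScope` is evaluated relative to the virtual network being assessed (its resource group or its subscription), so a link that lives under the zone in the CRS subscription is not visible to the existence check: the VNet keeps reporting non-compliant and each remediation task re-runs the deployment. With incremental mode and a deterministic link name (VNet name plus `uniqueString` of its resource ID, which also avoids collisions between same-named VNets in different subscriptions) that re-run is an idempotent PUT, but expect the compliance view to stay red.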
