
Bug Report: Deploy Private DNS Zones - Built-in policies missing from initiative #1485

Closed
juanandmsft opened this issue Nov 24, 2023 · 3 comments

Comments

@juanandmsft

juanandmsft commented Nov 24, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform: 1.6.3

azure provider: 3.80.0

module: 5.0.2

Description

Describe the bug

The following built-in policies to manage private endpoints at scale are not included in the ALZ policy initiative definition at [modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json]:

| Policy File | Policy displayName | Policy ID |
|---|---|---|
| PrivateLinkForAzureAD_PrivateLinkDns_DeployIfNotExists.json | Configure Private Link for Azure AD to use private DNS zones | 7e4301f9-5f32-4738-ad9f-7ec2d15563ad |
| BotService_PrivateDNSZone_DeployIfNotExists.json | Configure BotService resources to use private DNS zones | 6a4e6f44-f2af-4082-9702-033c9e88b9f8 |
| AMG_PrivateDNSZone_DeployIfNotExists.json | Configure Azure Managed Grafana workspaces to use private DNS zones | 4c8537f8-cd1b-49ec-b704-18e82a42fd58 |
| DVHostpool_PrivateDNSZone_DINE.json | Configure Azure Virtual Desktop hostpool resources to use private DNS zones | 9427df23-0f42-4e1e-bf99-a6133d841c4a |
| DVWorkspace_PrivateDNSZone_DINE.json | Configure Azure Virtual Desktop workspace resources to use private DNS zones | 34804460-d88b-4922-a7ca-537165e060ed |
| DeviceUpdate_DeployPrivateDnsZoneForPrivateEndpoint_Deploy.json | Configure Azure Device Update for IoT Hub accounts to use private DNS zones | a222b93a-e6c2-4c01-817f-21e092455b2a |
| Arc_PrivateEndpoint_DNS_Deploy.json | Configure Azure Arc Private Link Scopes to use private DNS zones | 55c4db33-97b0-437b-8469-c4f4498f5df9 |
| IoTCentral_DeployPrivateDnsZoneForPrivateEndpoint_Deploy.json | Deploy - Configure IoT Central to use private DNS zones | d627d7c6-ded5-481a-8f2e-7e16b1e6faf6 |
| AzBackupRSVault_PeDnsConfigDeploy.json | [Preview]: Configure Recovery Services vaults to use private DNS zones for backup | af783da1-4ad1-42be-800d-d19c70038820 |
| StoragePrivateDnsZoneGroup_Table.json | Configure a private DNS Zone ID for table groupID | 028bbd88-e9b5-461f-9424-a1b63a7bee1a |
| StoragePrivateDnsZoneGroup_TableSecondary.json | Configure a private DNS Zone ID for table_secondary groupID | c1d634a5-f73d-4cdd-889f-2cc7006eb47f |

Storage table is also referred to in #1502

Steps to Reproduce

  1. Create a private endpoint for the resource types above without DNS integration.
  2. The assigned initiative does not deploy the corresponding dnsZoneGroup sub-resource.

Additional context

When working with private endpoints at scale, along with the ALZ initiative, an additional custom initiative or per-policy assignments are needed to match additional private endpoint types.

@matt-FFFFFF
Member

Hi!

Thanks for raising. This needs to go upstream to Enterprise Scale repo. I will move

@matt-FFFFFF matt-FFFFFF transferred this issue from Azure/terraform-azurerm-caf-enterprise-scale Nov 30, 2023
@Springstone Springstone added this to the policy-refresh-fy24-q3 milestone Dec 11, 2023
@Springstone
Member

@rozkurt easy one for you to tackle.

@Springstone
Member

As per #1578 we've addressed all the missing Private DNS Zone entities EXCEPT AAD, as even though there is a policy there is no supporting documentation and testing has raised some concerns, so we will leave this out for now. We'll add to the backlog to review Entra ID private link, but closing this issue as it is largely addressed.
