Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[AVM Module Issue]: publicNetworkAccess disabled, but still violates the policy da69ba51-aaf1-41e5-8651-607cd0b37088 #3816

Open
1 task done
Besdima opened this issue Nov 20, 2024 · 9 comments · May be fixed by #3822
Open
1 task done

[AVM Module Issue]: publicNetworkAccess disabled, but still violates the policy da69ba51-aaf1-41e5-8651-607cd0b37088 #3816

Besdima opened this issue Nov 20, 2024 · 9 comments · May be fixed by #3822
Assignees
@seesharprun
Labels
Class: Resource Module 📦 This is a resource module Needs: Immediate Attention ‼️ Immediate attention of module owner / AVM team is needed Needs: Triage 🔍 Maintainers need to triage still Status: Response Overdue 🚩 When an issue/PR has not been responded to for X amount of days Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue Type: Bug 🐛 Something isn't working

Comments

@Besdima
Copy link

Besdima commented Nov 20, 2024

Check for previous/existing GitHub issues

  • I have checked for previous/existing GitHub issues

Issue Type?

Bug

Module Name

avm/res/document-db/database-account

(Optional) Module Version

0.8.1

Description

We have a policy configured for CosmosDB accounts to disable public network access, and when we provision CosmosDB accounts with the following parameters:

networkRestrictions: {
  publicNetworkAccess: 'Disabled'
  ipRules: []
  virtualNetworkRules: []
}

It still violates the policy:

New-AzResourceGroupDeployment : 1:16:53 AM - Error: Code=RequestDisallowedByPolicy; Message=Resource
'xxxx' was disallowed by policy.

(Optional) Correlation Id

No response
@Besdima Besdima added Needs: Triage 🔍 Maintainers need to triage still Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue labels Nov 20, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Type: Bug 🐛 Something isn't working label Nov 20, 2024
@avm-team-linter AVM Team Linter
Copy link

@Besdima, thanks for submitting this issue for the avm/res/document-db/database-account module!

Important

A member of the @Azure/avm-res-documentdb-databaseaccount-module-owners-bicep or @Azure/avm-res-documentdb-databaseaccount-module-contributors-bicep team will review it soon!

@avm-team-linter avm-team-linter bot added the Class: Resource Module 📦 This is a resource module label Nov 20, 2024
@github-project-automation github-project-automation bot moved this to Needs: Triage in AVM - Module Issues Nov 20, 2024
@Besdima
Copy link
Author

Besdima commented Nov 20, 2024

I run it in the testing environment, and the deployment seems to ignore the publicNetworkAccess parameter and deploys the CDB with the public endpoint on.

Image

Image

Probably there is an issue with this logic in the template:
'publicNetworkAccess', coalesce(tryGet(parameters('networkRestrictions'), 'publicNetworkAccess'), 'Enabled')

@seesharprun
Copy link
Contributor

In the current Azure Cosmos DB configuration, you can only disable public network access if you declare child resources like a NoSQL, Gremlin, MongoDB, or Table database.

Here's the corresponding line: https://github.com/Azure/bicep-registry-modules/blob/main/avm/res/document-db/database-account/main.bicep#L273

I'm testing a change to fix this in a new version so you can disable public network access even if you don't define resources.

@Besdima
Copy link
Author

Besdima commented Nov 20, 2024
edited
Loading

edt.

I see what you mean now - thank you.

@seesharprun seesharprun linked a pull request Nov 20, 2024 that will close this issue
Open
11 tasks
@microsoft-github-policy-service Microsoft GitHub Policy Service
Copy link

Warning

Tagging the AVM Core Team (@Azure/avm-core-team-technical-bicep) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

Tip

  • To prevent further actions to take effect, the "Status: Response Overdue 🚩" label must be removed, once this issue has been responded to.
  • To avoid this rule being (re)triggered, the ""Needs: Triage 🔍" label must be removed as part of the triage process (when the issue is first responded to)!

@microsoft-github-policy-service microsoft-github-policy-service bot added the Status: Response Overdue 🚩 When an issue/PR has not been responded to for X amount of days label Nov 27, 2024
@microsoft-github-policy-service Microsoft GitHub Policy Service
Copy link

Warning

Tagging the AVM Core Team (@Azure/avm-core-team-technical-bicep) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

Tip

  • To prevent further actions to take effect, the "Status: Response Overdue 🚩" label must be removed, once this issue has been responded to.
  • To avoid this rule being (re)triggered, the ""Needs: Triage 🔍" label must be removed as part of the triage process (when the issue is first responded to)!

@microsoft-github-policy-service Microsoft GitHub Policy Service
Copy link

Caution

**This issue requires the AVM Core Team's (@Azure/avm-core-team-technical-bicep) immediate attention as it hasn't been responded to within 6 business days. **

Tip

  • To avoid this rule being (re)triggered, the "Needs: Triage 🔍" and "Status: Response Overdue 🚩" labels must be removed when the issue is first responded to!
  • Remove the "Needs: Immediate Attention ‼️" label once the issue has been responded to.

@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Immediate Attention ‼️ Immediate attention of module owner / AVM team is needed label Dec 2, 2024
@microsoft-github-policy-service Microsoft GitHub Policy Service
Copy link

Warning

Tagging the AVM Core Team (@Azure/avm-core-team-technical-bicep) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

Tip

  • To prevent further actions to take effect, the "Status: Response Overdue 🚩" label must be removed, once this issue has been responded to.
  • To avoid this rule being (re)triggered, the ""Needs: Triage 🔍" label must be removed as part of the triage process (when the issue is first responded to)!

@microsoft-github-policy-service Microsoft GitHub Policy Service
Copy link

Caution

**This issue requires the AVM Core Team's (@Azure/avm-core-team-technical-bicep) immediate attention as it hasn't been responded to within 6 business days. **

Tip

  • To avoid this rule being (re)triggered, the "Needs: Triage 🔍" and "Status: Response Overdue 🚩" labels must be removed when the issue is first responded to!
  • Remove the "Needs: Immediate Attention ‼️" label once the issue has been responded to.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@seesharprun seesharprun

Labels
Class: Resource Module 📦 This is a resource module Needs: Immediate Attention ‼️ Immediate attention of module owner / AVM team is needed Needs: Triage 🔍 Maintainers need to triage still Status: Response Overdue 🚩 When an issue/PR has not been responded to for X amount of days Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue Type: Bug 🐛 Something isn't working
Projects
AVM - Module Issues
Status: Needs: Triage
Milestone
No milestone
3 participants
@seesharprun @Besdima @bryansan-msft