Deployment fails with SSLEnforcement policy violation for Azure PostgreSQL creation

dinesh.angolkar 2021-02-15 13:14:10 UTC #1

Keywords: Apache Airflow - Microsoft Azure - Technical issue - Secure Connections (SSL/HTTPS)
Description:
Hi Team,
I am trying to create "Airflow with Azure Database for PostgreSQL" but fails due to SSLEnforcement policy violation.

Below is the raw error message:

{
  "code": "InvalidTemplateDeployment",
  "details": [
    {
      "code": "RequestDisallowedByPolicy",
      "target": "myairflowjuay7un24pdea-database",
      "message": "Resource 'myairflowjuay7un24pdea-database' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"DENY-PG-sslEnforcement\",\"id\":\"/providers/Microsoft.Management/managementGroups/*******************/providers/Microsoft.Authorization/policyAssignments/DENY-PG-sslEnforcement\"},\"policyDefinition\":{\"name\":\"DENY-PG-sslEnforcement\",\"id\":\"/providers/Microsoft.Management/managementgroups/****************/providers/Microsoft.Authorization/policyDefinitions/DENY-PG-sslEnforcement\"}}]'.",
      "additionalInfo": [
        {
          "type": "PolicyViolation",
          "info": {
            "policyDefinitionDisplayName": "DENY-PG-sslEnforcement",
            "evaluationDetails": {
              "evaluatedExpressions": [
                {
                  "result": "True",
                  "expressionKind": "Field",
                  "expression": "type",
                  "path": "type",
                  "expressionValue": "Microsoft.DBforPostgreSQL/servers",
                  "targetValue": "Microsoft.DBforPostgreSQL/servers",
                  "operator": "Equals"
                },
                {
                  "result": "True",
                  "expressionKind": "Field",
                  "expression": "Microsoft.DBforPostgreSQL/servers/sslEnforcement",
                  "path": "properties.sslEnforcement",
                  "targetValue": "Enabled",
                  "operator": "NotEquals"
                }
              ]
            },
            "policyDefinitionId": "/providers/Microsoft.Management/managementgroups/*********************/providers/Microsoft.Authorization/policyDefinitions/DENY-PG-sslEnforcement",
            "policyDefinitionName": "DENY-PG-sslEnforcement",
            "policyDefinitionEffect": "deny",
            "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/*********************/providers/Microsoft.Authorization/policyAssignments/DENY-PG-sslEnforcement",
            "policyAssignmentName": "DENY-PG-sslEnforcement",
            "policyAssignmentDisplayName": "DENY-PG-sslEnforcement",
            "policyAssignmentScope": "/providers/Microsoft.Management/managementGroups/***************************",
            "policyAssignmentParameters": {}
          }
        }
      ]
    }
  ],
  "message": "The template deployment failed because of policy violation. Please see details for more information."
}

Is there any way to turn on SSLEnabled flag for Azure PostgreSQL ?

davidg 2021-02-16 10:24:43 UTC #2

Hello @dinesh.angolkar,

The team will check the case and will reply as soon as possible.

Regards

dinesh.angolkar 2021-02-16 14:26:51 UTC #3

We have "Azure DB for PostgreSQL" already setup in our subscription with SSL Enabled. So I ideally want to leverage this instance with may be a separate database for airflow.

Ibone 2021-02-17 10:59:55 UTC #4

Hi @dinesh.angolkar,

"Airflow with Azure Database for PostgreSQL" is a template with both, if you want airflow, you need another solution.

Our solutions of airflow with Postgresql use SSL for service communication by default, you can check this guide https://docs.bitnami.com/azure-templates/infrastructure/apache-airflow/get-started/learn-more-azure-database-postgresql/

Are you deploy this solution following these steps https://docs.bitnami.com/azure-templates/get-started/#step-2-deploy-multi-tier-wordpress-on-microsoft-azure or the CLI?

Regards,
Ibone.

dinesh.angolkar 2021-02-17 11:44:57 UTC #5

Hi @Ibone,

We are trying to create "Airflow with Azure PostgreSQL" via portal (https://portal.azure.com/#create/bitnami.airflow-multitierdefault)

It seems it is trying to create "Azure DB for PostgreSQL" with SSL disabled and hence violating the management group policy on the same (as evident in above raw error json string)

Regards,
Dinesh Angolkar

dinesh.angolkar 2021-02-17 11:48:19 UTC #6

@Ibone,

I have "Azure DB for PostgreSQL" and "Azure Cache for Redis" already setup in our subscription.
Need guidance on integrating the Airflow scheduler, webserver, workers with above 2 PAAS services.
Also we want to use Celery executor on Kubernetes

Regards,
Dinesh Angolkar

Ibone 2021-02-18 10:27:46 UTC #7

Hi @dinesh.angolkar,

Did you check this guide https://docs.bitnami.com/tutorials/deploy-apache-airflow-azure-postgresql-redis/?
Maybe all you need to do is step 3 https://docs.bitnami.com/tutorials/deploy-apache-airflow-azure-postgresql-redis/#step-3-deploy-apache-airflow-on-azure-kubernetes-service-with-helm

Regards,
Ibone.

dinesh.angolkar 2021-02-18 10:52:42 UTC #8

Hi @Ibone,

Please find below screenshot from the same page you referred to: It says "SSL access is disabled because at the time of writing, the Bitnami Apache Airflow Helm chart does not currently support SSL access to external PostgreSQL and Redis services"