From 83ebd471b32f2a65a2d2eaeb6f77bd91d31c279e Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Tue, 28 May 2024 12:22:28 +0400
Subject: [PATCH] feat: Improve efficiency of Deploy-Private-DNS-Generic policy evaluation

---
 docs/wiki/Whats-new.md | 2 +-
 .../policyDefinitions/Deploy-Private-DNS-Generic.json | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index fbe8d83d42..4f4aff9fbb 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -87,7 +87,7 @@ This release includes:
 - [Virtual Machine should have TrustedLaunch enabled](https://www.azadvertizer.net/azpolicyadvertizer/c95b54ad-0614-4633-ab29-104b01235cbf.html)
 - Updated ARM deployment for Defender for APIs, which now requires a sub plan be specified. We're defaulting to sub plan "P1", and have confirmed that costs will only be incurred once an API has expressly been onboarded to Defender for APIs. Please thoroughly review Defender for API plans as they related to your environment and adjust the sub plan as needed.
 - Deprecated custom policy [Storage Account set to minimum TLS and Secure transfer should be enabled](https://www.azadvertizer.net/azpolicyadvertizer/Deny-Storage-minTLS.html) and replaced with two built-in policies [Secure transfer to storage accounts should be enabled](https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html) and [Storage accounts should have the specified minimum TLS version](https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html).
-- Added new custom policy "Deploy-Private-DNS-Generic" this policy will DINE-configure private DNS zone groups to override the DNS resolution for PaaS services private endpoint. It is generic to enable private DNS zones for the services which supports private DNS but don't have built-in policies available and also for the new services which support private DNS in future. This policy is also configured to evaluate immediately after successfully provisioning a resource, instead of waiting the default 10 minutes.
+- Added new custom policy "Deploy-Private-DNS-Generic" this policy will DINE-configure private DNS zone groups to override the DNS resolution for PaaS services private endpoint. It is generic to enable private DNS zones for the services which supports private DNS but don't have built-in policies available and also for the new services which support private DNS in future. This policy is also configured to evaluate immediately after successfully provisioning a resource by default, with the ability to configure the evaluation delay, instead of waiting the default 10 minutes.
 - Deprecated [Deploy-EncryptTransit](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-EncryptTransit.html) initiative and superseded with [Deploy-EncryptTransit_20240509](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-EncryptTransit_20240509.html) to minimize breaking change impact on existing deployments.
 - Fixed the assignment for [Configure periodic checking for missing system updates on azure virtual machines](https://www.azadvertizer.net/azpolicyadvertizer/59efceea-0c96-497e-a4a1-4eb2290dac15.html) to use the correct RBAC role.
 - Added new initiative for Microsoft Defender for Endpoints [Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/77b391e3-2d5d-40c3-83bf-65c846b3c6a3.html).
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json
index adb37600dc..3e933d3173 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json
@@ -53,6 +53,14 @@
 "displayName": "PaaS Private endpoint group ID (subresource)",
 "description": "The group ID of the PaaS private endpoint. Also referred to as subresource."
 }
+ },
+ "evaluationDelay": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Evaluation Delay",
+ "description": "The delay in evaluation of the policy defaulting to after provisioning success. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists"
+ },
+ "defaultValue": "AfterProvisioningSuccess"
 }
 },
 "policyRule": {
@@ -86,7 +94,7 @@
 "effect": "[[parameters('effect')]",
 "details": {
 "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
- "EvaluationDelay": "AfterProvisioningSuccess",
+ "EvaluationDelay": "[[parameters('evaluationDelay')]]",
 "roleDefinitionIds": [
 "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
 ],
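Review bot: The new `evaluationDelay` parameter is an unconstrained `String` with no `allowedValues`, so a mistyped or unsupported value is only discovered when the assignment is created or first evaluated, and a DINE policy that never evaluates leaves private endpoints without their private DNS zone group. If ISO 8601 durations are not needed for this policy, consider pinning the named options, e.g. `"allowedValues": ["AfterProvisioning", "AfterProvisioningSuccess", "AfterProvisioningFailure"],` placed next to `"defaultValue"`; if durations must remain possible, keep the free-form string but extend the description to state the accepted forms (the three named options or an ISO 8601 duration, per the linked documentation) so assignment authors are not left to guess. The description itself reads awkwardly; suggested wording: `"description": "Delay before the policy is evaluated after a resource is provisioned. Defaults to AfterProvisioningSuccess. See https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists for the accepted values."`. The enclosing `parameters` object starts before this hunk.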
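Review bot: The added `"EvaluationDelay": "[[parameters('evaluationDelay')]]"` closes its expression with `]]`, while the sibling `"effect": "[[parameters('effect')]"` three lines above closes with a single `]`. If `[[` is this file's escape for a leading bracket when the definition is embedded in a template, as the effect line suggests, the rendered value would be `[parameters('evaluationDelay')]]` with a stray trailing bracket, which would either fail deployment or, worse, be taken as a literal delay string and quietly stop the DINE effect from running. Suggest matching the existing form, `"EvaluationDelay": "[[parameters('evaluationDelay')]",`, and verifying the rendered definition once in a test deployment. The enclosing `then.details` object continues outside the hunk.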