Governance Transforms Private Endpoints - Azure/az-prototype GitHub Wiki
Remove private endpoint resources from non-networking stages
Domain: networking
| Check | Description |
|---|---|
| TFM-NET-001 | Remove private endpoint, private DNS zone, DNS zone link, and DNS zone group resources from non-networking stages. These resources belong exclusively in the dedicated Networking stage. |
Rationale: The architecture mandates a single Networking stage that creates ALL private endpoints, DNS zones, and DNS zone groups. Service stages must NOT create these resources — they only set publicNetworkAccess to Disabled on their own resources.
Agents: terraform-agent, bicep-agent
All
Type: Structured
Search: 'privateEndpoints or privateDnsZones in non-networking stage'
Replace: 'removed'
Handler: remove_private_endpoint_resources
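As an added example (not code from the az-prototype repository), the following is a hypothetical Python implementation of a handler in the spirit of `remove_private_endpoint_resources`: it scans a stage's Terraform or Bicep source for the resource types that TFM-NET-001 reserves for the Networking stage, strips those blocks from any non-networking stage, and leaves the service resource itself, including its `public_network_access_enabled = false` / `publicNetworkAccess: 'Disabled'` setting, untouched. The azurerm and `Microsoft.Network/...` type names are the real provider types; the stage name `"networking"`, the handler signature, the sample files and the brace-matching approach are assumptions made for this example.

```python
import re

# Resource types that belong exclusively to the Networking stage (TFM-NET-001).
# Terraform azurerm types and Bicep/ARM types are both listed. In azurerm the DNS
# zone group is a nested block of azurerm_private_endpoint, so removing the
# endpoint removes it; in Bicep it is a child resource with its own type.
NETWORKING_ONLY_TYPES = {
    "azurerm_private_endpoint",
    "azurerm_private_dns_zone",
    "azurerm_private_dns_zone_virtual_network_link",
    "Microsoft.Network/privateEndpoints",
    "Microsoft.Network/privateDnsZones",
    "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
    "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
}

# Terraform header:  resource "azurerm_private_endpoint" "pe" {
TF_HEADER = re.compile(r'^[ \t]*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{', re.MULTILINE)
# Bicep header:      resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
BICEP_HEADER = re.compile(r"^[ \t]*resource\s+(\w+)\s+'([^'@]+)@[^']+'\s*=\s*\{", re.MULTILINE)


def _block_end(text, open_brace):
    """Index just past the '}' matching the '{' at open_brace (naive: ignores braces in strings)."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced braces in resource block")


def find_networking_only_resources(text):
    """Return [(resource_type, name, start, end)] for every block of a Networking-only type."""
    found = []
    for m in TF_HEADER.finditer(text):
        rtype, name = m.group(1), m.group(2)
        if rtype in NETWORKING_ONLY_TYPES:
            found.append((rtype, name, m.start(), _block_end(text, m.end() - 1)))
    for m in BICEP_HEADER.finditer(text):
        name, rtype = m.group(1), m.group(2)
        if rtype in NETWORKING_ONLY_TYPES:
            found.append((rtype, name, m.start(), _block_end(text, m.end() - 1)))
    return sorted(found, key=lambda f: f[2])


def remove_private_endpoint_resources(stage, text):
    """Hypothetical handler: in a non-networking stage, delete every Networking-only block.
    Returns (cleaned_text, removed) where removed is a list of (resource_type, name)."""
    if stage == "networking":          # assumed stage name; the Networking stage keeps everything
        return text, []
    hits = find_networking_only_resources(text)
    cleaned = text
    for _, _, start, end in reversed(hits):   # splice from the back so earlier offsets stay valid
        if cleaned[end:end + 1] == "\n":      # also drop the newline that ended the block
            end += 1
        cleaned = cleaned[:start] + cleaned[end:]
    return cleaned, [(rtype, name) for rtype, name, _, _ in hits]


# Constructed sample: a storage stage that wrongly creates its own private endpoint and DNS zone.
SAMPLE_TF = '''resource "azurerm_storage_account" "sa" {
  name                          = "stexample"
  public_network_access_enabled = false
}

resource "azurerm_private_endpoint" "sa_pe" {
  name      = "pe-stexample"
  subnet_id = var.subnet_id
  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.blob.id]
  }
}

resource "azurerm_private_dns_zone" "blob" {
  name = "privatelink.blob.core.windows.net"
}
'''

# Constructed sample: the same mistake in Bicep.
SAMPLE_BICEP = '''resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stexample'
  properties: { publicNetworkAccess: 'Disabled' }
}

resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-stexample'
  properties: { subnet: { id: subnetId } }
}
'''

if __name__ == "__main__":
    for label, src in (("storage.tf", SAMPLE_TF), ("storage.bicep", SAMPLE_BICEP)):
        cleaned, removed = remove_private_endpoint_resources("storage", src)
        print(f"{label}: removed {removed}")
        print(cleaned)
```

Running the handler against the `"networking"` stage is a no-op, which is the property worth checking in CI: the transform must never touch the one stage that is allowed to own these resources. The brace matcher is deliberately simple; a production version would use an HCL or Bicep parser rather than counting braces, since a `{` inside a string literal would throw it off.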