
We have an Azure hub and spoke network scenario, where we deploy resources into a spoke network. The resources are secured with private endpoints.

For DNS resolution we are using Azure Private DNS zones; these zones reside in the hub subscription and are linked to the hub network.

For that we are using these beautiful DeployIfNotExists policies: https://www.azadvertizer.net/azpolicyadvertizer/75973700-529f-4de2-b794-fb9b6781b6b0.html

But as we are also deploying an App Service Environment, which has no private endpoint but a private IP, we can't use this policy in that case.

Is there an elegant solution, or a policy, to add the A records to the Private DNS zone automatically, without giving permission to the deployment principal?

lukas

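One shape such a policy could take, as an added example that is not part of the question above and not a Microsoft built-in: a DeployIfNotExists definition that fires on `Microsoft.Web/hostingEnvironments`, reads the ASE's internal inbound IP from its `configurations/networking` sub-resource, and runs a nested deployment in the hub subscription that creates the `<asename>.appserviceenvironment.net` zone with the `@`, `*` and `*.scm` A records and links it to the hub VNet. Nothing is granted to the deployment principal; the deployment runs under the policy assignment's managed identity. Assumptions: an ASEv3 with an internal load balancer (the `internalInboundIpAddresses` property and the zone/record names follow the ASEv3 documentation), and the parameter names, the `aseDnsRecords` tag and the resource names are invented for this example. Two caveats: Azure Policy cannot evaluate existence in another subscription, so the example marks the ASE with a tag after the records are written and uses that tag as the existence condition; and Policy only auto-assigns `roleDefinitionIds` at the assignment scope (the spoke), so the assignment identity must separately be given Private DNS Zone Contributor and Network Contributor (for the VNet link) on the hub DNS resource group before remediation will succeed.

```json
{
  "properties": {
    "displayName": "Example: deploy App Service Environment A records into a hub Private DNS zone",
    "mode": "Indexed",
    "parameters": {
      "hubSubscriptionId":   { "type": "String" },
      "hubDnsResourceGroup": { "type": "String" },
      "hubVnetId":           { "type": "String" }
    },
    "policyRule": {
      "if": { "field": "type", "equals": "Microsoft.Web/hostingEnvironments" },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Web/hostingEnvironments",
          "name": "[field('name')]",
          "existenceCondition": { "field": "tags['aseDnsRecords']", "equals": "deployed" },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "aseId":               { "value": "[field('id')]" },
                "aseName":             { "value": "[field('name')]" },
                "hubSubscriptionId":   { "value": "[parameters('hubSubscriptionId')]" },
                "hubDnsResourceGroup": { "value": "[parameters('hubDnsResourceGroup')]" },
                "hubVnetId":           { "value": "[parameters('hubVnetId')]" }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "aseId": { "type": "string" }, "aseName": { "type": "string" },
                  "hubSubscriptionId": { "type": "string" }, "hubDnsResourceGroup": { "type": "string" },
                  "hubVnetId": { "type": "string" }
                },
                "variables": {
                  "zoneName": "[concat(parameters('aseName'), '.appserviceenvironment.net')]",
                  "inboundIp": "[reference(concat(parameters('aseId'), '/configurations/networking'), '2022-09-01').internalInboundIpAddresses[0]]",
                  "recordNames": [ "@", "*", "*.scm" ],
                  "hubDeploymentName": "[concat('asedns-', parameters('aseName'))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2022-09-01",
                    "name": "[variables('hubDeploymentName')]",
                    "subscriptionId": "[parameters('hubSubscriptionId')]",
                    "resourceGroup": "[parameters('hubDnsResourceGroup')]",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": { "scope": "inner" },
                      "parameters": {
                        "zoneName":    { "value": "[variables('zoneName')]" },
                        "inboundIp":   { "value": "[variables('inboundIp')]" },
                        "hubVnetId":   { "value": "[parameters('hubVnetId')]" },
                        "recordNames": { "value": "[variables('recordNames')]" }
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "zoneName": { "type": "string" }, "inboundIp": { "type": "string" },
                          "hubVnetId": { "type": "string" }, "recordNames": { "type": "array" }
                        },
                        "resources": [
                          {
                            "type": "Microsoft.Network/privateDnsZones",
                            "apiVersion": "2020-06-01",
                            "name": "[parameters('zoneName')]",
                            "location": "global"
                          },
                          {
                            "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
                            "apiVersion": "2020-06-01",
                            "name": "[concat(parameters('zoneName'), '/hub-link')]",
                            "location": "global",
                            "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', parameters('zoneName'))]" ],
                            "properties": { "registrationEnabled": false, "virtualNetwork": { "id": "[parameters('hubVnetId')]" } }
                          },
                          {
                            "type": "Microsoft.Network/privateDnsZones/A",
                            "apiVersion": "2020-06-01",
                            "name": "[format('{0}/{1}', parameters('zoneName'), parameters('recordNames')[copyIndex()])]",
                            "copy": { "name": "aRecords", "count": "[length(parameters('recordNames'))]" },
                            "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', parameters('zoneName'))]" ],
                            "properties": { "ttl": 3600, "aRecords": [ { "ipv4Address": "[parameters('inboundIp')]" } ] }
                          }
                        ]
                      }
                    }
                  },
                  {
                    "type": "Microsoft.Resources/tags",
                    "apiVersion": "2022-09-01",
                    "name": "default",
                    "scope": "[parameters('aseId')]",
                    "dependsOn": [ "[variables('hubDeploymentName')]" ],
                    "properties": {
                      "tags": "[union(if(contains(reference(parameters('aseId'), '2022-09-01', 'Full'), 'tags'), reference(parameters('aseId'), '2022-09-01', 'Full').tags, createObject()), createObject('aseDnsRecords', 'deployed'))]"
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}
```

The outer template runs in the ASE's resource group (that is where Policy places DINE deployments), which is why the IP lookup and the tag write happen there and only the DNS objects are pushed into the hub through the nested `Microsoft.Resources/deployments` with `subscriptionId` and `resourceGroup` set. The tag write merges into the existing tags rather than replacing them, since a PUT on `Microsoft.Resources/tags` overwrites the whole tag set; the Tag Contributor role in `roleDefinitionIds` covers that write. Before assigning, check the inbound IP property on one of your ASEs with `az rest --method get --uri "<ase resource id>/configurations/networking?api-version=2022-09-01"` to confirm the property name matches your ASE version.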