
Bug Report: Azure Policies with Log Analytics Workspace parameters issue #244

Closed · ofbjansen opened this issue Dec 16, 2021 · 7 comments

@ofbjansen
Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform: 1.0.8

azure provider: 2.88.1

module: 1.1.0

Description

Describe the bug

When deploying any of the policies that use a Log Analytics workspace as a parameter, the policy is created and all looks fine, but the actual Log Analytics workspace is not linked to the policy. You will see the Log Analytics setting in the overview, but when editing the policy you have to select the Log Analytics workspace manually. After selecting the Log Analytics workspace, Terraform will report that resources were changed outside of Terraform.

Steps to Reproduce

  1. Deploy module with management resources.
  2. Check the "Enable Azure Monitor for VMs" policy assignment.
  3. You will find that Parameter ID "LogAnalytics_1" has a parameter value that seems to be reflecting the LAW
  4. Edit assignment and go to Parameters.
  5. You will find that the Log Analytics workspace is not linked.
  6. Link it to the correct log analytics workspace.
  7. Run a plan on your code and the plan will give a lot of changes on the assigned policies in the policy sets

Screenshots

Additional context

I have advanced settings to change management resource group name and log analytics workspace name.

These are my results after changing the Log Analytics parameter in the portal and then running terraform plan:

-/+ resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
      ~ id                   = "/providers/Microsoft.Management/managementGroups/onno/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring" -> (known after apply)
      ~ metadata             = jsonencode(
            {
              - createdBy       = "<replaced>"
              - createdOn       = "2021-12-16T11:23:20.6031504Z"
              - parameterScopes = {
                  - logAnalytics_1 = "/subscriptions/<replaced>/resourcegroups/rg-test"
                }
              - updatedBy       = "<replaced>"
              - updatedOn       = "2021-12-16T11:28:15.7183847Z"
            }
        ) -> (known after apply)
        name                 = "Deploy-VM-Monitoring"
      ~ parameters           = jsonencode(
          ~ {
              ~ logAnalytics_1 = {
                  ~ value = "/subscriptions/<replaced>/resourcegroups/rg-test/providers/microsoft.operationalinsights/workspaces/log-test" -> "/subscriptions/<replaced>/resourceGroups/rg-test/providers/Microsoft.OperationalInsights/workspaces/log-test"
                }
            } # forces replacement
        )
        # (7 unchanged attributes hidden)

      ~ identity {
          ~ principal_id = "<replaced>" -> (known after apply)
          ~ tenant_id    = "<replaced>" -> (known after apply)
            # (1 unchanged attribute hidden)
        }
    }

@matt-FFFFFF matt-FFFFFF self-assigned this Dec 16, 2021

@matt-FFFFFF (Member)

Hi @ofbjansen,

Thanks for reporting the issue. Can I ask that you try and deploy the policy assignment using only the module, and then run the following command to get the configuration from ARM:

az rest --method GET --uri /providers/Microsoft.Management/managementGroups/onno/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring?api-version=2021-06-01

This will show you the JSON representation of the policyAssignment. I am interested to know if we have a portal UI bug here or whether the policy parameter is not configured correctly.

Many thanks!

@ofbjansen (Author)

az rest --method GET --uri /providers/Microsoft.Management/managementGroups/onno/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring?api-version=2021-06-01

Hi Matt, I get an error back:
no matches found: /providers/Microsoft.Management/managementGroups/onno/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring?api-version=2021-06-01

@ofbjansen (Author) commented Dec 17, 2021

@matt-FFFFFF

Found out that the policy assignments are missing metadata variables. I have not yet found the solution in the code (not yet thought about it), but I wanted to share what I did in order to make it work in my sandbox.

In the module I changed the policy_assignment_es_deploy_vm_monitoring.tmpl.json file to contain the metadata missing for the policy to work (file location: modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json):

code added:

"metadata": {
  "parameterScopes": {
    "logAnalytics_1": "/subscriptions/<subscription_id_removed>/resourcegroups/rg-test"
  }
},

This additional configuration made it work for the VM monitoring policy, and I guess this is the case for multiple other policies.

Hope this will give you all a nudge in the right direction.

@krowlandson (Contributor)

@ofbjansen - yes, we also believe this to be the solution and are just waiting for the chance to test and confirm. This was on our backlog but at low priority, as no one had previously asked for this.

As our policies are sourced from Azure/Enterprise-Scale, we will have to make the updates there, pull them down and then add them to the next release.

We will keep you up to date on how this progresses via this issue for now, but will probably link to another in the upstream repository once we're ready to start working on this.

Thank you for bringing this to our attention for prioritisation 😄

@matt-FFFFFF (Member)

Hi @ofbjansen

I wanted to clarify that this issue doesn't prevent the policy assignment from working, it only prevents the portal UI from displaying the parameter correctly.

To prove this, I have deployed the module and then performed a GET on the Azure Policy Assignment resource using the following command:

az rest --method GET --uri /providers/Microsoft.Management/managementGroups/issue244/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring?api-version=2021-06-01 | jq .properties.parameters

This produces the following output, with the correct resourceId of the Log Analytics Workspace, as you can see:

{
  "logAnalytics_1": {
    "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/issue244-mgmt/providers/Microsoft.OperationalInsights/workspaces/issue244-la"
  }
}

I will log an issue in the parent repo to cover this so that we have it on our backlog. However, this may have a low priority as it is a cosmetic bug, rather than a functional one.
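An added example, not code from this issue, from the caf-enterprise-scale module or from Azure, that ties together the two checks discussed in the thread: the ARM GET verification Matt ran above (the `properties.parameters` object with the workspace resourceId) and the `metadata.parameterScopes` fragment the reporter added by hand in the Dec 17 comment. The script classifies a Terraform-vs-ARM parameter difference as case-only (the situation in the reporter's plan output, where the same workspace ID comes back with canonical casing) versus a real change, and derives the missing `parameterScopes` entries from the resource IDs already in the assignment. The input shape mirrors the `properties` object returned by `az rest`; the JSON below is constructed with a placeholder subscription ID, and only subscription- or resource-group-scoped resource IDs are handled (both assumptions, not from the page).

```python
"""Added example, not code from the issue, the caf-enterprise-scale module or
Azure: (1) classify the Terraform-vs-ARM parameter drift shown in the plan
output as case-only versus real, and (2) derive the metadata.parameterScopes
fragment the reporter added by hand, from the resource IDs already present in
the assignment.

Assumptions (not from the page): the input mirrors the `properties` object
that `az rest --method GET .../policyAssignments/<name>` returns; the sample
below is constructed with a placeholder subscription ID; only
subscription- or resource-group-scoped resource IDs are handled.
"""
import json
import re

# Constructed sample modeled on the thread: ARM returned the workspace ID with
# canonical casing, while the module template rendered it in lowercase.
ARM_ASSIGNMENT = json.loads("""
{
  "name": "Deploy-VM-Monitoring",
  "properties": {
    "parameters": {
      "logAnalytics_1": {
        "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.OperationalInsights/workspaces/log-test"
      }
    },
    "metadata": {}
  }
}
""")

# What the Terraform configuration wants (lowercase, as in the plan output).
DESIRED_PARAMETERS = {
    "logAnalytics_1": {
        "value": "/subscriptions/00000000-0000-0000-0000-000000000000"
                 "/resourcegroups/rg-test/providers/microsoft.operationalinsights"
                 "/workspaces/log-test"
    }
}

# Subscription scope with an optional resource group segment, case-insensitive.
_SCOPE_RE = re.compile(r"^(/subscriptions/[^/]+(?:/resourcegroups/[^/]+)?)", re.IGNORECASE)


def is_resource_id(value):
    """True for subscription-rooted ARM resource IDs (the only kind handled here)."""
    return isinstance(value, str) and value.lower().startswith("/subscriptions/")


def classify_drift(desired, actual):
    """Compare desired vs actual parameter values.

    Returns {name: 'same' | 'case-only' | 'changed' | 'missing'}.  A
    'case-only' result is the situation in the plan output above: the same
    resource spelled with different casing, which Terraform still treats as a
    change that forces replacement of the assignment.
    """
    result = {}
    for name, spec in desired.items():
        want = spec.get("value")
        have = actual.get(name, {}).get("value")
        if have is None:
            result[name] = "missing"
        elif want == have:
            result[name] = "same"
        elif is_resource_id(want) and is_resource_id(have) and want.lower() == have.lower():
            result[name] = "case-only"
        else:
            result[name] = "changed"
    return result


def scope_of(resource_id):
    """Resource group scope of a resource ID, or the subscription if it has none."""
    m = _SCOPE_RE.match(resource_id)
    if not m:
        raise ValueError("not a subscription-rooted ARM resource ID: %s" % resource_id)
    return m.group(1)


def missing_parameter_scopes(assignment):
    """parameterScopes entries the assignment lacks for its resource-ID parameters."""
    props = assignment["properties"]
    existing = (props.get("metadata") or {}).get("parameterScopes") or {}
    return {
        name: scope_of(spec["value"])
        for name, spec in (props.get("parameters") or {}).items()
        if is_resource_id(spec.get("value")) and name not in existing
    }


def metadata_patch(assignment):
    """The JSON fragment to merge into the assignment template (the reporter's fix)."""
    return {"metadata": {"parameterScopes": missing_parameter_scopes(assignment)}}


if __name__ == "__main__":
    actual = ARM_ASSIGNMENT["properties"]["parameters"]
    print("drift:", classify_drift(DESIRED_PARAMETERS, actual))
    print(json.dumps(metadata_patch(ARM_ASSIGNMENT), indent=2))
```

Two practical notes. First, the `# forces replacement` marker in the reporter's plan means the assignment and its system-assigned identity are destroyed and recreated (the plan shows `principal_id` becoming known after apply), so a case-only difference should be treated as cosmetic and resolved in the configuration rather than applied blindly, otherwise any role assignments granted to the old principal for DeployIfNotExists remediation stop matching it. Second, the `no matches found` error above is zsh refusing to expand `?` in `?api-version=...` as a glob; quoting the URI argument avoids it.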

@matt-FFFFFF (Member)

Upstream issue: Azure/Enterprise-Scale#882

@matt-FFFFFF (Member)

Closing; will create a separate enhancement issue to track this.

@ghost ghost locked as resolved and limited conversation to collaborators Jan 20, 2022