
Log Analytics Subscription Id missing from Policy Parameter ID #85

Closed
grtn316 opened this issue May 5, 2021 · 14 comments · Fixed by #86
Labels
bug Something isn't working

grtn316 commented May 5, 2021

Policies that enforce Diagnostic Logs to be configured to send to Log Analytics appear to not be adding in the subscription ID or the unique GUID for the workspace name:

Example of the parameter in an assigned policy: Deploy-Diagnostics-PublicIP

/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/main-mgmt/providers/Microsoft.OperationalInsights/workspaces/main-la-00000000-0000-0000-0000-000000000000

@krowlandson
Contributor

Great catch... we only enabled the integration on the "Deploy-Log-Analytics" Policy Assignment as this is at the Management landing zone scope, however we absolutely need to add these.

Adding this to our backlog for the next release.

@krowlandson krowlandson self-assigned this May 6, 2021
@krowlandson krowlandson added the bug Something isn't working label May 6, 2021
@J0hn-B J0hn-B closed this as completed in #86 May 6, 2021

tohov commented May 24, 2021

@krowlandson
I'm not sure how to proceed. I may have not found the correct way to deploy the Log Analytics workspace and the dependent policy assignments (mainly Deploy-AzActivity-Log and Deploy-Resource-Diag).

I have the 0.3.1 version of the module and when I deploy the Deploy-AzActivity-Log policy assignment, I end up with the parameter having the value like so: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/p2-mgmt/providers/Microsoft.OperationalInsights/workspaces/p2-la. Should I be always setting this parameter manually to include the correct subscription id? I think it's the same issue with Deploy-Resource-Diag policy assignment.

Also, if I were to set the rgName parameter and change the name of the resource group that is being deployed by the Deploy-Log-Analytics then I guess I'd have to change the ${root_scope_id}-mgmt part...? See below.

Extract from policy_assignment_es_deploy_azactivity_log.tmpl.json

"parameters": {
  "logAnalytics": {
    "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
  }
},

I'd like to understand if using the deployIfNotExists policy mentioned above to deploy Log Analytics is going to be an inferior way to deploy LA now that the Deploy Management Resources is out (though still undocumented). What is the difference?


tohov commented May 25, 2021

So I created a remediation task based on the non-compliance report of the Deploy-Log-Analytics assignment with deployIfNotExists. The remediation task fails with this error message. I have zeroed out some of the subscription id information.

Code	InvalidTemplate
Message	Deployment template validation failed:
'The resource '/subscriptions/00000000-0000-0000-0000-5e99a78051c0/resourceGroups/p2-mgmt/providers
/Microsoft.OperationalInsights/workspaces/p2-la/linkedServices/Automation' at line '1' and column '949'
doesn't depend on parent resource '/subscriptions/00000000-0000-0000-0000-5e99a78051c0/resourceGroups/p2-mgmt/providers
/Microsoft.OperationalInsights/workspaces/p2-la'. Please add dependency explicitly using the 'dependsOn' syntax.
Please see https://aka.ms/arm-template/#resources for usage details.'.

Am I doing something wrong? Or is the policy definition template really invalid?

@krowlandson Is there any other way to communicate with the team other than GitHub Issues? Or would you like us to raise an issue on all the unclear stuff regarding policy deployments?


grtn316 commented May 25, 2021

@tohov

Did you set the management group Id as a variable during your deployment? Was this an upgrade or a fresh deployment of 0.3.1?


tohov commented May 25, 2021

@grtn316
Did I set the management group ID as a parameter during the policy assignment deployment? No.
Did I set the Tenant Root Group ID as a variable when deploying the module? Yes.

I started testing from an empty canvas again. All goes well until it's time to deploy the Deploy-Log-Analytics policy assignment. It starts out well. Deployment of the policy is successful. It then goes on to make the evaluation. This comes up as non-compliant. But when I look at the policy assignment the managed identity does not have any permissions assigned. Those should come from the policy definition.

At the time of writing this, I took another look at it, and it seems like the Portal GUI is either extremely slow or it just takes some time for the role assignments to be effective. But now I can see both permissions: Log Analytics Contributor and Monitoring Contributor. Going to try the remediation task next.


tohov commented May 25, 2021

Remediation task fails with the previously reported InvalidTemplate error. Frustrating. Seems like there is something wrong with the dependsOn syntax or definitions.

I've used all my skills to deploy the Log Analytics workspace via policy but seems like the policy Gods are against me.


grtn316 commented May 25, 2021

@tohov

The management subscription must be set for the policies to be configured properly:

  # The subscription id context for the TF apply command must match subscription_id_management
  deploy_management_resources    = true
  subscription_id_management     = data.azurerm_client_config.current.subscription_id

Please be aware that the Subscription Id context that your TF Apply is being run under must be the subscription Id of your management subscription.


tohov commented May 25, 2021

@grtn316 Hmm... seems like we're talking different things here. I'm just trying to deploy the policy assignment that has a deployIfNotExists effect that is set in the archetype definition. You're talking about the Management Resources, right? Where can I find more information about those? Wiki seems empty to me? You see, I have not defined any of those configure_management_resources or other newly released features. If I understood how to configure those, I'd certainly try them.


grtn316 commented May 25, 2021

@tohov

I see. You will need to deploy those resources and that should fix the issue with your policy not having the proper resource id populated.

You can look at my personal example here: demo (You can ignore my custom management group testing and just use what you have)


tohov commented May 25, 2021

Okay, looked at the pull requests and there is a not-yet-merged documentation of management resources. Just for clarification: if using management resources method then those policies deploy-asc-defender and deploy-log-analytics become unnecessary, won't they?


tohov commented May 25, 2021

@grtn316 I'll look into that demo, thank you very much for your help!

Contributor

krowlandson commented May 25, 2021

@krowlandson
I'm not sure how to proceed. I may have not found the correct way to deploy the Log Analytics workspace and the dependent policy assignments (mainly Deploy-AzActivity-Log and Deploy-Resource-Diag).

I have the 0.3.1 version of the module and when I deploy the Deploy-AzActivity-Log policy assignment, I end up with the parameter having the value like so: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/p2-mgmt/providers/Microsoft.OperationalInsights/workspaces/p2-la. Should I be always setting this parameter manually to include the correct subscription id? I think it's the same issue with Deploy-Resource-Diag policy assignment.

Also, if I were to set the rgName parameter and change the name of the resource group that is being deployed by the Deploy-Log-Analytics then I guess I'd have to change the ${root_scope_id}-mgmt part...? See below.

Extract from policy_assignment_es_deploy_azactivity_log.tmpl.json

"parameters": {
  "logAnalytics": {
    "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
  }
},

I'd like to understand if using the deployIfNotExists policy mentioned above to deploy Log Analytics is going to be an inferior way to deploy LA now that the Deploy Management Resources is out (though still undocumented). What is the difference?

@tohov, looking at the information provided it looks like @grtn316 is on the right track with his suggestion.

To clarify a couple of additional points around this:

  • The module works in two parts relating to the management configuration:
    • Part 1 is the configuration of management resources set by configure_management_resources, which determines which resources to create if deploy_management_resources = true, and which values to set against the policies relating to these (such as Deploy-ASC-Defender and Deploy-Log-Analytics, but also many others). subscription_id_management serves as part of this configuration, ensuring the placeholder value 00000000-0000-0000-0000-000000000000 is replaced with a real Subscription ID.
    • Part 2 is the deployment of the resources, which only happens when deploy_management_resources = true.
  • subscription_id_management is also used to pin the provided Subscription to the management Management Group.

If you do not wish to deploy the management resources (e.g. Log Analytics workspace) using the module you can simply rely on Policy, but our recommendation is to set deploy_management_resources = true, ensuring that the module is run under a provider which is configured to point to the same Subscription. We are working on examples covering this, but do not expect these to be released for a few weeks.

Also, we are working behind the scenes to update the Wiki documentation for this which will hopefully help in the future.

Hope this helps, but please keep posting questions here and we will do our best to support you.
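As an added illustration of the failure mode discussed in this thread (the all-zero subscription placeholder surviving into an assigned policy's logAnalytics parameter when subscription_id_management is not supplied), the following Python is not part of the module or of any comment above. It models the two substitutions krowlandson describes on a constructed copy of the template fragment tohov quoted, then audits the rendered resource ID so a pipeline can fail before the assignment is deployed. The management subscription ID 11111111-2222-3333-4444-555555555555, the JSON wrapper around the fragment, and the function names are all assumptions made for the example.

```python
import json
import re
import string

# Constructed extract modelled on the policy_assignment_es_deploy_azactivity_log.tmpl.json
# fragment quoted in the thread; an illustration, not the module's own file.
ASSIGNMENT_TEMPLATE = """{
  "parameters": {
    "logAnalytics": {
      "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
    }
  }
}"""

PLACEHOLDER_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Shape of a Log Analytics workspace resource ID. 'resourceGroups' appears in both casings
# in the thread and ARM compares resource IDs case-insensitively, hence IGNORECASE.
WORKSPACE_ID = re.compile(
    rf"^/subscriptions/(?P<sub>{GUID})/resourceGroups/(?P<rg>[-\w.()]+)"
    r"/providers/Microsoft\.OperationalInsights/workspaces/(?P<ws>[-\w]+)$",
    re.IGNORECASE,
)


def render_assignment(template_text, root_scope_id, subscription_id_management=None):
    """Reproduce the two substitutions the thread describes: ${root_scope_id} is always
    filled in, while the all-zero subscription placeholder is only swapped when a
    management subscription ID is supplied (modelled on subscription_id_management)."""
    rendered = string.Template(template_text).safe_substitute(root_scope_id=root_scope_id)
    if subscription_id_management:
        rendered = rendered.replace(PLACEHOLDER_SUBSCRIPTION, subscription_id_management)
    return json.loads(rendered)


def check_workspace_id(resource_id):
    """Return a list of finding codes for one logAnalytics parameter value (empty means OK)."""
    match = WORKSPACE_ID.match(resource_id)
    if not match:
        return ["malformed-id"]  # unrendered ${...} placeholders or the wrong ID shape
    if match.group("sub").lower() == PLACEHOLDER_SUBSCRIPTION:
        return ["placeholder-subscription"]  # the bug this issue reports
    return []


def audit_assignment(assignment, parameter_names=("logAnalytics",)):
    """Map each checked parameter name to its findings; a missing parameter is malformed."""
    params = assignment.get("parameters", {})
    return {
        name: check_workspace_id(params.get(name, {}).get("value", ""))
        for name in parameter_names
    }


if __name__ == "__main__":
    # Case 1: only the scope ID is set, which is what the thread's reports show.
    broken = render_assignment(ASSIGNMENT_TEMPLATE, "p2")
    print(broken["parameters"]["logAnalytics"]["value"], audit_assignment(broken))
    # Case 2: a constructed management subscription ID is supplied as well.
    fixed = render_assignment(ASSIGNMENT_TEMPLATE, "p2", "11111111-2222-3333-4444-555555555555")
    print(fixed["parameters"]["logAnalytics"]["value"], audit_assignment(fixed))
```

Run the same audit against the parameters of an already assigned policy (for example the output of `az policy assignment show`) to catch assignments whose logAnalytics value still points at the placeholder subscription; such an assignment is non-compliant by construction and its remediation will never reach the intended workspace.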


tohov commented May 26, 2021

@krowlandson Thanks for the help. It really helped to see @grtn316's configuration as it was almost (not entirely) what I was looking for. I now understand a lot better how to deploy management resources. Going to test management resource deployment out today with the 0.3.2 version of the module.


tohov commented May 26, 2021

@krowlandson Even with my best efforts, I got stuck with the deployment. Went through the issues again and there was one similar issue but it does not resolve my situation. I will post a new issue about it. #116

@ghost ghost locked as resolved and limited conversation to collaborators Dec 14, 2021