Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs
MIT License

Errors when deploying alzDefaultPolicyAssignments.bicep #632

Closed amp-pds closed 1 year ago

amp-pds commented 1 year ago

What happened?

Each time we deploy alzDefaultPolicyAssignments.bicep we get errors for policy set definitions.

Note that each time the deployment is run, the failed policy set definitions can be the same or different ones.

```powershell
New-AzManagementGroupDeployment `
    -DeploymentName ${{parameters.Id}}-CustomPolicyDefsDeployment-$deployTime `
    -Location ${{parameters.location}} `
    -ManagementGroupId $(intermediateRootId) `
    -TemplateFile upstream-releases\$(UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\modules\policy\definitions\customPolicyDefinitions.bicep `
    -Verbose `
    -parTelemetryOptOut  $true `  
    -parTargetManagementGroupId $(intermediateRootId)
```

Example errors below for two different deployments from the same deployment script.

Please provide the correlation id associated with your error or bug.

Deployment 1: CorrelationId: 9ecbd923-54db-4247-8073-13d95964484a
Deployment 2: CorrelationId: 79167354-64bd-46cd-8f7f-4e3011d27f83

What was the expected outcome?

No response

Relevant log output

Deployment 1:
Status Message: The policy set definition 'Deploy-MDFC-Config' request is invalid. Policy definitions should be specified only at or above the policy set definition's scope. The following policy definitions are invalid: 'Deploy-ASC-SecurityContacts'. (Code:InvalidCreatePolicySetDefinitionRequest)

Status Message: The policy set definition 'Audit-UnusedResourcesCostOptimization' request is invalid. Policy definitions should be specified only at or above the policy set definition's scope. The following policy definitions are invalid: 'Audit-AzureHybridBenefit,Audit-Disks-UnusedResourcesCostOptimization,Audit-PublicIpAddresses-UnusedResourcesCostOptimization,Audit-ServerFarms-UnusedResourcesCostOptimization'. (Code:InvalidCreatePolicySetDefinitionRequest)

Status Message: The policy set definition 'Deploy-Diagnostics-LogAnalytics' request is invalid. Policy definitions should be specified only at or above the policy set definition's scope. The following policy definitions are invalid: 'Deploy-Diagnostics-ACI,Deploy-Diagnostics-ACR,Deploy-Diagnostics-AnalysisService,Deploy-Diagnostics-ApiForFHIR,Deploy-Diagnostics-APIMgmt,Deploy-Diagnostics-ApplicationGateway,Deploy-Diagnostics-WebServerFarm,Deploy-Diagnostics-Website,Deploy-Diagnostics-AA,Deploy-Diagnostics-AVDScalingPlans,Deploy-Diagnostics-Bastion,Deploy-Diagnostics-CDNEndpoints,Deploy-Diagnostics-CognitiveServices,Deploy-Diagnostics-CosmosDB,Deploy-Diagnostics-Databricks,Deploy-Diagnostics-DataExplorerCluster,Deploy-Diagnostics-DataFactory,Deploy-Diagnostics-DLAnalytics,Deploy-Diagnostics-EventGridSub,Deploy-Diagnostics-EventGridTopic,Deploy-Diagnostics-EventGridSystemTopic,Deploy-Diagnostics-ExpressRoute,Deploy-Diagnostics-Firewall,Deploy-Diagnostics-FrontDoor,Deploy-Diagnostics-Function,Deploy-Diagnostics-HDInsight,Deploy-Diagnostics-iotHub,Deploy-Diagnostics-LoadBalancer,Deploy-Diagnostics-LogAnalytics,Deploy-Diagnostics-LogicAppsISE,Deploy-Diagnostics-MariaDB,Deploy-Diagnostics-MediaService,Deploy-Diagnostics-MlWorkspace,Deploy-Diagnostics-MySQL,Deploy-Diagnostics-NIC,Deploy-Diagnostics-NetworkSecurityGroups,Deploy-Diagnostics-PostgreSQL,Deploy-Diagnostics-PowerBIEmbedded,Deploy-Diagnostics-RedisCache,Deploy-Diagnostics-Relay,Deploy-Diagnostics-SignalR,Deploy-Diagnostics-SQLElasticPools,Deploy-Diagnostics-SQLMI,Deploy-Diagnostics-TimeSeriesInsights,Deploy-Diagnostics-TrafficManager,Deploy-Diagnostics-VM,Deploy-Diagnostics-VirtualNetwork,Deploy-Diagnostics-VMSS,Deploy-Diagnostics-VNetGW,Deploy-Diagnostics-VWanS2SVPNGW,Deploy-Diagnostics-WVDAppGroup,Deploy-Diagnostics-WVDHostPools,Deploy-Diagnostics-WVDWorkspace'. (Code:InvalidCreatePolicySetDefinitionRequest)

Deployment 2:
Status Message: The policy set definition 'Enforce-ALZ-Decomm' request is invalid. Policy definitions should be specified only at or above the policy set definition's scope. The following policy definitions are invalid: 'Deploy-Vm-autoShutdown'. (Code:InvalidCreatePolicySetDefinitionRequest)

Status Message: The policy set definition 'Deploy-MDFC-Config' request is invalid. Policy definitions should be specified only at or above the policy set definition's scope. The following policy definitions are invalid: 'Deploy-ASC-SecurityContacts'. (Code:InvalidCreatePolicySetDefinitionRequest)

Status Message: The policy set definition 'Enforce-ALZ-Sandbox' request is invalid. Policy definitions should be specified only at or above the policy set definition's scope. The following policy definitions are invalid: 'Deny-VNET-Peer-Cross-Sub'. (Code:InvalidCreatePolicySetDefinitionRequest)


amp-pds commented 1 year ago

Found the issue. There were two spaces after the -parTelemetryOptOut $true ` line, which prevented the next line from functioning correctly and overriding the parTargetManagementGroupId parameter in the template.