Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs
MIT License

Policy Assignment "Deploy-ASC-Monitoring" has no identity. Intention? #707

Closed baartch closed 8 months ago

baartch commented 9 months ago


Hi everyone, I'm a little confused about this.

We have many Non-compliant resources in the Policy Assignment named Enable Monitoring in Microsoft Defender for Cloud. [image]

When I click on Create remediation task I get a 404. [image]

And when I check the template, it is the only deploy template (policy_assignment_es_deploy_***) where identity is set to none. All the other deploy templates have a SystemAssigned identity. https://github.com/Azure/ALZ-Bicep/blob/17edce484a4eef9d0d82951677bf927128efc4c2/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json#L16

Could it be that ./infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json needs a SystemAssigned identity too?


jtracey93 commented 8 months ago

Hey @baartch,

Thanks for raising. This policy assignment is actually for the initiative (1f3afdf9-d0c9-4c3d-847f-89da613e70a8) which is the "Microsoft cloud security benchmark" initiative.

This initiative doesn't use an effect that requires an identity, so remediation tasks are not possible for this one.

Unfortunately its assignment name is some legacy technical debt we have that we are aware of, but it would be a breaking change to change its name, but it's not deploying anything, just a bad name 😟

Hope that helps
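The reasoning in the reply above (an assignment only needs a managed identity when the referenced definition or initiative uses a DeployIfNotExists or Modify effect, and a missing identity in that case is what makes remediation fail) can be turned into a template lint. The following is an added example, not code from the ALZ-Bicep repository; the template JSON and the effect lookup are constructed stand-ins that mirror the shape of a `policy_assignment_es_deploy_*.tmpl.json` file, and `hypothetical-dine-initiative` is a made-up definition id.

```python
import json

# Azure Policy effects that need a managed identity on the assignment
# (they create or change resources, so remediation tasks apply to them).
IDENTITY_EFFECTS = {"deployifnotexists", "modify"}

# Constructed sample: mirrors the shape of an ALZ-Bicep
# policy_assignment_es_deploy_*.tmpl.json file; not a copy of one.
ASC_MONITORING_TMPL = """{
  "name": "Deploy-ASC-Monitoring",
  "type": "Microsoft.Authorization/policyAssignments",
  "properties": {
    "displayName": "Enable Monitoring in Microsoft Defender for Cloud",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
  },
  "identity": { "type": "None" }
}"""

# Constructed lookup: the effects each referenced definition or initiative
# uses. Offline stand-in for resolving the definitions from Azure.
EFFECTS_BY_DEFINITION = {
    "1f3afdf9-d0c9-4c3d-847f-89da613e70a8": {"Audit", "AuditIfNotExists", "Disabled"},
    "hypothetical-dine-initiative": {"DeployIfNotExists", "Disabled"},  # made-up id
}

def check_assignment(template_json: str, effects_by_definition: dict) -> dict:
    """Decide whether the assignment's identity setting matches the effects it assigns."""
    tmpl = json.loads(template_json)
    definition_id = tmpl["properties"]["policyDefinitionId"].rsplit("/", 1)[-1]
    identity_type = tmpl.get("identity", {}).get("type", "None")
    effects = {e.lower() for e in effects_by_definition.get(definition_id, set())}
    needs_identity = bool(effects & IDENTITY_EFFECTS)
    if needs_identity and identity_type == "None":
        verdict = "error: DeployIfNotExists/Modify effects but no identity; remediation will fail"
    elif not needs_identity and identity_type != "None":
        verdict = "warning: identity granted but no effect uses it (excess privilege)"
    elif needs_identity:
        verdict = "ok: identity present for remediating effects"
    else:
        verdict = "ok: no identity needed; remediation tasks do not apply"
    return {"name": tmpl["name"], "identity": identity_type,
            "needs_identity": needs_identity, "verdict": verdict}

if __name__ == "__main__":
    print(check_assignment(ASC_MONITORING_TMPL, EFFECTS_BY_DEFINITION))
```

Run against every `*.tmpl.json` in the assignments library, the check separates "identity missing where remediation is expected" from "identity granted for nothing", which is the distinction the thread turns on.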