Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs
MIT License

Errors when deploying ALZ Bicep custom policies #769

Closed jeffdmipshell closed 1 month ago

jeffdmipshell commented 2 months ago

What happened? Provide a clear and concise description of the bug, including deployment details.

When deploying custom ALZ policies using the ALZ documentation, some of the initiatives and policy definitions fail to install. Below is ONE of the error messages I receive when reviewing the deployment logs:

New-AzManagementGroupDeployment: 1:33:29 PM - The deployment 'alz-PolicyDefsDeployment-20240417T1304337658Z' failed with error(s). Showing 3 out of 9 error(s). Status Message: The policy set definition 'DenyAction-DeleteProtection' request is invalid. Policy definitions should be specified only at or above the policy set definition's scope. The following policy definitions are invalid: 'DenyAction-ActivityLogs,DenyAction-DiagnosticLogs'. (Code:InvalidCreatePolicySetDefinitionRequest)

{"code":"InvalidCreatePolicySetDefinitionRequest","message":"The policy set definition 'Deploy-Diagnostics-LogAnalytics' request is invalid. Policy definitions should be specified only at or above the policy set definition's scope. The following policy definitions are invalid: 'Deploy-Diagnostics-ACI,Deploy-Diagnostics-ACR,Deploy-Diagnostics-AnalysisService,Deploy-Diagnostics-ApiForFHIR,Deploy-Diagnostics-APIMgmt,Deploy-Diagnostics-ApplicationGateway,Deploy-Diagnostics-WebServerFarm,Deploy-Diagnostics-Website,Deploy-Diagnostics-AA,Deploy-Diagnostics-AVDScalingPlans,Deploy-Diagnostics-Bastion,Deploy-Diagnostics-CDNEndpoints,Deploy-Diagnostics-CognitiveServices,Deploy-Diagnostics-CosmosDB,Deploy-Diagnostics-Databricks,Deploy-Diagnostics-DataExplorerCluster,Deploy-Diagnostics-DataFactory,Deploy-Diagnostics-DLAnalytics,Deploy-Diagnostics-EventGridSub,Deploy-Diagnostics-EventGridTopic,Deploy-Diagnostics-EventGridSystemTopic,Deploy-Diagnostics-ExpressRoute,Deploy-Diagnostics-Firewall,Deploy-Diagnostics-FrontDoor,Deploy-Diagnostics-Function,Deploy-Diagnostics-HDInsight,Deploy-Diagnostics-iotHub,Deploy-Diagnostics-LoadBalancer,Deploy-Diagnostics-LogAnalytics,Deploy-Diagnostics-LogicAppsISE,Deploy-Diagnostics-MariaDB,Deploy-Diagnostics-MediaService,Deploy-Diagnostics-MlWorkspace,Deploy-Diagnostics-MySQL,Deploy-Diagnostics-NIC,Deploy-Diagnostics-NetworkSecurityGroups,Deploy-Diagnostics-PostgreSQL,Deploy-Diagnostics-PowerBIEmbedded,Deploy-Diagnostics-RedisCache,Deploy-Diagnostics-Relay,Deploy-Diagnostics-SignalR,Deploy-Diagnostics-SQLElasticPools,Deploy-Diagnostics-SQLMI,Deploy-Diagnostics-TimeSeriesInsights,Deploy-Diagnostics-TrafficManager,Deploy-Diagnostics-VM,Deploy-Diagnostics-VirtualNetwork,Deploy-Diagnostics-VMSS,Deploy-Diagnostics-VNetGW,Deploy-Diagnostics-VWanS2SVPNGW,Deploy-Diagnostics-WVDAppGroup,Deploy-Diagnostics-WVDHostPools,Deploy-Diagnostics-WVDWorkspace'."}

Please provide the correlation id associated with your error or bug.

df24ae68-098f-4ba2-a81c-9d5c803db6e0

What was the expected outcome?

deployment of all custom ALZ policies

Relevant log output

New-AzManagementGroupDeployment: 1:33:29 PM - The deployment 'alz-PolicyDefsDeployment-20240417T1304337658Z' failed with error(s). Showing 3 out of 9 error(s).
Status Message: The policy set definition 'DenyAction-DeleteProtection' request is invalid. Policy definitions should be specified only at or above the policy set definition's scope. The following policy definitions are invalid: 'DenyAction-ActivityLogs,DenyAction-DiagnosticLogs'. (Code:InvalidCreatePolicySetDefinitionRequest)

Status Message: The policy set definition 'Deploy-Diagnostics-LogAnalytics' request is invalid. Policy definitions should be specified only at or above the policy set definition's scope. The following policy definitions are invalid: 'Deploy-Diagnostics-ACI,Deploy-Diagnostics-ACR,Deploy-Diagnostics-AnalysisService,Deploy-Diagnostics-ApiForFHIR,Deploy-Diagnostics-APIMgmt,Deploy-Diagnostics-ApplicationGateway,Deploy-Diagnostics-WebServerFarm,Deploy-Diagnostics-Website,Deploy-Diagnostics-AA,Deploy-Diagnostics-AVDScalingPlans,Deploy-Diagnostics-Bastion,Deploy-Diagnostics-CDNEndpoints,Deploy-Diagnostics-CognitiveServices,Deploy-Diagnostics-CosmosDB,Deploy-Diagnostics-Databricks,Deploy-Diagnostics-DataExplorerCluster,Deploy-Diagnostics-DataFactory,Deploy-Diagnostics-DLAnalytics,Deploy-Diagnostics-EventGridSub,Deploy-Diagnostics-EventGridTopic,Deploy-Diagnostics-EventGridSystemTopic,Deploy-Diagnostics-ExpressRoute,Deploy-Diagnostics-Firewall,Deploy-Diagnostics-FrontDoor,Deploy-Diagnostics-Function,Deploy-Diagnostics-HDInsight,Deploy-Diagnostics-iotHub,Deploy-Diagnostics-LoadBalancer,Deploy-Diagnostics-LogAnalytics,Deploy-Diagnostics-LogicAppsISE,Deploy-Diagnostics-MariaDB,Deploy-Diagnostics-MediaService,Deploy-Diagnostics-MlWorkspace,Deploy-Diagnostics-MySQL,Deploy-Diagnostics-NIC,Deploy-Diagnostics-NetworkSecurityGroups,Deploy-Diagnostics-PostgreSQL,Deploy-Diagnostics-PowerBIEmbedded,Deploy-Diagnostics-RedisCache,Deploy-Diagnostics-Relay,Deploy-Diagnostics-SignalR,Deploy-Diagnostics-SQLElasticPools,Deploy-Diagnostics-SQLMI,Deploy-Diagnostics-TimeSeriesInsights,Deploy-Diagnostics-TrafficManager,Deploy-Diagnostics-VM,Deploy-Diagnostics-VirtualNetwork,Deploy-Diagnostics-VMSS,Deploy-Diagnostics-VNetGW,Deploy-Diagnostics-VWanS2SVPNGW,Deploy-Diagnostics-WVDAppGroup,Deploy-Diagnostics-WVDHostPools,Deploy-Diagnostics-WVDWorkspace'. (Code:InvalidCreatePolicySetDefinitionRequest)


jeffdmipshell commented 2 months ago

Found this previously closed issue: https://github.com/Azure/ALZ-Bicep/issues/326. Tried rerunning the deployment after ~10 minutes of waiting, and the deployment still fails. CorrelationId: 543a885b-99b9-437b-b94c-40adb607b324

jtracey93 commented 2 months ago

@jeffdmipshell Have you ensured that you have updated the parameter inputs in the parameter files? We have seen this before when the management group ID has not been updated in the parameter files to match the management groups you deployed.
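A pre-flight check for the failure mode discussed in this thread, added here as an example (it is not code from the ALZ-Bicep project or from either commenter). Azure only accepts a policy set definition whose referenced policy definitions live at or above the management group the set is deployed to; the script below applies that rule offline to a constructed management group tree and a constructed initiative modelled on 'DenyAction-DeleteProtection', so a mismatch between the parameter file's management group ID and the deployment target shows up before `New-AzManagementGroupDeployment` is run. The hierarchy, the `contoso` group and the helper names are assumptions.

```python
import re

# Constructed management group tree: child ID -> parent ID (None = tenant root).
SAMPLE_HIERARCHY = {"alz": None, "alz-platform": "alz", "alz-landingzones": "alz",
                    "contoso": None}  # 'contoso' is a sibling of 'alz', not below it

# Custom definition IDs carry the MG they were created in; built-ins do not.
_MG_DEF_RE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/(?P<mg>[^/]+)"
    r"/providers/Microsoft\.Authorization/policyDefinitions/(?P<name>[^/]+)$", re.I)
_BUILTIN_DEF_RE = re.compile(
    r"^/providers/Microsoft\.Authorization/policyDefinitions/(?P<name>[^/]+)$", re.I)

def custom_definition_id(mg, name):
    # The ID a custom definition gets when created under management group `mg`.
    return (f"/providers/Microsoft.Management/managementGroups/{mg}"
            f"/providers/Microsoft.Authorization/policyDefinitions/{name}")

def parse_definition_id(resource_id):
    """Return (management_group, name); built-in definitions return (None, name)."""
    m = _MG_DEF_RE.match(resource_id) or _BUILTIN_DEF_RE.match(resource_id)
    if not m:
        raise ValueError(f"not a policy definition resource ID: {resource_id}")
    return m.groupdict().get("mg"), m.group("name")

def ancestors(mg, hierarchy):
    """The MG itself followed by its parents up to the tenant root."""
    chain = []
    while mg is not None:
        if mg not in hierarchy or mg in chain:
            raise ValueError(f"unknown management group or cycle at: {mg}")
        chain.append(mg)
        mg = hierarchy[mg]
    return chain

def invalid_references(policy_set, target_mg, hierarchy):
    """Names of referenced definitions that are not at or above target_mg."""
    allowed = {m.lower() for m in ancestors(target_mg, hierarchy)}
    bad = []
    for ref in policy_set["properties"]["policyDefinitions"]:
        mg, name = parse_definition_id(ref["policyDefinitionId"])
        if mg is not None and mg.lower() not in allowed:  # built-ins are always in scope
            bad.append(name)
    return bad

# Constructed initiative modelled on the one named in the issue; its references
# were built from a parameter file whose management group ID is 'alz'.
SAMPLE_SET = {"name": "DenyAction-DeleteProtection", "properties": {"policyDefinitions": [
    {"policyDefinitionId": custom_definition_id("alz", "DenyAction-ActivityLogs")},
    {"policyDefinitionId": custom_definition_id("alz", "DenyAction-DiagnosticLogs")},
]}}
```

Deploying the sample set to `alz` or any group below it returns an empty list; deploying it to `contoso` returns both definition names, which is the list Azure prints after "The following policy definitions are invalid".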