Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs
MIT License

Missing permissions on Datacollection rules for Policy MI #815

Open sandorhofman opened 1 month ago

sandorhofman commented 1 month ago

What happened? Provide a clear and concise description of the bug, including deployment details.

I deployed ALZ-Bicep v0.18.0 with the default policy assignments. It created DCRs and a UMI in the management subscription. After deploying a VM in an Online subscription I get policy deployment errors.

The reason for this behaviour is that the DCR is in the platform management group while the policy assignment is on the landing zone management group. The managed identity from the landing zone group has no permissions for the data collection rules in the management subscription. The same thing is happening for ChangeTracking and UMI assignments.

Please provide the correlation id associated with your error or bug.

c449650d-4e60-4919-a907-9db4811ac4a3

What was the expected outcome?

Creation of a DataCollectionRule Association between the Azure Monitor Agent and the DCR in the Management Subscription.

Relevant log output

The client 'app-id of policy MI' with object id '...' has permission to perform action 'Microsoft.Insights/dataCollectionRuleAssociations/write' on scope '/subscriptions/...onlinesubguid..../resourcegroups/vm-online/providers/Microsoft.Compute/virtualMachines/vm-online/providers/Microsoft.Insights/dataCollectionRuleAssociations/assoc-55mf2y3zlwzjc'; however, it does not have permission to perform action(s) 'Microsoft.Insights/dataCollectionRules/read' on the linked scope(s) '/subscriptions/...mgmt subscription.../resourceGroups/alz-mg-p-rg001/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr' (respectively) or the linked scope(s) are invalid. (Code: LinkedAuthorizationFailed)


jtracey93 commented 1 month ago

tagging @arjenhuitema for awareness and oversight on all things AMA.

Is there something missing from an RBAC role assignment perspective in ALZ Bicep @arjenhuitema that @oZakari can add?

arjenhuitema commented 1 month ago

It looks like the Managed Identity of the policy assignments within the Landing Zone scope lacks Reader and Managed Identity Operator permissions on the Platform, which are necessary to access the DCRs and assign the UAMI. I’ve put together a table that shows which permissions are needed for each policy assignment and shared that with @oZakari
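An added example of the role assignments the thread describes, not code from ALZ-Bicep or from anyone in this issue. It grants the policy assignment's managed identity Reader on the DCR (which covers the `Microsoft.Insights/dataCollectionRules/read` action named in the `LinkedAuthorizationFailed` error) and Managed Identity Operator on the UAMI, scoped to those two resources rather than to the whole platform management group. The DCR name `alz-ama-vmi-dcr` and the resource group `alz-mg-p-rg001` come from the log output above; the `uamiName` parameter, the parameter names and the deployment command are assumptions for illustration. Deploy it into the management subscription resource group that holds the DCR and the UAMI.

```bicep
// Example (not ALZ-Bicep code): grant a landing zone policy assignment's
// managed identity the platform-side permissions it needs to create
// dataCollectionRuleAssociations and attach the UAMI.
// Assumed deployment:
//   az deployment group create -g alz-mg-p-rg001 -f policy-mi-rbac.bicep \
//     -p policyPrincipalId=<objectId> uamiName=<uami-name>
targetScope = 'resourceGroup'

@description('Object ID (not app ID) of the policy assignment managed identity on the landing zone management group.')
param policyPrincipalId string

@description('Name of the existing DCR in this resource group (from the error in the issue).')
param dcrName string = 'alz-ama-vmi-dcr'

@description('Name of the existing user-assigned managed identity in this resource group (assumed parameter).')
param uamiName string

// Built-in role definition IDs; these GUIDs are the same in every tenant.
var readerRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  'acdd72a7-3385-48ef-bd42-f606fba81ae7'
)
var managedIdentityOperatorRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  'f1a07417-d97a-45cb-824c-7a7467783830'
)

resource dcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' existing = {
  name: dcrName
}

resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: uamiName
}

// Reader on the DCR only: satisfies dataCollectionRules/read on the linked scope
// without granting read across the whole management subscription.
resource dcrReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(dcr.id, policyPrincipalId, readerRoleId)
  scope: dcr
  properties: {
    principalId: policyPrincipalId
    principalType: 'ServicePrincipal' // avoids replication race on new identities
    roleDefinitionId: readerRoleId
  }
}

// Managed Identity Operator on the UAMI: lets the remediation task assign the
// UAMI to VMs in the landing zone subscriptions.
resource uamiOperator 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(uami.id, policyPrincipalId, managedIdentityOperatorRoleId)
  scope: uami
  properties: {
    principalId: policyPrincipalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: managedIdentityOperatorRoleId
  }
}

output dcrReaderAssignmentId string = dcrReader.id
output uamiOperatorAssignmentId string = uamiOperator.id
```

The object ID to pass as `policyPrincipalId` is the `identity.principalId` of the policy assignment on the landing zone management group (for example `az policy assignment show --name <assignment> --scope /providers/Microsoft.Management/managementGroups/<mg> --query identity.principalId`), not the app ID the error message prints. Because each ChangeTracking and AMA policy assignment has its own identity, the module must be deployed once per principal; scoping to the DCR and UAMI resources keeps the grant minimal, and the `guid(...)` names make redeployment idempotent.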