Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs
MIT License

Deploy-Diagnostics-LogAnalytics Diag Settings leads to non-compliant resource in Azure Policy #820

Closed coriet closed 3 months ago

coriet commented 3 months ago

Let us know the feedback or general question

Currently 'policy_definition_es_Deploy-Diagnostics-LogAnalytics.json' mentions that the deployed 'Policy will set the diagnostic with all metrics and category enabled', however "Summary Logs" are missing. Therefore the policy will always show non-compliant resources in Azure Policy.

Changing from:

```json
"logs": [
  { "category": "Audit", "enabled": "[parameters('logsEnabled')]" }
]
```

To:

```json
"logs": [
  { "category": "Audit", "enabled": "[parameters('logsEnabled')]" },
  { "category": "SummaryLogs", "enabled": "[parameters('logsEnabled')]" }
]
```

Will fix the issue.


jtracey93 commented 3 months ago

Hey @coriet,

In the last policy refresh of ALZ we moved away from the custom diagnostic settings policies we used to the new built-in initiatives for this, which utilise category groups that prevent these scenarios from occurring.

Have you updated to the latest release of ALZ Bicep and adopted this change as per the release notes? https://github.com/Azure/ALZ-Bicep/releases

N.B. the policy refresh work occurred in v0.18.0
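To make the behaviour in both comments concrete, here is an added example (not code from the ALZ-Bicep repository or from either commenter) that models how a policy's `logs` array is expanded against the categories a resource exposes. The resource categories are constructed sample data, and the `allLogs` category group is assumed as the group name a built-in initiative would use.

```python
"""Added example: why enumerating log categories in a diagnostic settings
policy can leave a resource non-compliant, and why a category group does not."""

# Constructed sample: the log categories one resource type exposes.
# "Audit" and "SummaryLogs" mirror the categories named in the issue.
RESOURCE_LOG_CATEGORIES = {"Audit", "SummaryLogs"}

# The fragment the issue reports: only "Audit" is deployed.
POLICY_LOGS_BEFORE = [{"category": "Audit", "enabled": True}]

# The fragment the issue proposes: both categories enumerated explicitly.
POLICY_LOGS_AFTER = [
    {"category": "Audit", "enabled": True},
    {"category": "SummaryLogs", "enabled": True},
]

# The maintainer's direction: a category group instead of a fixed list.
# (Assumption: "allLogs" is the category group name used.)
POLICY_LOGS_GROUP = [{"categoryGroup": "allLogs", "enabled": True}]


def deployed_categories(logs, supported):
    """Expand a policy 'logs' array into the concrete categories it enables."""
    enabled = set()
    for entry in logs:
        if not entry.get("enabled"):
            continue
        if entry.get("categoryGroup") == "allLogs":
            # A group resolves to whatever the resource exposes at deploy time.
            enabled |= set(supported)
        elif "category" in entry:
            enabled.add(entry["category"])
    return enabled


def missing_categories(logs, supported):
    """Categories the resource exposes but the policy never enables.

    A non-empty result is what surfaces as 'non-compliant' when the policy's
    existence condition requires every category to be enabled."""
    return set(supported) - deployed_categories(logs, supported)


def is_compliant(logs, supported):
    """True when the policy covers every category the resource exposes."""
    return not missing_categories(logs, supported)
```

Run `missing_categories(POLICY_LOGS_AFTER, RESOURCE_LOG_CATEGORIES | {"NewCategory"})` to see the enumerated fix regress as soon as a resource type gains a category, while the category-group form stays compliant.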

coriet commented 3 months ago

Thank you @jtracey93 I will do so. Thank you for the feedback.