Azure / Azure-Lighthouse-samples

Provide samples for understanding managed service solutions
MIT License

Deployment of Management Group level policy for Lighthouse fails #90

Closed luander closed 3 years ago

luander commented 3 years ago

When trying to deploy the policy to delegate subscriptions at management group level I get the following error:

New-AzManagementGroupDeployment -Name onboard-lighthouse -Location westeurope -ManagementGroupId core-mgr -TemplateFile .\deployLighthouseIfNotExistManagementGroup.json -TemplateParameterFile .\deployLighthouseIfNotExistsManagementGroup.parameters.json -Verbose
VERBOSE: 
VERBOSE: 10:49:49 AM - Template is valid.
VERBOSE: 10:49:50 AM - Create template deployment 'onboard-lighthouse'
VERBOSE: 10:49:50 AM - Checking deployment status in 5 seconds
New-AzManagementGroupDeployment : 10:49:55 AM - The deployment 'onboard-lighthouse' failed with error(s). Showing 1 out of 1 error(s).
Status Message: The policy definition 'Enable-Azure-Lighthouse' rule is invalid. The 'field' property 'Microsoft.ManagedServices/registrationAssignments/registrationDefinitionProperties.managedByTenantId' of the policy rule doesn't exist as an alias under provider 'Microsoft.ManagedServices' and resource     
type 'registrationAssignments'. The supported aliases are 'Microsoft.ManagedServices/registrationAssignments/registrationDefinitionId; Microsoft.ManagedServices/registrationAssignments/provisioningState; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.description; 
Microsoft.ManagedServices/registrationAssignments/registrationDefinition.authorizations[*].principalId; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.authorizations[*].roleDefinitionId; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.authorizations[*];      
Microsoft.ManagedServices/registrationAssignments/registrationDefinition.authorizations; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.registrationDefinitionName; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.provisioningState; 
Microsoft.ManagedServices/registrationAssignments/registrationDefinition.manageeTenantId; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.manageeTenantName; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.managedByTenantId; 
Microsoft.ManagedServices/registrationAssignments/registrationDefinition.managedByTenantName; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.plan.name; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.plan.publisher; 
Microsoft.ManagedServices/registrationAssignments/registrationDefinition.plan.product; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.plan.version; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.plan; 
Microsoft.ManagedServices/registrationAssignments/registrationDefinition.id; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.type; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.name; 
Microsoft.ManagedServices/registrationAssignments/registrationDefinition'. Please open a CSS ticket at https://azure.microsoft.com/support/create-ticket to request new aliases. (Code:InvalidPolicyAlias)
CorrelationId: ae50a5dd-7463-4476-b30e-1093f451a0ae
At line:1 char:1
+ New-AzManagementGroupDeployment -Name onboard-lighthouse -Location we ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzManagementGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureManagementGroupDeploymentCmdlet

I fixed the error by changing:

"existenceCondition": {
    "allOf": [
        {
            "field": "type",
            "equals": "Microsoft.ManagedServices/registrationDefinitions"
        },
        {
            "field": "Microsoft.ManagedServices/registrationAssignments/registrationDefinitionProperties.managedByTenantId",
            "equals": "[[parameters('managedByTenantId')]"
        }
    ]
},

to:

"existenceCondition": {
    "allOf": [
        {
            "field": "type",
            "equals": "Microsoft.ManagedServices/registrationDefinitions"
        },
        {
            "field": "Microsoft.ManagedServices/registrationAssignments/registrationDefinition.managedByTenantId",
            "equals": "[[parameters('managedByTenantId')]"
        }
    ]
},
luander commented 3 years ago

#91

luander commented 3 years ago

Even after this fix, which enables me to deploy the policy, it doesn't seem to work, as it doesn't find any non-compliant subscription. I assigned the policy to the root management group. @serenaz Could you give me a hand making the policy work?

serenaz commented 3 years ago

Hey! Thanks for submitting the PR :) Have your subscriptions registered the RP ManagedServices? If so, does the Policy deploy the RegistrationAssignments?

luander commented 3 years ago

Hey @serenaz Thanks for your message, I manually registered "Microsoft.ManagedServices" provider on all subscriptions under the management group and was able to successfully create a remediation task and onboard all subscriptions to Lighthouse. However, after the deployment they still reported as non-compliant. After some trial and error I managed to have all subscriptions compliant by changing the existence condition to:

"existenceCondition": {
    "allOf": [
        {
            "field": "type",
            "equals": "Microsoft.ManagedServices/registrationDefinitions"
        },
        {
            "field": "Microsoft.ManagedServices/registrationDefinitions/managedByTenantId",
            "equals": "[[parameters('managedByTenantId')]"
        }
    ]
},
serenaz commented 3 years ago

Ok, great! I'll add a note to the readme about registering for the RP and change the existence condition, too.
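The two pre-checks this thread converged on, as an added example that is not part of the repository or of either commenter's code: it verifies that the alias used in the existence condition is one Azure Policy actually supports, then walks the management group and registers the Microsoft.ManagedServices resource provider in every subscription that lacks it. It assumes the Az.Accounts and Az.Resources modules, an authenticated session with rights to read the hierarchy and register providers, and the management group id "core-mgr" from the issue (adjust for your environment).

```powershell
# Added example, not code from the Azure-Lighthouse-samples repository.
# Assumes Connect-AzAccount has already been run.
param(
    [string]$ManagementGroupId = 'core-mgr',   # value from the issue; change as needed
    [string]$ProviderNamespace = 'Microsoft.ManagedServices',
    [string]$RequiredAlias = 'Microsoft.ManagedServices/registrationDefinitions/managedByTenantId'
)

# 1. Check the alias before deploying: an unknown alias fails the management group
#    deployment with InvalidPolicyAlias, exactly as in the error above.
$aliasNames = (Get-AzPolicyAlias -NamespaceMatch $ProviderNamespace `
                                 -ResourceTypeMatch 'registrationDefinitions').Aliases.Name
if ($aliasNames -notcontains $RequiredAlias) {
    throw "Alias '$RequiredAlias' is not supported. Known aliases:`n$($aliasNames -join "`n")"
}
Write-Host "Alias '$RequiredAlias' is supported."

# 2. Collect every subscription under the management group, including nested groups.
function Get-ChildSubscriptionIds {
    param($Node)
    foreach ($child in $Node.Children) {
        if ($child.Type -like '*subscriptions') { $child.Name }   # Name is the subscription id
        elseif ($child.Children) { Get-ChildSubscriptionIds -Node $child }
    }
}
$mg = Get-AzManagementGroup -GroupName $ManagementGroupId -Expand -Recurse
$subIds = @(Get-ChildSubscriptionIds -Node $mg)

# 3. The thread found the policy only evaluated and remediated subscriptions once the
#    ManagedServices RP was registered, so register it wherever it is missing.
foreach ($subId in $subIds) {
    Set-AzContext -SubscriptionId $subId | Out-Null
    $state = (Get-AzResourceProvider -ProviderNamespace $ProviderNamespace).RegistrationState |
             Select-Object -First 1
    if ($state -ne 'Registered') {
        Write-Host "$subId : $ProviderNamespace is '$state', registering"
        Register-AzResourceProvider -ProviderNamespace $ProviderNamespace | Out-Null
    } else {
        Write-Host "$subId : $ProviderNamespace already registered"
    }
}
```

Run it before New-AzManagementGroupDeployment; registration is asynchronous, so re-run the loop until every subscription reports Registered before triggering the remediation task.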