Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

`Deploy-Diagnostics-LogAnalytics`: non compliant #1635

Closed ghost closed 5 months ago

ghost commented 6 months ago

Describe the bug

The `Deploy-Diagnostics-LogAnalytics` policy is non-compliant, although the deployment finishes.

This is due to `logs[*].enabled` being `[True, false]`, which is `!= True`.

I made the policy compliant by enabling the Summary Logs manually. I'm happy to contribute the changes to the policy. As the policy has just one parameter to enable logs or not, I would suggest just enabling the other log category as well.

We could also enable the log category groups instead of single log categories (currently exactly the same). Then, when MS adds a new category to a group, that shouldn't break the policy anymore.

What do you think?

Steps to reproduce

  1. Create a LAW in an RG
  2. Assign the policy to the RG with the LAW as target
  3. See non-compliant as expected
  4. Create a remediation task
  5. Check that the diagnostic settings are deployed
  6. LAW is still non-compliant

Springstone commented 6 months ago

Hi @QBY-ThimoLimpert thanks for reporting. We're in the process of deprecating all the ALZ Diagnostic Settings policies and transitioning to new category based policies over the next few weeks. I'll keep this open to ensure we've covered Diag for LAW.

neok-g commented 6 months ago

@Springstone @QBY-ThimoLimpert The same issue applies to most of these policies if not all of them. New log categories cause the following policies to be non-compliant at our side:

  - Deploy Diagnostic Settings for Service Bus to Log Analytics workspace
  - Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace
  - Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace
  - Deploy Diagnostic Settings for Data Factory to Log Analytics workspace
  - Deploy Diagnostic Settings for Databricks to Log Analytics workspace

Springstone commented 5 months ago

Closing this as we've deprecated all our diagnostic settings policies and shifted to the PG owned initiative to do the same. Please review https://aka.ms/alz/whatsnew for details.

If you find gaps in diagnostic settings coverage, please add the missing services to this discussion: #1644 as this is where we will track this going forward.

The new Diag Settings v2 initiative is based on categories and we default to "allLogs" which should cover all categories that may have been missed before. For this particular resource this is the new built-in: https://www.azadvertizer.net/azpolicyadvertizer/818719e5-1338-4776-9a9d-3c31e4df5986.html