Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

No Deploy-Diagnostic policy for standard Logic Apps #1638

Closed alperkar closed 6 months ago

alperkar commented 6 months ago

Describe the bug

As mentioned in the title, there is no Deploy-Diagnostic policy for standard Logic Apps. The existing definition, Deploy-Diagnostics-LogicAppsISE, does not apply to this. Another existing definition, Deploy-Diagnostics-Function, actually matches Standard Logic App resources because they are of type "Microsoft.Web/sites" and their "kind" field is "functionapp,workflowapp", but it does not work because function app and logic app log categories differ (extra log category Workflow Runtime Logs for Logic Apps):

Logic app: image

Function app: image

There is a built-in policy called "Enable logging by category group for Logic apps (microsoft.logic/workflows) to Storage" which also does not apply to Standard Logic Apps because they are obviously not microsoft.logic/workflows but Microsoft.Web/sites.

Obviously one can write their own policy definition but ALZ should have this added to the repository since this is a frequently used Azure resource.

Steps to reproduce

1. 2.

Screenshots
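The kind of definition the report asks for, written here as an added illustration and not taken from the ALZ repository or its policies: an AuditIfNotExists policy that selects Microsoft.Web/sites resources whose kind contains "workflowapp" (the "functionapp,workflowapp" kind described in the issue) and flags any that have no diagnostic setting with the Workflow Runtime Logs category enabled. The category id WorkflowRuntime is an assumption here, since the issue only gives the display name; the effect is audit-only so it reports gaps without deploying anything.

```json
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Web/sites" },
        { "field": "kind", "contains": "workflowapp" }
      ]
    },
    "then": {
      "effect": "AuditIfNotExists",
      "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "existenceCondition": {
          "allOf": [
            {
              "count": {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
                "where": {
                  "allOf": [
                    {
                      "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
                      "equals": "WorkflowRuntime"
                    },
                    {
                      "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
                      "equals": "true"
                    }
                  ]
                }
              },
              "greaterOrEquals": 1
            }
          ]
        }
      }
    }
  }
}
```

A function app (kind "functionapp" without "workflowapp") is never selected by the if block, which is what separates this from the Deploy-Diagnostics-Function definition the issue describes; a Standard Logic App whose diagnostic setting only carries the function app categories is reported as non-compliant.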

Springstone commented 6 months ago

@achechen Thanks for reporting. Please note, we are moving away from our custom diagnostic settings policies, and moving to PG category-based logging as part of this PR #1641. As a result we will shortly be closing all Diag Settings based issues.

alperkar commented 6 months ago

@Springstone thank you for this. I took a look at the new initiative (https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html); however, it is also missing a policy for standard Logic Apps ("Microsoft.Web/sites") - it only contains a policy for microsoft.logic/workflows (consumption type of Logic App).

The new initiative also lacks a policy for Function Apps. Am I missing something here?

Springstone commented 6 months ago

Let's get past the release of the built-ins, and we'll work with PG on addressing the gaps. Most likely, the resource provider does not currently support reporting diagnostic settings in a way that has been agreed (supporting categories).

You are free to open Azure support tickets already based on the initiative if you find gaps. Key for the ALZ team is that we no longer support diagnostic settings policies due to the significant overhead.

Springstone commented 6 months ago

@achechen the reason why those services don't have policies at this time is, as suspected, that those resources don't yet support the "audit" and "allLogs" uber-categories. I'll share your concern with the PG owners though, and hopefully this will get resolved asap.

Springstone commented 6 months ago

Please add the missing services to this discussion: https://github.com/Azure/Enterprise-Scale/discussions/1644, as this is where we will track this going forward.