Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture.
https://aka.ms/alz
MIT License

Deployment fails to Azure Gov #1687

Open MSBrett opened 5 months ago

MSBrett commented 5 months ago

Describe the bug

Deployment fails to Azure Gov.

Steps to reproduce

  1. Log into the Azure Gov Portal
  2. From the search bar search for and choose "Deploy a custom template".
  3. Select "Azure Landing Zone" from the list of templates.
  4. Select "Azure Government" from the list of supported clouds.
  5. Fill out the forms and deploy the template using default values - 3 subscriptions provided.
  6. Deployment fails with this error:

```json
{
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
    "details": [
      {
        "code": "BadRequest",
        "message": "{\r\n \"error\": {\r\n \"code\": \"PolicyDefinitionNotFound\",\r\n \"message\": \"The policy set definition 'Enforce-EncryptTransit' request is invalid. The following policy definition could not be found: '/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb'.\"\r\n }\r\n}"
      }
    ]
  }
}
```

The same error occurs when deploying from Learn and Github.

Springstone commented 5 months ago

Hi @MSBrett, thanks for raising this issue. Basically, this means one of the policies in that initiative is not available in Azure Gov cloud. Unfortunately, we currently don't have any way to validate sovereign cloud deployments (and it is a very complicated process to validate if policies are available in each of the sovereign clouds).

We are currently in the process of someone in our team getting access to Azure Gov (Fairfax) and hopefully we can improve the quality and reliability for those customers.

sdolgin commented 2 months ago

@Springstone +1 for my customer currently attempting to deploy ALZ into Fairfax. Any guidance or a workaround?

Here is a partial list of initiatives failing for us as of Sept 12.

| Policy Set Name | Resource ID |
| --- | --- |
| Enforce-Guardrails-ContainerApps | /providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb |
| Enforce-Guardrails-Network | /providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a |
| Enforce-Guardrails-KeyVault | /providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57 |
| Enforce-Guardrails-Storage | /providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c |
| Enforce-EncryptTransit_20240509 | /providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb |
| Enforce-Guardrails-KeyVault-Sup | /providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456 |
| Enforce-Guardrails-Automation | /providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc |
| Enforce-EncryptTransit | /providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb |
| Enforce-Guardrails-MySQL | /providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4 |

All of these are reported as "could not be found".

/cc @brsteph
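The two comments above describe the same gap: a policy set (initiative) that references a built-in policy definition ID which does not exist in the target sovereign cloud, with no pre-deployment check to catch it. The following is an added example (not code from the Enterprise-Scale repo or from the commenters) of such a pre-flight check. It takes a policy set definition in the ARM shape the ALZ templates use (`properties.policyDefinitions[].policyDefinitionId`) and a list of definition IDs that exist in the target cloud, and reports which built-in references would fail with `PolicyDefinitionNotFound`. The initiative and the availability list below are constructed inputs; in practice the list would come from the target cloud itself, for example `az cloud set --name AzureUSGovernment`, `az login`, then `az policy definition list --query "[].id" -o json`. The only real ID in the sample is the one the issue reports as missing; the other GUIDs and the `contoso` management group are placeholders.

```python
"""Pre-flight check for policy set definitions: which referenced built-in
policy definitions are absent from a target cloud.

Added example, not part of the Enterprise-Scale project. All inputs below
are constructed stand-ins for a real initiative and a real
`az policy definition list` result from the target (e.g. Azure Government) cloud.
"""
import re
from typing import Iterable, List, Tuple

# Canonical form of a *built-in* policy definition resource ID. Custom
# definitions are scoped under a management group or subscription and are
# deployed by the template itself, so they are reported separately rather
# than flagged as missing.
BUILTIN_ID = re.compile(
    r"^/providers/Microsoft\.Authorization/policyDefinitions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$",
    re.IGNORECASE,
)


def is_builtin(policy_definition_id: str) -> bool:
    """True if the ID is a tenant-independent built-in definition ID."""
    return BUILTIN_ID.match(policy_definition_id) is not None


def referenced_definition_ids(policy_set: dict) -> List[str]:
    """Every policyDefinitionId referenced by the policy set, in order, de-duplicated."""
    seen: List[str] = []
    for ref in policy_set["properties"]["policyDefinitions"]:
        pid = ref["policyDefinitionId"]
        if pid not in seen:
            seen.append(pid)
    return seen


def check_policy_set(policy_set: dict, available_ids: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (missing_builtins, custom_refs).

    missing_builtins: built-in IDs the set references that the target cloud
        does not expose (these produce PolicyDefinitionNotFound on deploy).
    custom_refs: non-built-in IDs, which must be deployed before the set.
    Comparison is case-insensitive because ARM resource IDs are case-insensitive
    and tooling does not always preserve the casing used in the template.
    """
    available = {a.lower() for a in available_ids}
    missing: List[str] = []
    custom: List[str] = []
    for pid in referenced_definition_ids(policy_set):
        if not is_builtin(pid):
            custom.append(pid)
        elif pid.lower() not in available:
            missing.append(pid)
    return missing, custom


# Constructed initiative in the ALZ/ARM policy set shape. Only the 0e80e269 ID
# is taken from the issue; the other GUID and the 'contoso' scope are placeholders.
INITIATIVE = {
    "name": "Enforce-EncryptTransit",
    "properties": {
        "policyType": "Custom",
        "displayName": "Enforce-EncryptTransit (constructed sample)",
        "policyDefinitions": [
            {
                "policyDefinitionReferenceId": "builtin-present-placeholder",
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11111111-1111-1111-1111-111111111111",
            },
            {
                "policyDefinitionReferenceId": "builtin-missing-from-gov",
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb",
            },
            {
                "policyDefinitionReferenceId": "custom-deployed-by-template",
                "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Placeholder",
            },
        ],
    },
}

# Constructed stand-in for `az policy definition list --query "[].id"` run in
# the target cloud. Upper-case GUID shows that matching ignores case.
AVAILABLE_IN_TARGET_CLOUD = [
    "/providers/Microsoft.Authorization/policyDefinitions/11111111-1111-1111-1111-111111111111".upper(),
    "/providers/Microsoft.Authorization/policyDefinitions/22222222-2222-2222-2222-222222222222",
]


if __name__ == "__main__":
    missing, custom = check_policy_set(INITIATIVE, AVAILABLE_IN_TARGET_CLOUD)
    print(f"{INITIATIVE['name']}: {len(missing)} missing built-in(s), {len(custom)} custom reference(s)")
    for pid in missing:
        print("  MISSING :", pid)
    for pid in custom:
        print("  CUSTOM  :", pid)
```

Run across every `policySetDefinitions/*.json` in a landing-zone template before deploying to a sovereign cloud, this turns the opaque `PolicyDefinitionNotFound` failure into a per-initiative list of the exact IDs to drop or substitute, which is also the information needed to decide the "omit or replace" question raised in this thread.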

JCoreMS commented 2 months ago

Given the deployment is US Gov specific, is it possible to omit or replace these with what IS available?