Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture.
https://aka.ms/alz
MIT License

Need suggestion for deploying enterprise scale custom policies #634

Closed azureiac closed 3 years ago

azureiac commented 3 years ago

Hi Team,

We just wanted to leverage the custom policies part separately in a project.

How can we leverage the enterprise-scale custom policies from the reference architecture provided on GitHub?

We directly copied the policies.json file from the auxiliary template folder and deployed it, but the template deployment is failing.

Can you please guide on this.

krnese commented 3 years ago

policies.json must be deployed to a management group. You can try using Azure PowerShell:

```powershell
New-AzManagementGroupDeployment -ManagementGroupId <mgId> -Location <location> -Name <name> -TemplateUri "https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/docs/reference/adventureworks/armTemplates/auxiliary/policies.json"
```

azureiac commented 3 years ago

Where do we need to pass the mandatory parameter topLevelManagementGroupPrefix? The above command is throwing an error:

[error]Cannot process command because of one or more missing mandatory parameters: topLevelManagementGroupPrefix.

[error]PowerShell exited with code '1'.

jtracey93 commented 3 years ago

This should work for you:

```powershell
New-AzManagementGroupDeployment -ManagementGroupId <mgId> -Location <location> -Name <name> -TemplateUri "https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/docs/reference/adventureworks/armTemplates/auxiliary/policies.json" -topLevelManagementGroupPrefix <mgId>
```

azureiac commented 3 years ago

Even after passing the -Name parameter I am not able to see the deployment under the management group's Deployments tab. I also noticed a few errors while executing the above PowerShell command through an Azure DevOps release pipeline:

[error]- The deployment 'espoliciestest' failed with error(s). Showing 3 out of 5 error(s).

Status Message: The policy set definition 'Deploy-Sql-Security' request is invalid. Policy definitions should be specified only at or above the policy set definition's scope. The following policy definitions are invalid: 'Deploy-Sql-Tde,Deploy-Sql-SecurityAlertPolicies,Deploy-Sql-AuditingSettings,Deploy-Sql-vulnerabilityAssessments'. (Code:InvalidCreatePolicySetDefinitionRequest)

Status Message: The policy set definition 'Deploy-ASC-Config' request is invalid. Policy definitions should be specified only at or above the policy set definition's scope. The following policy definitions are invalid: 'Deploy-ASC-Defender-VMs,Deploy-ASC-Defender-Sql,Deploy-ASC-Defender-AppSrv,Deploy-ASC-Defender-SA,Deploy-ASC-Defender-SQLVM,Deploy-ASC-Defender-AKS,Deploy-ASC-Defender-ACR,Deploy-ASC-Defender-AKV,Deploy-ASC-Defender-DNS,Deploy-ASC-Defender-ARM,Deploy-ASC-SecurityContacts'. (Code:InvalidCreatePolicySetDefinitionRequest)

Status Message: The policy set definition 'Deploy-Diag-LogAnalytics' request is invalid. Policy definitions should be specified only at or above the policy set definition's scope.

jtracey93 commented 3 years ago

Hi @ssangle,

I have just tested this and it worked for me using the following commands:


```powershell
New-AzManagementGroup -GroupId 'testing'

New-AzManagementGroupDeployment -ManagementGroupId testing -Location northeurope -Name eslzPolicies -TemplateUri "https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/docs/reference/adventureworks/armTemplates/auxiliary/policies.json" -topLevelManagementGroupPrefix testing
```

As you can see, the policies are all here: [screenshot]

Hope this helps

Thanks

Jack

azureiac commented 3 years ago

@jtracey93 : It is deploying some policies for me as well but deployment is failing for some initiatives.

code": "InvalidCreatePolicySetDefinitionRequest", "message": "The policy set definition 'Deploy-Diag-LogAnalytics' request is invalid. Policy definitions should be specified only at or above the policy set definition's scope.

jtracey93 commented 3 years ago

Hi @sssangle,

Can you share the exact steps and commands you are using to deploy (please redact/replace any sensitive information)?

This error message suggests that the required child policy definitions that make up the policy initiative (aka set) exist outside of the inheritance tree for where the policy set is trying to be created.

Let us know

azureiac commented 3 years ago

@jtracey93: thanks for your quick reply. I found the mistake, changed my management group name and deployed again, and it is working now.
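The root cause the thread arrives at (the prefix baked into the initiatives' child definition IDs did not match the management group being deployed to) can be caught before running the deployment. The following is an added example, not code from the Enterprise-Scale repository; the management-group tree and the template fragment are constructed, and the check assumes the ID formats shown in the error messages above.

```python
"""Pre-flight check for the scope error quoted in this thread (added example,
not code from the Enterprise-Scale repo). policies.json builds each policy set's
child policyDefinitionId from topLevelManagementGroupPrefix; if that prefix names a
management group outside the target's inheritance tree, Azure rejects the set."""
import re

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
CUSTOM_DEF_RE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/(?P<mg>[^/]+)"
    r"/providers/Microsoft\.Authorization/policyDefinitions/[^/]+$")
BUILTIN_DEF_RE = re.compile(r"^/providers/Microsoft\.Authorization/policyDefinitions/[^/]+$")

# Constructed management-group tree: child -> parent (the root has no parent).
MG_PARENT = {"eslz": "Tenant Root Group", "platform": "eslz", "testing": "Tenant Root Group"}

def ancestors_and_self(mg):
    """Yield the management group and every ancestor up to the root."""
    while mg is not None:
        yield mg
        mg = MG_PARENT.get(mg)

def check_policy_sets(policy_sets, target_mg):
    """Return {set_name: [offending definition ids]} for child definitions that
    would live outside the inheritance tree of target_mg; {} means the check passes."""
    visible = set(ancestors_and_self(target_mg))
    problems = {}
    for ps in policy_sets:
        bad = []
        for ref in ps["properties"]["policyDefinitions"]:
            def_id = ref["policyDefinitionId"]
            if BUILTIN_DEF_RE.match(def_id):
                continue  # built-in definitions are tenant-wide and always visible
            m = CUSTOM_DEF_RE.match(def_id)
            if not m or m.group("mg") not in visible:
                bad.append(def_id)
        if bad:
            problems[ps["name"]] = bad
    return problems

def render_policy_sets(prefix):
    """Constructed fragment that mirrors how policies.json substitutes the prefix
    into the child definition IDs of the Deploy-Sql-Security initiative."""
    def custom(name):
        return f"{MG_PREFIX}{prefix}/providers/Microsoft.Authorization/policyDefinitions/{name}"
    builtin = "/providers/Microsoft.Authorization/policyDefinitions/<constructed-guid>"
    return [{"name": "Deploy-Sql-Security", "properties": {"policyDefinitions": [
        {"policyDefinitionId": custom("Deploy-Sql-Tde")},
        {"policyDefinitionId": custom("Deploy-Sql-AuditingSettings")},
        {"policyDefinitionId": builtin}]}}]
```

Deploying with prefix `eslz` into the unrelated `testing` group reproduces the failure from the thread, while deploying into `platform` (a child of `eslz`) passes because the referenced definitions sit above the target.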