Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

🪲 Bug Report - Deploy Diagnostic Settings for Firewall to Log Analytics workspace #985

Closed neok-g closed 2 years ago

neok-g commented 2 years ago

Describe the bug

I noticed that the following Enterprise Scale policy definition remains non-compliant after a remediation task has run:

Deploy Diagnostic Settings for Firewall to Log Analytics workspace

To Reproduce

Steps to reproduce the behaviour:

  1. Deploy the Enterprise Scale policy definitions/initiatives
  2. Create a policy assignment for the policy initiative 'Deploy Diagnostic Settings to Azure Services'
  3. Create an Azure firewall
  4. After a while the Azure firewall instance appears in policy compliance overview as non-compliant
  5. Create a remediation task for the policy 'Deploy Diagnostic Settings for Firewall to Log Analytics workspace'.
  6. A diagnostic setting is created but the Azure firewall remains non-compliant

Expected behaviour

Diagnostic Setting should be created for Azure firewall and Azure firewall should be compliant

Screenshots 📷

If applicable, add screenshots to help explain your problem. Please feel free to blur/cover any sensitive information.

[screenshot]

Correlation ID

A correlation ID really helps us investigate your issue further. Please provide one if possible. Details on how to find a correlation ID can be found here: Correlation ID and support

Additional context

Anything else we should know to help us troubleshoot this bug?

neok-g commented 2 years ago

Any update on this one?

jtracey93 commented 2 years ago

Hey @neok-g,

I will try and repro this today and then look at what fix is needed

jtracey93 commented 2 years ago

Have deployed both AzFw Premium and Standard and have seen the following missing log categories causing this non-compliance: [screenshot]

We will investigate and update the policy definition

neok-g commented 2 years ago

I can confirm the first 3 log categories are set on my side as well. The policy uses existenceCondition:

      "existenceCondition": {
        "allOf": [
          {
            "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
            "equals": "[parameters('logAnalytics')]"
          }
        ]
      },

For my understanding: if one of the log categories is disabled (false), then the overall Microsoft.Insights/diagnosticSettings/logs.enabled will be false and so the policy remains non-compliant? Is that how it works?

jtracey93 commented 2 years ago

Correct. There are also a number of other categories to be added to the definition, which I have fixed and will merge later today in PR #992.
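As an added illustration of the question answered above (not code from the Enterprise-Scale repo or from either commenter): a toy evaluator in Python for the quoted existenceCondition. It assumes, as the thread concludes, that the array alias `logs.enabled` is satisfied only when every log category in the diagnostic setting is enabled; the workspace ID and category names are constructed placeholders.

```python
# Toy evaluator for the existenceCondition quoted in the thread. This is an added
# illustration, not Azure Policy's engine. Assumption: an array alias such as
# Microsoft.Insights/diagnosticSettings/logs.enabled matches only when every
# element of the array satisfies the condition, which is why a single disabled
# log category leaves the firewall non-compliant.

EXISTENCE_CONDITION = {
    "allOf": [
        {"field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "true"},
        {"field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", "equals": "true"},
        {"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
         "equals": "[parameters('logAnalytics')]"},
    ]
}

def resolve(value, params):
    # Replace an ARM-style "[parameters('name')]" reference with its value.
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def field_values(setting, alias):
    # Walk the alias path below "diagnosticSettings/"; stepping through a list
    # yields one value per element (the assumed array alias semantics).
    path = alias.split("diagnosticSettings/", 1)[1].split(".")
    values = [setting]
    for part in path:
        nxt = []
        for v in values:
            if isinstance(v, list):
                nxt.extend((item or {}).get(part) for item in v)
            else:
                nxt.append((v or {}).get(part))
        values = nxt
    return values

def evaluate(cond, setting, params):
    # allOf: every sub-condition must hold. Leaf: every value behind the alias
    # must equal the expected value (booleans compared as "true"/"false").
    if "allOf" in cond:
        return all(evaluate(c, setting, params) for c in cond["allOf"])
    expected = resolve(cond["equals"], params)
    vals = field_values(setting, cond["field"])
    norm = lambda v: str(v).lower() if isinstance(v, bool) else v
    return len(vals) > 0 and all(norm(v) == expected for v in vals)

# Constructed sample: a diagnostic setting with one log category left disabled.
WORKSPACE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-placeholder"
PARAMS = {"logAnalytics": WORKSPACE}

def make_setting(enabled_flags, workspace=WORKSPACE):
    return {
        "workspaceId": workspace,
        "metrics": [{"category": "AllMetrics", "enabled": True}],
        "logs": [{"category": f"Category{i}", "enabled": e} for i, e in enumerate(enabled_flags)],
    }
```

Running `evaluate(EXISTENCE_CONDITION, make_setting([True, True, False]), PARAMS)` returns False even though a diagnostic setting exists, which is the symptom reported in the issue; enabling every category makes it return True.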