Enterprise-Scale
Remediation not working for policy Deploys NSG flow logs and traffic analytics to a storageaccountid with a specfied retention period.
Describe the bug
Remediation for the policy 'Deploys NSG flow logs and traffic analytics to a storageaccountid with a specfied retention period.' does not work. The error is:
Reason: No policy evaluation result was found. The policy assignment's exclusions may have changed or it no longer exists. Please retry the remediation with 'ResourceDiscoveryMode' set to 'ReEvaluateCompliance'.
Steps to reproduce
- Deploy the policy definition and create an assignment
- Create an NSG without flow logs configured
- The NSG becomes non-compliant after a while
- Create a remediation task. The task fails with the error above and the NSG remains non-compliant.
Screenshots
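The reproduction above ends at the failing remediation task. As an added example (not code from the issue or the Enterprise-Scale repository), the PowerShell below does what the error text asks for: it checks which resources Policy currently records as non-compliant for the definition, starts a remediation with ResourceDiscoveryMode set to ReEvaluateCompliance instead of the default ExistingNonCompliant, and then polls the task and prints its deployment summary. The definition ID is the one quoted later in the thread; the assignment ID, the scope and the remediation name are placeholders I assumed, not values from the report.

```powershell
# Added example, not from the issue or the Enterprise-Scale repo.
# Assumptions (not stated in the thread): $scope and $assignmentId are
# placeholders; the definition ID is the one quoted in the thread. Requires the
# Az.PolicyInsights module and an identity allowed to start remediations at the
# scope (e.g. Resource Policy Contributor).

$definitionId = '/providers/Microsoft.Management/managementGroups/mg-pg-prd/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs'
$scope        = '/providers/Microsoft.Management/managementGroups/mg-pg-prd'   # assumption
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/Deploy-Nsg-FlowLogs"   # assumption
$remediationName = "remediate-nsg-flowlogs-$(Get-Date -Format yyyyMMddHHmm)"

# 1. What does Policy currently hold as non-compliant for this definition?
#    If an NSG you know has no flow logs is missing here, a remediation in the
#    default ExistingNonCompliant mode has nothing to act on, which matches the
#    "No policy evaluation result was found" error in the report.
Get-AzPolicyState -ManagementGroupName 'mg-pg-prd' `
    -Filter "ComplianceState eq 'NonCompliant' and PolicyDefinitionId eq '$definitionId'" |
    Select-Object ResourceId, ComplianceState, Timestamp

# 2. Start the remediation in ReEvaluateCompliance mode, as the error suggests.
#    This re-evaluates the assignment's resources instead of relying on stored
#    compliance records.
$remediation = Start-AzPolicyRemediation -Name $remediationName `
    -Scope $scope `
    -PolicyAssignmentId $assignmentId `
    -ResourceDiscoveryMode ReEvaluateCompliance

# 3. Poll until the task leaves its in-progress states, then show the summary
#    and any per-resource deployment errors.
do {
    Start-Sleep -Seconds 30
    $remediation = Get-AzPolicyRemediation -Name $remediationName -Scope $scope -IncludeDetail
    Write-Host ("{0}: {1}" -f (Get-Date -Format T), $remediation.ProvisioningState)
} while ($remediation.ProvisioningState -in @('Accepted', 'Evaluating', 'Running'))

$remediation | Select-Object ProvisioningState, ResourceDiscoveryMode, DeploymentSummary
$remediation.Deployments | Select-Object ResourceId, Status, Error
```

If the task still reports no evaluation results in ReEvaluateCompliance mode, the next things to verify are that the assignment ID actually exists at that scope and that the NSG is not excluded from the assignment; a remediation cannot deploy flow logs for resources the assignment does not cover.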
Thanks @neok-g for the issue.
Can you confirm the definition ID of the policy as we have 2 with the same description:
https://www.azadvertizer.net/azpolicyadvertizer_all.html#%7B%22col_3%22%3A%7B%22flt%22%3A%22nsg%22%7D%2C%22col_10%22%3A%7B%22flt%22%3A%22ESLZ%22%7D%7D
Thanks
Jack
Hi @jtracey93
Thanks for your response. The policy definition ID of the policy we use is: /providers/Microsoft.Management/managementGroups/mg-pg-prd/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs
Thanks
Any update on this one?
@jtracey93 Do you need more input from my side? Are you able to reproduce this one?
Hi @neok-g,
I think we are all good, just some time to investigate amongst some other items that we are working on.
Hopefully will get a chance to look this week 👍
@neok-g, are you able to test this version of the policy please and let us know if it works? https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Nsg-FlowLogs-to-LA.html
@jtracey93 Thanks! I will take a look at it today
Perfect @neok-g let us know how it goes
@jtracey93 I guess you shared the wrong one. We use the "Deploys NSG flow logs and traffic analytics" instead of "Deploys NSG flow logs and traffic analytics to Log Analytics" since we want to provide our own storage account.
Apologies @neok-g, was not aware that was your requirement.
Out of interest, I saw this built-in is now available https://www.azadvertizer.net/azpolicyadvertizer/5e1cd26a-5090-4fdb-9d6a-84a90335e22d.html
And it looks to be a pretty close match to what our custom policy does, apart from it being assigned to a region, but you can assign it multiple times.
Just wondering if you could give this a go whilst I find some time to test our one to see if I can replicate your bug?
@jtracey93 No problem. The thing is we would like to specify retention period in combination with a self-chosen storage account. The only policy that seems to offer both is "Deploys NSG flow logs and traffic analytics". The built-in "Configure network security groups to use specific workspace for traffic analytics" has retention hardcoded 0 days and disabled.
Any update on this one?
Could you please provide an update on this one?
Hey @neok-g,
We are awaiting to review and merge PR #1022 before working on these. We hope to review and merge this PR this week.
@neok-g been a long time since we've provided updates, apologies. Please note, we have deprecated the ALZ custom policies for "Deploy NSG flow logs *" and they have been superseded by the built-in policy https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html. This should address your issue.