Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License

[BUG] Azure.ServiceBus.AuditLogs - False failure during deployment #2564

Closed ChrisSidebotham closed 9 months ago

ChrisSidebotham commented 9 months ago

Existing rule

Azure.ServiceBus.AuditLogs

Description of the issue

The rule is not picking up configured diagnostic settings for a Premium SKU Service Bus. I have checked by applying all variations of accepted logging; this is for AVM module development:

Bicep to deploy:

resource serviceBusNamespace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
  properties: {
    storageAccountId: diagnosticSetting.?storageAccountResourceId
    workspaceId: diagnosticSetting.?workspaceResourceId
    eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
    eventHubName: diagnosticSetting.?eventHubName
    metrics: diagnosticSetting.?metricCategories ?? [
      {
        category: 'AllMetrics'
        timeGrain: null
        enabled: true
      }
    ]
    logs: diagnosticSetting.?logCategoriesAndGroups ?? [
      {
        categoryGroup: 'AllLogs'
        enabled: true
      }
    ]
    marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
    logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
  }
  scope: serviceBusNamespace
}]

Result in Resource (Azure): [image: diagnostic settings as shown in the Azure portal]

Configured settings: [image: configured diagnostic setting categories]

Error messages

[FAIL] Azure.ServiceBus.AuditLogs (AZR-000358)
| Template: avm/res/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep:1259:36

| RECOMMEND:
| Consider configuring diagnostic settings to record interactions with data of
| the Service Bus.

| REASON:
| - Minimum one diagnostic setting should have (RuntimeAuditLogs) configured or category group (audit, allLogs) configured.

| HELP:
| - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceBus.AuditLogs/

Error: AZR-000358: ***sbnwaf001 failed Azure.ServiceBus.AuditLogs. Ensure namespaces audit diagnostic logs are enabled.

Reproduction

See AVM Module located here: https://github.com/ChrisSidebotham/bicep-registry-modules/blob/avm-res-servicebus-namespace/avm/res/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep

Version of PSRule

2.9.0

Version of PSRule for Azure

1.31.3

Additional context

No response
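As an added example (not PSRule's own implementation), the check below models the condition quoted in the REASON line above, with each diagnostic setting associated to its parent namespace by scope; the resource ids are constructed placeholders.

```python
# Added example, not PSRule's code: evaluates the Azure.ServiceBus.AuditLogs
# condition quoted in the issue's REASON line against constructed diagnostic
# settings, associating each setting with its parent namespace by scope.
from typing import Iterable

AUDIT_CATEGORY = "runtimeauditlogs"
AUDIT_GROUPS = {"audit", "alllogs"}


def audit_logs_enabled(setting: dict) -> bool:
    """True when one enabled log entry covers RuntimeAuditLogs or the audit/allLogs group."""
    for log in setting.get("properties", {}).get("logs", []):
        if not log.get("enabled", False):
            continue
        if log.get("category", "").lower() == AUDIT_CATEGORY:
            return True
        if log.get("categoryGroup", "").lower() in AUDIT_GROUPS:
            return True
    return False


def evaluate_namespace(namespace_id: str, settings: Iterable[dict]) -> bool:
    """Pass when at least one setting scoped to this namespace enables audit logs."""
    associated = [s for s in settings if s.get("scope", "").lower() == namespace_id.lower()]
    return any(audit_logs_enabled(s) for s in associated)


# Constructed sample data; the subscription and resource names are placeholders.
NAMESPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                "rg-example/providers/Microsoft.ServiceBus/namespaces/sb-example")
SETTINGS = [
    {   # mirrors the Bicep default in the issue: categoryGroup AllLogs, enabled
        "name": "sb-example-diagnosticSettings",
        "scope": NAMESPACE_ID,
        "properties": {"logs": [{"categoryGroup": "AllLogs", "enabled": True}],
                       "metrics": [{"category": "AllMetrics", "enabled": True}]},
    },
    {   # attached to a different namespace, so it must not count for sb-example
        "name": "other-diagnosticSettings",
        "scope": NAMESPACE_ID.replace("sb-example", "sb-other"),
        "properties": {"logs": [{"category": "RuntimeAuditLogs", "enabled": True}]},
    },
]

if __name__ == "__main__":
    print("PASS" if evaluate_namespace(NAMESPACE_ID, SETTINGS) else "FAIL")
```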

BernieWhite commented 9 months ago

@ChrisSidebotham Thanks for reporting the issue.

BernieWhite commented 9 months ago

Tracked this one down @ChrisSidebotham; the code reference was very helpful, thanks. This bug is a little more specific to the AVM process: when different deployments create the same resource, sub-resources (for the diagnostic settings) were not being associated correctly.