Azure / azure-monitor-baseline-alerts

Azure Monitor Baseline Alerts
MIT License

[Question/Feedback]: Modifying policy definitions clarification #24

Closed NikolaiKleppe closed 11 months ago

NikolaiKleppe commented 11 months ago

Check for previous/existing GitHub issues

Description

Hello,

As highlighted in the wiki for customizing-the-amba-policies it doesn't go into detail on how this is accomplished.

The reason I'm asking is that it seems to be more complicated than just editing the individual policy definitions (which is simple enough) inside the services directory. All policy definitions are, to my understanding, converted into a single big json file policies.json (which is referenced by alzArm.json used by pipeline). This is done automatically I assume, by the policies.bicep file?

So modifying the individual policies won't apply any actual changes when running the pipeline because policies.json is not updated to reflect these changes without first running policies.bicep locally.

Am I understanding this correctly? If so there should be documentation on how to use the policies.bicep file.

Surely we're not supposed to edit the policies.json file directly? Especially when a big portion of it looks like this:

image

image

To me it seems like the policy definitions inside the services directory are the source of truth, the rest is automated.

arjenhuitema commented 11 months ago

Hello @NikolaiKleppe,

Thank you for your feedback. I'm adding this to our backlog so we can improve the documentation.

You are correct, just modifying the individual policies will not apply any changes directly. We have recently moved away from deploying PolicyDefinitions and PolicySetDefinitions individually and as you have pointed out, everything is now combined in the policy.json file.

"Surely we're not supposed to edit the policies.json file directly?"

Correct. Since this file is built, it's best not to change the file directly.

How to modify individual policies

If you want to modify settings that are not parameterized, please follow the following steps:

  1. Fork the repo.
  2. Modify the policies.
  3. If you are adding new policies, you need to add them in the policies.bicep file.
  4. Run
    bicep build .\patterns\alz\templates\policies.bicep --outfile .\patterns\alz\policyDefinitions\policies.json
  5. Commit and sync the changes to your fork
  6. Deploy with:
    az deployment mg create --template-uri https://raw.githubusercontent.com/<yourgithub>/azure-monitor-baseline-alerts/<main or branchname>/patterns/alz/alzArm.json --location $location --management-group-id $pseudoRootManagementGroup --parameters .\patterns\alz\alzArm.param.json

Hope this helps. Thanks again for your feedback.
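A pre-deployment check for the situation discussed above, where policy sources are edited but the committed policies.json is not rebuilt. This is an added example, not code from the AMBA repository or from either commenter; it assumes the Bicep CLI is on PATH and that it runs from the root of the fork, and the function names and the temporary file name are hypothetical.

```powershell
# Added example (not part of the AMBA repo). Run from the root of your fork.
$ErrorActionPreference = 'Stop'

$bicepFile = '.\patterns\alz\templates\policies.bicep'
$committed = '.\patterns\alz\policyDefinitions\policies.json'
$rebuilt   = Join-Path ([System.IO.Path]::GetTempPath()) 'policies.rebuilt.json'

# Hypothetical helper: strip the "_generator" metadata that the Bicep compiler
# writes into its output (compiler version and template hash), at every nesting
# level, so a different Bicep version alone is not reported as drift.
function Remove-GeneratorMetadata($Node) {
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        if ($Node.PSObject.Properties['_generator']) {
            $Node.PSObject.Properties.Remove('_generator')
        }
        foreach ($property in @($Node.PSObject.Properties)) {
            Remove-GeneratorMetadata $property.Value
        }
    }
    elseif ($Node -is [System.Collections.IEnumerable] -and $Node -isnot [string]) {
        foreach ($item in $Node) { Remove-GeneratorMetadata $item }
    }
}

# Hypothetical helper: load a compiled template and return it as compact JSON
# with the generator metadata removed, ready for a string comparison.
function Get-NormalizedTemplate([string]$Path) {
    $template = Get-Content -Raw -LiteralPath $Path | ConvertFrom-Json
    Remove-GeneratorMetadata $template
    $template | ConvertTo-Json -Depth 100 -Compress
}

try {
    # Rebuild from the sources into a temporary file; the committed file is untouched.
    bicep build $bicepFile --outfile $rebuilt
    if ($LASTEXITCODE -ne 0) { throw "bicep build failed with exit code $LASTEXITCODE" }

    if ((Get-NormalizedTemplate $committed) -cne (Get-NormalizedTemplate $rebuilt)) {
        throw 'policies.json is stale: run the bicep build step and commit the result before deploying.'
    }
    Write-Host 'policies.json matches the output of policies.bicep.'
}
finally {
    Remove-Item -LiteralPath $rebuilt -ErrorAction SilentlyContinue
}
```

Run between steps 5 and 6, or as a pipeline gate on the fork, the script stops with an error whenever the committed file no longer reflects the policy sources.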

NikolaiKleppe commented 11 months ago

Great! Thanks a lot for the details @arjenhuitema - We'll be doing this going forward