AMBA policy ALZ_ServiceHealth_ActionGroups Missing when remediating AMBA policies - Bug Report

[Greg-Court]

When remediating AMBA policy assignments (brownfield environment), following steps outlined here running the following commands:

.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $managementManagementGroup -policyName Alerting-Management
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $connectivityManagementGroup -policyName Alerting-Connectivity
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $identityManagementGroup -policyName Alerting-Identity
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-LandingZone
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $pseudoRootManagementGroup -policyName Alerting-ServiceHealth
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $pseudoRootManagementGroup -policyName Notification-Assets

All remediation commands complete successfully, apart from Start-AMBARemediation.ps1 -managementGroupName $pseudoRootManagementGroup -policyName Alerting-ServiceHealth, producing the following error:

Exception: /azure-monitor-baseline-alerts/patterns/alz/scripts/Start-AMBARemediation.ps1:106
Line |
 106 |          throw "No policy assignments found for policy $policyName at  …
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | No policy assignments found for policy ALZ_ServiceHealth_ActionGroups at management group scope *redacted*

[Springstone]

@arjenhuitema could you have a quick look at this one please?

[arjenhuitema]

Hi @Greg-Court, thanks for your feedback,

The reason for this is that the policy remediation script in AMBA has received an update to accommodate a new feature that hasn't been integrated into the ALZ portal accelerator yet.

If the AMBA initiatives are compliant, there's no need to rerun the script. However, if the Service health initiative is not compliant, please run this version of the script.

.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $pseudoRootManagementGroup -policyName Alerting-ServiceHealth

[Springstone]

@arjenhuitema @Greg-Court transferring to the AMBA repo for consistency.

[arjenhuitema]

Hi @Greg-Court,

In #278 you mentioned that you rolled out the latest version using Azure CLI, which got me revisiting this issue.

My initial reaction is not correct because it applies solely to deployments via the ALZ portal accelerator.

I've looked into the script and identified a problem relating to how the wait time was implemented. After initiating the remediations of ALZ_ServiceHealth_ActionGroups, a 5 minute delay is factored in because it is a prerequisite for the subsequent deployment of service health alerts. The code that was implemented to address the remediation of just the ALZ_ServiceHealth_ActionGroups prior to the wait time failed to accurately list the policy, resulting in this error.

The latest script update is in our development branch. The merge to the main branch is scheduled for completion by the end of August.

• Start-AMBARemediation.ps1