Azure / azure-policy

Repository for Azure Resource Policy built-in definitions and samples
MIT License
1.49k stars 1.08k forks

Audit diagnostic setting for selected resource types: false positive for `microsoft.network/networkinterfaces` #1369

Open sanderaernouts opened 3 weeks ago

sanderaernouts commented 3 weeks ago

Details of the scenario you tried and the problem that is occurring

When the "Audit diagnostic setting for selected resource types" policy is assigned in a scope that contains a resource of the type microsoft.network/networkinterfaces (a private endpoint in our case), the policy flags these resources as Non-Compliant. The policy checks for the existence of the field Microsoft.Insights/diagnosticSettings/logs.enabled with a value of true.

However, the Microsoft.Insights/diagnosticSettings resource for a microsoft.network/networkinterfaces is different from that of most resource types. Below is the difference:

"properties": {
-   "logs": [
-       {
-           "category": null,
-           "categoryGroup": "allLogs",
-           "enabled": true,
-           "retentionPolicy": {
-               "days": 0,
-               "enabled": false
-           }
-       }
-   ],
+   "logs": [],
    "metrics": [
        {
            "timeGrain": null,
            "enabled": true,
            "retentionPolicy": {
                "days": 0,
                "enabled": false
            },
            "category": "AllMetrics"
        }
    ]
}
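Review bot: the only `enabled` flag a network interface's diagnostic setting carries is the one in the unchanged `metrics` block (`"category": "AllMetrics"`, `"enabled": true`), since the `-` side's `logs` entry is replaced by `"logs": []` and no log category survives on the `+` side; a fix that stops checking `logs.enabled` for this type should therefore still check `metrics.enabled`, otherwise a NIC with no diagnostic data flowing at all would be reported as Compliant.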

Because logs is an empty array, it does not contain enabled: true, and thus the policy flags this resource as Non-Compliant.

Verbose logs showing the problem

N/A

Suggested solution to the issue

Do not check logs.enabled for microsoft.network/networkinterfaces.

If policy is Guest Configuration - details about target node

N/A
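To make the false positive and the suggested fix concrete, the following is an added example written for this issue; it is not code from the azure-policy repository and not the Azure Policy engine. It is a small stand-in evaluator that supports only `field` + `equals`, `allOf`, `anyOf` and `not`, models an array alias such as Microsoft.Insights/diagnosticSettings/logs.enabled as "true if any element of the array satisfies the comparison" (an assumption made for this model), and runs the current `logs.enabled` check and a type-specific `metrics.enabled` fallback over constructed payloads in the two shapes shown above. The `NO_LOG_CATEGORY_TYPES` set and the helper names are assumptions of the example.

```python
"""Simplified model of the diagnostic-settings existence check in issue #1369.

Added example; not code from the azure-policy repository and not the Azure
Policy engine. The evaluator supports only `field` + `equals`, `allOf`,
`anyOf` and `not`, and models an array alias such as
Microsoft.Insights/diagnosticSettings/logs.enabled as "true if any element of
the array satisfies the comparison" (assumption made for this model).
"""
from typing import Any, Dict, List

ALIAS = "Microsoft.Insights/diagnosticSettings/"


def diag_settings(logs: List[bool], metrics: List[bool]) -> Dict[str, Any]:
    """Build a constructed diagnosticSettings payload in the shape shown in the issue."""
    return {
        "properties": {
            "logs": [{"categoryGroup": "allLogs", "enabled": e} for e in logs],
            "metrics": [{"category": "AllMetrics", "enabled": e} for e in metrics],
        }
    }


# Constructed payloads: a typical resource type, and a network interface whose
# diagnostic settings expose no log categories (logs is an empty array).
TYPICAL_DIAG = diag_settings(logs=[True], metrics=[True])
NIC_DIAG = diag_settings(logs=[], metrics=[True])
NIC_DIAG_METRICS_OFF = diag_settings(logs=[], metrics=[False])


def resolve(field: str, diag: Dict[str, Any]) -> List[Any]:
    """Resolve an alias such as ALIAS + 'logs.enabled' to the list of matching values.

    Walking through an array yields one candidate per element, so an empty
    `logs` array resolves to no values at all (not to a `false`).
    """
    if not field.startswith(ALIAS):
        raise ValueError(f"unsupported field: {field}")
    values: List[Any] = [diag["properties"]]
    for part in field[len(ALIAS):].split("."):
        nxt: List[Any] = []
        for v in values:
            child = v.get(part) if isinstance(v, dict) else None
            if isinstance(child, list):
                nxt.extend(child)
            elif child is not None:
                nxt.append(child)
        values = nxt
    return values


def evaluate(cond: Dict[str, Any], diag: Dict[str, Any]) -> bool:
    """Evaluate a policy-rule style condition against one diagnosticSettings payload."""
    if "allOf" in cond:
        return all(evaluate(c, diag) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, diag) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], diag)
    if "field" in cond and "equals" in cond:
        want = str(cond["equals"]).lower()
        return any(str(v).lower() == want for v in resolve(cond["field"], diag))
    raise ValueError(f"unsupported condition: {cond}")


# The existence condition as the issue describes it: logs.enabled must be true.
LOGS_ENABLED = {"field": ALIAS + "logs.enabled", "equals": "true"}
# Fallback check for resource types whose diagnostic settings have no log categories.
METRICS_ENABLED = {"field": ALIAS + "metrics.enabled", "equals": "true"}

# Resource types whose diagnostic settings carry no log categories. The issue
# establishes this only for network interfaces; any further entry is an
# assumption to verify against the resource provider's supported categories.
NO_LOG_CATEGORY_TYPES = {"microsoft.network/networkinterfaces"}


def compliant_current(resource_type: str, diag: Dict[str, Any]) -> bool:
    """Current behaviour: every resource type must satisfy logs.enabled == true."""
    return evaluate(LOGS_ENABLED, diag)


def compliant_proposed(resource_type: str, diag: Dict[str, Any]) -> bool:
    """Suggested fix: skip the logs check for NICs and require enabled metrics instead."""
    if resource_type.lower() in NO_LOG_CATEGORY_TYPES:
        return evaluate(METRICS_ENABLED, diag)
    return evaluate(LOGS_ENABLED, diag)


if __name__ == "__main__":
    nic = "microsoft.network/networkinterfaces"
    state = lambda ok: "Compliant" if ok else "Non-Compliant"
    print("NIC, current rule:  ", state(compliant_current(nic, NIC_DIAG)))
    print("NIC, proposed rule: ", state(compliant_proposed(nic, NIC_DIAG)))
    print("NIC, metrics off:   ", state(compliant_proposed(nic, NIC_DIAG_METRICS_OFF)))
```

Running the module reports the NIC as Non-Compliant under the current rule and Compliant under the proposed one, while a NIC whose only enabled flag (metrics) is off stays Non-Compliant, so the fix does not turn into a blanket exemption for the type.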