Azure / azure-policy

Repository for Azure Resource Policy built-in definitions and samples
MIT License

Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics: Needs to assess Microsoft.Network/networkWatchers/flowLogs/provisioningState #1402

Open jcetina opened 4 days ago

jcetina commented 4 days ago

Details of the scenario you tried and the problem that is occurring

Flow logs can fail to provision correctly sometimes (we don't know why - they just do). When provisioning state fails, it is reflected in the JSON representation of the flowLog resource in properties.provisioningState. If this field does not equal Succeeded, then the resource is not correctly provisioned.

Verbose logs showing the problem

This is the only indication of error we get in Activity Logs.

{
  "RoleLocation": "North Central US",
  "Stamp": "FDWorker",
  "ReleaseVersion": "6.2024.46.11+3c79601.release_2024w46",
  "time": "2024-11-22T00:34:09.2141001Z",
  "resourceId": "/SUBSCRIPTIONS/81F81C41-D871-4740-A542-0E7B3D536214/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_WESTUS2/FLOWLOGS/TESTWINVM-VNET-LICHAO127-TEST-WIN-FLOWLOG",
  "operationName": "MICROSOFT.NETWORK/NETWORKWATCHERS/FLOWLOGS/WRITE",
  "category": "Administrative",
  "resultType": "Failure",
  "resultSignature": "Failed.",
  "durationMs": "0",
  "callerIpAddress": "23.96.248.27",
  "correlationId": "14b66339-913b-7aeb-684d-78408020799e",
  "identity": {
    "authorization": {
      "scope": "/subscriptions/81f81c41-d871-4740-a542-0e7b3d536214/resourcegroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus2/flowLogs/testwinvm-vnet-lichao127-test-win-flowlog",
      "action": "Microsoft.Network/networkWatchers/flowLogs/write",
      "evidence": {
        "role": "Contributor",
        "roleAssignmentScope": "/providers/Microsoft.Management/managementGroups/MG-GITHUB",
        "roleAssignmentId": "1c7820899fe5eb71bade1e5ad34bbafc",
        "roleDefinitionId": "b24988ac618042a0ab8820f7382dd24c",
        "principalId": "1b81b93d061b41eeb778ac29d4816c4f",
        "principalType": "ServicePrincipal"
      }
    },
    "claims": {
      "aud": "https://management.azure.com/",
      "iss": "https://sts.windows.net/398a6654-997b-47e9-b12b-9515b896b4de/",
      "iat": "1732235208",
      "nbf": "1732235208",
      "exp": "1732321908",
      "aio": "k2BgYJgvvj7ByP3Bns/rC6unmCfNAQA=",
      "appid": "bc6c9426-93d0-447f-95bc-486412ac94c5",
      "appidacr": "2",
      "http://schemas.microsoft.com/identity/claims/identityprovider": "https://sts.windows.net/398a6654-997b-47e9-b12b-9515b896b4de/",
      "idtyp": "app",
      "http://schemas.microsoft.com/identity/claims/objectidentifier": "1b81b93d-061b-41ee-b778-ac29d4816c4f",
      "rh": "1.AUYAVGaKOXuZ6UexK5UVuJa03kZIf3kAutdPukPawfj2MBPxAABGAA.",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "1b81b93d-061b-41ee-b778-ac29d4816c4f",
      "http://schemas.microsoft.com/identity/claims/tenantid": "398a6654-997b-47e9-b12b-9515b896b4de",
      "uti": "Izf428L9m0uwtvA38MubAA",
      "ver": "1.0",
      "xms_idrel": "7 24",
      "xms_mirid": "/subscriptions/81f81c41-d871-4740-a542-0e7b3d536214/providers/Microsoft.Authorization/policyAssignments/vnet_fundamentals",
      "xms_tcdt": "1576802647"
    }
  },
  "level": "Error",
  "properties": {
    "statusMessage": "{\"status\":\"Failed\",\"error\":{\"code\":\"ResourceOperationFailure\",\"message\":\"The resource operation completed with terminal provisioning state 'Failed'.\",\"details\":[{\"code\":\"InternalServerError\",\"message\":\"An error occurred.\",\"details\":[]}]}}",
    "eventCategory": "Administrative",
    "entity": "/subscriptions/81f81c41-d871-4740-a542-0e7b3d536214/resourcegroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus2/flowLogs/testwinvm-vnet-lichao127-test-win-flowlog",
    "message": "Microsoft.Network/networkWatchers/flowLogs/write",
    "hierarchy": "398a6654-997b-47e9-b12b-9515b896b4de/MG-GITHUB/MG-GITHUB-NONPROD/81f81c41-d871-4740-a542-0e7b3d536214"
  },
  "tenantId": "398a6654-997b-47e9-b12b-9515b896b4de",
  "jobId": "ResourceLongOperationJob-GRL-NETWORKWATCHERRG-MICROSOFT:2ENETWORK:2FNETWORKWATCHERS:2FNETWORKWATCHER:5FWESTUS2:2FFLOWLOGS:2FTESTWINVM:2DVNET:2DLICHAO127:2DTEST:2DWIN:2DFLOWLOG-WESTUS2-00638678323168934826",
  "jobType": "ResourceLongOperationJob"
}

Suggested solution to the issue

Include the following check in the existenceCondition within the allOf block:

                  {
                    "field": "Microsoft.Network/networkWatchers/flowLogs/provisioningState",
                    "equals": "Succeeded"
                  }

If policy is Guest Configuration - details about target node
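To show what the proposed check changes, here is an added example (not code from the azure-policy repo or the issue author) that evaluates a toy existenceCondition against two constructed flowLog resources, one provisioned and one in the terminal 'Failed' state from the activity log above. Only the provisioningState alias is taken from the issue; the enabled and retentionPolicy.days aliases and the resource field paths are assumed for illustration.

```python
# Added example (not code from the azure-policy repo): a minimal evaluator for
# a policy existenceCondition, used to show why a flowLog resource whose
# properties.provisioningState is "Failed" must not count as compliant.
# Only the provisioningState alias comes from the issue; the other two aliases
# and the field paths are assumed for illustration.
ALIAS_TO_PATH = {
    "Microsoft.Network/networkWatchers/flowLogs/enabled": ("properties", "enabled"),
    "Microsoft.Network/networkWatchers/flowLogs/retentionPolicy.days": ("properties", "retentionPolicy", "days"),
    "Microsoft.Network/networkWatchers/flowLogs/provisioningState": ("properties", "provisioningState"),
}

def get_field(resource, alias):
    """Resolve a policy alias to the value in the resource JSON (None if absent)."""
    node = resource
    for key in ALIAS_TO_PATH[alias]:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def evaluate(condition, resource):
    """Evaluate allOf / anyOf / field conditions; string 'equals' is case-insensitive, as in Azure Policy."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    value = get_field(resource, condition["field"])
    if "equals" in condition:
        expected = condition["equals"]
        if isinstance(value, str) and isinstance(expected, str):
            return value.lower() == expected.lower()
        return value == expected
    if "greaterOrEquals" in condition:
        return value is not None and value >= condition["greaterOrEquals"]
    raise ValueError(f"unsupported condition: {condition}")

# Existence condition as assumed before the fix (enabled + retention only) ...
CURRENT_CONDITION = {"allOf": [
    {"field": "Microsoft.Network/networkWatchers/flowLogs/enabled", "equals": True},
    {"field": "Microsoft.Network/networkWatchers/flowLogs/retentionPolicy.days", "greaterOrEquals": 30},
]}
# ... and with the check proposed in the issue appended to the allOf block.
PROPOSED_CONDITION = {"allOf": CURRENT_CONDITION["allOf"] + [
    {"field": "Microsoft.Network/networkWatchers/flowLogs/provisioningState", "equals": "Succeeded"},
]}

# Constructed flowLog resources: one provisioned correctly, one in terminal 'Failed' state.
HEALTHY_FLOW_LOG = {"properties": {"enabled": True, "retentionPolicy": {"days": 90}, "provisioningState": "Succeeded"}}
FAILED_FLOW_LOG = {"properties": {"enabled": True, "retentionPolicy": {"days": 90}, "provisioningState": "Failed"}}

if __name__ == "__main__":
    for name, cond in (("current", CURRENT_CONDITION), ("proposed", PROPOSED_CONDITION)):
        print(name, "treats failed flow log as compliant:", evaluate(cond, FAILED_FLOW_LOG))
```

Without the provisioningState check the failed flow log satisfies the existence condition and the deployIfNotExists remediation never re-runs; with it, the resource is reported as non-compliant.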

jcetina commented 4 days ago

Note: this also applies to Configure virtual network to enable Flow Log and Traffic Analytics