Azure / bicep-registry-modules

Bicep registry modules
MIT License

[AVM Module Issue]: avm/res/operational-insights/workspace does not support deploy of SQLAuditing solution #3378

Closed jikuja closed 5 days ago

jikuja commented 1 month ago

Check for previous/existing GitHub issues

Issue Type?

Bug

Module Name

avm/res/operations-management/solution

(Optional) Module Version

No response

Description

The following code fails:

module law 'br/public:avm/res/operational-insights/workspace:0.7.0' = {
  name: logAnalyticsWorspaceName
  params: {
    name: logAnalyticsWorspaceName
    enableTelemetry: false
    gallerySolutions: [
      {
        name: 'SQLAuditing'
        product: 'SQLAuditing'
        publisher: 'Microsoft'
      }
    ]
  }
}

Error message:

Solution product name cannot start with 'OMSGallery/' as it is reserved for Microsoft first party solutions. Operation Id: '8aab36af321b604584069fe60e602148' (Code: InvalidParameter, Target: plan.product)

The solution can be added by using the solutions resource:

var solutionName = 'SQLAuditing(${logAnalyticsWorspaceName})'
resource solution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = {
  name: solutionName
  location: location
  properties: {
    workspaceResourceId: law.outputs.resourceId
  }
  plan: {
    name: solutionName
    promotionCode: ''
    product: 'SQLAuditing'
    publisher: 'Microsoft'
  }
}

To me it looks like the SQLAudit solution is not available in the OMSGallery namespace:

https://github.com/Azure/bicep-registry-modules/blob/main/avm/res/operations-management/solution/main.bicep#L48:

var solutionProduct = publisher == 'Microsoft' ? 'OMSGallery/${name}' : product

For reference, the Portal creates the following resource (not the call, but the resulting state of the resource) when turning on auditing to LAW on Azure SQL:

{
  "plan": {
    "name": "SQLAuditing[law-law]",
    "publisher": "Microsoft",
    "promotionCode": "",
    "product": "SQLAuditing",
    "version": "1.0"
  },
  "properties": {
    "workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RgName/providers/Microsoft.OperationalInsights/workspaces/law-law",
    "provisioningState": "Succeeded",
    "creationTime": "Thu, 26 Sep 2024 14:55:20 GMT",
    "lastModifiedTime": "Thu, 26 Sep 2024 14:55:20 GMT",
    "containedResources": [
      "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RgName/providers/Microsoft.OperationalInsights/workspaces/law-law/views/SQLSecurityInsights",
      "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RgName/providers/Microsoft.OperationalInsights/workspaces/law-law/views/SQLAccessToSensitiveData"
    ],
    "referencedResources": []
  },
  "location": "westeurope",
  "tags": {},
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RgName/providers/Microsoft.OperationsManagement/solutions/SQLAuditing[law-law]",
  "name": "SQLAuditing[law-law]",
  "type": "Microsoft.OperationsManagement/solutions"
}

(Optional) Correlation Id

No response
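
A post-deployment check for the resource state quoted above, as an added example that is not part of the original issue or of the AVM modules: it validates an exported `Microsoft.OperationsManagement/solutions` resource so that a missing or mis-composed SQLAuditing solution is caught before the audit data is relied on. The helper name, the embedded sample (a trimmed copy of the JSON above) and the rule that `plan.name` equals the resource name are assumptions drawn from the two examples on this page.

```python
import json
import re

# Constructed sample: trimmed copy of the resource state quoted in the issue.
SAMPLE = json.loads("""
{
  "plan": {"name": "SQLAuditing[law-law]", "publisher": "Microsoft",
           "promotionCode": "", "product": "SQLAuditing"},
  "properties": {
    "workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RgName/providers/Microsoft.OperationalInsights/workspaces/law-law",
    "provisioningState": "Succeeded"
  },
  "name": "SQLAuditing[law-law]",
  "type": "Microsoft.OperationsManagement/solutions"
}
""")

# The portal names the solution "SQLAuditing[<workspace>]"; the Bicep
# workaround in the issue uses "SQLAuditing(<workspace>)". Accept both.
NAME_RE = re.compile(r"^SQLAuditing[\[(](?P<ws>[^\])]+)[\])]$")


def check_sql_auditing_solution(resource: dict) -> list:
    """Hypothetical helper: return findings; an empty list means no problem found."""
    findings = []
    plan = resource.get("plan", {})
    props = resource.get("properties", {})
    name = resource.get("name", "")
    if resource.get("type") != "Microsoft.OperationsManagement/solutions":
        findings.append("not a solutions resource")
    # 'OMSGallery/SQLAuditing' is what the module composed and the provider rejected.
    if plan.get("product") != "SQLAuditing":
        findings.append(f"unexpected plan.product: {plan.get('product')!r}")
    if plan.get("publisher") != "Microsoft":
        findings.append(f"unexpected plan.publisher: {plan.get('publisher')!r}")
    # Assumption: plan.name equals the resource name, as in both examples on the page.
    if plan.get("name") != name:
        findings.append("plan.name differs from the resource name")
    workspace = props.get("workspaceResourceId", "").rsplit("/", 1)[-1]
    match = NAME_RE.match(name)
    if not match:
        findings.append(f"unexpected solution name: {name!r}")
    elif match.group("ws").lower() != workspace.lower():
        findings.append(f"name targets {match.group('ws')!r}, resource ID targets {workspace!r}")
    if props.get("provisioningState") != "Succeeded":
        findings.append(f"provisioningState is {props.get('provisioningState')!r}")
    return findings


if __name__ == "__main__":
    print(check_sql_auditing_solution(SAMPLE) or "SQLAuditing solution looks healthy")
```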

avm-team-linter[bot] commented 1 month ago

@jikuja, thanks for submitting this issue for the avm/res/operations-management/solution module!

[!IMPORTANT] A member of the @Azure/avm-res-operationsmanagement-solution-module-owners-bicep or @Azure/avm-res-operationsmanagement-solution-module-contributors-bicep team will review it soon!

microsoft-github-policy-service[bot] commented 1 month ago

[!IMPORTANT] The "Needs: Triage :mag:" label must be removed once the triage process is complete!

[!TIP] For additional guidance on how to triage this issue/PR, see the BRM Issue Triage documentation.

microsoft-github-policy-service[bot] commented 1 month ago

[!WARNING] Tagging the AVM Core Team (@Azure/avm-core-team-technical-bicep) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

[!TIP]

  • To prevent further actions to take effect, the "Status: Response Overdue 🚩" label must be removed, once this issue has been responded to.
  • To avoid this rule being (re)triggered, the "Needs: Triage :mag:" label must be removed as part of the triage process (when the issue is first responded to)!
microsoft-github-policy-service[bot] commented 1 month ago

[!CAUTION] This issue requires the AVM Core Team's (@Azure/avm-core-team-technical-bicep) immediate attention as it hasn't been responded to within 6 business days.

[!TIP]

  • To avoid this rule being (re)triggered, the "Needs: Triage :mag:" and "Status: Response Overdue :triangular_flag_on_post:" labels must be removed when the issue is first responded to!
  • Remove the "Needs: Immediate Attention :bangbang:" label once the issue has been responded to.
krbar commented 3 weeks ago

@jikuja Thank you for reporting the issue, I will look into it.

krbar commented 2 weeks ago

@jikuja Quick update on this. You were right, the SQLAuditing solution seems not to follow the standard naming patterns and expects the product name in a format of a 3rd party solution.

This will be a two-step fix. First, we need to merge #3671 and publish a new version of the avm/res/operations-management/solution module. This version doesn't attempt to compose the names expected by the resource provider based on the user's input. Instead, the user input must be in a format expected by the resource provider. This will require updating the parameters, but will allow more flexibility.

Once the avm/res/operations-management/solution module is updated, we will update the avm/res/operational-insights/workspace module to use the new solutions module.