Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License
410 stars 216 forks

Remediation Task could not be created #633

Closed KennethBess closed 3 months ago

KennethBess commented 3 months ago

Describe the bug

When the remediation pipeline run, we get the following error:

===================================================================================================
Creating 34 remediation tasks...
===================================================================================================
'/managementGroups/EMEA.prod/Deploy-AzActivity-Log': 1 resources, 'Configure Azure Activity logs to stream to specified Log Analytics workspace', deployifnotexists
    Remediation Task could not be created.
'/managementGroups/EMEA.prod/Deploy-MDFC-Config|defenderforossdb': 1 resources, 'Configure Azure Defender for open-source relational databases to be enabled', deployifnotexists
    Remediation Task could not be created.
'/managementGroups/EMEA.prod/Deploy-MDFC-Config|defenderforcosmosdbs': 2 resources, 'Configure Microsoft Defender for Azure Cosmos DB to be enabled', deployifnotexists
    Remediation Task could not be created.
'/managementGroups/EMEA.prod/Deploy-MDFC-Config|defenderforstorageaccountsv2': 2 resources, 'Configure Microsoft Defender for Storage to be enabled', deployifnotexists
    Remediation Task could not be created.
'/managementGroups/EMEA.prod/Deploy-MDFC-Config|defenderforarm': 1 resources, 'Configure Azure Defender for Resource Manager to be enabled', deployifnotexists
    Remediation Task could not be created.
'/managementGroups/EMEA.prod/Deploy-MDFC-Config|migratetomdetvm': 1 resources, 'Setup subscriptions to transition to an alternative vulnerability assessment solution', deployifnotexists
    Remediation Task could not be created.
'/managementGroups/EMEA.prod/Deploy-MDFC-Config|defenderforsqlservervirtualmachines': 1 resources, 'Configure Azure Defender for SQL servers on machines to be enabled', deployifnotexists
    Remediation Task could not be created.
'/managementGroups/EMEA.prod/Deploy-MDFC-Config|ascexport': 2 resources, 'Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data', deployifnotexists

I can't seem to find any documentation or anyone else reported this. It might not be a bug, but please help me understand what I can check/do to get this resolved.

EPAC Version: 10.2.9

AB#44055

techlake commented 3 months ago

This can happen, I do not completely understand why. We should surface the error message from Azure

anwather commented 3 months ago

Might be an idea to debug the script - we would need to find out exactly why Azure is throwing that error - since we suppress the error in the code. @KennethBess are you using the PowerShell module or a forked repository? Either way you could remove the -ErrorAction SilentlyContinue at https://github.com/Azure/enterprise-azure-policy-as-code/blob/faea595a00dea7f55be86eab061bd791572af357/Scripts/Operations/New-AzRemediationTasks.ps1#L256 and see what error is being thrown?

anwather commented 3 months ago

Closing due to no response - please reopen this issue if required.

craigmoyle commented 2 weeks ago

If this helps anyone in the future I was getting the "Remediation Task could not be created." error as well. When I updated the script to unsuppress the errors I found the Microsoft.PolicyInsights provider wasn't registered for my MGs for some reason. e.g.

Start-AzPolicyRemediation: /builds/build/Scripts/Operations/New-AzRemediationTasks.ps1:256
Line |
 256 |  … ationTask = Start-AzPolicyRemediation @parameters -WhatIf:$WhatIfPref …
     |                ~~~~~~~~~~~~~
     | Operation returned an invalid status code 'Conflict'
     | (ManagementGroupNotRegistered: The management group: 'xx-xxxx' or
     | any of its ancestors are not registered to 'Microsoft.PolicyInsights'.
     | Creating remediation tasks for large number of resources in management
     | group scopes requires that the management group is registered to the
     | 'Microsoft.PolicyInsights' resource provider. Please register the
     | management group and try again. See
     | https://aka.ms/ResourceProviderMGRegistration for more details.)
Remediation Task could not be created.

I added the provider registration via the API for all the MGs using az rest and all was good again:

https://learn.microsoft.com/en-au/rest/api/resources/providers/register-at-management-group-scope?view=rest-resources-2021-04-01
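The registration step described in the comment above, written out as an added example (not EPAC's own code and not the commenter's script): it calls the "Register At Management Group Scope" REST operation linked above through az rest for each management group passed on the command line. It assumes the Azure CLI is installed and logged in with rights on those management groups; the management group name EMEA.prod is taken from the issue.

```shell
#!/usr/bin/env bash
# Added example: register Microsoft.PolicyInsights at management group scope with
# `az rest`, so that Start-AzPolicyRemediation no longer fails with
# ManagementGroupNotRegistered. Assumes `az login` has been done with an identity
# that may register providers on the target management groups.
set -eu

PROVIDER="Microsoft.PolicyInsights"
API_VERSION="2021-04-01"   # api-version from the linked REST documentation

# Build the ARM URL for "Providers - Register At Management Group Scope".
# Rejects empty ids and ids containing '/', which would change the request path.
mg_register_url() {
  mg_id="$1"
  case "$mg_id" in
    ''|*/*) echo "invalid management group id: '$mg_id'" >&2; return 1 ;;
  esac
  printf 'https://management.azure.com/providers/Microsoft.Management/managementGroups/%s/providers/%s/register?api-version=%s' \
    "$mg_id" "$PROVIDER" "$API_VERSION"
}

# Register the provider for one management group. az rest attaches the ARM
# bearer token itself because the URL points at the ARM endpoint.
register_policyinsights() {
  mg_id="$1"
  url="$(mg_register_url "$mg_id")"
  echo "Registering $PROVIDER at management group '$mg_id' ..."
  az rest --method post --url "$url" --output none
  echo "done: $mg_id"
}

# The Azure error says the MG *or any of its ancestors* must be registered, so
# registering a parent (e.g. the intermediate root MG) covers every child MG.
# Usage: ./register-policyinsights.sh EMEA.prod [other-mg ...]
for mg in "$@"; do
  register_policyinsights "$mg"
done
```

Run it once per pipeline environment before New-AzRemediationTasks.ps1 is invoked; a second call for an already registered management group is harmless.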