Open steph409 opened 5 days ago
To add some more information: The same policy gets applied on the platform management group. There, it gets 5 permissions:
The permission Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
is not in any of those roles as far as I can see. So I assigned the role Managed Identity Operator
to the identity of the policy on the management management group.
The same happens for landing zones on the landing zone management group. Out of those, the Log Analytics Contributor and Monitoring Contributor would need to be applied on the platform/management management group instead of the landing zone management group, as the data collection rules and log analytics workspace are there.
When I assign those manually to the identity of the policy Deploy-VM-Monitoring from the landing zones policy, the remediation works.
I did the following role assignments:
```hcl
# Role assignments for the system-assigned identity of the Deploy-VM-Monitoring
# policy assignment (landing zones MG), granted on the platform MG where the
# user-assigned identity, DCR and Log Analytics workspace live.

# Grants Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
resource "azurerm_role_assignment" "fix_monitoring_vm_managed_identity_operator" {
  role_definition_name = "Managed Identity Operator"
  scope                = "/providers/Microsoft.Management/managementGroups/${local.root_id}-platform"
  principal_id         = module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/${local.root_id}-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring"].identity[0].principal_id
}

# Needed because the Log Analytics workspace is in the platform MG
resource "azurerm_role_assignment" "fix_monitoring_vm_log_analytics_contributor" {
  role_definition_name = "Log Analytics Contributor"
  scope                = "/providers/Microsoft.Management/managementGroups/${local.root_id}-platform"
  principal_id         = module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/${local.root_id}-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring"].identity[0].principal_id
}

# Needed because the data collection rules are in the platform MG
resource "azurerm_role_assignment" "fix_monitoring_vm_monitoring_contributor" {
  role_definition_name = "Monitoring Contributor"
  scope                = "/providers/Microsoft.Management/managementGroups/${local.root_id}-platform"
  principal_id         = module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/${local.root_id}-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring"].identity[0].principal_id
}
```
I have not tested it, but would assume that the other policies for monitoring/working with DCR on the landing zone management group will also not work.
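The following is an added example, not steph409's code and not part of the caf-enterprise-scale module, showing the same three cross-management-group grants expressed once with `for_each`, so the role-to-reason mapping is kept in one place and the policy identity is resolved a single time. It assumes `local.root_id` and `module.enterprise_scale` as used in the comment above; the local names (`vm_monitoring_*`, `platform_mg_scope`) are hypothetical.

```hcl
# Added example (not from the issue or the module). Assumes local.root_id and
# module.enterprise_scale exist as in the comment above; all local names below
# are hypothetical.

locals {
  # Assignment ID of the policy whose remediation fails (from the issue).
  vm_monitoring_assignment_id = "/providers/Microsoft.Management/managementGroups/${local.root_id}-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring"

  # Principal of that assignment's system-assigned identity, resolved once.
  vm_monitoring_principal_id = module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale[local.vm_monitoring_assignment_id].identity[0].principal_id

  # Scope where the user-assigned identity, DCR and Log Analytics workspace live.
  platform_mg_scope = "/providers/Microsoft.Management/managementGroups/${local.root_id}-platform"

  # Role name -> reason it is needed on the platform MG. Keys become the
  # role_definition_name; values only end up in the assignment description.
  vm_monitoring_remediation_roles = {
    "Managed Identity Operator" = "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action on the UAMI"
    "Log Analytics Contributor" = "Log Analytics workspace is in the platform MG"
    "Monitoring Contributor"    = "data collection rules are in the platform MG"
  }
}

resource "azurerm_role_assignment" "vm_monitoring_remediation" {
  for_each = local.vm_monitoring_remediation_roles

  scope                = local.platform_mg_scope
  role_definition_name = each.key
  principal_id         = local.vm_monitoring_principal_id
  description          = "Deploy-VM-Monitoring remediation: ${each.value}"

  # The policy identity is a freshly created service principal; skipping the
  # directory lookup avoids a replication race on the first apply.
  skip_service_principal_aad_check = true
}
```

Adding a fourth role later is a one-line change to the map, and `terraform plan` shows exactly which grant is being added. Scoping the grants at the platform management group rather than the root keeps the policy identity from acquiring these roles over every landing zone subscription.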
@steph409 Thanks for raising and coming up with a solution!
@arjenhuitema Can you comment here? Did we consider this, I can't see in the design notes.
fyi I just tested with the Deploy-VmHybr-Monitoring policy, and I got the same issue. Adding above permissions for the respective identity resolved the issue.
Community Note
Versions
terraform:
azure provider:
module: 6.0.0
Description
Initiative: Enable Azure Monitor for VMs
In there is a policy called: [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines
In the new policy sets, there is a policy to set up monitoring with a DCR and a user assigned managed identity. This gets deployed on the landing zones management group.
In the default terraform configuration, both the user assigned identity and the DCR which are passed in as parameters are in the Management management group.
When remediating the policy, I get the following error:
The client 'FROM_POLICY' with object id 'FROM_POLICY' has permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope '/subscriptions/LANDINGZONES/resourcegroups/TEST/providers/Microsoft.Compute/virtualMachines/TEST-linux'; however, it does not have permission to perform action(s) 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/MANAGEMENT-SUBSCRIPTION/resourceGroups/MYCORP/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TEST-uami' (respectively) or the linked scope(s) are invalid. (Code: LinkedAuthorizationFailed)
Similar to the private DNS zone contributor, which is needed for the private DNS one policy, an additional role assignment is needed. This is implemented here.
Describe the bug
Steps to Reproduce
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines
from initiative Enable Azure Monitor for VMs
Screenshots
Additional context