Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License

Bug Report: Policy VM Monitoring fails, permission lacking for policy #1014

Open steph409 opened 5 days ago

steph409 commented 5 days ago

Versions

terraform:

azure provider:

module: 6.0.0

Description

Initiative: Enable Azure Monitor for VMs

In there is a policy called: [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines

In the new policy sets, there is a policy to set up monitoring with a DCR and a user assigned managed identity. This gets deployed on the landing zones management group.

In the default terraform configuration, both the user assigned identity and the DCR which are passed in as parameters are in the Management Management-Group.

When remediating the policy, I get the following error:

The client 'FROM_POLICY' with object id 'FROM_POLICY' has permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope '/subscriptions/LANDINGZONES/resourcegroups/TEST/providers/Microsoft.Compute/virtualMachines/TEST-linux'; however, it does not have permission to perform action(s) 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/MANAGEMENT-SUBSCRIPTION/resourceGroups/MYCORP/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TEST-uami' (respectively) or the linked scope(s) are invalid. (Code: LinkedAuthorizationFailed)

Similar to the private DNS zone contributor, which is needed for the private DNS one policy, an additional role assignment is needed. This is implemented here.

Steps to Reproduce

  1. Deploy v6.0.0 of the module. Create the DCR and UMI using the module in its default configuration.
  2. Create a virtual machine in the landing zones management group.
  3. Try to remediate the policy [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines from the initiative Enable Azure Monitor for VMs.
  4. Watch the remediation fail with a missing permission on the management group.

steph409 commented 4 days ago

To add some more information: The same policy gets applied on the platform management group. There, it gets 5 permissions:

The permission Microsoft.ManagedIdentity/userAssignedIdentities/assign/action is not in any of those roles as far as I can see. So I assigned the role Managed Identity Operator to the identity of the policy on the management management-group.

The same happens for landing zones on the landing zone management group. Out of those, the Log Analytics Contributor and Monitoring Contributor would need to be applied on the platform/management management group instead of the landing zone management group, as the data collection rules and log analytics workspace are there.

When I assign those manually to the identity of the policy Deploy-VM-Monitoring from the landing zones policy, the remediation works.

I did the following role assignments:


```hcl
resource "azurerm_role_assignment" "fix_monitoring_vm_managed_identity_operator" {
  role_definition_name = "Managed Identity Operator"
  scope                = "/providers/Microsoft.Management/managementGroups/${local.root_id}-platform"
  principal_id         = module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/${local.root_id}-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring"].identity.0.principal_id
}

resource "azurerm_role_assignment" "fix_monitoring_vm_log_analytics_contributor" {
  role_definition_name = "Log Analytics Contributor"
  scope                = "/providers/Microsoft.Management/managementGroups/${local.root_id}-platform"
  principal_id         = module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/${local.root_id}-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring"].identity.0.principal_id
}

resource "azurerm_role_assignment" "fix_monitoring_vm_monitoring_contributor" {
  role_definition_name = "Monitoring Contributor"
  scope                = "/providers/Microsoft.Management/managementGroups/${local.root_id}-platform"
  principal_id         = module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/${local.root_id}-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring"].identity.0.principal_id
}
```

I have not tested it, but would assume that the other policies for monitoring/working with DCR on the landing zone management group will also not work.

matt-FFFFFF commented 4 days ago

@steph409 Thanks for raising and coming up with a solution!

@arjenhuitema Can you comment here? Did we consider this, I can't see in the design notes.

steph409 commented 4 days ago

fyi I just tested with the Deploy-VmHybr-Monitoring policy, and I got the same issue. Adding above permissions for the respective identity resolved the issue.
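The workaround from the earlier comment, generalized to both affected policy assignments (Deploy-VM-Monitoring and Deploy-VmHybr-Monitoring) and all three roles in one `for_each` resource. This is an added example, not code from the reporter or from the module; it assumes `local.root_id` and the `module.enterprise_scale` output key used in the comment above, and that the platform management group is named `${local.root_id}-platform`.

```hcl
locals {
  # Policy assignments on the landing zones management group whose managed
  # identities must act on resources that live under the platform management group.
  vm_monitoring_policy_assignments = [
    "Deploy-VM-Monitoring",
    "Deploy-VmHybr-Monitoring",
  ]

  # Roles the policy identities need at the platform scope: one to assign the
  # user-assigned identity, two to attach DCRs / the Log Analytics workspace.
  vm_monitoring_platform_roles = [
    "Managed Identity Operator",
    "Log Analytics Contributor",
    "Monitoring Contributor",
  ]

  # Cross product: every (policy assignment, role) pair becomes one role assignment.
  vm_monitoring_role_assignments = {
    for pair in setproduct(local.vm_monitoring_policy_assignments, local.vm_monitoring_platform_roles) :
    "${pair[0]}|${pair[1]}" => {
      policy_assignment_id = "/providers/Microsoft.Management/managementGroups/${local.root_id}-landing-zones/providers/Microsoft.Authorization/policyAssignments/${pair[0]}"
      role_definition_name = pair[1]
    }
  }
}

resource "azurerm_role_assignment" "vm_monitoring_platform_scope" {
  for_each = local.vm_monitoring_role_assignments

  # Scope is the platform management group (assumed name), not the landing zones one,
  # because the UAMI, DCRs and workspace are deployed there by the module defaults.
  scope                = "/providers/Microsoft.Management/managementGroups/${local.root_id}-platform"
  role_definition_name = each.value.role_definition_name
  principal_id         = module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale[each.value.policy_assignment_id].identity[0].principal_id
  description          = "Allows ${split("|", each.key)[0]} remediation to reach platform-hosted monitoring resources"

  # The policy identity is created in the same apply; skip the Entra ID principal lookup
  # so the role assignment does not fail on replication lag.
  skip_service_principal_aad_check = true
}
```

Adding a policy assignment or a role is then a one-line change to the corresponding list rather than a new copied resource block.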