Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable allLogs category group resource logging - missing policies #1225

Open
Greg-Court opened this issue Jan 15, 2025 · 6 comments
Open

Enable allLogs category group resource logging - missing policies #1225

Greg-Court opened this issue Jan 15, 2025 · 6 comments

Comments

@Greg-Court
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

Azure/caf-enterprise-scale/azurerm version 6.2.0

➜ git:(main) terraform version
Terraform v1.10.2
on darwin_arm64

  • provider registry.terraform.io/azure/azapi v1.15.0
  • provider registry.terraform.io/hashicorp/azurerm v3.117.0
  • provider registry.terraform.io/hashicorp/random v3.6.3
  • provider registry.terraform.io/hashicorp/time v0.12.1

Description

Describe the bug

In the initiative assignment "Enable category group resource logging for supported resources to Log Analytics", only 69 policies are deployed. 71 policies are missing - including key resource types like azure firewall, app gateway, storage accounts etc.

Image

A colleague of mine has deployed the module separately and also only 69 policies are present compared to the 140 registered on AzAdvisor

https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html
@christianGoe
Copy link

Good Point -> but it seems that the Builtin Policy definition set removed those 71 missing policies in version 1.1.0
As workaround I used the version 1.0.0 in the lib/Policy_assingments/policy_assignment_es_deploy_diag_logscat.json

@kamil-makowski
Copy link

@christianGoe could you please explain how did you change this version?

@christianGoe
Copy link

@christianGoe could you please explain how did you change this version?
I copied the \modules\archetypes\lib\policy_assignments\policy_assignment_es_deploy_diag_logscat.tmpl.json to the Lib Policy_assingments folder and changed the name to policy_assignment_es_deploy_diag_logscat.json and changed in the file the policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038" -> this is the version 1.0.0 from the Policyset
Then this version of the Policy Set should be deployed

@Greg-Court
Copy link
Author

Thanks for the tip @christianGoe!

However still would like to know why these are missing from the current version / why they were removed?

@amayfoxen
Copy link

My guess (looking to upgrade from 6.1.0 to 6.2.0) is that it's because it's switched from an initiative that sends the allLogs category to the management workspace to one that sends audit category logs, and many services don't support that category.

@matt-FFFFFF
Copy link
Member

Hi there, thanks for raising the issue. I think your concerns are valid and since they pertain to the policies that we deploy I'm going to transfer this issue to the enterprise scale repo, where they are authored.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@matt-FFFFFF @kamil-makowski @Greg-Court @christianGoe @amayfoxen