
azurepolicy's People

Contributors

abaddon82, ikiris04, manuinnz, spaelling, taoyangmvp, tyconsulting


azurepolicy's Issues

azurepolicy.bastion-la.json contains diagnostics for Microsoft.Web/sites

Seems like copy-paste for web apps without changing config for bastion.
Below are correct fields for policy definition:

"policyRule": {
  "if": {
    "field": "type",
    "equals": "Microsoft.Network/bastionHosts"
  },

Resource type:

"resources": [
  {
    "type": "Microsoft.Network/bastionHosts/providers/diagnosticSettings",

Log and metrics config:

"metrics": [],
"logs": [
  {
    "category": "BastionAuditLogs",
    "enabled": true
  }

Wrong parameters for deployment section in azurepolicy.vnet-eh.json

Hi, the above policy has a mistake starting with the parameters on line 88. You copied the parameters from the Log Analytics version (it appears). The correct block is below. I hope this helps.

"parameters": {
  "diagnosticsSettingNameToUse": {
    "type": "string"
  },
  "resourceName": {
    "type": "string"
  },
  "eventHubName": {
    "type": "string"
  },
  "eventHubAuthorizationRuleId": {
    "type": "string"
  },
  "location": {
    "type": "string"
  }
},

Metrics category in diagnostic settings for API Management services needs to be updated

https://github.com/tyconsulting/azurepolicy/blob/master/policy-definitions/resource-diagnostics-settings/log-analytics/azurepolicy.apiMgmt-la.json

During testing, the "create or update resource diagnostic setting" operation failed. The supported metric category is "AllMetrics", and the policy should be updated accordingly.

  • Error code = BadRequest
  • Message = Metric category 'Gateway Requests' is not supported, supported categories are: 'AllMetrics'

Diagnostic settings policy on Azure SQL DBs --> non-compliance status if these log categories not added

The Azure Policy definition is azurepolicy/policy-definitions/resource-diagnostics-settings/log-analytics/azurepolicy.sqlDBs-la.json. These two log categories must be added to the policy, else Azure Policy compliance evaluation will mark it as non-compliant because the two missing categories are set to "false".

  • DevOpsOperationsAudit
  • SQLSecurityAuditEvents

Azure Portal shows 9 log categories, but the API call is sending 11 log categories.

Existence condition when metrics/logs are disabled

Great policies, just one note regarding the existence condition. Due to the lack of metrics in diagnostic logs we don't export metrics at all and disable them. However, the existence condition checks if metrics are True, even if the parameter is set to false. So it will just never be compliant, because metrics are never enabled.

The existence condition should check the same value as the parameter input.
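To make the mismatch described in this issue concrete, here is an added example (not code from the azurepolicy repository) with a tiny evaluator for the field/equals/allOf subset of Azure Policy condition syntax. It compares an existence condition hard-wired to "True" against one that reads the same parameters the deployment uses; the diagnostic setting, the parameter names metricsEnabled and logsEnabled, and the parameter values are all constructed assumptions.

```python
import re

# Field aliases Azure Policy exposes for a diagnostic setting's metrics/logs blocks.
METRICS = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
LOGS = "Microsoft.Insights/diagnosticSettings/logs.enabled"

# Constructed sample: the setting a deployIfNotExists lookup would find after the
# deployment ran with metrics deliberately disabled and logs enabled.
DIAG_SETTING = {METRICS: "False", LOGS: "True"}

# Constructed assignment parameters (names are assumed, not the repo's own).
PARAMS = {"metricsEnabled": "False", "logsEnabled": "True"}

# Existence condition as the issue describes it: metrics must always be True.
HARDCODED = {"allOf": [
    {"field": METRICS, "equals": "True"},
    {"field": LOGS, "equals": "True"},
]}

# Existence condition tied to the parameters, so "exists" means "matches intent".
PARAMETERISED = {"allOf": [
    {"field": METRICS, "equals": "[parameters('metricsEnabled')]"},
    {"field": LOGS, "equals": "[parameters('logsEnabled')]"},
]}


def resolve(value, params):
    """Expand a [parameters('x')] template reference; other values pass through."""
    if isinstance(value, str):
        m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value)
        if m:
            return params[m.group(1)]
    return value


def evaluate(condition, resource, params):
    """Evaluate allOf / field+equals; 'equals' is case-insensitive like Azure Policy."""
    if "allOf" in condition:
        return all(evaluate(c, resource, params) for c in condition["allOf"])
    actual = resource.get(condition["field"])
    expected = resolve(condition["equals"], params)
    return str(actual).lower() == str(expected).lower()


def is_compliant(condition, setting=DIAG_SETTING, params=PARAMS):
    """True when the existing setting satisfies the existence condition."""
    return evaluate(condition, setting, params)


if __name__ == "__main__":
    print("hard-coded condition  :", is_compliant(HARDCODED))      # False, forever
    print("parameterised condition:", is_compliant(PARAMETERISED))  # True
```

The real engine evaluates existenceCondition against the related resource with many more operators; this toy only shows why a fixed "True" can never be satisfied when the parameter says False.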

CDN Diagnostics Logs

Applying the CDN policy is not working because of the following error:
Error code
RemediatedResourceNotFound

Reason
The resource being remediated '/subscriptions//resourcegroups//providers/microsoft.cdn/profiles//endpoints/' could not be retrieved.

Diagnostic Setting doesn't work for Virtual Machines

I don't believe this works with Virtual Machines anymore. The Virtual Machine blade for Diagnostics doesn't even take a Log Analytics workspace as input. Is there a different blade menu for Virtual Machines this was intended for that I'm not seeing? See screenshot for reference.

[Screenshot: VMDiagnostics]

What's the proper syntax for policy when using deploy.ps1

Hi, I am trying to use deploy-policyDef.ps1 using
.\deploy.ps1 -managementGroupName "$mgtGroup" -definitionFile "$file"

I receive the following error:

New-AzPolicyDefinition : Cannot validate argument on parameter 'Name'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At azurepolicydeploy-policyDef.ps1:70 char:44
+     $deployResult = New-AzPolicyDefinition @deployParams
    + CategoryInfo          : InvalidData: (:) [New-AzPolicyDefinition], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzurePolicyDefinitionCmdlet

My policy definition looks like this:

{
	"properties": {
		"name": "xxx",
		"displayName": "xxx",
		"mode": "Indexed",
		"description": "xxx",
		"metadata": {
			"category": "General"
		},
		"parameters": {
			"regions": {
				"type": "Array",
				"metadata": {
					"description": "The list of locations that can be specified when deploying resources.",
					"strongType": "location",
					"displayName": "Allowed locations"
				},
				"defaultValue": ["westeurope", "northeurope"]
			},
			"effect": {
				"type": "String",
				"metadata": {
					"displayName": "Effect",
					"description": "Enable or disable the execution of the policy"
				},
				"allowedValues": [
					"Audit",
					"Deny"
				],
				"defaultValue": "Audit"
			}
		},
		"policyRule": {
			"if": {
				"allOf": [
					{
						"field": "location",
						"notIn": "[parameters('regions')]"
					},
					{
						"field": "location",
						"notEquals": "global"
					},
					{
						"field": "type",
						"notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
					}
				]
			},
			"then": {
				"effect": "[parameters('effect')]"
			}
		}
	}
}

Open Source License?

Hi Tao,

Great work putting together this great resource!

I'd really love to use some of these policy definitions, but I'm not sure what license they're under.

Could you release these under Apache 2, MIT or BSD?

Thanks!

Carl
